Downloadable ACLs for users of VPN

Hello

I replaced the old PIX with an ASA (7.2). There were groups configured for the remote VPN users, authenticated through the ACS, and the ACS downloaded a specific ACL for each group to the PIX. After the replacement, users cannot establish the VPN connection. After troubleshooting, I discovered that the downloadable ACLs were not working well. When I disabled this option, the tunnel established. When I went back to the old PIX with the same configuration, it worked well with the downloadable ACL option. I opened a TAC case and the engineer said that ACS v3.0 is not compatible with the ASA. He did not really convince me, and he asked me to try the AV-pair option. I tried the AV-pair option with the ASA and it did not work either. Can you please advise.

Hello

Have a look at this:

http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCef21184

In addition, 3.0 is very old, and I guess that in this version we have "Downloadable PIX ACL" and not "Downloadable IP ACL". On the ASA, downloadable ACLs will work with "Downloadable IP ACL" but not with "Downloadable PIX ACL".

Kind regards

Prem

Tags: Cisco Security

Similar Questions

  • Downloadable ACLs for users?

    Hi all

    ACS 5.4: I need ACLs customized per user.

    My scenario:

    There is a way to use a "downloadable ACL" permission profile, but I want to set specific ACLs for some exceptions. For example: user A and user B get permission profile 'X'. But user B is not allowed to access a particular host. I would configure this 'deny rule' with custom attributes in the internal user store.

    Is this possible? How can I implement this rule?

    Best regards

    Stefan

    Hello

    You can do this by following these steps:

    1. Define a user attribute in the dictionary under System Administration > Dictionaries > Identity > Internal Users; call it whatever you want and make sure the value type is a string.

    2. Create the DACL under the named authorization objects in the Policy Elements section.

    3. Under the user account you will now see a field for the dictionary attribute you created in step 1; make sure its value is the DACL you created in step 2.

    4. Create your authorization profile; under "Common Tasks", set the Downloadable ACL Name to dynamic, select Internal Users and set the value to the attribute you created in step 1.

    5. Map the authorization profile to the access policy using conditions that will give you these results.

    6. Test, and you should have what you are looking for.

    Thank you

    Tarik Admani
    * Please rate useful posts *.

  • Downloadable ACL for VPN users: ACS 4.1 & 1841 router

    Hello

    I have configured an 1841 router as a VPN server. All VPN users get authenticated using RADIUS on ACS 4.1.

    I need to apply downloadable ACLs per user.

    I configured the downloadable ACL on ACS. The ACS event report shows that the ACL is applied to the authenticated user, but traffic is not blocked or passed accordingly.

    What is your configuration?

    I think the easiest way is to use IPsec VTI interfaces together with aaa authorization network, and on the RADIUS server use ip:inacl in the cisco-av-pair, like:

    ip:inacl#1=permit tcp any any eq 80

    ip:inacl#2=permit tcp any any eq 443

    ...

    Some documents:

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1090634

  • ACS and downloadable ACL for multiple AAA clients

    Hello!

    I need to know whether it is possible to download an ACL (DACL) to a device that is not part of the RADIUS conversation. In other words, I have a user who needs access to certain resources and tries to connect to the network via PIX1. I need to authenticate him on ACS and download the ACL to PIX1 and (attention) also to PIX2 (a firewall further upstream). Is it possible to do this?

    I don't think you can do that. As you mentioned, the other PIX has no RADIUS configuration, and the RADIUS server can only push the DACL to the PIX that asks for it, not to any other PIX.

    And I'm not aware of any mechanism or feature that allows you to transfer the downloaded ACL from one PIX to another.

    Kind regards

    Prem

  • Group-lock for VPN users with ACS

    Hello

    Is it possible to control which VPN profile a user is allowed to use, either by Cisco ACS or by the router?

    2811 router running IOS 12.4, using ACS 4.1.

    I just want to be sure that the VPN allows the user only the client profile assigned to them and no other profile groups.

    Example:

    User123abc gets their hands on a co-worker's profile.

    HR_User_Profile.pcf

    SALES_User_Profile.pcf

    User123abc belongs to the Human Resources department and should be able to authenticate with HR_User_Profile. If User123abc tries to authenticate using SALES_User_Profile, access should be rejected.

    Any documentation explaining how to set this up?

    The ASA would be your option. This should be controlled by the tunnel-group and group-policy values, group-lock, ACS and ASA.

  • Blocking websites for IPsec VPN users while offline

    Hello

    We use ASA 5520s as our firewalls, and our vendors sign in via the IPsec VPN client v5. With our previous Checkpoint firewall and clients, we could add a default policy that was active while the client was not connected, which limited the sites the vendors could visit while not connected to the firewall.

    With our new Cisco configuration, we are able to restrict which web sites they visit while they are connected, but once they log off the firewall they have unlimited access to the Internet. Is there a way to limit them to a list of pre-defined, business-related sites?

    Thank you

    Sam

    Sorry for the late reply.

    I don't think you can inject a customized firewall policy rule into the VPN client when it is not connected.

    You can use the stateful always-on firewall, but you can't customize it, AFAIK.

    Applying a proxy on the laptops you describe could be a better solution.

    Federico.

  • Unable to ping SSL VPN users

    I have installed several ASAs with the AnyConnect SSL VPN function, but I have never been able to ping an IP address that has been assigned to a remote user. Should I be able to ping the remote user? Do I need to configure anything in a group policy or on the user to enable this?

    Triton

    Triton,

    Absolutely, you will be able to ping the RA client when it connects. If the client is able to ping your internal resources but the connection does not work the other way, then most likely the RA client's firewall is blocking the packets. Most firewall software, including Windows Firewall, drops unsolicited incoming traffic that does not match traffic sent in response to a request from the computer (solicited traffic) or unsolicited traffic that has been explicitly allowed (excepted traffic).

    Kind regards.

  • Downloadable ACL on ACS 5.2 using 802.1X authentication

    Hi all

    I configured ACS 5.2 for 802.1X authentication. It works well; clients get into their respective VLANs after a successful authentication.

    Now I want to assign downloadable ACLs to particular users. Can someone help me with the downloadable ACL configuration on ACS 5.2?

    Any feedback is much appreciated.

    Thanks in advance,

    Selva.

    Hi Selva,

    Based on what do you want to assign the DACL? Based on the user name? Group? etc.?

    This document will be useful for you:

    http://tiny.cc/ogrxvw

    Ignore the ASA part; concentrate on the ACS config.

    The doc uses an ASA as the AAA client. The difference is that you use a switch, but the idea is the same.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • Several downloadable ACLs per ACS user group

    Is it possible to map several downloadable ACLs to a single user or user group using ASA and ACS?

    For example, you have an ACL controlling access to servers (ACL A) and another ACL for internet access (ACL B). Is it possible to assign several ACLs to a group of users, such that user group A can only access the servers, while user group B can access the servers and the internet (ACL A + ACL B)?

    Thank you and best regards.

    George,

    The user and group settings only allow you to select a single DACL at a time.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#configuringtheserverwitfddhias

    Kind regards

    Jousset

    Please rate useful posts.

  • Inbound ACL on public VPN router

    Hi all

    I set up our VPN router for access for all of our mobile users. Our private VPN range is going to be 172.16.10.x/24. Do I have to add ACL permit rules for this range to the inbound ACL in front of all inside LANs to facilitate access for VPN users?

    For example:

    int S0/0/0
     ip address 85.x.x.x
     ip access-group 100 in

    access-list 100 permit ip 172.16.10.0 0.0.0.255 192.168.1.0 0.0.0.255

    If I understand it correctly, once the user connects the VPN tunnel to the inside interface, the traffic through the VPN is encapsulated and therefore wouldn't appear with a private IP address?

    All comments are greatly appreciated.

    Paul

    Sorry, I mean you should not change the outside ACL for VPN traffic; for the rest of the things, you can do it.

    Thank you

    Ajay

  • Change the default location of Downloads and some user folders

    A big thank you to all who have helped me, most recently DAXnnn and try*3. I come once more in need with questions. To clean up my boot partition before cloning it to a smaller SSD, I'm trying to move the USER folders My Documents, My Music, My Pictures, and My Videos to a different physical disk drive. I also want to do the same with Downloads. After trying to use MKLINK (without success) and the Location tab in the folder properties (in vain), try*3 pointed me to editing the registry. While I have not yet made any change, I followed his instructions to look under HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Explorer > User Shell Folders and confirm what the registry shows.

    What I found is that the actions I took before running into problems with the Location options had caused the registry entries to be updated to show the new path names of My Documents (under Personal in the registry) and My Music. This leaves Downloads, My Pictures, and My Videos to be changed before the data is transferred off the boot partition to shrink it before cloning. I discovered that the entries for My Pictures and My Videos contain the variable %UserProfile% followed by the folder names. My assumption (often a wrong thing to do, I know) is that I can change these entries by replacing %UserProfile% with the path name, including the drive letter etc., describing where I want to move the old data and write new data and changes. IS THAT CORRECT?

    Regarding Downloads, what I discovered is that the second entry in HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Explorer > User Shell Folders, below (Default), is a name {374DE290-123F-4565-9164-...}, shown once, with the value %USERPROFILE%\Downloads. Using my penchant for skip logic, I assume that I can edit this item and replace the value data with the path name where I want future downloads written. IS THAT CORRECT?

    If I can get this information confirmed or corrected, I am very close to stripping down the size of my boot partition prior to the clone operation to place what's left on my SSD.

    Thanks to all for participating in such a large forum community!

    HR

    Yes, you are right. If you want your download location to be moved, just change:

    Old: %userprofile%\downloads

    New: E:\OtherDrive\Some Windows\

    This will make all your downloads be stored in the folder 'Some Windows'. Just be sure to include a folder name and make sure that this folder actually exists. Make sure not to specify just a drive like E:\ or all your documents could get dumped at the top of that drive rather than in a folder.

  • How to use ACS 5.2 to create a static IP address for a remote access VPN user

    Hi all

    I have the problem. Please help me.

    Initially, I used ACS 4.2 to create a static IP address for a remote access VPN user. It's easy: simply configure, on the user, Client IP Address Assignment > Assign static IP address. But when I use ACS 5.2, I don't know how to do it.

    I'm trying to add the IPv4 address attribute to the user. Reading "How to use ACS 5.2", it says this:

    Step 1: Add a static IP attribute to the internal user attribute dictionary:

    Step 2: Select System Administration > Configuration > Dictionaries > Identity > Internal Users.

    Step 3: Click Create.

    Step 4: Add the static IP attribute.

    Step 5: Select Users and Identity Stores > Internal Identity Stores > Users.

    Step 6: Click Create.

    Step 7: Edit the user's static IP attribute.

    I just did that, but it isn't working. When I use the EasyVPN client to connect to the ASA 5520, the user authenticates successfully but does not get the static IP I set up on the internal user, so the tunnel setup fails. I tried configuring an IP pool on the ASA for ACS users to get their IP from, and the EasyVPN client connects to the ASA; everything is OK and the user authenticates successfully. But when I remove the IP pool configuration and use the "add a static IP address to the user" configuration, EzVPN fails.

    So, what should I do? If anybody knows how to use ACS 5.2 to create a static IP address user for remote access VPN, please tell me.

    Waiting for your answer; whether right or not, please answer, thank you.

    There are a few extra steps to ensure that the static address defined for the user is returned in the Access-Accept. See the instructions in the two attached slides.

  • VPN for remote users if no RADIUS or LDAP servers are available?

    Dear people,

    I have an ASA Adaptive Security Appliance 5510 with the features below.

    Now, what is the best way to securely set up VPN for remote users if I have no LDAP or RADIUS server?

    HOFW# sh flash:

    #   length    date/time   path

    181 14137344 March 3, 2003 08:36 asa804-k8.bin

    195 436 sep 2012 01 16:28:05 bar.emf

    75 4096 November 10, 2011 18:41:26 login

    192 1335 November 10, 2011 18:41:26 log/recovery-event.388.20111110.131127

    79 4096 19 January 2009 16:12:34 crypto_archive

    182 7562988 19 January 2009 16:14:06 asdm-613.bin

    184 4863904 19 January 2009 16:15:44 securedesktop_asa_3_3_0_129.pkg.zip

    185 4096 19 January 2009 16:15:46 sdesktop

    194 1462 19 January 2009 16:15:46 sdesktop/data.xml

    186 2153936 19 January 2009 16:15:46 anyconnect-win-2.2.0133-k9.pkg

    187 3446540 19 January 2009 16:15:48 anyconnect-macosx-powerpc-2.2.0133-k9.pkg

    188 3412549 19 January 2009 16:15:50 anyconnect-macosx-i386-2.2.0133-k9.pkg

    189 3756345 19 January 2009 16:15:52 anyconnect-linux-2.2.0133-k9.pkg

    Regards
    Vesta
    "Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."

    With the ASA you will be somewhat limited in what you can do for remote-access VPN.

    There are two ways to set that up:

    (1) using SSL VPN with the AnyConnect client

    To do this, you must license AnyConnect Premium, which is quite expensive for the number of concurrent users you plan to accept, or the cheap AnyConnect Essentials license, which will give you 250 AnyConnect users, which is the platform limit.

    But for the AnyConnect Essentials license you need to upgrade your ASA RAM, because you need a recent ASA operating system for it.

    But going this path will be the best option.

    (2) with the legacy IPsec client (EasyVPN). The client has been announced EOL/EOS and will not get any more development. But for now, it could be a way to go until you upgrade your ASA.

    Here is an example of how to configure your ASA for the old IPsec client:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Is there a website similar to the old Adobe Central stock site, where individuals would upload actions for other users to download?

    Is there a website similar to the old Adobe Central stock site, where individuals would upload actions for other users to download?

    You should probably ask in the forum for the specific program.

    If you start at the Forums Index, https://forums.adobe.com/welcome

    you will be able to select a forum for the specific Adobe products you use.

    Click on the "arrow down" symbol on the right (where it says All Communities) to open the drop-down list and scroll.

  • ASA5520 and ACS 4.0 - AnyConnect WebVPN (clientless SSL tunnel) does not honor downloadable ACLs (DACL)

    I'm having a lot of problems getting the so-called "Clientless SSL-Tunnel" AnyConnect VPN sessions, i.e. those that are initiated by visiting https:// via a browser and letting the Java/ActiveX plugin automatically run the AnyConnect VPN fat client for you, to honor downloadable ACLs.

    Our installation is integrated via RADIUS with Cisco ACS 4.0.

    Dynamic group-policy -> connection-profile assignment seems to work either way (directly via the AnyConnect VPN fat client or indirectly via a browser -> Java/ActiveX client); however, our downloadable ACLs only take effect if the user initiates the SSL VPN via the AnyConnect VPN fat client. Users who access the site through the "browser -> https://" route seem to have no ACLs applied at all?

    I understand that I can change the custom "Cisco VPN 3000/etc." RADIUS parameters, such as 'WebVPN-Filters' and 'WebVPN-Access-List', to apply an ACL configured locally on the ASA firewall, but what do I have to configure to make the "WebVPN/Clientless-SSL-Tunnel" sessions honor the DACL that our ACS sends?

    It is a known problem with some ASA software versions; see Cisco bug CSCtv19046 - DACL is not applied during connection via the web portal. You probably need to update your ASA to 8.4(4.1) or a later version.
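The `ip:inacl#N=` cisco-av-pair DACL shown in the 1841 router thread and the wildcard-mask ACL in the inbound-ACL router thread follow the same first-match, implicit-deny semantics. The following added example (not code from any of the posts above) parses a list of cisco-av-pair strings in that format into an ordered ACL and evaluates sample flows against it, handling the sequence numbering, Cisco wildcard masks (including non-contiguous ones) and the implicit deny at the end. The av-pair values are constructed samples.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: cisco-av-pair values as ACS might return them in an
# Access-Accept (deliberately out of order to show that #N sets the order).
SAMPLE_AV_PAIRS = [
    "ip:inacl#2=permit tcp any any eq 443",
    "ip:inacl#1=permit tcp any any eq 80",
    "ip:inacl#3=permit ip 172.16.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "ipsec:key-exchange=ike",  # unrelated av-pair, ignored by the parser
]

AV_PAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp", ...
    src: Tuple[int, int]         # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int] = None  # destination port from "eq N", if any


def _parse_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' from the token list."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_ace(text: str) -> Ace:
    tokens = text.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {text}")
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport)


def parse_dacl(av_pairs: List[str]) -> List[Ace]:
    """Build the ordered ACL from ip:inacl#N av-pairs; other av-pairs are skipped."""
    numbered = []
    for av in av_pairs:
        m = AV_PAIR_RE.match(av)
        if m:
            numbered.append((int(m.group(1)), parse_ace(m.group(2))))
    numbered.sort(key=lambda e: e[0])  # the #N sequence defines ACE order
    return [ace for _, ace in numbered]


def _matches(addr_wc: Tuple[int, int], ip: int) -> bool:
    # A wildcard bit of 1 means "don't care": compare only the zero-wildcard bits.
    base, wildcard = addr_wc
    return (ip ^ base) & (~wildcard & 0xFFFFFFFF) == 0


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching ACE wins; every Cisco ACL ends in an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_matches(ace.src, s) and _matches(ace.dst, d)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"
```

With the sample above, `evaluate(parse_dacl(SAMPLE_AV_PAIRS), "tcp", "10.0.0.5", "203.0.113.9", 22)` returns "deny" because no ACE permits port 22 and the implicit deny applies.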
