Общая идея:
Создаём дефолтную политику NoAccess, блокирующую VPN-соединение для всех пользователей.
На пользователя, входящего в определённую группу в AD, навешиваем другую групповую политику, разрешающую доступ.
(применимо к 8.2.x)
10.20.30.0/24 - dmz
10.10.0.0/16 - inside
10.50.50.0/24 - подсеть vpn
! Bypass NAT (identity NAT) between the internal networks and the VPN pool,
! otherwise VPN clients would be translated when reaching inside/dmz hosts
!
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.50.50.0 255.255.255.0
access-list nonat_dmz extended permit ip 10.20.30.0 255.255.255.0 10.50.50.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat_dmz
!
! Define the interesting traffic: only these networks are sent through the tunnel
! (used by split-tunnel-network-list in group-policy org_employee below)
access-list split_tunnel_ad_employee standard permit 10.20.30.0 255.255.255.0
access-list split_tunnel_ad_employee standard permit 10.10.0.0 255.255.0.0
!
! Crypto ACL: any remote peer to the VPN pool
! NOTE(review): presumably referenced by dynamic-map entry 20; its "match address"
! line is not shown in this listing - confirm it is applied
access-list outside_cryptomap_dyn_20 extended permit ip any 10.50.50.0 255.255.255.0
!
! Address pool handed out to authorized VPN clients (assigned in the tunnel-group)
ip local pool employee_vpn_pool 10.50.50.1-10.50.50.254 mask 255.255.255.0
!
! Map the AD attribute memberOf onto IETF-Radius-Class: a user whose memberOf
! contains the RemoteAccess_Employee group DN is assigned group-policy org_employee.
! NOTE(review): memberOf is multi-valued; if users belong to several groups,
! confirm which value the ASA evaluates - only one DN is mapped here.
ldap attribute-map RemAccAD2VPNMap
map-name memberOf IETF-Radius-Class
map-value memberOf CN=RemoteAccess_Employee,OU=ASA,OU=suborg,DC=domain,DC=ru org_employee
!
! LDAP server group used for both authentication and authorization (see tunnel-group)
aaa-server AD_VPN_Employee protocol ldap
reactivation-mode timed
!
! First domain controller
! NOTE(review): ldap-over-ssl is not enabled and no server-port 636 is set, so the
! bind credentials below and the users' passwords go to the DC as cleartext LDAP;
! consider LDAPS and a bind account with read-only directory rights
aaa-server AD_VPN_Employee (inside) host 10.10.10.5
ldap-base-dn OU=suborg,DC=domain,DC=ru
ldap-group-base-dn OU=suborg,DC=domain,DC=ru
ldap-scope subtree
! Credentials of the bind account the ASA uses to search the directory (example value)
ldap-login-password SecurePassword
ldap-login-dn cn=User,ou=ASA,OU=suborg,DC=domain,DC=ru
server-type microsoft
! Attribute map that turns group membership into a group-policy name
ldap-attribute-map RemAccAD2VPNMap
!
! Second domain controller, same settings (fallback within the server group)
aaa-server AD_VPN_Employee (inside) host 10.10.11.4
ldap-base-dn OU=suborg,DC=domain,DC=ru
ldap-group-base-dn OU=suborg,DC=domain,DC=ru
ldap-scope subtree
ldap-login-password SecurePassword
ldap-login-dn cn=User,ou=ASA,OU=suborg,DC=domain,DC=ru
server-type microsoft
ldap-attribute-map RemAccAD2VPNMap
!
! Require Perfect Forward Secrecy for dynamic-map entry 20
! (the transform-set and match address lines of this entry are not shown here)
crypto dynamic-map outside_dyn_map 20 set pfs
!
! Default group policy: applied to every authenticated user that the LDAP
! attribute map did not assign to another policy. vpn-simultaneous-logins 0
! rejects the session, so users outside the mapped AD group cannot connect.
!
group-policy NoAccess internal
group-policy NoAccess attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec
address-pools none
!
! Policy for members of the mapped AD group; the name must match the
! map-value in RemAccAD2VPNMap
group-policy org_employee internal
group-policy org_employee attributes
dns-server value 10.10.10.5 10.10.11.4
vpn-simultaneous-logins 15
! Lets the client cache the user's password locally
! NOTE(review): reconsider for shared or unmanaged endpoints
password-storage enable
! Only the networks in split_tunnel_ad_employee go through the tunnel
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_ad_employee
default-domain value domain.ru
!
! Remote-access tunnel group: authentication and authorization both against AD
tunnel-group org_employee type remote-access
tunnel-group org_employee general-attributes
address-pool employee_vpn_pool
authentication-server-group AD_VPN_Employee
authorization-server-group AD_VPN_Employee
! Users not mapped by the attribute map fall back to NoAccess
default-group-policy NoAccess
! LDAP authorization must succeed, otherwise the session is rejected
authorization-required
tunnel-group org_employee ipsec-attributes
! Group pre-shared key for the IPsec clients (example value)
pre-shared-key SeCuReKeY
Создаём дефолтную политику NoAccess, блокирующую VPN-соединение для всех пользователей.
На пользователя, входящего в определённую группу в AD, навешиваем другую групповую политику, разрешающую доступ.
(применимо к 8.2.x)
10.20.30.0/24 - dmz
10.10.0.0/16 - inside
10.50.50.0/24 - подсеть vpn
! Bypass NAT (identity NAT) between the internal networks and the VPN pool,
! otherwise VPN clients would be translated when reaching inside/dmz hosts
!
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.50.50.0 255.255.255.0
access-list nonat_dmz extended permit ip 10.20.30.0 255.255.255.0 10.50.50.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat_dmz
!
! Define the interesting traffic: only these networks are sent through the tunnel
! (used by split-tunnel-network-list in group-policy org_employee below)
access-list split_tunnel_ad_employee standard permit 10.20.30.0 255.255.255.0
access-list split_tunnel_ad_employee standard permit 10.10.0.0 255.255.0.0
!
! Crypto ACL: any remote peer to the VPN pool
! NOTE(review): presumably referenced by dynamic-map entry 20; its "match address"
! line is not shown in this listing - confirm it is applied
access-list outside_cryptomap_dyn_20 extended permit ip any 10.50.50.0 255.255.255.0
!
! Address pool handed out to authorized VPN clients (assigned in the tunnel-group)
ip local pool employee_vpn_pool 10.50.50.1-10.50.50.254 mask 255.255.255.0
!
! Map the AD attribute memberOf onto IETF-Radius-Class: a user whose memberOf
! contains the RemoteAccess_Employee group DN is assigned group-policy org_employee.
! NOTE(review): memberOf is multi-valued; if users belong to several groups,
! confirm which value the ASA evaluates - only one DN is mapped here.
ldap attribute-map RemAccAD2VPNMap
map-name memberOf IETF-Radius-Class
map-value memberOf CN=RemoteAccess_Employee,OU=ASA,OU=suborg,DC=domain,DC=ru org_employee
!
! LDAP server group used for both authentication and authorization (see tunnel-group)
aaa-server AD_VPN_Employee protocol ldap
reactivation-mode timed
!
! First domain controller
! NOTE(review): ldap-over-ssl is not enabled and no server-port 636 is set, so the
! bind credentials below and the users' passwords go to the DC as cleartext LDAP;
! consider LDAPS and a bind account with read-only directory rights
aaa-server AD_VPN_Employee (inside) host 10.10.10.5
ldap-base-dn OU=suborg,DC=domain,DC=ru
ldap-group-base-dn OU=suborg,DC=domain,DC=ru
ldap-scope subtree
! Credentials of the bind account the ASA uses to search the directory (example value)
ldap-login-password SecurePassword
ldap-login-dn cn=User,ou=ASA,OU=suborg,DC=domain,DC=ru
server-type microsoft
! Attribute map that turns group membership into a group-policy name
ldap-attribute-map RemAccAD2VPNMap
!
! Second domain controller, same settings (fallback within the server group)
aaa-server AD_VPN_Employee (inside) host 10.10.11.4
ldap-base-dn OU=suborg,DC=domain,DC=ru
ldap-group-base-dn OU=suborg,DC=domain,DC=ru
ldap-scope subtree
ldap-login-password SecurePassword
ldap-login-dn cn=User,ou=ASA,OU=suborg,DC=domain,DC=ru
server-type microsoft
ldap-attribute-map RemAccAD2VPNMap
!
! Require Perfect Forward Secrecy for dynamic-map entry 20
! (the transform-set and match address lines of this entry are not shown here)
crypto dynamic-map outside_dyn_map 20 set pfs
!
! Default group policy: applied to every authenticated user that the LDAP
! attribute map did not assign to another policy. vpn-simultaneous-logins 0
! rejects the session, so users outside the mapped AD group cannot connect.
!
group-policy NoAccess internal
group-policy NoAccess attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec
address-pools none
!
! Policy for members of the mapped AD group; the name must match the
! map-value in RemAccAD2VPNMap
group-policy org_employee internal
group-policy org_employee attributes
dns-server value 10.10.10.5 10.10.11.4
vpn-simultaneous-logins 15
! Lets the client cache the user's password locally
! NOTE(review): reconsider for shared or unmanaged endpoints
password-storage enable
! Only the networks in split_tunnel_ad_employee go through the tunnel
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_ad_employee
default-domain value domain.ru
!
! Remote-access tunnel group: authentication and authorization both against AD
tunnel-group org_employee type remote-access
tunnel-group org_employee general-attributes
address-pool employee_vpn_pool
authentication-server-group AD_VPN_Employee
authorization-server-group AD_VPN_Employee
! Users not mapped by the attribute map fall back to NoAccess
default-group-policy NoAccess
! LDAP authorization must succeed, otherwise the session is rejected
authorization-required
tunnel-group org_employee ipsec-attributes
! Group pre-shared key for the IPsec clients (example value)
pre-shared-key SeCuReKeY