So, VPN access is wonderful, but sometimes you need to restrict a VPN user to a specific part of the network. For example, you have an HVAC contractor who maintains your system remotely over your Internet connection, and that contractor has no business on anything but the HVAC controller. You really have 2 options at this point:
Let's focus on Option 2:
So we set up a VPN connection for the user hvac.guy and we restrict the tunnel to only access the HVAC controller at 10.255.255.55.
At this point, we have 2 VPN tunnel-groups on the edge ASA device:
My corporate users connect via VPN to access Exchange servers, file servers, and databases, so their tunnel-group has permissions to access those networks. As mentioned previously, the HVAC contractor's tunnel-group has permissions to access only the HVAC controller at 10.255.255.55.
Here is the config for the users:
Here is the config for the VPN tunnels:
As you can see in the above configuration details, the HVAC tunnel-group sets the group-policy to HVACPOL. Below, you will see in the HVACPOL configuration details that a vpn-filter has been set to restrict the VPN traffic to only the HVAC controller. (The vpn-filter ACL is applied in both directions to traffic inside the tunnel, and anything it does not permit is dropped.)
So, everything is working as expected. Corp users have access to Corp resources and the HVAC user only has access to the HVAC controller. BUT: the group password (the tunnel-group pre-shared key) for both Corp and HVAC is stored in the .pcf profile file of the Cisco VPN Client using very weak, reversible encryption. You can copy the encrypted text to one of many web pages on the Internet and decrypt the password in seconds. What does this mean for you, dear administrator?
That's right: the pre-shared key only proves membership in a tunnel-group, it does not identify the user. The user is identified by the username and password entered afterwards (XAUTH), and by default the ASA will accept any valid username on any tunnel-group. So by supplying the tunnel name Corp and the Corp pre-shared key, the HVAC user COULD authenticate using his hvac.guy credentials and be placed on the Corp tunnel, giving him network access to Corp resources. DEAL BREAKER!
Can we restrict the username hvac.guy so that it is only allowed to use the HVAC tunnel-group? YES! The good news is that the fix is much easier than the explanation of the problem above.
After you have created a user like hvac.guy, you can set several attributes for that user. One of these attributes, "group-lock", is designed to solve this exact problem: it ties the username to a single tunnel-group, and a login that arrives on any other tunnel-group is rejected even though the password is correct.
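The post's own config output is not reproduced here, so the following is an added example of what the HVAC side of such a setup looks like in ASA syntax (ASA 8.4+ style commands; older releases use "pre-shared-key" and "vpn-tunnel-protocol ipsec" instead). It is not the original post's configuration. The ACL name HVAC_FILTER, the pool name HVAC_POOL and the 172.16.99.0/24 client pool are assumed for illustration; the controller address 10.255.255.55, the tunnel-group HVAC, the group-policy HVACPOL and the user hvac.guy are the post's. The placeholders in angle brackets stand for secrets you choose.

```cisco
! Added example, not the original post's config.
! Assumed names: HVAC_FILTER, HVAC_POOL, 172.16.99.0/24.
!
! 1. The filter. vpn-filter ACEs are written from the remote client's point of
!    view: the client pool is the source, the inside resource is the destination.
!    The ACL is enforced in both directions, and the implicit deny at the end
!    drops everything else the contractor tries to reach.
access-list HVAC_FILTER extended permit ip 172.16.99.0 255.255.255.0 host 10.255.255.55
!
ip local pool HVAC_POOL 172.16.99.10-172.16.99.20 mask 255.255.255.0
!
! 2. The contractor's group policy: the filter, the pool, and the protocol.
group-policy HVACPOL internal
group-policy HVACPOL attributes
 vpn-tunnel-protocol ikev1
 address-pools value HVAC_POOL
 vpn-filter value HVAC_FILTER
!
! 3. The tunnel-group the contractor selects in the client. Its pre-shared key
!    is the "group password" that ends up, weakly obfuscated, in the .pcf file.
tunnel-group HVAC type remote-access
tunnel-group HVAC general-attributes
 default-group-policy HVACPOL
tunnel-group HVAC ipsec-attributes
 ikev1 pre-shared-key <hvac-group-psk>
!
! 4. The user, pinned to the HVAC tunnel-group. If hvac.guy connects with the
!    Corp tunnel-group name and the Corp pre-shared key, XAUTH succeeds but the
!    ASA rejects the session because the tunnel-group does not match the lock.
username hvac.guy password <user-password>
username hvac.guy attributes
 vpn-group-policy HVACPOL
 group-lock value HVAC
```

Two things worth checking after applying this: "show running-config username hvac.guy" should show the group-lock line, and a test login with the Corp profile and the hvac.guy credentials should fail while "show vpn-sessiondb" shows no session for that user. Note that group-lock only protects the usernames you apply it to; every account that is allowed to use a tunnel-group whose pre-shared key has been handed out should get a lock, or the same trick works for them.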
That's it. Now the hvac.guy user can ONLY authenticate if he is using the HVAC tunnel-group and pre-shared key in his VPN client. If he happens to get hold of the tunnel-group credentials for the Corp tunnel, his login credentials for hvac.guy will fail to give him access to the Corp tunnel and Corp resources. Keep in mind that the weak protection of the pre-shared key in the .pcf file has not gone away: group-lock stops a known user from hopping tunnel-groups, but the Corp pre-shared key is still a shared secret that should be treated (and rotated) as such.