Anonymous_User

Cisco ASA

Anyone out here use one of these & have vpn users connect to it?

When you did your setup, did you have to set up separate vpn address
pools for *each* group of people to allow them access to only certain
IP addresses/ranges, or can that be done somewhere else?

--

Stevo
9 Replies
jmarton2

Re: Cisco ASA

On Thu, 18 Jun 2009 19:17:15 +0000, Stevo wrote:

> Anyone out here use one of these & have vpn users connect to it?


Yes.

> When you did your setup, did you have to set up separate vpn address
> pools for *each* group of people to allow them access to only certain IP
> addresses/ranges,


Originally we did this on the PIX and for now we carried the same config
over to our ASAs.

> or can that be done somewhere else?


There's a way to use full blown ACLs so you limit people to specific
ports rather than simply doing it on a per-host basis. I haven't done it
yet but it looks like it's not too difficult to configure via the ASDM.



--
Joe
Does this washcloth smell like chloroform?

Joe Marton Emeritus Knowledge Partner
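The approach Joe describes, one address pool per group with a "full blown" ACL that limits each group to specific hosts and ports instead of a per-host permit list, as an added example and not configuration posted by anyone in the thread. The pool ranges, protected-host addresses, ports, and the policy, ACL and tunnel-group names are constructed placeholders.

```cisco
! Constructed example: one address pool and one VPN filter ACL per group.
! All addresses, ports and names below are placeholders, not from the thread.

! Finance users are assigned from 10.10.10.0/24 ...
ip local pool VPN_POOL_FINANCE 10.10.10.1-10.10.10.100 mask 255.255.255.0
! ... engineering users from 10.10.20.0/24
ip local pool VPN_POOL_ENG 10.10.20.1-10.10.20.100 mask 255.255.255.0

! Filter ACLs: the VPN client pool is the source, the protected host is the
! destination, and the port limits each group to just the service it needs.
! The explicit deny with "log" makes blocked attempts visible in syslog.
access-list VPN_FILTER_FINANCE extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.50.10 eq 443
access-list VPN_FILTER_FINANCE extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.50.20 eq 1433
access-list VPN_FILTER_FINANCE extended deny ip any any log

access-list VPN_FILTER_ENG extended permit tcp 10.10.20.0 255.255.255.0 192.168.60.0 255.255.255.0 eq 22
access-list VPN_FILTER_ENG extended permit tcp 10.10.20.0 255.255.255.0 host 192.168.60.5 eq 443
access-list VPN_FILTER_ENG extended deny ip any any log

! One group policy per group ties its pool and its filter together
group-policy GP_FINANCE internal
group-policy GP_FINANCE attributes
 address-pools value VPN_POOL_FINANCE
 vpn-filter value VPN_FILTER_FINANCE

group-policy GP_ENG internal
group-policy GP_ENG attributes
 address-pools value VPN_POOL_ENG
 vpn-filter value VPN_FILTER_ENG

! Connection profiles (tunnel groups) select which group policy a user gets
tunnel-group VPN_FINANCE type remote-access
tunnel-group VPN_FINANCE general-attributes
 default-group-policy GP_FINANCE

tunnel-group VPN_ENG type remote-access
tunnel-group VPN_ENG general-attributes
 default-group-policy GP_ENG
```

Because the filter is attached to the group policy rather than to the pool, a single shared pool with per-group filters also works, but then the source of every ACE has to be the whole pool and the pool no longer tells you which group a session belongs to. `show vpn-sessiondb detail` lists the filter applied to each session and `show access-list VPN_FILTER_FINANCE` shows per-ACE hit counts, which is the quickest way to confirm a user landed in the intended policy. The direction in which a vpn-filter ACE is evaluated (client as source, protected host as destination, with return traffic handled statefully) is documented by Cisco per ASA release and is worth checking before relying on the port restrictions.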
Anonymous_User

Re: Cisco ASA

Yep, vpnprofile gets an IP address from a specific pool and I ACL the
snot outta that.

Stevo wrote:
> Anyone out here use one of these & have vpn users connect to it?
>
> When you did your setup, did you have to set up separate vpn address
> pools for *each* group of people to allow them access to only certain
> IP addresses/ranges, or can that be done somewhere else?
>

Anonymous_User

Re: Cisco ASA

unsigned apparently said:

> Yep, vpnprofile gets an IP address from a specific pool and I ACL the
> snot outta that.


Looks like that's the way to go, just kind of a pain, as we have a
large number of people that will need to connect to a wide range of
different addresses.

--

Stevo
Anonymous_User

Re: Cisco ASA

Stevo;1811230 wrote:
> Anyone out here use one of these & have vpn users connect to it?


I don't know if I'm at the right place here, but I have a question regarding vpn.
I have a Cisco ASA appliance on which I configured SSL-VPN.
It all works fine, but now I want to use the Novell LDAP-database for user authentication.
Does anyone know how to configure this for Novell?

I know how to configure it with Microsoft Active Directory but I'm a complete nono to Novell...
With Active Directory you need things like domain-names, group names etc. to configure an LDAP-server on the ASA but what do I need for Novell?
I assume I need to configure the tree and context etc?
jmarton2

Re: Cisco ASA

On Wed, 22 Jul 2009 10:56:01 +0000, gjwieringa wrote:

> I don't know if I'm at the right place here, but I have a question
> regarding vpn.
> I have a Cisco ASA appliance on which I configured SSL-VPN. It all works
> fine, but now I want to use the Novell LDAP-database for user
> authentication.
> Does anyone know how to configure this for Novell?


It's pretty easy to enable this on the ASA. In fact when you use the
ASDM to configure this there's a drop down box for LDAP server type and
one is "Novell eDirectory" or something like that.



--
Joe
Does this washcloth smell like chloroform?

Joe Marton Emeritus Knowledge Partner
jcalderwood

Re: Cisco ASA

On 7/22/09 8:15 AM, Joseph Marton wrote:
> On Wed, 22 Jul 2009 10:56:01 +0000, gjwieringa wrote:
>
>> I don't know if I'm at the right place here, but I have a question
>> regarding vpn.
>> I have a Cisco ASA appliance on which I configured SSL-VPN. It all works
>> fine, but now I want to use the Novell LDAP-database for user
>> authentication.
>> Does anyone know how to configure this for Novell?
>
> It's pretty easy to enable this on the ASA. In fact when you use the
> ASDM to configure this there's a drop down box for LDAP server type and
> one is "Novell eDirectory" or something like that.

I was going to say that...but didn't know if that was considered support
and needed to be pointed to the edirectory forum. That's why I waited
for a sysop type to answer <G>
jmarton2

Re: Cisco ASA

On Wed, 22 Jul 2009 12:17:50 +0000, Jay Calderwood wrote:

> I was going to say that...but didn't know if that was considered support
> and needed to be pointed to the edirectory forum.


Well I'm not telling him how to configure any Novell products. Just
telling how to configure a Cisco product. If he has to do any
configuration on the eDir side of things those questions will have to go
into the support forums for sure.



--
Joe
Does this washcloth smell like chloroform?

Joe Marton Emeritus Knowledge Partner
Anonymous_User

Re: Cisco ASA

Guys, thanks for your answers.
I already found it out.
The ASA-part of the configuration is not a problem, but I needed to know how to connect to the Novell-server for vpn-authentication.
I found out that it's similar to connecting to Active Directory...

I still have one question.
In Active Directory there's an option to grant a user dial-in permissions.
Is there something similar for Novell?
Now all my users in NDS are allowed to login via SSL-VPN and I want to restrict it.

I created a workaround by defining a "noaccess" default policy on my ASA, but that's not the best option since I now am unable to map certain (ASA-)group policies to (NDS)user-groups...
jmarton2

Re: Cisco ASA

On Thu, 23 Jul 2009 08:46:01 +0000, gjwieringa wrote:

> In Active Directory there's an option to grant a user dial-in
> permissions.
> Is there something similar for Novell? Now all my users in NDS are
> allowed to login via SSL-VPN and I want to restrict it.


Please ask in the eDir or one of the NetWare forums.

Hint: Yes, I'm pretty sure you can do this easily, but this is a chat
only forum. No support allowed.



--
Joe
Does this washcloth smell like chloroform?

Joe Marton Emeritus Knowledge Partner
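An added example, not configuration posted by anyone in the thread, of the ASA side of what was discussed: the eDirectory server type Joe points at, plus an LDAP attribute map that turns eDirectory groupMembership into an ASA group policy, so that gjwieringa's "noaccess" default policy no longer prevents mapping group policies to eDirectory groups. Users whose groupMembership matches no map entry fall into the default policy, whose zero simultaneous logins rejects them at login. The server address, bind DN, base DN, group DNs and policy names are constructed placeholders.

```cisco
! Constructed example: eDirectory LDAP authentication with group-to-policy
! mapping. Server address, DNs and names are placeholders, not from the thread.

! Map the eDirectory groupMembership attribute onto the ASA group policy.
! IETF-Radius-Class is the ASA-side attribute that selects a group policy.
ldap attribute-map EDIR_MAP
 map-name groupMembership IETF-Radius-Class
 map-value groupMembership "cn=vpn-finance,ou=groups,o=example" GP_FINANCE
 map-value groupMembership "cn=vpn-eng,ou=groups,o=example" GP_ENG

! The eDirectory server. "server-type novell" is the CLI equivalent of the
! "Novell eDirectory" choice in the ASDM drop-down; cn is the naming
! attribute for eDirectory users (AD would use sAMAccountName).
aaa-server EDIR protocol ldap
aaa-server EDIR (inside) host 192.0.2.10
 ldap-base-dn o=example
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-dn cn=asa-bind,ou=services,o=example
 ldap-login-password BIND_PASSWORD_PLACEHOLDER
 server-type novell
 ldap-over-ssl enable
 server-port 636
 ldap-attribute-map EDIR_MAP

! Group policies the map can place a user in (pools/filters omitted here)
group-policy GP_FINANCE internal
group-policy GP_ENG internal

! Default policy with zero simultaneous logins: a user whose groupMembership
! matches no map-value gets this policy and is rejected at login, which is
! the ASA-side equivalent of withholding "dial-in" permission.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

! The SSL VPN connection profile authenticates against eDirectory and
! starts everyone in the no-access policy until the map says otherwise
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group EDIR
 default-group-policy GP_NOACCESS
```

`test aaa-server authentication EDIR host 192.0.2.10 username <user> password <pw>` checks the bind and search without a real client, and `debug ldap 255` during a test login shows the user's groupMembership values and which map-value (if any) matched, which is the first thing to look at when a user ends up in GP_NOACCESS unexpectedly. Binding over LDAPS keeps the bind account's password and the users' credentials off the wire between the ASA and the directory.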