That can be done at the user or group level. There is an option called a Dynamic Access Control List (DACL) that allows this granularity and can be based on user, group or even the security posture of the device that is connecting.
Thanks for the question,
Keith Barker
Explained in simple way, thank you
Exactly. It was clear and easy to understand.
absolutely clear explanation
You're a fantastic faculty and master of all the masters...
Quick and informative. 🐿👍
Great video and very easy to understand. You are a great teacher, Keith.
If we want to also NAT the full-tunnel traffic so that the user can access both the intranet and the internet, how can we do that? Kindly tell the options,
except split tunneling.
Amazing video, so easy to understand.
Quick question. In the initial example, you said that you can still access normal websites when using a full tunnel (live video stream in your example) but the connection would just be a little slower due to the encryption taking place. If this is the case, why wasn't Keith able to access Google when he connected to the VPN until he set up the split tunnelling?
Very clear, thanks brother.
Wow, that was amazing, very clear... thanks a lot.
I am not sure about ASA, but we can do this on a Juniper SSL VPN. You can create roles for both users, e.g. Role A for Bob and Role B for Cat. Then we can control what they access using ACLs.
Let's say you want Bob to access only one server (10.9.222.210) and Cat another one (10.9.222.45).
Then the policy would look something like this:
Policy1 >> 10.9.222.210/32 Allow Role A
Policy2 >> 10.9.222.45/32 Allow Role B
The above are NOT commands that you can execute from a CLI.
Can we implement layer 4 split tunneling?
you are the best!!
Hi Keith, what happens if you uncheck Inherit for Policy and choose Tunnel Network List Below, then you check Inherit for the Network List?
I have that set up on my firewall and it inherits an ACL which is in the Network List if you uncheck Inherit and click Manage to select it.
Why does it select that ACL if Inherit is checked? I can see it in the AnyConnect client where it shows the secured routes, and I have an internet connection, so split tunneling is working.
I am really not following this, the internet connection should not be working.
Thx
Hi:
Is it possible to have an ASA (or any other VPN device, for that matter) control access to devices behind the ASA based on the VPN user/group? I.e. User Bob --> Server 1 only, User Cat --> Server 2 only. Each user may even have a different IP network... Bob could be assigned 192.168.10.10 and Cat could be assigned 192.168.20.10.
Thanks !
Good job.
Fantastic;
Don't go to CNN, go to CBT.