Please, how can I use a Cisco ASA 5505 to permit only some specific users to access the internet?
Note: I want to allow 5 users to access the internet and block all the others.
Best Regards
Please see the configuration below:
ciscoasa# show running-config
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
description LAN
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description INTERNET
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
Best Answer
I can think of a few possible strategies to achieve the desired result of allowing 5 users Internet access and blocking all others:
1. Configure static IP addresses on the PCs of the 5 users, or configure the DHCP server with IP address reservations for those 5 (based on their MAC address, always assign them the same IP address). Then on the ASA you can simply put an ACL on the inside interface allowing only traffic from those 5 IP addresses. Note that this is the most basic solution, but:
2. Physically separate the users' PCs into 2 different (V)LANs. E.g. if your current setup has all users connected to a switch (or set of switches) connected to Eth0/1, then unplug those 5 users and plug them into ports Eth0/2-6, configure those ports as vlan 3, configure an
interface vlan3
etc., and put a blocking ACL on vlan1 and a permissive ACL on vlan3. Note that
3. Almost the same as #2, but instead of physically separating them, logically separate them on your existing LAN switch(es), i.e. create a new vlan3 on your LAN switch(es), assign the 5 allowed users' ports to that vlan, configure the link between the ASA and the switch as a trunk (and then, same as in #2, configure a vlan3 interface and ACL). Same caveats as in #2.
4. Configure Cut-Through Authentication, which requires users to enter a username and password before they can access the Internet, so in your case you would only create accounts for the 5 allowed users. Note that this is now user-based, not PC-based. So allowed users can log in from any PC in the network or connect to any switchport, and prohibited users cannot access the internet no matter where they are (as long as the 5 users keep their credentials secret).
5. Configure Identity Firewall, which integrates with Active Directory, so users no longer have to authenticate to the firewall explicitly as in #4; this happens transparently, and you create ACLs based on AD usernames.
6. Configure 802.1x on your LAN switch(es), if they support it, and then you get a whole range of additional options, e.g. you can have the switch dynamically change the vlan on the port the user connects to (and then combine that with #3 above) or dynamically create ACLs on the switch.
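Worked configuration for strategy #1 (static addresses plus an ACL on the inside interface), added here as an example; it is not part of the original question or answer. It assumes the five permitted PCs are statically addressed 192.168.1.11 through 192.168.1.15, that the object-group and ACL names are hypothetical, and, because the running-config in the question is cut off before any NAT lines, that the dynamic PAT statement is an assumption rather than something taken from the poster's box.

```cisco
! Added example for strategy #1 on ASA 8.3(1). All names below are
! hypothetical; host addresses .11-.15 and the NAT statement are assumed.
!
! The five permitted inside hosts (statically addressed on the PCs).
object-group network ALLOWED-INTERNET-HOSTS
 network-object host 192.168.1.11
 network-object host 192.168.1.12
 network-object host 192.168.1.13
 network-object host 192.168.1.14
 network-object host 192.168.1.15
!
! Permit those hosts to anywhere; explicitly deny and log everyone else.
! The implicit deny at the end of the ACL would block them anyway, but an
! explicit logged deny gives hit counts and syslog entries for troubleshooting.
access-list INSIDE_IN extended permit ip object-group ALLOWED-INTERNET-HOSTS any
access-list INSIDE_IN extended deny ip any any log
!
! Apply the ACL inbound on the inside interface. On 8.3 interface ACLs match
! real (pre-NAT) addresses, so the 192.168.1.x addresses are used as-is.
access-group INSIDE_IN in interface inside
!
! Dynamic PAT to the outside (DHCP-assigned) interface address so the
! permitted hosts can actually reach the internet. Assumed: the config in
! the question stops before any NAT lines, so this may already exist.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- Verification ---
! Per-line hit counts; the deny line should climb when a blocked host tries.
show access-list INSIDE_IN
! Simulate a blocked host (192.168.1.50, assumed) opening a web connection
! to an outside address. The final phase should report
!   Action: drop  Drop-reason: (acl-drop) Flow is denied by configured rule
packet-tracer input inside tcp 192.168.1.50 12345 203.0.113.10 80
! Repeat for a permitted host; the result should be Action: allow.
packet-tracer input inside tcp 192.168.1.11 12345 203.0.113.10 80
```

Design caveat: this control is keyed on source IP address only. Anyone on the inside LAN who sets their own address to one of the five permitted ones (while that PC is off, or by accepting the conflict) passes the ACL, and the ASA cannot tell the difference. That is why the answer's later options (cut-through authentication, Identity Firewall, 802.1x) tie the decision to a user or an authenticated port rather than an address.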
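Worked configuration for strategy #4 (cut-through authentication with local user accounts), added here as an example; it is not part of the original answer. It assumes the five users are defined locally on the ASA (an external RADIUS/TACACS+ server could be substituted for LOCAL), that the ACL name and usernames are hypothetical, and that the passwords shown are placeholders.

```cisco
! Added example for strategy #4 on ASA 8.3(1). Usernames, passwords and the
! ACL name are hypothetical; authentication is against the LOCAL user database.
!
! Local accounts for the five permitted users. privilege 0 keeps these
! accounts from being usable for management access to the ASA itself.
username alice password Placeholder-1 privilege 0
username bob   password Placeholder-2 privilege 0
username carol password Placeholder-3 privilege 0
username dave  password Placeholder-4 privilege 0
username erin  password Placeholder-5 privilege 0
!
! Traffic that must be authenticated before the ASA forwards it: all TCP
! from the inside LAN to anywhere. The ASA can prompt for credentials on
! HTTP, HTTPS, FTP and Telnet; once a source IP has authenticated, other
! traffic from that IP matching this ACL is allowed for the uauth lifetime.
access-list AUTH-NEEDED extended permit tcp 192.168.1.0 255.255.255.0 any
aaa authentication match AUTH-NEEDED inside LOCAL
!
! Intercept plain-HTTP browsing on the inside interface and redirect the
! browser to the ASA's own login page instead of relying on the basic-auth
! prompt, which some browsers and proxies mishandle.
aaa authentication listener http inside port 80 redirect
!
! Authenticated-session lifetime: re-authenticate after 30 minutes absolute
! or 5 minutes of inactivity, so a walked-away PC does not stay open.
timeout uauth 0:30:00 absolute uauth 0:05:00 inactivity
!
! --- Verification ---
! Lists currently authenticated users with their source IP and timers.
show uauth
! Force a specific user's session to end (e.g. when a PC is handed over).
clear uauth alice
```

Because the decision is made per user rather than per PC, nobody needs a fixed address, and an unauthenticated host on the LAN simply gets the login page (or a refused connection for non-web protocols) until one of the five accounts is entered. The remaining exposure is the one the answer notes: the control is only as strong as the users' willingness to keep their passwords to themselves, and a session that has already authenticated is tied to the IP address for the uauth period.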