How can I use Cisco ASA 5505 to permit some specific users to access the internet


Please, how can I use a Cisco ASA 5505 to permit some specific users to access the internet?

Note: I want to allow 5 users to access the internet and block the others.

Best Regards

Please see the configuration below:

ciscoasa# show running-config
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description INTERNET
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

Best Answer

I can think of a few possible strategies to achieve the desired result of allowing 5 users Internet access and blocking all others:

  1. Configure static IP addresses on the PCs of the 5 users, or configure the DHCP server with IP address reservations for those 5 (based on their MAC address, always assign them the same IP address). Then on the ASA you can simply put an ACL on the inside interface allowing only traffic from those 5 IP addresses. Note that this is the most basic solution, but:

    • This allows the 5 PCs access, not the 5 users. So user6 can still access the Internet from user5's PC.
    • It is subject to IP spoofing, i.e. when user6 sees that user5's PC is powered off, user6 can configure user5's IP address on his PC and hence get Internet access.
  2. Physically separate the users' PCs into 2 different (V)LANs. E.g. if your current setup has all users connected to a switch (or set of switches) connected to Eth0/1, then unplug those 5 users and plug them into ports Eth0/2-6, configure those as vlan 3, configure an interface vlan3 etc., put a blocking ACL on vlan1 and a permissive ACL on vlan3. Note that

    • this is still device-based, not user-based, i.e. this still allows user6 to use user5's PC to access the Internet
    • there are some physical restrictions
    • user6 may potentially unplug user5's cable and plug it into his PC to get Internet access
    • you'll need a new IP subnet and DHCP range (for which the ASA can either be the DHCP server, or DHCP relay to your current DHCP server).
  3. Almost the same as #2 but instead of physically separating them, logically separate them on your existing LAN switch(es), i.e. create a new vlan3 on your LAN switch(es), assign the 5 allowed users' ports to that vlan, configure the link between ASA and switch as trunk (and then same as in #2, configure a vlan3 interface and ACL). Same caveats as in #2.

  4. Configure Cut-Through Authentication, which requires users to enter a username and password before they can access the Internet, so in your case you would only create accounts for the 5 allowed users. Note that this is now user-based, not PC-based. So allowed users can log in from any PC in the network or connect to any switchport, and prohibited users cannot access the Internet no matter where they are (as long as the 5 users keep their credentials secret).

  5. Configure Identity Firewall which integrates with Active Directory, so users no longer have to authenticate to the firewall explicitly as in #4 but this happens transparently, and you create ACLs based on AD usernames.

  6. Configure 802.1x on your LAN switch(es), if they support it, and then you get a whole range of additional options, e.g. you can have the switch dynamically change the vlan on the port the user connects to (and then combine that with #3 above) or dynamically create ACLs on the switch.
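A worked configuration for options #1 and #4 from the answer above, added as an editor's example; it is not part of the original answer and not taken from the poster's running-config. It assumes the poster's addressing (inside 192.168.1.0/24 on Vlan1, outside on Vlan2 via DHCP), that the five allowed PCs use the made-up addresses 192.168.1.11-192.168.1.15, that outbound NAT for 192.168.1.0/24 already exists in the part of the running-config that was not pasted, and that the usernames and passwords are placeholders. The two sections are alternatives: apply one or the other, not both. One caveat the answer does not mention: the ASA's own dhcpd has no per-MAC reservations, so option #1 needs static addressing on the PCs or an external DHCP server.

```cisco
! ===== Option 1: permit five fixed addresses (device-based) =====
! Hosts are identified only by source IP, so anyone who configures one of
! these addresses on their own PC gets out (the spoofing caveat above).
object-group network INTERNET-ALLOWED
 description PCs of the five users allowed to reach the internet (example addresses)
 network-object host 192.168.1.11
 network-object host 192.168.1.12
 network-object host 192.168.1.13
 network-object host 192.168.1.14
 network-object host 192.168.1.15
!
! Inbound ACL on "inside": the five hosts may go anywhere, everyone else is
! denied. The explicit deny-with-log entry makes blocked attempts visible in
! syslog and in the hit counters of "show access-list INSIDE-IN".
! Traffic addressed to the ASA itself (dhcpd, management) is not subject to
! this ACL, so the other PCs still get DHCP leases from the firewall.
access-list INSIDE-IN extended permit ip object-group INTERNET-ALLOWED any
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside
!
!
! ===== Option 4: cut-through proxy (user-based), LOCAL user database =====
! Accounts exist only for the five permitted users; nobody else can
! authenticate. Replace the placeholder passwords before use.
username alice password Replace-Me-1 privilege 0
username bob   password Replace-Me-2 privilege 0
username carol password Replace-Me-3 privilege 0
username dave  password Replace-Me-4 privilege 0
username erin  password Replace-Me-5 privilege 0
!
! Which traffic requires authentication. A "deny" line in this ACL means
! "do not require authentication": DNS is exempted, otherwise an
! unauthenticated browser cannot even resolve the name of the page that
! would trigger the login prompt. (Trade-off: blocked users can still send
! DNS queries to the internet.) Everything else from the LAN must be
! authenticated first.
access-list AUTH-REQUIRED extended deny udp 192.168.1.0 255.255.255.0 any eq domain
access-list AUTH-REQUIRED extended permit ip 192.168.1.0 255.255.255.0 any
aaa authentication match AUTH-REQUIRED inside LOCAL
!
! The ASA can only prompt for credentials over HTTP/HTTPS/FTP/Telnet. Serve
! the login page on the inside interface and redirect intercepted HTTP to
! it, so a user just opens any web page, logs in, and the ASA then caches
! the user's source IP in its uauth table and passes that host's other
! traffic (the reason user6 can ride on user5's still-logged-in PC).
aaa authentication listener http inside port 8080 redirect
!
! Expire cached logins 30 minutes after authentication regardless of
! activity (default is 5 minutes); a short absolute timeout limits how
! long a logged-in but unattended PC stays usable by someone else.
timeout uauth 0:30:00 absolute
!
! Verification: "show uauth" lists authenticated users and their IPs,
! "show access-list INSIDE-IN" shows per-entry hit counts for option 1.
```

For option #4 a user who first tries a non-web protocol (for example a mail client) is simply dropped until they have logged in through the browser once; that is the behaviour the "prohibited users cannot access the Internet no matter where they are" sentence in the answer relies on, since only the five LOCAL accounts can satisfy the prompt.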