Anyconnect users are able to connect to subnets that are not configured for NAT0

Illini79 — Tue, 12 Mar 2019 11:40:10 GMT

Hello,

I've successfully configured remote access to multiple internal subnets by using NAT0 statements between the remote subnet and the internal subnets. But I'm unable to determine the configuration that that is allowing access to our a storage subnet that is not configured for remote access?

Could someone help me to identify the code that is allowing remote users on subnet 192.168.85.0/24 access to subnet 192.168.100.0/24?

interface Vlan100
nameif HUDSON-STORAGE
security-level 100
ip address 192.168.100.100 255.255.255.0

object network NAT0-TO-ANYCONNECT-HOST
subnet 0.0.0.0 0.0.0.0

object network ANYCONNECT-VPN85-HOST

range 192.168.85.1 192.168.85.25

ip local pool ANYCONNECT-VPN85-POOL 192.168.85.1-192.168.85.25 mask 255.255.255.0

nat (HUDSON-SECURITY,OUTSIDE-COMCAST) source static NAT0-TO-ANYCONNECT-HOST NAT0-TO-ANYCONNECT-HOST destination static ANYCONNECT-VPN85-HOST ANYCONNECT-VPN85-HOST no-proxy-arp route-lookup

nat (HUDSON-TV,OUTSIDE-COMCAST) source static NAT0-TO-ANYCONNECT-HOST NAT0-TO-ANYCONNECT-HOST destination static ANYCONNECT-VPN85-HOST ANYCONNECT-VPN85-HOST no-proxy-arp route-lookup

nat (HUDSON-SERVERS,OUTSIDE-COMCAST) source static NAT0-TO-ANYCONNECT-HOST NAT0-TO-ANYCONNECT-HOST destination static ANYCONNECT-VPN85-HOST ANYCONNECT-VPN85-HOST no-proxy-arp route-lookup

nat (INSIDE-VLAN4,OUTSIDE-COMCAST) source static NAT0-TO-ANYCONNECT-HOST NAT0-TO-ANYCONNECT-HOST destination static ANYCONNECT-VPN85-HOST ANYCONNECT-VPN85-HOST no-proxy-arp route-lookup

nat (HUDSON-KUNA,OUTSIDE-COMCAST) source dynamic HUDSON-KUNA-SUBNET interface
nat (HUDSON-SECURITY,OUTSIDE-COMCAST) source dynamic HUDSON-SECURITY interface
nat (HUDSON-SERVERS,OUTSIDE-COMCAST) source dynamic HUDSON-SERVERS interface
nat (INSIDE-VLAN4,OUTSIDE-COMCAST) source dynamic INSIDE-VLAN4-NETWORK interface
nat (HUDSON-TV,OUTSIDE-COMCAST) source dynamic HUDSON-TVs interface
nat (OUTSIDE-COMCAST,OUTSIDE-COMCAST) source dynamic ANYCONNECT-VPN85-HOST interface

group-policy ANYCONNECT-HUDSON85-GP internal
group-policy ANYCONNECT-HUDSON85-GP attributes
dns-server value 8.8.8.8
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 ssl-client
webvpn
anyconnect keep-installer installed
anyconnect dpd-interval client 180
anyconnect profiles value HUDSON-IKEv2-ANYCONNECT-PROFILE type user
anyconnect ask none default anyconnect

tunnel-group ANYCONNECT-VPN85-TG type remote-access
tunnel-group ANYCONNECT-VPN85-TG general-attributes
address-pool ANYCONNECT-VPN85-POOL
default-group-policy ANYCONNECT-HUDSON85-GP
tunnel-group ANYCONNECT-VPN85-TG webvpn-attributes
group-alias HUDSON.NET enable

Re: Anyconnect users are able to connect to subnets that are not configured for NAT0

Rahul Govindan — Fri, 27 Oct 2017 11:13:25 GMT

If you want the users to only access certain subnets internally, you would need to create a VPN filter to specifically allow only those networks. An example for this is below:

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6

Nat exemption is only needed when you have a dynamic PAT rule that users will hit by default. So if HUDSON-STORAGE network has no PAT rule for internet access (or any other NAT rule), it will basically be passed through the ASA untranslated and to the VPN users. NAT exemption is not an effective way of blocking network access for VPN users.

topic Re: Anyconnect users are able to connect to subnets that are not configured for NAT0 in VPN

Anyconnect users are able to connect to subnets that are not configured for NAT0

Re: Anyconnect users are able to connect to subnets that are not configured for NAT0