topic Re: Restrict VPN to certain computers in Network Security

Restrict VPN to certain computers

info0000102 — Fri, 21 Feb 2020 17:11:42 GMT

Hello!

We have a situation where, for interoffice compliance, we want to regulate what machines can and can't connect to the AnyConnect VPN service. We're advising our employees that they are to only use work computers to connect to the VPN, as some have used personal devices in the past. However, we are looking to control this (or at least monitor this) if possible. As of right now, there is no authentication server, and we're using ASA 5508x devices. Is it a possibility to control the connections, and if not, can we at least monitor what machine is connecting to the network to address it internally if needed? Thanks for any assistance you can give.

Re: Restrict VPN to certain computers

balaji.bandi — Wed, 05 Jun 2019 18:54:28 GMT

Are you providing the device to end user to use your corporate laptop ?

you do not want any other device to use any connect ?

Re: Restrict VPN to certain computers

info0000102 — Wed, 05 Jun 2019 19:06:39 GMT

Are you providing the device to end user to use your corporate laptop ?

- I'm not sure if I understand. They will be using a corporate laptop to connect. We want to either prevent connecting from non-preconfigured laptops, or monitor what computers connect remotely.

you do not want any other device to use any connect ?

- Correct - Only the computers we specify that have been preconfigured. We want to prevent other machines from connecting to the VPN.

I know there are some DACL rules you can set, but I'm not incredibly familiar with this setting.

Re: Restrict VPN to certain computers

balaji.bandi — Wed, 05 Jun 2019 19:32:15 GMT

here is the example certificate based authtentication :

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/212483-configure-asa-as-the-ssl-gateway-for-any.html

Re: Restrict VPN to certain computers

herm — Thu, 06 Jun 2019 03:37:44 GMT

you can try using the windows host file to direct non authorized internal workstations when they try to connect to the anyconnect ip to go to 127.0.0.0.

if you want to monitor who is connected it from the asa side, i would create an eem script and have it monitor/look for the syslog # of the anyconnect service when connected then tag in to call-home that way it send (emails) you who just got connected via any connect vpn.