cisco ASA remote vpn user default permission

paul amaral
Level 4

Hi, I know by default higher security interfaces can access lower security interfaces but not the other way around, unless you use an ACL on the lower security interface to allow permission to the higher security interface/resource. However, let's say a remote VPN user gets assigned an IP from the VPN pool and those IPs are also part of the admins vlan. Will that VPN user be treated like a host connected from inside that vlan? So will the VPN user be able to access all hosts inside the admins vlan, or, because it's a VPN user, be treated differently? Will I need ACLs to permit the remote VPN user to connect to services inside the admins vlan, and if so, where do I specify the ACL: on the outside interface or under the tunnel group?

 

tia, Paul 

4 Replies

balaji.bandi
Hall of Fame

Depends on your deployment.

 

in general, you need ACL for the VPN user IP pool to access the internal LAN address.

here is the document :

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html

 

BB


@balaji.bandi  The local LAN in the document you linked refers to the client's local LAN - not the remote site LANs or subnets.

@paul amaral the following may be useful for you to understand:

Configure the sysopt connection permit-vpn command, which exempts traffic that matches the VPN connection from the access control policy. The default for this command is no sysopt connection permit-vpn, which means VPN traffic must also be allowed by the access control policy.

As @balaji.bandi has mentioned, this depends on your network setup.  If you have no other security features in place to control access to your network devices and the VPN user receives an IP from within the Admin VLAN, those users will also be able to connect to your network devices accessible from the Admin VLAN (granted they would also need a user that has login rights to those network devices).

An option, in addition to what has already been mentioned, and which I believe is a better option, is to use the VPN filter feature.  This will allow you to apply an access list specifically to the VPN connection in question.  This is configured in the group policy that is assigned to the AnyConnect VPN Connection profile.

Ideally you would have the Admin subnet and user subnet separate.


Marius/Marvin

 

First, thanks for the response. I know about the VPN filter and I am not using it. I need the remote user to have full access into the admin vlan 192.168.2.0/24. Currently the remote VPN user gets an IP from a pool. It gets an IP in the range of 192.168.2.90-99. I'm assuming that because that IP is part of the admin vlan it gets full access and I don't need ACLs to allow the VPN user into the admin vlan?? This is what I'm trying to accomplish.

 

When testing, I log in remotely and I get assigned 192.168.2.92, and I can ping 192.168.2.131 and I can also query that DNS server. So am I right to assume that the remote VPN user is seen as part of that vlan? The weird thing is, if I use packet tracer to test ICMP/DNS from 192.168.2.92 to 192.168.2.131 it fails, but it works once I'm connected via the VPN. I ask this because the remote user supposedly is not connecting to a Windows AD server on the admin/192.168.2.0 network and I'm wondering if I have missing permissions. I guess I can use the sysopt connection permit-vpn option to temporarily test things. Also, if there is no VPN filter, does that mean it's allowing everything?

 

vlan 102
 nameif ADMIN
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
object network remote_vpn
 range 192.168.2.90 192.168.2.99

nat (WAN,ADMIN) source static remote_vpn remote_vpn destination static ADMINSTAFF_net ADMINSTAFF_net no-proxy-arp
! I think I should probably have ADMIN,WAN static so its not translated back to the WAN ip when responding

tunnel-group xx type remote-access
tunnel-group xx general-attributes
 address-pool xx
 default-group-policy xx

ip local pool xx 192.168.2.90-192.168.2.99 mask 255.255.255.0

 

Paul

 

 

Paul 
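As an added example (not posted by anyone in this thread, and not Cisco's own documentation), here is an ASA configuration that gives the 192.168.2.90-99 pool full access into the ADMIN subnet with a vpn-filter in the group policy, as Marius suggests, together with the identity NAT written in the ADMIN,WAN direction that Paul was considering. The interface names WAN and ADMIN, the remote_vpn object and the pool range are taken from Paul's post; ADMIN_net, VPN_FILTER and GP_ADMIN are names chosen for this example, and the tunnel-group and pool names stay redacted as xx.

```text
! --- Objects (remote_vpn and its range are from the thread; ADMIN_net is assumed) ---
object network ADMIN_net
 subnet 192.168.2.0 255.255.255.0
object network remote_vpn
 range 192.168.2.90 192.168.2.99
!
! --- Identity (NAT-exempt) rule, written from the ADMIN side ---
! A static twice-NAT rule is applied in both directions, so this one rule
! covers client-to-ADMIN traffic and the ADMIN-to-client replies.
nat (ADMIN,WAN) source static ADMIN_net ADMIN_net destination static remote_vpn remote_vpn no-proxy-arp route-lookup
!
! --- vpn-filter: the ACL is evaluated with the VPN client as the DESTINATION ---
! (inside resource -> client), so the ADMIN network is the source here.
! One permit-ip line gives the pool full access to ADMIN; the implicit deny
! at the end of the ACL then blocks the client from every other subnet.
access-list VPN_FILTER extended permit ip object ADMIN_net object remote_vpn
!
group-policy GP_ADMIN internal
group-policy GP_ADMIN attributes
 vpn-filter value VPN_FILTER
!
ip local pool xx 192.168.2.90-192.168.2.99 mask 255.255.255.0
tunnel-group xx general-attributes
 address-pool xx
 default-group-policy GP_ADMIN
```

Two checks that go with this: `show running-config all sysopt` prints the sysopt connection permit-vpn setting even when it is at its default, which tells you whether the WAN interface ACL is also applied to the decrypted traffic, and `show vpn-sessiondb detail anyconnect` shows which group policy and filter name an active session actually received. When no vpn-filter is configured in the group policy, no filter is applied to the session at all, so the only things limiting the client are the NAT rules and (depending on the sysopt setting) the interface ACLs.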
