04-03-2014 08:23 AM - edited 03-11-2019 09:01 PM
Hi,
I have gotten a rather unusual request and was wondering whether anybody has come across it before, and if it is technically feasible. We have a Cisco ASA firewall that terminates remote access clients using an AnyConnect SSL VPN on the outside interface.
There is a DMZ interface on this same firewall that Guest Wireless clients use as their default gateway and route out to the internet via the outside interface.
Is it possible for these Guest Wireless clients to build a remote access VPN to the outside interface of the same ASA? (i.e. NAT the guest clients to a public IP in the same subnet as the outside interface and then come back in to the inside interface to access resources)
Cheers
Brian
04-03-2014 12:57 PM
Hi Brian,
How about configuring webvpn on the DMZ interface as well as on the Internet facing interface?
Was in the same situation a few years back. It was easier to just configure webvpn on the guest-dmz interface.
I'm pretty sure that the ASA is not able to forward a flow from a higher security-level interface to a lower security-level interface and back in.
You might be thinking of the "same-security-level permit-intra-interface" command?
That one does allow you to "loop" a flow from one host to another connected to an Interface.
Cheers,
Søren Elleby Sørensen
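The configuration below is an added example of the approach Søren describes (enabling the AnyConnect/WebVPN service on the guest DMZ interface alongside the outside interface); it is not from his post or from the original poster. The interface name `guest-dmz`, its addressing, the pool, group and tunnel-group names, the trustpoint name and the AnyConnect package filename are all assumptions for illustration.

```cisco
! Added example, not from the original thread. Names, addresses,
! the trustpoint and the package filename are assumptions.
!
! Guest wireless interface (assumed nameif "guest-dmz").
interface GigabitEthernet0/2
 nameif guest-dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Address pool handed to AnyConnect clients regardless of which
! interface they terminate on.
ip local pool RA-POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
!
! The SSL certificate must be bound to each interface that accepts
! VPN connections, or guest-dmz clients get a certificate warning.
ssl trust-point RA-CERT outside
ssl trust-point RA-CERT guest-dmz
!
webvpn
 enable outside
 enable guest-dmz
 anyconnect image disk0:/anyconnect-win-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
!
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP
tunnel-group RA-TG webvpn-attributes
 group-alias Remote enable
```

The only line that differs from a plain outside-only deployment is `enable guest-dmz` (plus the matching `ssl trust-point`). Guests then point AnyConnect at 192.168.50.1 rather than the public address, and the same tunnel-group, authentication and group-policy apply. Check the result with `show run webvpn` and, once a guest has connected, `show vpn-sessiondb anyconnect`, which lists the terminating interface per session. Remember that any existing NAT exemption for the pool toward the inside network still has to cover sessions arriving on guest-dmz.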
04-03-2014 01:17 PM
I'm thinking the original question was a concern that someone on the guest wireless network might be able to bring up a VPN on the outside, which would give them access to inside resources. I've never tried it myself, but I don't believe it's possible to establish a VPN coming through the ASA to reach that interface. I believe only connections arriving at the ASA on the outside would be able to establish a tunnel. If you really felt strongly about it, you could always deny some protocols inbound on the DMZ interface to the outside IP address, and that shouldn't break anything that ought to work.
Even if they could establish that tunnel coming through the DMZ interface, hopefully your VPN authentication mechanisms would keep out anyone who wasn't authorized to use the VPN. If it's too easy to crack the VPN authentication, you've got bigger problems.
John
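As an added example of the belt-and-braces step John suggests (not code from his post), the ACL below, applied inbound on the guest DMZ, explicitly denies the VPN ports toward the ASA's own outside address before letting guests out to the Internet. The nameif `guest-dmz` and the outside address 203.0.113.10 (from the documentation range) are assumptions.

```cisco
! Added example, not from the original thread. The outside interface
! address and the nameif "guest-dmz" are assumptions.
object network OUTSIDE-IF-IP
 host 203.0.113.10
!
! Drop the AnyConnect SSL/DTLS and IKEv2/NAT-T ports aimed at the
! firewall's own outside address from the guest network.
access-list GUEST-IN remark Guests must not reach the ASA outside address for VPN
access-list GUEST-IN extended deny tcp any object OUTSIDE-IF-IP eq https
access-list GUEST-IN extended deny udp any object OUTSIDE-IF-IP eq 443
access-list GUEST-IN extended deny udp any object OUTSIDE-IF-IP eq isakmp
access-list GUEST-IN extended deny udp any object OUTSIDE-IF-IP eq 4500
!
! Guests route out to the Internet only; keep them off RFC 1918 space.
access-list GUEST-IN extended deny ip any 10.0.0.0 255.0.0.0
access-list GUEST-IN extended deny ip any 172.16.0.0 255.240.0.0
access-list GUEST-IN extended deny ip any 192.168.0.0 255.255.0.0
access-list GUEST-IN extended permit ip any any
!
access-group GUEST-IN in interface guest-dmz
```

To confirm the rule matches before anyone relies on it, trace a guest's attempt against the outside address, for example `packet-tracer input guest-dmz tcp 192.168.50.20 40000 203.0.113.10 443`, and watch the deny hit counters with `show access-list GUEST-IN`. If Plan B (WebVPN enabled on guest-dmz) is also in place, this ACL does not affect it, because those sessions terminate on the DMZ interface address rather than the outside one.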
04-04-2014 04:12 AM
Hi John,
Thanks for the reply, I was looking for a way to bring up the VPN from the Guest DMZ using the outside interface alright. It was to support a few guest users that wanted to use the VPN for testing.
Cheers
Brian
04-04-2014 06:30 AM
Then I agree with Plan B. If you're trying to allow internal access to a group of guest users, but not all guest users, then that's your best bet.
04-04-2014 04:10 AM
Hi Soren,
Thanks, that was going to be my Plan B alright :)
Cheers
Brian