I have an ASA5516 that is hosting several AnyConnect VPNs using a RADIUS server for authentication.
The split tunnel list is configured on the ASA. The split tunnel list injects static routes onto the client's PC for the resources specified.
However, we have recently discovered that if the user manually enters a route on their PC to any destination with the VPN gateway as the next hop, traffic to that destination will actually go via the VPN, and if there is a route for the destination on the firewall, it will route it all the way and back, which is a huge security risk.
Am I missing something here? Is there an attribute that can allow me to add a security ACL per user on the RADIUS server, or one on the ASA? We use the same group-policy and tunnel-group for every user; however, each user has access to different resources.
! Shared group-policy used by every user
group-policy Anyconnect internal
group-policy Anyconnect attributes
 address-pools value Anyconnect_Pool
 anyconnect profiles value DfltProfile type user
! Shared tunnel-group; the group-url is what the clients connect to
tunnel-group Anyconnect webvpn-attributes
 group-url https://220.127.116.11/Anyconnect enable
The users are configured and authenticated by the RADIUS server using the attributes:
CVPN3000-IPSec-Split-Tunnel-List; Framed-IP-Netmask; Service-Type; Class; NAS-Port-Type.
Also be advised that, unless the allowed resource is hardened, the remote user can use it to navigate further into your network.
For instance, if you allow RDP to one workstation only (with a VPN filter), nothing prevents that user from launching an RDP session from the allowed host into another host internal to your network. The same applies to SSH and other remote access protocols.
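An added example of the VPN filter the answer refers to, written against the config in the question. This is not part of the original thread, and the ACL names, the GP_HELPDESK / GP_DEVS group-policy names, the 10.10.20.0/24 pool range and the 10.1.x.x internal hosts are assumptions. The point it shows: a split tunnel list only shapes the client's routing table, whereas a vpn-filter ACL is enforced by the ASA on the session itself, so it holds no matter what routes the user adds on the PC, and it can be selected per user from RADIUS.

```cisco
! Added example, not from the original post. Names and addresses below are assumed:
! 10.10.20.0/24 stands in for Anyconnect_Pool, 10.1.x.x for internal resources.
!
! vpn-filter ACLs are written from the client's point of view: source = client
! (pool) address, destination = allowed resource. The ASA applies the same ACL to
! the return traffic, so one line per allowed service is enough.
access-list VPN_FILTER_HELPDESK extended permit tcp 10.10.20.0 255.255.255.0 host 10.1.1.50 eq 3389
access-list VPN_FILTER_HELPDESK extended permit udp 10.10.20.0 255.255.255.0 host 10.1.1.10 eq domain
access-list VPN_FILTER_HELPDESK extended deny ip any any log

access-list VPN_FILTER_DEVS extended permit tcp 10.10.20.0 255.255.255.0 10.1.2.0 255.255.255.0 eq 22
access-list VPN_FILTER_DEVS extended deny ip any any log

! Fail closed: a user the RADIUS server does not map to a policy gets no access.
access-list VPN_FILTER_NONE extended deny ip any any log
group-policy Anyconnect attributes
 vpn-filter value VPN_FILTER_NONE

! Option A: one group-policy per role, cloned from the shared one so the pool and
! AnyConnect profile are kept. Select it per user by returning the IETF Class
! attribute (25) from RADIUS in the form  Class = "OU=GP_HELPDESK;"
group-policy GP_HELPDESK internal from Anyconnect
group-policy GP_HELPDESK attributes
 vpn-filter value VPN_FILTER_HELPDESK

group-policy GP_DEVS internal from Anyconnect
group-policy GP_DEVS attributes
 vpn-filter value VPN_FILTER_DEVS

! Option B: keep the single Anyconnect group-policy and return the ACL name per
! user in the IETF Filter-Id attribute (11), e.g.  Filter-Id = "VPN_FILTER_DEVS"
! A per-user attribute from RADIUS overrides the group-policy's vpn-filter.
```

After a user connects, `show vpn-sessiondb detail anyconnect filter name <username>` reports a `Filter Name` line; if it still shows VPN_FILTER_NONE, the RADIUS reply is not carrying the Class or Filter-Id value the ASA expects. Keep the `deny ip any any log` lines: the hits they log are exactly the attempts the question describes, traffic to a destination the user added a route for by hand.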