05-02-2019 06:48 AM - edited 02-21-2020 09:38 PM
Hi all,
I have an ASA5516 that is hosting several Anyconnect VPNs using a RADIUS server for authentication.
The split tunnel list is configured on the ASA. The "SPLIT TUNNEL LIST" injects static routes onto the client's PC for the resources specified.
However, we have recently discovered that if the user manually enters a route on their PC to any destination with the VPN gateway as the next hop, traffic to that destination will actually go via the VPN, and if there is a route for the destination on the firewall, it will route it all the way there and back, which is a huge security risk.
Am I missing something here? Is there an attribute that would allow me to add a security ACL per user on the RADIUS server, or one on the ASA? We use the same group-policy and tunnel-group for every user; however, each user has access to different resources.
ASA config:
group-policy Anyconnect internal
group-policy Anyconnect attributes
wins-server none
vpn-idle-timeout 480
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
address-pools value Anyconnect_Pool
webvpn
anyconnect profiles value DfltProfile type user
always-on-vpn profile-setting
tunnel-group Anyconnect webvpn-attributes
group-url https://1.1.1.1/Anyconnect enable
The users are configured and authenticated by the RADIUS server using the attributes:
CVPN3000-IPSec-Split-Tunnel-List; Framed-IP-Netmask; Service-Type; Class; NAS-Port-Type.
Kind regards
05-03-2019 01:00 AM
Hi,
You could apply a VPN filter to the VPN session; this will restrict the user to only the destinations defined in the filter ACL.
HTH
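As an added illustration of the VPN filter approach (this is not configuration from the original thread; the ACL names, addresses, user name and the FreeRADIUS users-file syntax are assumptions chosen for the example), the fragment below applies a deny-all filter as the group-policy default and then selects a per-user filter through the RADIUS Filter-Id attribute (IETF attribute 11), which the ASA accepts as the name of a locally defined ACL to use as the session's vpn-filter:

```text
! --- ASA side (added example, not the original poster's config) ---
!
! Per-resource-set filter. VPN filter ACEs for remote access are written
! from the client's perspective: source = address the ASA assigned from
! the pool, destination = the internal resource. Confirm the ACE
! direction against the VPN filter documentation for your ASA release.
access-list VPNFILTER_FINANCE extended permit tcp 10.99.0.0 255.255.0.0 host 10.10.20.5 eq 3389
access-list VPNFILTER_FINANCE extended permit tcp 10.99.0.0 255.255.0.0 host 10.10.20.6 eq 445
access-list VPNFILTER_FINANCE extended deny ip any any log
!
! Fail closed: a session that arrives without a Filter-Id from RADIUS
! gets this filter instead of unrestricted access.
access-list VPNFILTER_DENYALL extended deny ip any any log
!
group-policy Anyconnect attributes
 vpn-filter value VPNFILTER_DENYALL
!
! Verify which filter a live session actually received:
! show vpn-sessiondb detail anyconnect filter name alice
! (look for the "Filter Name" field in the output)

# --- RADIUS side (FreeRADIUS "users" file, illustrative entry) ---
# Filter-Id must match the ACL name defined on the ASA exactly.
alice   Cleartext-Password := "example-only"
        Filter-Id = "VPNFILTER_FINANCE",
        Class = "OU=Anyconnect;"
```

Because the filter is enforced on the ASA rather than on the client, a route the user adds locally no longer matters: any packet the client sends into the tunnel that does not match a permit ACE is dropped at the firewall, and the log keyword on the final deny gives you visibility into attempts. Keep the deny-all default in place so that a RADIUS attribute typo, or a user object missing the attribute, fails closed rather than open.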
Also be advised that, unless the allowed resource is hardened, the remote user can use it to navigate further into your network.
For instance, if you allow RDP to one workstation only (with a VPN filter), nothing prevents that user from launching an RDP session from the allowed host into another host internal to your network. The same applies to SSH and other remote access protocols.