Remote Access VPN, how to specify on which interface clients will be placed on?

pweichmann
Level 1

Hi,

I have a general understanding problem with remote access VPN and Cisco ASA.

If I have an ASA with multiple interfaces and I want to make sure that a Remote Access VPN Client is placed onto a specific interface, how do I do this?

example:

ASA has 4 interfaces: outside, inside-clients, inside-workers, inside-lab.

I want to allow multiple Remote Access VPN configurations that put clients coming from "outside" to "inside-lab" and "inside-clients", with two different profiles and two different IP pools, as the IP addresses for each of the interfaces is different.

How do I do that?

If possible be as explanatory as possible for me to really grasp the concept.

Many thanks

Pat

3 Replies

Marcin Latosiewicz
Cisco Employee

Pat,

Have a look at:

http://www.cisco.com/en/US/docs/security/asa/command-reference/v.html#wp1547912

You can also restrict via (global) ACLs or NAT. ... multiple ways to do this depending on version.

M.

Dear Marcin,

I went through the link you provided but did not find any information that would help me understand the issue at hand.

As an alternative method you suggested to use global ACLs or NAT.

Does it mean that all Cisco VPN tunnels terminate on the interface the IPsec connection was directed to? And then you have complete freedom to choose:

  • The client connecting via VPN can access all networks on all other interfaces?
  • The default policy allows unrestricted access?

So there is no method to restrict a client-initiated tunnel to be fixed to one interface so that it cannot communicate with any other interface?

In other implementations I think it was possible to choose that the tunnel terminates either on the public interface or the internal one, and then different ACLs and routing tables were chosen for the traffic.

As stated before, I would really like to understand in more detail the concept that ASA implements.

The requirements that I have are that we need clients to connect to different networks behind different interfaces and, as far as I understand it, I would have to create different tunnel-groups where I assign a different IP pool. The client then has multiple entries in the VPN Client with the tunnel-group name configured and ends up at the same place in the ASA but with a different IP address.

But will the client be able to talk to the other networks on the other interfaces? There is only one routing table and it contains all routes for all networks, or what mechanism blocks this?

Hi,

The ASA will view the hosts in its routing table behind the ASA interface which forms the VPN connection with the VPN Client. This is most of the time the interface called "outside".

By default the ASA allows all traffic coming from a VPN connection to bypass the interface ACL of the ASA. The thought process behind this is, I guess, the fact that the VPN devices/clients have already proven they have the right to connect to the network, so all traffic is allowed.

The configuration that controls this setting globally on the ASA is

sysopt connection permit-vpn

The above is the default setting of the command and it WON'T show up in the CLI format configurations because it's a default setting.

If you were to issue the following command

no sysopt connection permit-vpn

Then this would mean that the ASA would require an ACL statement on its VPN terminating interface (outside) to permit the traffic from the VPN Pool to the LAN networks.

Naturally you would have to take into consideration also that if you have existing VPNs and insert the above global command they would also need ACL statements on the "outside" interface ACL or the inbound traffic from the VPN will start to get blocked.

The other option (without touching the above setting) would be to configure a VPN Filter ACL, which is a separate ACL that is only attached to a certain user or group of users.

I personally prefer the method of using the above global setting and using the "outside" interface ACL to control traffic.

Naturally it still leaves the question of how you are going to configure the Tunnel Groups, Group Policies and Usernames. To be honest, I have gotten a bit distracted from VPN client setups and have forgotten a lot of stuff since I don't work with them on a day to day basis. I mostly handle L2L VPN nowadays among normal firewall configurations.

If I had to suggest something simple at this point it would be this

  • Configure separate Tunnel Groups
  • Configure separate VPN Pools for the above Tunnel Groups
  • Configure separate Group Policies for the above Tunnel Groups
  • Configure the above mentioned Global setting to limit inbound traffic from VPN
  • Configure the "outside" interface ACL so that you only permit traffic from a certain VPN Tunnel Group users only to certain LAN networks
  • Configure the required NAT0 configurations for traffic between these networks

As Marcin said, there are multiple different ways to achieve the same thing as above.

And as I said I have gotten a bit rusty with the VPN Client side on the ASA so I am not sure if at the moment I can even consider all the possible options but surely the simple ones.

PS. The link that Marcin posted seems to point to a Group Policy setting that would let you lock that VPN connection to use only a certain local VLAN (subinterface) on the ASA and therefore limit traffic from going to networks behind other interfaces.

Hope this helps

- Jouni
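The following is an added ASA configuration example illustrating the approach Jouni outlines (separate tunnel groups, pools and group policies, `no sysopt connection permit-vpn` plus an "outside" interface ACL, and NAT0), with his VPN-filter alternative shown as commented lines. It is not from the thread or from Cisco; all addressing, object and group names are constructed, and it assumes ASA 8.4+ syntax (object-based NAT, IKEv1 keywords) with the IKEv1 policy, transform set, dynamic crypto map and `crypto ikev1 enable outside` already configured. The key idea it demonstrates is the one Pat was missing: the ASA never "places" a client on an internal interface; both pools terminate on "outside", and what separates them is the interface ACL (or per-group VPN filter) matched on the pool addresses.

```text
! Added example (not the thread's or Cisco's config). Constructed addressing:
!   inside-lab LAN      = 192.168.10.0/24
!   inside-clients LAN  = 192.168.20.0/24
!   LAB-POOL (lab group)        = 10.10.1.0/24
!   CLIENTS-POOL (clients group)= 10.10.2.0/24
! Assumes ASA 8.4+ syntax; IKE policy, transform set and dynamic crypto map
! on "outside" are assumed to exist already and are not shown.

! 1. One address pool per tunnel group
ip local pool LAB-POOL 10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool CLIENTS-POOL 10.10.2.1-10.10.2.254 mask 255.255.255.0

! Network objects reused by the ACL and the NAT0 rules
object network LAB-POOL-NET
 subnet 10.10.1.0 255.255.255.0
object network CLIENTS-POOL-NET
 subnet 10.10.2.0 255.255.255.0
object network LAB-LAN
 subnet 192.168.10.0 255.255.255.0
object network CLIENTS-LAN
 subnet 192.168.20.0 255.255.255.0

! 2. One group policy per tunnel group, each pointing at its own pool
group-policy LAB-GP internal
group-policy LAB-GP attributes
 vpn-tunnel-protocol ikev1
 address-pools value LAB-POOL
group-policy CLIENTS-GP internal
group-policy CLIENTS-GP attributes
 vpn-tunnel-protocol ikev1
 address-pools value CLIENTS-POOL

! 3. One tunnel group per profile; the group name is what the client selects
tunnel-group LAB-TG type remote-access
tunnel-group LAB-TG general-attributes
 default-group-policy LAB-GP
tunnel-group LAB-TG ipsec-attributes
 ikev1 pre-shared-key <LAB-PSK-PLACEHOLDER>
tunnel-group CLIENTS-TG type remote-access
tunnel-group CLIENTS-TG general-attributes
 default-group-policy CLIENTS-GP
tunnel-group CLIENTS-TG ipsec-attributes
 ikev1 pre-shared-key <CLIENTS-PSK-PLACEHOLDER>

! 4. Global setting: VPN traffic no longer bypasses the interface ACL.
!    Existing VPNs terminating on "outside" must also be permitted here.
no sysopt connection permit-vpn

! 5. "outside" interface ACL: each pool reaches only its own LAN, nothing else
access-list OUTSIDE-IN extended permit ip object LAB-POOL-NET object LAB-LAN
access-list OUTSIDE-IN extended permit ip object CLIENTS-POOL-NET object CLIENTS-LAN
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! 6. NAT0 (identity NAT) so pool <-> LAN traffic is not translated
nat (inside-lab,outside) source static LAB-LAN LAB-LAN destination static LAB-POOL-NET LAB-POOL-NET no-proxy-arp route-lookup
nat (inside-clients,outside) source static CLIENTS-LAN CLIENTS-LAN destination static CLIENTS-POOL-NET CLIENTS-POOL-NET no-proxy-arp route-lookup

! Alternative to steps 4-5 (leave sysopt at its default): a per-group VPN filter.
! Note the reversed direction: source is the LAN side, destination is the client.
! access-list LAB-VPN-FILTER extended permit ip object LAB-LAN object LAB-POOL-NET
! group-policy LAB-GP attributes
!  vpn-filter value LAB-VPN-FILTER
```

To verify the separation after applying this, `show vpn-sessiondb remote` shows which pool address each session received, and `show access-list OUTSIDE-IN` hit counts (together with the logged denies from the final ACE) confirm that a lab-pool client's attempts to reach the clients LAN are being dropped by the interface ACL rather than silently routed through.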