Anyconnect using IKEV2 allowing access to Vendor

mahesh18
Level 6
Hi Everyone,

We have configured AnyConnect using IKEv2 for our internal users and it is working fine.

Recently I got a request from our management to allow our vendor to access our network, but they don't need full access to our internal network.

This vendor is also using AnyConnect with IKEv2 to access their own internal network.

What I have done is ask our vendor's IT guy to update their XML profile with the info below:

<ServerList>
  <HostEntry>
    <HostName>xyz.com</HostName>
    <HostAddress>xyz.com</HostAddress>
  </HostEntry>
</ServerList>

where xyz.com is our VPN ASA hostname.

I need to know: do I need to configure a new AnyConnect profile and group policy to make this work, or can I just create a new group policy for this vendor?

 

Regards

Mahesh


Marvin Rhoads
Hall of Fame

It's recommended that you avoid manually changing connection profiles, as the ASA will push any deltas for the selected profile to the client when they log in.

You should instead make a new connection profile for your vendors with the allowed network specified in the split tunnel list and then have them log in and select that profile. Once they do so successfully, the profile will be added to their existing one and they will be able to select your network or their own from the AnyConnect dropdown list for subsequent logins.

Hi Marvin,

So as per you, I should make a new connection profile and group policies?

Also, auth for this will be via RADIUS.

Regards

Mahesh

I agree with Marvin.  It also provides better security if your vendor uses a different connection profile as you can restrict their access much more easily than if they were sharing a connection profile with your internal users.

--

Please remember to select a correct answer and rate helpful posts


Yes, separate connection profiles (and group policies) are what is recommended for this type of situation. It's a textbook case for doing so.

Hi Marvin,

I need to know one more thing, if this is possible:

I configure AnyConnect with a new AnyConnect profile and group policy.

I assign it a new pool of addresses.

If I limit the vendor to specific subnets, will it be possible that the vendor PC still gets access to the internet from our network?

As per our requirement, we need the vendor's internet traffic to go via our network.

Regards

Mahesh

Yes, that's a common use case Mahesh.

Whenever you set up a remote access VPN, one of the things you need to decide is whether to tunnel all traffic, tunnel traffic to specified networks, or exclude tunneling for certain networks.

Generally this is a case of "split tunnel" (the latter two types) or "no split tunnel" (or "tunnelall"). Since you want to tunnel all traffic, follow a configuration for "tunnelall". It would look something like:

group-policy vendorgroup attributes
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelall

There's a good recent example in the following TAC document.

Hi Marvin,

Thanks for replying back.

I need to confirm one more thing before I implement this solution.

I will use the full tunnel policy so that all traffic is tunneled.

But to restrict access to specific subnets, can I do this:

Under Group Policies > More Options > Filters

Can I add standard ACLs to allow access to specific subnets only?

If I do this, then the vendor can access the network under the filters, but he will be able to access any internet website, right?

Regards

Mahesh

To configure the vpn filter you would do something like the following:

access-list VPN-FILTER permit ip 192.168.1.0 255.255.255.0 host 10.1.1.10
access-list VPN-FILTER deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-FILTER permit ip any any

group-policy VPN internal
group-policy VPN attributes
  vpn-filter value VPN-FILTER

--

Please remember to select a correct answer and rate helpful posts

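The three VPN-FILTER entries above can be sanity-checked offline before they go on the ASA. This is an added example, not code from the thread or from Cisco: it models first-match evaluation of the ACL with the implicit deny at the end, taking the vendor's pool address as source and the internal host as destination, exactly as the entries are written. The vendor client address 192.168.1.25 and the destination hosts (10.1.1.20, 10.1.2.5, 203.0.113.7) are constructed for the check.

```python
import ipaddress

def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs take a real subnet mask (not a wildcard mask); strict=False tolerates host bits
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(lines):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines into (action, src, dst) tuples, in order."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append((t[2], src, dst))
    return aces

def evaluate(aces, src_ip, dst_ip):
    """First-match evaluation; no match means the implicit deny at the end of every ASA ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action
    return "deny"

# The three entries from the reply above, copied verbatim.
VPN_FILTER = [
    "access-list VPN-FILTER permit ip 192.168.1.0 255.255.255.0 host 10.1.1.10",
    "access-list VPN-FILTER deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0",
    "access-list VPN-FILTER permit ip any any",
]

def vendor_access_report(acl_lines=VPN_FILTER, vendor_ip="192.168.1.25"):
    """Verdict per constructed destination for one vendor client address from the pool."""
    aces = parse_acl(acl_lines)
    targets = {"allowed server": "10.1.1.10", "other host in 10.1.1.0/24": "10.1.1.20",
               "unlisted internal subnet": "10.1.2.5", "internet host": "203.0.113.7"}
    return {name: evaluate(aces, vendor_ip, ip) for name, ip in targets.items()}

if __name__ == "__main__":
    for name, verdict in vendor_access_report().items():
        print(f"{name:28s} -> {verdict}")
    print("internet without final permit:", vendor_access_report(VPN_FILTER[:2])["internet host"])
```

Dropping the final `permit ip any any` makes the internet host fall through to the implicit deny, which is why the reply ends the ACL with it. Conversely, an internal subnet not covered by the deny entry (10.1.2.0/24 in this check) is reachable through that permit, so the deny lines must list every internal range the vendor should not see.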

Hi Marvin,

Thanks for answering all my questions.

Regards

Mahesh

 

If you want traffic to go to the internet via your firewall, you will need to tunnel all traffic, as Marvin has mentioned.

Then, if you want to limit the 3rd party's access to your network, you can configure VPN filtering. You would then permit access in an ACL that allows traffic to your servers, then another entry that denies access to the rest of your network, and at the end of the ACL a permit any any statement.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

--

Please remember to select a correct answer and rate helpful posts
