Multi company anyconnect management VPN on single ASA

russellsherr
Level 1

Hi All,

 

We have been asked to assist with a challenge for multiple separate companies to use anyconnect from a single device.

 

The current scenario is that they are using ISR routers, so we need to aggregate the companies onto an ASA; however, the two companies' data and users need to remain separate.

 

On paper it looks theoretically possible to have two separate URLs, two separate certificates and two separate AD auths via RADIUS to reach two separate VLANs.

 

The organisations currently need to be unaware of each other's existence!

 

Is there any documentation or guidance on this that I can refer to in order to speed up the process? Any personal experience with this would be hugely appreciated.

Thanks

4 Replies

Hi,

Configuring the ASA in multi-context mode would meet your requirements. Each customer would have their own context, and their data would be routed in and out of a separate physical or logical interface, rather than sharing one as with a standard RAVPN, thus being unaware of each other's existence.

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200353-ASA-Multi-Context-Mode-Remote-Access-A.html


HTH

Thanks for this

The problem is that the thing is configured in single-context mode and is in use, so moving into multi-context mode I suspect will probably cause it to implode whilst in service!!!

 

If we were starting again, this makes sense.

 

If anyone can bring a working example, that would be appreciated.

 

Thanks All

Sure, I understand why changing to multi-context might not be acceptable if the ASA is already in use.

 

In that case you can create a tunnel-group for each customer (with their own specific settings such as VPN pool, default domain name etc.). On the RADIUS server, only permit each customer to authenticate from their own tunnel-group; use the RADIUS attribute Cisco-VPN3000-CVPN3000/ASA/PIX7x-Tunnel-Group-Name value to identify each tunnel.

 

The screenshot below is from ISE: a user in the AD group Customer-1 can only connect to the tunnel-group TG-1 to be allowed access. If they knew of the existence of TG-2, they would not be able to authenticate. The opposite applies to users of the AD group Customer-2 connecting to tunnel-group TG-2.

 

[Screenshot: Capture.PNG]

 

You can combine that with a Downloadable ACL (DACL) sent from the RADIUS server or use an ACL/VPN-Filter on the ASA to restrict what each customer can access, to ensure they can only communicate with their own servers.

 

HTH
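As an added example (not from any of the posters in this thread), here is what the single-context arrangement described in the reply above looks like in ASA configuration: one tunnel-group per customer, each with its own address pool, RADIUS server group, group policy and VPN filter. All names, pool ranges, server VLAN subnets, RADIUS hosts and FQDNs are assumed values; the RADIUS-side Tunnel-Group-Name check is still done on ISE as described above.

```text
! Added example, not from the thread. All names, pools, VLAN subnets,
! RADIUS hosts and FQDNs are assumed values.
!
! One address pool per customer so VPN-filter rules can key on the client subnet.
ip local pool POOL-CUST1 10.10.1.10-10.10.1.250 mask 255.255.255.0
ip local pool POOL-CUST2 10.10.2.10-10.10.2.250 mask 255.255.255.0
! Per-customer RADIUS server group (each customer's own AD via RADIUS/ISE).
! The RADIUS policy should also check the Tunnel-Group-Name attribute, as
! described above, so a Customer-1 user is rejected if they reach TG-2.
aaa-server RADIUS-CUST1 protocol radius
aaa-server RADIUS-CUST1 (inside) host 192.168.1.50
 key CHANGE-ME-SHARED-SECRET
aaa-server RADIUS-CUST2 protocol radius
aaa-server RADIUS-CUST2 (inside) host 192.168.2.50
 key CHANGE-ME-SHARED-SECRET
! VPN filters: written with the VPN client as source; the ASA applies them
! bidirectionally, so each pool can only reach its own server VLAN.
access-list VPNFILTER-CUST1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPNFILTER-CUST1 extended deny ip any any
access-list VPNFILTER-CUST2 extended permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNFILTER-CUST2 extended deny ip any any
!
group-policy GP-CUST1 internal
group-policy GP-CUST1 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-CUST1
 vpn-filter value VPNFILTER-CUST1
 default-domain value cust1.example.com
group-policy GP-CUST2 internal
group-policy GP-CUST2 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-CUST2
 vpn-filter value VPNFILTER-CUST2
 default-domain value cust2.example.com
!
! A separate tunnel-group per customer. group-url ties each customer's FQDN
! to its tunnel-group without listing aliases in the AnyConnect drop-down.
tunnel-group TG-1 type remote-access
tunnel-group TG-1 general-attributes
 authentication-server-group RADIUS-CUST1
 default-group-policy GP-CUST1
tunnel-group TG-1 webvpn-attributes
 group-url https://vpn.cust1.example.com enable
tunnel-group TG-2 type remote-access
tunnel-group TG-2 general-attributes
 authentication-server-group RADIUS-CUST2
 default-group-policy GP-CUST2
tunnel-group TG-2 webvpn-attributes
 group-url https://vpn.cust2.example.com enable
```

If the RADIUS server returns a DACL per user instead, the local vpn-filter lines can be dropped; the point either way is that a successful authentication alone never grants reachability beyond the customer's own VLAN.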

Multiple-mode is probably the better way, but technically it will all work in single mode. The only "problem" is that customer A could see that his FQDN resolves to the same IP as customer B's FQDN. That would reveal your little secret.

 

With multiple-mode both contexts can have individual IPs, even from different IP-ranges. 

 

But my standpoint is still: If you have to hide it, don't do it.