08-08-2013 02:53 AM - edited 02-21-2020 07:04 PM
Hi,
I have a general understanding problem with remote access VPN and Cisco ASA.
If I have an ASA with multiple interfaces and I want to make sure that a Remote Access VPN Client is placed onto a specific interface, how do I do this?
example:
ASA has 4 interfaces: outside, inside-clients, inside-workers, inside-lab.
I want to allow multiple Remote Access VPN configurations that put clients coming from "outside" to "inside-lab" and "inside-clients", with two different profiles and two different IP pools, as the IP addresses for each of the interfaces is different.
How do I do that?
If possible be as explanatory as possible for me to really grasp the concept.
Many thanks
Pat
08-08-2013 04:37 AM
Pat,
Have a look at:
http://www.cisco.com/en/US/docs/security/asa/command-reference/v.html#wp1547912
You can also restrict via (global) ACLs or NAT. ... multiple ways to do this depending on version.
M.
08-15-2013 12:50 AM
Dear Marcin,
I went through the link you provided but did not find any information that would help me understand the issue at hand.
As an alternative method you suggested to use global ACLs or NAT.
Does it mean that all Cisco VPN tunnels terminate on the interface the IPsec connection was directed to? And then you have complete freedom to choose:
So there is no method to restrict a client-initiated tunnel to be fixed to one interface so that it cannot communicate with any other interface?
In other implementations I think it was possible to choose that the tunnel terminates either on the public interface or the internal one, and then different ACLs and routing tables were chosen for the traffic.
As stated before, I would really like to understand in more detail the concept that ASA implements.
The requirements that I have is that we need clients to connect to different networks behind different interfaces and as far as I understand it, I would have to create different tunnel-groups where I assign a different IP pool. The client has then multiple entries in the VPN Client with the tunnel-group name configured and ends up at the same place in the ASA but with a different IP address.
But will the client be able to talk to the other networks on the other interfaces? There is only one routing table and it contains all routes for all networks or what mechanism blocks this.
08-15-2013 06:13 AM
Hi,
The ASA will view the hosts in its routing table behind the ASA interface which forms the VPN connection with the VPN Client. This is most of the time the interface called "outside".
By default the ASA allows all traffic coming from a VPN connection to bypass the interface ACL of the ASA. The thought process behind this is, I guess, the fact that the VPN devices/clients have already proven they have the right to connect to the network, so all traffic is allowed.
The configuration that controls this setting globally on the ASA is
sysopt connection permit-vpn
The above is the default setting of the command and it WON'T show up in the CLI format configurations because it's a default setting.
If you were to issue the following command
no sysopt connection permit-vpn
Then this would mean that the ASA would require an ACL statement on its VPN terminating interface (outside) to permit the traffic from the VPN Pool to the LAN networks.
Naturally you would have to take into consideration also that if you have existing VPNs and insert the above global command they would also need ACL statements on the "outside" interface ACL or the inbound traffic from the VPN will start to get blocked.
Another option (without touching the above setting) would be to configure a VPN Filter ACL, which is a separate ACL that is only attached to a certain user or group of users.
I personally prefer the method of using the above global setting and using the "outside" interface ACL to control traffic.
Naturally it still leaves the question of how you are going to configure the Tunnel Groups, Group Policies and Usernames. To be honest, I have gotten a bit distracted from VPN client setups and have forgotten a lot of stuff since I don't work with them on a day-to-day basis. I mostly handle L2L VPN nowadays among normal firewall configurations.
If I had to suggest something simple at this point it would be this
As Marcin said, there are multiple different ways to achieve the same thing as above.
And as I said I have gotten a bit rusty with the VPN Client side on the ASA so I am not sure if at the moment I can even consider all the possible options but surely the simple ones.
PS. The link that Marcin posted seems to point to a Group Policy setting that would let you lock that VPN connection to use only a certain local VLAN (subinterface) on the ASA and therefore limit traffic from going to networks behind other interfaces.
Hope this helps
- Jouni
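The following is an added configuration example illustrating Jouni's vpn-filter approach for Pat's scenario; it is not part of the original thread and not Cisco's own sample. It keeps the default `sysopt connection permit-vpn`, so the "outside" interface ACL is not consulted for VPN traffic, and instead attaches a separate vpn-filter ACL to each group policy. The subnets, pool ranges, object names, tunnel-group names, usernames and the pre-shared-key placeholders are all assumptions; the interface names (outside, inside-lab, inside-clients) are the ones from the question. Syntax assumes ASA 8.4 or later.

```cisco
! ---- Added example, not from the thread. Assumed addressing: ----
!   inside-lab      network 10.10.0.0/24   VPN pool POOL-LAB     192.168.100.0/24
!   inside-clients  network 10.20.0.0/24   VPN pool POOL-CLIENTS 192.168.200.0/24
! Both tunnels terminate on "outside"; the pool address decides what each
! client may reach, enforced by the per-group vpn-filter below.

ip local pool POOL-LAB     192.168.100.1-192.168.100.254 mask 255.255.255.0
ip local pool POOL-CLIENTS 192.168.200.1-192.168.200.254 mask 255.255.255.0

! vpn-filter ACLs. For remote-access clients the ASA expects the client (pool)
! address in the source position and the local network in the destination
! position; the ACL is applied to the session in both directions. The implicit
! deny at the end is what stops a lab client from reaching 10.20.0.0/24 and a
! client-pool user from reaching 10.10.0.0/24.
access-list VPNFILTER-LAB     extended permit ip 192.168.100.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list VPNFILTER-CLIENTS extended permit ip 192.168.200.0 255.255.255.0 10.20.0.0 255.255.255.0

! Identity NAT so an existing dynamic PAT (inside-lab,outside) does not
! translate the VPN traffic. Adjust or drop if no such NAT exists.
object network NET-LAB
 subnet 10.10.0.0 255.255.255.0
object network NET-CLIENTS
 subnet 10.20.0.0 255.255.255.0
object network NET-POOL-LAB
 subnet 192.168.100.0 255.255.255.0
object network NET-POOL-CLIENTS
 subnet 192.168.200.0 255.255.255.0
nat (inside-lab,outside)     source static NET-LAB NET-LAB     destination static NET-POOL-LAB NET-POOL-LAB
nat (inside-clients,outside) source static NET-CLIENTS NET-CLIENTS destination static NET-POOL-CLIENTS NET-POOL-CLIENTS

! One group policy per target network. "group-lock" ties the policy (and the
! users bound to it) to one tunnel-group, so a user cannot simply pick the
! other connection entry in the VPN client and land in the other pool.
group-policy GP-LAB internal
group-policy GP-LAB attributes
 vpn-tunnel-protocol ikev1 ssl-client
 address-pools value POOL-LAB
 vpn-filter value VPNFILTER-LAB
 group-lock value LAB
! vlan <id>   <- the setting from Marcin's link; only meaningful when the
!                target is a VLAN subinterface, so it is left out here.

group-policy GP-CLIENTS internal
group-policy GP-CLIENTS attributes
 vpn-tunnel-protocol ikev1 ssl-client
 address-pools value POOL-CLIENTS
 vpn-filter value VPNFILTER-CLIENTS
 group-lock value CLIENTS

! Two tunnel-groups = two entries in the client, each with its own pool/policy.
tunnel-group LAB type remote-access
tunnel-group LAB general-attributes
 address-pool POOL-LAB
 default-group-policy GP-LAB
tunnel-group LAB ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LAB-PSK

tunnel-group CLIENTS type remote-access
tunnel-group CLIENTS general-attributes
 address-pool POOL-CLIENTS
 default-group-policy GP-CLIENTS
tunnel-group CLIENTS ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-CLIENTS-PSK

! Local users (assumed names) pinned to a policy, and through group-lock to
! a tunnel-group. With an AAA server the same attribute can come from RADIUS.
username labuser password REPLACE-ME
username labuser attributes
 vpn-group-policy GP-LAB
username clientuser password REPLACE-ME
username clientuser attributes
 vpn-group-policy GP-CLIENTS
```

Two checks worth running after applying this: `show vpn-sessiondb detail anyconnect` (or `... remote`) lists the Filter Name applied to each live session, which confirms the vpn-filter actually attached; and a packet trace such as `packet-tracer input outside tcp 192.168.100.10 12345 10.20.0.10 22` should end in a DROP at the VPN filter stage, showing the lab pool cannot reach inside-clients. If you instead prefer Jouni's alternative (`no sysopt connection permit-vpn`), the two vpn-filter lines move into the ACL bound to "outside" with `access-group`, and every existing L2L tunnel on that interface then needs its own permit entries there as he warns.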