08-22-2025 03:28 AM
Description:
We have deployed a Remote VPN infrastructure using two Cisco FPR-1150 firewalls.
In this setup:
Cisco ISE is used for authorization of the VPN users.
Microsoft Azure AD is used for authentication.
Cisco Secure Client is used by endpoints to connect to the Remote VPN.
The connection flow is:
The user initiates a VPN connection.
The user is authorized via Cisco ISE.
The user is authenticated via Azure AD (Microsoft Authentication).
Requirement:
We want to enforce VPN connectivity for all endpoints that are not in the office network, with the following behavior:
Outside the office network:
Endpoint should not have internet access unless connected via VPN.
If VPN is not connected or authentication fails, the endpoint should not be able to access the internet.
Inside the office network:
If the endpoint is connected from a known internal IP/subnet (e.g. office LAN), then:
It should not require VPN connection.
It should have normal internet access.
It should recognize it is in a "trusted" network and bypass VPN automatically.
Question:
Is it possible to enforce this behavior using Cisco Secure Client profile configuration or any related Cisco solution (e.g., posture checks, Trusted Network Detection, ISE policies, etc.)?
Specifically, can Secure Client detect whether the endpoint is in the corporate LAN (e.g. by detecting a specific IP or DNS suffix), and accordingly:
Bypass VPN when in office
Force VPN before internet access when outside
We are looking for Cisco's best practice or recommended design for such a scenario.
Goal: Split policy based on endpoint's network location (inside vs outside office)
08-22-2025 03:32 AM - edited 08-22-2025 03:39 AM
MHM
08-22-2025 03:33 AM
Automatic VPN Policy (Windows and macOS only)—Enables Trusted Network Detection allowing AnyConnect to automatically manage when to start or stop a VPN connection according to the Trusted Network Policy and Untrusted Network Policy. If disabled, VPN connections can only be started and stopped manually. Setting an Automatic VPN Policy does not prevent users from manually controlling a VPN connection.
Trusted Network Policy—Action AnyConnect automatically takes on the VPN connection when the user is inside the corporate network (the trusted network).
Disconnect (Default)—Disconnects the VPN connection upon the detection of the trusted network.
Connect—Initiates a VPN connection upon the detection of the trusted network.
Do Nothing—Takes no action in the untrusted network. Setting both the Trusted Network Policy and Untrusted Network Policy to Do Nothing disables Trusted Network Detection.
Pause—AnyConnect suspends the VPN session instead of disconnecting it if a user enters a network configured as trusted after establishing a VPN session outside the trusted network. When the user goes outside the trusted network again, AnyConnect resumes the session. This feature is for the user’s convenience because it eliminates the need to establish a new VPN session after leaving a trusted network.
Untrusted Network Policy—AnyConnect starts the VPN connection when the user is outside the corporate network (the untrusted network). This feature encourages greater security awareness by initiating a VPN connection when the user is outside the trusted network.
Connect (Default)—Initiates the VPN connection upon the detection of an untrusted network.
Do Nothing—Takes no action in the trusted network. This option disables Always-On VPN. Setting both the Trusted Network Policy and Untrusted Network Policy to Do Nothing disables Trusted Network Detection.
Bypass connect upon VPN session timeout—When a VPN session times out while either Trusted Network Policy or Untrusted Network Policy is set to Connect, a connection retry begins automatically. If you want to disallow the connection retry, click Bypass connect upon VPN session timeout.
08-22-2025 03:36 AM
@andi-ahmetaj you can control this with the Secure Client/AnyConnect VPN client - Trusted Network Detection (TND) will automatically disconnect a VPN connection when the user is inside the corporate network and start the VPN connection when the user is outside the corporate network.
Always-On operation prevents access to Internet resources when the computer is not on a trusted network, unless a VPN session is active. Enforcing the VPN to always be on in this situation protects the computer from security threats.
Depending on licensing (ISE and Secure Client) you can perform posture checks via ISE or on the FTD itself.
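The documentation excerpt above describes the Trusted Network Policy / Untrusted Network Policy values, and the reply above adds that Always-On is what actually blocks internet access off-site until a tunnel is up. The following is an added example, not code from the thread or from Cisco: it parses a Secure Client/AnyConnect VPN profile XML and reports which settings would break the "bypass VPN in the office, no internet without VPN elsewhere" requirement from the question. The profile embedded in it is constructed for the example; element names follow the Secure Client/AnyConnect profile schema as I know it, and corp.example, 10.0.0.53 and vpn.example.com are placeholder values.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the thread). Element names follow the
# Secure Client / AnyConnect VPN profile schema; corp.example, 10.0.0.53 and
# vpn.example.com are placeholder values.
GOOD_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example</TrustedDNSDomains>
      <TrustedDNSServers>10.0.0.53</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <ConnectFailurePolicy>Closed</ConnectFailurePolicy>
        <AllowVPNDisconnect>false</AllowVPNDisconnect>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Same profile with two settings relaxed: the client falls open when the
# gateway is unreachable, and the user may disconnect the Always-On tunnel.
WEAK_PROFILE = (GOOD_PROFILE
                .replace("<ConnectFailurePolicy>Closed", "<ConnectFailurePolicy>Open")
                .replace("<AllowVPNDisconnect>false", "<AllowVPNDisconnect>true"))


def _local(tag):
    """Strip the XML namespace prefix from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    """First descendant of elem whose local tag name is `name`, else None."""
    for node in elem.iter():
        if node is not elem and _local(node.tag) == name:
            return node
    return None


def _text(elem, name):
    """Stripped leading text of the named descendant (None if absent/empty).
    Works for mixed-content elements such as <AlwaysOn>true ...children...</AlwaysOn>."""
    node = _find(elem, name)
    if node is None or node.text is None:
        return None
    return node.text.strip()


def tnd_settings(profile_xml):
    """Extract the TND / Always-On settings relevant to the office-vs-outside policy."""
    root = ET.fromstring(profile_xml)
    auto = _find(root, "AutomaticVPNPolicy")
    if auto is None:
        return {"AutomaticVPNPolicy": False}
    return {
        "AutomaticVPNPolicy": (auto.text or "").strip().lower() == "true",
        "TrustedDNSDomains": _text(auto, "TrustedDNSDomains"),
        "TrustedDNSServers": _text(auto, "TrustedDNSServers"),
        "TrustedHttpsServerList": _text(auto, "TrustedHttpsServerList"),
        "TrustedNetworkPolicy": _text(auto, "TrustedNetworkPolicy"),
        "UntrustedNetworkPolicy": _text(auto, "UntrustedNetworkPolicy"),
        "AlwaysOn": (_text(auto, "AlwaysOn") or "").lower() == "true",
        "ConnectFailurePolicy": _text(auto, "ConnectFailurePolicy"),
        "AllowVPNDisconnect": _text(auto, "AllowVPNDisconnect"),
    }


def check_profile(profile_xml):
    """Return (setting, problem) pairs where the profile does not enforce
    'bypass VPN in the office, no internet without VPN elsewhere'.
    An empty list means the profile matches that requirement."""
    s = tnd_settings(profile_xml)
    findings = []
    if not s["AutomaticVPNPolicy"]:
        findings.append(("AutomaticVPNPolicy", "TND is off; VPN is manual only"))
        return findings
    if not (s["TrustedDNSDomains"] or s["TrustedDNSServers"] or s["TrustedHttpsServerList"]):
        findings.append(("TrustedDNSDomains", "no criteria define the trusted (office) network"))
    if s["TrustedNetworkPolicy"] not in ("Disconnect", "Pause"):
        findings.append(("TrustedNetworkPolicy", "VPN is not released inside the office network"))
    if s["UntrustedNetworkPolicy"] != "Connect":
        findings.append(("UntrustedNetworkPolicy", "VPN is not started off-site; Always-On is disabled"))
    if not s["AlwaysOn"]:
        findings.append(("AlwaysOn", "internet is reachable off-site without a VPN session"))
    else:
        if s["ConnectFailurePolicy"] != "Closed":
            findings.append(("ConnectFailurePolicy", "client fails open when the gateway is unreachable"))
        if (s["AllowVPNDisconnect"] or "").lower() != "false":
            findings.append(("AllowVPNDisconnect", "user can disconnect the Always-On tunnel"))
    return findings


if __name__ == "__main__":
    for label, xml in (("good", GOOD_PROFILE), ("weak", WEAK_PROFILE)):
        print(label, check_profile(xml) or "OK")
```

Run it against a profile exported from the profile editor (or pulled from the client's profile directory) to see which of the settings from the two posts above are not set the way the requirement needs; the two checks under Always-On are the ones most often left at a permissive value, since ConnectFailurePolicy Open and AllowVPNDisconnect true both let the endpoint reach the internet off-site without a tunnel.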