Secure Client - Disable VPN connection on trusted network

k2no
Level 1

Hi everyone, 

Working with Secure Client with the AnyConnect VPN module enabled, we would like to disable the ability to connect to the VPN when we are on a trusted network.

We already set up "Disconnect" in the VPN policy, which adds these lines to the XML profile:

<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>

<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>

Unfortunately, this works when a client is already connected to the VPN, but once they click "Connect" while on a trusted network, the client is able to complete the process and connect to the VPN.

Could something be missing in the profile, or is it possible to at least hide the module when the client is on a trusted network?

Thanks!

1 Accepted Solution

I think the way to workaround this would be to block the VPN port from your company network towards the Secure Access tenant. That can be done on your edge firewall.

11 Replies

Could you please share a diagram that shows how the client and the VPN firewall are connected? I think what you can do is to set some security policies on the firewall that will deny the VPN traffic, but I don't believe you can manage that with the trusted network settings.

k2no
Level 1

Good point to know: it's not a VPN on a common firewall, it's a VPN connected to a Cisco Secure Access tenant.

So in terms of network diagram, we just had to set up inside Secure Access the IP pools we need to access over our VPN; after that the VPN connects directly to the Cisco datacenter and not to a specific firewall public IP.

Trusted / untrusted policy set up as below:

k2no_0-1733920617036.png

 

I think the way to workaround this would be to block the VPN port from your company network towards the Secure Access tenant. That can be done on your edge firewall.

Indeed, that could be a solution, but unfortunately it would lead to a timeout, allow the user to click Connect, etc.

Our main idea was to hide the module directly when a trusted network is detected, just like we can hide the VPN module with the profile.xml.

Saw some solutions that deploy a PowerShell script, but you need to maintain the trusted subnets inside it, etc.

I think we will just create a firewall rule to deny this specific traffic to outside.

Thanks!

I see your point, but I think the users should be aware that they shouldn't try to connect to the VPN when they are in the office. Not sure about the PowerShell script, but to be honest I wouldn't go down that route because I think that would add complexity to the deployment, and in the end if the issue gets resolved by adding a firewall rule then I would keep it simple and happy days.

Friend, you configured the Action, but how does AnyConnect know whether it is on a trusted or untrusted network?

It needs DNS or a domain.

MHM
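For readers following the exchange about what Trusted Network Detection needs in order to decide "trusted" vs. "untrusted": below is an added example of the relevant part of a Secure Client / AnyConnect VPN client profile, not the poster's own profile or a file from this thread. It combines the two policy lines quoted in the original post with the DNS-based criteria MHM refers to (TrustedDNSDomains and TrustedDNSServers, as they appear in the AnyConnect profile schema). The domain, server address and profile wrapper are constructed placeholders; replace them with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Trusted Network Detection (TND). The client evaluates the DNS
         criteria below on every network change and applies the matching
         policy automatically. -->
    <AutomaticVPNPolicy>true
      <!-- Placeholder values: the DNS suffix and DNS server the client
           only sees while on the corporate network. -->
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedDNSServers>10.0.0.53</TrustedDNSServers>

      <!-- Same two lines as in the original post. -->
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>

      <!-- Always-On is left off here; it is a separate control. -->
      <AlwaysOn>false</AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
```

Note that, as the thread reports, these elements only drive the automatic Disconnect/Connect behaviour; they are the criteria the client uses to classify the network, not a block on a user pressing Connect manually.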

It's configured with DNS, I just didn't paste it in my screenshot:

k2no_0-1733927458072.png

 

Try adding a domain if you can.

MHM

Same thing with domain.

But Secure Client recognizes that the site is trusted, since on it I have "VPN AnyConnect: on a reliable network":

k2no_0-1733931062277.png

The only issue is that people can still connect to the VPN even if they are on this trusted network.

I will check the issue over the weekend and if I get something I will send you a PM.

MHM