Users attempting anyconnect VPN while on a site to site tunnel

Lee Dress (Level 1)

I have 4 locations that have a site to site tunnel back to our main office.

Occasionally, someone on one of the remote networks will VPN in with AnyConnect and basically cause a network loop that brings the majority of the network at the remote site down.

Is it possible to deny the IP addresses of the remote sites the ability to create an AnyConnect connection without breaking the existing site-to-site tunnels?

Accepted Solution

@Lee Dress you could create a control-plane ACL assigned to the outside interface and deny connections from your remote site network ranges and then permit all other traffic.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221457-configure-control-plane-access-control-p.html


8 Replies

I did the block at the edge router for the port.

It was easier than all the FlexConfig stuff you need to do at the Firepower device.

I made a group of all my remote location IP addresses and explicitly denied the VPN port.

Thank you for the help.
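As an added example, not taken from this thread or from the Cisco document linked above, here are the two approaches discussed written out: the control-plane ACL on the firewall's outside interface that Rob suggested (ASA syntax, which is also what the FTD FlexConfig carries), and the edge-router port block that Lee ended up using (IOS syntax). The public addresses (203.0.113.x for the remote sites, 198.51.100.10 for the VPN headend), the interface names and the ACL names are placeholders. The UDP entries assume the DTLS port is also 7443; on the ASA the DTLS port is configured separately from the SSL port, so check `show run webvpn` before relying on that.

```cisco
! ---------------------------------------------------------------
! Option 1: control-plane ACL on the ASA/FTD interface that
! terminates AnyConnect (the "outside2"/eth2 interface in the thread).
! A control-plane ACL only filters traffic *to the box*; through-traffic
! and the other interface are untouched.
! ---------------------------------------------------------------
object-group network REMOTE-SITE-PUBLIC-IPS
 description Public (NATed) addresses of the four site-to-site peers (placeholders)
 network-object host 203.0.113.10
 network-object host 203.0.113.20
 network-object host 203.0.113.30
 network-object host 203.0.113.40
!
access-list CP-DENY-RAVPN remark Block AnyConnect SSL from sites that already have an S2S tunnel
access-list CP-DENY-RAVPN extended deny tcp object-group REMOTE-SITE-PUBLIC-IPS any eq 7443
access-list CP-DENY-RAVPN remark Assumption: DTLS is on the same port; verify with "show run webvpn"
access-list CP-DENY-RAVPN extended deny udp object-group REMOTE-SITE-PUBLIC-IPS any eq 7443
access-list CP-DENY-RAVPN remark The explicit permit is essential: the implicit deny at the end
access-list CP-DENY-RAVPN remark of a control-plane ACL would otherwise drop IKE (UDP 500/4500)
access-list CP-DENY-RAVPN remark and break the site-to-site tunnels on this interface
access-list CP-DENY-RAVPN extended permit ip any any
!
access-group CP-DENY-RAVPN in interface outside2 control-plane
!
! Verify hits after a remote-site user tries to connect:
!   show access-list CP-DENY-RAVPN
!
! ---------------------------------------------------------------
! Option 2: same block on the IOS edge router in front of the firewall.
! Applied inbound on the WAN interface, so only traffic arriving from
! the internet-facing side is evaluated. Wildcard masks, not netmasks.
! ---------------------------------------------------------------
ip access-list extended DENY-RAVPN-FROM-SITES
 remark Deny AnyConnect (TCP/UDP 7443) from remote-site public ranges to the VPN headend
 deny   tcp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq 7443
 deny   udp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq 7443
 remark Everything else (IKE, ESP, NAT-T, normal traffic) continues to the firewall
 permit ip any any
!
interface GigabitEthernet0/0
 description WAN (placeholder)
 ip access-group DENY-RAVPN-FROM-SITES in
!
! Verify: show ip access-lists DENY-RAVPN-FROM-SITES
```

Both variants deny only the RA VPN port from the listed sources and permit everything else, which is what keeps the site-to-site tunnels up; the thing to double-check on either device is the final permit, since an ACL with only deny lines ends in an implicit deny that would also drop the IKE negotiation.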

I don't know how a loop would occur; can you elaborate more?

MHM

Lee Dress (Level 1)

Rob,

Since the site has a site-to-site tunnel, wouldn't that break the tunnel?

We use port 7443 for our VPN, so maybe I could make the ACL just for that port? I could possibly just do this at the edge router if that would work.

MHM,

We have 2 outside interfaces that accept VPN connections; all of our site-to-site tunnels are on one interface (i.e. eth1).

People AnyConnect VPN in mostly through the other interface (i.e. eth2).

I believe this is the cause of the loop. I'm not sure exactly, but I've had someone VPN in from one remote site, and 80% of their network went down. When the VPN session was disconnected, the site came back up.

@Lee Dress yes, explicitly deny the SSL port (7443) and permit all other port(s), allowing the S2S VPN etc.

I've not heard/seen a single RAVPN cause a problem with a S2S VPN though tbh.

Thanks.

Does the VPN subnet conflict with the remote LAN?

MHM

No.

I'll try Rob's solution.

There's no reason someone in a remote office with a tunnel should VPN in anyway. I'm just trying to eliminate the possibility.

It doesn't make sense to me either, but it is consistently reproducible, so I want to eliminate the ability of anyone even trying.