Solved

EZVpn on the ASA 5505 - Best configuration to provide & block VPN access

Posted on 2012-03-16
Last Modified: 2012-08-14
I'm setting up a pair of 5505s (both with Base licenses and running 8.4(3))--one in the office, one at my boss' home.  In part, the office unit will function as an EZVpn server.  It's configured against a static IP.  Rather than bother with a static IP or DDNS for the home unit, I'm going to configure it as an EZVpn client.  

As the 5505 will sit in front of a home network there will be several family devices connected that will simply need Internet access.  The other two computers are the only ones that should have VPN access.  What's the best way to configure this set up to ensure only those two systems can ever see the VPN?  Thanks.
Question by:mrpierce2
 
LVL 22

Expert Comment

by:eeRoot
ID: 37731821
Can you split the traffic onto different VLANs?  Or put the office VPN connection on a DMZ connection and leave the family connections on the inside interface?
 

Author Comment

by:mrpierce2
ID: 37732653
eeRoot:

Hello.

Since I haven't yet had the occasion to set up a DMZ (I have an SBS network in the office where everything is on the same subnet and I filter specific ports), I had a mental block about the ASA restricted license and how it works in relation to a DMZ.  I now understand that the restriction just means any one of the three interfaces can only go one direction.  

I get that I can separate each group of computers (home, work) on a separate interface each assigned to its own VLAN.  Since they'd both access the net, the restriction ("no forward interface") would be placed on the VLAN with the home computers.  With only these changes specified to the config, both of those VLANs can still access the VPN though, right?  So, in order to ensure the computers on that 'home' VLAN never have VPN access (to the office net), is it as simple as adding a command to deny an outbound connection from the associated interface/VLAN to the public IP address of my server (i.e. the VPN)?

You noted splitting the traffic of the different VLANs.  Can you provide a little more info and/or an example?

One other thought regarding a more 'subdivided' configuration... My boss is doing video postproduction from his home.  It's not in the plan right now, but since we're now moving from his using a software client to having a 5505 at his home, I thought I should make an allowance for a DMZ to support a mini-server that could be set to receive large video files from the office/clients/freelancers, some of which might be uploaded at off hours.  This could eliminate some of the hard drive shuttling we currently do between office and home.  In this scenario, the DMZ would be restricted and used solely for the mini-server.  Both office and home computers would then be together on the inside interface.  How would I then limit VPN access to only the two office computers?  Is this something that's accomplished through MAC address filtering by the ASA?  Can I have multiple VLANs on the same interface and then restrict the appropriate VLAN?
 
LVL 22

Accepted Solution

by:
eeRoot earned 500 total points
ID: 37733471
If the home PCs are on the inside interface, and a rule is set to block their access to the VPN IP range, they will be isolated.  You could then put the boss's PC in a DMZ that can access the VPN connection.  And if you may need to add a server, sometime in the future, add it to the same DMZ as the boss's PC.

If the boss's PC and home PCs must be on the same network, then you could use DHCP address reservations to control what IP addresses the PCs get.  And then create a firewall rule that allows the boss's PC's IP address access to the DMZ and VPN tunnel.
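The two designs in the accepted answer both come down to an ordered access list with first-match semantics and an implicit deny at the end. The following is an added example, not code from the thread or from Cisco: it models both designs over constructed addresses (the 192.168.10.0/24 HOME, 192.168.20.0/24 WORK and 10.0.0.0/24 office ranges, the reserved boss address 192.168.10.50 and the TEST-NET-2 placeholder 198.51.100.1 for the office ASA are all assumptions) and also checks the variant the asker raised in an earlier comment, a rule that denies only the VPN server's public IP. That variant lets home-to-office traffic through, because host traffic on an EZVPN hardware client is addressed to the office's private range; only the ASA itself talks to the server's public address.

```python
"""Added example (not from the thread): first-match ACL evaluation for the
two access-control designs in the accepted answer, using constructed addresses."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addressing for the home ASA 5505 (assumptions, not from the thread).
HOME_NET = ip_network("192.168.10.0/24")         # family devices
WORK_NET = ip_network("192.168.20.0/24")         # the two work PCs, own interface (design 1)
OFFICE_NET = ip_network("10.0.0.0/24")           # office LAN reached through the EZVPN tunnel
BOSS_PC = ip_address("192.168.10.50")            # DHCP-reserved address of the boss's PC (design 2)
VPN_SERVER_PUBLIC = ip_address("198.51.100.1")   # office ASA public address (TEST-NET-2 placeholder)
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def evaluate(acl: list, src: str, dst: str) -> str:
    """Return the action of the first rule matching src -> dst.

    Like an ASA access-group, a flow that matches nothing hits the implicit deny.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


# Design 1: home and work on separate interfaces, each with its own inbound ACL.
HOME_ACL = [
    Rule("deny", HOME_NET, OFFICE_NET),   # family devices never reach the tunnel's far side
    Rule("permit", HOME_NET, ANY),        # but keep plain Internet access
]
WORK_ACL = [Rule("permit", WORK_NET, ANY)]

# Design 2: everyone on one inside network; the boss's reserved address is the only exception.
INSIDE_ACL = [
    Rule("permit", ip_network(f"{BOSS_PC}/32"), OFFICE_NET),
    Rule("deny", HOME_NET, OFFICE_NET),
    Rule("permit", HOME_NET, ANY),
]

# Variant raised in the question: deny only the VPN server's public IP.
PUBLIC_IP_ONLY_ACL = [
    Rule("deny", HOME_NET, ip_network(f"{VPN_SERVER_PUBLIC}/32")),
    Rule("permit", HOME_NET, ANY),
]


def design1_results() -> dict:
    return {
        "home_to_office": evaluate(HOME_ACL, "192.168.10.23", "10.0.0.5"),
        "home_to_internet": evaluate(HOME_ACL, "192.168.10.23", "203.0.113.9"),
        "work_to_office": evaluate(WORK_ACL, "192.168.20.11", "10.0.0.5"),
    }


def design2_results() -> dict:
    return {
        "boss_to_office": evaluate(INSIDE_ACL, str(BOSS_PC), "10.0.0.5"),
        "home_to_office": evaluate(INSIDE_ACL, "192.168.10.23", "10.0.0.5"),
        "home_to_internet": evaluate(INSIDE_ACL, "192.168.10.23", "203.0.113.9"),
    }


def public_ip_only_results() -> dict:
    """Shows why blocking the server's public IP does not isolate the home segment:
    the host's packets are addressed to the office private range, not to the endpoint."""
    return {
        "home_to_office": evaluate(PUBLIC_IP_ONLY_ACL, "192.168.10.23", "10.0.0.5"),
        "home_to_vpn_server": evaluate(PUBLIC_IP_ONLY_ACL, "192.168.10.23", str(VPN_SERVER_PUBLIC)),
    }


if __name__ == "__main__":
    print("design 1:", design1_results())
    print("design 2:", design2_results())
    print("public-IP-only rule:", public_ip_only_results())
```

Design 2 only holds as long as the reservation holds: a device that sets the boss's address statically inherits the permit, which is why the answer's first design (a separate interface, with the Base license's `no forward interface` restriction on the home VLAN) is the stronger isolation.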
 

Author Comment

by:mrpierce2
ID: 37738648
eeRoot:

Great solutions.  Thanks.  At present I'm finishing up with the office unit and it will be a few days before I start configuring the home ASA.  I'm going to leave this question open a bit longer while I config that unit.
 

Author Comment

by:mrpierce2
ID: 37876808
eeRoot:

Thanks again for your help.  Sorry to take so long to finish this up.  I had a situation with connection drops on the office ASA 5505 that was truly one of the most frustrating experiences of my IT life.  It pretty much absorbed all my attention, but I'm smiling with relief now that it's over.

I decided to implement your first suggestion and put the work and home systems on separate interfaces, so it was easy to link only the work interface to the VPN.  I don't use DHCP on the office ASA--our SBS server provides it and I'm used to thinking of DHCP in terms of a handful of reservations and a single scope.  With the remote ASA I realized I could have its DHCP server assign separate subnets to the inside interface and the DMZ.  I also decided to name them to be more obvious as HOME and WORK.  Still need to work out a couple of networking/DNS issues so all key systems can be seen/accessed, but I'm 90% there.