Solved

EZVpn on the ASA 5505 - Best configuration to provide & block VPN access

Posted on 2012-03-16
563 Views
Last Modified: 2012-08-14
I'm setting up a pair of 5505s (both with Base licenses and running 8.4(3))--one in the office, one at my boss' home.  In part, the office unit will function as an EZVpn server.  It's configured against a static IP.  Rather than bother with a static IP or DDNS for the home unit, I'm going to configure it as an EZVpn client.  

As the 5505 will sit in front of a home network there will be several family devices connected that will simply need Internet access.  The other two computers are the only ones that should have VPN access.  What's the best way to configure this set up to ensure only those two systems can ever see the VPN?  Thanks.
Question by:mrpierce2
5 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 37731821
Can you split the traffic the different VLAN's?  Or put the office VPN connection on a DMZ connection and leave the family connections on the inside interface?
0
 

Author Comment

by:mrpierce2
ID: 37732653
eeRoot:

Hello.

Since I haven't yet had the occasion to set up a DMZ (I have an SBS network in the office where everything is on the same subnet and I filter specific ports), I had a mental block about the ASA restricted license and how it works in relation to a DMZ.  I now understand that the restriction just means any one of the three interfaces can only go one direction.  

I get that I can separate each group of computers (home, work) on a separate interface each assigned to its own VLAN.  Since they'd both access the net, the restriction ("no forward interface") would be placed on the VLAN with the home computers.  With only these changes specified to the config, both of those VLANs can still access the VPN though, right?  So, in order to ensure the computers on that 'home' VLAN never have VPN access (to the office net), is it as simple as adding a command to deny an outbound connection from the associated interface/VLAN to the public IP address of my server (i.e. the VPN)?

You noted splitting the traffic of the different VLANs.  Can you provide a little more info and/or an example?

One other thought regarding a more 'subdivided' configuration... My boss is doing video postproduction from his home.  It's not in the plan right now, but since we're now moving from his using a software client to having a 5505 at his home, I thought I should make an allowance for a DMZ to support a mini-server that could be set to receive large video files from the office/clients/freelancers, some of which might be uploaded at off hours.  This could eliminate some of the hard drive shuttling we currently do between office and home.  In this scenario, the DMZ would be restricted and used solely for the mini-server.  Both office and home computers would then be together on the inside interface.  How would I then limit VPN access to only the two office computers?  Is this something that's accomplished through MAC address filtering by the ASA?  Can I have multiple VLANs on the same interface and then restrict the appropriate VLAN?
0
 
LVL 22

Accepted Solution

by:eeRoot (earned 500 total points)
ID: 37733471
If the home PCs are on the inside interface, and a rule is set to block their access to the VPN IP range, they will be isolated.  You could then put the boss's PC in a DMZ that can access the VPN connection.  And if you may need to add a server, sometime in the future, add it to the same DMZ as the boss's PC.

If the boss's PC and home PCs must be on the same network, then you could use DHCP address reservations to control what IP addresses the PCs get.  And then create a firewall rule that allows the boss's PC's IP address access to the DMZ and VPN tunnel.
0
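An added configuration sketch of eeRoot's first design (office and family systems on separate interfaces, the family interface barred from the office range), written for this page and not taken from the thread or either poster's device; the VLAN numbers, subnets, group name and EZVPN server address are assumptions, in ASA 8.4 syntax for a 5505 Base license.

```cisco
! Added example, not the poster's or eeRoot's config: ASA 5505 EZVPN client,
! Base license, 8.4 syntax. Assumed addressing: office LAN 10.10.10.0/24,
! WORK 192.168.10.0/24, HOME 192.168.20.0/24, EZVPN server 203.0.113.10.
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! WORK: the two office computers that are allowed to use the tunnel.
interface Vlan1
 nameif WORK
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! HOME: family devices. The Base license requires the third VLAN to be barred
! from initiating traffic to one other VLAN; point that at WORK so HOME still
! reaches the Internet but not the office side.
interface Vlan3
 no forward interface Vlan1
 nameif HOME
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! Switch ports: 0/0 to the ISP, 0/1-0/2 stay in VLAN 1 (WORK), 0/3-0/7 to HOME.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/3
 switchport access vlan 3
!
! Explicitly drop HOME traffic toward the office LAN range before permitting
! its Internet traffic, so a HOME source address is never routed into the tunnel.
access-list HOME_IN extended deny ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list HOME_IN extended permit ip 192.168.20.0 255.255.255.0 any
access-group HOME_IN in interface HOME
!
! One DHCP scope per interface so each group lands in its own subnet.
dhcpd address 192.168.10.10-192.168.10.30 WORK
dhcpd enable WORK
dhcpd address 192.168.20.10-192.168.20.100 HOME
dhcpd enable HOME
!
! EZVPN hardware client toward the office ASA; network-extension mode keeps
! the WORK subnet reachable from the office network.
vpnclient server 203.0.113.10
vpnclient mode network-extension-mode
vpnclient vpngroup EZVPN_GROUP password <group-password>
vpnclient enable
```

Which inside networks the hardware client actually sends through the tunnel depends on the client's inside-interface handling and the split-tunnel policy pushed by the office ASA, so treat the inbound ACL on HOME as the explicit control and confirm it with the hit counts from `show access-list HOME_IN` after a family device tries to reach the office range.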
 

Author Comment

by:mrpierce2
ID: 37738648
eeRoot:

Great solutions.  Thanks.  At present I'm finishing up with the office unit and it will be a few days before I start configuring the home ASA.  I'm going to leave this question open a bit longer while I config that unit.
0
 

Author Comment

by:mrpierce2
ID: 37876808
eeRoot:

Thanks again for your help.  Sorry to take so long to finish this up.  I had a situation with connection drops on the office ASA 5505 that was truly one of the most frustrating experiences of my IT life.  It pretty much absorbed all my attention, but I'm smiling with relief now that it's over.

I decided to implement your first suggestion and put the work and home systems on separate interfaces, so it was easy to link only the work interface to the VPN.  I don't use DHCP on the office ASA--our SBS server provides it and I'm used to thinking of DHCP in terms of a handful of reservations and a single scope.  With the remote ASA I realized I could have its DHCP server assign separate subnets to the inside interface and the dmz.  I also decided to name them to be more obvious as HOME and WORK.  Still need to work out a couple of networking/DNS issues so all key systems can be seen/accessed, but I'm 90% there.
0
