Solved

Need to access a PC connected to corporate network via Cisco VPN client

Posted on 2013-01-28
Last Modified: 2013-01-29
Hi,

We have a Cisco ASA firewall which has VPN access configured on it. Currently it assigns IP addresses to clients from an address pool administered by itself (the ASA). User authentication is done by a RADIUS server (MS Network Policy Server). We also have a Microsoft Active Directory environment.

A few of the PCs (Windows 7 OS) which do NOT belong to the company domain have Shrew Soft VPN clients installed. We need to access resources on them via this dynamic VPN connection (i.e. access them via hostname.contoso.com:1234).

To do that, I presume we need them to either have static IP addresses which we would know in advance, or have these clients update the DNS server with their current VPN adapter IP address.

We have tried so far:

- Configuring static IP address on Shrew Soft VPN client software. Doesn't work - ASA will refuse to establish VPN tunnel with the device if VPN software has static IP defined. If we could make ASA accept this static IP, this could be a solution.

- Configuring ASA to use MS DHCP server as a source to get IP address for clients. Addresses are issued just fine, the problem is that we cannot make a DHCP reservation because we see no MAC address. In the "Unique ID" field we have some very long hex string (~60 characters). Tried to create DHCP reservation using that field, but it appears that this string has one character which auto-increments with each VPN connection attempt. If we could make it static - this could be a solution.

- There is an option (I would say, an ugly one) to create local user accounts on the Cisco ASA for the users in question and assign them IP addresses via ASA policy, and keep all the other users connecting via RADIUS authentication as before, via their current VPN profile. This would perhaps be our last resort.

- Currently we are exploring option to use PowerShell script which would run locally on the PC which would
a) call VPN client and establish tunnel
b) find out the IP address assigned to the virtual VPN adapter
c) ask DNS server to delete old "A" entry for that host and create new "A" entry with the new IP address.
The problem with the last one is that to send an update to the DNS server you need to have proper rights to access the DNS server (which is also an AD Domain Controller); that would mean embedding these credentials in the script, which is also not a pleasant option.

Is there anything we are missing? Anything which we could use in addition to the above mentioned? Or tweak some existing option and get it to work somehow?

Would appreciate any help!
Question by:thinkbot

Expert Comment

by:ArneLovius
ID: 38830268
Do you mean that you need to access resources on the computer running the Shrew Soft VPN client?

If this is the case, there are two other methods that you might look at

1/ use a different VPN group for each client with just one address in the pool that the VPN group uses
2/ push the IP address to be used as a RADIUS attribute

Author Comment

by:thinkbot
ID: 38830388
Hi ArneLovius,

Yes, you've got exactly what I meant.

Thanks for suggestions. The 1st option is something we have thought of, but didn't want to have separate VPN groups for every user who needs to be "accessed" plus separate VPN group for the rest of "normal" users, who do not have any resources on their PCs that we need to access.

The 2nd option seems very attractive. Could you please elaborate a bit on this option? What is being pushed, from where and to where?

Thanks

Accepted Solution

by:ArneLovius (earned 500 total points)
ID: 38830750
You will need a group for static addresses, and a group for dynamic addresses.

The IP address is set on the user's AD object, on the Dial-in tab, "Assign Static Address".

In NPS, you need to add the RADIUS attributes Framed-IP-Address and Framed-IP-Netmask to the Connection Request Policy. Set a "dummy" address; it will be overwritten by the AD object's value. You do need to set the correct subnet mask.

On the ASA, you would use the command "vpn-addr-assign aaa" in global mode to use the RADIUS attribute, and then not specify an address method in the group policy.

Unless there is a requirement to use RADIUS (such as for 802.1x), I tend to use LDAP* for authentication. Using LDAP effectively means not having to configure NPS, thus simplifying authentication; you can then use an LDAP attribute map on the ASA to convert any AD object attribute into a RADIUS attribute.

*using LDAPS instead of LDAP, so that all communication is over an SSL connection...
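The AD side of the accepted answer, as an added example that is not part of the thread and not ArneLovius's code: the "Assign Static Address" checkbox on the Dial-in tab writes the address into the msRADIUSFramedIPAddress attribute, which NPS then returns as Framed-IP-Address. The example sets that attribute directly for several users with PowerShell and decodes it again to check the value. Assumptions not stated in the thread: the ActiveDirectory module (RSAT) is installed, the running account may modify the user objects, and the attribute stores the IPv4 address as a signed 32-bit integer in network byte order (so addresses at or above 128.0.0.0 show up negative). The user names and addresses are constructed.

```powershell
# Added example, not from the thread. Sets the per-user static VPN address that NPS
# returns as the RADIUS Framed-IP-Address attribute, then reads it back to verify.
# Assumption: NPS takes the Dial-in tab value from msRADIUSFramedIPAddress, which
# holds the IPv4 address as a signed Int32 in network byte order.

function ConvertTo-FramedIPAddressValue {
    param([Parameter(Mandatory=$true)][string]$IPAddress)
    # GetAddressBytes() returns the four octets in network (big-endian) order.
    $bytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    return [BitConverter]::ToInt32($bytes, 0)
}

function ConvertFrom-FramedIPAddressValue {
    param([Parameter(Mandatory=$true)][int]$Value)
    $bytes = [BitConverter]::GetBytes($Value)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    return (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

function Set-VpnStaticAddress {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string]$IPAddress
    )
    Import-Module ActiveDirectory
    $value = ConvertTo-FramedIPAddressValue -IPAddress $IPAddress
    Set-ADUser -Identity $SamAccountName -Replace @{ msRADIUSFramedIPAddress = $value }

    # Read the attribute back and decode it so a typo in the address fails loudly
    # here rather than as an unexplained "no address" at VPN connect time.
    $user   = Get-ADUser -Identity $SamAccountName -Properties msRADIUSFramedIPAddress
    $stored = ConvertFrom-FramedIPAddressValue -Value ([int]$user.msRADIUSFramedIPAddress)
    if ($stored -ne $IPAddress) {
        throw "msRADIUSFramedIPAddress for $SamAccountName decodes to $stored, expected $IPAddress"
    }
    Write-Host "$SamAccountName -> Framed-IP-Address $stored (raw value $value)"
}

# Constructed sample: three users whose PCs must be reachable, given addresses from
# a range that is NOT part of the ASA's dynamic pool, so the two never collide.
$staticUsers = @{
    'jdoe'   = '10.20.30.11'
    'asmith' = '10.20.30.12'
    'bwong'  = '10.20.30.13'
}
foreach ($entry in $staticUsers.GetEnumerator()) {
    Set-VpnStaticAddress -SamAccountName $entry.Key -IPAddress $entry.Value
}
```

Two checks worth making alongside this. First, keep the static addresses out of the ASA's dynamic pool; with "vpn-addr-assign aaa" enabled, a RADIUS-supplied address that overlaps the pool is an addressing conflict the ASA will not resolve for you. Second, RFC 2865 reserves Framed-IP-Address values 255.255.255.254 (NAS picks the address) and 255.255.255.255 (user negotiates the address), so never use those as the "dummy" value in the NPS policy; any ordinary address from the static range is fine, since the per-user attribute overrides it. The ADUC Dial-in tab may additionally write msRASSavedFramedIPAddress when you tick the checkbox there; the assumption here is that NPS only consults msRADIUSFramedIPAddress, which opening the user's Dial-in tab after running the script will confirm.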

Author Comment

by:thinkbot
ID: 38831540
Thank you for the details.

Meanwhile, it seems we have successfully implemented a PowerShell script which will run locally on the PC, get the adapter IP and pass it on to the DNS server (it involves storing the credentials required to access the DNS server on that machine, but they can at least be stored encrypted and then decrypted (with the key, which is also in the script, so yes, it only protects from a user who doesn't have bad intentions...)). Since it only involves 3 end-points, we will try the script first and later on will look into implementing your suggestion.

Thanks again!

Cheers
Expert Comment

by:ArneLovius
ID: 38831595
If you store the key and the script together, you only have minimal obscurity over storing it unencrypted...

You could of course use a different internal domain name (or a subdomain) for the computers to register against and not require secure updates to it...
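The script approach thinkbot describes (get the VPN adapter's address, replace the host's A record on the DC), written here as an added example that is not the poster's script and not ArneLovius's code. The difference from the thread's version is the point raised just above: instead of an encryption key sitting next to the script, the DNS credential is protected with Windows DPAPI via Export-Clixml/Import-Clixml, which ties the encrypted file to the Windows user that created it, so there is no key in the script for another local account to read. Assumptions not in the thread: the DC/DNS server is dc01.contoso.com, the zone is contoso.com, PowerShell remoting (WinRM) is enabled on the DC and the non-domain PC lists it in TrustedHosts, the Shrew Soft adapter's WMI description contains "Shrew Soft", and the credential file is created once, interactively, by the same Windows user that later runs the script (the command for that is in the comment). The tunnel is assumed to be up already; the script checks for that rather than starting the client.

```powershell
# Added example, not the poster's script. Registers the Shrew Soft adapter's current
# IPv4 address as an A record on the internal DNS server from a non-domain Windows 7 PC.
# The DNS credential is stored DPAPI-protected (user scope), created once with:
#   Get-Credential | Export-Clixml -Path "$env:LOCALAPPDATA\vpn-dns-cred.xml"
# Assumed names (not from the thread): dc01.contoso.com, zone contoso.com, adapter
# description containing 'Shrew Soft', remoting enabled on the DC.

$DnsServer      = 'dc01.contoso.com'
$Zone           = 'contoso.com'
$HostName       = $env:COMPUTERNAME.ToLower()
$CredentialPath = Join-Path $env:LOCALAPPDATA 'vpn-dns-cred.xml'

function Get-VpnAdapterIPv4Address {
    # Windows 7 ships without Get-NetIPAddress, so use WMI. IPEnabled=TRUE limits the
    # query to adapters that currently hold an address, i.e. the tunnel is actually up.
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.Description -like '*Shrew Soft*' } |
        Select-Object -First 1
    if (-not $cfg) { throw 'Shrew Soft adapter has no address; is the tunnel up?' }
    $ipv4 = $cfg.IPAddress |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } |
        Select-Object -First 1
    if (-not $ipv4) { throw 'Shrew Soft adapter has no IPv4 address' }
    return $ipv4
}

function Update-VpnHostRecord {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$IPv4Address,
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential
    )
    # dnscmd.exe is present on every DNS server role install (2008 R2 included), so
    # this works without the newer DnsServer module. Deleting all A records for the
    # node first makes the update idempotent when the VPN address has not changed.
    Invoke-Command -ComputerName $DnsServer -Credential $Credential `
        -ArgumentList $Zone, $Name, $IPv4Address -ScriptBlock {
            param($zone, $name, $ip)
            & dnscmd.exe /RecordDelete $zone $name A /f | Out-Null
            & dnscmd.exe /RecordAdd $zone $name 300 A $ip
        }
}

# Import-Clixml DPAPI-decrypts the password; it only succeeds for the Windows user
# (on this machine) that ran Export-Clixml, which is the whole point versus a key in the script.
$cred = Import-Clixml -Path $CredentialPath
$ip   = Get-VpnAdapterIPv4Address
Update-VpnHostRecord -Name $HostName -IPv4Address $ip -Credential $cred
Write-Host "$HostName.$Zone -> $ip"
```

DPAPI moves the risk rather than removing it: anyone who runs code as that Windows user (or holds that user's password and the file) can still recover the credential, which is why the account it holds should be a dedicated one with rights limited to writing that host's record in the zone, and the remoting endpoint on the DC should be constrained rather than a full administrative session. That matches the thread's own fallback of disabling the account if an endpoint is lost, but limits what the lost credential is good for in the meantime.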
Author Comment

by:thinkbot
ID: 38831739
Yes, fully agree on your note, it's just minimal "security"; for now it will do the job - we trust these users, and if one of them loses their endpoint or it potentially becomes compromised, we can block that account.

For DNS - since we have only 3 such users, it lowers the risk, so we will keep our current DNS setup. I think eventually we will either implement your suggestion (with LDAP auth) or migrate our primary VPN access point to a CheckPoint FW (and deal with what CheckPoint has to offer in this situation), whichever comes first on the timeline.

Thanks again!