Solved

Cisco VPN: Design/Security question

Posted on 2013-05-31
Last Modified: 2013-08-22
I have a Design/Security question to ask about Cisco VPN Implementation:

In my company the current VPN solution is not configured so that clients connected to the VPN can be reached from within the company's internal network. So that means, once the client is connected to the company network via VPN, the client can initiate a connection to any device within the internal company network, but a server in the internal network cannot initiate a connection with a client that is connected via a VPN session.

Is this a normal implementation?
Also, is there a security reason for implementing a VPN solution this way?

In order to change this, will there be changes made to the VPN and firewall configuration (routing and tunnelling settings) so that servers on the internal network can talk to clients connected via VPN?

Will there be any changes made to the AnyConnect client etc.?

Regards
Adam
Question by:adam_kan2000
Expert Comment

by:diprajbasu
ID: 39210346
Basically, as per your query you may require two types of VPN.

1. Site to Site VPN
2. Client to site VPN

1. In site to site VPN - two sites are connected, so that all the systems (which are authenticated to connect) can easily enter into the remote site. This is for both locations.
You may need to give authentication for remote users to your server for better security.

2. In client to site VPN - client VPN software has to be installed on the remote systems, and from there you can log in to the remote server/HO server, whatever. But in this case the HO server can't dial to the remote machine/systems. Dialling authentication should always be in the client system.

But in site to site VPN any of the remote VPNs can dial (if there is a public (static) IP) for all the locations; otherwise whoever has the dynamic IP can dial, or else you should go for DynDNS.

If the firewall configuration changes, you need to change the client configuration also.
Author Comment

by:adam_kan2000
ID: 39210392
This is for Client to Site VPN - imagine the client is connected to the office network via AnyConnect. So if we bind the client's IP address to a MAC address in the Cisco ASA, then should a server that is in the office network be allowed to initiate a connection with a client connected via VPN?

Can you think of any security issue with this setup?
Author Comment

by:adam_kan2000
ID: 39210453
In order to do the above, is it possible to tie DHCP addresses to specific MAC addresses on the ASA?
Accepted Solution

by: surbabu140977 (earned 500 total points)
ID: 39215919
If a client can connect to your setup and access anything, then by every means you should be able to connect back to him.

If you are not, that means your internal LAN IP range is not permitted towards the client VPN IP address range (which he gets once connected) in your firewall/router where the VPN is configured.

If your client gets an IP address of 10.10.10.2 after connecting to the VPN, do a traceroute from your LAN PC to that IP. The packets should get dropped at the firewall/router.

Make changes there, you should be able to connect.

This is not a security issue but rather would be termed a bad config issue (unless specific reasoning is there).

In our company we have our own servers in client spaces. But in that case we block the return access via OpenVPN for security. Only we can connect; clients cannot.


Best,
Expert Comment

by:DanJ
ID: 39228533
Suppose the security policy allows the access.
You will need site-to-site VPN to achieve that. It cannot be done with AnyConnect.
Author Comment

by:adam_kan2000
ID: 39240306
Hi surbabu140977 - That is exactly what is happening. If I do a traceroute to an IP assigned dynamically by an ASA to a remote client, it gets dropped.

The question is: there is a server on the internal office LAN that sometimes needs to connect to a remote client connected via VPN.

At present the policy is to drop any connection initiated from within the LAN towards the remote client connected via VPN (I don't know why this is in place).

But the other problem is that the Cisco ASA does not allow DHCP reservation, so even if we open up the firewalls to allow this to happen, the VPN client will get a different IP every time it connects, and there is no way that we can keep updating the server with the new IP address of the remote client.
Expert Comment

by:surbabu140977
ID: 39241775
The VPN client gets its IP from the VPN pool defined in the ASA. If the pool is defined as 10.0.0.1 - 10.0.0.254, then the remote client can get any IP between 10.0.0.1 and 10.0.0.254 when connected. So allow 10.0.0.0/24 in the list.

Best,
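As an added example (not from the thread or from any of the posters), a small Python checker that applies surbabu140977's two points above: it computes the single CIDR block that covers an ASA pool range, and it checks whether a LAN server is permitted to reach every address in that pool under a first-match, implicit-deny rule list. The pool 10.0.0.1 - 10.0.0.254 is the one from the thread; the 192.168.1.0/24 LAN, the server address, the "reserved" client address and the rule tuple format are assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Assumed rule shape: (action, source network, destination network), evaluated
# top-down with first match winning and an implicit deny at the end, the way
# an ASA access-list behaves. Not the ASA's own syntax.
Rule = Tuple[str, str, str]


def pool_covering_network(start: str, end: str) -> ipaddress.IPv4Network:
    """Smallest single CIDR that contains every address of a start-end pool.

    A remote-access client gets an unpredictable address from this range on
    each connection, so a rule must cover the whole range, not one address.
    """
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if hi < lo:
        raise ValueError("pool end precedes pool start")
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:          # widen by one bit until the end fits
        net = net.supernet()
    return net


def first_match(rules: Iterable[Rule], src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address) -> str:
    """Action of the first rule matching src -> dst; 'deny' if none matches."""
    for action, src_net, dst_net in rules:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def unreachable_pool_addresses(rules: Iterable[Rule], server_ip: str,
                               pool_start: str, pool_end: str) -> List[str]:
    """Pool addresses the server cannot initiate a connection to."""
    rules = list(rules)
    server = ipaddress.IPv4Address(server_ip)
    addr, hi = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    blocked = []
    while addr <= hi:
        if first_match(rules, server, addr) != "permit":
            blocked.append(str(addr))
        addr += 1
    return blocked


if __name__ == "__main__":
    POOL = ("10.0.0.1", "10.0.0.254")   # pool from the thread
    SERVER = "192.168.1.10"             # assumed LAN server
    # A rule written for one "reserved" client address leaves the rest blocked.
    narrow = [("permit", "192.168.1.0/24", "10.0.0.37/32")]
    # The fix from the thread: permit the covering /24 of the pool instead.
    wide = [("permit", "192.168.1.0/24", str(pool_covering_network(*POOL)))]
    print(pool_covering_network(*POOL))                             # 10.0.0.0/24
    print(len(unreachable_pool_addresses(narrow, SERVER, *POOL)))   # 253
    print(len(unreachable_pool_addresses(wide, SERVER, *POOL)))     # 0
```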
Expert Comment

by:DanJ
ID: 39242868
In remote VPN access the client can be anywhere on the internet. If the server initiates connections to your client, how do you know where to terminate the VPN session?
Author Comment

by:adam_kan2000
ID: 39300157
Hi DanJ - Can you elaborate on what you are trying to say?
Author Closing Comment

by:adam_kan2000
ID: 39430484
good