• Status: Solved
  • Priority: Medium
  • Security: Public

Cisco VPN: Design/Security question

I have a Design/Security question to ask about Cisco VPN implementation:

In my company the current VPN solution is not configured so that clients connected to the VPN can be reached from within the company's internal network. So that means, once the client is connected to the company network via VPN, the client can initiate a connection to any device within the internal company network, but a server in the internal network cannot initiate a connection with a client that is connected via a VPN session.

Is this a normal implementation?
Also, is there a security reason for implementing the VPN solution this way?

In order to change this, will there be changes made to the VPN and firewall configuration (routing and tunnelling settings) so that servers on the internal network can talk to clients connected via VPN?

Will there be any changes made to the AnyConnect client etc.?

Regards
Adam
1 Solution
 
DIPRAJ Commented:
Basically, as per your query you may require two types of VPN.

1. Site to Site VPN
2. Client to site VPN

1. In site to site VPN - two sites have been connected, so that all the systems (which are authenticated to connect) can easily enter into the remote. This is for both the locations.
You may need to give authentication for remote users to your server for better security.

2. In client to site VPN - one client VPN software has to be installed in the remote systems and from there you can log in to the remote server/HO server... whatever. But in this case the HO server can't dial to the remote machine/systems. Dialling authentication should always be in the client system.

But in site to site VPN any of the remote VPNs can dial (if there is a public IP (static)) for all the locations; otherwise whoever has the dynamic IP can dial, or else you should go for DynDNS.

If the firewall configuration changes... you need to change the client configuration also.
 
adam_kan2000 Author Commented:
This is for Client to Site VPN. Imagine the client is connected to the office network via AnyConnect - so if we bind the client's IP address to a MAC address in the Cisco ASA, then should a server that is in the office network be allowed to initiate a connection with a client connected via a VPN?

Can you think of any security issue with this setup?
 
adam_kan2000 Author Commented:
In order to do the above, is it possible to tie DHCP addresses to specific MAC addresses on the ASA?
 
surbabu140977 Commented:
If a client can connect to your setup and access anything, then by every means you should be able to connect back to him.

If you are not, that means your internal LAN IP range is not permitted towards the client VPN IP address range (which he gets once connected) in your firewall/router where the VPN is configured.

If your client gets an IP address of 10.10.10.2 after connecting to the VPN, do a traceroute from your LAN PC to that IP. The packets should get dropped at the firewall/router.

Make changes there and you should be able to connect.

This is not a security issue but rather would be termed a bad config issue (unless specific reasoning is there).

In our company we have our own servers in client spaces. But in that case we block the return access via OpenVPN for security. Only we can connect, clients cannot.

Best,
 
DanJ Commented:
Suppose the security policy allows the access.
You will need site-to-site VPN to achieve that. It cannot be done with AnyConnect.
 
adam_kan2000 Author Commented:
Hi Surbabu140977 - That is exactly what is happening. If I were to do a traceroute to an IP assigned dynamically by an ASA to a remote client, it gets dropped.

The question is that there is a server on the internal office LAN that sometimes needs to connect to a remote client connected via a VPN.

At present the policy is to drop any connection initiated from within the LAN towards the remote client connected via VPN... (I don't know why this is in place?)

But the other problem is that the Cisco ASA does not allow DHCP reservation, so even if we open up the firewalls to allow this to happen, the VPN client will get a different IP every time it connects and there is no way that we can keep updating the server with the new IP address of the remote client.
 
surbabu140977 Commented:
The VPN client gets its IP from the VPN pool defined in the ASA. If the pool is defined as 10.0.0.1 - 10.0.0.254, then the remote client can get any IP between 10.0.0.1 - 254 when connected. So allow 10.0.0.0/24 in the list.

Best,
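A concrete way to apply surbabu140977's suggestion on an ASA, as an added example that is not part of the thread: the pool range is the one quoted above, while the LAN subnet 192.168.1.0/24, the server 192.168.1.10, the object and ACL names, and the TCP port are constructed assumptions.

```cisco
! Constructed example: AnyConnect address pool matching the range quoted in the thread
ip local pool VPNPOOL 10.0.0.1-10.0.0.254 mask 255.255.255.0
!
! Assumed internal LAN and the full VPN pool as network objects
object network LAN_NET
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 10.0.0.0 255.255.255.0
!
! Identity NAT so LAN-to-client traffic is not translated before entering the tunnel
nat (inside,outside) source static LAN_NET LAN_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Inside-interface ACL: only the assumed server may initiate to VPN clients, and only on
! the assumed port; the rest of the LAN stays unable to reach the pool (least privilege)
access-list INSIDE_IN extended permit tcp host 192.168.1.10 10.0.0.0 255.255.255.0 eq 22
access-list INSIDE_IN extended deny ip any 10.0.0.0 255.255.255.0
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

Permitting the whole pool to a single server and port sidesteps the per-client address reservation problem raised above, because the rule no longer depends on which pool address a client receives.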
 
DanJ Commented:
In remote access VPN the client can be anywhere on the Internet. If the server initiates connections to your client, how do you know where to terminate the VPN session?
 
adam_kan2000 Author Commented:
Hi DanJ - Can you elaborate on what you are trying to say?
 
adam_kan2000 Author Commented:
good
