Cisco VPN: Design/Security question

Posted on 2013-05-31
Last Modified: 2013-08-22
I have a Design/Security question to ask about Cisco VPN implementation:

In my company the current VPN solution is not configured so that clients connected to the VPN can be reached from within the company's internal network. So that means, once the client is connected to the company network via VPN, the client can initiate a connection to any device within the internal company network, but a server in the internal network cannot initiate a connection with a client that is connected via a VPN session.

Is this a normal implementation?
Also, is there a security reason for implementing the VPN solution this way?

In order to change this, will there be changes made to the VPN and firewall configuration (routing and tunnelling settings) so that servers on the internal network can talk to clients connected via VPN?

Will there be any changes made to the AnyConnect client etc.?

Question by:adam_kan2000
LVL 11

Expert Comment

ID: 39210346
Basically, as per your query you may require two types of VPN.

1. Site-to-site VPN
2. Client-to-site VPN

1. In site-to-site VPN, two sites are connected, so that all the systems (which are authenticated to connect) can easily enter the remote side; this applies to both locations.
You may need to add authentication for the remote user to your server for better security.

2. In client-to-site VPN, client VPN software has to be installed on the remote systems, and from there you can log in to the remote server/HO server, whatever. But in this case the HO server can't dial to the remote machine/systems. Dialling authentication should always be on the client system.

But in site-to-site VPN any of the remote VPNs can dial (if there is a public (static) IP) for all the locations; otherwise whoever has the dynamic IP can dial, or else you should go for DynDNS.

If the firewall configuration changes, you need to change the client configuration also.

Author Comment

ID: 39210392
This is for client-to-site VPN. Imagine the client is connected to the office network via AnyConnect; so if we bind the client's IP address to a MAC address in the Cisco ASA, then should a server that is in the office network be allowed to initiate a connection with a client connected via a VPN?

Can you think of any security issue with this setup?

Author Comment

ID: 39210453
In order to do the above, is it possible to tie DHCP addresses to specific MAC addresses on the ASA?

LVL 17

Accepted Solution

surbabu140977 earned 500 total points
ID: 39215919
If a client can connect to your setup and access anything, then by every means you should be able to connect back to him.

If you are not, that means your internal LAN IP range is not permitted towards the client VPN IP address range (which he gets once connected) in your firewall/router where the VPN is configured.

If your client gets the IP address of after connecting to the VPN, do a traceroute from your LAN PC to that IP. The packets should get dropped at the firewall/router.

Make changes there, and you should be able to connect.

This is not a security issue but rather would be termed a bad config issue (unless specific reasoning is there).

In our company we have our own servers in client spaces. But in that case we block the return access via OpenVPN for security. Only we can connect; clients cannot.


Expert Comment

ID: 39228533
Suppose the security policy allows the access.
You will need site-to-site VPN to achieve that. It cannot be done with AnyConnect.

Author Comment

ID: 39240306
Hi Surbabu140977 - That is exactly what is happening. If I were to do a traceroute to an IP assigned dynamically by an ASA to a remote client, it gets dropped.

The question is, there is a server that is on the internal office LAN that sometimes needs to connect to a remote client connected via a VPN.

At present the policy is to drop any connection initiated from within the LAN towards the remote client connected via VPN... (I don't know why this is in place?)

But the other problem is that the Cisco ASA does not allow DHCP reservation, so even if we open up the firewalls to allow this to happen, the VPN client will get a different IP every time it connects, and there is no way that we can keep updating the server with the new IP address of the remote client.
LVL 17

Expert Comment

ID: 39241775
The VPN client gets the IP from the VPN pool defined in the ASA. If the pool is defined as -, then the remote client can get any IP between -254 when connected. So allow in the list.
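
The two points above (the accepted answer's "the LAN range is not permitted towards the VPN pool" and the pool-not-reservation point in the comment just above) come down to first-match ACL evaluation. The following model, added here and not code from the thread or from Cisco, shows the verdict for LAN-to-client traffic under three rule sets: the original deny, a tempting but fragile single-host permit, and a permit for the whole pool. All addresses, the pool and the simplified ASA-like rule syntax are constructed for the example; this is not a real ASA ACL parser.

```python
"""First-match ACL model for LAN -> VPN-pool traffic (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_acl(lines):
    """Parse simplified lines of the form 'permit|deny ip SRC MASK DST MASK'.

    The syntax only mimics the ASA style; it is a constructed subset.
    """
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[1] != "ip" or parts[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, _, s_net, s_mask, d_net, d_mask = parts
        rules.append(Rule(action,
                          ipaddress.IPv4Network(f"{s_net}/{s_mask}"),
                          ipaddress.IPv4Network(f"{d_net}/{d_mask}")))
    return rules


def evaluate(rules, src_ip, dst_ip):
    """Return the action of the first matching rule; implicit deny otherwise."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


def pool_fully_reachable(rules, src_ip, pool):
    """True only if src_ip may reach every host the ASA could hand out from pool.

    This is the check that matters when clients get a different pool address
    on each connection, so a rule for one address is not enough.
    """
    net = ipaddress.IPv4Network(pool)
    return all(evaluate(rules, src_ip, str(host)) == "permit" for host in net.hosts())


LAN_SERVER = "10.0.1.20"        # constructed: server on the office LAN
VPN_POOL = "10.200.0.0/24"      # constructed: pool handed to AnyConnect clients

# Before: client -> LAN is permitted, LAN -> pool hits an explicit deny.
BEFORE_ACL = [
    "permit ip 10.200.0.0 255.255.255.0 10.0.1.0 255.255.255.0",
    "deny   ip 10.0.1.0 255.255.255.0 10.200.0.0 255.255.255.0",
]

# Fragile fix: permits one pool address, which stops working after a reconnect.
SINGLE_HOST_ACL = [
    "permit ip 10.0.1.0 255.255.255.0 10.200.0.57 255.255.255.255",
] + BEFORE_ACL

# Fix: permit the LAN toward the whole pool, placed before the deny.
AFTER_ACL = [
    "permit ip 10.0.1.0 255.255.255.0 10.200.0.0 255.255.255.0",
] + BEFORE_ACL


if __name__ == "__main__":
    for name, acl in (("before", BEFORE_ACL),
                      ("single host", SINGLE_HOST_ACL),
                      ("whole pool", AFTER_ACL)):
        rules = parse_acl(acl)
        verdict = evaluate(rules, LAN_SERVER, "10.200.0.57")
        whole = pool_fully_reachable(rules, LAN_SERVER, VPN_POOL)
        print(f"{name:12} {LAN_SERVER} -> 10.200.0.57: {verdict}; whole pool reachable: {whole}")
```

Running it shows the single-host rule passing today's address while `pool_fully_reachable` still reports False, which is the reconnect problem the question raises; only the whole-pool rule satisfies both checks. Whether to add that rule at all is the policy decision the accepted answer points at: some deployments deny LAN-initiated traffic to clients on purpose.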


Expert Comment

ID: 39242868
In remote VPN access the client can be anywhere on the internet. If the server initiates connections to your client, how do you know where to terminate the VPN session?

Author Comment

ID: 39300157
Hi DanJ - Can you elaborate on what you are trying to say?

Author Closing Comment

ID: 39430484
