

Cisco VPN: Design/Security question

Posted on 2013-05-31
Last Modified: 2013-08-22
I have a design/security question to ask about a Cisco VPN implementation:

In my company the current VPN solution is not configured so that clients connected to the VPN can be reached from within the company's internal network. That means once the client is connected to the company network via VPN, the client can initiate a connection to any device within the internal company network, but a server in the internal network cannot initiate a connection with a client that is connected via a VPN session.

Is this a normal implementation?
Also, is there a security reason for implementing the VPN solution this way?

In order to change this, will there be changes made to the VPN and firewall configuration (routing and tunnelling settings) so that servers on the internal network can talk to clients connected via VPN?

Will there be any changes made to the AnyConnect client etc.?

Question by: adam_kan2000

Expert Comment

ID: 39210346
Basically, as per your query you may require two types of VPN:

1. Site-to-site VPN
2. Client-to-site VPN

1. In site-to-site VPN, two sites have been connected, so that all the systems (that are authenticated to connect) can easily enter the remote side. This is for both locations.
You may need to add authentication for the remote user to your server for better security.

2. In client-to-site VPN, a client VPN software has to be installed on the remote systems, and from there you can log in to the remote server/HO server, whatever. But in this case the HO server can't dial to the remote machine/systems. Dialling authentication should always be in the client system.

But in site-to-site VPN any of the remote VPN sites can dial (if there is a public static IP) for all the locations; otherwise whoever has the dynamic IP can dial, or else you should go for DynDNS.

If the firewall configuration needs to change, the client configuration does also.

Author Comment

ID: 39210392
This is for client-to-site VPN. Imagine the client is connected to the office network via AnyConnect; so if we bind the client's IP address to a MAC address in the Cisco ASA, then should a server that is in the office network be allowed to initiate a connection with a client connected via a VPN?

Can you think of any security issue with this setup?

Author Comment

ID: 39210453
In order to do the above, is it possible to tie DHCP addresses to specific MAC addresses on the ASA?

Accepted Solution

surbabu140977 earned 1500 total points
ID: 39215919
If a client can connect to your setup and access anything, then by every means you should be able to connect back to him.

If you are not, that means your internal LAN IP range is not permitted towards the client VPN IP address range (which he gets once connected) in your firewall/router where the VPN is configured.

If your client gets IP address of after connecting to the VPN, do a traceroute from your LAN PC to that IP. The packets should get dropped at the firewall/router.

Make changes there and you should be able to connect.

This is not a security issue but rather would be termed a bad config issue (unless specific reasoning is there).

In our company we have our own servers in client spaces. But in that case we block the return access via OpenVPN for security. Only we can connect; clients cannot.


Expert Comment

ID: 39228533
Suppose the security policy allows the access.
You will need site-to-site VPN to achieve that. It cannot be done with AnyConnect.

Author Comment

ID: 39240306
Hi Surbabu140977 - That is exactly what is happening. If I do a traceroute to an IP assigned dynamically by an ASA to a remote client, it gets dropped.

The question is that there is a server on the internal office LAN that sometimes needs to connect to a remote client connected via a VPN.

At present the policy is to drop any connection initiated from within the LAN towards the remote client connected via VPN (I don't know why this is in place).

But the other problem is that the Cisco ASA does not allow DHCP reservation, so even if we open up the firewalls to allow this to happen, the VPN client will get a different IP every time it connects, and there is no way that we can keep updating the server with the new IP address of the remote client.

Expert Comment

ID: 39241775
The VPN client gets the IP from the VPN pool defined in the ASA. If the pool is defined as -, then the remote client can get any IP between -254 when connected. So allow in the list.
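To tie together the pieces discussed in the accepted answer and the two comments above (the address pool, the inside-to-pool drop found by traceroute, and the "no DHCP reservation" concern), here is a constructed Cisco ASA configuration fragment. It is an added example, not configuration posted by anyone in the thread; the interface names, object names, addresses, user name and port are all assumptions.

```cisco
! Constructed example (not from the thread). Assumptions: inside LAN 10.1.0.0/16,
! AnyConnect pool 10.10.10.0/24, internal server 10.1.1.20 must open TCP/3389
! to remote clients, ASA 8.3+ NAT syntax.

! 1. Address pool handed out to AnyConnect clients (the "vpn pool" in the comment above)
ip local pool ANYCONNECT_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

object network INSIDE_LAN
 subnet 10.1.0.0 255.255.0.0
object network ANYCONNECT_NET
 subnet 10.10.10.0 255.255.255.0

! 2. Identity NAT so inside-initiated traffic towards the pool is not translated
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static ANYCONNECT_NET ANYCONNECT_NET no-proxy-arp route-lookup

! 3. Inside-interface ACL. The traceroute in the accepted answer stops here when the
!    LAN-to-pool traffic is not permitted. Allow only the one server and the one port
!    it needs; keep an explicit, logged deny for everything else going to the pool so
!    unexpected LAN-to-client attempts show up in the logs.
access-list INSIDE_IN extended permit tcp host 10.1.1.20 object ANYCONNECT_NET eq 3389
access-list INSIDE_IN extended deny ip any object ANYCONNECT_NET log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
! If a vpn-filter ACL is attached to the AnyConnect group-policy, it is evaluated for
! this traffic as well and must also permit it.

! 4. Fixed address per user via local AAA, so the server has a stable target without
!    a DHCP reservation (the user attribute is honoured because the default
!    vpn-addr-assign order consults AAA before the pool).
username remote-user password CHANGEME-PLACEHOLDER
username remote-user attributes
 vpn-framed-ip-address 10.10.10.50 255.255.255.0
 service-type remote-access
```

The same fixed address can be supplied by a RADIUS server through the Framed-IP-Address attribute instead of a local user entry.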


Expert Comment

ID: 39242868
In remote VPN access the client can be anywhere on the Internet. If the server initiates connections to your client, how do you know where to terminate the VPN session?

Author Comment

ID: 39300157
Hi DanJ - Can you elaborate on what you are trying to say?

Author Closing Comment

ID: 39430484
