Restricting access to Cisco AnyConnect via source address
Posted on 2014-01-07
Remote Access VPN (AnyConnect) works like the following at my datacenter:
I have an ASA5520 with one AnyConnect Profile configured. Every customer then has their own group policy configured, which specifies what they have access to once connected to the VPN. Authentication is done by Windows 2008 NPS with attribute 25 configured. Customers can connect to the VPN from anywhere they have internet access.
I ran into a scenario where a customer needs VPN access to a server with very sensitive information in the data center. The VPN would only be from one server on the customer side to the one server in the data center. I would normally setup a site to site VPN for this, but the remote end (Customer Side) does not have the means to do do.
I thought about installing AnyConnect on the customers server and they could manually connect to the VPN to access the server at the datacenter. My problem with that is, I would want to lock that group down by source address. If I give them AnyConnect, they could essentially access the datacenter server where ever they have internet and anyconnect installed. Is it possible to to lock a AnyConnect group policy down by source address? Cisco TAC tells me it is not unless I have AnyConnect Premium and meet of bunch of criteria. I don't have AnyConnect Premium, I have AnyConnect Essentials. I find it hard to believe there is not way to do this with AnyConnect Essentials. Any idea's or thoughts on this? Does it look like a site-to-site VPN is the only way? Like I said that has been my solution from the get go, but the customer side is basically saying no.