Restricting access to Cisco AnyConnect via source address

Posted on 2014-01-07
Last Modified: 2014-02-12
Remote Access VPN (AnyConnect) works like the following at my datacenter:

I have an ASA5520 with one AnyConnect Profile configured. Every customer then has their own group policy configured, which specifies what they have access to once connected to the VPN. Authentication is done by Windows 2008 NPS with attribute 25 configured. Customers can connect to the VPN from anywhere they have internet access.

I ran into a scenario where a customer needs VPN access to a server with very sensitive information in the data center. The VPN would only be from one server on the customer side to the one server in the data center. I would normally set up a site-to-site VPN for this, but the remote end (customer side) does not have the means to do so.

I thought about installing AnyConnect on the customer's server and they could manually connect to the VPN to access the server at the datacenter. My problem with that is, I would want to lock that group down by source address. If I give them AnyConnect, they could essentially access the datacenter server wherever they have internet and AnyConnect installed. Is it possible to lock an AnyConnect group policy down by source address? Cisco TAC tells me it is not unless I have AnyConnect Premium and meet a bunch of criteria. I don't have AnyConnect Premium, I have AnyConnect Essentials. I find it hard to believe there is no way to do this with AnyConnect Essentials. Any ideas or thoughts on this? Does it look like a site-to-site VPN is the only way? Like I said, that has been my solution from the get-go, but the customer side is basically saying no.
Question by:denver218
4 Comments
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 2000 total points
ID: 39765185
If you're authenticating via NPS, the NAS-Port-Id sent via RADIUS will be the Internet IP address of the client. The option to add NAS-Port-Id to the network policy conditions doesn't appear to be available in the MMC GUI, but you can add it by editing the XML. Details are available here:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/f96086ed-42ce-4c09-808b-38fa6aee722a/how-check-nasportid-or-add-custom-conditions-to-nps?forum=winserverNAP

I haven't actually done this through NPS, so I don't have any more detail than this. RADIUS isn't very different from implementation to implementation, so it stands to reason that if you can add the NAS-Port-Id to the network policy conditions, anything that doesn't meet the condition will be rejected by RADIUS and will cause AnyConnect to fail to authenticate.
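The RADIUS-side check the accepted answer describes, written out as an added example (it is not code from the thread, from Cisco or from Microsoft NPS). It assumes, as the answer states, that the ASA forwards the AnyConnect client's Internet address in the NAS-Port-Id attribute (RADIUS type 87), and that the value is a dotted-quad optionally followed by ":port"; the allow-list, usernames and addresses are constructed test values. The policy fails closed: a request is permitted only when NAS-Port-Id is present exactly once, parses as an address, and falls inside the permitted network.

```python
import ipaddress
import os
import re
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_ID = 87  # RFC 2869 string attribute; assumed to carry the client's public IP

# Constructed: the single customer host that may reach the sensitive server.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.23/32")]


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length (incl. header), value."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_request(identifier, attrs):
    """Build an Access-Request with a random 16-byte Request Authenticator (RFC 2865 section 3)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + os.urandom(16) + body


def parse_attrs(packet):
    """Parse a RADIUS packet into (code, identifier, {type: [values]}), validating every length field."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return code, identifier, attrs


# Anchored on both ends so "198.51.100.23" never matches "198.51.100.230".
_ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?$")


def source_address(attrs):
    """Return the client IP carried in NAS-Port-Id, or None if it is absent, duplicated or unparseable."""
    values = attrs.get(ATTR_NAS_PORT_ID, [])
    if len(values) != 1:  # missing or repeated: do not guess which one to trust
        return None
    match = _ADDR_RE.match(values[0].decode("ascii", "replace"))
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # e.g. an octet above 255
        return None


def check_source_policy(packet, allowed=ALLOWED_SOURCES):
    """Fail closed: (True, reason) only for an Access-Request whose NAS-Port-Id address is allow-listed."""
    try:
        code, _, attrs = parse_attrs(packet)
    except ValueError as exc:
        return False, f"malformed packet: {exc}"
    if code != ACCESS_REQUEST:
        return False, "not an Access-Request"
    addr = source_address(attrs)
    if addr is None:
        return False, "NAS-Port-Id missing or not a usable address"
    if any(addr in net for net in allowed):
        return True, f"source {addr} permitted"
    return False, f"source {addr} not in allow-list"


def demo():
    """Constructed requests: from the customer's server, from elsewhere, and with no NAS-Port-Id at all."""
    good = build_access_request(1, [(ATTR_USER_NAME, b"svc-customer"), (ATTR_NAS_PORT_ID, b"198.51.100.23")])
    bad = build_access_request(2, [(ATTR_USER_NAME, b"svc-customer"), (ATTR_NAS_PORT_ID, b"203.0.113.77")])
    absent = build_access_request(3, [(ATTR_USER_NAME, b"svc-customer")])
    return [check_source_policy(p)[0] for p in (good, bad, absent)]


if __name__ == "__main__":
    for packet_name, verdict in zip(("customer server", "other host", "no NAS-Port-Id"), demo()):
        print(f"{packet_name}: {'permit' if verdict else 'reject'}")
```

The same anchoring matters when the condition is expressed as a pattern in the NPS network policy rather than in code: an unanchored pattern for one address also matches longer addresses that begin with the same digits, so the policy should match the whole string. This check only gates the source; the credential or certificate authentication the request carries still has to succeed separately.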
LVL 22

Expert Comment

by:Matt V
ID: 39766246
Does the customer not have the option to do an IPSec tunnel from the server?  Windows has this ability built in.
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39767265
You can use certificates for authentication and install the certificate on the server without the "export" option turned on.

This way only the server with the certificate can connect. You can use the always on option because authentication can be done in the background without user intervention.

This is not 100% safe but it comes close.
LVL 4

Author Closing Comment

by:denver218
ID: 39854189
Thanks.