Cisco ASA - Split Tunneling - allowing access to just one website?
So I do not have split tunneling enabled for security reasons. Users connect to AnyConnect to access a critical business application. Recently the vendor of this application did a security upgrade. Users now are prompted to verify a certificate that is hosted by godaddy. So they need to be able to get to crl.godaddy.com, which resolves to about 3 different IP addresses. I don't want to just enable split tunneling and give them free reign to the internet while connected. I need to find a way to lock this down. So below is what I have done so far:
Created a VPN Filter for those public IP's below:
object-group network DM_INLINE_NETWORK_50
network-object host x.x.x.228
network-object host x.x.x.237
network-object host x.x.x.237
access-list VPN_FILTER extended permit ip object AC-pool object-group DM_INLINE_NETWORK_50
__________________________
OBJECT GROUP and NAT/PAT
object network AnyConnect-pool
range 172.28.0.1 172.28.3.254
object network godaddy1
host x.x.x.228
object network godaddy2
host x.x.x.237
object network godaddy3
host x.x.x.237
nat (outside,outside) source dynamic AnyConnect-pool interface destination static godaddy1 godaddy1
nat (outside,outside) source dynamic AnyConnect-pool interface destination static godaddy2 godaddy2
nat (outside,outside) source dynamic AnyConnect-pool interface destination static godaddy3 godaddy3
So if they put one of those public IP Addresses in their browser once connected to Anyconnect, they can verify the certificate and it works. The problem is that the application looks for crl.godaddy.com not the public IP address, so if fails. What can I do so it can look at the fqdn and not the public IP address?
Created a VPN Filter for those public IP's below:
object-group network DM_INLINE_NETWORK_50
network-object host x.x.x.228
network-object host x.x.x.237
network-object host x.x.x.237
access-list VPN_FILTER extended permit ip object AC-pool object-group DM_INLINE_NETWORK_50
__________________________
OBJECT GROUP and NAT/PAT
object network AnyConnect-pool
range 172.28.0.1 172.28.3.254
object network godaddy1
host x.x.x.228
object network godaddy2
host x.x.x.237
object network godaddy3
host x.x.x.237
nat (outside,outside) source dynamic AnyConnect-pool interface destination static godaddy1 godaddy1
nat (outside,outside) source dynamic AnyConnect-pool interface destination static godaddy2 godaddy2
nat (outside,outside) source dynamic AnyConnect-pool interface destination static godaddy3 godaddy3
So if they put one of those public IP Addresses in their browser once connected to Anyconnect, they can verify the certificate and it works. The problem is that the application looks for crl.godaddy.com not the public IP address, so if fails. What can I do so it can look at the fqdn and not the public IP address?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Found the solution on my own.
the easiest way I sometimes using when some app need access to something that should be in the internet but from security reasons is not accessible via the internet (public IP) that if it's accessible via name you can do the following:
- rewrite that name in your local IP address in some policy of VPN software
- set (if possible) this names with local IP to hosts files of the users computers
- us your own DNS server for that users and precise that name for them to track to your local IP's...
the problem is that this methods are workaround and not working in some cases, example with certification revocation lists, etc because app should see that you are trying too foolish it by changing the certificate servers IP... so in your case (in my opinion) you have to give users access via this VPN to that 3 servers (they don't need access to whole internet at all).
regards
NTShad0w