Solved

Cisco ASA - Split Tunneling - allowing access to just one website?

Posted on 2014-12-15
Last Modified: 2014-12-21
So I do not have split tunneling enabled for security reasons. Users connect to AnyConnect to access a critical business application. Recently the vendor of this application did a security upgrade. Users now are prompted to verify a certificate that is hosted by GoDaddy. So they need to be able to get to crl.godaddy.com, which resolves to about 3 different IP addresses. I don't want to just enable split tunneling and give them free rein to the internet while connected. I need to find a way to lock this down. So below is what I have done so far:

Created a VPN Filter for those public IP's below:

object-group network DM_INLINE_NETWORK_50
 network-object host x.x.x.228
 network-object host x.x.x.237
 network-object host x.x.x.237

access-list VPN_FILTER extended permit ip object AC-pool object-group DM_INLINE_NETWORK_50

__________________________________________________________________________________________________________________________


OBJECT GROUP and NAT/PAT

object network AnyConnect-pool
 range 172.28.0.1 172.28.3.254
object network godaddy1
 host x.x.x.228
object network godaddy2
 host x.x.x.237
object network godaddy3
 host x.x.x.237

nat (outside,outside) source dynamic AnyConnect-pool interface destination static godaddy1 godaddy1
nat (outside,outside) source dynamic AnyConnect-pool interface destination static godaddy2 godaddy2
nat (outside,outside) source dynamic AnyConnect-pool interface destination static godaddy3 godaddy3

So if they put one of those public IP addresses in their browser once connected to AnyConnect, they can verify the certificate and it works. The problem is that the application looks for crl.godaddy.com, not the public IP address, so it fails. What can I do so it can look at the FQDN and not the public IP address?
Question by:denver218
3 Comments
 
LVL 5

Expert Comment

by:Dawid Fusek
ID: 40500643
Hi mate,

The easiest way I sometimes use when some app needs access to something that should be on the internet but for security reasons is not accessible via the internet (public IP) is that, if it's accessible via name, you can do the following:
- rewrite that name to your local IP address in some policy of the VPN software
- set (if possible) these names with the local IP in the hosts files of the users' computers
- use your own DNS server for those users and have it resolve that name for them to your local IPs...

The problem is that these methods are workarounds and don't work in some cases, for example with certificate revocation lists, etc., because the app should see that you are trying to fool it by changing the certificate server's IP... so in your case (in my opinion) you have to give users access via this VPN to those 3 servers (they don't need access to the whole internet at all).

regards
NTShad0w
 
LVL 4

Accepted Solution

by: denver218 (earned 0 total points)
ID: 40502475
The above configuration worked, I just had to allow DNS in the VPN filter. They only have access to those 3 IPs on the internet. They can't get to anything else.
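A consolidated version of the configuration this thread arrives at, written as an added example rather than the questioner's running config: it combines the hairpin NAT and VPN filter from the question with the DNS permit that the accepted solution says was missing. Everything not on the page is an assumption: the `same-security-traffic` line (required on an ASA before traffic can enter and leave the same interface), the internal DNS and application hosts (placeholder addresses), the group-policy name, and narrowing the CRL rule from `ip` to TCP/80. Two things on the page are worth checking before pasting: the question's filter refers to `AC-pool` while its NAT refers to `AnyConnect-pool`, and its third GoDaddy object repeats the second's address, so the example uses one pool name throughout and leaves the third address as a placeholder.

```cisco
! Added example (not the thread's own config). PLACEHOLDER values are assumptions.
! Goal: full tunnel (no split tunneling), but the VPN filter lets clients reach
! only internal DNS, the internal application, and the three crl.godaddy.com hosts.

! VPN traffic arriving on "outside" must be allowed to go back out "outside".
same-security-traffic permit intra-interface

object network AnyConnect-pool
 range 172.28.0.1 172.28.3.254

! Public CRL hosts (first two copied from the question, third left as a placeholder
! because the question lists x.x.x.237 twice).
object network godaddy1
 host x.x.x.228
object network godaddy2
 host x.x.x.237
object network godaddy3
 host x.x.x.PLACEHOLDER
object-group network CRL_HOSTS
 network-object object godaddy1
 network-object object godaddy2
 network-object object godaddy3

! Internal resources (placeholder addresses): the resolver the clients use through
! the tunnel, and the business application they connect for.
object network INTERNAL_DNS
 host 10.0.0.53
object network APP_SERVER
 host 10.0.0.80

! VPN filter, written from the client side (source = VPN pool) as in the question.
! Anything not permitted here is dropped by the filter's implicit deny.
access-list VPN_FILTER remark DNS: the accepted solution notes this was the missing piece
access-list VPN_FILTER extended permit udp object AnyConnect-pool object INTERNAL_DNS eq domain
access-list VPN_FILTER extended permit tcp object AnyConnect-pool object INTERNAL_DNS eq domain
access-list VPN_FILTER remark The internal application itself (address is a placeholder)
access-list VPN_FILTER extended permit ip object AnyConnect-pool object APP_SERVER
access-list VPN_FILTER remark CRL fetch is plain HTTP; the question used "permit ip"
access-list VPN_FILTER extended permit tcp object AnyConnect-pool object-group CRL_HOSTS eq www

! Hairpin NAT: PAT the pool to the outside address, keep the CRL destinations unchanged.
nat (outside,outside) source dynamic AnyConnect-pool interface destination static godaddy1 godaddy1
nat (outside,outside) source dynamic AnyConnect-pool interface destination static godaddy2 godaddy2
nat (outside,outside) source dynamic AnyConnect-pool interface destination static godaddy3 godaddy3

! Apply the filter to the AnyConnect group policy (name is a placeholder).
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelall
 vpn-filter value VPN_FILTER
```

To confirm it behaves as intended, have a client connect and resolve crl.godaddy.com, then watch the hit counts with `show access-list VPN_FILTER` and the translations with `show nat`: the DNS lines should count hits first, then the CRL line, and nothing else should be reachable from the pool. Because DNS is only permitted to the internal resolver, that resolver must itself be able to answer public names; if it cannot, the application still fails by name even though the IP works, which is exactly the symptom the question describes.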
 
LVL 4

Author Closing Comment

by:denver218
ID: 40511422
Found the solution on my own.