Cisco Site to Site VPN Authentication

I would like to know, for instance: I have 2 separate companies, CompanyA and CompanyB, linked by a Site to Site VPN. Users from CompanyB are supposed to remote in and use applications in CompanyA.

In this case, how do you make a user from CompanyB authenticate to CompanyA and use its resources? Do they need the Cisco VPN Client? If so, is CompanyA able to add an additional authentication factor, like an RSA token, or is it not necessary? Worth mentioning that CompanyA uses Active Directory.

Any clarification will be very much appreciated.

Thank you
jskfan asked:

Rob Williams commented:
If you have a site to site VPN, you just need to give them an account on the remote server and set their DNS, in TCP/IP properties, to point to the remote DNS server.
jskfan (Author) commented:
What do you mean by remote server?
Rob Williams commented:
The remote server would be Company A. Presumably if you have a site to site VPN, users can connect to the resource at Company A, but then are asked for credentials (user name and password). If it is a different company, i.e. domain, they will need a user account there and their user name will need to be entered in the form CompanyA_Domain\User_Name. They will then be authenticated by Active Directory. Active Directory may not be found unless you have Company A's DNS server as the primary in the connecting client's DNS configuration of TCP/IP properties.
Qlemo, "Batchelor", Developer and EE Topic Advisor, commented:
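A check a CompanyB administrator could run from a client to confirm the point above, added here as an example and not part of the thread: it verifies that CompanyA's domain controllers can be located through CompanyA's DNS server and reached across the site-to-site VPN. The domain name and DNS server address are placeholders.

```powershell
# Added example (not from the thread): verify from a CompanyB client that CompanyA's
# AD domain can be located and reached through the site-to-site VPN when CompanyA's
# DNS server is queried. Both parameters are placeholders; replace with real values.
param(
    [string]$RemoteDomain    = 'companya.example',   # placeholder: CompanyA's AD DNS name
    [string]$RemoteDnsServer = '192.0.2.10'          # placeholder: CompanyA's DNS server IP
)

# 1. DC locator records: without these, the client cannot find a domain controller,
#    and a CompanyA_Domain\User_Name logon will fail even though the VPN is up.
$srv = "_ldap._tcp.dc._msdcs.$RemoteDomain"
try {
    $dcs = Resolve-DnsName -Name $srv -Type SRV -Server $RemoteDnsServer -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "Could not resolve $srv via $RemoteDnsServer : $($_.Exception.Message)"
    return
}

# 2. For each DC found, confirm the AD ports are reachable across the VPN.
#    Kerberos (88), LDAP (389) and SMB (445) must be allowed by both VPN endpoints.
foreach ($dc in $dcs) {
    foreach ($port in 88, 389, 445) {
        $ok = Test-NetConnection -ComputerName $dc.NameTarget -Port $port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0,-40} tcp/{1,-4} {2}' -f $dc.NameTarget, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 3. Show which DNS servers each adapter actually uses. For the lookup above to work
#    without specifying -Server, CompanyA's DNS server should be listed first.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
```

A BLOCKED port with the SRV record resolving usually points at a VPN or firewall ACL rather than DNS.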
You can implement a domain trust (A trusts B), so you can assign privileges in A for B users directly.
jskfan (Author) commented:
Ok... I guess when you said remote server, you meant the Cisco end device, which is usually a firewall. I know you can configure authentication on both end firewalls to authenticate with Active Directory. Then users will launch the Cisco AnyConnect client from their computers, and they will be presented with a login window to enter username and password only. I am not sure if an RSA token can be used in this case.
Rob Williams commented:
If you have a site to site VPN, there is no need for any VPN client. The two sites are linked and resources should be available. You just have to grant them access with a local domain account or, as Qlemo suggested, a trust between the two sites/domains.
jskfan (Author) commented:
I see what you are saying: if there is a VPN Site to Site connection, it is like both sites are in the same LAN.
Our company has external vendor companies that are connected by "Site to Site VPN" with our company. Their users have accounts in our Active Directory, but they use the Cisco AnyConnect client to get to our company.
I have also seen a kind of similar scenario where one company site even uses Windows VPN to connect to the other site.
Qlemo, "Batchelor", Developer and EE Topic Advisor, commented:
Why, for heaven's sake, are they connected both S2S and per client? Doesn't make sense, that. You use one or the other.
Of course you won't build a domain trust between internal and vendor sites. Your issues now are DNS resolution (not your fault - they need to know the IP addresses) and user authentication (not your fault - they need to use local or domain accounts explicitly when logging in). There is nothing you can do about it.

We prefer S2S VPNs to our customers, and then have to know the IP addresses and exact account info (domain and user) to remote into a machine. A VPN client screws up our DNS and domain, so I have to change that, stuffing it up the throat of the connecting client via script immediately (otherwise local resources won't work while connected).
Rob Williams commented:
Just to clarify, jskfan, do you know what a site to site VPN is? It is a VPN that is created by connecting 2 hardware VPN-capable routers. There is no VPN client involved, and they are always connected, making them function as if they are on the same LAN as you stated (FYI they are not on the same LAN, but on different subnets). It sounds a bit confusing, as if you may have the terminology mixed up a bit. Is this how company A and B are connected?
jskfan (Author) commented:
I know it sounds like Client to Server VPN, but for that we have Citrix VPN.

Most of our employees that connect to the company remotely from home or when they are mobile use Citrix VPN (two-factor authentication: AD username and password and RSA token), but some vendors use the Cisco AnyConnect VPN client, and the only use of Cisco AnyConnect I know of is not with site to site, it is with client to server VPN.
You configure the VPN server on the firewall and install the client on users' PCs (they can download it and install it).
Rob Williams commented:
With roaming users, it is common to use a VPN client of some sort, but with a proper site to site VPN, no client is needed. Users just need authorization to access resources.
Qlemo, "Batchelor", Developer and EE Topic Advisor, commented:
All I said is still valid if we assume Cisco VPN connections. But you can configure two-factor authentication on Cisco devices, e.g. with a hardware RSA token generator.
The generated token needs to be added to the password field (usually it is appended). Before you ask, I don't know how to configure that; I'm the one having to implement the scripts to establish the connection ;-).
Ben Personick (Previously QCubed), Lead Network Engineer, commented:
So you are asking about the Cisco VPN, but this is actually a complex question involving how you plan to authenticate users with Active Directory and/or other methods, in addition to needing clarification, as you mention having a site to site VPN and then mention RA VPNs in 'the next breath'.

That seems to be leading to some confusion, as other experts are addressing different parts of this question and you seem focused on the VPN, which ultimately may not need anything, or much of anything, done depending on what your actual requirements are.
jskfan (Author) commented:
Thank you guys.