I have gotten a rather unusual request and am wondering whether anybody has come across it before and if it is technically feasible. We have a Cisco ASA firewall that terminates remote access clients using an AnyConnect SSL VPN on the outside interface.
There is a DMZ interface on this same firewall that guest wireless clients use as their default gateway, and they route out to the internet via the outside interface.
Is it possible for these guest wireless clients to build a remote access VPN to the outside interface of the same ASA? (i.e. NAT the guest clients to a public IP in the same subnet as the outside interface and then come back in to the inside interface to access resources.)
I'm thinking the original question was a concern that someone on the guest wireless network might be able to bring up a VPN on the outside, which would give them access to inside resources. I've never tried it myself, but I don't believe it's possible to establish a VPN coming through the ASA to reach that interface. I believe only connections arriving at the ASA on the outside would be able to establish a tunnel. If you really felt strongly about it, you could always deny some protocols inbound on the DMZ interface to the outside IP address, and that shouldn't break anything that ought to work.
Even if they could establish that tunnel coming through the DMZ interface, hopefully your VPN authentication mechanisms would keep out anyone who wasn't authorized to use the VPN. If it's too easy to crack the VPN authentication, you've got bigger problems.
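One way to implement the belt-and-braces block suggested in the answer above, written as an added example rather than config from this thread. Interface names (dmz, outside), the guest subnet and the outside IP are placeholder assumptions; the ports are the ones AnyConnect listens on (TCP/UDP 443 for SSL/DTLS, UDP 500/4500 for IKEv2), and the control-plane keyword is used because packets addressed to the ASA's own interface IP are to-the-box traffic that a normal interface ACL does not filter (confirm your ASA release supports it).

```cisco
! Added example, not from the original thread. Placeholder values:
! guest subnet 10.200.0.0/24, ASA outside interface IP 203.0.113.10,
! interface nameif "dmz". Adjust to your environment.
object network GUEST-WIFI
 subnet 10.200.0.0 255.255.255.0
object network ASA-OUTSIDE-IP
 host 203.0.113.10
! Ports the AnyConnect listener uses: SSL/TLS and DTLS (443), IKEv2 (500/4500)
object-group service ANYCONNECT-TCP tcp
 port-object eq 443
object-group service ANYCONNECT-UDP udp
 port-object eq 443
 port-object eq 500
 port-object eq 4500
! Deny guest clients reaching the VPN listener on the firewall itself;
! keep an explicit permit so other to-the-box traffic the guests
! legitimately need (e.g. DHCP or DNS served by the ASA) still works.
access-list GUEST-TO-BOX extended deny tcp object GUEST-WIFI object ASA-OUTSIDE-IP object-group ANYCONNECT-TCP
access-list GUEST-TO-BOX extended deny udp object GUEST-WIFI object ASA-OUTSIDE-IP object-group ANYCONNECT-UDP
access-list GUEST-TO-BOX extended permit ip any any
! Apply as a control-plane ACL on the DMZ interface: to-the-box traffic
! is not matched by an ordinary "access-group ... in interface dmz".
access-group GUEST-TO-BOX in interface dmz control-plane
```

After applying it, `show access-list GUEST-TO-BOX` lets you confirm from the hit counts that the deny lines are catching attempts from the guest subnet while the permit line carries everything else.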