cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
610
Views
0
Helpful
10
Replies

Anyconnect using IKEV2 allowing access to Vendor

mahesh18
Level 6
Level 6

 

Hi Everyone,

 

We have configured Anyconnect using IKEv2 for our internal users and it is working fine.

Recently i got  Request from our management to allow our  vendor to access our network but they dont need full access to our internal network.

This vendor is also using the anyconnect  IKEv2  to access their own internal network.

 

What i have done is asked our Vendor IT guy to update their xml profile with below info

<ServerList>
  <HostEntry>
   <HostName>xyz.com</HostName>
   <HostAddress>xyz.com</HostAddress>

where xyz.com is our VPN ASA hostname.

Need to know do i need to config new anyconnect profile and group policy to make this work or can i only create new group policy for this vendor?

 

Regards

Mahesh

 

 

 

 

2 Accepted Solutions

Accepted Solutions

Yes, that's a common use case Mahesh.

Whenever you setup a remote access VPN one of the things you need to decide is to tunnel all traffic, tunnel traffic to specified networks, or exclude tunneling for certain networks.

Generally this is a case of "split tunnel" (the latter two types) or "no split tunnel" (or "tunnelall"). Since you want to tunnel all traffic, then follow a configuration for "tunnelall". It would look something like:

group-policy vendorgroup attributes
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelall

There's a good recent example in the following TAC document.

View solution in original post

To configure the vpn filter you would do something like the following:

access-list VPN-FILTER permit ip 192.168.1.0 255.255.255.0 host 10.1.1.10

access-list VPN-FILTER deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list VPN-FILTER permit ip any any

group-policy VPN internal

group-policy VPN attributes  

  vpn-filter value VPN-FILTER

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

10 Replies 10

Marvin Rhoads
Hall of Fame
Hall of Fame

It's recommended that you avoid manually changing connection profiles as the ASA will push any deltas for the selected profile to the client when they login.

You should instead make a new connection profile for your vendors with the allowed network specified in the split tunnel list and then have them login and select that profile. Once they do so successfully, the profile will be added to their existing one and they will be able to select your network or their own from the AnyConnect dropdown list for subsequent logins.

 

Hi Marvin,

 

So as per you i should make up new connection profile and group polices?

Also Auth for this will be via Radius.

Regards

Mahesh

I agree with Marvin.  It also provides better security if your vendor uses a different connection profile as you can restrict their access much more easily than if they were sharing a connection profile with your internal users.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Yes, separate connection profiles (and group policies) are what is recommended for this type of situation. It's a textbook case for doing so.

 

Hi Marvin,

 

Need to know one more thing if this is possible

i config anyconnect with new anyconnect profile and group policy.

I assign it new pool of addresses.

if i limit the vendor to specfic subnets will it possible that vendor PC still gets access to internet from our network.

 

As per our requirement we need that vendor traffic for internet goes via our network.

 

Regards

MAhesh

Yes, that's a common use case Mahesh.

Whenever you setup a remote access VPN one of the things you need to decide is to tunnel all traffic, tunnel traffic to specified networks, or exclude tunneling for certain networks.

Generally this is a case of "split tunnel" (the latter two types) or "no split tunnel" (or "tunnelall"). Since you want to tunnel all traffic, then follow a configuration for "tunnelall". It would look something like:

group-policy vendorgroup attributes
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelall

There's a good recent example in the following TAC document.

 

Hi Marvin,

 

Thanks for reply back.

Need to confirm one more thing before i implement this solution.

I will use full tunnel policy so that all traffic is tunneled.

But to restrict access to specfic subnets can i do this

Under Group polices

More options

Filters

Can i add the Standard ACLs to allow access to specific subnets only?

if i do this then vendor can access the network under the filters but he will

be able to access the any internet website right?

Regards

MAhesh

To configure the vpn filter you would do something like the following:

access-list VPN-FILTER permit ip 192.168.1.0 255.255.255.0 host 10.1.1.10

access-list VPN-FILTER deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list VPN-FILTER permit ip any any

group-policy VPN internal

group-policy VPN attributes  

  vpn-filter value VPN-FILTER

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

 

Hi Marvin,

Thanks for answering my all the questions.

Regards

MAhesh

 

If you want traffic to go to the internet via your firewall you will need to tunnel all traffic as Marvin has mentioned.

Then if you want to limit the access to your network by the 3rd party you can configure VPN filtering.  You would then permit access in an ACL that allows traffic to your servers, then another entry that denies access to the rest of your network, and at the end of the ACL a permit any any statement.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: