New Member

AnyConnect using IKEv2, allowing access to a vendor

Hi Everyone,

We have configured AnyConnect using IKEv2 for our internal users and it is working fine.

Recently I got a request from our management to allow our vendor to access our network, but they don't need full access to our internal network.

This vendor is also using AnyConnect with IKEv2 to access their own internal network.

What I have done is ask our vendor's IT guy to update their XML profile with the info below:

<ServerList>
  <HostEntry>
    <HostName>xyz.com</HostName>
    <HostAddress>xyz.com</HostAddress>
  </HostEntry>
</ServerList>

where xyz.com is our VPN ASA hostname.

I need to know: do I need to configure a new AnyConnect profile and group policy to make this work, or can I just create a new group policy for this vendor?

 

Regards

Mahesh

• VPN
2 ACCEPTED SOLUTIONS

10 REPLIES
Hall of Fame Super Silver

It's recommended that you avoid manually changing connection profiles, as the ASA will push any deltas for the selected profile to the client when they log in.

You should instead make a new connection profile for your vendors with the allowed network specified in the split tunnel list, and then have them log in and select that profile. Once they do so successfully, the profile will be added to their existing one and they will be able to select your network or their own from the AnyConnect dropdown list for subsequent logins.

New Member

Hi Marvin,

So as per you, I should make up a new connection profile and group policies?

Also, auth for this will be via RADIUS.

Regards

Mahesh

VIP Green

I agree with Marvin. It also provides better security if your vendor uses a different connection profile, as you can restrict their access much more easily than if they were sharing a connection profile with your internal users.

--

Please remember to select a correct answer and rate helpful posts
Hall of Fame Super Silver

Yes, separate connection profiles (and group policies) are what is recommended for this type of situation. It's a textbook case for doing so.

New Member

Hi Marvin,

I need to know one more thing, if this is possible.

I configure AnyConnect with a new AnyConnect profile and group policy.

I assign it a new pool of addresses.

If I limit the vendor to specific subnets, will it be possible that the vendor PC still gets access to the internet from our network?

As per our requirement, we need the vendor's internet traffic to go via our network.

Regards

Mahesh

Hall of Fame Super Silver

Yes, that's a common use case Mahesh.

Whenever you set up a remote access VPN, one of the things you need to decide is whether to tunnel all traffic, tunnel traffic to specified networks, or exclude tunneling for certain networks.

Generally this is a case of "split tunnel" (the latter two types) or "no split tunnel" (or "tunnelall"). Since you want to tunnel all traffic, follow a configuration for "tunnelall". It would look something like:

group-policy vendorgroup internal
group-policy vendorgroup attributes
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelall

There's a good recent example in the following TAC document.

New Member

Hi Marvin,

Thanks for replying.

I need to confirm one more thing before I implement this solution.

I will use a full tunnel policy so that all traffic is tunneled.

But to restrict access to specific subnets, can I do this: under Group Policies > More Options > Filters, can I add standard ACLs to allow access to specific subnets only?

If I do this, then the vendor can access the networks under the filters, but he will still be able to access any internet website, right?

Regards

Mahesh

VIP Green

To configure the VPN filter you would do something like the following:

access-list VPN-FILTER permit ip 192.168.1.0 255.255.255.0 host 10.1.1.10
access-list VPN-FILTER deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-FILTER permit ip any any

group-policy VPN internal
group-policy VPN attributes
 vpn-filter value VPN-FILTER

--

Please remember to select a correct answer and rate helpful posts
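Pulling Marvin's advice (a separate connection profile and group policy with tunnelall) and the VPN filter shown just above together, here is an added example of what the vendor's side of the ASA configuration could look like end to end. It is not configuration from this thread or from a Cisco document; the names (VENDOR-IKEV2, GP-VENDOR, VENDOR-POOL, VENDOR-FILTER, VENDOR-PROFILE, RADIUS-SRV, trustpoint ASA-TP) and addresses (client pool 192.168.1.0/24, application server 10.1.1.10, RADIUS server 10.1.1.20, internal address space 10.0.0.0/8) are assumed placeholders. Three things a practitioner should check before pasting anything like it: a vpn-filter on a remote-access group policy is evaluated with the client's assigned pool address as the source and the protected network as the destination, so it is written as an extended ACL from the client toward your network, first match wins, and there is an implicit deny at the end; the catch-all permit that gives the vendor Internet access must come after denies for all of your internal ranges, not only the one /24 in the example above, or the rest of the internal network stays reachable; and with tunnelall the vendor's Internet traffic enters and leaves the same outside interface, which needs hairpinning permitted and a NAT rule for the pool, otherwise the "Internet via our network" part of the requirement fails silently.

```cisco
! Added example, not from this thread. All names, addresses, file names and
! the RADIUS key are assumed placeholders; replace them with your own.

! Dedicated pool for the vendor so the filter can key on the client source address.
ip local pool VENDOR-POOL 192.168.1.1-192.168.1.50 mask 255.255.255.0

! RADIUS for authentication, as asked in the thread (server and key are placeholders).
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.20
 key <radius-shared-secret>

! VPN filter: source = vendor pool, destination = your network. Least privilege:
! only HTTPS to the one application host, then deny the whole internal space,
! then permit everything else (Internet). Order matters; implicit deny at the end.
access-list VENDOR-FILTER remark vendor may reach only the application host
access-list VENDOR-FILTER extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.10 eq 443
access-list VENDOR-FILTER remark block the rest of the internal space (assumed 10.0.0.0/8)
access-list VENDOR-FILTER extended deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VENDOR-FILTER remark everything else is Internet, hairpinned out the outside interface
access-list VENDOR-FILTER extended permit ip 192.168.1.0 255.255.255.0 any

! Group policy for the vendor only: IKEv2, full tunnel, filter, pool, tight session limits.
group-policy GP-VENDOR internal
group-policy GP-VENDOR attributes
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelall
 vpn-filter value VENDOR-FILTER
 address-pools value VENDOR-POOL
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 webvpn
  anyconnect profiles value VENDOR-PROFILE type user

! The client profile the ASA pushes for this group (file name is a placeholder).
! Its HostEntry for this ASA must carry <PrimaryProtocol>IPsec</PrimaryProtocol>.
webvpn
 anyconnect profiles VENDOR-PROFILE disk0:/vendor-ikev2.xml
 tunnel-group-list enable

! Separate connection profile (tunnel group) the vendor selects, authenticated via RADIUS.
! The IKEv2 authentication lines mirror what an existing AnyConnect IKEv2 tunnel group already has.
tunnel-group VENDOR-IKEV2 type remote-access
tunnel-group VENDOR-IKEV2 general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy GP-VENDOR
tunnel-group VENDOR-IKEV2 webvpn-attributes
 group-alias vendor enable
tunnel-group VENDOR-IKEV2 ipsec-attributes
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate ASA-TP

! tunnelall sends the vendor's Internet traffic into the tunnel; to leave again via the
! same outside interface the ASA must allow hairpinning and NAT the pool to the interface.
same-security-traffic permit intra-interface
object network VENDOR-POOL-NET
 subnet 192.168.1.0 255.255.255.0
 nat (outside,outside) dynamic interface
```

On the original question about the XML: the ASA pushes the profile assigned under the group policy's webvpn attributes, so the vendor does not need to hand-edit their file, and after the first successful login the new host entry is merged into what they already have (Marvin's point above). Whatever profile is served for this host entry has to contain <PrimaryProtocol>IPsec</PrimaryProtocol> inside the HostEntry, which the snippet in the question omits; without it AnyConnect defaults to SSL for that host. If you later push an internal DNS server with dns-server value, add a permit for that server on port 53 above the deny line, because the deny covers it.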
New Member

Hi Marvin,

Thanks for answering all my questions.

Regards

Mahesh

 
