Why use a Remote Access VPN?
Using a VPN (virtual private network) is by far the best way to provide your employees with secure remote access to corporate resources. VPNs like Cisco AnyConnect are generally both simple to set up and extremely secure. I have seen companies open holes in their firewall to allow people to access servers from home but that is a HUGE security risk. Instead, companies should use VPNs for mobile or remote access. Believe it or not, most every business-grade firewall today offers remote access VPN capabilities, including the cheap ones you’d find at Office Depot or Staples. You just have to turn it on.
Remote Access VPN with Dedicated IP Addresses
Cisco AnyConnect VPN with Shared IP Addresses
Sometimes it makes sense to give VPN users an IP address from an existing range though. I ran into this last week when a manufacturer needed to add Cisco AnyConnect (Cisco’s remote access VPN client) functionality to a Cisco ASA. This particular manufacturer did not manage their corporate WAN so they really didn’t want to have to request a new subnet be added to the enterprise routing table. In this case I agreed to allow AnyConnect clients to use addresses from the inside interface but only because the following conditions were true:
- This was a small sales office with a /24 subnet but only a couple dozen users (so plenty of IP addresses left in the range).
- Every client had static IPs so there was no chance of the AnyConnect client IP address pool overlapping with a DHCP lease as long as everyone is aware of how the address pool is chopped up.
- There were expected to be only a few clients using the VPN at any given point in time.
- Involving the (overseas) WAN team would have greatly extended the project timeline.
- This was a pretty easy request to accommodate.
After gathering a list of all existing clients at the sales office it turned out this facility was assigning IP addresses from the bottom of the range to the top and hadn’t gotten past 192.168.1.100 yet. I chose to configure the AnyConnect address pool for 192.168.1.200 to 192.168.1.224.
Remote Access Reach
In addition to providing branch office employees with access to resources in their own office, I also had to make sure they could reach the rest of the enterprise. The branch office already has access to these locations as shown below, so I just had to make sure remote users inherited the same capabilities.
As I mentioned before, it’s not often that I’m asked to have AnyConnect client addresses overlap with an existing ASA interface, but here’s the configuration I used to do it. Hopefully this will help another engineer looking to do the same thing. Please feel free to leave questions or comments below. I’ve left out parts of the config that aren’t relevant to this topic (site-to-site VPN, etc) to keep the template concise.
ip local pool AnyConnect 192.168.1.200-192.168.1.224 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x y.y.y.y
!
dns server-group DefaultDNS
domain-name company.local
same-security-traffic permit inter-interface
!This is required for "hairpin" or "U-Turn" of AnyConnect traffic to go back out the outside interface on a VPN tunnel towards corporate
same-security-traffic permit intra-interface
!
!Removed all object-groups to hide address details
!
!Split Tunnel VPN ACL
access-list split-acl extended permit ip object WAN-hosts object AnyConnect
access-list split-acl extended permit ip object corporate-hosts object AnyConnect
access-list split-acl extended permit ip object-group Branch-LAN-Hosts object AnyConnect
!
!
!Allow LAN to reach WAN and Corporate hosts
!
nat (inside,any) source static Branch-LAN-Hosts Branch-LAN-Hosts destination static WAN-hosts WAN-hosts no-proxy-arp route-lookup
nat (inside,any) source static Branch-LAN-Hosts Branch-LAN-Hosts destination static corporate-hosts corporate-hosts no-proxy-arp route-lookup
!
!
!Without this NAT exemption, traffic flowing from inside to outside (even stateful replies to VPN clients) will follow the interface NAT overload statement a few lines below
!
nat (inside,outside) source static Branch-LAN-Hosts Branch-LAN-Hosts destination static AnyConnect AnyConnect description NAT exemption for VPN clients
!
!All outbound traffic gets NATted to outside interface address unless a NAT exemption exists above
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 z.z.z.z 1
!
!Cut all IKE details
!
ssl trust-point ASDM_AnyConnect outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.1.00028-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl
default-domain value company.local
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool AnyConnect
default-group-policy GroupPolicy1
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
!