The previous post showed how to configure a basic IPsec Remote Access VPN using the Cisco IPsec VPN Client with minimal configuration. This post continues from it, so do have a look at Part 1, which covers the basic configuration of an IPsec Remote Access VPN using the Cisco IPsec VPN Client.
Additional and optional configuration:
A vpn-filter lets you manage which network resources the clients are allowed to access once they are connected via the remote access VPN. In the example below, the remote client 192.168.1.1 is allowed to access only port 80 (www) on the internal server 172.21.1.10 via the VPN tunnel. Write the filter ACL with the remote client as the source and the internal resource as the destination; the ASA applies it to the tunnel traffic in both directions.

access-list vpnfilter extended permit tcp host 192.168.1.1 host 172.21.1.10 eq www log
!
group-policy ipsec_ra_policy attributes
 vpn-filter value vpnfilter
These are the DNS servers the clients will use for DNS queries while connected.

group-policy ipsec_ra_policy attributes
 dns-server value 172.21.1.100 172.21.1.111
Reverse Route Injection (RRI) injects a route for each remote client that has successfully connected to the firewall. “The primary benefits of RRI are that it enables the routing of IPSec traffic to a specific VPN headend device in environments with multiple (redundant) VPN headend devices, and ensures predictable failover time of remote sessions between headend devices when using IKE keepalives”
– extract from cisco.com.
crypto dynamic-map dyn_map 65535 set reverse-route

ASA# show route
! output omitted for brevity
C    184.108.40.206 255.255.255.0 is directly connected, outside
C    172.21.1.0 255.255.255.0 is directly connected, inside
S    192.168.1.1 255.255.255.255 [1/0] via 220.127.116.11, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 18.104.22.168, outside
Notice the route for 192.168.1.1: that is a remote client that has successfully connected to our gateway, and with reverse-route injection the ASA added a host route for it. When the client disconnects, the route is removed from the routing table.
Split-tunnel basically means telling the remote client to bifurcate its traffic: send the encrypted traffic across the tunnel and the clear-text traffic via its default gateway. By default, split-tunnel is configured to tunnel all traffic through the VPN. This means that all traffic the user generates, including ‘internet’ traffic, will be routed across the VPN! You definitely don’t want this unless you want to inspect all user traffic with an IPS or something along those lines.
Under normal scenarios, you configure a split-tunnel, which basically puts a route in the remote client specifying the destinations for which the remote user will send traffic through the tunnel (thus encrypting it). Traffic that doesn’t match that route uses the default gateway configured on the remote client (unencrypted traffic).
Here are the options you can use, as per your requirement:

ASA(config-group-policy)# split-tunnel-policy ?

group-policy mode commands/options:
  excludespecified  Exclude only networks specified by split-tunnel-network-list
  tunnelall         Tunnel everything
  tunnelspecified   Tunnel only networks specified by split-tunnel-network-list

access-list split_tunnel_acl standard permit 172.21.1.0 255.255.255.0
!
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
Group-lock is yet another interesting command. It locks a group-policy to a specific tunnel-group: when a user is assigned a group-policy under their own attributes and that group-policy is locked to a tunnel-group, the user can connect only through that tunnel-group.

tunnel-group ipsec_ra_tunnel_1 type remote-access
tunnel-group ipsec_ra_tunnel_1 general-attributes
 address-pool client_pool
tunnel-group ipsec_ra_tunnel_1 ipsec-attributes
 ikev1 pre-shared-key c1sc01
!
group-policy ipsec_ra_policy_1 internal
group-policy ipsec_ra_policy_1 attributes
 dns-server value 172.21.1.100 172.21.1.111
 vpn-filter value vpnfilter1
 group-lock value ipsec_ra_tunnel_1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
!
username officeguy1 password strongpassword
username officeguy1 attributes
 vpn-group-policy ipsec_ra_policy_1
This can be used where it’s not feasible to distribute different .pcf files to hundreds of new users joining or leaving the organization, for example contractors. Instead you distribute a common .pcf file that contains all the tunnel-groups, but each user can only connect to the tunnel-group that has been locked to the group-policy assigned under that user’s attributes.
This is pretty straightforward: the VPN session is disconnected once the idle-timeout value is reached. The value is configured in minutes.

group-policy ipsec_ra_policy_1 attributes
 vpn-idle-timeout 5
This is quite a useful one: you can restrict or allow the remote client’s access to the company network by specifying a time-range.

time-range ipsec_ra_access_hours
 periodic weekdays 9:00 to 22:00
!
group-policy ipsec_ra_policy attributes
 vpn-access-hours value ipsec_ra_access_hours
TIP: The group-policy attributes can be configured either at the group-policy level or per user.
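As an added example (not part of the original post), the following Python parses the group-policy attribute lines covered above out of a running-config and flags any policy that still falls back to the ASA defaults the post warns about (tunnelall, no vpn-filter, no idle timeout, or a split-tunnel ACL that was never defined). The sample config is constructed from the post's own values; the "contractors" policy is a hypothetical misconfiguration added for contrast.

```python
# Constructed sample: this post's group-policy attributes as "show running-config"
# prints them; the "contractors" policy is a hypothetical misconfiguration for contrast.
SAMPLE_CONFIG = """\
access-list vpnfilter extended permit tcp host 192.168.1.1 host 172.21.1.10 eq www log
access-list split_tunnel_acl standard permit 172.21.1.0 255.255.255.0
group-policy ipsec_ra_policy_1 internal
group-policy ipsec_ra_policy_1 attributes
 vpn-filter value vpnfilter
 group-lock value ipsec_ra_tunnel_1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
 vpn-idle-timeout 5
group-policy contractors internal
group-policy contractors attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list value missing_acl
"""

def parse_group_policies(config):
    policies, acls, current = {}, set(), None  # policies: {name: {attribute: value}}
    for line in config.splitlines():
        if line.startswith("access-list "):
            acls.add(line.split()[1])
            current = None
        elif line.startswith("group-policy ") and line.endswith(" attributes"):
            current = line.split()[1]
            policies.setdefault(current, {})
        elif line.startswith(" ") and current:
            parts = line.split()
            # "vpn-filter value X" carries a value keyword, "vpn-idle-timeout 5" does not
            values = parts[2:] if len(parts) > 2 and parts[1] == "value" else parts[1:]
            policies[current][parts[0]] = " ".join(values)
        else:
            current = None  # any other top-level line ends the attributes block
    return policies, acls

def audit(config):
    policies, acls = parse_group_policies(config)
    findings = []
    for name, attrs in policies.items():
        if attrs.get("split-tunnel-policy", "tunnelall") == "tunnelall":  # ASA default
            findings.append(f"{name}: tunnelall, all client traffic transits the ASA")
        acl = attrs.get("split-tunnel-network-list")
        if acl and acl not in acls:
            findings.append(f"{name}: split-tunnel-network-list {acl} is not defined")
        if attrs.get("vpn-filter") not in acls:
            findings.append(f"{name}: no vpn-filter, clients can reach any inside host")
        if "vpn-idle-timeout" not in attrs:
            findings.append(f"{name}: no vpn-idle-timeout, idle sessions stay up")
    return findings
```

Run it against the output of "show running-config group-policy" plus the access-list section; a clean policy such as ipsec_ra_policy_1 produces no findings.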