Friday, July 20, 2007

VPN Deployments with ASA 8.0


One common design challenge in the past was how to deploy NAC for VPN Users when the VPN device is also a corporate firewall. This entry will hopefully help you understand the existing ways of deploying NAC for VPN Users and also help you understand how to design NAC for VPN Users with ASA 8.X.

NAC For VPN Users with a standalone VPN Device:

This is the typical deployment for VPN Concentrators, PIX/ASA (VPN only), and IOS VPN routers (VPN only). The CAS is typically, and preferably, deployed in Virtual Gateway (VG) mode. VG requires zero IP address changes and only the addition of one Authentication/Untrusted VLAN. For more information on how to configure NAC for standalone VPN devices, please see the NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example.

Figure 1 - VPN Deployment with a Standalone VPN Device

NAC For VPN Users with a 6.X/7.X Corporate Firewall/VPN Device without a DMZ:

With this deployment you need to ensure that normal internet traffic from corporate users does NOT go through the CAS. To accomplish this, the CAS is deployed in Real-IP Gateway mode, and policy-based routing on the next layer 3 hop from the firewall sends the VPN users' traffic to the CAS's untrusted interface.

Figure 2 - VPN Deployment with a 6.X/7.X Corporate Firewall & VPN Device without a DMZ

NAC For VPN Users with an ASA 6.X/7.X Corporate Firewall/VPN Device with a DMZ:

In this scenario the PIX/ASA has a DMZ interface that is hosting public servers. If we use the same deployment option as before, it presents a problem: VPN users are able to reach the DMZ without having to go through NAC. This leaves us with a couple of options:
  • Block all VPN Users from getting to the DMZ
  • Only allow specific services from VPN Users to the DMZ
  • Allow everything to get to the DMZ without going through NAC
  • Advanced Workaround using NAT on the Core Router (Not recommended)
Figure 3 - VPN Deployment with an ASA 6.X/7.X Corporate Firewall & VPN Device with a DMZ

NAC For VPN Users with an ASA 8.X Corporate Firewall/VPN Device with a DMZ

This is what you all have been waiting for: how does VPN deployment change with ASA 8.0? It all comes down to one new feature, "Restrict Access to VLAN" (also known as VLAN Mapping).

Restrict Access to VLAN—(Optional) Also called "VLAN mapping," this parameter specifies the egress VLAN interface for sessions to which this group policy applies. The security appliance forwards all traffic on this group to the selected VLAN. Use this attribute to assign a VLAN to the group policy to simplify access control. Assigning a value to this attribute is an alternative to using ACLs to filter traffic on a session. In addition to the default value (Unrestricted), the drop-down list shows only the VLANs that are configured on this security appliance.

This configuration option is configured within the Remote Access Group Policy:

Figure 4 - Restrict Access to VLAN Configuration
Please note that you must create a DOT1Q trunk and create the VPN DMZ interface as a subinterface for this option to appear. Now that we have a way to ensure VPN users are placed onto a specific interface, we are able to deploy the CAS in Virtual Gateway mode and control all access for VPN users through NAC. This forces all users to go through NAC before they are allowed to do anything.
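As an added illustration (not configuration from the original post), here is the CLI equivalent of what the Figure 4 ASDM setting produces on ASA 8.X: a DOT1Q subinterface for the VPN DMZ and the group-policy `vlan` attribute that maps remote-access sessions onto it. Interface names, VLAN ID, addresses and the group-policy name are assumptions; the CAS untrusted interface would sit on this VLAN in Virtual Gateway mode.

```cisco
! Parent interface carries a DOT1Q trunk toward the switch that hosts the CAS
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
! VPN DMZ subinterface (assumed VLAN 100); this is the egress VLAN for VPN users
interface GigabitEthernet0/2.100
 vlan 100
 nameif vpn-dmz
 security-level 50
 ip address 10.100.0.1 255.255.255.0
!
! Remote-access group policy: "Restrict Access to VLAN" maps every session in
! this policy to VLAN 100, so all VPN traffic egresses through the CAS untrusted side
group-policy RA-VPN-GP attributes
 vlan 100
!
! Before 8.X the same intent required per-session ACL filtering, e.g.:
!  vpn-filter value VPN-USER-ACL
! The VLAN attribute replaces that ACL as the enforcement point.
```

Verify with `show running-config group-policy RA-VPN-GP` that the `vlan 100` line is present; if the subinterface is not configured first, the attribute (and the ASDM drop-down entry) is not available.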

Figure 5 - VPN Deployment with an ASA 8.X Corporate Firewall & VPN Device with a DMZ


Cisco's ASA 8.0 software has made NAC deployments for VPN users a lot less complex. Using the VLAN Mapping setting on the ASA will only open more doors down the road for even better, seamless integration of NAC Appliance into your infrastructure.

Sources: CAS Admin Guide; ASDM Online Help
