Tag Archive for asa

Gimme Some Static (VPN client IP addresses)


This is a simple one, but still a good one that might make someone’s VPN life a little easier: how do you assign static IP addresses to ASA VPN clients when you use a local IP address pool on the ASA?

In most cases, your VPN clients can be assigned any ol’ address from your local IP address pool, because they’re not providing any services on your network, right? But what if they are? What if one of your VPN clients belongs to a developer who writes code on his local machine and wants to show other developers the results of the code he’s written? Or what if you have ACLs elsewhere in your network that need to apply to a particular VPN client/user, but not to others? A static client IP address might be the only way to handle those requests.

Cisco ASA and AnyConnect: Something you have and something you know


If you love multi-factor authentication like I do–ok, I don’t love it, we don’t know each other well enough for me to call it love just yet…it’s still a new relationship, ok? Don’t pressure me!

Multi-factor authentication is not a security silver bullet. It’s just a way to add another layer to the “security onion”, making an authentication breach a little more difficult for attackers and making that vector a little less desirable. If you read about the RSA SecurID breach not so long ago, you know that even the most respected vendors can take a tumble.

So, this article is not about who has the best product or how to make your network impenetrable–it’s about providing another layer to your remote access security, using Cisco ASA and AnyConnect, along with a Microsoft CA server you may already have running in your environment. And as usual, I’ll focus on the Cisco configuration, rather than the Microsoft server config, since I don’t manage that device.

Cisco ASA: AnyConnect for phone using self-signed certificates for authentication

Yeah, I know the title is pretty boring, but I wanted it to be clear what this one is all about, especially if you’re looking specifically for something like this.

So, here’s the deal: Cisco 99xx and 79xx phones out on the internet somewhere connecting back to an ASA over an SSL tunnel to register with an internal network’s Call Manager, using only self-signed certificates. To me, this is the best option, rather than having users try to type usernames and passwords into the phone interface. For some users, that really is just too much to ask. This method makes it easy on them, and still gives the ASA administrator and Call Manager administrator the ability to prevent a stolen or misused phone from connecting to the network.