AR15.COM
4/24/2013 11:26:51 AM EDT
I volunteer for a large animal shelter, and one of my activities there has been to choose and implement an intranet system for them.

I settled on Wordpress of all things, because what they really needed was a simple, easily accessible, content management system.  They didn't need a sophisticated user environment or anything.

It's worked great and has been very well received.

Now they would like to make it available to two remote locations outside of their facility's firewall.

A VPN seems problematic because of the security issues.  They don't want to open their entire network to easy browsing by volunteers at the remote site.

Other solutions like SSH tunnels seem to involve using a different URL to access the site, though I'm not positive.  And Wordpress is flukey because it basically requires that every user access it with the same URL.  Code within it is dependent on that URL, because PHP coders are stupid.  We can change the URL for everyone, but we can't use two separate URLs simultaneously.  I'm also not sure whether this invites the same security issues that a VPN would.  Isn't it still a hole in the firewall?  Or is it considered safer?

Mirroring the site to remote servers also seems problematic due to the inevitable time lag.

And moving the intranet server outside the firewall is a problem because we'd rather not have public access to it.

So I'm not sure what to try.  Any advice?
4/24/2013 11:40:55 AM EDT
[#1]
Why not set up a site-to-site VPN but only provide the remote site access to the specific server(s) that they need?
You can tailor the VPN any way you'd like.   It's not going to give the remote site access to the entire host network unless you specifically allow it to have that.
4/24/2013 11:42:28 AM EDT
[#2]
Why not assign an internet-accessible IP address to it and only allow access from specific sources (i.e. the other facilities) to it?
4/24/2013 12:00:09 PM EDT
[#3]
Quoted:

Why not set up a site-to-site VPN but only provide the remote site access to the specific server(s) that they need?

You can tailor the VPN any way you'd like.   It's not going to give the remote site access to the entire host network unless you specifically allow it to have that.

This.
4/24/2013 12:00:29 PM EDT
[#4]
Hmm.  They're running a Cisco 5505; does that suggest that one of your options would be easier to set up?  I know very little about network hardware.

I use AnyConnect to VPN in on my own, and then I have total network access.  Several other people do as well.  Is it possible to run two separate VPNs, one with that kind of wide access, and the other with very narrow access to the one machine and only over HTTP or whatever?
4/24/2013 12:19:23 PM EDT
[#5]
Yes, you would set up an IPsec VPN to their Cisco equipment and use firewall rules to limit what they can access. Not difficult, but there could be a learning curve.
4/24/2013 1:50:08 PM EDT
[#6]
Quoted:
Why not set up a site-to-site VPN but only provide the remote site access to the specific server(s) that they need?
You can tailor the VPN any way you'd like.   It's not going to give the remote site access to the entire host network unless you specifically allow it to have that.


+1

!
!for non-site-to-site user vpn restriction:
!(the vpn-filter ACL is written with the VPN client as the source and the local host as the destination)
!
username UNIQUE attributes
vpn-filter value UNIQUE
!
access-list UNIQUE extended permit icmp any host 192.168.1.254
access-list UNIQUE extended permit tcp any host 192.168.1.254 eq telnet
access-list UNIQUE extended permit tcp any host 192.168.1.254 eq ssh
access-list UNIQUE extended permit tcp any host 192.168.1.254 eq www
access-list UNIQUE extended permit tcp any host 192.168.1.254 eq https
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
!This won't even encrypt non-matching traffic
!
!add the source and destination to a specific crypto map; make it as restrictive as you want.  /32 host networks work.
!
!
crypto map ASA5510 10 match address ACL_NAME
!
access-list ACL_NAME extended permit ip 10.255.255.224 255.255.255.224 172.16.0.0 255.240.0.0
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
4/24/2013 2:19:13 PM EDT
[#7]
Whoa, thank you!

Great help, thank you again.  Let me play with this.
5/2/2013 5:10:40 PM EDT
[#8]
That snippet of ASA code is not complete; you need to apply the crypto map to an interface, and set up NAT exemptions (nat 0).
5/6/2013 8:32:09 PM EDT
[#9]
I see someone has already mentioned NAT/ACL
5/7/2013 2:07:16 PM EDT
[#10]
Okay, we took a look at the system today.

We have ASDM, so I hunted around the GUI.

Behind the firewall is an Active Directory network with two groups available for VPN users.  The first is for users with global access, like us IT guys.  The second should be restricted access for only the IP in question.

It seems that this involves group policies.  A policy has an ACL, which looks perfect.

So all I need is a way for an external user to specify during login, or via login, which group they're logging in as.  This is where I got stuck.

The AnyConnect client only allows us to log in through group A, not group B.  I can't figure out if there's a way to enable multi-group selection in that.  Group URLs seemed close but I don't see how that relates to the dropdown.  The AnyConnect client was downloaded by putting the straight IP address into a browser, I don't see how a subdomain or something would fly.

Does this make sense?  How can we make additional groups available in the AnyConnect login dropdown?

And once that's accomplished, will selecting a group and logging in with a user in that group automatically kick the user over to the correct ACL?  Or will it still default based solely on the connection protocol?
5/8/2013 7:07:34 AM EDT
[#11]
Quoted:
Okay, we took a look at the system today.

We have ASDM, so I hunted around the GUI.

Behind the firewall is an Active Directory network with two groups available for VPN users.  The first is for users with global access, like us IT guys.  The second should be restricted access for only the IP in question.

It seems that this involves group policies.  A policy has an ACL, which looks perfect.

So all I need is a way for an external user to specify during login, or via login, which group they're logging in as.  This is where I got stuck.

The AnyConnect client only allows us to log in through group A, not group B.  I can't figure out if there's a way to enable multi-group selection in that.  Group URLs seemed close but I don't see how that relates to the dropdown.  The AnyConnect client was downloaded by putting the straight IP address into a browser, I don't see how a subdomain or something would fly.

Does this make sense?  How can we make additional groups available in the AnyConnect login dropdown?

And once that's accomplished, will selecting a group and logging in with a user in that group automatically kick the user over to the correct ACL?  Or will it still default based solely on the connection protocol?


IM sent.
5/8/2013 10:52:16 AM EDT
[#12]
Thanks, responded.

Here's a dumb question: does AnyConnect have to be downloaded and installed again to update the policy group dropdown contents?  Are they packed into the installer somehow?  Or should they update automatically during a connection attempt?
5/8/2013 1:04:43 PM EDT
[#13]
Quoted:
Thanks, responded.

Here's a dumb question: does AnyConnect have to be downloaded and installed again to update the policy group dropdown contents?  Are they packed into the installer somehow?  Or should they update automatically during a connection attempt?


No, they won't have to download a new client as long as you haven't updated it or made it a requirement.
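For reference, here is a fuller ASA configuration for the restricted AnyConnect group the thread works toward (a second tunnel group in the dropdown, limited by a vpn-filter to the intranet host, with the group policy chosen from the user's AD group). It is an added example, not the config posted in #6 and not the contents of the IM. It assumes the names and addresses listed in its first comment, that AnyConnect is already enabled on the outside interface (users already connect with it), and the pre-8.3 "nat 0" NAT syntax mentioned in #8.

```cisco
! Assumed names/addresses (not from the thread): GP_INTRANET_ONLY, GP_NOACCESS, TG_INTRANET,
! LDAP_AD, 192.168.1.10 (domain controller), 10.255.255.96/27 (client pool), DC=example,DC=org.
! 192.168.1.254 is the intranet host used in the config posted earlier in this thread.
! 1. Restricted users may reach only HTTP/HTTPS on the intranet host.
!    vpn-filter ACLs are written with the VPN client as the source.
access-list INTRANET_ONLY extended permit tcp any host 192.168.1.254 eq www
access-list INTRANET_ONLY extended permit tcp any host 192.168.1.254 eq https
!
! 2. Client pool, plus NAT exemption for it (pre-8.3 "nat 0" form; 8.3+ uses twice NAT).
ip local pool RESTRICTED_POOL 10.255.255.97-10.255.255.126 mask 255.255.255.224
access-list NONAT extended permit ip host 192.168.1.254 10.255.255.96 255.255.255.224
nat (inside) 0 access-list NONAT
! 3. Group policy carrying the filter: everyone who lands here gets the same ACL.
group-policy GP_INTRANET_ONLY internal
group-policy GP_INTRANET_ONLY attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value INTRANET_ONLY
 address-pools value RESTRICTED_POOL
!
! 4. Fallback for users the LDAP map below does not match: zero logins = denied.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 5. Map AD group membership (memberOf) to the group policy, so the ACL follows the
!    user's AD group rather than only the tunnel-group they picked in the dropdown.
ldap attribute-map AD_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Intranet,OU=Groups,DC=example,DC=org" GP_INTRANET_ONLY
aaa-server LDAP_AD protocol ldap
aaa-server LDAP_AD (inside) host 192.168.1.10
 ldap-base-dn DC=example,DC=org
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Svc,DC=example,DC=org
 ldap-login-password <SET_ME>
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP
!
! 6. Tunnel group whose alias appears in the AnyConnect dropdown; the dropdown itself
!    is switched on by "tunnel-group-list enable" under webvpn.
tunnel-group TG_INTRANET type remote-access
tunnel-group TG_INTRANET general-attributes
 authentication-server-group LDAP_AD
 default-group-policy GP_NOACCESS
tunnel-group TG_INTRANET webvpn-attributes
 group-alias "Shelter Intranet" enable
webvpn
 tunnel-group-list enable
```

A user who picks "Shelter Intranet" but is not in the mapped AD group falls into GP_NOACCESS and is refused, while a mapped user gets the pool and the vpn-filter from GP_INTRANET_ONLY regardless of which alias they chose. On ASA 8.3 or later, replace the nat 0 lines with a twice-NAT exemption for the pool.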