I have set up an SSL-VPN using my 2811 and I am getting this error with my PC, no matter what location I am at (work, public Wi-Fi, friend's house):
'The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.'
I am using AnyConnect version 4.2 clients. HERE is the weird part: I have the mobile app installed on my phone and it works without a hitch every time. Attached is my config for review: http://pastebin.com/fVQ6Q5gq
Please any help or questions to get to the bottom of my goof up would be GREATLY appreciated!
I’d like to differentiate machines (or, possibly, users) on my small business network so that only some of them have access to the internet. The solution I’ve been using to this day is quite terrible: clients which should have access to the internet are given a specific IP address based on their MAC address or identifier.
In turn, the firewall has different settings for those predefined IP addresses.
This is poor both in matters of security and usability: changing the IP of a client is even easier than spoofing a MAC address. Moreover, adding a new machine to the network implies adding an entry on the DNS server and modifying the firewall settings.
What would be the proper way to restrict access to the internet by clients (or, possibly, users)?
Some details about the environment:
it’s for a small business network which doubles as a home network;
there are about 15 users + guests;
there are about 23 clients on the network + 10 mobile clients;
some clients need access to the LAN only, some others (mostly phones) need access to the WAN only, other (access points) to both;
2 main NASes, 1 backup NAS and a few home NAS for clients backup;
a Cisco 1921 router with an outdated, no IPsec IOS;
a Netgear FS 526T switch;
2 Wireless Access Points, of which the model escapes me right now; I believe they're part of the Cisco Small Business range;
the utter lack of business lately means that investments above a few hundreds euros are probably unreasonable.
Édouard
2 Answers
You need to start using VLANs and turn off inter-VLAN routing.
Using VLANs you will be able to create multiple LANs within a single network but all of them will be independent; all traffic from your router at the moment is most likely tagged as VLAN 1 (even though you do not know it).
You can also use VPN traffic: create VPN access on the network and anyone with the VPN credentials can get through the firewall.
Anything using MAC address or IP address is pointless; you might as well do nothing.
I would need more details, but you can have two WiFi access points in your office, one on a VLAN 20 for example. All VLAN 20 traffic will be locked down by the firewall.
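One way the VLAN split above could look on the asker's Cisco 1921, as an added example that is not part of this answer: a "router on a stick" with a trusted VLAN 10 and a guest/phone VLAN 20 whose traffic is locked down by an inbound ACL so it reaches the WAN only. Interface names, IP ranges, the DNS resolver and the switch-side trunking are assumptions for illustration.

```cisco
! Added example (not from the answer). Assumes Gi0/0 is the trunk to the FS526T
! (tagged for VLANs 10 and 20, guest AP port untagged in VLAN 20) and Gi0/1 is the WAN.
interface GigabitEthernet0/0
 description Trunk to switch: VLAN 10 trusted LAN, VLAN 20 guest Wi-Fi
 no ip address
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN uplink to ISP (address from ISP DHCP, assumed)
 ip address dhcp
 ip nat outside
!
! Guest VLAN policy: allow DHCP to the router, deny every private range
! (so the trusted VLAN and the NASes are unreachable), then allow the Internet.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.20.0 0.0.0.255 any
!
! PAT both VLANs out of the WAN; the ACL above is what keeps guests WAN-only.
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! Guests get addresses from the router; resolver is a public DNS (assumed).
ip dhcp excluded-address 192.168.20.1
ip dhcp pool GUEST
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 8.8.8.8
```

Because the "deny private ranges" lines sit before the final permit, a guest client that changes its own IP or MAC still cannot reach VLAN 10: the policy is enforced on the VLAN boundary, not on the client's identity.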
You could use a NAC (network access control) like PacketFence. This still can succumb to MAC spoofing, but it gets way more powerful if you use it with smart switches and access points, perhaps in tandem with 802.1X.
Response to DANM on CISCO ASA 5510 configuration
Step 1: Configure a privileged level password (enable password)
By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under Configuration Mode:
ASA5510(config)# enable password mysecretpassword

Step 2: Configure the public outside interface
ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut

Step 3: Configure the trusted internal interface
ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut

Step 4: Configure PAT on the outside interface
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0

Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1

Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP
ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside

The above basic configuration is just the beginning for making the appliance operational. There are many more configuration features that you need to implement to increase the security of your network, such as Static and Dynamic NAT, Access Control Lists to control traffic flow, DMZ zones, VPN etc.
BTW I pulled this info from another site.. I was just too lazy to type it all out myself :-) Cheers John
ASA configs
Thanks for the info. I will try it out and see if I can access the internet through the ASA.