Using Palo Global Protect We are trying to set a 100Mbit max egress for our GlobalProtect vpn users. However, it appears we have to build a qos policy for every user otherwise it will basically be a 100Mbit pool for all users. What we are trying to do is simply ensure that no single user can consume all of the bandwidth but that all users collectively do not have the 100Mbit restriction, instead the entire GlobalProtect users space would have 0 cap. Anyone setting a per user limit on GlobalProtect vpn?
I hope this is the right place for me to be a moron. Sorry if not. It’s definitely a VPN question to discuss, so I hope so?
Our internal network is nearly at capacity for its IP addresses, currently on a /24 subnet. I’m tasked with, as many of you might be, preparing for potential remote work for a bulk of our office staff. Currently have a Cisco ASA and it’s already set up for AnyConnect, some staff work remotely from the field or so on.
I am an IT generalist level dummy, most of my past experience was with FortiGate, but unfortunately that has fizzled away and I haven’t learned much about ASAs other than I hate them and ASDM is terrible. (Please dumb down responses accordingly.)
We have plenty of VPN licenses but not nearly the IP capacity to add that many devices to our LAN.
My original plan was to take the /24 and reconfigure the entire thing to a /23 on a different subnet entirely (from 192.168.0.0/24 or 192.168.50-something.0/23, if it matters, occupying 512ish addresses).
That’d take a lot of work and I might end up needing to support a VPN exodus… next week.
What’s a smooth way to add a subnet for client devices and VPN users to our LAN and ensure they can still access our services? Is there a way to do so without having to physically segregate traffic on different ports and VLANs?
I’m currently thinking I might talk to Cisco support about this. Currently, the AnyConnect clients use the same subnet as the actual internal network. Is it possible to move AnyConnect clients to something like an imaginary LAN interface with really permissive routing to the main LAN? That’d be a great solution so that we can take our time and expand the physical LAN’s subnet the way we want to, or whatever ends up being the best way at the time, and the VPN users can just stay on their own imaginary LAN.
For ASA/AnyConnect, dynamic split tunneling. I slammed this in right away for most of our cloud products - Office365, BlueJeans, so on. Take as much load off the headends as possible. It will split exclude any domains/sub-domains in the list to leverage the user's own internet connection and not full tunnel everything. I wish I could tunnel specific but we have too much wrapped around full tunnel.
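The dynamic split-exclude setup the comment describes, as an added ASA configuration example (not the commenter's own config): the attribute name, data name, group-policy name and domain list are assumed for illustration.

```cisco
! Added example, not the commenter's configuration.
! Names (dynamic-split-exclude-domains, saas_direct, GP_FULLTUNNEL_REMOTE)
! and the domain list are assumed for illustration.
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description SaaS reached directly, not via the tunnel
! Comma-separated domain list; subdomains of each entry are matched as well.
anyconnect-custom-data dynamic-split-exclude-domains saas_direct office365.com,microsoftonline.com,bluejeans.com
! Group policy stays full-tunnel; only the listed domains bypass the headend.
group-policy GP_FULLTUNNEL_REMOTE attributes
 split-tunnel-policy tunnelall
 anyconnect-custom dynamic-split-exclude-domains value saas_direct
! Excluded traffic is not inspected or logged at the headend, so keep the list
! to well-known SaaS destinations and review it like any other policy exception.
```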
Let's also not forget patching the code on your VPN device; don't forget the ASA 5500 series has been EOL since last year so no more code updates for vulnerabilities!
Hey all - In response to COVID-19, I’m trying to set up an AnyConnect ASAv in AWS. My inside interface is in a private subnet with routes toward a tunnel to the office(s) that has the resources needed by the users. The outside interface is an IP in my public subnet with an Elastic IP allocated to it. Right now, with no NAT configuration, users can connect to AnyConnect but can’t access internal resources, or even ping the next hop within the ASA… All basic routing is in place and verified in sessions with Cisco. I can provide more detail, but am looking for any help! Been working on this for the last 5 days. Thanks!
SonicWall has carried an SSL VPN product line for 15 years (homegrown, used to be an engineer on it) and acquired Aventail in 2007 for Enterprise SSL VPN. Both are still carried under the SMA (Secure Mobile Access) series.
We have a COVID-19 promotion outlined here: https://www.reddit.com/r/sonicwall/comments/fll8rk/sonicwall_resources_response_to_covid19/
SMA series page here: https://www.sonicwall.com/products/remote-access/remote-access-appliances/
Thank you.
Hi Everyone,
We’ve recently launched https://www.twingate.com in order to make access to remote networks easier and more secure.
Unlike traditional VPN, Twingate is deployed as a network overlay on top of your existing network so you can enable remote access to any protected host or destination without having to re-architect your network.
Just deploy our connectors inside any number of existing networks, define access policies by destination address, and install our client apps on your device for access. No firewall changes, routing rules, proxy configurations, etc. Access your private resources using the local IP or private DNS you’ve always used and we handle all the routing and local DNS resolution automatically.
My personal highlights:
- Easy setup - super easy to set up, no need to change firewall settings, no need for DMZ
- No public IPs - so it's not vulnerable like a VPN gateway
- Split tunnel by default - so only traffic to secure resources goes through the system. This means better user experience so users don’t mind keeping it on all the time.
And the best part: you can just easily open an account, set it up and play with it without the excess bureaucracy that usually plagues enterprise products.
Would love to hear your feedback!
P.S.
We also have extensive documentation on how Twingate works here if you’d like to take a peek under the hood: https://docs.twingate.com/docs/how-twingate-works
So my company is trying to gauge how to support the needs of our clients. We offer AnyConnect access through our DC to our clients. Today we just have 4 clusters the clients are spread out on, with 5516-X which has a limit of 300 each pair, which if all our clients needed to use it heavily, could not handle the usage.
We're looking at virtual devices to handle this quickly, but one question I have is securing a virtual ASA that needs border access. What are our concerns using a virtual firewall on the internet border? What are the concerns with doing this and securing the underlying hardware/virtual environment it runs on top of?
Today I have 4 times more than the regular amount of users… And they're just connecting more and more…
I bet OpenVPN-AS licensing department is making millions these days!! I have had to buy new licenses plenty of times now…
This is not really a question. We were recently arguing about handing out laptops with apps preinstalled vs just using terminal services cause the first might be “more stable” when it comes to using smartcards to auth into the apps etc. I think the latter only has advantages and I’m glad it was selected.
Terminal services are known working. Smartcards can be tunneled given you use an official TS app and no Webvpn like Guacamole. No issues with different IPs appearing in the network (VPN IP pools) and some service potentially not recognizing them. Less bandwidth consumption. Less need to perform host assessment. Overall better control cause very easy to shadow a TS connection if support is needed.
OpenVPN-AS refusing to sell us licenses for shorter periods of time than one year. They're milking that coronamoney.
Yay, I have quadrupled my licenses for one full year.
Anyone tunneling v6? If your end hosts have v6 you'll run into fun times otherwise.
Anyone running Attendant console or Finesse w/ jabber vs hardphone?
This is how it will affect UK ISPs: COVID-19 - Home Working Probably Won't Break UK Broadband - ISPreview UK
Pulse Secure ICE on standby, two more floating in the purchasing pipeline now. Bursts our user count to 2,500. Pulse gave us a 2 for one price.
Anyone else use Windows VPN/RRAS? With enough bandwidth and VM horsepower, running Server 2016, any client/load issues to worry about running 200-300 clients worst case? We haven't had issues thus far, but typically run around 1/2 that. We are adding extra CPU/RAM to the VMs just in case, and used to just have them on a /24 and expanding to a /22.
I’m really bad with networking stuff. How can I set up a VPN to allow my PC at work to appear on my network at home? I don't want to use remote access like TeamViewer, I just want it to appear as though we are on the same network. That way I can share licenses from the office to my house. If that makes sense?
VLAN?
People with data caps - how do you work from home? I luckily don't have a data cap on my ISP but I know some people do. Comcast has it in certain markets. I know I am a heavy heavy user of my internet with all the streaming, downloading and WFH that I do. How about everyone else? My company does not reimburse for home internet even if you are a full time telecommuter.
Not a power user, but have some experience. Our office somehow ended up with no IT. I’m the best we have.
Need help with setting up VPN so our employees can connect to our office network.
Everything below this point is going to be a cringe fiesta for all networking gods out there, so please don’t judge. Any advice is much appreciated.
Here’s our current network map:
Optical fiber > [DECODER (I think?)] > Optical fiber > [MODEM] > [MikroTik RouterBOARD RB3011] > [HPE OfficeConnect 1820 Switch] > 17 devices connected to the switch.
I have access to MikroTik’s web interface. Router’s local IP is 192.168.88.1.
I followed this video: Here’s what I did:
- Enabled ‘VPN Access’ and set a password.
- PPP/Profiles - default-encryption
- Set local address as 192.168.89.1
- Set DNS Server as 192.168.88.1
When I test this configuration, there are 2 problems:
- While connecting from one of the local devices, the connection is successful, but no internet access.
- While connecting from remote device, the connection is unsuccessful.
My theories:
Problem 1: There is an issue in IP or DHCP configuration which I’m too unskilled to identify.
Problem 2: Port 1723 is locked and I don’t know how to forward it to allow incoming connections from VPN
Anyone know what percentage over licence Pulse Secure will allow? I’m trying to find that number. We will be buying more licences very very soon.