I work on the service desk but also assist the network team. In our current setup, we have a total of 30 offices. Among these, 2 offices utilize an FTD device, with one serving as the primary VPN connection and the other as a secondary connection. The remaining 28 offices are equipped with 2 VeloCloud units, each having 2 circuits and an on-premises server.
The challenge we’re facing is that users have developed a habit of connecting to Cisco AnyConnect even when they are physically in the office. This behavior bypasses their own on-premises server, leading to performance issues. We’re seeking the best approach to prevent this undesired VPN connection. Initially, we reached out to Cisco TAC for assistance, and their recommendation was to block the public IP addresses on the FTD for each of the 28 offices. However, we are hesitant to follow this advice because the circuits frequently change, and this would entail significant ongoing maintenance work. Are there alternative solutions to address this issue more effectively?
Just use DNS. Resolve the VPN endpoint's IP to 127.0.0.1 on internal networks. Sit back with good coffee and answer a few tickets that you can answer with "working as intended."
So a couple of things come to mind. I know Palos have a detect function that can be defined for it to detect inside networks. Not sure if this is possible.
Considering you are using AnyConnect and you mentioned changing IPs: are you by any chance using DNS for the gateway? If so, I would suggest creating a sinkhole rule for the address from inside your networks.
Another option would be to block origin addresses from the AnyConnect gateway. There should be a way to automate this by polling your remote site addresses and using an API to place these in a group.
I’ve not personally worked with AnyConnect, but these items would work with FortiGate or Palo Alto systems.
If using AnyConnect, use the trusted network settings,
so if on the internal network then AnyConnect does not prompt for the username/password,
and if on an external network users are asked to log in to the VPN.
There are other ways to get around this, such as playing around with DNS, but TND is there for a reason.
Wow, our company has the exact opposite problem: you can only get to the prod env via a VPN, and people just never remember to get on it in the office. PROD IS DOWN! WEBSITE SAYS UNAVAILABLE!
How often are the circuit IPs changing? That’s slightly concerning in a business environment.
My recommendation would be to block the IPs but also to set up monitoring so you are notified when a site's IP changes.
Further, depending on the current state of infrastructure, clients, Intune, AD, etc., network policies for clients could be put in place so that when they are in specific subnets, whatever VPN client is in use is blocked from making a connection.
So you can come at it from the client or from the router side.
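Worked example for the "block the IPs but monitor for changes" suggestion above, and for the earlier reply's idea of automating the block list by polling the remote sites. This is an added example written for this thread, not code from the original posters or from Cisco. It assumes (hypothetically) that each office circuit is reachable by a DDNS name, that the last-known addresses are kept in a JSON state file, and that pushing the resulting list into an FTD network object is done separately with whatever API or CLI you already use; the DNS answers below are constructed so the script runs offline.

```python
"""Keep the per-office WAN address list behind an FTD deny rule current.

Added example for the thread, not the original posters' or Cisco's code.
Hypothetical assumptions: every office circuit has a DDNS name, the
last-known addresses are persisted as JSON, and the returned list is fed to
the FTD object group by a separate step.
"""
import json
import socket
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Dict, List, Set, Tuple

Resolver = Callable[[str], Set[str]]

# Constructed inventory: office -> DDNS names of its two circuits.
SITES: Dict[str, List[str]] = {
    "office01": ["office01-a.ddns.example.net", "office01-b.ddns.example.net"],
    "office02": ["office02-a.ddns.example.net", "office02-b.ddns.example.net"],
}

# Constructed DNS answers so the example runs offline; use resolve_live in production.
FAKE_DNS: Dict[str, List[str]] = {
    "office01-a.ddns.example.net": ["203.0.113.10"],
    "office01-b.ddns.example.net": ["203.0.113.12"],  # circuit was re-addressed
    "office02-a.ddns.example.net": [],                # resolution failed this run
    "office02-b.ddns.example.net": [],
}


def resolve_fake(name: str) -> Set[str]:
    return set(FAKE_DNS.get(name, []))


def resolve_live(name: str) -> Set[str]:
    """System resolver; NXDOMAIN or timeout is reported as 'no addresses'."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


@dataclass(frozen=True)
class Change:
    site: str
    added: frozenset
    removed: frozenset


def poll_sites(sites: Dict[str, List[str]], resolver: Resolver) -> Dict[str, Set[str]]:
    """Current public addresses per office, merged across its circuits."""
    return {site: set().union(*(resolver(n) for n in names)) for site, names in sites.items()}


def sync(sites: Dict[str, List[str]], previous: Dict[str, List[str]],
         resolver: Resolver) -> Tuple[Dict[str, List[str]], List[Change]]:
    """Poll every site, diff against stored state, return (new state, changes).

    A site whose names all fail to resolve keeps its stored addresses: a DNS
    hiccup must not silently drop an office out of the deny rule. A site that
    is no longer in the inventory is removed and reported.
    """
    current = poll_sites(sites, resolver)
    new_state: Dict[str, List[str]] = {}
    changes: List[Change] = []
    for site in sorted(set(previous) | set(sites)):
        old = set(previous.get(site, []))
        new = current[site] or old if site in sites else set()
        if new != old:
            changes.append(Change(site, frozenset(new - old), frozenset(old - new)))
        if new:
            new_state[site] = sorted(new)
    return new_state, changes


def block_list(state: Dict[str, List[str]]) -> List[str]:
    """Flattened, deduplicated address list for the FTD deny rule."""
    return sorted({ip for ips in state.values() for ip in ips})


def run(state_path: Path, resolver: Resolver = resolve_live) -> List[str]:
    previous = json.loads(state_path.read_text()) if state_path.exists() else {}
    state, changes = sync(SITES, previous, resolver)
    for c in changes:  # hook your alerting (mail, Teams, ticket) here
        print(f"{c.site}: added {sorted(c.added)} removed {sorted(c.removed)}")
    state_path.write_text(json.dumps(state, indent=2))
    return block_list(state)


if __name__ == "__main__":
    print(run(Path("site-ips.json"), resolver=resolve_fake))
```

Run it from cron on a host that can resolve the DDNS names; the printed changes are what you want to alert on, and the returned list is what goes into the FTD object group. Keeping stored addresses on a failed lookup errs on the side of leaving a stale address blocked rather than opening a window where an office can reach the VPN again.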
We’re seeking the best approach to prevent this undesired VPN connection.
Tell people not to do that. If they complain again, tell them again. If they complain to their bosses, tell their bosses. If they complain to your boss, ask them directly how much valuable technical time you should spend solving idiot human issues.
Has a communication been sent out to your users about not using the VPN while onsite?
That would be a logical first step.
Even if you do take action to block that connection onsite, you’d want to get a communication out about the change so your service desk doesn’t get flooded with calls.