Architecting a Static IP Solution for AnyConnect within 12 Hours
And how to develop networking automation from there
The requirement for people to work from home challenges us to come up with new solutions that scale. One of them is enabling VPN connections to use a static IP for each user.
But why would anyone want to do that?
It turns out that for years, India has had a strict law prohibiting VoIP (Voice over IP) over VPN. This law only surfaced when the head honcho, Chuck Robbins, encouraged all Cisco employees to work from home. In the past, our call center employees were not allowed to work from home because they were not permitted to use VoIP over VPN; but desperate times call for desperate measures.
With Cisco at the head, a number of tech companies sat down with India's government and came up with an exception allowing VoIP over VPN, as long as each employee is given the same IP upon every connection and a record of each employee's work address is provided to the DoT (Department of Telecommunications). With the exception in place, it was left to us to come up with a solution.
Conventionally, IP addresses are assigned from an IP address pool, which gives a user the first available IP address in a range.
Take for example what happens if I select a site within AnyConnect, e.g. "Headquarters". Within the AnyConnect client is an XML file that directly maps the site "Headquarters" to the URL "headquarters.cisco.com/default". This URL can be broken down into two parts: the device address, "headquarters.cisco.com", and the path, "default", which maps to the tunnel-group "Default_Tunnel_Group". Within the VPN headend configuration is a line stating that the address pool for the tunnel-group "Default_Tunnel_Group" is 10.0.0.1-10.0.0.254, or a "/24". I am then assigned the first unallocated IP address in that range, in this case let's say "10.0.0.101", which becomes my IP address within the Cisco network. If I disconnect and then reconnect, I will be assigned a new IP address from the above range.
The size of the IP address pool, the number of users connecting to a site, and the number of VPN headend devices (each with a unique address pool) in a cluster for a site are all factors that make the chance of being assigned the same IP address upon reconnection extremely remote.
Example configuration of an IP address pool and tunnel group:
```
ip local pool DEFAULT_EMPLOYEE_POOL 10.0.0.1-10.0.0.254 mask 255.255.255.255
tunnel-group Default_Tunnel_Group type remote-access
tunnel-group Default_Tunnel_Group general-attributes
 address-pool DEFAULT_EMPLOYEE_POOL
 default-group-policy Default_Group_Policy
tunnel-group Default_Tunnel_Group webvpn-attributes
 group-url headquarters.cisco.com/default enable
```
Our first approach to assigning static IPs was a solution that came up in forums from years past: create a local user account on the ASA and statically assign an IP to that specific user. However, this would require a static password stored on the ASA, and although encrypted, we knew our friends in InfoSec would have an absolute fit over that one. As a long shot, we attempted to authenticate a local user account with no static password against our AAA servers, but this attempt ultimately failed.
Our second attempt was to look at how we could use ISE (Identity Services Engine) in this scenario. ISE handles all of our authorization requests in the corporate network, whether on-site or remote, and it made sense to use it given that we were mapping static IPs to users. With ISE we ran into two problems. First, ISE does not proxy all of the information provided by RADIUS servers back to the VPN headends, so it was not a viable solution in our partner network, where we rely on RADIUS groups to handle ACLs. Second, there were concerns over how to complete this at scale: manually creating over 7,000 policies in ISE would take a serious effort in both people and time, and we'd be sailing uncharted waters, since it had never been tested for this type of scenario.
Our third approach was to use Active Directory in place of ISE for the IP address mapping. We once again faced the issue of resourcing to create 7,000 entries by hand, as well as the unknown strain we would be putting on the system.
Sometimes the best solution is the simplest. After hours of attempting fancy group controls with ISE and trying to get it to pass RADIUS group information, we settled on one of the first ideas that came up while brainstorming and one we knew should work: a unique tunnel group and an address pool of one IP for each user.
The solution can best be summarized by taking me, username "drew", as an example of a user who needs a statically assigned IP address. Taking the "/24" from before with the IP range 10.0.0.1-10.0.0.254, we pick the IP address 10.0.0.201 to be my statically assigned IP address. We declare an address pool of just this one IP address, which is now a "/32". We assign this address pool to the tunnel group "drew", with the URL "headquarters.cisco.com/drew".
Example configuration of a static IP address pool and tunnel group:
```
ip local pool drew 10.0.0.201 mask 255.255.255.255
tunnel-group drew type remote-access
tunnel-group drew general-attributes
 address-pool drew
 default-group-policy Default_Group_Policy
tunnel-group drew webvpn-attributes
 group-url https://headquarters.cisco.com/drew enable
```
After the successful testing and implementation of the above configuration (which used the automation detailed below), questions spread across our team like wildfire (and to the credit of our customers, they have had similar questions along these lines). The solution seems hacky, to say the least. What are the security implications and, very importantly, will it scale? We're talking about a solution that needs to work for thousands of Cisco call center employees in India (a number which has approached 7,000 as of today).
Here are some of the most notable questions:
How many tunnel groups (and thus users) can you have on each VPN headend? Cisco ASA documentation states that the number of tunnel groups that can be configured is equal to the maximum number of VPN connections the platform supports. In our case we are using ASA 5585-SSP60s, which support 10,000 connections and can therefore be configured with 10,000 tunnel groups. Does the addition of such a large number of tunnel groups increase overhead on the ASA and thus decrease performance?
The ASA uses a hash map for its tunnel groups (constant-time lookup), so although memory is used for the additional tunnel groups, that memory is constant and pales in comparison to the memory used for an ASA's normal tasks of encrypting and decrypting traffic.
With our nerves somewhat calmed about the number of tunnel groups we had just deployed to the VPN headend, we had some homework left to do. Because we're Cisco, a solution is not complete without security, and DAP (dynamic access policies) on VPN headends is one of our core lines of defense. By keeping all tunnel groups under the same blanket group policy, we were able to maintain our standard DAP checks, such as verifying AnyConnect client and operating system versions, as well as other miscellaneous policies such as AnyConnect session timeouts and FQDN split tunneling.
The last item was ensuring that the static IP tunnel groups we had just created were used exclusively by the employees for whom they were intended, and that employees who were supposed to be using these static IPs were not connecting to our regular corporate VPN headends and getting dynamically assigned IPs. To ensure that the employee who was supposed to be connecting to a tunnel group was the only one who could do so successfully, we applied a LUA script through DAP to the blanket group policy:
```
EVAL(cisco.aaa.username, "EQ", cisco.aaa.tunnelgroup)
```
Essentially this checks that the authenticating username is the same as the name of the tunnel group, which is deliberately the same as the user's username. This prevents the user "damien" from connecting to my tunnel group, "drew", and from using my static IP of 10.0.0.201. To ensure that employees were exclusively connecting to their assigned static IP tunnels, we used ISE to block all call center employees from connecting to our corporate VPN headends by denying authorization to those sites for users in an Active Directory (AD) group.
Automation and Management
You can find the code we used to generate the ASA configuration for the thousands of tunnel groups and static IPs we needed in DevNet Code Exchange. It uses simple string interpolation along with a text file of users. In addition to generating the tunnel groups, the functions provided also help you tear these tunnel groups down for easier clean-up.
These functions are not meant to be a full-blown solution, but to provide you with the building blocks to make one.
The solution we built was not as elegant as we would have liked; however, with automation we can change that. Using these configuration generation functions along with our favorite network configuration tools, such as NSO (Network Services Orchestrator), Ansible, Paramiko, etc., we can create templates to automate the deployment of this configuration to the VPN headend.
Taking things a step further, we can build on top of these network configuration tools with an application that manages these tunnel groups, coupled with a database of the users and their statically assigned IPs. Then, when you want to add or remove a user, the application does the allocation or deallocation of IPs for you, without having to trawl through thousands of lines of configuration.
You can see our use-case-driven solution on DevNet Automation Exchange. In terms of the Walk-Run-Fly journey it presents, we see our solution as being in the "Run" state. We encourage and welcome use and improvements from the community to achieve "Fly" status.
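As an added example (written for this page; it is not the DevNet Code Exchange code the post links to, nor any other Cisco code), here is a small Python allocator and generator covering both the generation/teardown functions and the allocation-tracking application described above. It hands out /32 addresses from the post's 10.0.0.0/24 idempotently, so a returning user keeps the same IP, persists the user-to-IP map as a JSON file, renders the same per-user pool and tunnel-group block shown for "drew", and renders the matching teardown. The reserved address 10.0.0.101, the sample user list, the JSON state file and the set of characters accepted in a username are assumptions made for this example.

```python
"""Per-user static IP allocation and ASA config generation.

Added example; not the DevNet Code Exchange code the post links to.
The 10.0.0.0/24, the group policy name, the headend FQDN and the single-IP
pool layout come from the post; the user list, the reserved addresses and
the accepted username characters are assumptions.
"""
import ipaddress
import json
import re
from pathlib import Path

POOL = ipaddress.ip_network("10.0.0.0/24")   # the "/24" from the post
GROUP_POLICY = "Default_Group_Policy"
HEADEND = "headquarters.cisco.com"
# Assumption: keep addresses still handed out dynamically on this headend
# (the post's example 10.0.0.101) out of the static range.
RESERVED = {ipaddress.ip_address("10.0.0.101")}
# Assumption: the tunnel-group name doubles as the AAA username for the DAP
# EVAL(cisco.aaa.username, "EQ", cisco.aaa.tunnelgroup) check, so accept only
# characters that are safe in both the ASA CLI and a URL path.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def check_username(username: str) -> str:
    """Reject names that would break the CLI line or the group-url."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"unsafe tunnel-group/user name: {username!r}")
    return username


class StaticIpAllocator:
    """Maps usernames to /32 addresses; the map is the 'database' the post
    describes, persisted as JSON so a user keeps the same IP across runs."""

    def __init__(self, assigned=None):
        self.assigned = {check_username(u): ip for u, ip in (assigned or {}).items()}

    def allocate(self, username: str) -> str:
        username = check_username(username)
        if username in self.assigned:            # idempotent: keep the old IP
            return self.assigned[username]
        in_use = {ipaddress.ip_address(ip) for ip in self.assigned.values()} | RESERVED
        for host in POOL.hosts():                # first free host in the /24
            if host not in in_use:
                self.assigned[username] = str(host)
                return str(host)
        raise RuntimeError(f"{POOL} exhausted; add a range before onboarding {username}")

    def release(self, username: str) -> str:
        """Free the address so the next new user can receive it."""
        return self.assigned.pop(username)

    def save(self, path: Path) -> None:
        path.write_text(json.dumps(self.assigned, indent=2, sort_keys=True))

    @classmethod
    def load(cls, path: Path) -> "StaticIpAllocator":
        return cls(json.loads(path.read_text()) if path.exists() else {})


def render_user_config(username: str, ip: str) -> str:
    """Same shape as the 'drew' block in the post, with a single-IP pool."""
    username = check_username(username)
    return "\n".join([
        f"ip local pool {username} {ip} mask 255.255.255.255",
        f"tunnel-group {username} type remote-access",
        f"tunnel-group {username} general-attributes",
        f" address-pool {username}",
        f" default-group-policy {GROUP_POLICY}",
        f"tunnel-group {username} webvpn-attributes",
        f" group-url https://{HEADEND}/{username} enable",
    ])


def render_user_teardown(username: str) -> str:
    """The tunnel-group references the pool, so remove the group first."""
    username = check_username(username)
    return f"clear configure tunnel-group {username}\nno ip local pool {username}"


def render_from_userfile(user_lines, allocator: StaticIpAllocator) -> str:
    """One block per non-empty, non-comment line of the users text file."""
    blocks = []
    for line in user_lines:
        user = line.strip()
        if not user or user.startswith("#"):
            continue
        blocks.append(render_user_config(user, allocator.allocate(user)))
    return "\n!\n".join(blocks)


if __name__ == "__main__":
    # Constructed user file; 'drew' is pre-seeded with the post's 10.0.0.201.
    users = ["# call center staff", "drew", "damien", ""]
    alloc = StaticIpAllocator({"drew": "10.0.0.201"})
    print(render_from_userfile(users, alloc))
    print(render_user_teardown("damien"))
    alloc.save(Path("static_ip_state.json"))
```

Running the state file through a tool such as NSO or Ansible is what turns the rendered text into a deployed configuration; the allocator deliberately knows nothing about the headend, so the same map can be pushed to an active/standby pair without drifting.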
Closing Thoughts
It has now been over a month since we deployed our static IP solution for call center employees, and for the most part things have been relatively smooth for such an ad hoc implementation. This is not to say we have not faced issues since then; however, we have continued to work on improvements, such as adding redundancy to our call center VPN headend using an active failover configuration. With all that being said, I cannot stress enough how much automation saved us in this hacky scenario, and how it continues to make things simple through the management of these static IP tunnels. Thanks to the help of individuals in multiple organizations across Cisco, we enabled Cisco's call center employees (as well as those of other companies) in India to have access to systems and resources, allowing them to remain productive while working from anywhere.
Related resources:
- DevNet Networking Dev Center: find your use case and get started.
- DevNet Collaboration Dev Center: APIs, SDKs, and resources for Cisco Collaboration technologies.
- DevNet Network Automation Exchange: shared code repositories for network automation.
- Cisco DevNet Certifications
Read more: blogs.cisco.com