Network

I’ve posted an article on Client VPN setup using OpenVPN and I noticed I didn’t have one regarding Cisco ASA. A Cisco ASA being a very common Security Appliance used by small and large companies. This article will cover how to setup a standard remote client VPN utilizing IPsec as the crypto carrier. Cisco also has their own proprietary remote client VPN solution called AnyConnect. I will be posting an article after this one on how to set an AnyConnect solution up and include what the differences are between it and the standard IPsec remote client VPN contained in this article.

A remote client VPN is something very common in workplace now-a-days. It allows users to appear as if they are on the company’s internal network over an insecure medium(e.g. Internet, untrused Network, etc). It does so by using IPsec. IPsec is a tried and true Layer 3 securing technique that requires both parties involved to mutually authenticate each other before passing traffic.

A few things to keep in mind regarding remote client VPNs.

First, a subnet is required for client’s to be put on when successfully authenticated and authorized via the remote client VPN. This can be the same subnet as one already existing on your network or a separate one with a firewall in-between The later being best in practice and security.
Secondly, deciding on split-tunneling vs all-tunneling. The difference being on the client would you like all traffic to be forced across the tunnel or allow clients to communicate with both their local network and the networks on the otherside of the VPN. For best practice and security, all-tunneling is recommended.
Third, Access Lists and tunneled networks. Here we will decided what Remote VPN users will have access to other networks. We will also, in the case of split-tunneling, create an access-list of what networks to tunnel for the Remote VPN user.
Fourth, provisioning standard network services for VPN user’s. Remote VPN user’s will need a default gateway, DNS servers, domain suffix, an address pool, proxy settings, etc.

Hi All, so you’ve probably heard of goDaddy.com to register DNS names publicly. However have you ever done a dig or nslookup on your registered name? It probably returns the name you queryied and the IP address just as you expected, however this is because dig is by default recusive. This means that it will ask it’s known DNS server if it knows the DNS resolution for your query, if not, forward it on and on and on until it is found through the DNS hiearchy or it times out. See the diagram below.

DNS Hierarchy

Let’s walk through this.

TLD (Top-Level Domains) — These are the highest level on the DNS hierarchy. You can find a list here.
SLD (Secondary Level Domains) — These are they domain names you are most familary with, like google.com, slashdot.org, thejimmahknows.com. Notice each of there suffix’s
Sub Domains — Logically grouped resources, such as mail.google.com and linux.slashdot.org. Can have multiple prefix subdomains (i.e. a.b.c.d.google.com)
Resource Records — There are several different types. The most common are A reocrds, MX records, and CNAME records.

Cisco ASA — Easy Remote Client VPN Solution

Creating a Public DNS Server and advertising an Authoritative Domain

DNS Hierarchy

Let’s walk through this.