VPN – Can a Cisco ASA firewall force remote VPN?

Tags: cisco-asa, vpn

Right now I have Remote Access VPN configured to use full tunnel. When I am off the VPN I can still browse external sites (Google, Yahoo, etc.), which uses my local ISP. If I want to VPN into my network, I need to open the Cisco AnyConnect desktop client and enter the VPN URL and my credentials. Once I am connected, all my traffic goes through my company's ISP circuit/ASA firewall.

Is there a way to force VPN on a Cisco ASA firewall so a user cannot use their computer unless they are VPNed into the company network? Meaning, as soon as they log on, they cannot browse the internet or get to email until they VPN into the network.

Meaning, is there a setting in the ASA that tells it to connect to the VPN automatically when there is an internet connection?

Any information would be most helpful.

Thanks,

Best Answer

Yes, it can.

The AnyConnect VPN client has a feature named "Always On":

Always-On operation prevents access to Internet resources when the computer is not on a trusted network, unless a VPN session is active. Enforcing the VPN to always be on in this situation protects the computer from security threats.

Cisco documentation: Require VPN Connections Using Always-On

Note that this feature is configured in the AnyConnect client profile, which can either be pre-deployed or pushed from the ASA. Obviously, if you want the feature to be active from day zero, even before the user makes his first VPN connection, then you need to pre-deploy the profile.

Also note that the comments mentioned concerns about the user being able to circumvent this feature by defining their home (or coffee shop) network as "trusted" in the Windows firewall settings. AnyConnect does not use the Windows firewall settings for trusted networks. Instead it uses another AnyConnect feature named Trusted Network Detection (TND), which allows the ASA admin to control which networks are considered trusted based on the DNS settings of the client.

cf. Configure Trusted Network Detection
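As an added illustration (not part of the answer above, and not taken from Cisco's documentation), here is what an AnyConnect client profile looks like with Always-On and Trusted Network Detection enabled together; the domain corp.example.com, the DNS server 10.0.0.53 and the host vpn.example.com are made-up placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example profile; corp.example.com, 10.0.0.53 and
     vpn.example.com are placeholders, not values from the question. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Trusted Network Detection: the client counts as "inside" only when
         its DNS suffix and DNS server match these values, regardless of
         what the Windows firewall calls the network profile. -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedDNSServers>10.0.0.53</TrustedDNSServers>
      <!-- On a trusted network tear the tunnel down; anywhere else bring it up. -->
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <!-- Always-On: on untrusted networks, traffic is allowed only through the tunnel. -->
      <AlwaysOn>true
        <!-- Closed: no Internet access at all if the VPN cannot be established.
             Open would fall back to the local ISP, which is what the question
             wants to prevent. -->
        <ConnectFailurePolicy>Closed</ConnectFailurePolicy>
        <!-- Brief window (minutes) to get past hotel/coffee-shop captive portals. -->
        <AllowCaptivePortalRemediation>true
          <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
        </AllowCaptivePortalRemediation>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Because the asker's users currently connect by hand, this profile has to ship with the client installer (pre-deployed) to be enforced from first logon; for later updates the ASA can push it when it is loaded with `anyconnect profiles <name> disk0:/<file>.xml` under `webvpn` and attached to the group policy with `anyconnect profiles value <name> type user`.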