CMPivot Your VPN IP Ranges

Posted by PaulW on Tue, 01/05/2021 - 07:00pm

I know there are the new VPN boundaries for making CM management easier.  But I'm still stuck on using the tried and true IP ranges for boundaries.  Why?  Because they are tried and true and just work, and because there is no "magic" in the background.  (I call it magic because I haven't dug into them too much yet, so I don't know how they make their determination.)

But anyway, since I use ranges and don't trust that the network team will always let us know when they add ranges, why not use a tool in CM to quickly confirm the ranges in use?  How about... CMPivot?  Yes, that can do the job nicely!  Let's look at some queries and review the results.

Query IP Ranges

For AnyConnect, it would look like this:

IPConfig 
| where InterfaceDescription like 'Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64' 
| summarize count() by substring(IPV4Address, 0, 9) 
| render barchart with (title='AnyConnect Subnet Assignment', xtitle='Subnet', ytitle='Number of Devices')

If you use GlobalProtect, it would look like this (note the wildcard at the end of the name, as I've found the adapter named with #1, #2, etc. appended):

IPConfig 
| where InterfaceDescription like 'PANGP Virtual Ethernet Adapter%' 
| summarize count() by substring(IPV4Address, 0, 9) 
| render barchart with (title='GlobalProtect Subnet Assignment', xtitle='Subnet', ytitle='Number of Devices')

For any other VPN client, just find the interface description: run IPCONFIG /ALL and look at the Description on the VPN adapter.

The "substring(IPV4Address, 0, 9)" summarizes by the first 9 characters of the IP address, so you may need to experiment with that length a bit depending on how your addresses are written.

This is what one of those queries would look like:

CMPivot of AnyConnect Results

So...

So, run this CMPivot query periodically in the middle of the day and make sure the network team didn't forget to tell you something. ;-)


P.S. - Query if IP is Assigned

Something else...

Let's see, of all the VPN clients found and installed, whether the VPN adapter has an IP address assigned to it.  That is, is the VPN adapter actually in use?

AnyConnect:

NetworkAdapterConfiguration 
| where Description like 'Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64' 
| summarize count() by IPEnabled 
| render piechart with (title='AnyConnect Status')

GlobalProtect:

NetworkAdapterConfiguration 
| where Description like 'PANGP Virtual Ethernet Adapter%' 
| summarize count() by IPEnabled 
| render piechart with (title='GlobalProtect Status')

And one of these would look like this:

CMPivot of AnyConnect Active or Enabled
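The two checks above (which subnets the VPN clients are landing in, and whether the installed adapters actually hold an address) can also be run over an exported CMPivot result set outside the console. The Python below is an added example, not code from the original post or from Configuration Manager; the rows, adapter names and boundary ranges in it are constructed, and the "known boundaries" list stands in for whatever IP range boundaries you have configured in CM. It groups addresses by a real prefix length instead of a fixed number of characters, which sidesteps the substring problem (substring(IPV4Address, 0, 9) turns 10.20.1.15 into "10.20.1.1" but 10.20.1.77 into "10.20.1.7", so one subnet can show up as several bars), and it flags any client whose VPN address falls outside every known boundary, which is exactly the range the network team forgot to mention:

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample rows in the shape of an exported CMPivot IPConfig /
# NetworkAdapterConfiguration result: (Device, InterfaceDescription, IPV4Address).
# An empty IPV4Address stands for an adapter that is installed but holds no
# address (IPEnabled = False). These are not real devices or addresses.
SAMPLE_ROWS = [
    ("PC001", "Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64", "10.20.1.15"),
    ("PC002", "Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64", "10.20.1.77"),
    ("PC003", "Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64", "10.20.2.9"),
    ("PC004", "PANGP Virtual Ethernet Adapter #2", "10.30.5.40"),
    ("PC005", "PANGP Virtual Ethernet Adapter", "10.30.5.41"),
    ("PC006", "PANGP Virtual Ethernet Adapter", "10.31.0.8"),    # outside every known boundary
    ("PC007", "Intel(R) Ethernet Connection", "192.168.1.10"),   # not a VPN adapter, ignored
    ("PC008", "Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64", ""),  # installed, no IP
]

# Hypothetical CM IP range boundaries as (start, end), i.e. what the network
# team told you about. Constructed values.
KNOWN_BOUNDARIES = [
    ("10.20.1.1", "10.20.1.254"),
    ("10.20.2.1", "10.20.2.254"),
    ("10.30.5.1", "10.30.5.254"),
]


def vpn_product(description):
    """Map an adapter description to its VPN product, or None for non-VPN adapters.
    Prefix matching covers the '#1', '#2' suffixes GlobalProtect appends."""
    if description.startswith("Cisco AnyConnect"):
        return "AnyConnect"
    if description.startswith("PANGP Virtual Ethernet Adapter"):
        return "GlobalProtect"
    return None


def subnet_counts(rows, prefix_len=24):
    """Count VPN client addresses per network, grouped by a real prefix length
    (default /24) rather than by the first N characters of the address."""
    counts = Counter()
    for _device, desc, ip in rows:
        if vpn_product(desc) is None or not ip:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def in_boundary(ip, boundaries):
    """True if ip lies inside any (start, end) range, both ends inclusive."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in boundaries)


def uncovered_devices(rows, boundaries):
    """Devices whose VPN address matches no known boundary: a range you were not told
    about, and a client that would fall into no boundary group."""
    return sorted(dev for dev, desc, ip in rows
                  if vpn_product(desc) is not None and ip and not in_boundary(ip, boundaries))


def adapter_status(rows):
    """Per VPN product: how many installed adapters hold an address (in use) vs. not,
    the same split the IPEnabled pie chart shows."""
    status = defaultdict(lambda: {"with_ip": 0, "no_ip": 0})
    for _device, desc, ip in rows:
        product = vpn_product(desc)
        if product is None:
            continue
        status[product]["with_ip" if ip else "no_ip"] += 1
    return dict(status)


if __name__ == "__main__":
    print("Per /24:", subnet_counts(SAMPLE_ROWS))
    print("Per /16:", subnet_counts(SAMPLE_ROWS, prefix_len=16))
    print("Outside known boundaries:", uncovered_devices(SAMPLE_ROWS, KNOWN_BOUNDARIES))
    print("Adapter status:", adapter_status(SAMPLE_ROWS))
```

Changing prefix_len to 16 gives the coarser view that the 9-character substring was approximating; the uncovered list is the one worth reviewing after each run, since every device on it is either a new range to add as a boundary or a client that is not going to get the site assignment you expect.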
