topic Re: Community Ask Me Anything - Secure Remote Working in Network Security

Community Ask Me Anything - Secure Remote Workers

ciscomoderator — Tue, 24 Mar 2020 17:06:19 GMT

You can ask your question on your own language:

Español

Here’s your chance to discuss Cisco Secure Remote Working technologies such as AnyConnect, ASA, FTD, Duo, and Umbrella. In this session, the experts will answer questions about emergency licenses, design, configuration, and troubleshooting. Our experts span more than 12 time zones. Also, we’ll be translating the session into multiple languages to provide you with the best experience possible.

This forum event works well as an introduction for those who are not familiar with these security solutions and/or have recently started using them.

To participate in this event, please use the button below to ask your questions

Ask questions from Friday, March 20 to Friday, April 3, 2020

Featured experts

Divya Nair is a Technical Marketing Engineer with the Security Business Group in Raleigh, North Carolina. She has more than 10 years of experience in Cisco network security technologies, including firewalls, IPS, VPN, and AAA; and is currently focusing on VPN and firewall management platforms. Divya holds a Bachelor's degree in Computer Science and Engineering.

Jonny Noble leads the Technical Marketing team for Cloud Security at Cisco, with expertise in Cisco Umbrella and surrounding technologies. For more than 20 years, Jonny has obtained experience in customer-facing disciplines for global hi-tech organizations. He also has rich experience in presenting breakout sessions and proctoring labs at Cisco Live events along with representing Cisco at numerous customer and partner events, trade shows, and exhibitions. Jonny holds degrees in Electronics, Sociology, a Business MBA, and is CISSP certified.

Aditya Ganjoo is a Technical Marketing Engineer in Bangalore, India. He has been working with Cisco for the past seven years in Security domains such as Firewall, VPN and AAA. Aditya has delivered trainings on ASA and VPN technologies. He holds a Bachelor's degree in Information Technology. Additionally, he is a CCIE in Security (CCIE#58938). He has been a consistent contributor on Cisco Support Community and has delivered multiple sessions at Cisco Live.

Due to the anticipated volume for this high in-demand event, Divya, Aditya, Jonny might not be able to answer each question. Thus, remember that you can continue the conversation directly in the Security community.

By posting a question on this event you're giving permission to be translated in all languages we have in the community.

Find further events on https://community.cisco.com/t5/custom/page/page-id/Events?categoryId=technology-support

**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to Questions

Re: Community Ask Me Anything - Secure Remote Working

elite2010 — Sun, 22 Mar 2020 06:41:26 GMT

Hi,

Any guidelines for troubleshooting DNS queries ,resolving local dns always giving pain when connected using anyconnet vpn

Thanks

Re: Community Ask Me Anything - Secure Remote Working

Aditya Ganjoo — Sun, 22 Mar 2020 07:42:51 GMT

Hello,

Are you facing issues with local DNS resolution through the VPN tunnel?

If yes, you can check the group-policy attributes for the specific value.

If you are looking for best practices, you can configure the following three options for DNS with Anyconnect:

Split DNS - The DNS queries which match the domain names, are configured on the Cisco Adaptive Security Appliance (ASA). They move through the tunnel (to the DNS servers that are defined on the ASA, for example) while others do not.
Tunnel-all-DNS - Only DNS traffic to the DNS servers which are defined by the ASA is allowed. This setting is configured in the group policy.
Standard DNS - All of the DNS queries move through the DNS servers which are defined by the ASA. In the case of a negative response, the DNS queries might also go to the DNS servers which are configured on the physical adapter.

You can also check the following link for more clarity on DNS behavior with Anyconnect:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116016-technote-AnyConnect-00.html#anc1

Regards,

Aditya

Please rate helpful posts

Re: Community Ask Me Anything - Secure Remote Working

elite2010 — Sun, 22 Mar 2020 10:30:06 GMT

Hi,

Thanks for the reply

"Split DNS - The DNS queries which match the domain names, are configured on the Cisco Adaptive Security Appliance (ASA). They move through the tunnel (to the DNS servers that are defined on the ASA, for example) while others do not."

When you say " DNS servers that are defined on the ASA" means the DNS server's configured on the ASA firewall or in the tunnel or group policy

The DNS queries which match the domain names, you mean the domain name is configured on the firewall or in the group policy ?

What if we have split domain like test.local and test.com ?

test.com (it's a forward zone in the same test.local dns server (eg:192.168.1.100)
test.com also resolves to private ip addresses

this is my current configuration
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 192.168.1.100
domain-name test.local

Thanks

Re: Community Ask Me Anything - Secure Remote Working

Aditya Ganjoo — Sun, 22 Mar 2020 15:06:43 GMT

Hello,

All the values would be under the group-policy. You can add multiple values/domains under the group-policy.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1597902

Re: Community Ask Me Anything - Secure Remote Working

BasavarajNingappa6558 — Sun, 22 Mar 2020 19:27:45 GMT

Hi,

Do we have any options in cisco anyconnect using FTD firewall for blocking non-windows joined machines and allow only domain computers to connect to anyconnect ?

Thanks

Basavaraj

Re: Community Ask Me Anything - Secure Remote Working

Divya Nair — Sun, 22 Mar 2020 19:44:06 GMT

Hi Basavaraj,

You can use machine certificate authentication for AnyConnect users to ensure that only domain machines can join. Config guide - https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/firepower_threat_defense_remote_access_vpns.html#id_login_via_clientcert

Re: Community Ask Me Anything - Secure Remote Working

BasavarajNingappa6558 — Mon, 23 Mar 2020 05:28:18 GMT

Hi Divya,

Thanks for the response

Basically what I'm looking for are domain computers I'm already enforcing DLP and all they cant copy anything of the computers and all, for example, if my employees connect to a corporate network using their personal computers and how can I prevent them not to copy anything except working on the required applications and all, basically I don't them to copy any data from the network when they connect to the network.

how can I achieve this ? can I create one tunnel-group for domain-joined machines and another tunnel-group for non-domain joined machines and enforce the policy?
Thanks
Basavaraj

Re: Community Ask Me Anything - Secure Remote Working

Aditya Ganjoo — Mon, 23 Mar 2020 05:55:26 GMT

Hi Basavaraj,

Yes, you would need to create different connection profiles and enforce the policies.

This can be done by different ways like by providing users group-URLs, through Radius attributes or by group-lock feature on ASA.

Regards,

Aditya

Re: Community Ask Me Anything - Secure Remote Working

BasavarajNingappa6558 — Mon, 23 Mar 2020 06:29:21 GMT

Hi Aditya,

Can you please provide an example configuration guide for me to follow and do it
Thanks
Basavaraj

Re: Community Ask Me Anything - Secure Remote Working

Aditya Ganjoo — Mon, 23 Mar 2020 06:48:23 GMT

Here you go:

https://community.cisco.com/t5/security-documents/steps-to-configure-group-lock-for-vpn-users-on-microsoft-radius/ta-p/3151643

https://community.cisco.com/t5/security-documents/asa-ssl-vpn-tunnel-group-group-url-and-group-alias-selection/ta-p/3111990

Re: Community Ask Me Anything - Secure Remote Working

BasavarajNingappa6558 — Mon, 23 Mar 2020 07:27:06 GMT

Hi Aditya,

Those links are configuring different group tunnel-group and group alias, but I'm looking for is enforcing DLP kind of policies on each group policy so that they won't be able to copy any data over Anyconnect tunnel.

Basically they should not copy any data over the Anyconnect VPN tunnel how can I enforce this kind of policy on the Anyconnect VPN

Re: Community Ask Me Anything - Secure Remote Working

elite2010 — Mon, 23 Mar 2020 10:58:25 GMT

Hi,

Thanks for the reply .

I have tried all split-dns ,standard ,tunnel all dns ... Still I cannot resolve (Dns server is reachable from the server ) . I am using anyconnect 4.8 and asa code 9.2

Please advise

Re: Community Ask Me Anything - Secure Remote Working

Aditya Ganjoo — Mon, 23 Mar 2020 11:18:20 GMT

Hi,

Can you share the output of show run group-policy <policy-name>?

Regards,

Aditya

Re: Community Ask Me Anything - Secure Remote Working

Divya Nair — Mon, 23 Mar 2020 14:57:04 GMT

Hi,

If I understand, you are looking to enforce DLP for BYOD users. The best way to do this on the FTD would be to have the BYOD users connect to a separate connection profile/group-policy. I would give this connection a different address pool from the domain users. You can then use application filters on the FTD access policy to block file transfer protocols for the BYOD VPN pool. Keep in mind that FTD is not a true DLP application, but the application filter will help accomplish what you need to do - https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/rule_management_common_characteristics.html#id_16281

HTH

Re: Community Ask Me Anything - Secure Remote Working

Aditya Ganjoo — Mon, 23 Mar 2020 18:02:34 GMT

In addition to what Divya said you can also do On-demand Scripts using Anyconnect:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/customize-localize-anyconnect.html#ID-1408-00000396

Regards,

Aditya

Re: Community Ask Me Anything - Secure Remote Working

elite2010 — Tue, 24 Mar 2020 04:37:08 GMT

Hi,

Here is my sh run group policy

1)
group-policy it-test internal
group-policy it-test attributes
dns-server value 192.168.1.100
vpn-idle-timeout 20
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value it-test-acl
default-domain value test.local
address-pools value it-test-pool

2 )group-policy it-test2 internal
group-policy it-test2 attributes
wins-server none
dns-server value 192.168.1.100
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value it-test2-acl
default-domain value test.local
split-dns value test.local test.com
split-tunnel-all-dns disable
address-pools value it-test2-Pool

Tried the below also after removing "split-tunnel-all-dns disable" but did not help .

3 )group-policy it-test2 internal
group-policy it-test2 attributes
wins-server none
dns-server value 192.168.1.100
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value it-test2-acl
default-domain value test.local
split-dns value test.local test.com
~~split-tunnel-all-dns disable~~
address-pools value it-test2-Pool

Thanks

Re: Community Ask Me Anything - Secure Remote Working

Aditya Ganjoo — Tue, 24 Mar 2020 07:11:07 GMT

Hi,

Please disable/remove the tunnel-all split dns config and keep the split-dns values, also ensure that the DNS servers (IP) is a part of the split tunnel ACL.

To confirm the DNS lookups (if they are going through Anyconnect) you can use Wireshark, start a capture on the machine and check on which adapter the DNS requests go out to.

Please share the output of ipconfig /all from the test machine and the captures if possible.

Regards,

Aditya

Re: Community Ask Me Anything - Secure Remote Workers

Marvin Rhoads — Tue, 24 Mar 2020 12:08:10 GMT

Hello all, I have several questions:

1. Am I correct in understanding that webvpn customization (i.e. the webvpn home page) and AnyConnect customization (messages, languages etc.) are not currently supported when using Firepower Threat Defense (FTD) device as the headend? (either FMC-managed or FDM/CDO-managed)

2. Basic posture checking like we are able to do with ASA and DAP/Hostscan is not currently an option with FTD alone (i.e. we must refer to an external solution like ISE) - correct?

3. For DAP/Hostscan with ASA, does it require AnyConnect Premium and is it supported on ASAv platform models?

Re: Community Ask Me Anything - Secure Remote Workers

Divya Nair — Tue, 24 Mar 2020 12:44:37 GMT

Hi Marvin,

That is correct. Clientless WebVPN and AnyConnect customization are not supported today on FTD.
You will need to use ISE Posture for client posture assessment today on FTD.
ASA with DAP requires the Apex license (previously the Premium license) and is supported on ASAv models.