topic Thanks Marvin for your in Network Security

Ask the Expert: Configuring and Troubleshooting remote access SSL VPN on Cisco Adaptive Security Appliance

Lisa Latour — Tue, 12 Mar 2019 05:49:21 GMT

This an opportunity to learn about Cisco SSL VPN feature, clientless VPN and Anyconnect remote access client with Mohammad Alhyari.

Monday, April 27th, 2015 to Friday, May 8th, 2015

Featured Expert

Mohammad Alhyari is a customer support engineer at the Cisco Technical assistance center in Krakow, Poland. CCIE security #35093 with over 5 years of experience in the security team. Mohammed's area of expertise is security, including VPN, SSL VPN, and IPSEC VPN on the Cisco IOS and Cisco ASA platforms.

Find other https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

Hi Mohammad, I have few

Flavio Vettori — Wed, 29 Apr 2015 14:33:37 GMT

Hi Mohammad,

I have few "old" question regarding this discussion's topic, already posted around here, and a new one about licensing.

So here is the question: we manage a scenario based on a couple of old ASA5510 with A/S failover configuration; we have 150 AnyConnect Premium Peers licences but now we need to upgrade them to 200 or more. We got informed that the licensing model is changed and now we need to purchase "Apex" license as "AnyConnect Premium Peers" is no more an option. There will be platform-related problems activating and using the new licences? The old asa5510 support Apex license? It seems that our local Cisco commercial channel can't answer this question.

In my profile ( https://supportforums.cisco.com/users/flaviovettori ) you can review other "old" question, still unanswered, for example:

"our webvpn portal is deployed in a DMZ scenario, so the webvpn ASA's interface has a private address behind another firewalling gateway; we noticed that a portion of our users do access the portal from within the corporate's network, let's say from 10.0.0.0/8 ip space instead of the "outside" (the whole internet).

We would create something like a DAP which intercepts the situation (useraname: any authenticated, source ip address: from 10.0.0.0/8) and apply a message or another action to the logged user: is this possible?"

Thank you in advance.
Flavio

Mohammad,What is your opinion

laurabolda — Wed, 29 Apr 2015 16:53:27 GMT

Mohammad,

What is your opinion about setting up SSO (single sign-on) for Cisco AnyConnect? Have you run into any issues with the VPN using SSO? We have ASA 5510 and RADIUS server. Does SSO also work on Cisco VPN client? Thanks.

Hi Flavio ,Thanks for posting

Mohammad Alhyari — Thu, 30 Apr 2015 14:39:19 GMT

Hi Flavio ,

Thanks for posting your question here . Please have a look at the following :

1- There are no restrictions on ASA versions for the Plus/Apex licenses. Any ASA capable of supporting AnyConnect will support the new license model..

2- For your question about the filtering based on the source ip address . Currently this can't be done with DAP and we have the following product enhancement request for this :

CSCsl52329 Choose TG/DAP based upon source IP subnet & other endpoint conditions

As a workaround you can try one of the following :

a) configure a control plane access list to drop the traffic based on the source address . for more information please see this for the control plane option :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/a1.html#wp1558738

b) if you are using Radius you can use the calling station ID attribute .

I hope you you will find this helpful.

Cheers.

Hi Laura ,SSO works with

Mohammad Alhyari — Thu, 30 Apr 2015 14:48:57 GMT

Hi Laura ,

SSO works with clientless webvpn (ssl portal), it is is not available for the anyconnect client . The produce Enhancement request for this :

CSCti8145 Implement SSO (Single Signon) with the AnyConnect client

Cheers .

Mohammad,We are setting up

laurabolda — Thu, 30 Apr 2015 17:42:25 GMT

Mohammad,

We are setting up the cold site for DR (Disaster Recovery). Would you recommend clientless VPN for DR?

Thanks.

Hi Laura.Clientless vpn

Mohammad Alhyari — Thu, 30 Apr 2015 19:52:27 GMT

Hi Laura.

Clientless vpn provides the access to internal web based applications through the ssl tunnel that is built between the user browser and the ASA so it requires no client to be installed on the machine. it also supports SSO for those internal resources. It can be used to provide access to the following as an example :

http/https websites .

OWA access

Citrix environments .

File access such as CIFS

Here is a good document that explains the detail :

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70475-webvpnasa.html

On the other hand anyconnect provides a full IP tunnel. So it provides full connectivity with the inside resources .

Based on that and with respect to your requirements you can decide which one is needed .

HTH .

Czesc,simply question

marcin_nieweglowski — Thu, 30 Apr 2015 20:31:28 GMT

Czesc,

simply question Mohammad - when we have to use AnyConnect client and when VPN Client 5.x for

IPSec VPN with MS LDAP authentication (except situation when we have GPRS/LTE modem on USB) ?

Thanks and regards,

Marcin

Dear Mr Mohammad Alhyari,I

Ronald RiemVis — Fri, 01 May 2015 11:59:19 GMT

Dear Mr Mohammad Alhyari,

I have installed the Cisco mobility client 3.1.01065 in a win 7 (x64) system and try to connect to a SRP527 router.

When enter the WAN IP address from the SRP I get: could not connect to server.

With my XP computer where version 5 is installed all is working fine and the VPN is activated. How do I get the things running with the Win 7 system?

Hi Marcin ,Thanks for the

Mohammad Alhyari — Fri, 01 May 2015 13:55:44 GMT

Hi Marcin ,

Thanks for the sharing your question here . First i would like to mention that the ipsec client is EOL :

http://www.cisco.com/c/en/us/products/collateral/security/vpn-client/end_of_life_c51-680819.html

Anyconnect provide full tunnel using TLS, DTLS and IPSEC (with IKEv2 integration) and all the new features are integrated into the cisco anyconnect client so we recommend to migrate from the legacy ipsec client to the cisco anyconnect solution . Anyconnect doesn't have the limitations ipsec client has .

For example :

1- End point assessment features (hostscan , prelogin check .... )

2- More control on the client machine (Trusted network detection and always on).

3- IKEv2 support .

4- optimal gateway selection .

This is just an example 🙂

one big difference was that the legacy client provided ipsec tunnel functionality which has been added to anyconnect when we started supporting ikev2 .

I encourage you to go through the following :

http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/qa_c67-712937.html?cachemode=refresh

http://www.cisco.com/c/en/us/solutions/enterprise-networks/anyconnect-secure-mobility-solution/index.html

Please feel free to post any concerns related to this .

regards.

Mohammad.

Hi Ronald,It might be a

Mohammad Alhyari — Fri, 01 May 2015 13:59:01 GMT

Hi Ronald,

It might be a connectivity issue from your machine to the router on TCP port 443 . can you telnet from the machine to the Router on that port ? If you use your Browser, Do you see a response for https://WAN-ADDRESS ?

Please show me your configuration if possible .

Cheers.

Ronald,Your XP computer with

Marvin Rhoads — Fri, 01 May 2015 14:33:04 GMT

Ronald,

Your XP computer with version 5 would be version 5 of the Cisco IPsec (IKEv1) VPN client.

AnyConnect Secure Mobility Client is a client primarily for SSL VPN (although it also works with the newer and less common IPsec IKEv2).

The router would need to have a configuration change to additionally support AnyConnect-based clients.

Thanks Marvin for your

Mohammad Alhyari — Fri, 01 May 2015 15:54:02 GMT

Thanks Marvin for your comments. And Ronald if you have not configured your router for anyconnect then here is a good example to start with :

http://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/110608-ssl-ios-00.html

As Marvin mentioned these are two different client and you have to setup your router for anyconnect.

I have a ASA5505. I am

dkajohn123 — Fri, 01 May 2015 19:17:43 GMT

I have a ASA5505. I am failing on my PCI compliancy tests because my device only supports TLSv1.0. I needs to support TLSv1.1 or 1.2 Does anyone know how I can fix this? Is there a software upgrade?

Hi ,Thanks a lot for sharing

Mohammad Alhyari — Sat, 02 May 2015 00:10:57 GMT

Hi ,

Thanks a lot for sharing the question here . Unfortunately TLS1.1 and TLS1.2 are not available for the legacy ASA models listed below :

5505
5510
5520
5540
5550

it is available on the ASA next generation firewalls 5500-X starting with the software version 9.3.2:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/release/notes/asarn93.html

"We now support TLS version 1.2 for secure message transmission for ASDM, Clientless SSVPN, and AnyConnect VPN."

Cheers.

Thanks Marvin,The SRP500

Ronald RiemVis — Sat, 02 May 2015 05:06:25 GMT

Thanks Marvin,

The SRP500 series is out of service but loaded with the latest firmware.

I only have the choice for a group + password and users + password.

Is there no way to make a configuration file which I can use on the client side to connect to that router?

Hi Mohammad,I can telnet to

Ronald RiemVis — Sat, 02 May 2015 05:10:54 GMT

Hi Mohammad,

I can telnet to that port from remote but will see no answer, port 443 is accepted

What would be the sequence from the client side to make the connection possible based on user group and single user?

The client will make his own script after a success full connection?

I can send pictures from the GUI interface, I have no configuration files to show you

I have a Cisco 2851

matthew wolf — Sat, 02 May 2015 10:22:12 GMT

I have a Cisco 2851 Adventerprise-k9 with the latest cisco anyconnect pkg installed on the router. I am able to get everything to work fine as far as connecting to my private network but I would like to change the self signed cert for one that was purchased from a third party that I would like to insert into the router to make the untrusted servers pop ups go away. Can you provide me with any insight on how to install those 4 certs they provided me with as to how to get them on the router.

Thanks,

Matthew

Hi Mathew ,For Certificates

Mohammad Alhyari — Sat, 02 May 2015 15:38:30 GMT

Hi Mathew ,

For Certificates you have two types :

identity certificate : A certificate that is issued to the device .

CA/Sub-CA certificates: A certificate authority that signs certificate for end points .

Since that you mentioned you have 4 certificates then i'm assuming that you have a chain of certificates . Now to install the certificates let us look at this example :

Root-CA-----Sub-CA1-----Sub-CA2---identity .

On cisco Routers and ASAs the certificate is installed in a containter that is called Trustpoint ,one trustpoint contains an identity certificate and another CA certificate Please see the following for the steps to install certificates :

1-if the CSR was generated on the router itself then :

a) authenticate the trustpoint (install the CA certificate) :

crypto pki authenticate <trustpoint name>

<<paste the CA certificate encoded using Base64 PEM>>

b)Import the identity certificate :

crypto pki import <trustpoint name> certificates

2- if the CSR was generated externally then most probably they provided you with a p12/pfx file . and in this case you need to use this command :

cry pki import trustpoint-name pkcs12 terminal pass

you dont need to create the trustpoints, the router will do it automatically .

Finally, you need to configure the ssl gateway to user that trustpoint :

ssl trustpoint

Moh

Hi Ronald .Thanks for the

Mohammad Alhyari — Sat, 02 May 2015 16:35:05 GMT

Hi Ronald .

Thanks for the reply . Nothing is needed from the client side other than installing the anyconnect secure mobility client . And for anyconnect there is no group password as in the ipsec client .

On the router you need to configure it for anyconnect .The most important point is to make sure the hardware you are using supports anyconnect .Here is the datasheet for ssl vpn:

http://www.cisco.com/c/en/us/products/collateral/security/ios-sslvpn/product_data_sheet0900aecd80405e25.htmlRegards.

As you can see the SPR500 series is not included there .

Thanks again for your participation.