Cisco Employee

Re: Community Ask Me Anything - Secure Remote Working

Hi,

Can you share the output of show run group-policy <policy-name>?

Regards,

Aditya

Participant

Re: Community Ask Me Anything - Secure Remote Working

Hi,

Here is my sh run group-policy:

1)
group-policy it-test internal
group-policy it-test attributes
 dns-server value 192.168.1.100
 vpn-idle-timeout 20
 vpn-tunnel-protocol ikev1 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value it-test-acl
 default-domain value test.local
 address-pools value it-test-pool

2)
group-policy it-test2 internal
group-policy it-test2 attributes
 wins-server none
 dns-server value 192.168.1.100
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value it-test2-acl
 default-domain value test.local
 split-dns value test.local test.com
 split-tunnel-all-dns disable
 address-pools value it-test2-Pool

Tried the below also, after removing "split-tunnel-all-dns disable", but it did not help.

3)
group-policy it-test2 internal
group-policy it-test2 attributes
 wins-server none
 dns-server value 192.168.1.100
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value it-test2-acl
 default-domain value test.local
 split-dns value test.local test.com
 split-tunnel-all-dns disable
 address-pools value it-test2-Pool

Thanks

 

 

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Working

Hi,

Please disable/remove the tunnel-all split-DNS config and keep the split-dns values; also ensure that the DNS server IP is part of the split-tunnel ACL.

To confirm whether the DNS lookups are going through AnyConnect, you can use Wireshark: start a capture on the machine and check which adapter the DNS requests go out on.

Please share the output of ipconfig /all from the test machine, and the captures if possible.

Regards,

Aditya
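The two checks Aditya asks for above (no "tunnel-all" DNS setting overriding split-dns, and the DNS server covered by the split-include ACL) can be scripted against the `show run group-policy` text from the thread. The following is an added example, not code from the original post or from Cisco; the ACL body, the second host entry 10.20.30.53 and the function names are assumptions, since the post never shows it-test2-acl itself.

```python
import ipaddress

# Constructed sample input: the "it-test2" group-policy as posted in the thread,
# plus an assumed definition of it-test2-acl (the post never shows the ACL itself).
SAMPLE_GROUP_POLICY = """\
group-policy it-test2 internal
group-policy it-test2 attributes
 wins-server none
 dns-server value 192.168.1.100
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value it-test2-acl
 default-domain value test.local
 split-dns value test.local test.com
 split-tunnel-all-dns disable
 address-pools value it-test2-Pool
"""

SAMPLE_ACL = """\
access-list it-test2-acl standard permit 192.168.1.0 255.255.255.0
access-list it-test2-acl standard permit host 10.20.30.53
"""


def parse_group_policy(text):
    """Turn 'show run group-policy' attribute lines into {attribute: [values]}."""
    attrs = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "group-policy":
            continue  # skip the two 'group-policy <name> ...' header lines
        key, rest = tokens[0], tokens[1:]
        if rest and rest[0] == "value":
            rest = rest[1:]  # 'dns-server value X' -> ['X']
        attrs[key] = rest
    return attrs


def parse_standard_acl(text, name):
    """Collect the permit entries of a standard ACL as ip_network objects."""
    nets = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:4] != ["access-list", name, "standard", "permit"]:
            continue
        if tokens[4] == "host":
            nets.append(ipaddress.ip_network(tokens[5]))
        elif tokens[4] in ("any", "any4"):
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:  # 'permit <network> <mask>'
            nets.append(ipaddress.ip_network(f"{tokens[4]}/{tokens[5]}", strict=False))
    return nets


def check_split_dns(attrs, acl_text):
    """Return a list of findings; an empty list means the split-DNS setup is consistent."""
    findings = []
    if attrs.get("split-tunnel-policy") != ["tunnelspecified"]:
        findings.append("split-dns only applies with split-tunnel-policy tunnelspecified")
        return findings
    if attrs.get("split-tunnel-all-dns", ["disable"]) == ["enable"] and attrs.get("split-dns"):
        findings.append("split-tunnel-all-dns enable sends all DNS through the tunnel and "
                        "overrides split-dns; disable or remove it")
    acl_name = attrs.get("split-tunnel-network-list", [None])[0]
    nets = parse_standard_acl(acl_text, acl_name) if acl_name else []
    if not nets:
        findings.append(f"split-include ACL {acl_name!r} is missing or empty")
    for server in attrs.get("dns-server", []):
        ip = ipaddress.ip_address(server)
        if not any(ip in n for n in nets):
            findings.append(f"DNS server {server} is not covered by {acl_name}; clients older "
                            "than AnyConnect 4.2 will not reach it through the tunnel")
    return findings


if __name__ == "__main__":
    gp = parse_group_policy(SAMPLE_GROUP_POLICY)
    print(check_split_dns(gp, SAMPLE_ACL) or "split-DNS configuration looks consistent")
```

Run it against the real `show run group-policy <name>` and `show run access-list <name>` output pasted into the two strings; a non-empty result names the exact attribute to change.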
Participant

Re: Community Ask Me Anything - Secure Remote Working

Hi @Aditya Ganjoo 

> Please disable/remove the tunnel-all split dns config and keep the split-dns values, also ensure that the DNS servers (IP) is a part of the split tunnel ACL.

Disabled, and the full subnet (192.168.1.0/24) is part of the split-tunnel ACL.

> To confirm the DNS lookups (if they are going through Anyconnect) you can use Wireshark, start a capture on the machine and check on which adapter the DNS requests go out to.

Yes, it is going through AnyConnect.

> Please share the output of ipconfig /all from the test machine and the captures if possible.

Attached.
Cisco Employee

Re: Community Ask Me Anything - Secure Remote Working

I could see requests reaching DNS server but it returns a server error:

Standard query response, Server failure

You said that it works fine when you are not on AnyConnect.

If possible please share captures for the working one.

Regards,

Aditya
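Aditya's diagnosis above comes from reading two things off the capture: which adapter (source MAC) the query left on, and the RCODE in the reply ("Server failure" is RCODE 2, SERVFAIL). The following added example, not code from the post or from Cisco, decodes both from raw Ethernet/IPv4/UDP/DNS frames so the same triage can be done outside the Wireshark GUI. The three frames are constructed inline: the AnyConnect adapter MAC is assumed to be the full 00:05:9a:3c:7a:00, the client address 10.10.20.5 is an assumed pool address, the next-hop MAC and DNS server are the ones from the thread, and the OUI table is a hand-entered two-entry subset.

```python
import struct
from ipaddress import IPv4Address

# Hand-entered subset of the IEEE OUI registry covering the two addresses the
# thread mentions; anything else reports as unknown (assumed, partial table).
OUI_VENDORS = {
    "00:05:9a": "Cisco Systems (AnyConnect virtual adapter)",
    "00:11:22": "CIMSYS Inc",
}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def vendor(mac):
    return OUI_VENDORS.get(mac[:8], "unknown OUI")


def parse_dns_name(data, offset):
    """Decode an uncompressed name (as found in the question section)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1  # skip the terminating zero label


def parse_dns(payload):
    """Header plus first question; answer records are only counted, not decoded."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    qname, off = parse_dns_name(payload, 12)
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": RCODES.get(flags & 0xF, f"rcode{flags & 0xF}"),
            "qname": qname, "qtype": qtype, "answers": an}


def parse_frame(frame):
    """Ethernet II -> IPv4 -> UDP -> DNS; raises on anything else."""
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    summary = {"dst_mac": dst, "dst_vendor": vendor(dst), "src_mac": src, "src_vendor": vendor(src),
               "src_ip": str(IPv4Address(ip[12:16])), "dst_ip": str(IPv4Address(ip[16:20])),
               "sport": sport, "dport": dport}
    summary.update(parse_dns(udp[8:]))
    return summary


def failed_lookups(frames):
    """(qname, rcode, responding server) for every response whose RCODE is not NOERROR."""
    out = []
    for f in frames:
        s = parse_frame(f)
        if s["is_response"] and s["rcode"] != "NOERROR":
            out.append((s["qname"], s["rcode"], s["src_ip"]))
    return out


# --- constructed sample frames (IP/UDP checksums left zero; irrelevant for parsing) ---
def _dns(txid, qname, response, rcode=0, answer_ip=None):
    flags = (0x8180 | rcode) if response else 0x0100  # QR|RD|RA+rcode, or plain RD
    an = 1 if (response and answer_ip) else 0
    msg = struct.pack("!6H", txid, flags, 1, an, 0, 0)
    for label in qname.split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if an:  # one A record pointing back at the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + IPv4Address(answer_ip).packed
    return msg


def _frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + udp


AC_MAC, NEXT_HOP_MAC = "00:05:9a:3c:7a:00", "00:11:22:33:44:55"  # from the thread (AC MAC assumed complete)
CLIENT_IP, DNS_IP = "10.10.20.5", "192.168.1.100"                 # client IP is an assumed pool address
QUERY_FRAME = _frame(NEXT_HOP_MAC, AC_MAC, CLIENT_IP, DNS_IP, 51000, 53, _dns(0xBEEF, "test.com", False))
SERVFAIL_FRAME = _frame(AC_MAC, NEXT_HOP_MAC, DNS_IP, CLIENT_IP, 53, 51000, _dns(0xBEEF, "test.com", True, rcode=2))
OK_FRAME = _frame(AC_MAC, NEXT_HOP_MAC, DNS_IP, CLIENT_IP, 53, 51001,
                  _dns(0xBEF0, "test.local", True, answer_ip="192.168.1.10"))

if __name__ == "__main__":
    for f in (QUERY_FRAME, SERVFAIL_FRAME, OK_FRAME):
        print(parse_frame(f))
    print("failed:", failed_lookups([QUERY_FRAME, SERVFAIL_FRAME, OK_FRAME]))
```

A SERVFAIL here means the query did reach 192.168.1.100 over the tunnel and the server itself declined to answer, which is why the next step in the thread is a capture from the working (on-LAN) case rather than more ASA changes.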
Participant

Re: Community Ask Me Anything - Secure Remote Working

Hi @Aditya Ganjoo 

Thanks for the reply.

What I mean by "it is working": when I am on AnyConnect, if I remove "split-dns value test.com", it goes to the public DNS (ISP) through the physical adapter and public IP address.

And the internal DNS server works from our local LAN (I can share the packet capture soon).

Also, can you tell me why the AnyConnect MAC address is shown as 00:11:22:33:44:55?

(attachment: mac.JPG)

Thanks

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Working

The MAC address is for the Destination IP, your next hop.

MAC address for AC is 0-05-9A-3C-7A-00.

"AnyConnect driver does not interfere with the native DNS resolver. Therefore, DNS resolution is performed based on the order of network adapters where AnyConnect is always the preferred adapter when VPN is connected. Moreover, a DNS query is first sent via the tunnel and if it does not get resolved, the resolver attempts to resolve it via public interface. The split-include access-list includes the subnet which covers the Tunnel DNS server(s). To start with AnyConnect 4.2, host routes for the Tunnel DNS server(s) are automatically added as split-include networks (secure routes) by the AnyConnect client, and therefore the split-include access-list no longer requires explicit addition of the tunnel DNS server subnet."

I think this is happening in your case.

Regards,

Aditya

Participant

Re: Community Ask Me Anything - Secure Remote Working

Hi @Aditya Ganjoo 

Thanks for the reply.

I have removed the subnet from the ACL, but it is giving the same issue.

From the Wireshark capture analysis, the DNS query is getting an error response?

When you say "The MAC address is for the Destination IP, your next hop."

Could it be the ASA firewall interface?

Thanks

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Working

That needs to be checked; I don't think it's the ASA's MAC address. I looked up the MAC address and it seems to be a CIMSYS Inc. based device.

Regards,

Aditya

Hall of Fame Guru

Re: Community Ask Me Anything - Secure Remote Workers

Hello all, I have several questions:

1. Am I correct in understanding that webvpn customization (i.e. the webvpn home page) and AnyConnect customization (messages, languages etc.) are not currently supported when using Firepower Threat Defense (FTD) device as the headend? (either FMC-managed or FDM/CDO-managed)

2. Basic posture checking like we are able to do with ASA and DAP/Hostscan is not currently an option with FTD alone (i.e. we must refer to an external solution like ISE) - correct?

3. For DAP/Hostscan with ASA, does it require AnyConnect Premium and is it supported on ASAv platform models?

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

Hi Marvin,

 

1. That is correct. Clientless WebVPN and AnyConnect customization are not supported today on FTD.
2. You will need to use ISE Posture for client posture assessment today on FTD.
3. ASA with DAP requires the Apex license (previously the Premium license) and is supported on ASAv models.
Hall of Fame Guru

Re: Community Ask Me Anything - Secure Remote Workers

Thanks Divya,

One followup - a couple of us have tried getting DAP going on ASAv and ran into problems. Please see this thread:

https://community.cisco.com/t5/vpn/asa-virtual-unable-to-activate-hostscan/td-p/4044100

Is that something you can answer here or should we open a TAC case?

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

Updated on the post you mentioned too.

Hall of Fame Guru

Re: Community Ask Me Anything - Secure Remote Workers

Thanks @Divya Nair and @Aditya Ganjoo !

 

To fill in readers here, bumping the memory to run the ASAv as an ASAv10 (vs. ASAv5) model fixes the inability to add in hostscan which is necessary to use DAP.