03-20-2020 10:10 PM - last edited on 03-24-2020 10:06 AM by Monica Lluis
You can ask your question in your own language:
Español | Português | Français | Русский | 日本語 | 简体中文 |
Here’s your chance to discuss Cisco Secure Remote Working technologies such as AnyConnect, ASA, FTD, Duo, and Umbrella. In this session, the experts will answer questions about emergency licenses, design, configuration, and troubleshooting. Our experts span more than 12 time zones. Also, we’ll be translating the session into multiple languages to provide you with the best experience possible.
This forum event works well as an introduction for those who are not familiar with these security solutions and/or have recently started using them.
To participate in this event, please use the button below to ask your questions
Ask questions from Friday, March 20 to Friday, April 3, 2020
Divya Nair is a Technical Marketing Engineer with the Security Business Group in Raleigh, North Carolina. She has more than 10 years of experience in Cisco network security technologies, including firewalls, IPS, VPN, and AAA; and is currently focusing on VPN and firewall management platforms. Divya holds a Bachelor's degree in Computer Science and Engineering.
**Helpful votes encourage participation!**
Please be sure to rate the Answers to Questions
03-25-2020 03:35 PM
I have 24-hour Cisco HW replacement support. Will a Cisco tech come onsite to do the replacement during the COVID-19 "stay at home" policies that are emerging? Just concerned that if a drive fails, etc., we can get a replacement.
Thank you
03-26-2020 05:51 AM
We have two interconnected enclaves, where the outer enclave is using AnyConnect for access from the Internet.
My enclave is behind an ASA-5585-X, and I need to give a very small set of users access to this enclave. My first thought was nesting one AnyConnect session within another session, creating a tunnel-within-a-tunnel, but it appears that isn't working.
If I had the admins of the outer enclave create a NAT that exposed the outside interface of my firewall, could end-users connect to a different IP address and bypass the outer firewall for a VPN session?
Conceptual layout
Internet ====>> Outside firewall ====>> Outer enclave ====>> Inside firewall (my ASA) ====>> Inner enclave
I need this:
Internet ========================>> VPN ===================================>>Inner enclave
somehow.
Suggestions?
Thanks,
Gregg
03-26-2020 06:56 AM
You can create a Static NAT for the users to access the resources behind the inside Firewall.
Internet ========================>> VPN ===================================>>Inner enclave
Or you can allow the specific Inner enclave subnet on the VPN policy and then, to restrict the outside (small set of) users, configure an ingress ACL on the Inside FW.
This assumes the AnyConnect VPN is going to terminate on the outside FW, and after that everything would be in cleartext.
HTH,
Aditya
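As an added illustration of the static NAT option suggested above (example configuration, not from the thread): the outer ASA publishes the inner ASA's outside interface on a public address and its ingress ACL admits only the AnyConnect transports (TCP 443 and DTLS UDP 443) to that address, so the inner enclave's VPN is reachable without exposing anything else. Interface nameifs, object names and all addresses are constructed.

```cisco
! Outer ASA: network object for the inner ASA's outside interface, which sits
! in the outer enclave, with a static NAT to a public address (constructed)
object network INNER-ASA-OUTSIDE
 host 10.20.0.2
 nat (outer-enclave,outside) static 203.0.113.10
!
! Ingress ACL on the outer ASA's outside interface. Post-8.3 ASA ACLs match
! the real (un-NATed) address, hence the object reference. Only the two
! AnyConnect transports are permitted; everything else is denied and logged.
access-list OUTSIDE-IN extended permit tcp any object INNER-ASA-OUTSIDE eq 443
access-list OUTSIDE-IN extended permit udp any object INNER-ASA-OUTSIDE eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

Because the AnyConnect session then terminates on the inner ASA, the inner enclave's user set is restricted by that ASA's own tunnel-group and group-policy rather than by source IP.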
03-26-2020 07:45 AM
Assuming the inner enclave subnet information is published to the outer enclave, which it isn't.
I can't use an IP-based restriction, as some of the users who need access to the inner enclave are within the outer enclave.
Is there any way to use the Windows 10 VPN adapter to connect to the ASA?
Gregg
03-26-2020 08:32 AM
Hi,
Is there an issue in using the outer VPN to terminate all connections and have different tunnel-groups/connection profile/group-policy for the outer and inner users? The reason I ask is because using the L2TP client will still be tunnel-in-a-tunnel.
03-27-2020 10:39 AM
03-27-2020 12:10 PM
Hi Monica,
Thank you for sharing that important document.
Our global VPN experts recently delivered a podcast focused on RAVPN and how to optimize AnyConnect performance. The show notes include links to the document you referenced and more:
Bill
03-27-2020 11:03 PM - edited 03-27-2020 11:04 PM
In the case where we are using no-split-tunnel or tunnel-all-DNS for our remote access VPN and combining those features with Umbrella, we have an issue for unmanaged endpoints hitting the Umbrella block page for HTTPS sites and getting the certificate error. Given that HTTPS is used for 80% (or more) of all web traffic, this is increasingly a problem.
For managed endpoints this is not much of a problem as we can push the certificate into local certificate stores via GPO (or other EMM software) as described in the Umbrella documentation:
https://docs.umbrella.com/deployment-umbrella/docs/install-cisco-umbrella-root-certificate
For unmanaged endpoints, telling end users to download and trust the Umbrella certificate is unwieldy. Is there any best practice we can adopt in order to avoid having to do this?
03-28-2020 09:15 AM
Hello Marvin. In case of unmanaged devices, the best practice is to split them into a different network (or identity in Umbrella dashboard) and apply a separate policy to them.
In that separate policy you should not enable the intelligent proxy (no file inspection and hence no HTTPS decryption), and by keeping all security enforcement only at the DNS layer you will not encounter these issues.
While I understand that this split of traffic is easier when on a corporate network (i.e. guest traffic or unmanaged devices go via separate vlans or separate SSIDs), in your case right now it sounds like you're referring to remote workers who are connecting to VPN and this is the same connection type for managed and unmanaged devices.
In this case you would need to disable the file inspection in all Umbrella policies that cover identities where unmanaged devices are going to be included.
03-29-2020 03:55 AM
Thanks @jonnoble - I was afraid that would be the answer. Good to have it confirmed though.
03-30-2020 08:52 PM
Hi,
When I try to configure a router from CCP, I get an error:
'Security component has failed. Inorder to work on Router or Security features, do the following. Goto Java Control panel -> Advanced tab -> Java Plug-in tree Entry. Uncheck the check box for Enable next-generation Java Plug-in. Relaunch CiscoCP after this.'
I was trying to uncheck the NGN Java plug-in but cannot find the plug-in option in the Advanced tab. Could you please help?
03-30-2020 11:40 PM
03-31-2020 02:31 PM
I have found, and been pointed to, step-by-step guides for split tunneling, but I don't want split tunneling. Can anyone point me to a step-by-step guide for NOT split tunneling?
03-31-2020 10:10 PM
Hi,
Could you please elaborate on the requirement?
Do you want to disable the Split tunnel? If yes, then you can use TunnelAll option.
Please share the config if possible and what is the use case?
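An added ASA configuration example (not from the thread) of the TunnelAll setting mentioned above: a group policy with split tunneling off, the connection profile that applies it, and the hairpin and NAT statements that Internet-bound client traffic needs once it all arrives through the tunnel. Pool, object, policy and DNS values are constructed, and it assumes AnyConnect is already enabled on the outside interface.

```cisco
! Address pool handed to AnyConnect clients (constructed values)
ip local pool RA-POOL 192.168.50.10-192.168.50.250 mask 255.255.255.0
!
! Group policy with split tunneling OFF: every packet, and every DNS
! query, goes through the tunnel
group-policy GP-TUNNELALL internal
group-policy GP-TUNNELALL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-all-dns enable
 dns-server value 10.10.0.53
!
! Connection profile that applies the policy
tunnel-group RA-TUNNELALL type remote-access
tunnel-group RA-TUNNELALL general-attributes
 address-pool RA-POOL
 default-group-policy GP-TUNNELALL
tunnel-group RA-TUNNELALL webvpn-attributes
 group-alias TunnelAll enable
!
! Internet-bound client traffic now enters and leaves on the same
! interface, so allow hairpinning and NAT the pool behind the outside address
same-security-traffic permit intra-interface
object network RA-POOL-NET
 subnet 192.168.50.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
! For comparison, the split-tunnel form this replaces would read:
!  split-tunnel-policy tunnelspecified
!  split-tunnel-network-list value SPLIT-ACL
```

With tunnelall in place, every client flow is subject to the ASA's outbound inspection and any Umbrella enforcement applied to the VPN identity, which is the point of disabling split tunneling.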
04-01-2020 01:07 AM