ciscomoderator
Community Manager

Community Ask Me Anything - Secure Remote Workers

You can ask your question in your own language:

Español  Português Français Русский  日本語 简体中文

Here’s your chance to discuss Cisco Secure Remote Working technologies such as AnyConnect, ASA, FTD, Duo, and Umbrella. In this session, the experts will answer questions about emergency licenses, design, configuration, and troubleshooting. Our experts span more than 12 time zones. Also, we’ll be translating the session into multiple languages to provide you with the best experience possible.

This forum event works well as an introduction for those who are not familiar with these security solutions and/or have recently started using them.

To participate in this event, please use the Join the Discussion: Cisco Ask the Expert button below to ask your questions.

Ask questions from Friday, March 20 to Friday, April 3, 2020

Featured experts

Divya Nair is a Technical Marketing Engineer with the Security Business Group in Raleigh, North Carolina. She has more than 10 years of experience in Cisco network security technologies, including firewalls, IPS, VPN, and AAA, and is currently focusing on VPN and firewall management platforms. Divya holds a Bachelor's degree in Computer Science and Engineering.

Jonny Noble leads the Technical Marketing team for Cloud Security at Cisco, with expertise in Cisco Umbrella and surrounding technologies. For more than 20 years, Jonny has obtained experience in customer-facing disciplines for global hi-tech organizations. He also has rich experience in presenting breakout sessions and proctoring labs at Cisco Live events, along with representing Cisco at numerous customer and partner events, trade shows, and exhibitions. Jonny holds degrees in Electronics and Sociology and a Business MBA, and is CISSP certified.

Aditya Ganjoo is a Technical Marketing Engineer in Bangalore, India. He has been working with Cisco for the past seven years in Security domains such as Firewall, VPN, and AAA. Aditya has delivered training on ASA and VPN technologies. He holds a Bachelor's degree in Information Technology. Additionally, he is a CCIE in Security (CCIE#58938). He has been a consistent contributor on the Cisco Support Community and has delivered multiple sessions at Cisco Live.

Due to the anticipated volume for this high-demand event, Divya, Aditya, and Jonny might not be able to answer each question. Thus, remember that you can continue the conversation directly in the Security community.

By posting a question in this event, you're giving permission for it to be translated into all the languages we have in the community.

**Helpful votes encourage participation!**
Please be sure to rate the answers to questions.

JeffFrench3318
Beginner

I have 24-hour Cisco HW replacement support; will a Cisco tech come onsite to do the replacement during the COVID-19 "stay at home" policies that are emerging? Just concerned, if a drive fails etc., that we can get a replacement.

 

Thank you

gregg.discenza1
Beginner

We have two interconnected enclaves, where the outer enclave is using AnyConnect for access from the Internet.

My enclave is behind an ASA-5585-X, and I need to give a very small set of users access to this enclave. My first thought was nesting one AnyConnect session within another session, creating a tunnel-within-a-tunnel, but it appears that isn't working.

If I had the admins of the outer enclave create a NAT that exposed the outside interface of my firewall, could end-users connect to a different IP address and bypass the outer firewall for a VPN session?

Conceptual layout:

Internet ====>>  Outside firewall ====>> Outer enclave ====>> Inside firewall (my ASA) ====>> Inner enclave

I need this:

Internet ========================>> VPN ===================================>> Inner enclave

somehow.

Suggestions?

Thanks,

Gregg

You can create a static NAT for the users to access the resources behind the inside firewall.

Internet ========================>> VPN ===================================>> Inner enclave

Or you can allow the specific inner enclave subnet in the VPN policy and then, to restrict the outside (small set of) users, configure an ingress ACL on the inside FW.

This assumes the AnyConnect VPN is going to terminate on the outside FW, and after that everything would be in cleartext.

HTH,

Aditya

 

Assuming the inner enclave subnet information is published to the outer enclave, which it isn't.

I can't use an IP-based restriction, as some of the users who need access to the inner enclave are within the outer enclave.

Is there any way to use the Windows 10 VPN adapter to connect to the ASA?

Gregg

 

Hi,

Is there an issue in using the outer VPN to terminate all connections and having different tunnel-groups/connection profiles/group-policies for the outer and inner users? The reason I ask is that using the L2TP client will still be tunnel-in-a-tunnel.
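The design suggested in the reply above (one VPN headend with separate connection profiles and group policies for outer and inner users), written out as an added example that is not from the thread or from Cisco. It assumes an ASA with an AnyConnect image and AAA already configured, an outer enclave subnet of 10.10.0.0/16, an inner subnet of 10.20.0.0/16, and the pool, ACL, group-policy and tunnel-group names shown:

```text
! Added example, not from the thread: a single ASA terminates every AnyConnect
! session, and separate connection profiles + group policies keep outer-enclave
! users out of the inner subnet. Assumed: outer 10.10.0.0/16, inner 10.20.0.0/16.
!
! One address pool per population, so the vpn-filter can key on client source IP
ip local pool POOL-OUTER 192.168.100.1-192.168.100.254 mask 255.255.255.0
ip local pool POOL-INNER 192.168.200.1-192.168.200.50 mask 255.255.255.0
!
! vpn-filter ACLs: source = VPN client, destination = protected resource;
! the ASA applies them to both directions and ends with an implicit deny.
access-list VPNF-OUTER extended permit ip 192.168.100.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list VPNF-INNER extended permit ip 192.168.200.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list VPNF-INNER extended permit ip 192.168.200.0 255.255.255.0 10.10.0.0 255.255.0.0
!
group-policy GP-OUTER internal
group-policy GP-OUTER attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VPNF-OUTER
 address-pools value POOL-OUTER
 group-lock value TG-OUTER
!
group-policy GP-INNER internal
group-policy GP-INNER attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VPNF-INNER
 address-pools value POOL-INNER
 group-lock value TG-INNER
!
! Two connection profiles; the alias is what users see in the AnyConnect drop-down.
! The alias is a label, not authorization: assign each user's group policy from
! AAA (LDAP/RADIUS attribute mapping) for both populations, so group-lock rejects
! anyone whose assigned policy does not match the profile they picked.
tunnel-group TG-OUTER type remote-access
tunnel-group TG-OUTER general-attributes
 default-group-policy GP-OUTER
tunnel-group TG-OUTER webvpn-attributes
 group-alias Outer-Enclave enable
!
tunnel-group TG-INNER type remote-access
tunnel-group TG-INNER general-attributes
 default-group-policy GP-INNER
tunnel-group TG-INNER webvpn-attributes
 group-alias Inner-Enclave enable
!
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

The vpn-filter on the headend is what keeps outer users away from the inner subnet even though both populations share one outside interface; the ingress ACL on the inner ASA mentioned earlier remains a useful second layer.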

Monica Lluis
Community Manager

Here is an excellent reference for AnyConnect https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215331-anyconnect-implementation-and-performanc.html
I hope you and your loved ones are safe and healthy.
Monica Lluis
Community Manager Lead

Hi Monica,

Thank you for sharing that important document.

Our global VPN experts recently delivered a podcast focused on RAVPN and how to optimize AnyConnect performance. The show notes include links to the document you referenced and more:

https://community.cisco.com/t5/security-documents/episode-57-maximizing-anyconnect-performance-during-the-covid-19/ta-p/4053676

Bill

Marvin Rhoads
Hall of Fame Guru

In the case where we are using no-split-tunnel or tunnel-all-DNS for our remote access VPN and combining those features with Umbrella, we have an issue for unmanaged endpoints hitting the Umbrella block page for https sites and getting the certificate error. Given that https is used for 80% (or more) of all web traffic this is increasingly a problem.

For managed endpoints this is not much of a problem as we can push the certificate into local certificate stores via GPO (or other EMM software) as described in the Umbrella documentation:

https://docs.umbrella.com/deployment-umbrella/docs/install-cisco-umbrella-root-certificate

For unmanaged endpoints, telling end users to download and trust the Umbrella certificate is unwieldy. Is there any best practice we can adopt in order to avoid having to do this?

Hello Marvin. In the case of unmanaged devices, the best practice is to split them into a different network (or identity in the Umbrella dashboard) and apply a separate policy to them.

In that separate policy you should not enable the intelligent proxy (no file inspection and hence no HTTPS decryption), and by keeping all security enforcement only at the DNS layer you will not encounter these issues.

While I understand that this split of traffic is easier when on a corporate network (i.e. guest traffic or unmanaged devices go via separate vlans or separate SSIDs), in your case right now it sounds like you're referring to remote workers who are connecting to VPN and this is the same connection type for managed and unmanaged devices.

In this case you would need to disable the file inspection in all Umbrella policies that cover identities where unmanaged devices are going to be included.

Thanks @jonnoble - I was afraid that would be the answer. Good to have it confirmed though.

jefreyoropesa
Beginner

Hi,

When I want to configure the router from CCP, I get an error:

'Security component has failed. Inorder to work on Router or Security features, do the following. Goto Java Control panel -> Advanced tab -> Java Plug-in tree Entry. Uncheck the check box for Enable next-generation Java Plug-in. Relaunch CiscoCP after this.'

I was trying to uncheck the NGN Java plug-in but cannot find the plug-in option in the Advanced tab. Could you please help?

 

I would request you to try posting this in the Network Management section to get a better response:

https://community.cisco.com/t5/network-management/bd-p/5931-discussions-network-management

Regards,

Aditya
tjjackson
Beginner

I have found and been pointed to step by step for split but I don't want split. Can anyone point me to NOT split tunnel step by step?

Hi,

Could you please elaborate on the requirement?

Do you want to disable the split tunnel? If yes, then you can use the TunnelAll option.

Please share the config if possible, and what is the use case?

If you use tunnel all, how does that change affect the NAT statement? I basically had everything working with the split tunnel. When I change to tunnel all, internet access is lost.
Thank you.
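For the tunnel-all question above, an added example (not from the thread or from Cisco's own documentation) of what changes on an ASA running 8.3+ NAT syntax when a group policy moves from split tunnel to `split-tunnel-policy tunnelall`. The group-policy, object, pool and ACL names and the subnets are assumed:

```text
! Added example, not from the thread. Assumed names and subnets throughout.
!
! Before: split tunnel. Only INSIDE-NET rides the VPN; the client sends its
! Internet traffic directly, so the ASA never has to NAT it.
access-list SPLIT-ACL standard permit 10.10.0.0 255.255.0.0
group-policy GP-RA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
!
! After: tunnel-all. Every packet from the client, Internet-bound included,
! now arrives on "outside" and must be sent back out of "outside".
group-policy GP-RA attributes
 split-tunnel-policy tunnelall
!
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0
object network INSIDE-NET
 subnet 10.10.0.0 255.255.0.0
!
! 1) Keep the identity (NAT-exempt) rule for client <-> inside traffic; it is
!    the same rule the split-tunnel setup already needed.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! 2) Permit traffic to enter and leave the same interface (hairpin / u-turn).
same-security-traffic permit intra-interface
!
! 3) PAT the VPN pool behind the outside interface for Internet-bound flows.
!    Without 2) and 3), clients lose Internet access as soon as tunnelall is on,
!    because the ASA drops the u-turned traffic or sends it with an unroutable
!    pool source address.
nat (outside,outside) source dynamic VPN-POOL interface
```

With tunnel-all in place the headend also sees and can inspect the clients' Internet traffic, which is the security reason many sites prefer it over split tunnel; DNS for the clients must then be reachable through the tunnel as well.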