Beginner

Re: Community Ask Me Anything - Secure Remote Workers

I have 24-hour Cisco HW replacement support. Will a Cisco tech come onsite to do the replacement during the COVID-19 "stay at home" policies that are emerging? Just concerned that if a drive fails, etc., we can get a replacement.

Thank you


Re: Community Ask Me Anything - Secure Remote Workers

We have two interconnected enclaves, where the outer enclave is using AnyConnect for access from the Internet.

 

My enclave is behind an ASA-5585-X, and I need to give a very small set of users access to this enclave. My first thought was nesting one AnyConnect session within another session, creating a tunnel-within-a-tunnel, but it appears that isn't working.

 

If I had the admins of the outer enclave create a NAT that exposed the outside interface of my firewall, could end-users connect to a different IP address and bypass the outer firewall for a VPN session?

 

Conceptual layout

 

Internet ====>>  Outside firewall ====>> Outer enclave ====>> Inside firewall (my ASA) ====>> Inner enclave

 

I need this:

 

Internet ========================>> VPN ===================================>>Inner enclave

 

somehow.

 

Suggestions?

 

Thanks,

 

Gregg

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

You can create a Static NAT for the users to access the resources behind the inside Firewall.

 

Internet ========================>> VPN ===================================>>Inner enclave

 

Or you can allow the specific inner enclave subnet on the VPN policy and then, to restrict the outside access to the small set of users, configure an ingress ACL on the inside FW.

This assumes the AnyConnect VPN is going to terminate on the outside FW, and after that everything would be in cleartext.

 

HTH,

Aditya

 


Re: Community Ask Me Anything - Secure Remote Workers

Assuming the inner enclave subnet information is published to the outer enclave, which it isn't.

I can't use an IP-based restriction, as some of the users who need access to the inner enclave are within the outer enclave.

Is there any way to use the Windows 10 VPN adapter to connect to the ASA?

 

Gregg

 

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

Hi,

 

Is there an issue in using the outer VPN to terminate all connections and have different tunnel-groups/connection profile/group-policy for the outer and inner users? The reason I ask is because using the L2TP client will still be tunnel-in-a-tunnel.
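An added example of the design the two replies above describe (illustration only, not configuration from any of the posters): the outer ASA terminates all AnyConnect sessions but uses two connection profiles with separate address pools, and the inner ASA admits only the dedicated pool through an ingress ACL. Every name, the aaa-server group LDAP-SRV and all addresses are constructed for this example; the per-user group-policy assignment is assumed to come from the AAA server.

```cisco
! --- Outer ASA (AnyConnect headend) ---
! Constructed addresses: general pool 10.20.0.0/24, inner-access pool 10.20.1.0/28,
! inner enclave 172.16.50.0/24 behind the inner ASA.
ip local pool GENERAL-POOL 10.20.0.1-10.20.0.254 mask 255.255.255.0
ip local pool INNER-POOL 10.20.1.1-10.20.1.14 mask 255.255.255.240

! Group policy for the few users allowed to reach the inner enclave
group-policy GP-INNER internal
group-policy GP-INNER attributes
 vpn-tunnel-protocol ssl-client
 address-pools value INNER-POOL
 split-tunnel-policy tunnelall
 group-lock value RA-INNER

! Group policy for everyone else; group-lock rejects a GP-GENERAL user
! who connects through the RA-INNER profile (assumes AAA assigns the policy)
group-policy GP-GENERAL internal
group-policy GP-GENERAL attributes
 vpn-tunnel-protocol ssl-client
 address-pools value GENERAL-POOL
 split-tunnel-policy tunnelall
 group-lock value RA-GENERAL

! Two connection profiles, both authenticating against the same (assumed) LDAP group
tunnel-group RA-INNER type remote-access
tunnel-group RA-INNER general-attributes
 default-group-policy GP-INNER
 authentication-server-group LDAP-SRV
tunnel-group RA-GENERAL type remote-access
tunnel-group RA-GENERAL general-attributes
 default-group-policy GP-GENERAL
 authentication-server-group LDAP-SRV

! --- Inner ASA ---
! Ingress ACL on the interface facing the outer enclave: only the dedicated pool
! may enter the inner enclave; everything else from the outer enclave is denied and logged.
object network INNER-POOL
 subnet 10.20.1.0 255.255.255.240
object network INNER-ENCLAVE
 subnet 172.16.50.0 255.255.255.0
access-list OUTSIDE-IN extended permit ip object INNER-POOL object INNER-ENCLAVE
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

The inner ACL only restricts by source address, so it is exactly as strong as the AAA mapping that decides which users land in GP-INNER; if that mapping is wrong, a user in the wrong pool is still admitted. It also covers only VPN users, not the users Gregg mentions who already sit inside the outer enclave.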

Community Manager

Re: Community Ask Me Anything - Secure Remote Workers

Here is an excellent reference for AnyConnect: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215331-anyconnect-implementation-and-performanc.html

I hope you and your loved ones are safe and healthy.

Monica Lluis
Community Manager Lead

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

Hi Monica,

 

Thank you for sharing that important document. 

 

Our global VPN experts recently delivered a podcast focused on RAVPN and how to optimize AnyConnect performance. The show notes include links to the document you referenced and more:

https://community.cisco.com/t5/security-documents/episode-57-maximizing-anyconnect-performance-during-the-covid-19/ta-p/4053676 

 

Bill

Hall of Fame Guru

Re: Community Ask Me Anything - Secure Remote Workers

In the case where we are using no-split-tunnel or tunnel-all-DNS for our remote access VPN and combining those features with Umbrella, we have an issue for unmanaged endpoints hitting the Umbrella block page for https sites and getting the certificate error. Given that https is used for 80% (or more) of all web traffic this is increasingly a problem.

For managed endpoints this is not much of a problem as we can push the certificate into local certificate stores via GPO (or other EMM software) as described in the Umbrella documentation:

https://docs.umbrella.com/deployment-umbrella/docs/install-cisco-umbrella-root-certificate

For unmanaged endpoints, telling end users to download and trust the Umbrella certificate is unwieldy. Is there any best practice we can adopt in order to avoid having to do this?

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

Hello Marvin. In case of unmanaged devices, the best practice is to split them into a different network (or identity in Umbrella dashboard) and apply a separate policy to them.

In that separate policy you should not enable the intelligent proxy (no file inspection and hence no HTTPS decryption), and by keeping all security enforcement only at the DNS layer you will not encounter these issues.

While I understand that this split of traffic is easier when on a corporate network (i.e. guest traffic or unmanaged devices go via separate vlans or separate SSIDs), in your case right now it sounds like you're referring to remote workers who are connecting to VPN and this is the same connection type for managed and unmanaged devices.

In this case you would need to disable the file inspection in all Umbrella policies that cover identities where unmanaged devices are going to be included.

Hall of Fame Guru

Re: Community Ask Me Anything - Secure Remote Workers

Thanks @jonnoble - I was afraid that would be the answer. Good to have it confirmed though.

Beginner

Re: Community Ask Me Anything - Secure Remote Workers

Hi,

When I want to configure the router from CCP, I get an error:

'Security component has failed. Inorder to work on Router or Security features, do the following. Goto Java Control panel -> Advanced tab -> Java Plug-in tree Entry. Uncheck the check box for Enable next-generation Java Plug-in. Relaunch CiscoCP after this.'

I was trying to uncheck the NGN Java plug-in but cannot find the plug-in option in the Advanced tab. Could you please help?

 

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

I would request you to try posting this in the Network Management section to get a better response:

https://community.cisco.com/t5/network-management/bd-p/5931-discussions-network-management

Regards,

Aditya
Beginner

Re: Community Ask Me Anything - Secure Remote Workers

I have found and been pointed to step-by-step guides for split tunnel, but I don't want split. Can anyone point me to a step-by-step guide for NOT split tunnel?

Cisco Employee

Re: Community Ask Me Anything - Secure Remote Workers

Hi,

 

Could you please elaborate on the requirement?

 

Do you want to disable the Split tunnel? If yes, then you can use TunnelAll option.

 

Please share the config if possible and what is the use case?

Beginner

Re: Community Ask Me Anything - Secure Remote Workers

If you use tunnel-all, how does that change affect the NAT statement? I basically had everything working with the split tunnel. When I change to tunnel-all, internet access is lost.

Thank you.
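An added example illustrating the NAT change that tunnel-all brings (my illustration, not configuration posted by anyone in the thread): with split tunnel the client sends Internet traffic directly, but with tunnel-all that traffic arrives on the ASA's outside interface and must be allowed to U-turn back out of the same interface with a public source address. The group-policy name RA-GP, the interface names and all addresses are constructed for this example.

```cisco
! Constructed addresses: VPN pool 10.10.10.0/24, inside LAN 192.168.1.0/24.
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0

! Tunnel-all: the client sends its Internet traffic into the tunnel as well
group-policy RA-GP attributes
 split-tunnel-policy tunnelall

! 1. Keep the identity (NAT-exempt) rule for VPN <-> inside traffic; it must stay
!    ahead of any dynamic rule so inside hosts are not translated toward VPN clients.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! 2. Allow traffic to enter and leave the same (outside) interface: required for the U-turn.
same-security-traffic permit intra-interface

! 3. PAT the VPN pool to the outside interface address when it turns back toward the
!    Internet. Without this rule the packets leave with a 10.10.10.x source and never return,
!    which shows up as "Internet access is lost" as soon as tunnel-all is enabled.
nat (outside,outside) source dynamic VPN-POOL interface
```

The existing `nat (inside,outside)` dynamic PAT for the LAN is untouched; only the hairpin rule for the pool is new. With tunnel-all every byte of client traffic now crosses the ASA, so it is also the point where the security policy (ACLs, inspection) for remote workers' Internet traffic is enforced.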