FIREPOWER and remote users

aaron.catt1
Level 1

Hi guys,

We are currently looking into replacing our ASA 5510 with a 5512 with FIREPOWER services. My question is, how do you guys filter/monitor web traffic from remote users? Do you have to use the AnyConnect client with Always-On VPN?

Many thanks in advance,

Aaron

1 Accepted Solution

It all depends on what you want to achieve. The first question that you have to think about is: Are your clients allowed to surf the web without additional protection?

If you answer this question with no:

  • Using AnyConnect with Always-On, as you mention, is one way.
  • You could also use CWS (Cisco Cloud Web Security) with AnyConnect on your clients. This could be a good solution if you have other branches or many remote-users and you don't want to send all your Web-traffic through the central internet-connection. In this case you don't need the URL-license on the ASA, as your internal traffic can also be sent through CWS.

If you answer the above question with yes:

  • Configure the VPN-connection to use an internal proxy-server. The proxy-traffic can be protected by FirePOWER.
  • Configure the VPN without Split-Tunneling so that all client-traffic flows through your ASA.
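
The last two options in the reply above, sketched as an ASA configuration. This is an added example, not part of the original reply or Cisco's own sample; the names REMOTE-USERS, SFR-REDIRECT, SFR-CLASS and the proxy address proxy.example.internal:8080 are placeholders.

```cisco
! Added example. All object names and the proxy address are placeholders.
!
! Group policy applied to the AnyConnect remote users.
group-policy REMOTE-USERS internal
group-policy REMOTE-USERS attributes
 vpn-tunnel-protocol ssl-client
 ! No split tunneling: every client flow enters the tunnel and reaches the ASA.
 ! With "split-tunnel-policy tunnelspecified" only the listed networks are
 ! tunneled, so the client's web traffic would never be seen by FirePOWER.
 split-tunnel-policy tunnelall
 ! Proxy option: push an internal proxy to the client browser for the
 ! duration of the session and keep the user from changing it.
 msie-proxy server value proxy.example.internal:8080
 msie-proxy method use-server
 msie-proxy lockdown enable
!
! With tunnelall and no proxy, internet-bound client traffic enters and
! leaves on the same (outside) interface. That needs the command below
! plus a NAT rule for the VPN address pool (not shown, version dependent).
same-security-traffic permit intra-interface
!
! Send traffic to the FirePOWER (SFR) module for inspection.
access-list SFR-REDIRECT extended permit ip any any
class-map SFR-CLASS
 match access-list SFR-REDIRECT
policy-map global_policy
 class SFR-CLASS
  ! fail-open passes traffic if the module is down; fail-close blocks it.
  sfr fail-open
```

To check the result, `show vpn-sessiondb detail anyconnect` lists the group policy each connected client received, and `show service-policy sfr` shows whether packets are being redirected to the module.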
