10-31-2022 12:09 AM
Hey all,
We're configuring a firewall for a client. On our internet-facing outside interface we're wanting to configure connection rules to block basically everything except our clients; they connect via a remote access VPN using AnyConnect, and via a site-to-site IPsec VPN.
What ports/protocols should we allow so that these methods aren't affected?
10-31-2022 12:38 AM
@hayden101 Site-to-Site VPN will use UDP/500 and ESP (and UDP/4500 if NATed). The AnyConnect VPN client will use TCP/443 (TLS) and UDP/443 (DTLS) if using SSL-VPN, or, if using IPsec VPN, will use UDP/500 and UDP/4500.
If you are allowing/blocking this communication on the same firewall that the VPNs are terminated on, you'd have to use a control-plane ACL.
10-31-2022 10:16 PM
As this firewall is both the effective front end connecting to our internet connection, and where our VPNs are connecting to, I guess I'll need to allow any IPs access, assuming they're on these ports and the destination is the correct IP range for our network. Is a control-plane ACL an object that can be configured on this device?
11-01-2022 06:07 AM
Traffic coming from clients that are connected via either type of VPN will be seen as destined for the firewall outside address until after that traffic has been internally decrypted in the firewall itself - i.e., after any ACL on the ingress is processed (control plane or otherwise).
10-31-2022 12:39 AM
The Site-to-Site VPNs use IPsec.
AnyConnect uses TLS/DTLS.
10-31-2022 07:48 AM - edited 10-31-2022 07:49 AM
There are two things to consider:
1. Traffic THROUGH the firewall. This is what we normally set up in an Access Control Policy. It normally does not affect either site-to-site or remote access VPN (AnyConnect) traffic unless we override some default behavior ("no sysopt connection permit-vpn"). The firewall decrypts the VPN traffic and then passes it out the inside interface unencrypted with the original IP address of the client.
2. Traffic TO the firewall. This is your VPN traffic's encrypted flows. The firewall only listens on configured ports (for AnyConnect) and further restricts site-to-site VPNs to configured addresses (i.e. your peer IPs). We do not and cannot generally restrict what client addresses log in with AnyConnect, as that's the nature of a remote access VPN.
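The two replies above (the port list for site-to-site IPsec and AnyConnect, and the distinction between traffic through the box and traffic to the box) can be put together as a control-plane ACL on the outside interface. The following is an added example written for this thread, not configuration posted by anyone in it. It assumes an ASA running a 9.x-style CLI (the same restriction on FTD is done differently and is not shown), an outside interface named "outside" with public address 203.0.113.10, a single site-to-site peer at 198.51.100.20, and AnyConnect clients using SSL-VPN (TLS/DTLS) rather than IKEv2. All addresses are documentation ranges chosen for the example; comment lines begin with "!".

```cisco
! Added example: lock the outside interface down to VPN termination only.
! Assumed names/addresses (not from the thread): outside = 203.0.113.10,
! site-to-site peer = 198.51.100.20.

! --- Traffic TO the firewall (encrypted VPN flows) ---
! Site-to-site IPsec: IKE on UDP/500, NAT-T on UDP/4500, ESP (IP protocol 50).
! The peer address is known, so source is restricted to it. If the peer sits
! behind NAT, use the address the packets actually arrive from.
access-list OUTSIDE-CP extended permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
access-list OUTSIDE-CP extended permit udp host 198.51.100.20 host 203.0.113.10 eq 4500
access-list OUTSIDE-CP extended permit esp host 198.51.100.20 host 203.0.113.10

! AnyConnect SSL-VPN: TLS on TCP/443, DTLS on UDP/443. Remote access clients can
! come from anywhere, so source is "any". If clients use IKEv2 instead, add
! "permit udp any host 203.0.113.10 eq isakmp" and "... eq 4500" here.
access-list OUTSIDE-CP extended permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE-CP extended permit udp any host 203.0.113.10 eq 443

! Everything else destined to the outside address (SSH, ICMP, ASDM, etc.) is
! dropped and logged. If the box is managed from the internet, add an explicit
! permit for that management source above this line before applying the ACL.
access-list OUTSIDE-CP extended deny ip any any log

! The "control-plane" keyword makes this ACL apply only to traffic addressed to
! the ASA itself on the outside interface; transit traffic is unaffected.
access-group OUTSIDE-CP in interface outside control-plane

! --- Traffic THROUGH the firewall (after decryption) ---
! Default: decrypted VPN traffic bypasses the interface ACL. To subject it to the
! outside ACL instead (the override mentioned above), disable the sysopt:
! no sysopt connection permit-vpn
```

Verify the result from an external host rather than trusting the config on paper: a connection to TCP/443 and a DTLS session on UDP/443 should still come up, the site-to-site tunnel should rekey normally, and anything else sent to 203.0.113.10 (an SSH attempt, a ping) should be dropped and appear as a deny hit in the logs for OUTSIDE-CP. Because a control-plane ACL carries an implicit deny once applied, apply it from a console or out-of-band session, never over a management session that the new ACL does not permit.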
10-31-2022 10:14 PM
As our firewall is connected to a static IP router direct to the internet, my hope is to limit everything other than these two methods of connecting to the firewall in the first place.
And yes, as our clients can in theory be anywhere, we won't be able to restrict based on IPs, as they'll be using this AnyConnect software.
11-01-2022 11:44 AM - edited 11-01-2022 12:03 PM
I wouldn't recommend using the control-plane ACL, and honestly I have seen it in use very rarely. The firewall will only listen on the ports of the services it has enabled, as already mentioned, and because of the nature of the remote access VPN you wouldn't be able to be sophisticated in saying "allow these sources", etc. I think AnyConnect would only use 443/udp if it is allowed; if not, it will keep using 443/tcp. For example, if you are in a café and there is a firewall blocking any outbound traffic with the exception of ports 80/tcp and 443/tcp, AnyConnect in this case will still work using port 443/tcp.
One thing that is unfortunately missing on the ASA/FTD is country-based blocking of traffic destined to itself. On some other vendors' firewalls you can block traffic per country, and you can also shut down the remote access VPN portal; the last time I looked into this, the FTD was not providing any support to shut down the AnyConnect portal. Please take a look at this post of mine if you should be interested in applying per-country policies to traffic passing through the firewall:
Using the Firepower geolocation | Blue Network Security (bluenetsec.com)