ASA or Firepower for ssl vpn

passakorn.m
Level 1

I am considering a firewall for SSL VPN for 100 users. Should I use ASA or Firepower for this solution?

And do I need FMC for SSL VPN?


4 Replies

Here is an SSL VPN configuration example on ASA; I hope it is useful for you.

1. Permit traffic on the same interface.
ASA(config)# same-security-traffic permit intra-interface

2. Create an IP address pool.
ASA(config)# ip local pool vpnpool 192.168.20.10-192.168.20.50 mask 255.255.255.0

3. Enable WebVPN.
ASA(config)# webvpn
!--- Enable WebVPN on the outside interface
ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
!--- Assign an order to the AnyConnect SSL VPN Client image
ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.0.00061-k9.pkg 1
!--- Enable the display of the tunnel-group list on the WebVPN login page
ASA(config-webvpn)# tunnel-group-list enable
!--- Enable the security appliance to download AnyConnect (SVC) images to remote computers
ASA(config-webvpn)# anyconnect enable

4. Configure the group policy.
!--- Create an internal group policy "clientgroup"
ASA(config)# group-policy clientgroup internal
ASA(config)# group-policy clientgroup attributes
!--- Specify SSL as a permitted VPN tunneling protocol
ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
!--- Tunnel (encrypt) all traffic coming from the SSL VPN clients
ASA(config-group-policy)# split-tunnel-policy tunnelall

5. Create a username for the SSL user.
ASA(config)# username ssluser password cisco

6. Configure the tunnel group.
!--- Create a tunnel group "sslgroup" with type remote-access
ASA(config)# tunnel-group sslgroup type remote-access
ASA(config)# tunnel-group sslgroup general-attributes
!--- Associate the address pool "vpnpool" created above
ASA(config-tunnel-general)# address-pool vpnpool
!--- Associate the group policy "clientgroup" created above
ASA(config-tunnel-general)# default-group-policy clientgroup
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group sslgroup webvpn-attributes
!--- Configure the group alias "sslgroup_users" shown on the login page
ASA(config-tunnel-webvpn)# group-alias sslgroup_users enable

7. Configure NAT.
!--- PAT the inside network behind the outside interface
ASA(config)# object network obj-inside
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic interface
ASA(config-network-object)# exit
!--- Hairpin NAT so tunnelall clients can reach the Internet back out of the outside interface
ASA(config)# object network obj-SSLVPNPool
ASA(config-network-object)# subnet 192.168.20.0 255.255.255.0
ASA(config-network-object)# nat (outside,outside) dynamic interface
thx.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
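As an added example, not part of the post above or of any Cisco tool, here is a small Python checker that reads the configuration from steps 1 to 7 in show running-config form (constructed sample embedded below) and flags what most often breaks or weakens this setup: a tunnel-group pointing at a pool or group-policy that does not exist, split-tunnel-policy tunnelall without the intra-interface permit and hairpin NAT from steps 1 and 7, and local usernames in place of AAA. Function and variable names are this example's own.

```python
# Constructed sample: the posted ASA config as 'show running-config' prints it
# (prompts removed, sub-mode lines indented one space).
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
ip local pool vpnpool 192.168.20.10-192.168.20.50 mask 255.255.255.0
group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
username ssluser password cisco
tunnel-group sslgroup general-attributes
 address-pool vpnpool
 default-group-policy clientgroup
object network obj-SSLVPNPool
 subnet 192.168.20.0 255.255.255.0
 nat (outside,outside) dynamic interface
"""

def parse_blocks(config):
    # Split ASA config text into (header, [sub-mode lines]) pairs by indentation.
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0] == " " and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def review_ra_vpn(config):
    """Return a list of findings about the AnyConnect/SSL VPN part of an ASA config."""
    blocks = parse_blocks(config)
    pools = {h.split()[3] for h, _ in blocks if h.startswith("ip local pool ")}
    policies = {h.split()[1] for h, _ in blocks if h.startswith("group-policy ")}
    # tunnelall only works if VPN-to-Internet traffic may re-enter and leave 'outside'
    hairpin = any(h == "same-security-traffic permit intra-interface" for h, _ in blocks) \
        and any(s.startswith("nat (outside,outside)") for _, sub in blocks for s in sub)
    findings = []
    for header, sub in blocks:
        words = header.split()
        if words[0] == "username" and "password" in words:
            findings.append(f"local user '{words[1]}' on the box; prefer AAA (RADIUS/LDAP) with MFA")
        elif words[0] == "tunnel-group" and words[-1] == "general-attributes":
            for s in sub:  # every referenced object must exist or client logins fail
                ref = s.split()
                if ref[0] == "address-pool" and ref[1] not in pools:
                    findings.append(f"tunnel-group '{words[1]}' references undefined pool '{ref[1]}'")
                if ref[0] == "default-group-policy" and ref[1] not in policies:
                    findings.append(f"tunnel-group '{words[1]}' references undefined group-policy '{ref[1]}'")
        elif words[0] == "group-policy" and words[-1] == "attributes":
            if "split-tunnel-policy tunnelall" in sub and not hairpin:
                findings.append(f"group-policy '{words[1]}' is tunnelall but hairpin NAT or intra-interface permit is missing")
    return findings
```

Run it against the real output of show running-config (or a saved copy) to check the same points after any change to the VPN configuration.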

If you want to use AnyConnect remote-access-VPN then you can use either. With the ASA software there are more features for VPN available, but with FTD you get Next-Gen Firewalling.

If you want to use WebVPN (through the clientless portal), then you have to use the ASA as that is not supported on FTD.

For FTD you don't need FMC, but again, there are more features available compared to FTD managed through FDM.

For ASA, do I need FMC for this solution?

Hi,
If you are using ASA code then you would manage using ASDM/CLI.

HTH