Here's your chance to discuss the configuration, troubleshooting and best practices for the AnyConnect Secure Mobility Client on Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD), and its integration with other Cisco security portfolio devices and technologies such as ISE and Duo.
This session provides an opportunity to learn and ask questions about various aspects of AnyConnect implementation (using SSL and IKEv2), including (but not limited to) emergency licenses, configuration, deployment and troubleshooting of AnyConnect, which provides the security necessary to help ensure that your organization is safe and protected in such a critical situation.
Ask questions from Monday, April 6 to Friday, April 17, 2020
**Helpful votes Encourage Participation!**
Please be sure to rate the Answers to Questions
Could you please confirm which method we should use to generate the CSR and upload it to the FTD firewall for AnyConnect user authentication:
Objects > PKI > Cert Enrollment, or using OpenSSL?
Thanks for hosting this Q&A session. I am going to list some questions that come to mind at the moment.
Thank you all, really.
PS: To avoid mixing things up, you can refer to each answer by the number of the question.
Here are answers to your queries:
1. Here is a document you can refer to in order to understand the flow and the configuration steps required for ISE posture on FTD.
2. The option to select "Bypass Access Control policy for decrypted traffic" would be recommended when we don't want to inspect the VPN traffic through the Access Control Policy. Thus, the traffic will just be forwarded to the destination without any deep inspection by the FTD. Whether to enable this feature depends on your security requirements and on the level of trust you have in the remote access VPN users. If you don't trust the traffic initiated by remote access VPN users, it is advised to apply deep inspection to the traffic they generate.
For the record, this command is disabled by default on FTD and enabled by default on the ASA.
Please note that VPN Filter ACL and authorization ACL downloaded from AAA server are still applied to VPN traffic.
The use case for having "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" unchecked is when you want to allow the U-turning of AnyConnect user traffic, so that users can access the Internet via the FTD or perhaps access internal resources. With this feature disabled, ACP checks will be performed and you can leverage features like URL filtering to restrict AnyConnect user-initiated traffic.
3. Yes, RADIUS CoA is indeed supported on FTD from version 6.3.0 onwards and fully supported in newer versions.
4. You can create an AnyConnect client profile using the AnyConnect Profile Editor. This editor is a GUI-based configuration tool that is available as part of the AnyConnect software package. It is an independent program that you run outside of the Firepower Management Center.
For more information about AnyConnect Profile Editor, please refer:
5. You can leverage the API Explorer as it provides a limited interface for the REST API as well as giving a view of the abilities of the REST API.
Here are a few links to get you started with programming Firepower using the FMC APIs:
6. TAC uses CLI predominantly along with FMC GUI to troubleshoot issues related to ACP rules.
You can either use the packet capture option at the LINA CLI, similar to what is used on a traditional ASA,
or you can use "system support firewall-engine-debug" under the FTD clish to confirm whether the traffic flow is evaluated against the proper Access Control rule.
Here is a document for your reference:
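The following is an added example, not configuration from this thread or from Cisco documentation. It shows the ASA CLI equivalent of the FMC "Bypass Access Control policy for decrypted traffic" checkbox discussed in answer 2 (sysopt permit-vpn plus a vpn-filter, which is applied to the session either way), followed by the LINA capture and firewall-engine-debug checks from answer 6. All object, ACL and group-policy names, the AnyConnect pool 10.99.0.0/24 and the internal server 10.1.1.10 are assumptions; comment lines start with "!".

```text
! Added example, not from the thread. Names and addresses are assumptions:
! AnyConnect pool 10.99.0.0/24, internal web server 10.1.1.10.
!
! --- ASA configuration ---
! Checkbox cleared (the FTD default): decrypted VPN traffic is evaluated
! by the interface ACL on the ASA, or by the Access Control Policy on FTD.
no sysopt connection permit-vpn
!
! The vpn-filter is applied to the VPN session whether or not the sysopt
! bypass is set. ACEs are written from the remote client's point of view:
! source = client address, destination = the protected resource.
access-list VPN_FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 10.1.1.10 eq 443
access-list VPN_FILTER extended deny ip any any log
group-policy GP_ANYCONNECT attributes
 vpn-filter value VPN_FILTER
!
! --- Checks (ASA and FTD LINA CLI) ---
! Confirm the bypass state
show running-config sysopt
! "Filter Name" in the session detail shows the vpn-filter in effect
show vpn-sessiondb detail anyconnect
! Capture the decrypted client traffic as it leaves toward the server
capture CAP_VPN interface inside match tcp 10.99.0.0 255.255.255.0 host 10.1.1.10 eq 443
show capture CAP_VPN
! Remove the capture when finished
no capture CAP_VPN
!
! --- FTD only (clish) ---
! Interactive: prompts for a protocol and client/server address filter,
! then prints which Access Control rule each matching flow hit.
system support firewall-engine-debug
```

Leave the "deny ip any any log" entry in place: with bypass disabled the interface ACL or ACP is the second gate, and the vpn-filter log entries give you a per-session record of what each remote user attempted regardless of how the ACP is written.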
In addition to what Pulkit already mentioned, some companies use Always-On, which prevents access to Internet resources when the computer is not on a trusted network unless a VPN session is active. Enforcing the VPN to always be on in this situation protects the computer from security threats.
For companies that do not enforce Always-On, besides the posture checks already mentioned and 2FA like Duo (to ensure only authorized people are using the VPN), we must add additional protection for the remote users, as threat actors are taking advantage of the increase in unprotected remote workers to launch different campaigns. You can read our Talos blog for more:
With Cisco Umbrella you can protect users at the DNS layer from malicious Internet destinations even when they are not connected to the VPN. Because it is delivered from the cloud, Umbrella makes it easy to protect users everywhere in minutes.
We also have the last line of defense, which is Cisco Advanced Malware Protection (AMP) for Endpoints. This technology prevents breaches and blocks malware at the point of entry, and detects, contains and remediates advanced threats if they evade the front line of defense.
I want to ask how to allow users to communicate by voice through Skype for Business or Cisco Jabber over AnyConnect Remote Access VPN on the ASA, and whether the commands below are safe to use from a security perspective. Also, how can I have this internal communication monitored by our SIEM solution?
Enter the same-security-traffic command in order to make the firewall act as a hub. You'll also need to configure a NAT rule, nat (outside,outside), for the pool address space so the clients can reach each other.
ciscoasa(config)#same-security-traffic permit intra-interface
Please note that this command allows traffic to enter and exit the same interface, which is disabled by default for security.
nat (outside,outside) source static "address pool obj" "address pool obj" destination static "address pool obj" "address pool obj" no-proxy-arp route-lookup
It should be placed towards the top of your NAT rules.
This is the only way to set up hairpinning on the ASA to allow AnyConnect clients to talk to other AnyConnect clients. I would not consider this a great security threat, but it all depends on the needs of your company, and only you can make those decisions.
From the command reference:
The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the ASA is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the ASA and then out again to the other spoke.
Note All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the ASA.
What is it that you are trying to monitor via the SIEM solution?
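The following is an added example, not configuration posted in this thread. It fills in the placeholders from the hairpin answer above as a complete ASA configuration (pool object, same-security-traffic, the identity NAT rule placed first) and adds the syslog export that lets a SIEM see the pool-to-pool connections asked about. The object and pool names, the 10.99.0.0/24 pool and the SIEM collector address 10.1.1.50 are assumptions; comment lines start with "!".

```text
! Added example, not from the thread. Names, the 10.99.0.0/24 pool and the
! SIEM address 10.1.1.50 are assumptions.
!
ip local pool ANYCONNECT_POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
object network OBJ_ANYCONNECT_POOL
 subnet 10.99.0.0 255.255.255.0
!
! Allow traffic that arrives on "outside" to leave via "outside" again
same-security-traffic permit intra-interface
!
! Identity (no-change) NAT for pool-to-pool traffic. The line number "1"
! puts it ahead of any other manual NAT rule that could translate this
! traffic; route-lookup picks the egress interface from the routing table
! instead of from the NAT rule; no-proxy-arp keeps the ASA from answering
! ARP for the pool on the outside segment.
nat (outside,outside) 1 source static OBJ_ANYCONNECT_POOL OBJ_ANYCONNECT_POOL destination static OBJ_ANYCONNECT_POOL OBJ_ANYCONNECT_POOL no-proxy-arp route-lookup
!
! Pool-to-pool traffic is still subject to firewall rules (see the command
! reference note above): with the ASA default "sysopt connection permit-vpn"
! it skips the interface ACL, but a vpn-filter on the group policy still
! applies in both directions.
!
! --- SIEM visibility ---
! Connection build/teardown syslogs (%ASA-6-302013/302014 for TCP,
! %ASA-6-302015/302016 for UDP) record every client-to-client flow.
logging enable
logging timestamp
logging host inside 10.1.1.50
logging trap informational
!
! --- Verification ---
show nat detail
show conn address 10.99.0.11
```

The 302013 to 302016 messages are logged at the informational level, so "logging trap informational" is the minimum severity that gets client-to-client flow records to the collector; if the SIEM budget is tight, keep that level and drop the lower-value message IDs individually with "no logging message <id>" rather than raising the trap level.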
Hello Ahmed and Jason,
A couple of comments:
You can definitely monitor these communications on your SIEM the same way you are doing for other traffic. For better visibility of what your Remote Users are doing you can use Stealthwatch Enterprise or Stealthwatch Cloud as shown in these videos:
*We could even get to workload/app granularity with Tetration but that's a conversation for another day :)
I configured Remote Access VPN with realms on the FTD via FMC. When I try to connect with AnyConnect I get the error "Login error".
Below is the debug output from "ldap 255" and "webvpn anyconnect 127":
ldap_client_server_add: Add server:0.0.0.0, group=4
ldap_client_server_unlock: Free server:0.0.0.0, group=4
 Session Start
 New request Session, context 0x00002b5de5d453b0, reqType = Authentication
 Fiber started
 Failed to convert ip address 0.0.0.0
 Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
 Session End
Thanks for your help