Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

ciscomoderator (Community Manager)

This event continues the conversation from our recent Community Ask Me Anything event "Secure Remote Workers".

Here is your chance to discuss the configuration, troubleshooting and best practices for the AnyConnect Secure Mobility Client on Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD), and its integration with other Cisco security portfolio devices and technologies such as ISE and Duo.

This session provides an opportunity to learn and ask questions about various aspects of AnyConnect implementation (using SSL and IKEv2), including (but not limited to) emergency licenses, configuration, deployment and troubleshooting, so that AnyConnect provides the security necessary to help ensure that your organization is safe and protected in such a critical situation.

To participate in this event, please use the Join the Discussion: Cisco Ask the Expert button below to ask your questions.

Ask questions from Monday, April 6 to Friday, April 17, 2020.

Featured experts
Dinesh Moudgil is a High Touch Technical Support (HTTS) Engineer with the Security team at Cisco. He has been working on Cisco technologies for more than 6 years, focusing on Cisco Next Generation Firewalls, Intrusion Prevention Systems, Identity Management and Access Control (AAA) and VPNs. He holds CCNP, CCDP and CCIE #58881 certifications, and multiple vendor certifications such as ACE, PCNSE and VCP.

Pulkit Saxena works as a High Touch Technical Support (HTTS) Engineer in the Security domain at Cisco, bringing nearly 7 years of industry experience to the team. He has hands-on experience with multiple firewalls, different VPN solutions, AAA and Next Generation IPS, along with delivering multiple trainings. Pulkit holds certifications from multiple vendors, namely Cisco and Juniper (CCIE Security and JNCIA).

Jason Grudier is the Technical Leader on the VPN TAC team in Raleigh, NC. He has been working for Cisco on the VPN team for six years. Prior to joining the team, he was a network engineer at Labcorp. He works primarily with AnyConnect troubleshooting and configuration across all Cisco platforms, as well as DMVPN, GETVPN, RADIUS, LDAP and certificate authentication.

Gustavo Medina is a Systems Sales Engineer with the Enterprise Networking Sales team. He has more than 10 years of experience in security and enterprise networking. In his career he has focused on different tasks, from technical escalations and partner adoption to the revision of Cisco Certification evaluations. Gustavo holds CCNA, CCNP and CCSI certifications, and a CCIE in Security (#51487).

Due to the anticipated volume for this in-demand event, Dinesh, Pulkit, Jason and Gustavo might not be able to answer every question. Remember that you can continue the conversation directly in the Security community.

By posting a question on this event you are giving permission for it to be translated into all the languages we have in the community.

Helpful votes encourage participation! Please be sure to rate the answers to questions.


Hi Basavaraj,

What Jason meant in his earlier post is that you can configure another interface on which you can use the /28 subnet and terminate RA-VPN. This comes into the picture because you mentioned that you do not want to configure RA-VPN on the existing outside link.

Now, in regards to routing and connectivity, the logic remains the same: we need to have the new interface connected to an uplink from which end users can have connectivity/reachability.

Hope this clarifies.

- Pulkit

bbcstone (Level 1)

Is it possible to deliver non-Cisco software to the remote VPN user when they log in? I'm looking for a way to deliver the Azure MFA client to the end user. If it is not possible to deliver the software, is there a way to display a message that would require user interaction?

It is not possible to deliver anything from a third party. It can only push AnyConnect modules, customizations and XML profiles. You could modify the login banner to tell them to download the file, but that would require user interaction. Additionally, you could create a login script that would start when the user connected, so if you could make a script that would run and download the program, you could do that from an ASA, but not from an FTD managed by FMC or FDM.

Yanli Sun (Community Manager)

This is a question from Chinese Community member jijunzhang:

Hi, Experts,

May I ask whether the FTD version of Firepower does not support the L2TP over IPsec VPN function?
Sometimes, because of some customers' security requirements, the customers do not have permission to install the AnyConnect client on their computers, but they need to get access through the external network.

Is there any function on Firepower as a replacement?

Hi Yanli,

Presently we do not support L2TP over IPsec on FTD.
The alternative option is to use AnyConnect. Let me check if there are any plans for L2TP addition in an upcoming release and I will update.

- Pulkit

Hi Yanli,

I checked with the product team as well; currently we do not have any roadmap for L2TP addition in upcoming Firepower releases either.
So the AnyConnect client is the way to go. :)

- Pulkit

Yanli Sun (Community Manager)

This is a question from Chinese Community member sunbin03351:

Hi, Team,

Can AnyConnect remote access VPN be deployed on ASAv? Is there any configuration guide?

Many thanks.

Hello,

Yes, ASAv supports Remote Access VPN. Reference link:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/asav/quick-start/asav-quick/asav-config.html#97965

The configuration remains the same as on any other ASA platform, but make sure that you have the appropriate VPN licenses to deploy AnyConnect VPN.
Configuration example:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-anyconnect-config.html
Smart licensing on ASAv:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/general/asa-910-general-config/intro-license-smart.html#task_03242D29B58D4DB9B95F4F844973CE2E
Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
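The reply above answers with links only. As an added example for this thread (it is not part of the original reply, the ASAv quick-start or the linked split-tunnel document), here is a minimal AnyConnect SSL VPN configuration in ASA CLI form; it is the same on ASAv as on a hardware ASA, which is the point of the answer. Every interface name, address, pool, object, group-policy/tunnel-group name and file name (including the AnyConnect package and the client profile file) is an assumption chosen for illustration. The two show commands at the end are the verification step for licensing and active sessions, which matters on ASAv because without the right AnyConnect licence the configuration accepts no sessions.

```text
! Added example, not from the original post. All names and addresses are assumptions.
! Address pool handed to AnyConnect clients
ip local pool RAVPN_POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0
!
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0
object network RAVPN_NET
 subnet 10.200.0.0 255.255.255.0
!
! Split tunnel: only these destinations are sent through the tunnel,
! everything else leaves the client's local interface unencrypted.
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
!
! NAT exemption so inside <-> VPN-client traffic is not translated
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static RAVPN_NET RAVPN_NET no-proxy-arp route-lookup
!
webvpn
 enable outside
 ! A second termination interface would simply get another "enable <nameif>" line
 anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1
 ! Client profile (XML from the profile editor) uploaded to flash
 anyconnect profiles RAVPN_PROFILE disk0:/ravpn_profile.xml
 anyconnect enable
 tunnel-group-list enable
!
group-policy RAVPN_GP internal
group-policy RAVPN_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 dns-server value 192.168.10.5
 webvpn
  ! The profile only reaches the client once it is bound to the group policy
  anyconnect profiles value RAVPN_PROFILE type user
!
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool RAVPN_POOL
 default-group-policy RAVPN_GP
tunnel-group RAVPN webvpn-attributes
 group-alias RAVPN enable
!
! Verification: licence state/capacity and current AnyConnect sessions
show vpn-sessiondb license-summary
show vpn-sessiondb anyconnect
```

The split-tunnel list is what the linked 100936 document configures through ASDM; the same `split-tunnel-policy` and `split-tunnel-network-list` lines are what ASDM writes to the running configuration.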

rhague (Level 1)

We have configured and are testing a client .xml where FIPS compliance is turned on, and it looks like it is working just fine. Then someone asked, "How do you know it's working?" Other than looking at the .xml every time an auditor wants to see it, is there somewhere else I can verify that FIPS compliance has been engaged?

-Ray

Mac
Client 4.8.00175
Firepower 2140

You can check the VPN statistics in the client UI. There will be a FIPS section.

tjjackson (Level 1)

AnyConnect is set up and I want to configure DAP for anti-malware/antivirus.

I am configuring this via the ASDM.

My question is: is there a way to add the antivirus list other than adding each one at a time?

There are so many possible antivirus products for clients, as they are allowed to BYOD. Adding all of them manually would be time-consuming and inefficient.

Thank you in advance for your consideration.

Please advise.

Hello,

There are two ways you can address this issue.

1. Instead of performing a check for each AV, you can perform a check based on vendor.

[screenshot]

2. To avoid adding the attributes in ASDM, you can run the commands "debug menu dap 1" and "debug menu dap 2" [these are show commands for the DAP configuration], then copy the output, modify it in a text editor as per your requirement, filling in all the required AVs, and then upload dap.xml to the ASA.

Regards,
Dinesh

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hello, in reference to the output from these two commands, "debug menu dap 1" and "debug menu dap 2", to be clear about the process: combine the two outputs into one big XML file ("dap.xml") and upload it via the ASDM?

Would you happen to have a link to a doc? I already did a bunch manually because I found the output from "debug menu dap 1" and "debug menu dap 2" still a bit cumbersome. Just checking. Thanks again.


evan_stockton (Level 1)

Hi,

I am having a problem with FTD and AnyConnect 4.8.02042 with profiles on Windows and Mac. I make some changes with the standalone profile editor and move the profile to the Profiles folder in ProgramData. Things like HostEntry and AllowManualHostInput are being recognized and applied, but changes to AuthenticationTimeout and EnableScripting are not.

After every change I am exiting the AnyConnect client and restarting the service; I also restarted the computer for good measure. I can see what settings are being applied from the Event Viewer:

Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.

It does not look like the FTD has a profile applied to it, since no files are downloaded to the Profiles folder. I have also passed the XML file through a validator with the XSD file.

Thanks

Are you also uploading it to the FTD device and then applying it to the group policy that the user is connecting to?