Cisco Employee

Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

Hi Basavaraj,

What Jason meant in his earlier post is that you can configure another interface to which you can utilise the /28 subnet and terminate RA-VPN on it. This comes into perspective as you mentioned that you do not want to configure RA-VPN on the existing outside link.

Now in regards to routing and connectivity, the logic remains the same, we need to have the new interface connected to an uplink from where end users can have connectivity/reachability.

Hope this clarifies.

-
Pulkit

Beginner

Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

Is it possible to deliver non-Cisco software to the remote VPN user when they log in? I'm looking for a way to deliver the Azure MFA client to the end user. If it is not possible to deliver the software, is there a way to display a message that would require user interaction?

Cisco Employee

Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

It is not possible to deliver anything from a third party. It can only push AnyConnect modules, customizations and XML profiles. You could modify the login banner to tell them to download the file, but that would require user interaction. Additionally, you could create a login script that would start when the user connected, so if you could make a script that would run and download the program, you could do that from an ASA, but not on an FTD managed by FMC or FDM.

Cisco Employee

Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

This is a question from Chinese Community member jijunzhang

Hi, Experts,

May I ask whether the FTD version of Firepower does not support the L2TP over IPsec VPN function?
Sometimes, because of some customers' security requirements, the customers do not have permission to install the AnyConnect client on their computers, but they need to get access through the external network.

Is there any function on Firepower as a replacement?

Cisco Employee

Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

Hi Yanli,

Presently we do not support L2TP over IPsec on FTD.
The alternate option is to use AnyConnect. Let me check if there are any plans for L2TP addition in an upcoming release and I will update.

-
Pulkit
Cisco Employee

Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

Hi Yanli,

I checked with the product team as well; currently we do not have any roadmap for L2TP addition in upcoming releases of Firepower either.
So the AnyConnect client is the way to go. :)

-
Pulkit


Cisco Employee

Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

This is a question from Chinese Community member sunbin03351

Hi, Team,

Can AnyConnect remote access VPN be deployed on ASAv? Is there any configuration guide?

Many thanks.

Cisco Employee

Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

Beginner

Anyconnect: Need to verify FIPS compliance is being used.

We have configured and are testing a client .xml where FIPS compliance is turned on and it looks like it is working just fine. Then, someone asked "How do you know it's working?" Other than looking at the .xml every time an auditor wants to see it, is there somewhere else I can verify that FIPS compliance has been engaged?

-Ray

Mac
Client 4.8.00175
Firepower 2140

Cisco Employee

Re: Anyconnect: Need to verify FIPS compliance is being used.

You can check the VPN statistics of the client UI. There will be a FIPS section.
Beginner

Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

AnyConnect is set up and I want to configure DAP for anti-malware (antivirus).

I am configuring this via the ASDM.

My question: is there a way to add the antivirus list other than adding each one at a time?

There are so many possible antivirus products for clients, as they are allowed to BYOD. Adding them all manually will be time-consuming and inefficient.

Thank you in advance for your consideration.

Please advise.

Cisco Employee

Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

Hello,

There are 2 ways you can address this issue.

1. Instead of performing a check for each AV, you can perform a check based on Vendor.

[Screenshot attached: Screenshot 2020-04-16 at 12.55.04 PM.png]

2. To avoid adding the attributes on ASDM, you can run the commands "debug menu dap 1" and "debug menu dap 2" [these are show commands for DAP configuration], and then copy the output, modify them in a text editor as per the requirement filling in all the required AVs and then upload dap.xml on the ASA.

Regards,

Dinesh

Beginner

Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

Hello, in reference to the output from these 2 commands "debug menu dap 1" and "debug menu dap 2", to be clear about the process: combine the 2 files into one big XML file, "upload dap.xml", and upload them via the ASDM?

Would you happen to have a link to a doc? I already did a bunch manually because I found the output from "debug menu dap 1" and "debug menu dap 2" still a bit cumbersome. Just checking. Thanks again.


Beginner

Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

Hi,

I am having a problem with FTD and AnyConnect 4.8.02042 with profiles on Windows and Mac. I make some changes with the stand-alone profile editor and move it to the Profiles folder in ProgramData. Things like HostEntry and AllowManualHostInput are being recognized and applied. But changes to AuthenticationTimeout and EnableScripting are not.

After every change I am exiting the AnyConnect client and restarting the service; I also restarted the computer for good measure. I can see what settings are being applied from the Event Viewer.

Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.

It does not look like the FTD has a profile applied to it since no files are downloaded to the Profiles folder. I have also passed the XML file through a validator with the XSD file.
Thanks
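An added example (not from this thread, and not Cisco's code) for the profile problem described above: the client's "Using default preferences ... verify that the selected host is in the server list section of the profile" message points at two things worth checking before assuming the settings were ignored, namely whether the settings you edited actually landed in the ClientInitialization section and whether the gateway you connect to appears in the ServerList. The script below parses a profile XML and reports both. It assumes the usual layout produced by the stand-alone profile editor (a ClientInitialization block of settings and a ServerList of HostEntry elements, whatever the namespace) and uses a constructed sample profile rather than one from the thread; the client's own host-matching rules are not reproduced, so the ServerList check is an approximation.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the thread). Element names follow the
# layout the stand-alone profile editor writes; that layout is an assumption
# of this example, not something the thread shows.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <AuthenticationTimeout>30</AuthenticationTimeout>
    <EnableScripting UserControllable="false">true</EnableScripting>
    <AllowManualHostInput>false</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn-example</HostName>
      <HostAddress>vpn.example.invalid</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip a '{namespace}' prefix so tags compare by local name only."""
    return tag.rsplit('}', 1)[-1]


def summarize_profile(xml_text):
    """Return the ClientInitialization settings and the (HostName, HostAddress) pairs."""
    root = ET.fromstring(xml_text)
    settings = {}
    hosts = []
    for section in root:
        name = _local(section.tag)
        if name == 'ClientInitialization':
            for el in section:
                settings[_local(el.tag)] = (el.text or '').strip()
        elif name == 'ServerList':
            for entry in section:
                if _local(entry.tag) != 'HostEntry':
                    continue
                fields = {_local(c.tag): (c.text or '').strip() for c in entry}
                hosts.append((fields.get('HostName', ''), fields.get('HostAddress', '')))
    return {'settings': settings, 'hosts': hosts}


def profile_mismatches(xml_text, expected):
    """List (setting, expected, actual) for settings that are missing or differ.

    Useful when a setting edited in the profile editor does not seem to take
    effect: if it is missing here, the file you deployed is not the one you edited.
    """
    actual = summarize_profile(xml_text)['settings']
    return [(k, v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v]


def gateway_in_server_list(xml_text, gateway):
    """True if the gateway matches a HostName or HostAddress in the ServerList.

    Approximation of the client's check behind the "selected host is in the
    server list" message; the client's own matching rules are not reproduced.
    """
    return any(gateway in pair for pair in summarize_profile(xml_text)['hosts'])


if __name__ == '__main__':
    wanted = {'AuthenticationTimeout': '30', 'EnableScripting': 'true'}
    print('settings:', summarize_profile(SAMPLE_PROFILE)['settings'])
    print('mismatches:', profile_mismatches(SAMPLE_PROFILE, wanted))
    print('gateway listed:', gateway_in_server_list(SAMPLE_PROFILE, 'vpn.example.invalid'))
```

Run it against the profile actually sitting in the Profiles folder (read the file and pass its contents to the functions) and against the copy you uploaded to the gateway. If the edited settings are present in the local file but the client still reports default preferences, the mismatch is between the local file and what the gateway pushes, which is the situation the reply below asks about.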

 

Cisco Employee

Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

Are you also uploading it to the FTD device and then applying it to the group-policy that the user is connecting to?