04-03-2020 05:28 PM - last edited on 04-27-2020 09:00 AM by Hilda Arteaga
This event continues the conversation from our recent Community Ask Me Anything event "Secure Remote Workers".
Here's your chance to discuss the configuration, troubleshooting and best practices for the AnyConnect Secure Mobility Client on Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD), and its integration with other Cisco security portfolio devices and technologies such as ISE and Duo.
This session provides an opportunity to learn and ask questions about various aspects of an AnyConnect implementation (using SSL and IKEv2), including (but not limited to) emergency licenses, configuration, deployment and troubleshooting of AnyConnect, which provides the security necessary to help ensure that your organization is safe and protected in such a critical situation.
To participate in this event, please use the button below to ask your questions.
Ask questions from Monday, April 6 to Friday, April 17, 2020.
04-15-2020 02:24 AM
Hi Basavaraj,
What Jason meant in his earlier post is that you can configure another interface on which you can utilise the /28 subnet and terminate the RA-VPN. This comes into perspective because you mentioned that you do not want to configure the RA-VPN on the existing outside link.
Now, in regards to routing and connectivity, the logic remains the same: we need to have the new interface connected to an uplink from which end users can have connectivity/reachability.
Hope this clarifies.
-
Pulkit
04-14-2020 11:27 AM
Is it possible to deliver non-Cisco software to the remote VPN user when they log in? I'm looking for a way to deliver the Azure MFA client to the end user. If it is not possible to deliver the software, is there a way to display a message that would require user interaction?
04-14-2020 11:53 AM
It is not possible to deliver anything from a third party. It can only push AnyConnect modules, customizations and XML profiles. You could modify the login banner to tell them to download the file, but that would require user interaction. Additionally, you could create a login script that would start when the user connected, so if you could make a script that would run and download the program, you could do that from an ASA, but not from an FTD managed by FMC or FDM.
04-15-2020 04:58 AM
This is a question from Chinese Community member jijunzhang
Hi, Experts,
May I ask whether the FTD version of Firepower does not support the L2TP over IPsec VPN function?
Sometimes, because of some customers' security requirements, the customers do not have permission to install the AnyConnect client on their computers, but they need to get access through the external network.
Is there any function on Firepower that can serve as a replacement?
04-15-2020 05:02 AM
This is a question from Chinese Community member sunbin03351
Hi, Team,
Can AnyConnect remote access VPN be deployed on ASAv? Is there any configuration guide?
Many thanks.
04-15-2020 10:53 AM
We have configured and are testing a client .xml where FIPS compliance is turned on, and it looks like it is working just fine. Then someone asked, "How do you know it's working?" Other than looking at the .xml every time an auditor wants to see it, is there somewhere else I can verify that FIPS compliance has been engaged?
-Ray
Mac
Client 4.8.00175
Firepower 2140
04-15-2020 11:03 AM
AnyConnect is set up and I want to configure DAP for anti-malware/antivirus.
I am configuring this via the ASDM.
My question is: is there a way to add the antivirus list other than adding each one at a time?
There are so many possible antivirus products for clients, as they are allowed to BYOD. Adding all of them manually will be time-consuming and inefficient.
Thank you in advance for your consideration.
Please advise.
04-16-2020 01:01 AM
Hello,
There are 2 ways you can address this issue.
1. Instead of performing a check for each AV, you can perform a check based on the vendor.
2. To avoid adding the attributes in ASDM, you can run the commands "debug menu dap 1" and "debug menu dap 2" [these are show commands for the DAP configuration], then copy the output, modify it in a text editor as required, filling in all the required AVs, and then upload dap.xml to the ASA.
Regards,
Dinesh
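A third option, added here as an example and not part of Dinesh's answer or the original thread: a single DAP "Advanced" endpoint expression (the ASA evaluates these as Lua) that matches when any anti-malware product HostScan reports is installed and recently updated, so you never have to enumerate vendors or products in ASDM. It assumes HostScan 4.3 or later exposes products under `endpoint.am` (older HostScan versions use `endpoint.av`), that each product carries the `exists` and `lastupdate` attributes, and that the `EVAL()` helper and `assert(function() ... end)()` wrapper are the ones the ASA DAP documentation describes; the ten-day freshness window is a constructed threshold for illustration.

```lua
-- Added example, not Cisco's or the thread author's configuration.
-- Paste this into the DAP record's Advanced tab (logical expression).
-- Assumption: endpoint.am exists on HostScan 4.3+; fall back to the
-- older endpoint.av table when the anti-malware table is absent.
assert(function()
  local products = endpoint.am or endpoint.av
  if products == nil then
    return false        -- HostScan reported no AV/AM data at all
  end

  -- Constructed threshold: definitions must be newer than 10 days
  -- (lastupdate is reported in seconds since the last update).
  local max_age_seconds = "864000"

  for name, attrs in pairs(products) do
    -- Match on the product being present, regardless of vendor...
    if EVAL(attrs.exists, "EQ", "true", "string")
       -- ...and on its signatures being reasonably fresh.
       and EVAL(attrs.lastupdate, "LT", max_age_seconds, "integer") then
      return true
    end
  end
  return false
end)()
```

Because the loop walks whatever HostScan returns, a new BYOD product is covered as soon as HostScan's OPSWAT library recognises it, with no DAP change. Drop the `lastupdate` test if "installed" alone is sufficient for your policy, and verify the expression with a test client before pairing it with a terminate action.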
04-15-2020 02:08 PM - edited 04-15-2020 02:09 PM
Hi,
I am having a problem with FTD and AnyConnect 4.8.02042 with profiles on Windows and Mac. I make some changes with the standalone profile editor and move the profile to the Profiles folder in ProgramData. Things like HostEntry and AllowManualHostInput are being recognized and applied, but changes to AuthenticationTimeout and EnableScripting are not.
After every change I exit the AnyConnect client and restart the service; I also restarted the computer for good measure. I can see which settings are being applied from the Event Viewer:
Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
It does not look like the FTD has a profile applied to it, since no files are downloaded to the Profiles folder. I have also passed the XML file through a validator with the XSD file.
Thanks