04-03-2020 05:28 PM - last edited on 04-27-2020 09:00 AM by Hilda Arteaga
Español | Português | Français | Русский | 日本語 | 简体中文 |
This event continues the conversation of our recent Community Ask Me Anything event "Secure Remote Workers".
Here’s your chance to discuss more about the configuration, troubleshooting and best practices for AnyConnect secure mobility client on a Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) and its integration with other Cisco security portfolio devices and technologies like ISE and Duo.
This session provides an opportunity to learn and ask questions about various aspects of AnyConnect implementation (using SSL and Ikev2) including (but not limited to) emergency licenses, configuration, deployment and troubleshooting AnyConnect that provides the security necessary to help ensure that your organization is safe and protected in such critical situation.
To participate in this event, please use the button below to ask your questions
Ask questions from Monday 6 to Friday, April 17, 2020
**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to Questions
Solved! Go to Solution.
04-16-2020 01:53 AM
04-05-2020 12:36 AM
Hi,
Could you please confirm which method we should use to generate the csr and upload it to the FTD firewall for Anyconnect users authentication.
Objects>PKI>Cert Enrollment or using Open SSL?
Thanks
Basavaraj
04-05-2020 02:56 AM
04-05-2020 05:18 AM
04-06-2020 04:03 AM
04-05-2020 04:07 AM
Hi Dinesh,Pulkit,Jason,Gustavo,
Thanks for hosting this Q&A session, I am going to list some questions that comes to mind at the moment
Thank you all, really.
PS: To not mix up you can refer the answer with the number of the queston.
04-06-2020 05:29 AM
Hi Giovanni,
Here are answers to your queries:
1. Here is a document you can refer to understand the flow and configuration steps required for ISE posture on FTD
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215236-ise-posture-over-anyconnect-remote-acces.html
2. The option to select Bypass Access Control policy for decrypted traffic would be recommended when we don´t want to inspect the VPN traffic through the Access Control Policy. Thus, the traffic will be just forwarded to the destination without any deep inspection from the FTD. To have this feature enabled or not, that depends on what your security requirements are and of the level of trust that you have on the remote access VPN users. If you don´t trust the traffic initiated from remote access VPN users, it is advised to apply deep inspection on the traffic generated from them.
For the record, this command is disabled by default on FTD and enabled by default on the ASA.
Please note that VPN Filter ACL and authorization ACL downloaded from AAA server are still applied to VPN traffic.
Use case of having "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" unchecked is if you want to allow the u-turning of Anyconnect user traffic to be able to access internet via FTD or perhaps access internal resources. With this feature being disabled, ACP checks will be performed and you can leverage features like URL filtering to restrict Anyconnect user initiated traffic.
3. Yes, RADIUS CoA is indeed supported on FTD from 6.3.0 version onwards and fully supported with newer versions.
4. You can create an AnyConnect client profile using the AnyConnect Profile Editor. This editor is a GUI-based configuration tool that is available as part of the AnyConnect software package. It is an independent program that you run outside of the Firepower Management Center.
For more information about AnyConnect Profile Editor, please refer:
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/anyconnect-profile-editor.html
5. You can leverage the API Explorer as it provides a limited interface for the REST API as well as giving a view of the abilities of the REST API.
https://<management_center_IP_or_name>:<https_port>/api/api-explorer
Here are few links to get you started with programming firepower using FMC APIs
https://blogs.cisco.com/security/how-to-get-started-on-programming-firepower-using-fmc-apis
https://www.cisco.com/c/en/us/td/docs/security/firepower/623/api/REST/Firepower_Management_Center_REST_API_Quick_Start_Guide_623/Objects_in_the_REST_API.html#concept_xh5_lt3_bcb
Here are some non Cisco links that might be helpful:
https://www.youtube.com/watch?v=a2DNeRxnnkA
https://www.youtube.com/watch?v=iTfmLk3kwdg
6. TAC uses CLI predominantly along with FMC GUI to troubleshoot issues related to ACP rules.
You can either use packet capture option at LINA CLI, similar to what is used on a traditional ASA
or
you can use "system support firewall-engine-debug" under FTD clish to confirm whether traffic flow is evaluated against the proper Access Control rule.
Here is a document for your reference:
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html#anc13
Regards,
Dinesh Moudgil
04-06-2020 11:33 PM
That's a question from Cisco customer:
How to ensure that the threat of the user's computer does not affect the server, when the user's computer uses VPN
Thanks.
04-07-2020 05:50 AM
04-07-2020 06:46 AM
Hi Yanli,
In addition to what Pulkit already mentioned, some companies use Always-On which prevents access to Internet resources when the computer is not on a trusted network, unless a VPN session is active. Enforcing the VPN to always be on in this situation protects the computer from security threats.
For companies that to do not enforce Always-On, besides the posture checks already mentioned + 2FA like DUO (to ensure only authorized people are using the VPN) we must add additional protection to the remote users as threat actors are taking advantage of the increase of unprotected remote workers to launch different campaigns. You can read our TALOS blog for more:
https://blog.talosintelligence.com/2020/03/covid-19-pandemic-threats.html
With Cisco Umbrella you can protect users from malicious Internet destinations even when they are not connected to the VPN at the DNS layer. Because it is delivered from the cloud, Umbrella makes it easy to protect users everywhere in minutes.
Also, we have the last line of defense which is Cisco Advanced Malware Protection (AMP) for Endpoints. This technology prevents breaches and blocks malware at the point of entry as well as detects, contains and remediates advanced threats if they evade the frontline of defense.
Regards,
Gustavo
04-07-2020 04:20 AM
I want to ask how to allow users communicate voice through skype for business or cisco jabber Anyconnect Remote Access VPN on ASA, and is below commends safe to be done from security prospective. also how I can make this internal communications monitored from our SIEM solution.
Enter the same-security-traffic command in order to make the FW as a HUB. And You’ll need to configure a nat rule for nat (outside , outside) for the pool address space to reach each other.
ciscoasa(config)#same-security-traffic permit intra-interface
Please note that this command allows traffic to enter and exit the same interface, which is disabled by default for security.
nat(outside,outside) source static “address pool obj” “address pool obj” dest static “address pool obj” “address pool obj” no-proxy-arp – route-lookup
And be place towards the top of your nat rules.
04-07-2020 06:37 AM
Hello ahmedmohsen56,
This is the only way to set up hairpining on the ASA to allow AnyConnect clients to talk to other AnyConnect clients. I would not consider this a great security threat, but it all depends on the needs of your company, and only you can make those decisions.
From the command reference:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html
The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the ASA is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the ASA and then out again to the other spoke.
Note All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the ASA.
What is it that your are trying to monitor via SIEM solution?
04-07-2020 07:26 AM
Hello Ahmed and Jason,
Couple of comments:
You can definitely monitor these communications on your SIEM the same way you are doing for other traffic. For better visibility of what your Remote Users are doing you can use Stealthwatch Enterprise or Stealthwatch Cloud as shown in these videos:
https://cs.co/SWE-RemoteMonitoring
https://cs.co/SWC-RemoteMonitoring
*We could even get to workload/app granularity with Tetration but that's a conversation for another day :)
Regards,
Gustavo
04-07-2020 04:49 AM
Hello,
I configure the Remote VPN with realms on the FTD via FMC. When I try to connect with AnyConnect I take the error "Login error".
Below is debug output from ldap 255 and webvpn anyconnect 127:
ldap_client_server_add: Add server:0.0.0.0, group=4
ldap_client_server_unlock: Free server:0.0.0.0, group=4
[12] Session Start
[12] New request Session, context 0x00002b5de5d453b0, reqType = Authentication
[12] Fiber started
[12] Failed to convert ip address 0.0.0.0
[12] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[12] Session End
Thanks for your help
04-07-2020 06:04 AM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide