cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
787
Views
5
Helpful
11
Replies

SSL VPN Requirements

Najib Akbari
Level 1
Level 1

Hi,

I have been informed that there is a potential vulnerability on our ASA SSL VPN since the webvpn is enabled. here is the config on the ASA with specific questions. please advise:

webvpn
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/cisco-secure-client-macos-5.1.3.62-webdeploy-k9.pkg 1
anyconnect image disk0:/cisco-secure-client-win-5.1.3.62-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-macos-4.10.08025-webdeploy-k9.pkg 3
anyconnect image disk0:/anyconnect-win-4.10.08025-webdeploy-k9.pkg 4
anyconnect profiles AlwaysOn disk0:/alwayson.xml
anyconnect profiles anyvpn_client_profile disk0:/anyvpn_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable

- the only service is needed to be active on this ASA is Client Based SSL VPN, so based on that what needs to be modified or can be removed from config? I guess i can not just disable webvpn because even though i am only using anyconnect client still it relies on webvpn service?

- if webvpn should not be disabled then what do i do to minimize it to ssl client vpn? here is the tunnel-protocol on policy config:

show run group-policy group_policy
group-policy group_policy internal
group-policy group_policy attributes
wins-server none
dns-server value A B
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_clients
default-domain value corporate.int
webvpn

- I basically want to use ASA only for client based vpn, no need for web access, not even for downloading client

 

Thanks

11 Replies 11

Webvpn is required for the VPN clients to connect to the firewall. What vulnerability are you referring to? did you check if there is any suggested code upgrade to fix it?

I have been asked to see if I can disable webpage accessibility on public interface which if I do no ip http .... then it will affect ASDM. so basically I want to see if I can disable it without affecting anyconnet and ASDM

Change port for webvpn 

For ASDM ypu can also change it port via

hostname(config)# http server enable [port]

Lastly you can use control plane ACL and deny any any traffic using http toward ASA

MHM

can you elaborate a bit please? here is my confusion :

- you said change the port on webvpn, but this is just changing port and can be figured out with port scan.

- you mentioned change ASDM port on http: this is not a concern in my case as http is only enabled on inside interface hence using control plane ACL also will not be required in this case.

the only two ports open on outside is ssl 443, which makes the HTTPS webpase open, and I am trying to mitigate that while anyconnect works in tact

You're right, changing the Webvpn port won't fix the issue here, although it will add a tiny bit of security until the malicious actors discover the new port.

Unlike the transit ACLs that we usually apply to the ASA that will inspect the transit traffic passing through the firewall, the control plane ACLs are the ACLs that will be inspecting the traffic destined to the firewall itself. For instance, if you want to deny certain countries from hitting your ASA then you can configure a control plane ACL with those countries IP addresses and apply it to the ASA.

In your case you could potentially configure a control plane ACL allowing the Webvpn traffic only from specific countries denying it from all other sources. The control plane ACL look and feel is pretty much the same as the normal ACLs, the big two differences is that when you apply the control plane ACLs you have to add the keyword "control-plane" to the "access-group" command at the very end. The other major difference is that the control plane ACLs do not have an implicit deny at the end. You don't have to add any explicit deny to the control plane ACL.

Finally, the control plane ACLs are usually applied to the outside interfaces to protect against the unwanted public internet traffic.

Thank you for the clarification and details. I guess it won't be easy to block certain countries on ASA as it deals with IP? on FGate as its nextgen and have DB its easy

You're welcome. Yes that's true. Unfortunately it is still the same with the FTDs as well unless something changed in the very last release which I didn't test yet. I know other vendors have a more handy way to do this such as Fortinet and Palo where you can select the country from the internal DB and all the IP addresses lookup will be done by the device itself.

You need to change anyconnect port to be for example 4443 instead of 443 

Then add acl control plane deny tcp any any eq 443 

This make any attack to port 443 drop by asa

I suggest country public IP ACL for other' but I prefer using different anyconnect port in FW

https://community.cisco.com/t5/routing/increase-max-nat-translation-limit-on-c8000v-router/m-p/5193624#M403709

MHM

Najib Akbari
Level 1
Level 1

ASA experts, is it recommended to put ASA ( only used for cisco secure/Any connect remote VPN ) behind the Fortigate firewall ? just to make use of Fortigate country block feature?

I just setup a LAB of one ASA and connected outside interface directly to one of Fortigate ports as L3 with ASA 10.1.1.2 and Fortigate 10.1.1.1 then set 0 route on ASA to point to 10.1.1.1. on fortigate create an incoming firewall policy for VPN traffic from putblic interface toward the link connected to ASA and  put the destination a VIP ( static NAT of one public IP to private IP 10.1.1.1  with port forwarding 443 only ). I am testing it and so far it works fine.

please advise on this design if it is recommended, any changes? any concern about the setup and or performance tips and so on ...

Thank you!

 

@Najib Akbari yes that is a good solution (and has been recommended on here before) putting the ASA behind an NGFW such as fortinet and using Geolocation block functionality, as that feature is not supported on the ASA.

I believe in future versions of FTD software you might be able to use Geolocation on the control plane to restrict VPN access from country, but as of now that functionality is not available.

Thank you very much!