SSL VPN Requirements

Najib Akbari
Level 1

Hi,

I have been informed that there is a potential vulnerability on our ASA SSL VPN since webvpn is enabled. Here is the config on the ASA, with specific questions. Please advise:

webvpn
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/cisco-secure-client-macos-5.1.3.62-webdeploy-k9.pkg 1
anyconnect image disk0:/cisco-secure-client-win-5.1.3.62-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-macos-4.10.08025-webdeploy-k9.pkg 3
anyconnect image disk0:/anyconnect-win-4.10.08025-webdeploy-k9.pkg 4
anyconnect profiles AlwaysOn disk0:/alwayson.xml
anyconnect profiles anyvpn_client_profile disk0:/anyvpn_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable

- The only service that needs to be active on this ASA is client-based SSL VPN, so based on that, what needs to be modified or can be removed from the config? I guess I cannot just disable webvpn because, even though I am only using the AnyConnect client, it still relies on the webvpn service?

- If webvpn should not be disabled, then what do I do to minimize it to SSL client VPN? Here is the tunnel-protocol on the policy config:

show run group-policy group_policy
group-policy group_policy internal
group-policy group_policy attributes
wins-server none
dns-server value A B
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_clients
default-domain value corporate.int
webvpn

- I basically want to use the ASA only for client-based VPN; no need for web access, not even for downloading the client.


Thanks


Webvpn is required for the VPN clients to connect to the firewall. What vulnerability are you referring to? Did you check if there is any suggested code upgrade to fix it?

I have been asked to see if I can disable webpage accessibility on the public interface, which, if I do no ip http ...., will affect ASDM. So basically I want to see if I can disable it without affecting AnyConnect and ASDM.

Change the port for webvpn.

For ASDM you can also change its port via

hostname(config)# http server enable [port]

Lastly, you can use a control plane ACL and deny any-any traffic using HTTP toward the ASA.

MHM

Can you elaborate a bit, please? Here is my confusion:

- You said change the port on webvpn, but this is just changing the port, and it can be figured out with a port scan.

- You mentioned changing the ASDM port on http: this is not a concern in my case, as http is only enabled on the inside interface; hence using a control plane ACL also will not be required in this case.

The only two ports open on the outside are SSL 443, which makes the HTTPS webpage open, and I am trying to mitigate that while keeping AnyConnect working intact.

You're right, changing the Webvpn port won't fix the issue here, although it will add a tiny bit of security until the malicious actors discover the new port.

Unlike the transit ACLs that we usually apply to the ASA that will inspect the transit traffic passing through the firewall, the control plane ACLs are the ACLs that will be inspecting the traffic destined to the firewall itself. For instance, if you want to deny certain countries from hitting your ASA then you can configure a control plane ACL with those countries IP addresses and apply it to the ASA.

In your case you could potentially configure a control plane ACL allowing the Webvpn traffic only from specific countries, denying it from all other sources. The control plane ACL look and feel is pretty much the same as the normal ACLs; the two big differences are that when you apply the control plane ACLs you have to add the keyword "control-plane" to the "access-group" command at the very end. The other major difference is that the control plane ACLs do not have an implicit deny at the end. You don't have to add any explicit deny to the control plane ACL.

Finally, the control plane ACLs are usually applied to the outside interfaces to protect against the unwanted public internet traffic.

Thank you for the clarification and details. I guess it won't be easy to block certain countries on the ASA as it deals with IPs? On FortiGate, as it's next-gen and has a DB, it's easy.

You're welcome. Yes, that's true. Unfortunately it is still the same with the FTDs as well, unless something changed in the very last release, which I didn't test yet. I know other vendors have a more handy way to do this, such as Fortinet and Palo, where you can select the country from the internal DB and all the IP address lookups will be done by the device itself.

You need to change the AnyConnect port to be, for example, 4443 instead of 443.

Then add a control plane ACL: deny tcp any any eq 443

This makes any attack on port 443 get dropped by the ASA.

I suggest a country public IP ACL for others, but I prefer using a different AnyConnect port in the FW.

https://community.cisco.com/t5/routing/increase-max-nat-translation-limit-on-c8000v-router/m-p/5193624#M403709

MHM
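The port change plus control-plane ACL described in the two replies above, written out as an ASA configuration excerpt. This is an added illustration, not the original poster's config; the interface name outside, the ACL name CP-OUTSIDE and port 4443 are assumed values.

```cisco
! Before (weak): Cisco Secure Client/AnyConnect and the WebVPN portal both
! answer on TCP 443 of the outside interface, and no control-plane ACL
! filters traffic destined to the ASA itself.
webvpn
 enable outside
 anyconnect enable

! After: move the SSL VPN listener to 4443 for TLS. DTLS keeps its own UDP
! listener, so move that too so both stay on the same port.
! Port 4443 and the names outside/CP-OUTSIDE are assumed values.
webvpn
 port 4443
 dtls port 4443
 enable outside
 anyconnect enable

! Control-plane ACL: unlike a transit ACL it filters traffic TO the ASA and
! has no implicit deny, so only this explicit deny line takes effect.
! Probes and portal requests on TCP 443 are dropped; 4443 is untouched.
access-list CP-OUTSIDE extended deny tcp any any eq 443
access-group CP-OUTSIDE in interface outside control-plane

! Verification: the hit count on the deny line grows as probes on 443 arrive.
show access-list CP-OUTSIDE
show run webvpn
```

Clients then need the new port in the address they connect to (for example vpn.example.com:4443, a placeholder host), and ASDM on the inside interface is unaffected because the ACL is bound to outside only.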

Najib Akbari
Level 1

ASA experts, is it recommended to put the ASA (only used for Cisco Secure Client/AnyConnect remote VPN) behind the FortiGate firewall, just to make use of the FortiGate country block feature?

I just set up a lab with one ASA and connected its outside interface directly to one of the FortiGate ports as L3, with the ASA at 10.1.1.2 and the FortiGate at 10.1.1.1, then set a default route on the ASA to point to 10.1.1.1. On the FortiGate I created an incoming firewall policy for VPN traffic from the public interface toward the link connected to the ASA and set the destination to a VIP (static NAT of one public IP to private IP 10.1.1.1, with port forwarding of 443 only). I am testing it and so far it works fine.

Please advise on this design: is it recommended? Any changes? Any concerns about the setup, performance tips, and so on...

Thank you!


@Najib Akbari yes, that is a good solution (and has been recommended on here before): putting the ASA behind an NGFW such as Fortinet and using the geolocation block functionality, as that feature is not supported on the ASA.

I believe in future versions of the FTD software you might be able to use geolocation on the control plane to restrict VPN access by country, but as of now that functionality is not available.

Thank you very much!