ASA AnyConnect SBL

This post describes how to configure the Cisco ASA and AnyConnect VPN to use the Start Before Logon (SBL) feature. SBL allows the user to connect to the VPN before logging on to Windows, so that the domain controller is reachable at logon and login scripts and Windows Group Policies can be applied.

Create/Modify the AnyConnect Profile

  • Open the AnyConnect VPN Profile Editor
  • Open the existing VPN Profile or create a new file
  • Under VPN > Preferences (Part 1) select User Start Before Logon
  • Ensure the Certificate Store is All
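As an added example (not the post's own configuration), the ASA side needed to push the SBL profile and module to Windows clients. The group-policy name, profile name, image filename and interface name are assumptions; the XML profile is the one saved from the Profile Editor steps above.

```cisco
! Added example, not the post's configuration. Names and paths are assumptions.
! Upload the XML profile saved from the Profile Editor to flash first.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<version>-webdeploy-k9.pkg 1
 ! register the profile so it can be referenced from a group-policy
 anyconnect profiles SBL-PROFILE disk0:/sbl-profile.xml
 anyconnect enable
!
group-policy GP-SBL internal
group-policy GP-SBL attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  ! push the Start Before Logon module (the pre-logon GINA/PLAP component)
  anyconnect modules value vpngina
  ! push the profile in which UseStartBeforeLogon is enabled
  anyconnect profiles value SBL-PROFILE type user
```

The profile written by the editor carries `<UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>` and `<CertificateStore>All</CertificateStore>`. The certificate store setting matters because no user certificate store exists before anyone has logged on: with `All` (or `Machine`) the client can fall back to a machine certificate at the logon screen, whereas `User` will fail at that point.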

ASA Split Tunnelling

When using a Cisco ASA for Remote Access VPN (SSL-VPN or IKEv2/IPSec) with the AnyConnect client, the default is that ALL traffic from the AnyConnect VPN client is encrypted and tunnelled back to the ASA. When the ASA is the VPN headend for the AnyConnect client you can use the split tunnelling feature, which can be configured to include only certain networks in the VPN tunnel or to exclude certain networks from it.

The basic configuration of a Remote Access VPN to tunnel all traffic back to the ASA:

group-policy GP-1 internal
group-policy GP-1 attributes
dns-server value
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
address-pools value VPN_POOL

On Windows the AnyConnect Route Details would indicate is a Secured Route, meaning all traffic is tunnelled back to the ASA.
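As an added example (not the post's configuration), the two split-tunnel variants beside the tunnelall policy above. The network prefixes, DNS domain and policy names are assumptions.

```cisco
! Added example, not the post's configuration. Prefixes and names are assumptions.
! Variant 1: tunnel ONLY the listed corporate networks; all other traffic leaves
! the client directly. Route Details will show these as the Secured Routes.
access-list SPLIT-INCLUDE standard permit 10.10.0.0 255.255.0.0
access-list SPLIT-INCLUDE standard permit 192.168.100.0 255.255.255.0
!
group-policy GP-SPLIT-INCLUDE internal
group-policy GP-SPLIT-INCLUDE attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-INCLUDE
 ! send only the internal domain to the tunnel DNS servers, the rest resolves locally
 split-dns value corp.example.com
 split-tunnel-all-dns disable
!
! Variant 2: tunnel EVERYTHING except the listed networks (e.g. a home LAN printer
! subnet). The client must also have "Allow Local LAN Access" enabled for this to work.
access-list SPLIT-EXCLUDE standard permit 192.168.1.0 255.255.255.0
!
group-policy GP-SPLIT-EXCLUDE internal
group-policy GP-SPLIT-EXCLUDE attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT-EXCLUDE
```

Split tunnelling is a trade-off: with `tunnelspecified` or `excludespecified` the remote host sits on an untrusted network and the corporate network at the same time, so whatever traffic you leave outside the tunnel is also outside the ASA's inspection and logging. Keep the include list to what the user actually needs and check the result on the client with the Route Details tab, where the tunnelled networks appear as Secured Routes.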


ASA VPN Filter

When configuring a VPN (crypto map or VTI) on a Cisco ASA firewall, all traffic inside the tunnel is permitted by default. The command sysopt connection permit-vpn is enabled by default; with it enabled the interface ACLs are bypassed for traffic arriving through a VPN tunnel, so everything the remote side sends over the tunnel is allowed. To restrict traffic within a VPN tunnel on an ASA a VPN Filter must be configured. Multiple VPN Filters can be defined, and a filter is assigned per group-policy, therefore effectively per VPN tunnel.

The VPN Filter uses an Access List, but the ACEs are not written as for a normal interface ACL: the SOURCE network/port is always the REMOTE network and the DESTINATION is always the LOCAL network/port. The VPN Filter is stateful and will therefore permit the return traffic without it having to be explicitly permitted. As with any ACL there is an implicit deny at the end, so once a filter is applied anything not explicitly permitted is dropped.

This post will not cover the configuration of the VPN itself on the ASA; that has been covered in the earlier VTI and Crypto Map posts.

ASA Configuration

In this example a VPN between HQ_ASA and BRANCH-3_ASA is already configured and operational. A VPN Filter will be configured and applied only to the HQ ASA. Remember that, as far as the VPN Filter ACL is concerned, the SOURCE network is the BRANCH-3 network ( and the DESTINATION will be the HQ network (
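As an added example (not the post's configuration), a VPN Filter on the HQ ASA that follows the remote-is-source rule, including the case that trips people up: a connection that HQ initiates towards the branch. The prefixes (BRANCH-3 192.168.3.0/24, HQ 10.0.0.0/24), the peer address and the names are assumptions, and the tunnel-group for the peer is assumed to already exist from the VPN configuration.

```cisco
! Added example, not the post's configuration. Prefixes, peer and names are assumptions.
! BRANCH-3 LAN 192.168.3.0/24 is REMOTE (always the ACE source)
! HQ LAN      10.0.0.0/24    is LOCAL  (always the ACE destination)
!
! Branch-initiated: branch hosts may reach the HQ web server and ping the HQ LAN.
! The filter is stateful, so the replies need no ACE.
access-list VPNFILTER-BRANCH3 extended permit tcp 192.168.3.0 255.255.255.0 host 10.0.0.10 eq 443
access-list VPNFILTER-BRANCH3 extended permit icmp 192.168.3.0 255.255.255.0 10.0.0.0 255.255.255.0 echo
!
! HQ-initiated: written "backwards". To let HQ hosts SSH to branch devices the
! remote network is still the source, but the port goes on the SOURCE side.
access-list VPNFILTER-BRANCH3 extended permit tcp 192.168.3.0 255.255.255.0 eq 22 10.0.0.0 255.255.255.0
! everything else over this tunnel is dropped by the filter's implicit deny
!
group-policy GP-BRANCH3 internal
group-policy GP-BRANCH3 attributes
 vpn-filter value VPNFILTER-BRANCH3
!
! attach the group-policy to the existing L2L tunnel-group (named by the peer IP)
tunnel-group 203.0.113.3 general-attributes
 default-group-policy GP-BRANCH3
!
! verification: the session detail shows the "Filter Name" in use
! show vpn-sessiondb detail l2l
! show access-list VPNFILTER-BRANCH3   (hit counts per ACE)
```

Apply the filter on one side first and watch the hit counts; the last ACE above is the one that is commonly forgotten, and without it the HQ-side SSH sessions fail silently inside the tunnel while the branch-side traffic still works.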


Cisco TrustSec on ASA Firewall

In a previous post Cisco TrustSec was discussed and enforcement was implemented on a Cisco CSR1000v router, using Cisco ISE to dynamically classify the traffic. In this post we will implement enforcement on a Cisco ASA Firewall. Unlike a Cisco switch or router, the ASA does not use the TrustSec policy matrix on ISE as the enforcement point. Instead the ASA downloads the CTS environment data (the SGT name and number table), and the SGTs are then referenced as source and destination in a normal ASA access list.

The advantage of using an ASA Firewall for TrustSec enforcement over a Cisco switch or router is that the ASA firewall rules are stateful, unlike the ACLs on a switch or router which are not stateful.

In this blog post we will set up a simple lab using ISE and ASAv. ISE will be configured with TrustSec SGTs, SXP and a basic Authorization Policy. Secure communication between the ASA and ISE will be established by the use of a PAC file (Protected Access Credential). The ASA will use this secure channel to authenticate and establish a RADIUS connection to ISE to download the CTS environment data, which contains the SGT table. An SXP connection between ISE and the ASA will be established to transfer the static IP-to-SGT bindings (the servers in the DC) and the dynamically assigned bindings for the authenticated users.

Basic configuration of ISE is not covered in this post. The posts below describe the configuration of ISE and TrustSec in greater detail:

Initial Cisco ISE Configuration – Basic configuration ISE
Configured Wired 802.1x/MAB authentication with Cisco ISE – Configuring dot1x authentication on ISE
Cisco TrustSec Enforcement using Cisco ISE – ISE configuration and enforcement on a Cisco CSR1000v router
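As an added example (not the post's configuration), the ASA side of the lab described above: the RADIUS server group, the imported PAC, the SXP listener towards ISE, and an SGT-based access list. The ISE address, ASA address, secrets, SGT numbers and names are assumptions; the PAC file is assumed to have been generated for this device on ISE and copied to flash.

```cisco
! Added example, not the post's configuration. Addresses, secrets, SGTs and names are assumptions.
! 1. RADIUS server group: the ASA authenticates to ISE over this and fetches environment data
aaa-server ISE-CTS protocol radius
aaa-server ISE-CTS (inside) host 10.0.0.5
 key ISE-SHARED-SECRET
!
! 2. Import the PAC generated on ISE for this ASA, then bind CTS to the server group.
!    The PAC is the credential for the secure channel; protect the password and the file.
cts import-pac disk0:/hq-asa.pac password PAC-PASSWORD
cts server-group ISE-CTS
!
! 3. SXP: the ASA is the listener, ISE is the speaker pushing IP-to-SGT bindings
cts sxp enable
cts sxp default password SXP-PASSWORD
cts sxp default source-ip 10.0.0.1
cts sxp connection peer 10.0.0.5 password default mode local listener
!
! 4. Enforcement: SGTs used directly as source and destination in a normal, stateful ACL.
!    Assumed SGTs defined on ISE: 10 = Employees, 20 = DC_Servers, 30 = Contractors
access-list OUTSIDE_IN extended permit tcp security-group tag 10 any security-group tag 20 any eq 443
access-list OUTSIDE_IN extended permit tcp security-group name Employees any security-group name DC_Servers any eq 22
access-list OUTSIDE_IN extended deny ip security-group tag 30 any security-group tag 20 any
access-group OUTSIDE_IN in interface outside
!
! verification
! show cts environment-data      (SGT table downloaded from ISE)
! show cts sxp connections       (state should be On)
! show cts sxp sgt-map           (bindings learned over SXP)
```

The ACL only matches an SGT if the ASA has a binding for the packet's IP address, so if `show cts sxp sgt-map` is empty the SGT-based ACEs will not match and the traffic falls through to whatever the rest of the ACL says. Check the bindings before assuming the policy is wrong.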


Allow ICMP/Traceroute through Cisco ASA

By default the ASA does permit ICMP TO any of its own interfaces, but it does not permit ICMP THROUGH the ASA: an echo request from the inside is allowed out to the lower-security outside interface, but because ICMP is not tracked as a connection by default the echo reply coming back is dropped. In other words you need to specifically configure the ASA to permit the ICMP replies. This can be achieved in 2 ways, either by enabling ICMP inspection (which makes ICMP stateful) or by configuring an ACL inbound on the outside interface permitting echo-reply (which is stateless and allows any outside host to send echo replies inwards).

From a LAN switch on the inside of the ASA we ping a device on the outside; with no specific configuration this should fail.
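As an added example (not the post's configuration), both methods side by side, with the extra ICMP error inspection that traceroute needs. The policy-map and class names are the ASA defaults; the ACL name and the outside interface name are assumptions.

```cisco
! Added example, not the post's configuration. ACL and interface names are assumptions.
! Method 1 (preferred): make ICMP stateful. Only replies to inside-initiated echo
! requests are allowed back in. "inspect icmp error" also tracks the ICMP errors
! (time-exceeded, unreachable) that traceroute relies on.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 ! optional: decrement TTL so the ASA itself appears as a hop in traceroute output
 class class-default
  set connection decrement-ttl
!
! Method 2: stateless ACL inbound on the outside interface. This is broader than
! inspection: any outside host can send these ICMP types to inside hosts at any time.
! If an ACL is already applied to outside, add the ACEs to that ACL instead.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! verification
! show service-policy inspect icmp
! show access-list OUTSIDE_IN
```

Use Method 1 unless there is a reason not to; it keeps the ASA's stateful model and does not open a permanent hole for ICMP from the outside. With inspection enabled the ping from the inside switch succeeds without any change to the interface ACLs.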


Install FTD 6.2.3 on Cisco ASA 5506-X

This post will describe the process to install the FTD boot image and FTD system image v6.2.3 on a Cisco ASA 5506-X firewall. The images listed below will be required and can be downloaded from the Cisco website.

  • FTD Boot Image (ftd-boot-
  • FTD System Image (ftd-6.2.3-83.pkg)

In order to download the images to the ASA a TFTP, FTP or HTTP server will be required.

  • TFTP Server (e.g. Solarwinds TFTP) required to load the Boot Image
  • FTP or HTTP Server required to load the FTD System Image

IKEv2/IPSec VTI tunnel between ASA Firewall and IOS Router

Cisco introduced VTI (Virtual Tunnel Interface) on ASA Firewalls in version 9.7.1 as a route-based alternative to policy-based crypto maps. Cisco IOS routers have long supported VTI (sVTI, DVTI, DMVPN, FlexVPN etc). This post will describe the steps to configure a VTI between a Cisco ASA Firewall and a Cisco IOS Router.

Hardware/Software used:
Cisco ASAv (v9.9.1)
Cisco CSR1000v (v16.3.3)
