This post describes how to configure the Cisco ASA and AnyConnect VPN to use the Start Before Logon (SBL) feature. SBL allows the user to connect to the VPN before logging on to Windows, so that login scripts and Windows Group Policies are applied at logon.
Create/Modify the AnyConnect Profile
Open the AnyConnect VPN Profile Editor
Open the existing VPN Profile or create a new file
Under VPN > Preferences (Part 1) select Use Start Before Logon
When using a Cisco ASA for Remote Access VPN (SSL-VPN or IKEv2/IPsec) with the AnyConnect client, in most typical scenarios ALL traffic from the AnyConnect VPN client is encrypted and tunnelled back to the ASA. When using the ASA as the VPN headend with the AnyConnect client you can use the split tunnelling feature, which can be configured to include or exclude specific networks from the VPN tunnel.
The basic configuration of a Remote Access VPN to tunnel all traffic back to the ASA:

group-policy GP-1 internal
group-policy GP-1 attributes
 dns-server value 192.168.10.5 192.168.10.6
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 address-pools value VPN_POOL
On Windows the AnyConnect Route Details would indicate 0.0.0.0/0 is a Secured Route, meaning all traffic is tunnelled back to the ASA.
When configuring a VPN (crypto map or VTI) on a Cisco ASA firewall, by default all traffic is permitted through the tunnel. The command sysopt connection permit-vpn is enabled by default; with this command the interface ACLs are bypassed for traffic arriving over the VPN tunnel, therefore permitting all traffic over the VPN tunnels. In order to restrict traffic within a VPN tunnel on an ASA a VPN Filter must be configured; multiple VPN Filters can be configured and assigned per group-policy, therefore per VPN tunnel.
The VPN Filter uses an access list, however the ACEs are not written as in a normal ACL: the SOURCE network/port is always the REMOTE network and the DESTINATION is always the LOCAL network/port. The VPN Filter is stateful and will therefore permit the return traffic without it having to be explicitly permitted.
This post will not cover the configuration of a VPN on the ASA; this has been covered in the following posts: VTI or Crypto Map.
In this example a VPN between HQ_ASA and BRANCH-3_ASA is already configured and operational. A VPN Filter will be configured and applied only to the HQ ASA. It is important to remember that, as far as the VPN Filter ACL is concerned, the SOURCE network is the BRANCH-3 network (10.30.0.0/22) and the DESTINATION is the HQ network (10.10.0.0/22).
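The following is an added example of what the VPN Filter on the HQ ASA could look like, written to illustrate the remote-as-source rule described above; it is not the post's own configuration. The object, ACL and group-policy names (BRANCH3-NET, HQ-NET, VPN-FILTER-BRANCH3, GP-BRANCH3) and the peer placeholder are assumptions.

```cisco
! Added example for the HQ ASA (object/ACL/group-policy names are assumed).
object network BRANCH3-NET
 subnet 10.30.0.0 255.255.252.0
object network HQ-NET
 subnet 10.10.0.0 255.255.252.0
!
! In a VPN Filter the source is ALWAYS the remote (BRANCH-3) network and the
! destination is ALWAYS the local (HQ) network, whichever side starts the flow.
!
! Branch hosts may reach HQ web servers on TCP/443 (branch initiates).
access-list VPN-FILTER-BRANCH3 extended permit tcp object BRANCH3-NET object HQ-NET eq 443
!
! HQ hosts may SSH to branch devices (HQ initiates). The port still belongs on the
! remote/source side, because the ACE is read from the remote end's point of view.
access-list VPN-FILTER-BRANCH3 extended permit tcp object BRANCH3-NET eq 22 object HQ-NET
!
! One ICMP ACE covers pings started from either side, since the filter is applied
! in both directions with the same remote->local orientation.
access-list VPN-FILTER-BRANCH3 extended permit icmp object BRANCH3-NET object HQ-NET
!
! Anything not matched above is dropped by the implicit deny; return traffic for
! permitted flows is allowed by the filter's stateful behaviour.
group-policy GP-BRANCH3 internal
group-policy GP-BRANCH3 attributes
 vpn-filter value VPN-FILTER-BRANCH3
!
! Bind the group-policy to the BRANCH-3 L2L tunnel-group (peer address is a placeholder).
tunnel-group <BRANCH3-PEER-IP> general-attributes
 default-group-policy GP-BRANCH3
```

After applying, `show vpn-sessiondb detail l2l` on the HQ ASA shows the filter name against the session, and `show access-list VPN-FILTER-BRANCH3` hit counts confirm which ACEs the tunnelled traffic is matching.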
In a previous post Cisco TrustSec was discussed and enforcement was implemented on a Cisco CSR1000v router, using Cisco ISE to dynamically classify the traffic. In this post we will implement enforcement on a Cisco ASA firewall. Unlike TrustSec enforcement on a Cisco switch or router, when the ASA is the enforcement point the TrustSec matrix on ISE is not utilised. Instead the ASA downloads the CTS environment data (the SGTs), and these are referenced as the source and destination in a normal ASA access list.
The advantage of using an ASA Firewall for TrustSec enforcement over a Cisco switch or router is that the ASA firewall rules are stateful, unlike the ACLs on a switch or router which are not stateful.
Scenario
In this blog post we will set up a simple lab using ISE and an ASAv. ISE will be configured with TrustSec SGTs, SXP and a basic Authorization Policy. Secure communication between the ASA and ISE will be established by the use of a PAC file (Protected Access Credential). The ASA will use this secure channel to authenticate and establish a RADIUS connection to ISE to download the CTS environment data, which contains the SGT table. An SXP connection between ISE and the ASA will be established to transfer the static SXP bindings (the servers in the DC) and the dynamically assigned bindings for the authenticated users.
Basic configuration of ISE is not covered in this post. The posts below describe in greater detail the configuration of ISE and TrustSec:
By default the ASA permits ICMP replies TO any ASA interface, but does not permit ICMP THROUGH the ASA. In other words, you need to specifically configure the ASA to permit the ICMP replies. This can be achieved in two ways: either by enabling ICMP inspection or by configuring an ACL inbound on the outside interface permitting echo-reply.
From a LAN switch on the inside of the ASA we ping a device on the outside; with no specific configuration this should fail.
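As an added example (not the post's own configuration), both methods are shown below; use one or the other. The interface name "outside" and the ACL name OUTSIDE-IN are assumptions, and the ACL method goes slightly beyond the text by also permitting the time-exceeded and unreachable types needed for traceroute and path-MTU discovery.

```cisco
! Added example; interface and ACL names are assumed.
!
! Method 1: ICMP inspection. The ASA tracks the outbound echo-request and
! permits only the matching echo-reply back in, like any other stateful flow.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Method 2: permit the return ICMP types explicitly on the outside interface.
! Keep it narrow: echo-reply plus the error types, never "permit icmp any any".
! If an inbound ACL is already applied to outside, add these ACEs to that ACL
! instead, because access-group replaces the ACL bound to the interface.
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-group OUTSIDE-IN in interface outside
```

With Method 2 the ACL still blocks inbound echo requests from the outside, so only replies to pings started from the inside are admitted.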
This post will describe the process to install the FTD boot image and FTD system image v6.2.3 on a Cisco ASA 5506-X firewall. The images listed below will be required and can be downloaded from the Cisco website here.
FTD Boot Image (ftd-boot-22.214.171.124.lfbff)
FTD System Image (ftd-6.2.3-83.pkg)
In order to download the images to the ASA a TFTP, FTP or HTTP server will be required.
TFTP Server (e.g. Solarwinds TFTP) required to load the Boot Image
FTP or HTTP Server required to load the FTD System Image
Cisco introduced VTI on ASA firewalls in version 9.7.1 as an alternative to policy-based crypto maps. Cisco IOS routers have long supported VTI (sVTI, DVTI, DMVPN, FlexVPN etc.). This post will describe the steps to configure a VTI between a Cisco ASA firewall and a Cisco IOS router.