Anyconnect vpn

adamgibs7
Level 6

Dears,

 

I have some questions, please answer.

 

Can 3DES be broken, or is it still considered secure? Please suggest.

 

Corporate users are using the AnyConnect client VPN. To get a VPN client we have to enter https://<public IP address of the firewall>; they get a certificate error and then they get a chance to download the client.

 

Now it seems to me that using https://<public IP address> to access the ASA for the AnyConnect client for the first time is insecure. Is it insecure? Please suggest. Or is manually installing the client instead the best practice?


Hi, according to this Cisco document, 3DES is considered legacy and provides marginal but acceptable security. AES should be an acceptable minimum nowadays; use the link provided to decide which algorithms to use.

 

I would recommend installing a signed certificate from a public certificate authority (e.g. Verisign, Comodo, etc.) and ensuring the users' laptops trust this certificate.

Marvin Rhoads
Hall of Fame

As noted in the other reply, 3DES should be avoided.

 

Assuming you have current code (9.2 or later), you can set up your ASA to only negotiate strong SSL ciphers with the client. The following commands will do that:

 

ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"

That plus a certificate signed by a trusted Certificate Authority (CA) will help secure your SSL VPN better.
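To check a cipher list like the one above before applying it, here is a small audit script. It is an added example, not Cisco's code and not part of this thread: it parses `ssl cipher <version> custom "..."` lines copied from an ASA configuration and flags each suite name for 3DES/RC4/MD5/NULL/export/anonymous suites, missing forward secrecy, and HMAC-SHA1 with CBC. The suite-name heuristics and the sample config are assumptions; the sample repeats the three lines from the reply above and adds a constructed `tlsv1.1` line with legacy suites so that the audit has something to flag.

```python
"""Audit ASA "ssl cipher ... custom" lines for weak cipher suites.

Added example, not Cisco's code and not from the original post: it inspects
suite names only and never connects to the ASA. Suite names follow the
OpenSSL convention the ASA uses, e.g. ECDHE-ECDSA-AES256-SHA384.
"""
import re
from typing import Dict, List

# Constructed sample config: the three lines from the reply above, plus a
# constructed tlsv1.1 line with legacy suites so the audit has something to flag.
SAMPLE_CONFIG = """
ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
ssl cipher tlsv1.1 custom "DES-CBC3-SHA;RC4-SHA"
"""

# Substrings of suite names that mark ciphers treated as broken or legacy
# (heuristic list, an assumption of this example).
LEGACY_MARKERS = {
    "DES-CBC3": "3DES (64-bit block size)",
    "DES-CBC-": "single DES (56-bit key)",
    "RC4": "RC4 stream cipher",
    "MD5": "MD5-based MAC",
    "NULL": "no encryption",
    "EXP": "export-grade key length",
    "ADH": "anonymous DH (server not authenticated)",
    "AECDH": "anonymous ECDH (server not authenticated)",
}

SSL_CIPHER_RE = re.compile(r'^\s*ssl cipher (\S+) custom "([^"]+)"', re.MULTILINE)


def audit_suite(name: str) -> List[str]:
    """Return the concerns for one suite name; an empty list means no concern."""
    suite = name.strip().upper()
    findings = [f"legacy: {why}" for marker, why in LEGACY_MARKERS.items() if marker in suite]
    # Ephemeral (EC)DH key exchange is spelled out in the name; a suite such as
    # AES256-SHA uses static RSA key exchange and therefore has no forward secrecy.
    if not any(token in suite for token in ("DHE", "EDH", "ADH", "AECDH")):
        findings.append("no forward secrecy (static RSA key exchange)")
    # AEAD suites (GCM/CCM/ChaCha20) carry their own integrity check; CBC suites
    # whose name ends in plain "-SHA" use HMAC-SHA1.
    is_aead = any(token in suite for token in ("GCM", "CCM", "CHACHA20"))
    if not is_aead and suite.endswith("-SHA"):
        findings.append("HMAC-SHA1 with CBC mode")
    return findings


def audit_cipher_list(cipher_string: str) -> Dict[str, List[str]]:
    """Audit every suite in a ';'-separated ASA custom cipher string."""
    return {s.strip(): audit_suite(s) for s in cipher_string.split(";") if s.strip()}


def has_legacy(cipher_string: str) -> bool:
    """True if any suite in the string is flagged as legacy/broken."""
    return any(f.startswith("legacy:")
               for findings in audit_cipher_list(cipher_string).values()
               for f in findings)


def parse_ssl_cipher_lines(config_text: str) -> Dict[str, str]:
    """Map each 'ssl cipher <version> custom "..."' line to its cipher string."""
    return {version: ciphers for version, ciphers in SSL_CIPHER_RE.findall(config_text)}


def audit_config(config_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Audit every ssl cipher line in an ASA config excerpt."""
    return {version: audit_cipher_list(ciphers)
            for version, ciphers in parse_ssl_cipher_lines(config_text).items()}


if __name__ == "__main__":
    for version, suites in audit_config(SAMPLE_CONFIG).items():
        print(f"ssl cipher {version}:")
        for suite, findings in suites.items():
            print(f"  {suite}: {'; '.join(findings) or 'ok'}")
```

Run against the lines above, the script reports no legacy suites, but it does note that `AES256-SHA` and `AES128-SHA256` use static RSA key exchange (no forward secrecy) and that `AES256-SHA` relies on HMAC-SHA1; the constructed `tlsv1.1` line is flagged for 3DES and RC4. Treat the output as a review aid, not as proof of what the ASA will actually negotiate.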

Dears,

 

Thanks for your replies.

 

The main goal here is to stop https://<public IP address> of the ASA from being accessible directly from outside, while keeping the AnyConnect SSL VPN for the users.

thanks

If I was running 9.2 I would patch it: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

 

;-)

Please remember to rate useful posts, by clicking on the stars below.

Dears,

 

By patching to the fixed version, what will be new? Will the ASA no longer be accessible by https://<outside public IP> for hacking?

 

thanks

As long as you are running SSL VPN for your Anyconnect users, the ASA outside address must be listening for the incoming SSL sessions.

 

By default it uses tcp/443, but it can be changed to use a non-standard TCP port if you like.


@Dennis Mink wrote:

If I was running 9.2 I would patch it: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

 

;-)


I only mentioned 9.2 because that is the first release that introduced support for the stronger ciphers.

 

One should always consult the release notes and choose the best release for their environment based on platform, features, stability and security.

Dears,

Instead of the outside interface, can I enable SSL termination on a public IP which is not assigned to any interface but lies in the SSL VPN configuration in global config? I mean the same logic as NATing a server from a public IP to a private IP; the only difference is that there is no interface assigned.

 

Thanks

No - on an ASA, the SSL VPN trustpoint must be associated with the interface on which the client traffic arrives.

Thanks for your reply, Marvin.

 

I'm running Version 9.6(3), so I must upgrade to the fixed version.

 

 

Dears,

 

Thanks for all you have contributed in this thread; I have rated all of them.

 

Regards,

Adam
