Ask the Expert: AnyConnect Secure Mobility

ciscomoderator
Community Manager

AnyConnect Secure Mobility with Ameet Kulkarni

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about AnyConnect Secure Mobility with Cisco expert Ameet Kulkarni. Learn about the various aspects of AnyConnect Secure Mobility such as HostScan, Client and Clientless based remote access, policies, and more.

Ameet Kulkarni is a product manager within the Secure Access and Mobility Product Group. His areas of expertise revolve around AnyConnect & ISE with a focus on posture assessment and profiler technologies. Kulkarni has managed multiple products over his career in VoIP and Security industries. He is an engineer by education with a Master of Science in Telecommunication. He has had a broad exposure in software development, solution architecture, program management and product management.

Remember to use the rating system to let Ameet know if you have received an adequate response.

Ameet might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub community shortly after the event. This event lasts through April 5, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

40 Replies

JG1978
Level 1

Hello,

My company currently uses the IPsec VPN client for our VPN solution. We are getting ready to migrate to an AnyConnect/SSL solution and I had a few questions.

First, is generating a self-signed certificate an acceptable solution for the ASA or is it standard practice to purchase a certificate?

Secondly, from a security standpoint, is there any advantage to using a registered name for users to connect to the ASA rather than an IP when connecting across public networks? A co-worker has told me that it is less secure to have a name for users to connect to rather than just an IP address. (example: companyname.vpn.com vs 192.168.10.1)


Third, can you give me the pros/cons of using AnyConnect SSL vs the clientless/WebVPN portal?

Finally, our environment has many different VPN groups (20+) who have their own group policy to restrict what resources they can access. What is the best method to migrate them to AnyConnect SSL easily, while keeping this structure in place? I have heard turning on group-URL is one option. The goal here is so that users cannot see all the other groups available. In the current IPsec client setup, users are only given the "group" information for their own VPN group and are not even aware of the other groups. Any advice?

pcarco
Cisco Employee

Hello John,

A self-signed cert is really intended for evaluations, proof of concepts, lab work, etc. It is a security best practice to deploy certificates from a CA.

More than likely you will want to use an FQDN for requesting a certificate, and unless you include a Subject Alternate Name with the IP address, the cert would not match. The ASA allows you, when creating the profile that is pushed to the user, to show a friendly name rather than the FQDN or IP address.

If you were load-balancing a pair of ASAs, using an FQDN for the VIP would be advantageous. If you had an IP address change on the ASA and were using an FQDN, then it's just a DNS update. I am sure there are other good reasons, but to your original question "from a security standpoint", maybe not, since you could simply do an nslookup and discover the IP.

In regards to AnyConnect  (Client) vs WebVPN (Clientless)

Using AnyConnect is going to provide your users with the experience they are accustomed to now: full tunnel, i.e., having an IP address on the LAN when they connect. AnyConnect SSL utilizes both TLS and DTLS, so a performance gain should be seen, especially for latency-sensitive applications.

The ASA clientless solution is an excellent option for the users you do not want to install a client on for one reason or another. You can very easily deploy a portal page and provide bookmarks to the network resources you permit, based on the policy assigned to the user based on the posture assessment.

And to answer your final question - yes we can do this dynamically.  Please have a look at this link

Understanding Policy Enforcement of Permissions and Attributes

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_extserver.html#wp1773735

Best regards,

Paul
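As an added illustration of the points in Paul's reply (CA-issued identity certificate bound to an FQDN, group-URL per tunnel-group so users never see the other groups, and a split-include group policy), here is an ASA configuration fragment. It is example configuration written for this page, not something posted by Paul, Ameet or Cisco; the names (VPN-CA-TP, VPN-KEY, vpn.example.com, SALES-GP, SALES-SPLIT, SALES-POOL, the AnyConnect package file name) and the 10.10.0.0/16 and 10.20.0.0/24 ranges are assumptions to be replaced with your own values.

```cisco
! --- Identity certificate from a CA: the FQDN goes in the subject and in the
! --- SAN via 'fqdn'; connecting by raw IP would then fail name validation
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint VPN-CA-TP
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example Corp
 keypair VPN-KEY
! paste the CA cert, then the CSR is printed for the CA to sign
crypto ca authenticate VPN-CA-TP
crypto ca enroll VPN-CA-TP
! bind the CA-signed identity cert to the interface AnyConnect terminates on
ssl trust-point VPN-CA-TP outside

! --- AnyConnect on the outside interface (package file name is a placeholder)
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
 ! intentionally NOT 'tunnel-group-list enable': no group drop-down on the
 ! login page, so one group's users never learn the other groups exist

! --- Split-include: only the corporate range goes through the tunnel
access-list SALES-SPLIT standard permit 10.10.0.0 255.255.0.0
ip local pool SALES-POOL 10.20.0.1-10.20.0.254 mask 255.255.255.0

! --- One group policy per VPN group, carrying that group's restrictions
group-policy SALES-GP internal
group-policy SALES-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value SALES-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SALES-SPLIT

! --- Tunnel-group selected by URL, not by a visible alias
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 default-group-policy SALES-GP
tunnel-group SALES webvpn-attributes
 group-url https://vpn.example.com/sales enable
```

Users of the SALES group are given only https://vpn.example.com/sales; the URL maps them to the SALES tunnel-group and its group policy without any group selection on the client. Repeat the group-policy and tunnel-group stanzas per VPN group, giving each its own group-url path and its own split-tunnel or vpn-filter restrictions.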

Pcarco is spot on. One thing to add is that clientless can also be used for disaster recovery when you need to quickly provide access to all your users who might not have company-provided equipment but can use their home machines and a browser to connect to your company's network with access to defined resources.

bara.lucia
Level 1

Hi Ameet,

Hopefully you're doing good,

I set up an ASA 5505 with AnyConnect, and I only use this AnyConnect for mobile devices (iOS & Android). In my configuration, I set split tunneling to let the devices still connect to the Internet via their own Internet access, not via the ASA. Well, the problem is here: my iOS device can do split tunneling and, voila, access the Internet successfully, but not my Samsung S3 mini Android. My Android can connect to the AnyConnect VPN but can't access the Internet; it seems like something blocks the access, but I can still chat with Gtalk and WhatsApp. Only access from browsers (any browser), Google Play Store, etc. is all blocked. Do you have any idea about this?

Thanks.

Hi Bara, I am not sure why you are unable to access the Internet. With Android, we do support various tunneling abilities such as Split Exclude, Split Include and Full Tunneling if required. Can you share which OS version your S3 mini is on as well as the ASA version?

Hi Ameet ,

Actually I use split include on my ASA 5505, to only tunnel traffic to my internal network, but yesterday I tried to install AnyConnect on an LG Android (using the rooted AnyConnect, downloaded from the Google Play Store) and it works: it can access the Internet and is still able to connect to my internal network (I didn't change any configuration on my ASA). This is really confusing. My S3 mini uses Android 4.1.2 (with the Samsung AnyConnect), and my ASA version is 9.0(2) with ASDM 7.1(2). Do you have any advice?

Thanks so much for answering my question,

Have a good day

This is odd. We might have to take a look at the logs to see what is going on. Is this a production environment or lab setup? You should get in touch with TAC.

OK then, maybe I'll try to root my S3 mini first, because I think there is something different between the rooted AnyConnect and the Samsung AnyConnect. Thank you, Ameet. I'll ask TAC if I fail with the root approach.

Rick Rowe
Level 1

Ameet,

I am looking at moving from the dynamic ACLs of the clientless SSL VPN to the Identity Firewall AD user ACLs. We're on 8.4(5) and want to know how that new Identity feature has been going within the community.

Hi Rick, we are seeing a lot of interest from the community and the pickup has been quite good as well. Was there anything in particular that you are interested in?

Hello, Ameet!

While users connect through AnyConnect, AnyConnect doesn't check endpoint attributes. I've configured a check for the process "notepad.exe", but it doesn't work. The endpoint is a VM; will it work or not?

AC is started with admin privileges.

You need to enable HostScan on your AnyConnect deployments to check attributes and set policy based on the posture of the devices. You will need Premium licenses for that.

Ameet, HostScan is enabled and I have Premium licenses.

Yes, it will work on a VM. A couple of questions.

1.) You have configured HostScan for notepad.exe; do you have Notepad open while testing?

2.) Have you configured your Dynamic Access Policy with the Endpoint Attribute for the process?

1) Yes, I have

2) Yes, I have

The connection is fine if the endpoint attributes are empty.
