Cisco ASA Anyconnect Remote Access VPN

Hi! This is like my first or second post, so if I’m in the wrong spot, please forgive me. If I wanted to ensure SHA-1 wasn’t used as the hashing algorithm for the clients when they connect, can I just change the cipher security level under Configuration → Remote Access VPN → Advanced → SSL Settings? I was going to change the Default Cipher Version to High but wasn’t sure if that will eliminate all weak SHA-1 from the suite. Thoughts?

Hello Joshua

The Cipher Security Level setting that you configure will give you a preconfigured set of ciphers that will be used. By choosing High, you include only AES-256 with SHA-2, so SHA-1 is indeed excluded. For more details on what each security level config delivers, take a look at this Cisco documentation:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/asdm74/vpn/asdm-74-vpn-config/vpn-asdm-ssl.html#ID-2215-00000005

As seen in the documentation, you are also able to apply a custom configuration where you can specify one or more ciphers explicitly within the available string box. This gives you full control of which ciphers are allowed to be used.

I hope this has been helpful!

Laz

1 Like
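Added example (not from the thread and not Cisco's code): the custom cipher setting mentioned above takes an OpenSSL-style, colon-separated list of suite names, and in that naming scheme a suite that ends in a bare "-SHA" uses an HMAC-SHA-1 integrity algorithm while "-SHA256"/"-SHA384" denote SHA-2. The script below audits such a string so you can confirm a custom list really is SHA-1 free before applying it. The cipher strings it checks are constructed for illustration; they are not the ASA's built-in high/medium/low sets.

```python
"""Flag SHA-1 and MD5 cipher suites in an OpenSSL-style cipher string.

Added example, not Cisco's code. The ASA custom cipher setting takes a
colon-separated list of OpenSSL suite names; the lists used here are
constructed for illustration and are not the ASA's built-in
high/medium/low sets.
"""


def mac_algorithm(suite: str) -> str:
    """Name the integrity (MAC/PRF) hash from an OpenSSL cipher-suite name.

    OpenSSL names end with the hash: a bare '-SHA' suffix means SHA-1,
    '-SHA256'/'-SHA384' mean SHA-2, '-MD5' means MD5. AEAD suites such as
    CHACHA20-POLY1305 carry no HMAC and are reported as 'AEAD'.
    """
    tail = suite.rsplit("-", 1)[-1].upper()
    if tail == "SHA":
        return "SHA-1"
    if tail == "MD5":
        return "MD5"
    if tail in ("SHA256", "SHA384"):
        return "SHA-2"
    if tail == "POLY1305":
        return "AEAD"
    return "unknown"


def weak_suites(cipher_string: str) -> list:
    """Return the suites in a cipher string that still rely on SHA-1 or MD5.

    Only explicit suite names are inspected; OpenSSL keyword groups such as
    'HIGH' or '!aNULL' contain no '-' (or start with an operator) and are
    skipped because this example does not expand them.
    """
    weak = []
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token or "-" not in token or token[0] in "!+-@":
            continue
        if mac_algorithm(token) in ("SHA-1", "MD5"):
            weak.append(token)
    return weak


def sha1_free(cipher_string: str) -> bool:
    """True when no listed suite uses SHA-1 or MD5 for integrity."""
    return not weak_suites(cipher_string)


if __name__ == "__main__":
    # Constructed candidate list: two SHA-2 suites plus legacy SHA-1/MD5 ones.
    candidate = ("ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:"
                 "AES256-SHA:DES-CBC3-SHA:RC4-MD5")
    for suite in candidate.split(":"):
        print(f"{suite:35} {mac_algorithm(suite)}")
    print("weak suites:", weak_suites(candidate))
```

Run it against the exact string you intend to paste into the custom cipher box; anything it lists under "weak suites" would keep SHA-1 (or MD5) in play even though the rest of the list is SHA-2.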

Thank you very much Lazaros! This is exactly what I was looking for!

1 Like

Hello Laz,
Is there any way to prevent the user from establishing an AnyConnect VPN session when it comes to an untrusted self-signed certificate?
Thanks in advance.

Hello Mohammad

This behavior is configured on the actual AnyConnect client itself. The “Block Untrusted Servers” setting can be used to disallow a user from connecting using a certificate that is invalid. However, the user may be able to change the setting and successfully connect. This setting is enabled by default.

Another option is to enable the Strict Certificate Trust feature. When enabled, AnyConnect disallows any certificate that it cannot verify. Instead of prompting the user to accept such certificates, the client simply fails to connect.

More info on all of these can be found at the following Cisco documentation:

You can ensure that the strict certificate trust is set by issuing the appropriate local policy preferences using the AnyConnect profile editor. Setting the strict certificate trust policy setting to true ensures the client is correctly configured.

Take a look at the following for details on how to set up such policies using the AnyConnect Profile Editor.

I hope this has been helpful!

Laz
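Added example (not from the thread and not Cisco's tooling): the local policy preferences mentioned above live in the client's AnyConnectLocalPolicy.xml file, where the setting is a `<StrictCertificateTrust>` element holding `true` or `false`. The script below reads such a file, reports whether strict certificate trust is actually enforced, and rewrites the file so it is. The sample policy it parses is constructed here; its element names follow the local policy layout, but the values are assumed for illustration and are not taken from any real deployment.

```python
"""Audit and correct StrictCertificateTrust in an AnyConnect local policy.

Added example, not Cisco's tooling. The element names follow the
AnyConnectLocalPolicy.xml layout; the sample below is constructed and its
values are assumed for illustration.
"""
import xml.etree.ElementTree as ET

LOCAL_POLICY_NS = "http://schemas.xmlsoap.org/encoding/"
# Keep the default namespace unprefixed when the file is written back out.
ET.register_namespace("", LOCAL_POLICY_NS)

# Constructed sample: a client that still prompts on unverifiable certificates.
SAMPLE_LOCAL_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="4.10">
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
  <RestrictWebLaunch>false</RestrictWebLaunch>
  <StrictCertificateTrust>false</StrictCertificateTrust>
  <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
</AnyConnectLocalPolicy>
"""


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def policy_settings(xml_text: str) -> dict:
    """Map each top-level policy element to its (lower-cased) text value."""
    root = ET.fromstring(xml_text)
    return {_local_name(child.tag): (child.text or "").strip().lower() for child in root}


def strict_certificate_trust_enforced(xml_text: str) -> bool:
    """True only when the client is told to refuse unverifiable server certificates."""
    return policy_settings(xml_text).get("StrictCertificateTrust") == "true"


def enforce_strict_certificate_trust(xml_text: str) -> str:
    """Return the policy with StrictCertificateTrust set to true (adding it if absent)."""
    root = ET.fromstring(xml_text)
    for child in root:
        if _local_name(child.tag) == "StrictCertificateTrust":
            child.text = "true"
            break
    else:
        added = ET.SubElement(root, f"{{{LOCAL_POLICY_NS}}}StrictCertificateTrust")
        added.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("enforced before:", strict_certificate_trust_enforced(SAMPLE_LOCAL_POLICY))
    fixed = enforce_strict_certificate_trust(SAMPLE_LOCAL_POLICY)
    print("enforced after: ", strict_certificate_trust_enforced(fixed))
    print(fixed)
```

To check a real endpoint, read its AnyConnectLocalPolicy.xml into `strict_certificate_trust_enforced`; a `false` result means the client will still offer the user the choice of accepting an untrusted certificate, which is exactly the prompt the question wants to eliminate.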

Hello René, I have a question. I’m trying to complete the lab on SSL VPNs and when I type in: anyconnect image flash: /anyconnect-win-2.5.2014-k9.pkg I get the “invalid input” error. It accepts the webvpn command but that is as far as it goes. I’ve verified that I have the required packages in the flash. I’m running 8.2(1) code on an ASA that I bought on eBay. I’m at my wits’ end and wondering if one of you guys could help. Thanks

Hello Willie

Hmm, that’s interesting. It could be the syntax of the command. When you type anyconnect image ? what options does it give you? Does it include “flash” as an option? Also, you may find that on some devices it uses flash0 instead of flash.
One other thing is this. Take a look at the following command reference.

Take a look at the command history:
image

Prior to 8.4(1), the command was part of the SVC image. Since you’re using 8.2(1) it could be that you don’t have this image. Issue the following command: show webvpn svc image and see what results you get.

Take a look at these issues and see if they help in the troubleshooting process, and let us know.

I hope this has been helpful!

Laz

Hi,

In the lesson we can see that the client does not get the IP address of the default gateway once the VPN is up.

C:\Users\VPN>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : VPN-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
   Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   **Default Gateway . . . . . . . . . :**
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

How does the PC know to reach Internet or any others network accessible only through VPN?

Hello Giovanni

What you will find is that if you enabled split tunneling, you will see no default gateway. If you’ve disabled split tunneling, then the first IP from the client’s IP address and subnet mask combination will be chosen as the default gateway. There is no way to configure this parameter as it is hard coded into the way AnyConnect works.

Now having said that, the default gateway of a VPN client is really of no consequence. The default gateway is only significant when configured on an interface in a more traditional setting. However, when using VPNs such as AnyConnect, which uses a virtual interface, it doesn’t need a default gateway. The VPN connection is being treated as a point to point connection, so you really don’t care about the next hop IP. You just send everything out of the virtual interface.

The routing logic of an AnyConnect client is that all interesting traffic is sent to the upstream VPN peer using the encrypted link. This link uses the peer address and not a default gateway address. So the actual value in the default gateway, whether blank or anything else, is just ignored.

I hope this has been helpful!

Laz

PS Take a look at this Cisco Community link for more info:

I am searching for SSL VPN for the mentioned router and found the command webvpn, but my router doesn’t know this command.
My router has the security feature.
What do I need?

Regards, Hannes

Hello Johann

The webvpn feature being used in this particular lesson is applied on a Cisco ASA. The ASA is a firewall device.

However, WebVPN is also available on Cisco IOS devices. However, you must remember that WebVPN is an end-of-life technology, and has been replaced with FlexVPN. That means you won’t find it on some platforms such as the c1111 as described in this Cisco community post.

For more information about FlexVPN, take a look at this lesson:

I hope this has been helpful!

Laz

1 Like

Oh, so great!
Thanks a lot!

1 Like

I have connected to 100 Mbps internet.
After connecting to the office Cisco AnyConnect VPN, I am getting less speed when I do a speed test.

Is there any reason for this?

In my ASA, all traffic is going through the tunnel and the specified ACL traffic is going through my home internet.
Is this full tunnel?

In secured routes we have 0.0.0.0/0, so this means we are not using split tunnel and all traffic is going through the VPN, and unsecured routes are going through the local internet. Please clarify.

Hello Pavan

The first thing that came to mind was that all your internet traffic may be routed over the VPN, and that the split tunnelling is not operating correctly. If that is indeed the case, then it would make sense that your speedtest is slower. How much slower is it? If it is substantially slower, then it is likely that this is the case. However, you can verify this…

If this is indeed how you have configured it, then yes, you should be OK. Your internet traffic should be routed out of your local internet connection, and your traffic that goes to your office should be routed over the VPN.

If you are routing all of your traffic over the VPN, then you will get a much slower speed. A way to check this is to run a traceroute to a destination on the Internet, say 8.8.8.8 (Google’s DNS server), with and without the VPN. See if there is a difference in how it is routed. From the IP addresses in the output, you should be able to determine if the traffic is exiting your local Internet connection or is being routed over the VPN and out via your office’s Internet connection. Once you determine this, then you can continue troubleshooting the problem.

Let us know how you get along!

I hope this has been helpful!

Laz
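Added example (not from the thread and not AnyConnect's own routing code) covering both the default-gateway discussion in the reply to Giovanni and the secured/unsecured route question from Pavan: a small model of the client-side decision described in those answers. It classifies the tunnel mode from the secured and non-secured route lists the client displays, derives the cosmetic default gateway (first host address of the assigned subnet) for the full-tunnel case, and decides per destination whether a packet leaves through the virtual adapter (no next-hop IP needed) or the physical adapter's real gateway, using longest-prefix match so that an excluded /24 overrides a secured 0.0.0.0/0. All addresses and route lists are constructed.

```python
"""Model of AnyConnect's client-side routing decision as described in the thread.

Added example, not Cisco's code. 'secured' and 'nonsecured' are the prefix
lists the client shows under Route Details; every address here is
constructed for illustration.
"""
from __future__ import annotations

import ipaddress


def tunnel_mode(secured, nonsecured) -> str:
    """Classify the split-tunnel policy from the route lists the client shows.

    secured 0.0.0.0/0 with nothing excluded -> 'full'
    secured 0.0.0.0/0 with exclusions       -> 'split-exclude'
    specific secured prefixes only          -> 'split-include'
    """
    secured_nets = [ipaddress.ip_network(r) for r in secured]
    tunnels_everything = any(n.prefixlen == 0 for n in secured_nets)
    if tunnels_everything:
        return "split-exclude" if nonsecured else "full"
    return "split-include"


def derived_default_gateway(client_ip: str, netmask: str) -> str:
    """Full-tunnel case: the first host address of the client's assigned subnet
    is displayed as the adapter's default gateway. It is never used as a next
    hop, because the virtual adapter is treated as point-to-point."""
    net = ipaddress.IPv4Network(f"{client_ip}/{netmask}", strict=False)
    return str(net.network_address + 1)


def egress_for(destination: str, secured, nonsecured, local_gateway: str):
    """Decide where a packet leaves the client.

    Longest-prefix match across both lists: the most specific entry wins, so
    an excluded /24 overrides a secured 0.0.0.0/0. Tunnelled traffic goes out
    the virtual adapter with no next-hop IP ('tunnel', None); everything
    else uses the physical adapter's real gateway ('local', gateway).
    """
    dst = ipaddress.ip_address(destination)
    candidates = [(ipaddress.ip_network(r), "tunnel") for r in secured]
    candidates += [(ipaddress.ip_network(r), "local") for r in nonsecured]
    matches = [(net, via) for net, via in candidates if dst in net]
    if not matches:
        return ("local", local_gateway)
    _, via = max(matches, key=lambda m: m[0].prefixlen)
    return ("tunnel", None) if via == "tunnel" else ("local", local_gateway)


if __name__ == "__main__":
    # Constructed: Pavan-style policy, everything tunnelled except the home LAN.
    secured, nonsecured, home_gw = ["0.0.0.0/0"], ["192.168.1.0/24"], "192.168.1.1"
    print("mode:", tunnel_mode(secured, nonsecured))
    print("displayed gateway:", derived_default_gateway("192.168.10.100", "255.255.255.0"))
    for dst in ("8.8.8.8", "192.168.1.50", "10.20.30.40"):
        print(dst, "->", egress_for(dst, secured, nonsecured, home_gw))
```

Feeding it Pavan's lists (secured 0.0.0.0/0 plus some unsecured routes) yields split-exclude, and 8.8.8.8 comes back as "tunnel": that matches the slower speed test and the traceroute check Laz suggests, since internet traffic is crossing the VPN and leaving via the office. Only the explicitly excluded prefixes stay on the home connection.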

Hello Community, I am new to this and I have some questions about a scenario that I have at work. I am new to this VPN topic so I am not sure how to achieve this.

Peter and Mary have access to the Main Plants IP 192.168.150.6 and 192.168.160.10 and Peter is working on a project with a special team 192.168.120.240. While they are at the Plant, Peter can use all three IP addresses with no problem. Mary can only use the Main Plants and doesn’t have access to the third one. When they go off site, both Peter and Mary could use the Cisco AnyConnect to connect to the Main Plants IP Addresses. So I want to add 192.168.120.240 to the Cisco AnyConnect so Peter can connect to it offsite. Is there any possible way that I can achieve this? Do I need to change anything in ASDM? Is this related to a tunnel group addition or AnyConnect profile?

Thanks for taking the time to look at this!

Hello Johan

From my understanding, you want to allow Peter and Mary to have access to the IP addresses of specific hosts. So when Peter is on site, he has access to:

  • 192.168.150.6
  • 192.168.160.10
  • 192.168.120.240 (special project)

At the same time, Mary has access to the first two addresses but not to the third.

Now you want to be able to recreate these same allowances and restrictions for their AnyConnect connection.

In the scenario where Peter and Mary are both on-site, I assume this restriction is achieved using access lists. Using an extended access list, you can match Mary’s IP address as a source and the special team address as a destination and block any communication.

Now how can you achieve this using AnyConnect? Well, there are a couple of ways you can do this. Assuming AnyConnect gives you access to all your internal networks and assuming that each AnyConnect user is assigned the same IP address every time they connect (or at least the same IP address range), then you can use the same extended access list solution to achieve the same results. In this case, AnyConnect configurations are not directly involved in the allowing or disallowing of access. It’s still the access lists internally on the network that are doing this.

Alternatively, you can configure AnyConnect to give access to particular subnets within the corporate network. From the Cisco ASA Anyconnect Remote Access VPN lesson, you can use the split tunnel feature to specify in that access list what traffic will be sent over the VPN (based on destination) and what will be routed over the local internet.

You can also find additional information that will help you to decide how to set it up in the following Cisco documentation:

I hope this has been helpful!

Laz

1 Like
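Added example (not from the thread and not Cisco's code) for the extended-access-list approach in the answer above: a first-match evaluator for ASA-style extended ACL lines, so the allow/deny outcome for Peter and Mary can be checked before the list is applied. As the answer assumes, each user is taken to get a fixed VPN pool address; the addresses 192.168.200.10 (Peter) and 192.168.200.11 (Mary) and the ACL itself are constructed here, while the three plant addresses come from the question.

```python
"""First-match evaluation of an ASA-style extended access list.

Added example, not Cisco's code. The ACL and the VPN pool addresses are
constructed: Peter and Mary are assumed to receive fixed addresses
(192.168.200.10 and 192.168.200.11), as the thread's answer assumes.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed ACL in ASA syntax (NET MASK, host, any). Mary is blocked from the
# special-team host by an explicit deny placed before the broader permits.
SAMPLE_ACL = """
access-list VPN_FILTER extended deny ip host 192.168.200.11 host 192.168.120.240
access-list VPN_FILTER extended permit ip 192.168.200.0 255.255.255.0 host 192.168.150.6
access-list VPN_FILTER extended permit ip 192.168.200.0 255.255.255.0 host 192.168.160.10
access-list VPN_FILTER extended permit ip host 192.168.200.10 host 192.168.120.240
"""


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_spec(tokens: list, pos: int):
    """Consume one address spec ('any', 'host A.B.C.D', or 'NET MASK') at pos."""
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), pos + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[pos + 1] + "/32"), pos + 2
    return ipaddress.IPv4Network(f"{tok}/{tokens[pos + 1]}", strict=False), pos + 2


def parse_acl(text: str) -> list:
    """Parse 'access-list NAME extended ACTION ip SRC DST' lines, keeping order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue  # not an extended ACE (or a blank/comment line)
        action = tokens[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in ACE: {line}")
        src, pos = _parse_spec(tokens, 5)   # tokens[4] is the protocol ('ip')
        dst, _ = _parse_spec(tokens, pos)
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(aces: list, src_ip: str, dst_ip: str) -> str:
    """The first matching ACE decides; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    users = {"peter": "192.168.200.10", "mary": "192.168.200.11"}
    hosts = ("192.168.150.6", "192.168.160.10", "192.168.120.240")
    for name, ip in users.items():
        for host in hosts:
            print(f"{name:6} -> {host:16} {evaluate(acl, ip, host)}")
```

Order matters: the explicit deny for Mary sits above the permits, so it wins on first match, while Peter's access to 192.168.120.240 comes from the last line and anything not listed falls through to the implicit deny. On an ASA the same list can be attached to a user's group policy as a vpn-filter rather than applied on an internal interface, which keeps the restriction tied to the VPN session itself.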

The information has been extremely helpful! Thanks a lot for taking the time to respond!
Much appreciated!

1 Like

Hello group.
Good afternoon to everyone. I have a scenario in my company:
My company has bought around 100 computers with ARM64 architecture and we have around 200 computers with Win11 running Anyconnect 4.10.
Our CEO wants all of those computers running, but our production AnyConnect will not be compatible with ARM64, so we will have to install another AnyConnect version with ARM64, which means two AnyConnect packages will be running on the same ASA. Does someone know how to achieve this?
I have never seen a case where this might be needed, but the time has come and I am totally lost with it.

Thanks everyone for taking a look into this.

Hello Johan

The short answer is that you cannot run two different AnyConnect packages on the same ASA. This is because if you install a new AnyConnect package on the ASA, it replaces the existing package. The only way to run two packages simultaneously is to actually have two ASAs, each one running a different package.

I hope this has been helpful!

Laz

1 Like

It has been extremely helpful. Thanks a lot for the answer!

1 Like