
  • Lab: Configuring Remote Access VPN on FTD

    Configure Remote Access VPN

    Remote Access VPN Prerequisites


    The purpose of this task is to configure a remote access VPN by using the Cisco Secure Firewall Management Center configuration wizard.

    Step 1


    Connect to the Jump Host device in your topology.

    Open the Firefox web browser and navigate to the Secure Firewall Management Center by using the FMC bookmark on the toolbar (https://192.168.111.20).

    Login with the username admin and the password Cisco#1234.

    Step 2

    Navigate to Objects > Object Management. From the left pane, choose PKI > Cert Enrollment and click Add Cert Enrollment.

    Step 3


    Click the Certificate Parameters tab.

    Set the Include FQDN field to Custom FQDN and provide the following parameters to the respective fields:
    • Custom FQDN: ftd.lab.public
    • Include Device’s IP Address: 192.0.2.1
    • Common Name (CN): ftd.lab.public
    • Organizational Unit (OU): Cisco LAB
    • Organization (O): Cisco
    • Locality (L): San Jose
    • State (ST): California
    • Country Code (C): US

    Click Save.

    Step 4


    To associate the certificate with the HQ-FTD device, navigate to Devices > Certificates and click Add.

    From the Device list choose HQ-FTD and from the Cert Enrollment list, choose the newly created certificate FTD-Public-Cert.

    Click Add.

    Step 5


    The following window appears indicating that we need to finish certificate enrollment. The process can take a while. Monitor status until it changes from 'in progress' to 'identity certificate import required'.

    Click the ID icon.

    Step 6


    A warning message will appear asking for confirmation to generate a CSR. Click Yes.

    Step 7


    On the next window, copy the whole CSR to the clipboard. Do not close this window.

    Step 8


    In a new web browser tab, go to CA (bookmarked) and click Request a certificate > Advanced certificate request and then paste the CSR content. Use Certificate Template of Web Server. Click Submit.

    Step 9


    Save the new certificate in Base-64 format as ftd-public.cer in the Downloads folder.

    Step 10


    Go back to Secure Firewall Management Center tab and click Browse Identity Certificate. Select the new certificate and click Import.

    Step 11

    Notice the change in the status column.

    Step 12


    Navigate to Objects > Object Management and choose the AAA Server > RADIUS Server Group option in the left window pane.

    Click Add RADIUS Server Group.

    Enter the name ISE and check two options: Enable authorize only and Enable dynamic authorization.

    Step 13


    Click the + icon to add a new server to the list.

    Enter the IP address 192.168.20.22, and the key 1234QWer.

    Under Connect using, select the Specific Interface option. Select INZONE from the drop-down list of interfaces.

    Click Save and then Save again.

    Step 14

    Navigate to Objects > Object Management and choose the VPN > AnyConnect File option in the left window pane.

    Click Add AnyConnect File.

    Enter the name AC410 and browse for the file. From the Downloads folder choose the anyconnect-win-4.10.xxxxx-webdeploy-k9.pkg file.

    From the File Type drop-down list choose AnyConnect Client Image.

    Click Save.

    Step 15


    Navigate to Objects > Object Management and choose the Address Pools > IPv4 Pools option in the left window pane.

    Click Add IPv4 Pools.

    Enter the name SSL-VPN-POOL and enter an IPv4 Address Range of 10.10.55.1-10.10.55.254. Enter a Mask of 255.255.255.0.

    Click Save.

    Remote Access VPN Configuration


    The purpose of this task is to configure a remote access VPN by using the Cisco Secure Firewall Management Center configuration wizard.

    Step 16


    From Secure Firewall Management Center, navigate to Devices > VPN > Remote Access and click Add.

    On the Targeted Devices and Protocols page, enter the following attributes:
    • Name: FTD-RA
    • VPN Protocols: [Uncheck the IPsec-IKEv2 checkbox.]
    • Targeted Devices: [Choose the HQ-FTD device and click Add.]

    Click Next.

    Step 17


    On the Connection Profile page, enter the following attributes:
    • Connection Profile Name: Corporate_SSL_VPN
    • Authentication Server: ISE
    • Authorization Server: ISE
    • Accounting Server: ISE
    • IPv4 Address Pools: [Click the pencil icon and select SSL-VPN-POOL.]
    Step 18

    Click the + icon next to Group Policy and add a new group policy with the following settings:
    • Name: Corporate_GP
    • General > VPN Protocols: SSL
    • General > IP Address Pools: SSL-VPN-POOL
    • General > Banner: *** Welcome to our Corporate VPN ***
    • General > DNS/WINS > Primary DNS Server: AD_Real (create new object with this name and IP address of 192.168.20.24).

    Click Save and then choose the newly created group policy from the list.

    Click Next.

    Step 19

    On the AnyConnect Client Image page, check the checkbox next to the AC410 image object.

    Leave the Operating System default because the image is for Windows.

    Click Next.

    Step 20

    On the Network Interface for Incoming VPN Access page, enter the following attributes:
    • Interface group/Security Zone: OUTZONE
    • Certificate Enrollment: FTD-Public-Cert

    Click Next.

    Step 21


    A summary page is displayed. Confirm all the settings for the VPN configuration and click Finish.

    Step 22


    In an environment where NAT is involved, it is necessary to configure a rule to not translate traffic that is traversing the VPN. In our case this will be traffic between the VPN POOL (10.10.55.0/24) and any internal network.

    To configure a NAT-exempt rule for this VPN connection, navigate to Devices > NAT and click the edit icon to edit the Corporate_NAT policy.

    Note


    The NAT-exempt rule you create in the following steps is not strictly required in this lab instance, however it is important to be familiar with the configuration process.

    Step 23


    Click Add Rule.

    From the NAT Rule drop-down list, if not already selected, choose Manual NAT Rule, and from Type, choose Static.

    On the Interface Objects tab, move INZONE to Source Interface Objects and move OUTZONE to Destination Interface Objects.

    On the Translation tab, create and choose the HQ-Servers (192.168.20.0/24) object from the Original Source drop-down list. From the Original Destination drop-down list, create and choose the VPN_POOL (10.10.55.0/24) object.

    Click OK.

    Click Save to save the Corporate_NAT policy.

    Step 24

    Go to Policies > Access Control and edit Corporate_Policy. Add new Category to the policy named VPN Traffic.

    Click OK.

    Step 25

    Put a new rule named RA VPN to AD into category VPN Traffic allowing all traffic from OUTZONE to INZONE for Networks VPN_POOL (10.10.55.0/24) to AD_Real (192.168.20.24). Click Add.

    Step 26


    Add a second rule named RA VPN to ISE into category VPN Traffic allowing HTTP and HTTPS traffic from OUTZONE to INZONE for Networks VPN_POOL to ISE_Real (you may need to add a new object of that name with IP 192.168.20.22). Click Add.

    Step 27

    Verify configured rules with the task help screen. If everything is looking good, click Save and Deploy the changes.

    Step 28


    To verify the task, connect to the VPN-PC in the lab topology and log in as student/1234QWer. Open a web browser and go to https://ftd.lab.public and log in as employee1/1234QWer.

    Step 29


    You should see the Download & Install option available. Click Download for Windows, save the file and then run it. If a warning banner appears, click Continue; the download option then appears.

    Step 30


    Install the AnyConnect client with the default settings. When installation is completed, start the Cisco AnyConnect Secure Mobility Client by clicking the Windows Start button and clicking the application link.

    Step 31

    Type ftd.lab.public into the VPN field and click Connect.

    Log in as employee1/1234QWer. The connection should be successful.

    Step 32


    Once the VPN is connected, you can view more details about the connection by clicking the gear icon on the bottom left of the AnyConnect client.

    Step 33

    On the VPN-PC, open a command prompt and ping the following hosts:
    • 192.168.20.22 (ISE)
    • 192.168.20.24 (AD)

    Only ping to AD should be successful.

    Step 34


    From the Jump Host, open the PuTTY application and connect to the FTD-1 device (192.168.111.10).

    Log in with the username admin and the password Cisco#1234.

    Step 35


    Enter the following command to see the user session:

    show vpn-sessiondb anyconnect
    > show vpn-sessiondb anyconnect
    Session Type: AnyConnect

    Username : employee1 Index : 3
    Assigned IP : 10.10.55.1 Public IP : 192.0.2.80
    Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
    License : AnyConnect Premium
    Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256
    Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384
    Bytes Tx : 14884 Bytes Rx : 34026
    Group Policy : Corporate_GP Tunnel Group : Corporate_SSL_VPN
    Login Time : 15:10:15 UTC Sat Oct 23 2022
    Duration : 0h:03m:08s
    Inactivity : 0h:00m:00s
    VLAN Mapping : N/A VLAN : none
    Audt Sess ID : c000020100003000617425d7
    Security Grp : none Tunnel Zone : 0

    AnyConnect VPN User Certificate Authentication


    The purpose of this task is to enroll for a user certificate and then reconfigure the Cisco Secure Firewall Threat Defense device to start authenticating remote users via certificates.

    Note that VPN-PC is part of a domain, and you can log in using either the local student account or the employee1 domain user account.

    Step 36


    On VPN-PC, sign out from any existing user and log back in as a domain user (employee1/1234QWer). Use the AnyConnect VPN Client to connect to ftd.lab.public and authenticate as employee1/1234QWer.

    Note: To sign out, click the Windows Start button, and then click the user icon on the left side of the Start Menu. Choose Sign Out. Then, on the login screen, provide the domain user credentials to log in as a domain user.

    Step 37


    Run the Certificates MMC by searching for mmc, then add the Certificates snap-in (File > Add/Remove Snap-in) and click OK.

    From the tool, right-click Personal and then All Tasks > Request New Certificate…

    Step 38

    Click Next on the first screen, then expand Active Directory Enrollment Policy and check if a policy is assigned.

    Click Next.

    Step 39


    On the following screen, select User and click Enroll. The enrollment process starts. Wait for the success message and click Finish.

    Step 40

    Expand Personal > Certificates and see if you have a new certificate for Employee One.

    Step 41

    Double-click the certificate and view its contents.

    Notice that the Subject Name has two Common Names:
    • Employee One
    • Users

    Those fields are hard to use for matching a certificate. Check the Subject Alternative Name (SAN) field instead: it contains a Principal Name in the form of the user's email address. We will match against that field in order to authorize the client.

    Step 42

    Go back to the Jump Host and then to the Secure Firewall Management Center’s GUI. Go to Devices > Remote Access and then edit FTD-RA policy.

    Click edit icon next to Corporate_SSL_VPN connection profile and go to AAA tab. Change the Authentication Method to Client Certificate Only.

    Step 43

    Expand the Map username from client certificate section and choose the Primary Field of UPN (User Principal Name). Below, select ISE (RADIUS) as the Authorization Server and choose the option Allow connection only if user exists in authorization database.

    Step 44

    Click Save and then Save the policy and Deploy the changes by clicking Deploy button in the top menu, then click Deploy All.

    Step 45


    Go to VPN-PC and disconnect from the VPN.

    Now, connect back. You should not see username and password prompt anymore. Instead, you should see the group name only.

    Click OK and you should see the banner. It indicates that authentication and authorization have both been successful.

    Step 46


    On the Jumphost’s web browser, open up a new tab, connect to the ISE server and authenticate as admin/1234QWer.

    Using the hamburger icon on the left top, go to Operations > RADIUS > Live Logs to see that authorization really happened against ISE and Active Directory.

    Step 47


    Click the Details icon next to the “green” event and verify all Steps on the right. They should indicate that the user was authenticated via the Active Directory.

    Step 48


    You can also verify that from the FTD-1 CLI by typing the following command:
    > show vpn-sessiondb anyconnect

    Session Type: AnyConnect

    Username : employee1@lab.local Index : 7
    Assigned IP : 10.10.55.2 Public IP : 192.0.2.80
    Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
    License : AnyConnect Premium
    Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256
    Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384
    Bytes Tx : 37417 Bytes Rx : 72663
    Group Policy : Corporate_GP Tunnel Group : Corporate_SSL_VPN
    Login Time : 12:40:17 UTC Sun Oct 24 2021
    Duration : 0h:07m:58s
    Inactivity : 0h:00m:00s
    VLAN Mapping : N/A VLAN : none
    Audt Sess ID : c00002010000700061755431
    Security Grp : none Tunnel Zone : 0


    (Optional) Using Dynamic Access Policies



    In this task, a student will use Dynamic Access Policies (DAP) to further secure VPN remote access.

    You will be creating four policies:
    1. DAP_Compliant – to check for Anti-Malware software installed and running + Firewall enabled
    2. DAP_NoAM – to apply an ACL with limited access to a client that has no AM software running
    3. DAP_NoFW – to quarantine the client with no firewall enabled
    4. DAP_BadOS – to check if the OS is Windows 10, if it’s NOT then disconnect the user
    Step 49


    Go to Objects > Object Management and then VPN > AnyConnect File. Click Add AnyConnect File with the following settings:
    • Name: HS410
    • File Name: browse for file hostscan_4.10.xxxxx-k9-pkg in the Downloads folder
    • File Type: HostScan Package

    Click Save.

    Step 50


    Go to Devices > Dynamic Access Policy and click Create Dynamic Access Policy. Enter the name of Corporate_DAP, select HS410 HostScan package and click Save.

    Step 51


    Click Create DAP Record, enter the name DAP_Compliant and click Endpoint Criteria tab.

    Step 52


    Expand the Anti-Malware section and click the + icon to add a condition.

    Step 53


    Provide the following settings:
    • Installed: checked
    • Real Time Scanning: Enabled
    • Vendor: Microsoft Corporation
    • Product Description: Windows Defender

    Click Save.

    Step 54


    Move down to Personal Firewall and click the + icon to add another condition with the following parameters:
    • Installed: checked
    • Firewall Protection: Enabled
    • Vendor: Microsoft Corporation
    • Product Description: Windows Firewall

    Click Save.

    Step 55


    Move down to Operating System and click the + icon to add another condition with the following settings:
    • Operating System: Windows 10

    Click Save.

    Step 56


    Verify the created criteria with the step help. If everything looks fine, click Save at the bottom right area of the page.

    Step 57


    Click Create DAP Record. Give it the name of DAP_NoAM and configure the following Display Message: “You have no Anti Malware protection enabled. It will result in limited access to the network”.

    Step 58

    Click the Create New hyperlink next to Apply a Network ACL on Traffic (this option opens in a new browser tab) and configure a new ACL named DAP_NoAM_ACL that allows access to AD_Real on the HTTP destination port only. Go back to the DAP configuration tab and select the newly created ACL from the drop-down list.

    Step 59


    Go to Endpoint Criteria and expand Anti-Malware section and click the + icon to add a condition.

    Set the following settings:
    • Installed: checked
    • Real Time Scanning: Disabled
    • Vendor: Sourcefire, Inc
    • Product Description: Immunet

    Click Save and then Save again at the bottom.

    Step 60


    Click Create DAP Record with the name of DAP_NoFW. Change the Action to Quarantine and provide a message for matching criterion:

    “Our policy requires Windows Firewall to be enabled. You’ll be quarantined until you enable the firewall.”

    Similarly to the previous step, create a new ACL named DAP_NoFW_ACL allowing ICMP traffic only (see the step help for more information).

    Step 61


    Add Endpoint Criteria condition for Personal Firewall with the following parameters:
    • Installed: checked
    • Firewall Protection: Disabled
    • Vendor: Microsoft Corporation
    • Product Description: Windows Firewall

    Click Save.

    Step 62


    Verify the created criteria with the step help. If everything looks fine, click Save at the bottom right area of the page.

    Step 63

    Click Create DAP Record with the name of DAP_BadOS. Set the Action to Terminate and type the following message: “Your Operating System is not supported. Contact the administrator”.

    Step 64


    Go to Endpoint Criteria and create Operating System condition with the following parameters:
    • Operating System: (not equals) Windows 10

    Note the “not equal to” sign.

    Click Save and then Save at the bottom.

    Step 65


    Verify the whole DAP with the step help to ensure all rules have the correct actions and matching criteria.

    Step 66


    At the bottom, change the default record to Terminate. Click Save.

    Step 67


    Go to Devices > Remote Access and edit FTD-RA policy. In the top-right policy corner there is Dynamic Access Policy set to None. Click on it and change it to the Corporate_DAP.
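As an added example (not from the lab guide or from Cisco's code), the following Python model shows how the Corporate_DAP records from Steps 51 to 66 select an action for a given HostScan posture. It assumes the criteria inside one record are ANDed, that every record whose criteria all match is selected, that Terminate takes precedence over Quarantine and Quarantine over Continue, and that the ACLs of all selected records are applied; the default record applies only when nothing matches.

```python
from dataclasses import dataclass, field

CONTINUE, QUARANTINE, TERMINATE = "continue", "quarantine", "terminate"
PRECEDENCE = {CONTINUE: 0, QUARANTINE: 1, TERMINATE: 2}  # strongest action wins


@dataclass
class Endpoint:
    """HostScan posture of a connecting client (constructed for this example)."""
    os: str
    am_installed: bool = False   # anti-malware present
    am_realtime: bool = False    # real-time scanning enabled
    am_vendor: str = ""
    am_product: str = ""
    fw_installed: bool = False   # personal firewall present
    fw_enabled: bool = False
    fw_vendor: str = ""
    fw_product: str = ""


@dataclass
class DapRecord:
    name: str
    action: str = CONTINUE
    acl: str = ""                # "Apply a Network ACL on Traffic"
    message: str = ""            # "Display Message"
    criteria: list = field(default_factory=list)  # Endpoint -> bool; all must hold


def anti_malware(vendor, product, installed=True, realtime=True):
    return lambda e: (e.am_installed, e.am_realtime, e.am_vendor, e.am_product) == (
        installed, realtime, vendor, product)


def personal_firewall(vendor, product, installed=True, enabled=True):
    return lambda e: (e.fw_installed, e.fw_enabled, e.fw_vendor, e.fw_product) == (
        installed, enabled, vendor, product)


def operating_system(name, equals=True):
    return lambda e: (e.os == name) == equals


# The four records from Steps 51-64 and the default record from Step 66.
CORPORATE_DAP = [
    DapRecord("DAP_Compliant", criteria=[
        anti_malware("Microsoft Corporation", "Windows Defender"),
        personal_firewall("Microsoft Corporation", "Windows Firewall"),
        operating_system("Windows 10")]),
    DapRecord("DAP_NoAM", acl="DAP_NoAM_ACL",
              message="You have no Anti Malware protection enabled. It will result in limited access to the network",
              criteria=[anti_malware("Sourcefire, Inc", "Immunet", realtime=False)]),
    DapRecord("DAP_NoFW", action=QUARANTINE, acl="DAP_NoFW_ACL",
              message="Our policy requires Windows Firewall to be enabled. You'll be quarantined until you enable the firewall.",
              criteria=[personal_firewall("Microsoft Corporation", "Windows Firewall", enabled=False)]),
    DapRecord("DAP_BadOS", action=TERMINATE,
              message="Your Operating System is not supported. Contact the administrator",
              criteria=[operating_system("Windows 10", equals=False)]),
]
DEFAULT_RECORD = DapRecord("DfltAccessPolicy", action=TERMINATE)  # default record, Step 66


def evaluate(endpoint, records=CORPORATE_DAP, default=DEFAULT_RECORD):
    """Select every record whose criteria all match; if none, use the default.
    Returns (action, matched record names, ACLs to apply, messages to show)."""
    matched = [r for r in records if all(c(endpoint) for c in r.criteria)]
    if not matched:
        matched = [default]
    action = max((r.action for r in matched), key=PRECEDENCE.__getitem__)
    return (action, [r.name for r in matched],
            [r.acl for r in matched if r.acl], [r.message for r in matched if r.message])


# Posture of VPN-PC after Step 74 (firewall off) and after Step 78 (everything on).
FIREWALL_OFF = Endpoint("Windows 10", True, True, "Microsoft Corporation", "Windows Defender",
                        True, False, "Microsoft Corporation", "Windows Firewall")
COMPLIANT = Endpoint("Windows 10", True, True, "Microsoft Corporation", "Windows Defender",
                     True, True, "Microsoft Corporation", "Windows Firewall")

if __name__ == "__main__":
    for label, ep in [("firewall off", FIREWALL_OFF), ("compliant", COMPLIANT),
                      ("Windows 11", Endpoint("Windows 11")), ("no AM at all", Endpoint("Windows 10"))]:
        print(f"{label:>13}: {evaluate(ep)}")
```

The "firewall off" posture selects DAP_NoFW alone, which is why Step 76 shows Filter Name : DAP_NoFW_ACL; a client with no anti-malware at all matches none of the four records, so it is the Terminate default from Step 66 that stops it.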

    Step 68


    Click Save.

    Step 69


    Go to Devices > Platform Settings and create a new Threat Defense Settings policy named HA-FTD-Settings, assigning it to the HQ-FTD device. Click Save.

    Step 70


    Go to Logging Destinations tab and click Add.

    Set the first filter with the following settings:
    • Logging Destination: Internal Buffer
    • Event Class: Filter on Severity = debugging

    Click OK.

    Step 71


    Click Add again to add another filter with the following settings:
    • Logging Destination: Console
    • Event Class: Use Event List = Event_Classes

    Click OK.

    Step 72


    Verify the Logging Destinations with the step help and if everything looks fine, click Save and Deploy the changes.

    Step 73


    Go to VPN-PC and disable Windows Firewall. To do so, run the command line (CMD) as an administrator: search for Command Prompt (cmd.exe), right-click it and choose Run as administrator. Provide the administrator/1234QWer credentials.

    Note


    If you cannot authenticate, connect to the VPN and try again.

    Step 74

    Type the following command to disable the firewall:
    netsh advfirewall set allprofiles state off

    Step 75


    Disconnect and then reconnect to the VPN.

    The connection should be successful, but the following message should appear:

    Step 76


    Go to the FTD-1 CLI and type the following command:
    show vpn-sessiondb detail anyconnect

    Verify if there is a Filter Name applied at the end of the command output.
    > show vpn-sessiondb detail anyconnect
    Session Type: AnyConnect Detailed

    Username : employee1@lab.local Index : 8
    Assigned IP : 10.10.55.2 Public IP : 192.0.2.80
    Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
    License : AnyConnect Premium
    Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256
    Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384
    Bytes Tx : 15218 Bytes Rx : 30988
    Pkts Tx : 12 Pkts Rx : 267
    Pkts Tx Drop : 0 Pkts Rx Drop : 0
    Group Policy : Corporate_GP Tunnel Group : Corporate_SSL_VPN
    Login Time : 17:10:25 UTC Sun Oct 24 2021
    Duration : 0h:01m:57s
    Inactivity : 0h:00m:00s
    VLAN Mapping : N/A VLAN : none
    Audt Sess ID : c00002010000800061759381
    Security Grp : none Tunnel Zone : 0

    AnyConnect-Parent Tunnels: 1
    SSL-Tunnel Tunnels: 1
    DTLS-Tunnel Tunnels: 1

    AnyConnect-Parent:
    Tunnel ID : 8.1
    Public IP : 192.0.2.80
    Encryption : none Hashing : none
    TCP Src Port : 61946 TCP Dst Port : 443
    Auth Mode : Certificate
    Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
    Client OS : win
    Client OS Ver: 10.0.14393
    Client Type : AnyConnect
    Client Ver : Cisco AnyConnect VPN Agent for Windows 4.10.03104
    Bytes Tx : 7609 Bytes Rx : 0
    Pkts Tx : 6 Pkts Rx : 0
    Pkts Tx Drop : 0 Pkts Rx Drop : 0

    SSL-Tunnel:
    Tunnel ID : 8.2
    Assigned IP : 10.10.55.2 Public IP : 192.0.2.80
    Encryption : AES-GCM-256 Hashing : SHA384
    Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
    Encapsulation: TLSv1.2 TCP Src Port : 61953
    TCP Dst Port : 443 Auth Mode : Certificate
    Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
    Client OS : Windows
    Client Type : SSL VPN Client
    Client Ver : Cisco AnyConnect VPN Agent for Windows 4.10.03104
    Bytes Tx : 7609 Bytes Rx : 1770
    Pkts Tx : 6 Pkts Rx : 25
    Pkts Tx Drop : 0 Pkts Rx Drop : 0
    Filter Name : DAP_NoFW_ACL

    DTLS-Tunnel:
    Tunnel ID : 8.3
    Assigned IP : 10.10.55.2 Public IP : 192.0.2.80
    Encryption : AES-GCM-256 Hashing : SHA384
    Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384
    Encapsulation: DTLSv1.2 UDP Src Port : 56969
    UDP Dst Port : 443 Auth Mode : Certificate
    Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
    Client OS : Windows
    Client Type : DTLS VPN Client
    Client Ver : Cisco AnyConnect VPN Agent for Windows 4.10.03104
    Bytes Tx : 0 Bytes Rx : 29218
    Pkts Tx : 0 Pkts Rx : 242
    Pkts Tx Drop : 0 Pkts Rx Drop : 0
    Filter Name : DAP_NoFW_ACL

    Step 77


    Disconnect from the AnyConnect VPN and enable Windows Firewall with the following command (using the command line with the administrator privileges):
    netsh advfirewall set allprofiles state on

    Step 78


    Now, on VPN-PC, right-click the Defender Control link on the Desktop and choose Run as Administrator. Provide the administrator credentials administrator/1234QWer and click OK.

    Click Enable Windows Defender button and wait for the tool to become green.

    Connect to the VPN. You should be connected successfully.

    Note

    When you connect successfully, this means you are compliant and meet all requirements. You can check that by going to the Firewall Threat Defense CLI and typing the following command:

    (Optional) Configuring AnyConnect Profile


    In this task, the student will create an AnyConnect profile to change the AnyConnect client's behavior.

    Step 79


    From the desktop of VPN-PC run VPN Profile Editor and make the following changes on Preferences (Part 1) tab:
    • Uncheck all User Controllable options
    • Uncheck Use Start Before Logon
    • Uncheck Minimize On Connect
    Step 80

    Go to the Certificate Matching section and configure the following:
    • Extended Key Usage: check ClientAuth
    • Distinguished Name >Add: ISSUER-CN Equal ca
    Step 81

    Go to Server List section and Add new server with the following settings:
    • Display Name – Corporate Headend
    • FQDN or IP Address – ftd.lab.public

    Click OK.

    Step 82


    Now from the top menu select File > Save As and save this configuration as ac-ftd-profile.xml on the Desktop.

    Step 83

    On VPN-PC, disconnect from the VPN, open a web browser and connect to Secure Firewall Management Center using its IP address (https://192.168.111.20). Log in as admin/Cisco#1234 and end the previous session if asked. Go to Objects > Object Management > VPN > AnyConnect File and click Add AnyConnect File. Give it the name AC-Profile, click Browse and select ac-ftd-profile.xml from the Desktop, and choose AnyConnect VPN Profile from the File Type drop-down list.

    Click Save.

    Step 84

    Go to Devices > Remote Access and edit FTD-RA policy, then click Advanced tab and then Group Policies section.

    Edit Corporate_GP group policy and on AnyConnect tab select AC-Profile from the drop-down list. Click Save.

    Step 85


    Click Certificate Maps section and check Use the configured rules to match a certificate to a Connection Profile.

    Step 86


    Click Add Mapping and then click + next to Certificate Map Name option.

    Provide the following settings on the Add Certificate Map screen:
    • Map Name: Cert-Map
    • Mapping Rule: Alternative Subject Contains lab.local

    Click OK and then Save.
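As an added illustration (not part of the lab guide, and not Cisco's implementation) of what Steps 41 to 43 and Step 86 rely on: the UPN the headend reads out of the client certificate's Subject Alternative Name, and how the "Alternative Subject Contains lab.local" rule evaluates. The SAN bytes are constructed here with a minimal DER encoder; no certificate library is needed.

```python
UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # otherName type-id for a Microsoft User Principal Name


# --- minimal DER helpers (enough for a SubjectAltName) ----------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Tag-Length-Value; 'tag' is the full identifier octet (0xA0 = [0] constructed)."""
    return bytes([tag]) + der_len(len(value)) + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(content):
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def der_items(data):
    """Yield (tag, content) for every TLV inside 'data'."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                       # long-form length
            n, i = ln & 0x7F, i + (ln & 0x7F)
            ln = int.from_bytes(data[i - n:i], "big")
        yield tag, data[i:i + ln]
        i += ln


# --- SubjectAltName ----------------------------------------------------------
def parse_san(san_der):
    """Return [(kind, value)] for the GeneralNames a certificate map can test."""
    tag, general_names = next(der_items(san_der))
    assert tag == 0x30, "SAN extension value must be SEQUENCE OF GeneralName"
    names = []
    for tag, content in der_items(general_names):
        if tag == 0xA0:                     # otherName: SEQUENCE { OID, [0] EXPLICIT value }
            (_, oid), (_, explicit) = list(der_items(content))
            if decode_oid(oid) == UPN_OID:
                _, utf8 = next(der_items(explicit))
                names.append(("UPN", utf8.decode("utf-8")))
        elif tag == 0x81:                   # rfc822Name
            names.append(("EMAIL", content.decode("ascii")))
        elif tag == 0x82:                   # dNSName
            names.append(("DNS", content.decode("ascii")))
    return names


def map_username(san_der, primary_field="UPN"):
    """'Map username from client certificate', Primary Field = UPN (Step 43)."""
    return next((v for k, v in parse_san(san_der) if k == primary_field), None)


def alt_subject_contains(san_der, needle):
    """Certificate-map rule 'Alternative Subject Contains <needle>' (Step 86)."""
    return any(needle in v for _, v in parse_san(san_der))


# Constructed sample: the SAN an AD "User" template puts into employee1's certificate.
UPN = "employee1@lab.local"
SAMPLE_SAN = tlv(0x30,
                 tlv(0xA0, encode_oid(UPN_OID) + tlv(0xA0, tlv(0x0C, UPN.encode())))
                 + tlv(0x81, UPN.encode()))

if __name__ == "__main__":
    # The Subject carries two CNs (Employee One, Users), so the SAN is the usable field.
    print(parse_san(SAMPLE_SAN))
    print("username sent to ISE:", map_username(SAMPLE_SAN))
    print("Cert-Map matches:", alt_subject_contains(SAMPLE_SAN, "lab.local"))
```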

    Step 87


    Select Corporate_SSL_VPN from the Connection Profile drop-down list to link the certificate map with the connection profile.

    Click OK.

    Step 88


    Click Save and then Deploy the changes.

    Step 89


    On VPN-PC, use AnyConnect to connect to ftd.lab.public. The connection should be smooth, without asking for a Connection Profile: the Connection Profile is matched automatically based on the user's certificate.

    Go to AnyConnect client and click gear icon. You should see that most of the preferences are gone.

    Step 90


    Disconnect from the VPN and check the connections list. You should now see the new Corporate Headend user-friendly name instead of the FQDN you’ve used before.

    Step 91


    Click on the Corporate Headend and the connection should be smooth.


    Configuring Remote Access VPN for Contractors


    In this task, the student will configure an additional Connection Profile for Contractors, reachable via the https://ftd.lab.public/contractors URL. Contractors should authenticate against ISE using username/password only. They should have access to the Bleda server over port 443.

    Step 92


    Using the Jumphost, connect to the Secure Firewall Management Center and go to Devices > Remote Access, edit the FTD-RA policy and click the + sign to add a new Connection Profile. Enter the name Contractors_SSL_VPN and select DfltGrpPolicy. Under Client Address Assignment, add the IPv4 pool named SSL-VPN-POOL.

    Step 93
    On AAA tab leave AAA Only as an authentication method but select ISE (RADIUS) for Authentication, Authorization and Accounting server.

    Step 94


    Go to Aliases tab and configure new URL Alias by clicking + sign. Then, under Add URL Alias window click + sign again. Give the alias name of CONTR_ALIAS and type URL https://ftd.lab.public/contractors.

    Click Save.

    Step 95


    Select Enabled and click OK.

    Step 96


    Verify with the step help that you see the new alias on the list.

    Step 97


    Click Edit Group Policy hyperlink located under the Group Policy drop-down list and configure DNS/WINS > Primary DNS Server to be AD_Real object.

    Click Save.

    Step 98


    Verify Connection Profiles with the step help to continue. If everything looks fine, Save the VPN configuration.

    Step 99


    Go to Policies > Access Control and edit Corporate_Policy. Add a Contractors to BLEDA rule in the VPN Traffic category that allows HTTPS traffic from VPN_POOL to Bleda_real.

    Click Save.

    Step 100


    Go to Devices > NAT, edit the Corporate_NAT policy, and configure Manual NAT rule to exempt VPN_POOL to Bleda_real from translation. See the step help for more information.

    Click Add.

    Step 101


    Click OK, then click Save to save the NAT policy and Deploy the changes.

    Note


    You probably noticed that we used the same VPN_POOL to allow traffic for Contractors and for the rest of the users. This is obviously not secure enough. Fortunately, there is another layer of security: ISE, which puts an ACL on the Contractor's VPN tunnel.

    Step 102


    On VPN-PC, sign out from the employee1 user and log in as the local student user. You can force a local logon by specifying ‘.\student’ as the username and ‘1234QWer’ as the password.

    Step 103

    In the AnyConnect hostname field enter ftd.lab.public/contractors and click Connect. Provide contractor1/1234QWer credentials to authenticate. The connection should be successful.

    Step 104


    On the FTD-1 CLI type the following command to verify the connection:
    show vpn-sessiondb detail anyconnect

    Check whether the contractor1 user is connected, how the user was authenticated, and whether an ACL is applied to limit the user's traffic.
    > show vpn-sessiondb detail anyconnect
    Session Type: AnyConnect Detailed

    Username : contractor1 Index : 23
    Assigned IP : 10.10.55.2 Public IP : 192.0.2.80
    Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
    License : AnyConnect Premium
    Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256
    Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384
    Bytes Tx : 14404 Bytes Rx : 36401
    Pkts Tx : 10 Pkts Rx : 173
    Pkts Tx Drop : 0 Pkts Rx Drop : 0
    Group Policy : DfltGrpPolicy Tunnel Group : Contractors_SSL_VPN
    Login Time : 13:42:19 UTC Mon Oct 25 2021
    Duration : 0h:01m:18s
    Inactivity : 0h:00m:00s
    VLAN Mapping : N/A VLAN : none
    Audt Sess ID : c0000201000170006176b43b
    Security Grp : 5 Tunnel Zone : 0

    AnyConnect-Parent Tunnels: 1
    SSL-Tunnel Tunnels: 1
    DTLS-Tunnel Tunnels: 1

    AnyConnect-Parent:
    Tunnel ID : 23.1
    Public IP : 192.0.2.80
    Encryption : none Hashing : none
    TCP Src Port : 65287 TCP Dst Port : 443
    Auth Mode : userPassword
    Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
    Client OS : win
    Client OS Ver: 10.0.14393
    Client Type : AnyConnect
    Client Ver : Cisco AnyConnect VPN Agent for Windows 4.10.03104
    Bytes Tx : 7202 Bytes Rx : 0
    Pkts Tx : 5 Pkts Rx : 0
    Pkts Tx Drop : 0 Pkts Rx Drop : 0

    SSL-Tunnel:
    Tunnel ID : 23.2
    Assigned IP : 10.10.55.2 Public IP : 192.0.2.80
    Encryption : AES-GCM-256 Hashing : SHA384
    Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
    Encapsulation: TLSv1.2 TCP Src Port : 65299
    TCP Dst Port : 443 Auth Mode : userPassword
    Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
    Client OS : Windows
    Client Type : SSL VPN Client
    Client Ver : Cisco AnyConnect VPN Agent for Windows 4.10.03104
    Bytes Tx : 7202 Bytes Rx : 21631
    Pkts Tx : 5 Pkts Rx : 99
    Pkts Tx Drop : 0 Pkts Rx Drop : 0
    Filter Name : #ACSACL#-IP-CONTR_ACL-6176b3da

    DTLS-Tunnel:
    Tunnel ID : 23.3
    Assigned IP : 10.10.55.2 Public IP : 192.0.2.80
    Encryption : AES-GCM-256 Hashing : SHA384
    Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384
    Encapsulation: DTLSv1.2 UDP Src Port : 53613
    UDP Dst Port : 443 Auth Mode : userPassword
    Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
    Client OS : Windows
    Client Type : DTLS VPN Client
    Client Ver : Cisco AnyConnect VPN Agent for Windows 4.10.03104
    Bytes Tx : 0 Bytes Rx : 14770
    Pkts Tx : 0 Pkts Rx : 74
    Pkts Tx Drop : 0 Pkts Rx Drop : 0
    Filter Name : #ACSACL#-IP-CONTR_ACL-6176b3da
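Steps 76 and 104 both ask you to read the same things out of show vpn-sessiondb detail anyconnect: how the user authenticated (Auth Mode) and whether a Filter Name, a DAP ACL or an ISE downloadable ACL, is applied to the data tunnels. The following Python parser and checker is an added example, not part of the lab guide; it assumes the field labels seen in the outputs above, and its sample input is the Step 104 output abbreviated to the relevant lines.

```python
import re

# Field labels that appear in the output. Several label/value pairs share a
# line and the column padding may be collapsed, so the labels themselves,
# not whitespace, delimit the pairs.
KEYS = [
    "Session Type", "Username", "Index", "Assigned IP", "Public IP", "Protocol",
    "License", "Encryption", "Hashing", "Ciphersuite", "Encapsulation",
    "Bytes Tx", "Bytes Rx", "Pkts Tx Drop", "Pkts Rx Drop", "Pkts Tx", "Pkts Rx",
    "Group Policy", "Tunnel Group", "Login Time", "Duration", "Inactivity",
    "VLAN Mapping", "VLAN", "Audt Sess ID", "Security Grp", "Tunnel Zone",
    "Tunnel ID", "TCP Src Port", "TCP Dst Port", "UDP Src Port", "UDP Dst Port",
    "Auth Mode", "Idle Time Out", "Idle TO Left", "Client OS Ver", "Client OS",
    "Client Type", "Client Ver", "Filter Name",
]
# Longest label first, so "Pkts Tx Drop" is tried before "Pkts Tx".
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(
    re.escape(k) for k in sorted(KEYS, key=len, reverse=True)) + r")\s*:\s*")
SECTION_RE = re.compile(r"^(AnyConnect-Parent|SSL-Tunnel|DTLS-Tunnel):$")


def parse_pairs(line):
    """'Assigned IP : 10.10.55.2 Public IP : 192.0.2.80' -> {label: value}."""
    hits = list(KEY_RE.finditer(line))
    return {m.group(1): line[m.end():(hits[i + 1].start() if i + 1 < len(hits) else len(line))].strip()
            for i, m in enumerate(hits)}


def parse_sessiondb(text):
    """Return [{'summary': {...}, 'tunnels': {'SSL-Tunnel': {...}, ...}}, ...]."""
    sessions, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">"):            # echoed CLI prompt
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            sessions[-1]["tunnels"][section] = {}
            continue
        pairs = parse_pairs(line)
        if "Username" in pairs:             # every session starts with its username
            sessions.append({"summary": {}, "tunnels": {}})
            section = None
        if sessions:
            target = sessions[-1]["summary"] if section is None else sessions[-1]["tunnels"][section]
            target.update(pairs)
    return sessions


def auth_modes(session):
    return {t["Auth Mode"] for t in session["tunnels"].values() if "Auth Mode" in t}


def filter_names(session):
    return {t["Filter Name"] for t in session["tunnels"].values() if "Filter Name" in t}


def check_session(session, expected_auth, filter_required):
    """Findings for one session; an empty list means it looks as the lab expects."""
    findings = []
    modes = auth_modes(session)
    if modes != {expected_auth}:
        findings.append(f"auth mode {sorted(modes)} != {expected_auth}")
    unfiltered = [n for n, t in session["tunnels"].items()
                  if n != "AnyConnect-Parent" and "Filter Name" not in t]
    if filter_required and unfiltered:
        findings.append("no Filter Name on " + ", ".join(unfiltered))
    return findings


# Sample input: the Step 104 output above, abbreviated to the lines that matter here.
SAMPLE = """\
> show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed

Username : contractor1 Index : 23
Assigned IP : 10.10.55.2 Public IP : 192.0.2.80
Group Policy : DfltGrpPolicy Tunnel Group : Contractors_SSL_VPN
Security Grp : 5 Tunnel Zone : 0

AnyConnect-Parent:
Tunnel ID : 23.1
TCP Src Port : 65287 TCP Dst Port : 443
Auth Mode : userPassword

SSL-Tunnel:
Tunnel ID : 23.2
Encapsulation: TLSv1.2 TCP Src Port : 65299
TCP Dst Port : 443 Auth Mode : userPassword
Filter Name : #ACSACL#-IP-CONTR_ACL-6176b3da

DTLS-Tunnel:
Tunnel ID : 23.3
UDP Dst Port : 443 Auth Mode : userPassword
Filter Name : #ACSACL#-IP-CONTR_ACL-6176b3da
"""

if __name__ == "__main__":
    for s in parse_sessiondb(SAMPLE):
        print(s["summary"]["Username"], s["summary"]["Tunnel Group"], auth_modes(s), filter_names(s))
        print("findings:", check_session(s, "userPassword", filter_required=True))
```

For the Step 76 output you would call check_session(s, "Certificate", True) and expect Filter Name DAP_NoFW_ACL on both data tunnels; the AnyConnect-Parent tunnel never carries a Filter Name, which is why the checker skips it.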

    Step 105

    On the VPN-PC, open a web browser and go to the Bleda website using its real IP address/FQDN. The connection should be successful. Note that you may get a certificate warning, as the Bleda server uses a certificate with the bleda.lab.public name. Make an exception and connect to the server.

    Đặng Quang Minh, CCIE#11897 (Enterprise Infrastructure, Wireless, Automation, AI), CCSI#31417

    Email : dangquangminh@vnpro.org
    https://www.facebook.com/groups/vietprofessional/