Showing posts with label anyconnect. Show all posts

Thursday, 17 July 2025

hardening anyconnect ssl on cisco secure firewall 7.7

Hardening

https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html


Service access object (geo block anyconnect):

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222810-configure-geolocation-based-policies-for.html


Auto shun (flex config)

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html#toc-hId--1375473333



threat-detection service remote-access-authentication hold-down 15 threshold 5


hold-down - the window (in minutes) after the last failed attempt during which further failures from the same source IP are still counted; a gap longer than this resets the count

threshold - the number of failed authentications within that window before the source IP is shunned (with the values above, 5 failures within 15 minutes)



Show commands:

show threat-detection service remote-access-authentication

show threat-detection service remote-access-client-initiations

show threat-detection service invalid-vpn-access


Logs locations in FMC:

Some of these move around depending on the FMC version and which interface you are using

Cog (top right) > monitoring > syslog

Monitoring → VPN → Remote Access (anyconnect)

Analysis → Connections → Events (won't show auth success/failure here)

Health → Events (shows cpu/memory issues)

Analysis → Unified Events is also there and shows connection, intrusion, file and other events in one view


Log level

FMC GUI → Devices → Platform Settings

syslog > logging


Syslog messages:

%ASA-6-113004: AAA user authenticated successfully

%ASA-6-113005: AAA user authentication Rejected

%ASA-4-722051: Group <group> User <user> IP <ip> Session connected

%ASA-6-722041: Session disconnected (reason...)



***

Enable Access Control Logging for VPN User Traffic

On the access control rule that allows the AnyConnect users' traffic, turn on logging (log at start / log at end / send to FMC). This still won't show login attempts, only the connections made through the tunnel once a user is in.



In the syslog view, search message for *x.x.x.x*



Ok so lessons learned there:

You won't see anything in Analysis > Connections > Events (it doesn't show the SSL rejected stuff, only successful HTTPS etc. connections).

SAML (staff profile) rejection was not showing in the logs. I will ask Cisco about this; maybe it's a different event ID, or Duo doesn't send anything back to the firewall when SAML fails. He could see it in the Duo logs so was happy enough there.

AAA/RADIUS (contractors profile) was where we saw the issues coming in.

We needed to enable informational level logging under Devices > Platform Settings. (We hit a bug there: it didn't set the first time, not sure what happened. I watched him set it, so watch out for that.)

Once we had informational we could see some stuff under the cog > Monitoring > Syslog.

Filter "message" for *x.x.x.x* where x.x.x.x is the IP you are looking for.

We saw SSL denied for the German IP based on the geoblock.

We saw username ***** denied from my UK IP.

The username was hidden in the logs.

Added flex config "no loggin hide username"; Cisco said you have to leave off the "g", "loggin" is not a typo.

Shun settings were 20 failed logins in 10 mins; he said he had to set it high because users were actually typing their password wrong 10 times, so that is something he will have to live with. Attackers can still try from the approved IPs for 20 tries and then get shunned, but at this stage they can change IP address and try again.


*** SAML

SAML failed logins won't show in the FMC log in the same way. Best to review these in the SAML provider dashboard/logs (Duo/Azure etc). These logs can be forwarded from there to a central SIEM. Duo have a tool called duo log sync.

In the syslog view, filter on class "vpnc" (the VPN client class), which outputs lines like:

%FTD-6-611102: User authentication failed: IP = IP address, Uname: user
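As an added example (not from the original post and not Cisco's own code), the following Python script models the hold-down / threshold behaviour described above by running it over a few constructed %ASA-6-113005 lines, so the two knobs can be seen working before you commit to values on a live firewall. The 113005 message layout follows the ASA syslog reference; the timestamps, usernames, server and client IPs are invented, and the shun decision is a model of the feature rather than the firewall's implementation.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not a real capture). The 113005 layout follows the ASA
# syslog reference; the times, users and IPs are invented for this demo.
SAMPLE_LOG = """\
Jul 17 2025 09:00:00: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.5
Jul 17 2025 09:00:30: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
Jul 17 2025 09:01:00: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.5
Jul 17 2025 09:01:30: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
Jul 17 2025 09:02:00: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = root : user IP = 203.0.113.5
Jul 17 2025 09:02:30: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
Jul 17 2025 09:03:00: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.5
Jul 17 2025 09:03:30: %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = carol
Jul 17 2025 09:04:00: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 203.0.113.5
Jul 17 2025 09:25:00: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
Jul 17 2025 09:26:00: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
Jul 17 2025 09:27:00: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
"""

# Only the rejected-auth message carries a source IP; successes (113004) are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-113005: "
    r".*?: user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def simulate_shun(lines, hold_down_min=15, threshold=5):
    """Model of 'threat-detection service remote-access-authentication'.

    A source's failure counter keeps growing while each new failure arrives
    within hold_down_min of the previous one; a longer gap resets it.  When the
    counter reaches threshold the source is shunned.  Returns {ip: time_of_shun}.
    """
    hold = timedelta(minutes=hold_down_min)
    counters = {}  # ip -> (count, time of last failure)
    shunned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in shunned:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        count, last = counters.get(m["ip"], (0, None))
        if last is not None and ts - last > hold:
            count = 0  # hold-down expired: start counting again
        count += 1
        counters[m["ip"]] = (count, ts)
        if count >= threshold:
            shunned[m["ip"]] = ts
    return shunned


def failures_by_ip(lines):
    """Plain per-source failure totals, what a SIEM search on 113005 would give you."""
    totals = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            totals[m["ip"]] = totals.get(m["ip"], 0) + 1
    return totals


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failures per source:", failures_by_ip(lines))
    for hd in (15, 30):
        print(f"hold-down {hd} threshold 5 ->", simulate_shun(lines, hold_down_min=hd))
```

Two things the run shows. 203.0.113.5 rotates usernames and is shunned on its fifth failure, because the shun counts per source IP, not per user. 198.51.100.7 fails six times in total but is never shunned at hold-down 15, since its quiet gap of more than 15 minutes resets the counter; at hold-down 30 it is. A patient attacker who spaces attempts beyond the hold-down never trips the shun at all, which is why the 113005 counts still need to reach a SIEM rather than relying on the shun alone.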


Tuesday, 11 July 2023

Some syslog event IDs related to AnyConnect on cisco ASA

302013 - built inbound connection

302014 - teardown TCP connection


725012 - device chooses cipher for the SSL session with the peer

725008 - SSL client proposes cipher(s)

725007 - SSL session terminated


725001 - starting SSL handshake

725002 - SSL handshake completed

725003 - SSL client request to resume a previous session


113005 - AAA user authentication rejected

See:

https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html


Also:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4776913

716001 - anyconnect when user logs on
716002 - anyconnect when user logs off


Each connection that passes through the ASA generates around nine syslog messages, so that will be a lot of logs.


Old TAC Security Podcast

https://community.cisco.com/t5/security-knowledge-base/tac-security-podcast-show-information-and-episode-listing/ta-p/3126414


General syslog tips

Text zips up well, so compress the logs before sending them.

Knowing the time frame of the issue helps, as does knowing any source / destination IPs involved.

Notepad++ / Sublime are good for working with big files.

For really big files you really want a Linux box.

Windows users can run a VM or install Cygwin.

Use grep to look for severity 1 events:

grep "ASA-1-" ASASYSLOG.txt


Look for severity 6 and pipe to head:

grep "ASA-6" ASAlogs.txt | head -n 3


-v inverts the match, so chaining it removes the message IDs you are not interested in from the output:

grep "ASA-6" ASAlogs.txt | grep -v "ASA-6-302011" | grep -v "ASA-6-302015" | head -n 3


We can build up the command by adding more -v items:

grep "ASA-6" ASAlogs.txt | grep -v "ASA-6-302011" | grep -v "ASA-6-302015" | grep -v "ASA-6-305011" | head -n 3

Other Linux CLI tools that are very useful:

cut / sed / awk / uniq / sort / bc


To remove all the characters on each line leading up to "Mar 28" (the syslog priority and anything else the collector prepended), use sed to replace that text with nothing:

sed 's/^.*Mar 28/Mar 28/' ASAlogs.txt | head -n 4


cut can be used to display one field from each line; with a space as the delimiter the "to" address is field 13:

grep "ASA-6-305011" ASAlogs.txt | cut -f 13 -d ' '


<166>Mar 28 2013 08:22:50: %ASA-6-305011: Built dynamic TCP translation from inside:10.10.103.38/63894 to outside:192.168.124.149/63894

becomes

outside:192.168.124.149/63894



Now lets say you wanted to get rid of the 'outside' text at the start of each line. Use sed to replace that text with nothing:

grep "ASA-6-305011" ASAlogs.txt  | cut -f 13 -d ' ' | sed 's/outside://g'



When a connection is torn down (the 302014 teardown event) the message includes the byte count for that connection.

So for each teardown you can pull out the initiator IP and the byte count, sum the bytes per IP (awk, or bc if you are doing it by hand) and sort on the totals. That gives you the top talker overall.

The same approach works for the top number of connections instead of bytes, or for usernames instead of IPs. A DDoS typically shows up as a lot of connections with only a small amount of data transferred.

Denied connections are worth the same treatment.
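As an added example (not part of the original post), here is the "top talker" idea done in one Python script rather than a grep/cut/sed chain. It goes slightly beyond the notes above: it handles both TCP (302014) and UDP (302016) teardowns, lets you pick which interface's hosts to rank (the teardown message lists both ends of the connection, and which end initiated it depends on the direction), and ranks by connection count as well as by bytes so the "many connections, little data" pattern stands out. The message layouts follow the ASA syslog reference; the connection ids, IPs, ports and byte counts in the sample are invented.

```python
import re
from collections import Counter

# Constructed sample (not a real capture): the 302013/302014/302016 layouts follow
# the ASA syslog reference; connection ids, IPs, ports and byte counts are invented.
SAMPLE_LOG = """\
<166>Mar 28 2013 08:22:50: %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.10.103.38/63894 (192.168.124.149/63894)
<166>Mar 28 2013 08:23:10: %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 to inside:10.10.103.38/63894 duration 0:00:20 bytes 15000 TCP FINs
<166>Mar 28 2013 08:23:11: %ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.11/443 to inside:10.10.103.40/63895 duration 0:00:03 bytes 500 TCP FINs
<166>Mar 28 2013 08:23:12: %ASA-6-302016: Teardown UDP connection 1003 for outside:203.0.113.53/53 to inside:10.10.103.40/5353 duration 0:00:01 bytes 120
<166>Mar 28 2013 08:23:13: %ASA-6-302014: Teardown TCP connection 1004 for outside:203.0.113.12/443 to inside:10.10.103.38/63896 duration 0:00:09 bytes 6000 TCP FINs
<166>Mar 28 2013 08:23:14: %ASA-6-302014: Teardown TCP connection 1005 for outside:203.0.113.13/443 to inside:10.10.103.41/63897 duration 0:00:30 bytes 9000 TCP FINs
<166>Mar 28 2013 08:23:15: %ASA-6-302014: Teardown TCP connection 1006 for outside:203.0.113.14/80 to inside:10.10.103.40/63898 duration 0:00:02 bytes 80 TCP Reset-O
"""

# Matches TCP (302014) and UDP (302016) teardowns; the "Built" messages carry no
# byte count and are skipped.
TEARDOWN_RE = re.compile(
    r"%ASA-6-3020(?:14|16): Teardown (?:TCP|UDP) connection \d+ for "
    r"(?P<if1>[\w-]+):(?P<ip1>[\d.]+)/\d+ to (?P<if2>[\w-]+):(?P<ip2>[\d.]+)/\d+ "
    r"duration \S+ bytes (?P<bytes>\d+)"
)


def teardowns(lines):
    """Yield a regex match for every teardown line in the input."""
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if m:
            yield m


def _hosts_on(m, interface):
    """The address(es) in this teardown that sit on the named interface."""
    return [ip for ifc, ip in ((m["if1"], m["ip1"]), (m["if2"], m["ip2"])) if ifc == interface]


def top_talkers(lines, interface="inside"):
    """Total bytes per host on `interface`, highest first: [(ip, bytes), ...]."""
    totals = Counter()
    for m in teardowns(lines):
        for ip in _hosts_on(m, interface):
            totals[ip] += int(m["bytes"])
    return totals.most_common()


def connection_counts(lines, interface="inside"):
    """Number of torn-down connections per host on `interface`, highest first."""
    counts = Counter()
    for m in teardowns(lines):
        for ip in _hosts_on(m, interface):
            counts[ip] += 1
    return counts.most_common()


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("bytes per inside host:      ", top_talkers(lines))
    print("connections per inside host:", connection_counts(lines))
    print("bytes per outside host:     ", top_talkers(lines, interface="outside"))
```

On the sample, 10.10.103.38 is the top talker by bytes while 10.10.103.40 tops the connection count with three tiny flows, which is the shape the notes above describe for a DDoS or a scanner. On a real export, feed it `open("ASAlogs.txt")` in place of the sample and remember the totals only cover connections that have actually been torn down within the file.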



Tuesday, 17 May 2022

Use windows DHCP server instead of IP pool for cisco anyconnect on cisco ASA

Connect with your AnyConnect client first so you can see which tunnel-groups/profiles are enabled.

Use "show run tun" to see your tunnel-group config.


  • Disable AnyConnect on the outside interface (so the pool is not in use)
webvpn
 no enable OUTSIDE

  • Remove the pool from the tunnel-group
tunnel-group STAFF general-attributes
 no address-pool STAFF-POOL

  • Add the DHCP servers to the tunnel-group for your AnyConnect profile
tunnel-group STAFF general-attributes
 dhcp-server 10.60.1.6 10.60.1.7

  • Add the scope to the AnyConnect group-policy as well (this tells the DHCP server which scope to hand addresses out of)
group-policy GP-STAFF attributes
 dhcp-network-scope 10.60.6.0

  • Remove the pool if it is no longer used anywhere
no ip local pool STAFF-POOL

  • Re-enable AnyConnect
webvpn
 enable OUTSIDE


https://www.petenetlive.com/KB/Article/0001050


Wednesday, 19 August 2020

cisco firepower flex config gotcha

I was trying to apply some FlexConfig but it wasn't appearing in the CLI.

After opening a case with TAC, he showed that we need to edit the objects under

Devices -> FlexConfig

and then deploy the policy for the changes to be pushed.


He also mentioned we should use the AD authentication method.


Also we found from the debug the mapping of our group should be as follows

CN=AD_GROUP_NAME,OU=VPN,OU=Groups,DC=CUSTOMER,DC=COM



Tuesday, 10 March 2020

Cisco anyconnect - MTU-D packet 1200 bytes greater than effective mtu 986

MTU issues with AnyConnect: traffic coming back in from outside was being dropped as too big.

An error message like this was appearing in the ASDM logs:
MTU-D packet 1200 bytes greater than effective mtu 986


conf t
 group-policy SSL--CLIENTS attributes
  webvpn
   anyconnect ssl df-bit-ignore enable
wr

Disconnect/reconnect AnyConnect and retest.

This makes the ASA ignore the Don't Fragment (DF) bit on packets entering the tunnel, so oversized packets are fragmented instead of being dropped, whatever the path MTU. It is a workaround rather than a fix: fragmentation costs throughput, so it is worth also lowering the client MTU in the same group-policy (anyconnect mtu <bytes> under webvpn) to a value below the effective MTU reported in the message.

Friday, 11 October 2019

troubleshoot cisco anyconnect

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect43/administration/guide/b_AnyConnect_Administrator_Guide_4-3/troubleshoot-anyconnect.pdf


Friday, 13 July 2018

install cisco anyconnect client on linux mint

Visit the IP/hostname of an ASA where it's set up in a browser
Log in
You should get prompted to do a manual install
Download vpnsetup.sh
Make it executable (chmod +x vpnsetup.sh)
sudo ./vpnsetup.sh

Thursday, 7 June 2018

How to save anyconnect client connections

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

Make a file customer.xml

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>CUSTOMER-100.200.300.10</HostName>
      <HostAddress>100.200.300.10</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

See also
https://www.tunnelsup.com/locating-the-cisco-anyconnect-profiles/

Quick PowerShell script to create them as you need them

Write-Host 'Must be run as administrator so it can create the file in'
Write-Host 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
$DisplayName = Read-Host -Prompt 'Enter customer display name (eg CUST)'
$XML = Read-Host -Prompt 'Enter xml file name (eg cust.xml)'
$Peer = Read-Host -Prompt 'Enter AnyConnect IP or URL (eg 100.10.10.1)'


$ProfileDir = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
$FileName = Join-Path $ProfileDir $XML

$FileText = @"
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>$($DisplayName)</HostName>
      <HostAddress>$($Peer)</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"@

# The client reads the Profile folder when it starts, so restart it after writing the file
$FileText | Out-File -FilePath $FileName -Encoding utf8

Thursday, 16 February 2017

cisco anyconnect reconnecting after a short time then stays connected

Had an issue where Cisco AnyConnect would connect, then after a short time reconnect and then stay connected for good.

The issue was that the ISP was blocking DTLS (UDP 443). AnyConnect tries to use it because it is better for voice etc.; once it realises it can't, it reconnects with DTLS disabled.

Solution 1: Get your ISP to unblock it and get the benefits of DTLS. In my case I didn't have control of the ISP.

Solution 2: turn it off in the group policy for the AnyConnect profile
group-policy VPN-GRP-POL attributes
 webvpn
  anyconnect ssl dtls none

Wednesday, 3 February 2016

Log off a stuck AnyConnect session

A user is stuck logged in via AnyConnect; kick the session from the ASA:

vpn session-db logoff name [username]

Monday, 14 December 2015

How to save hosts cisco anyconnect client

https://supportforums.cisco.com/discussion/11489861/anyconnect-30-profile-drop-down-list

Save .xml files in  %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>VPN2</HostName>
      <HostAddress>VPN2 ADDRESS</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

Tuesday, 29 September 2015

Cisco ASA anyconnect remote access VPN

Set up a network object to use later
object network CUST_RA_NET_172.19.166.0_24
 subnet 172.19.166.0 255.255.255.0

Set up the ACL for use in the group policy (as the vpn-filter; anything not permitted here is dropped)
Also look at your outside-in ACL, as this is where the VPN users come from (only relevant if sysopt connection permit-vpn is turned off; by default decrypted VPN traffic bypasses the interface ACL)
access-list CUST-Rmte-ACL remark ACL to allow RA users to connect to the jump server
access-list CUST-Rmte-ACL extended permit tcp object CUST_RA_NET_172.19.166.0_24 host 172.19.150.4 object-group DMZ_PORTS_ALLOWED_OUT
access-list CUST-Rmte-ACL extended permit tcp object CUST_RA_NET_172.19.166.0_24 host 172.19.150.3 object-group DMZ_PORTS_ALLOWED_OUT

Set up an IP pool 
RA users get assigned an address from this pool when they connect
ip local pool CUST-pool 172.19.166.200-172.19.166.230 mask 255.255.255.0

Setup your Group Policy
There are many options that can be configured here this is just a basic one
group-policy CUST-Rmte-Users internal
group-policy CUST-Rmte-Users attributes
 banner value Warning:
 banner value
 banner value This system is restricted to authorized users for business purposes only and is subject to the Security Policy.
 banner value
 banner value Unauthorized access or use is a violation of company policy and the law.
 banner value
 banner value This system may be monitored for administrative and security reasons.
 banner value
 banner value By proceeding, you acknowledge that you have read and understand this notice and you consent to the system monitoring
 wins-server none
 dns-server none
 vpn-filter value CUST-Rmte-ACL
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 default-domain value custdomain.com
 split-tunnel-all-dns enable
 address-pools value CUST-pool

Tunnel Group
tunnel-group CUST-Rmte type remote-access
tunnel-group CUST-Rmte general-attributes
 default-group-policy CUST-Rmte-Users (use NoAccess here instead if the real group policy is assigned by the LDAP map, as set up further down)
tunnel-group CUST-Rmte webvpn-attributes
 group-alias CUST enable

Quick enable/disable (controls whether the profile appears in the AnyConnect dropdown)
tunnel-group CUST-Rmte webvpn-attributes
 group-alias CUST enable
 (or: group-alias CUST disable)



Set up your users
username johndoe password 1234
username johndoe attributes
 vpn-group-policy CUST-Rmte-Users

Don't forget NAT
RA users come from OUTSIDE
In this case we don't want to translate them and let them connect to another internal server
nat (OUTSIDE,DMZ) source static CUST_RA_NET_172.19.166.0_24 CUST_RA_NET_172.19.166.0_24 destination static obj-172.19.150.0 obj-172.19.150.0 no-proxy-arp route-lookup


============================
Setting up so we can match AnyConnect profiles to AD groups
You need an aaa-server group per profile, because each one points at its own LDAP attribute map.
Create a group-policy, an aaa-server group and an LDAP attribute map for each profile you want to use.

Setup group policy
group-policy GP-AC-WX-EXTERNAL internal
group-policy GP-AC-WX-EXTERNAL attributes
 banner value Warning:
 banner value
 banner value This system is restricted to authorized users for business purposes only and is subject to the Security Policy.
 banner value
 banner value Unauthorized access or use is a violation of company policy and the law.
 banner value
 banner value This system may be monitored for administrative and security reasons.
 banner value
 banner value By proceeding, you acknowledge that you have read and understand this notice and you consent to the system monitoring
 banner value
 wins-server none
 dns-server value 10.10.0.1 10.10.0.2
 vpn-simultaneous-logins 3
 vpn-filter value AC_VPN_FILTER_ACL
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value MYCUST.lgov
 webvpn
  anyconnect ssl dtls none

NoAccess group policy (vpn-simultaneous-logins 0 means anyone who lands here because no LDAP map entry matched is refused)
group-policy NoAccess internal
group-policy NoAccess attributes
 wins-server none
 dns-server value 10.65.65.1 10.65.65.2
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 default-domain value WCCC.LGOV
 address-pools none
 ipv6-address-pools none


Find the DN of the group in AD
dsquery group -name AnyconnectGroup

Set up the map
Make sure your test user is a member of AnyconnectGroup
ldap attribute-map WXCC_EXT_LDAP_MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=AnyconnectGroup,OU=SITE1 Groups,DC=MYCUST,DC=lgov" GP-AC-WX-EXTERNAL
 map-name  msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
(msRADIUSFramedIPAddress is the static IP set on the user's Dial-in tab in AD; it only needs the map-name line, the value is passed through as-is)

Find the CN path for the ASA user
dsquery user -name asa

Set up the aaa-servers
Watch out for the bind account sitting in a container (CN=Users) rather than an OU; the ldap-login-dn has to match its real location exactly.
Plain LDAP on 389 sends the bind password and every user's credentials in the clear; use ldap-over-ssl enable with server-port 636 in production.
aaa-server WXCC_EXT_LDAP protocol ldap
aaa-server WXCC_EXT_LDAP (inside) host 10.10.0.111
 timeout 3
 ldap-base-dn dc=MYCUST,dc=lgov
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password P@55w0rd
 ldap-login-dn CN=ASA,OU=Managed Service Accounts,DC=MYCUST,DC=lgov
 server-type microsoft
 ldap-attribute-map WXCC_EXT_LDAP_MAP

aaa-server WXCC_EXT_LDAP (inside) host 10.10.0.112
 timeout 3
 ldap-base-dn dc=MYCUST,dc=lgov
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password P@55w0rd
 ldap-login-dn CN=ASA,OU=Managed Service Accounts,DC=MYCUST,DC=lgov
 server-type microsoft
 ldap-attribute-map WXCC_EXT_LDAP_MAP


Testing
Connect the AC client
Check assigned IP
Ping/RDP/HTTPS to the LAN
Is DNS working ? Correct DNS servers set ?
Default domain configured ?
Intranet access
Browse into file shares
Customer test web apps
Test connecting as different users to diff profiles are we blocked from logging in ?

NPS server (if authenticating via RADIUS instead of LDAP)
Network policy conditions:
 - Client Friendly Name / Client IPv4 Address: the request comes from the ASA
 - Windows Groups: the user is a member of the AnyConnect group