Thursday, January 7, 2021

My 1st Guide (Cisco Remote Access VPN Design Guide)

Hello,

I'm working on a personal project: a complete design and configuration guide for Cisco Remote Access VPN. I started it during the lockdown, when all of us shifted to working from home.

I started by building a quick guide to give all our customers and partners detailed steps for enabling remote access VPN, but as more use cases, requests, and integrations came in, I found myself drafting a complete technical guide that can be reused by all of us.

I started the guide using Cisco ASA, but later I began building the same guide using Cisco FTD, in order to have a complete guide for both Cisco firewall platforms (ASA and FTD).

The sections (each of which will be a post in this blog) will be organized as follows:

Cisco Remote Access VPN using Cisco ASA

  • Plan your VPN deployment (design, topology, software & hardware, interfaces, licenses, expected throughput, high availability and scalability).
  • Start with the basics (activate the VPN, connect successfully, authenticate against the local database, enroll the certificate, verify connectivity, build the communication matrix based on the design, split tunneling, Internet connectivity).
  • VPN advanced configurations:
    • Part#1 – configure multiple group-policies, user-to-group-policy assignment, and VPN filters.
    • Part#2 – configure advanced group-policy settings and apply cybersecurity best practices (framed-ip-address, timeouts, banners, etc.).
    • Part#3 – configure the VPN group URL and VPN group alias.
    • Part#4 – configure Dynamic Split Tunneling (DST).
  • Enable Dynamic Access Policy (DAP) and HostScan for RAVPN users (local posture assessment).
  • VPN enhanced authentication:
    • Part#1: Integrate the ASA with Cisco Duo for MFA (using the ASA local DB).
    • Part#2: Integrate the VPN with the organization's Active Directory (AD) for user authentication.
    • Part#3: Integrate the VPN with Cisco ISE for users’ authentication (local ISE DB and AD users).
    • Part#4: Integrate the MFA solution (Cisco Duo) with the AD for VPN users.
    • Part#5: Integrate the MFA solution (Cisco Duo) with Cisco ISE for VPN users.
  • VPN secure integration:
    • Integrate the ASA with Cisco ISE for Remote Access VPN posture assessment (centralized posture assessment).
    • Integrate the VPN module (Cisco AnyConnect) with Cisco Umbrella for all roaming users.
  • Advanced settings and configuration:
    • To be decided later based on requirements and feedback.
Cisco Remote Access VPN using Cisco FTD

  • Cisco Remote Access VPN guide (the same list of applicable configurations and integrations mentioned above for ASA) using FTD managed locally by Firepower Device Manager (FDM).
  • Cisco Remote Access VPN guide (the same list of applicable configurations and integrations mentioned above for ASA) using FTD managed by Firepower Management Center (FMC).
Based on the above, I will start posting the content I already have, which will also become part of the guide I'm working on.

Feel free to contact me (blog at network-security dot site) if you have any feedback, and stay tuned for the next post (Subscribe!).