300-730 Implementing Secure Solutions with Virtual Private Networks (SVPN) Questions and Answers

one benefit of GET VPN is Simplified network design due to leveraging of native routing infrastructure (no overlay routing protocol needed) f mismatch is causing the problem with the IPsec VPN

Use the FQDN including the subdomain for the website. According to the Firepower Management Center Configuration Guide, Version 6.61, when you create a URL object, you must use the fully qualified domain name (FQDN) of the website, including any subdomains, and omit the protocol prefix (HTTP or HTTPS). For example, to match www.example.com, you must enter www.example.com as the URL object value, not http://www.example.com or https://www.example.com. The system automatically matches both HTTP and HTTPS traffic for the same FQDN. Specifying the protocol to match (HTTP or HTTPS) is not required and will result in an invalid URL object. Using the subject common name from the website certificate or defining the path to the individual webpage that uses HTTPS are not supported options for URL objects.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-easyvpn.html

According to the document Configure FlexVPN: AnyConnect IKEv2 Remote Access with Local User Database, one way to separate profiles for administrators and employees is to use group-urls on the headend and create two XML profiles to match the administrator and user group urls. This allows the headend to assign different group-policies and tunnel-groups based on the group-url that the user connects to. For example:

webvpn enable outside anyconnect image disk0:/anyconnect-win-4.6.03049-webdeploy-k9.pkg 1 anyconnect enable tunnel-group-list enable group-policy Admin internal group-policy Admin attributes vpn-tunnel-protocol ikev2 ssl-client address-pools value AdminPool group-policy User internal group-policy User attributes vpn-tunnel-protocol ikev2 ssl-client address-pools value UserPool tunnel-group Admin type remote-access tunnel-group Admin general-attributes default-group-policy Admin tunnel-group Admin webvpn-attributes group-url https://10.0.0.1/Admin enable tunnel-group User type remote-access tunnel-group User general-attributes default-group-policy User tunnel-group User webvpn-attributes group-url https://10.0.0.1/User enable

The XML profiles can be created with the AnyConnect Profile Editor and uploaded to the headend. The profile for administrators should have the server list entry as:

Admin 10.0.0.1 IPsec Admin

The profile for users should have the server list entry as:

User 10.0.0.1 IPsec User

This way, when the user connects to the headend, they can choose either Admin or User from the drop-down list and get the appropriate authorization based on their group-url.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-16-10/sec-flex-vpn-xe-16-10-book/sec-ikev2-flex-coa.html

B. In the Cisco AnyConnect XML profile, adding the hostname and host address to the server list ensures that the AnyConnect client knows the address of the VPN concentrator (router) to connect to. E. In the Cisco AnyConnect Local Policy, adding the router IP address to the Update Policy allows the client to connect to the router for updates and configuration.

HTTP (Hypertext Transfer Protocol) is used for transferring web resources, such as web pages and HTML documents, across the internet. CIFS (Common Internet File System) is used for sharing files and printers between computers on a network. ICA (Citrix), VNC (Virtual Network Computing), and RDP (Remote Desktop Protocol) are not enabled by default on the Cisco ASA Clientless SSL VPN portal.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/vpn/asa-94-vpn-config/webvpn-configure-gateway.html

"If the end user disables antivirus or personal firewall after successfully establishing the VPN connection, our Advanced Endpoint Assessment feature attempts to re-enable that application within approximately 60 seconds." https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-posture.html#ID-1407-00000047

Plug-ins are extensions to the Clientless SSL VPN feature that enable the ASA to handle non-standard applications and Web resources so that they display correctly over a Clientless SSL VPN connection. Plug-ins are software components that the ASA downloads to the remote user’s browser. The plug-ins provide support for applications and protocols that are not natively supported by Clientless SSL VPN, such as Java, ActiveX, SSH, Telnet, and RDP. Plug-ins can also provide enhanced functionality and security for Web applications, such as Outlook Web Access and Lotus iNotes.

You can read more about plug-ins and how to configure them in the document [ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide, 7.7] 1.

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.pdf

According to the Implementing Secure Solutions with Virtual Private Networks (SVPN) documents and learning resources available at cisco.com, the two features that provide headend resiliency for Cisco AnyConnect clients are:

• AnyConnect Backup Servers: This feature allows the AnyConnect client to automatically connect to a backup server in case the primary server is unreachable or fails. The backup server list is configured on the ASA or IOS headend and pushed to the client during the VPN connection establishment. The client can also manually select a backup server from the list if needed. This feature enhances the availability and reliability of the VPN service for the clients12.
• ASA failover: This feature enables two identical ASAs to be paired together as an active/standby or active/active pair. The ASAs synchronize their configuration and state information and monitor each other’s health. If the active ASA fails or becomes unreachable, the standby ASA takes over the traffic and VPN sessions without any disruption for the clients. This feature provides high availability and redundancy for the VPN headend34.

1: AnyConnect Backup Servers 2: Redundancy options for IOS Headend for AnyConnect Clients 3: ASA Failover 4: AnyConnect Implementation and Performance/Scaling Reference for COVID-19 Preparation

When you configure other group policies, any attribute that you do not explicitly specify takes its value from the default group policy. To view the default group policy. https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/vpngrp.html

The user group is used in conjunction with Host Address to form a group-based URL. If you specify the Primary Protocol as IPsec, the User Group must be the exact name of the connection profile (tunnel group). For SSL, the user group is the group-url of the connection profile. https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html#ID-1430-0000026c

https://community.cisco.com/t5/vpn/anyconnect-service-port-not-enabled/td-p/2968124

https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/webvpn.html

NHRP network IDs are locally significant and can be different. It makes sense from a deployment and maintenance perspective to use unique network ID numbers (using the ip nhrp network-id command) across all routers in a DMVPN network, but it is not necessary that they be the same. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-dmvpn.html

HSRP (Hot Standby Router Protocol). HSRP is a Cisco proprietary protocol that provides stateful failover for IPsec virtual private networks (VPNs). It is used to create a virtual router in order to provide redundancy in the event of an IPsec VPN failure. HSRP works by assigning a single primary router to manage the connection and forwarding traffic to the secondary router if the primary router fails.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-state-fail-ipsec.html

On a FlexVPN hub-and-spoke topology where spoke-to-spoke tunnels are not allowed, the command that is needed for the hub to be able to terminate FlexVPN tunnels is interface virtual-template. The interface virtual-template command is used to configure a virtual template interface which provides a secure tunnel for FlexVPN connections. The other commands listed - interface virtual-access, ip nhrp redirect, and interface tunnel - are not related to FlexVPN and are not used to terminate FlexVPN tunnels.

KS (key server) is ‘caretaker’ of the GM group. Group registrations and authentication of GMs is taken care of by KS server. Any GM who wants to join the group is required to be successfully authenticated in the group and sends encryption keys and policy to be used within the group.

===

https://ipwithease.com/introduction-to-getvpn/

https://www.globalknowledge.com/us-en/resources/resource-library/articles/understanding-next-hop-resolution-protocol-commands/

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-3s/sec-ike-for-ipsec-vpns-xe-3s-book/sec-call-addmsn-ike.html

Reverse route injection (RRI) is a method that dynamically installs the network routes for remote tunnel endpoints. The RRI feature allows the router to automatically learn the routes for the remote networks and automatically install these routes into the routing table. This eliminates the need for the administrator to manually configure and maintain the routes for the remote networks. This feature is commonly used in VPN environments, where the router at the VPN endpoint needs to learn the routes for the remote networks behind the other VPN endpoint. The other options such as policy-based routing, CEF, and route filtering are not used to dynamically install the network routes for remote tunnel endpoints

The IKEv2 CREATE_CHILD_SA packet is used to establish a new security association (SA) between two peers. This packet contains the details of the exchange, including the traffic selectors, the cryptographic algorithms and keys to be used, and any other relevant information

DMVPN disables the EIRGP next-hop-self with "no ip next-hop-self eigrp xxx" in DMVPN phase 2, and to go from Phase 2 to 3 you need use the NHRP protocol, and again enable EIRGP next-hop-self with "ip next-hop-self eigrp 134" under the tunnel interface https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-dmvpn.html#GUID-BF561439-BCC0-4AAF-80D9-1F7876CB7B81

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html