Suggestions? My AnyConnect ASA is getting attacked with login attempts

Using Cisco ASA firewall code 9.x.x for AnyConnect VPN. Getting huge amounts of attacks trying to log in via AnyConnect…

Tried blocking by IP, but this isn’t a long-term solution. Is there some cloud-vendor WAF I can push my ASA AnyConnect traffic to for blocking and inspection, and then on to my ASA?

Replacement of the ASA for something else isn’t possible.

Need suggestions.

Thanks!

Do you have a cert on your firewall? If you set your authentication to client certificate & AAA, they won’t even get to the login unless they have your cert.

Check out this thread:

I run an ASA at home and have been getting hammered by probably the same guys as you. They hit all the LDAP heroes like ‘printer’, ‘scanner’, ‘admin’, and so forth, looking for a weak login and bad permission setups. The only way to really block them is to set up the ACL on the control plane like the thread above, or to use certificate authentication for your VPN logins. Was hoping someone would chime in with a better way in this thread. =)

The trick is to move your user logins to a connection profile using a different URL than the default/bare URL, and then set the bare/default one to deny all connections.

Put large blocks of IPs in an object group and apply it to the control plane. Resist the urge to add a network size smaller than /24.

Can someone tell me how to identify if AnyConnect is getting attacked with login attempts? I don’t have a real SIEM running, so what event numbers should I be looking at?
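To put numbers on the question above, and to turn them into the /24 object-group blocks the earlier reply recommends, here is an added example script. It is not from the thread and not Cisco code: it scans syslog lines for ASA message 113005 (AAA authentication rejected; note this fires for SSH/ASDM rejections too, not only VPN) and 716039 (WebVPN authentication rejected), counts rejections per username and per /24, and drafts a control-plane ACL for any /24 over a threshold. The exact message wording, the log lines, the threshold and the names VPN_BLOCK / VPN_CP_ACL are constructed assumptions; compare the patterns against `show logging` on your own box before relying on them.

```python
"""Count rejected AnyConnect logins in ASA syslog and draft a control-plane ACL.

Added example for this thread, not Cisco code.  Message IDs 113005 and 716039
are the ASA AAA/WebVPN "authentication rejected" messages as I understand them;
verify the exact wording with `show logging` on your own ASA.
"""
import ipaddress
import re
from collections import Counter

# 113005 fires for any AAA rejection (VPN, SSH, ASDM); 716039 is WebVPN-specific.
REJECT_PATTERNS = [
    re.compile(r"%ASA-\d-113005: .*user = (?P<user>\S+) : user IP = (?P<ip>[\d.]+)"),
    re.compile(r"%ASA-\d-716039: Group <[^>]*> User <(?P<user>[^>]*)> IP <(?P<ip>[\d.]+)> Authentication: rejected"),
]

# Constructed sample lines in ASA syslog format (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges).  The last line is an ordinary connection message and
# must be ignored by the parser.
SAMPLE_LOG = """\
Jun 10 02:14:01 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = printer : user IP = 203.0.113.7
Jun 10 02:14:02 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = scanner : user IP = 203.0.113.7
Jun 10 02:14:03 asa01 %ASA-6-716039: Group <DefaultWebVPNGroup> User <admin> IP <203.0.113.9> Authentication: rejected, Session Type: WebVPN
Jun 10 02:14:05 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = smith : user IP = 203.0.113.44
Jun 10 02:14:09 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.20
Jun 10 02:14:11 asa01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.20/51234 (198.51.100.20/51234) to identity:10.0.0.1/443 (10.0.0.1/443)
"""


def parse_rejections(log_text):
    """Yield (username, source_ip) for each rejected-login line; other messages are skipped."""
    for line in log_text.splitlines():
        for pattern in REJECT_PATTERNS:
            match = pattern.search(line)
            if match:
                yield match.group("user"), ipaddress.ip_address(match.group("ip"))
                break


def summarize(log_text):
    """Return (rejections per username, rejections per /24) as Counters keyed by str."""
    by_user, by_net = Counter(), Counter()
    for user, ip in parse_rejections(log_text):
        by_user[user] += 1
        # Aggregate to /24 straight away: the thread's advice is never to block narrower.
        by_net[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return by_user, by_net


def control_plane_acl(by_net, threshold, acl="VPN_CP_ACL", group="VPN_BLOCK", iface="outside"):
    """Draft ASA config that drops to-the-box traffic from /24s with >= threshold rejections.

    The trailing `permit ip any any` is not optional: a control-plane ACL ends with an
    implicit deny, so without it every to-the-box service on that interface, including
    management access, is cut off.
    """
    offenders = [ipaddress.ip_network(n) for n, count in by_net.items() if count >= threshold]
    if not offenders:
        return []
    lines = [f"object-group network {group}"]
    for net in sorted(offenders):
        lines.append(f" network-object {net.network_address} {net.netmask}")
    lines.append(f"access-list {acl} extended deny ip object-group {group} any")
    lines.append(f"access-list {acl} extended permit ip any any")
    lines.append(f"access-group {acl} in interface {iface} control-plane")
    return lines


if __name__ == "__main__":
    users, nets = summarize(SAMPLE_LOG)
    print("rejections by username:", dict(users))
    print("rejections by /24:", dict(nets))
    print("\n".join(control_plane_acl(nets, threshold=3)))
```

On the constructed sample, 203.0.113.0/24 accounts for four rejections and 198.51.100.0/24 for one, so with a threshold of 3 only the first /24 lands in the object group. Feed the script your exported syslog instead of SAMPLE_LOG and review the per-username counter as well: a spread of service-account names like ‘printer’ and ‘scanner’ from one /24 is the spray pattern the thread describes, while repeated failures for one real user from many networks looks more like password spraying against that account.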

Sure wish ASA/FTD supported geo-blocking for to-the-box traffic. Maybe put a Palo Alto in front of it in transparent mode? :joy:

I know geo-blocking won’t stop all of it, but if none of your users are in India or China, no need to allow those blocks to attempt connection.

We are using RADIUS with certs. There isn’t an option for certs and then RADIUS when defining the auth.

Great article, but not us. They are trying to “log in” via AnyConnect using a username and password. They are not trying to establish IPsec tunnels.

We have cert auth with RADIUS, but it doesn’t seem to be working.

Tell me about it; we have people with the last name “smith” that were getting popped for a while.

Can you give an example of how you deny the default URL?

Are you saying that FTD 7.x won’t support geo-blocks for AnyConnect VPN? I would hope it would. I wonder if FTD’s AnyConnect VPN is now finally equal to the AnyConnect VPN on the native ASA code?

In the DefaultWebVPNGroup connection profile, make sure there isn’t an alias or group URL, then set the group policy (usually DfltGrpPolicy) that is assigned to it to 0 simultaneous logins.

You could also use DAP to set the action to Terminate for AAA Attribute Type Cisco, Group Policy = DfltGrpPolicy (making sure the other connection profiles use a different group policy).

You still have to use FlexConfig to create a control-plane policy to block VPN. This does not support dynamic lists.

Yes, FTD AnyConnect is on par with ASA AnyConnect.
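A concrete version of the DefaultWebVPNGroup trick from the reply above, written out in ASA CLI syntax as an added example. It is not from the thread or from Cisco documentation; the names CORP-VPN, CORP-VPN-GP, RADIUS-SRV and the URL vpn.example.com are placeholders, and the login limit of 3 is an arbitrary choice.

```text
! Added example, not from the thread.  CORP-VPN, CORP-VPN-GP, RADIUS-SRV and
! vpn.example.com are placeholders.

! 1. Real users land on a dedicated connection profile that is reachable only
!    through its own URL, with its own group policy and an explicit login limit.
group-policy CORP-VPN-GP internal
group-policy CORP-VPN-GP attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy CORP-VPN-GP
tunnel-group CORP-VPN webvpn-attributes
 group-url https://vpn.example.com/corp enable
! Optional, per the earlier reply: demand a client certificate before the
! AAA prompt ever appears.  Only enable once every user has a cert.
! authentication aaa certificate

! 2. The bare URL falls through to DefaultWebVPNGroup.  Leave it with no
!    group-alias and no group-url, keep its authentication at the default
!    (LOCAL, so guesses never reach RADIUS or the directory), and give its
!    group policy zero simultaneous logins, so even a correct password never
!    produces a session.
tunnel-group DefaultWebVPNGroup general-attributes
 default-group-policy DfltGrpPolicy
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
```

The caveat that bites people: group policies inherit any attribute they do not set from DfltGrpPolicy, so every other group policy on the box must state its own `vpn-simultaneous-logins`, or it inherits 0 and locks out your real users along with the attackers. Confirm the result with `show running-config tunnel-group DefaultWebVPNGroup` and `show running-config group-policy DfltGrpPolicy`, then test from outside: a valid account against the bare https://vpn.example.com/ should be refused, and the same account against the group URL should connect. This only stops sessions at the default profile; the scanners still reach the ASA, so it pairs with, rather than replaces, the control-plane ACL discussed earlier in the thread.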

Did you have success with this? A guide for this would be lovely; I need to fumble through until we can move to another solution.