Using Cisco ASA fw code 9.x.x for AnyConnect VPN. Getting huge amounts of attacks trying to log in via AnyConnect…
Tried blocking by IP, but this isn't a long-term solution. Is there some cloud vendor WAF I can push my ASA AnyConnect traffic to for blocking and inspection, then on to my ASA?
Replacement of the ASA for something else isn’t possible.
Do you have a cert on your firewall? If you put your authentication to client certificate & AAA, they won't even get to the login unless they have your cert.
I run an ASA at home and have been getting hammered by probably the same guys as you. They hit all the LDAP heroes like 'printer', 'scanner', 'admin', and so forth looking for a weak login and bad permissions setups. The only way to really block them is to set up the ACL on the control plane like the thread above or to use certificate authentication for your VPN logins. Was hoping someone would chime in with a better way in this thread. =)
The trick is to move your user logins to a connection profile using a different url other than the default/bare url and then set the bare/default to deny all connections.
Can someone tell me how to identify if AnyConnect is getting attacked with login attempts? I don't have a real SIEM running, so what event numbers should I be looking at?
Are you saying that FTD 7.x won't support geo-blocks for AnyConnect VPN? I would hope it would. Wonder if FTD's AnyConnect VPN is now finally equal to the AnyConnect VPN on the native ASA code?
In the DefaultWebVPNGroup connection profile, make sure there isn’t an alias or group url, then set the Group Policy (usually DfltGrpPolicy) that is assigned to it to 0 simultaneous logins.
You could also use DAP to set the action to Terminate for AAA Attribute Type Cisco, Group Policy = DfltGrpPolicy (making sure the other connection profiles use a different Group Policy).
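The approach the last few replies describe (empty the default connection profile so it refuses everyone, give real users their own profile on a non-default group-url, and the control-plane ACL mentioned earlier) as one ASA 9.x configuration. This is an added example, not something posted by anyone in the thread; the names RA_USERS, GP_RA_USERS, VPN_POOL, vpn.example.com and the 198.51.100.0/24 range are placeholders, and client-certificate auth assumes a CA trustpoint is already configured.

```text
! Added example, not from the thread. All names and addresses below are placeholders.

! 1. Default profile: no alias, no group-url, and a group policy allowing 0 logins.
!    Anyone scanning the bare https://vpn.example.com/ lands here and is refused.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
tunnel-group DefaultWebVPNGroup general-attributes
 default-group-policy DfltGrpPolicy

! 2. Real users get a separate profile and group policy behind a non-default group-url.
!    No group-alias, so it is not offered in the AnyConnect drop-down list.
ip local pool VPN_POOL 10.10.10.10-10.10.10.250 mask 255.255.255.0
group-policy GP_RA_USERS internal
group-policy GP_RA_USERS attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 3
tunnel-group RA_USERS type remote-access
tunnel-group RA_USERS general-attributes
 address-pool VPN_POOL
 default-group-policy GP_RA_USERS
tunnel-group RA_USERS webvpn-attributes
 authentication aaa certificate
 group-url https://vpn.example.com/ra-users enable

! 3. Stop-gap from earlier in the thread: control-plane ACL for the noisiest sources.
!    The explicit permit at the end keeps legitimate traffic to the box working.
access-list CP_DENY extended deny ip 198.51.100.0 255.255.255.0 any
access-list CP_DENY extended permit ip any any
access-group CP_DENY in interface outside control-plane
```

After applying, a login attempt against the bare URL is rejected for exceeding simultaneous logins, while users who know the group-url and hold a valid client cert still reach AAA.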