Saturday, September 26, 2015

Cisco FireSight and FirePower Next-Generation IPS (NGIPS)

It's been a long and remarkable journey to finally complete my CCNP Security track. I started a couple of years back by passing the old CCNP Security SECURE exam. It sure feels great not being a CCNP Security wannabe anymore! This isn't the end of my network security journey, as I still have more to learn and, who knows, perhaps I'll pursue CCIE Security in the near future.

Doing the proof of concept (POC) for CWS and being fortunate enough to be trained on Cisco's next-generation IPS (NGIPS) triggered me to take the SITCS 300-207 exam. The release of the SITCS official certification guide (OCG) had been delayed, so I just decided to take the plunge. I was sent to Global Knowledge Singapore for hands-on training on both FireSight (a.k.a. Defense Center) and the FirePower module on a Cisco ASA 5515-X next-generation firewall (NGFW).


ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.3(1)    // MINIMUM ASA VERSION 9.2.2 REQUIRED TO RUN FIREPOWER
Device Manager Version 7.3(1)101

Compiled on Wed 23-Jul-14 18:16 PDT by builders
System image file is "disk0:/asa931-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 18 hours 42 mins

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is 78da.6e98.5250, irq 11
 1: Ext: GigabitEthernet0/0  : address is 78da.6e98.5254, irq 10
 2: Ext: GigabitEthernet0/1  : address is 78da.6e98.5251, irq 10
 3: Ext: GigabitEthernet0/2  : address is 78da.6e98.5255, irq 5
 4: Ext: GigabitEthernet0/3  : address is 78da.6e98.5252, irq 5
 5: Ext: GigabitEthernet0/4  : address is 78da.6e98.5256, irq 10
 6: Ext: GigabitEthernet0/5  : address is 78da.6e98.5253, irq 10
 7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
 9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is 78da.6e98.5250, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Enabled        perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number: FCH174374E3
Running Permanent Activation Key: 0xa205e877 0x74bc8194 0xf1e311bc 0xedec64d0 0x4016ffac
Configuration register is 0x1
Configuration last modified by enable_15 at 14:10:22.468 UTC Thu Jul 30 2015

ciscoasa# show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515           , VID: V02     , SN: FGL1745417T

Name: "Storage Device 1", DESCR: "Micron 128 GB SSD MLC, Model Number: C400-MTFDDAC128MAM"   // 128 GB SSD REQUIRED FOR FIREPOWER TO RUN; CAN USE THIRD PARTY VENDOR
PID: N/A               , VID: N/A     , SN: MXA1729023Z

ciscoasa# session ?

Available module ID(s):
  cxsc  Module ID
  ips   Module ID
  sfr   Module ID
ciscoasa# session sfr ?

  console  Login to console port on another module.
  do       Execute a command on another module.
  ip       Configure Module logging port ip addresses
  <cr>
ciscoasa# session sfr console     // LOGIN TO FIREPOWER IPS MODULE
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

  ^
configure  Change to Configuration mode
end        Return to the default mode
exit       Exit this CLI session
expert     Invoke a shell
help       Display an overview of the CLI syntax
history    Display the current session's command line history
logout     Logout of the current CLI session
show       Change to Show Mode
system     Change to System Mode

> show time
UTC -       Thu Jul 30 12:03:36 UTC 2015
Localtime - Thu Jul 30 08:03:37 EDT 2015

> ~30
Escape Sequence detected
Console session with module sfr terminated.    // USE CTRL+SHIFT+6+X TO EXIT IPS MODULE

ciscoasa# show clock
08:03:04.219 UTC Thu Jul 30 2015
ciscoasa# clock set ?

  hh:mm:ss  Current Time
ciscoasa# clock set 12:04:00 ?

  <1-31>  Day of the month
  MONTH   Month of the year
ciscoasa# clock set 12:04:00 30 July ?

  <1993-2035>  Year
ciscoasa# clock set 12:04:00 30 July 2015     // ASA CLOCK MUST BE SYNCHRONIZED WITH FIREPOWER
ciscoasa# show clock
12:04:04.779 UTC Thu Jul 30 2015
ciscoasa# write memory
Building configuration...
Cryptochecksum: db90e6c9 1fd7c39a 6eb2b08b 39694900

3521 bytes copied in 0.700 secs
[OK]
ciscoasa# sw-module ?

  module  Act on a module
ciscoasa# sw-module module ?

Available module ID(s):
  cxsc  Module ID
  ips   Module ID
  sfr   Module ID
ciscoasa# sw-module module sfr ?

  recover    Configure recovery of this module
  reload     Reload the module
  reset      Reset the module
  shutdown   Shut down the module
  uninstall  Uninstall the module
ciscoasa# sw-module module sfr reload    // MUST RELOAD FIREPOWER MODULE

Reload module sfr? [confirm]
Reload issued for module sfr.

ciscoasa# show module ?

Available module ID(s):
  0     Module ID
  all   show all module information for all slots
  cxsc  Module ID
  ips   Module ID
  sfr   Module ID
  |     Output modifiers
  <cr>
ciscoasa# show module sfr ?

  details  show detailed hardware module information
  log      show logs for this module
  recover  show recover configuration for this module
  |        Output modifiers
  <cr>
ciscoasa# show module sfr detail
Getting details from the Service Module, please wait...
Unable to read details from module sfr

Card Type:          FirePOWER Services Software Module
Model:              ASA5515
Hardware version:   N/A
Serial Number:      FCH174374E3
Firmware version:   N/A
Software version:   5.3.1-152
MAC Address Range:  78da.6e98.524e to 78da.6e98.524e
App. name:          ASA FirePOWER
App. Status:        Not Applicable
App. Status Desc:   Not Applicable
App. version:       5.3.1-152
Data Plane Status:  Not Applicable
Console session:    Ready
Status:             Init  

ciscoasa# show module sfr detail
Getting details from the Service Module, please wait...

Card Type:          FirePOWER Services Software Module
Model:              ASA5515
Hardware version:   N/A
Serial Number:      FCH174374E3
Firmware version:   N/A
Software version:   5.3.1-152
MAC Address Range:  78da.6e98.524e to 78da.6e98.524e
App. name:          ASA FirePOWER
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       5.3.1-152
Data Plane Status:  Up
Console session:    Ready
Status:             Up      // UP AFTER 3 MINS
DC addr:            192.168.48.24                                              
Mgmt IP addr:       192.168.48.23                                              
Mgmt Network mask:  255.255.255.0                                              
Mgmt Gateway:       192.168.48.44                                              
Mgmt web ports:     443                                                        
Mgmt TLS enabled:   true     

ciscoasa# show clock
12:10:03.879 UTC Thu Jul 30 2015
ciscoasa# session sfr console           
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

Sourcefire3D login: admin
Password:
Last login: Thu Jul 30 11:57:50 UTC 2015 on ttyS1

Copyright 2001-2013, Sourcefire, Inc. All rights reserved. Sourcefire is
a registered trademark of Sourcefire, Inc. All other trademarks are
property of their respective owners.

Sourcefire Linux OS v5.3.1 (build 43)
Sourcefire ASA5515 v5.3.1 (build 152)

Last login: Thu Jul 30 12:11:15 on ttyS1
> show time
UTC -       Thu Jul 30 12:10:19 UTC 2015
Localtime - Thu Jul 30 08:11:19 EDT 2015


ciscoasa# ping 192.168.48.100    // NTP SERVER
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.48.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms


FireSight is also configured to use the same local NTP server, so that the FireSight clock, the ASA clock and the FirePower IPS module's clock stay synchronized and event timestamps line up.



We configure the FirePower module to apply the policies created in FireSight to all IP traffic (class-default), and traffic flow stops if the module fails (fail-close).
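The redirect described above, written out as ASA CLI, as an added example that is not from the original post. It pairs the NTP synchronization from the previous paragraph with the class-default/fail-close service policy. The NTP server 192.168.48.100 is the one pinged earlier in the post; the `sfr` keyword syntax assumes ASA 9.2(2) or later, and the NTP key value is a placeholder.

```text
! --- Added example (not from the original post): ASA-side NTP and FirePOWER redirect ---

! Keep the ASA clock in step with FireSight and the sfr module. A manual 'clock set'
! (as done above) drifts; NTP does not. 192.168.48.100 is the NTP server pinged above.
ntp server 192.168.48.100 source inside prefer
! Optional: authenticate NTP so a rogue server cannot skew event timestamps.
! <key> is a placeholder.
ntp authenticate
ntp authentication-key 1 md5 <key>
ntp trusted-key 1
ntp server 192.168.48.100 key 1 source inside prefer

! Redirect all IP traffic (class-default) to the FirePOWER module.
! fail-close: the ASA drops matched traffic whenever the module is not Up,
! which includes the ~3 minute window after 'sw-module module sfr reload'.
policy-map global_policy
 class class-default
  sfr fail-close
! Apply the policy globally if it is not already applied.
service-policy global_policy global

! Verification: redirect counters, module state and clock source.
show service-policy sfr
show module sfr details
show ntp status
show ntp associations
```

`fail-close` is the setting the post chose, and it is the right one when the IPS is a control rather than a sensor; the trade-off is that any maintenance that takes the module down (the reload shown above, an upgrade, a crash) is an outage for everything in class-default. `sfr fail-open` passes traffic uninspected while the module is down, and `sfr fail-close monitor-only` sends the module a copy of the traffic so it can alert but never drop, which is a reasonable first step when tuning policies on a new deployment.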





A FireSight policy is created to block a website hosting malware.











To test, I went to a website, ihaveabadreputation.com/eicar.com, which hosted a malware sample. FireSight can also show the file trajectory and the timing of the malware's spread across hosts.










FireSight can also block a URL such as www.poker.com using category-based and reputation-based filtering (RBF).







FireSight's application control is granular enough to block a single application, in this case Windows Update.





Saturday, September 19, 2015

Configuring Clientless and AnyConnect Remote Access SSL VPNs Using ASDM

We've been using Cisco AnyConnect to VPN back to our corporate network and intranet resources. It gives the same experience as Cisco's legacy VPN client and also ties back to our Active Directory (AD) profile, which allows for single sign-on (SSO). VPN comes in many flavors; below is one of them, a remote access SSL VPN lab that I did on my Cisco ASA 5505 firewall.


Router(config-if)#hostname R1
R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0/0
R1(config)#interface fastethernet0/0
R1(config-if)#ip address 209.165.200.225 255.255.255.248
R1(config-if)#no shutdown
R1(config-if)#
*Jul  5 03:17:49.787: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jul  5 03:17:50.787: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#interface serial0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#
*Jul  5 03:18:07.115: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
R1(config-if)#clock rate 64000


Router(config)#hostname R2
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jul  5 03:17:55.143: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jul  5 03:17:56.143: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#do ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jul  5 03:18:17.699: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R2(config-if)#clock rate 64000
R2(config-if)#exit
R2(config)#ip route 209.165.200.224 255.255.255.248 serial0/0/0
R2(config)#ip route 172.16.3.0 255.255.255.0 serial0/0/1


Router(config)#hostname R3
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 172.16.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Jul  5 03:22:00.983: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jul  5 03:22:01.983: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#
*Jul  5 03:22:24.015: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jul  5 03:22:25.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config-if)#do ping 10.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 serial0/0/1


R1(config)#ip http server
R1(config)#enable password cisco
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login


Switch(config)#hostname S1


Switch(config)#hostname S2


Switch(config)#hostname S3


ciscoasa> enable
Password: <ENTER>
ciscoasa# conf t
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n

In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".

Please remember to save your configuration.

ciscoasa(config)# hostname CCNAS-ASA
CCNAS-ASA(config)# domain-name ccnasecurity.com
CCNAS-ASA(config)# enable password cisco
CCNAS-ASA(config)# passwd cisco
CCNAS-ASA(config)# interface ethernet0/0
CCNAS-ASA(config-if)# switchport access vlan 2
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface ethernet0/1
CCNAS-ASA(config-if)# switchport access vlan 1
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface ethernet0/2
CCNAS-ASA(config-if)# switchport access vlan 3
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface vlan1
CCNAS-ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
CCNAS-ASA(config-if)# security-level 100
CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
CCNAS-ASA(config-if)# interface vlan2
CCNAS-ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
CCNAS-ASA(config-if)# security-level 0
CCNAS-ASA(config-if)# ip address 209.165.200.226 255.255.255.248
CCNAS-ASA(config-if)# interface vlan3
CCNAS-ASA(config-if)# no forward interface vlan1
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# object network inside-net
CCNAS-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CCNAS-ASA(config-network-object)# object network dmz-server
CCNAS-ASA(config-network-object)# host 192.168.2.3
CCNAS-ASA(config-network-object)# access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
CCNAS-ASA(config)# object network inside-net
CCNAS-ASA(config-network-object)# nat (inside,outside) dynamic interface
CCNAS-ASA(config-network-object)# object network dmz-server
CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.227
CCNAS-ASA(config-network-object)# access-group OUTSIDE-DMZ in interface outside
CCNAS-ASA(config)# route outside 0.0.0.0 0.0.0.0 209.165.200.225
CCNAS-ASA(config)# username admin password cisco123
CCNAS-ASA(config)# aaa authentication telnet console LOCAL
CCNAS-ASA(config)# aaa authentication ssh console LOCAL
CCNAS-ASA(config)# aaa authentication http console LOCAL
CCNAS-ASA(config)# http server enable
CCNAS-ASA(config)# http 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet timeout 10
CCNAS-ASA(config)# ssh timeout 10
CCNAS-ASA(config)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
CCNAS-ASA(config-pmap-c)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...


To configure Clientless SSL VPN Remote Access in ASDM, we go to Wizards > VPN Wizards > Clientless SSL VPN Wizard.









We verify the SSL VPN login (via HTTPS) by opening https://209.165.200.226 in a web browser on PC-C.



You'll be redirected to another URL when clicking on Web Mail. For this example, I used the web server on a Catalyst 3560 switch.


To monitor VPN sessions in ASDM, we go to Monitoring > VPN > VPN Statistics > Sessions. In the CLI, we issue the command show vpn-sessiondb webvpn.







CCNAS-ASA# show vpn-sessiondb webvpn

Session Type: WebVPN

Username     : VPN-User               Index        : 3
Public IP    : 172.16.3.3
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
Bytes Tx     : 236858                 Bytes Rx     : 15757
Group Policy : ClientlessVPN-Grp-Pol  Tunnel Group : DefaultWEBVPNGroup
Login Time   : 04:55:06 UTC Sun Jul 5 2015
Duration     : 0h:01m:14s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none


CCNAS-ASA# write erase
Erase configuration in flash memory? [confirm]
[OK]
CCNAS-ASA# reload
System config has been modified. Save? [Y]es/[N]o:
Proceed with reload? [confirm]
CCNAS-ASA#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down License Controller
Shutting down File system



***
*** --- SHUTDOWN NOW ---
Process shutdown finished


<OUTPUT TRUNCATED>

ciscoasa> enable
Password:
ciscoasa# conf t
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n

In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".

Please remember to save your configuration.

ciscoasa(config)# hostname CCNAS-ASA
CCNAS-ASA(config)# domain-name ccnasecurity.com
CCNAS-ASA(config)# enable password cisco
CCNAS-ASA(config)# passwd cisco
CCNAS-ASA(config)# interface ethernet0/0
CCNAS-ASA(config-if)# switchport access vlan 2
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface ethernet0/1
CCNAS-ASA(config-if)# switchport access vlan 1
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface ethernet0/2
CCNAS-ASA(config-if)# switchport access vlan 3
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface vlan 1
CCNAS-ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
CCNAS-ASA(config-if)# security-level 100
CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
CCNAS-ASA(config-if)# interface vlan 2
CCNAS-ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
CCNAS-ASA(config-if)# security-level 0
CCNAS-ASA(config-if)# ip address 209.165.200.226 255.255.255.248
CCNAS-ASA(config-if)# interface vlan 3
CCNAS-ASA(config-if)# no forward interface vlan 1
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# object network inside-net
CCNAS-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CCNAS-ASA(config-network-object)# nat (inside,outside) dynamic interface
CCNAS-ASA(config-network-object)# exit
CCNAS-ASA(config)# object network dmz-server
CCNAS-ASA(config-network-object)# host 192.168.2.3
CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.227
CCNAS-ASA(config-network-object)# exit
CCNAS-ASA(config)# access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside
CCNAS-ASA(config)# route outside 0 0 209.165.200.225
CCNAS-ASA(config)# username admin password cisco123 privilege 15
CCNAS-ASA(config)# aaa authentication telnet console LOCAL
CCNAS-ASA(config)# aaa authentication ssh console LOCAL
CCNAS-ASA(config)# aaa authentication http console LOCAL
CCNAS-ASA(config)# http server enable
CCNAS-ASA(config)# http 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet timeout 10
CCNAS-ASA(config)# ssh timeout 10
CCNAS-ASA(config)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
CCNAS-ASA(config-pmap-c)# exit
CCNAS-ASA(config-pmap)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...
CCNAS-ASA(config)#
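Both ASA base configurations above (the one for the clientless lab and this one for the AnyConnect lab) allow Telnet, generate a 1024-bit RSA key, and end up negotiating RC4/SHA1 for the SSL sessions shown in the show vpn-sessiondb output. The following is an added hardening fragment, not from the original post, that an engineer would apply before using this head-end for anything beyond a lab. It assumes ASA 9.x earlier than 9.3(2), where `ssl encryption` is the cipher command (9.3(2) and later use `ssl cipher` instead); `<strong-password>` and `<TP-NAME>` are placeholders.

```text
! --- Added example (not from the original post): hardening management and SSL
! --- settings on CCNAS-ASA before exposing 209.165.200.226 as a VPN head-end

! 1. Management plane: SSH version 2 only; remove Telnet (clear-text credentials).
no telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
! 2048-bit key for SSH and the self-signed ASDM/WebVPN certificate (the labs used 1024).
crypto key generate rsa modulus 2048 noconfirm

! 2. Local admin with privilege 15 and a non-default password; <strong-password>
!    is a placeholder. Use external AAA (RADIUS/TACACS+) in production.
username admin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL

! 3. SSL/TLS for clientless and AnyConnect: the session output negotiated RC4/SHA1.
!    Accept TLS only and prefer AES; syntax valid on ASA 9.x before 9.3(2).
ssl server-version tlsv1
ssl encryption aes256-sha1 aes128-sha1 3des-sha1

! 4. Bind a CA-signed certificate on the outside interface instead of the
!    self-signed one, so clients are not trained to click through warnings.
!    <TP-NAME> is a placeholder for an enrolled trustpoint.
ssl trust-point <TP-NAME> outside

! Verify: allowed SSH hosts, negotiated SSL settings, and the cipher each session got.
show ssh
show ssl
show run ssl
show vpn-sessiondb webvpn
show vpn-sessiondb anyconnect
```

After applying this, the Encryption field in show vpn-sessiondb should report AES rather than RC4 for new sessions; existing sessions keep their negotiated cipher until they reconnect. Regenerating the RSA key invalidates the previous self-signed certificate, so expect an ASDM and browser certificate warning once until the CA-signed certificate is bound.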


To configure AnyConnect SSL VPN Remote Access using ASDM, we go to Wizards > VPN Wizards > AnyConnect VPN Wizard.















We log in to https://209.165.200.226 from PC-C, and the portal automatically goes through the process of downloading and installing the AnyConnect VPN client.











CCNAS-ASA# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : VPN-User               Index        : 2
Assigned IP  : 192.168.1.33           Public IP    : 172.16.3.3
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : Clientless: (1)SHA1  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 118089                 Bytes Rx     : 112949
Group Policy : GroupPolicy_AnyC-SSL-VPN-Con-Prof
Tunnel Group : AnyC-SSL-VPN-Con-Prof
Login Time   : 10:35:42 UTC Sun Jul 5 2015
Duration     : 0h:06m:42s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none