Running Anyconnect VPN behind reverse proxy ?

Started by Dieselboy, November 19, 2020, 08:47:21 PM


Dieselboy

I have an ASA that is directly on the internet and I can VPN to it using Anyconnect. I should have a valid SSL cert so I don't get any security warnings - which I presently do, although it will expire soon.

The ASA does not have any ACME certificate process, so I cannot use Let's Encrypt to generate an automated cert.

One idea I've had (but not yet tested) is to place the SSL VPN behind a reverse proxy and allow the reverse proxy to do the ACME cert generation. The proxy would then forward on over another https connection to the ASA using a private cert, trusted by the proxy.

To do this, I'd need tcp/443 and udp/443 allowed between `client <> proxy` and `proxy <> ASA`.

All of the above is possible in terms of configuration. I'm already doing the above for some web services, just not VPN.

What are your thoughts on this for production use? The ultimate goal is self-managed certs for the VPN. It's the only cert I'm presently needing to budget for lately.

Otanx

Should be fine as long as you are not doing any certificate authentication with the client for access. Alternatively you can have another system do the Let's Encrypt stuff, and a small script to copy the cert, and config to the ASA. However, if you already have a proxy in front of your other stuff that is probably easier.

-Otanx

deanwebb

It's either that, or install a traditional cert on the ASA and then set a reminder for 3 or 5 years later when it expires.

This is an SSL VPN, so I think that's fair play. Like Otanx said, if it's for client access auth, it needs to be on the ASA itself.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

Quote from: deanwebb on November 20, 2020, 09:04:47 AM
It's either that, or install a traditional cert on the ASA and then set a reminder for 3 or 5 years later when it expires.

I think that is what he is doing currently, but he wants to move to Let's Encrypt for the cert because they are free. However, they only issue for I think 90 days. Doing that by hand is a little too much work.

-Otanx

Dieselboy

Cool, thanks guys for the insight. I don't use the client cert auth. I'll set up a test of this at some point and let you know :)

wintermute000

keep us posted, I've not seen anyone bother to put VPN behind a load balancer so I'm curious

deanwebb

Quote from: wintermute000 on November 24, 2020, 03:15:14 AM
keep us posted, I've not seen anyone bother to put VPN behind a load balancer so I'm curious

^This. Watching.

Otanx

Watching as well. We considered putting our ASAs behind a load balancer when we first did VPN access. No intercept. Just load balance between two ASAs. However, the ASAs can do VPN load balancing on their own pretty well. We don't do any automated certificate stuff so that wasn't a consideration.

-Otanx

Dieselboy

I'm working on setting up the proxy (Traefik). Having some issue because they now have version 2.x and config is different.

Dieselboy

I never got to check this out in the end but when I was looking into it I was having some trouble figuring out the text file code that configures Traefik to accept and pass on udp/443 (in addition to tcp/443).

I'm just going through an FTD VPN guide for Anyconnect and the Cisco document does mention utilising Traefik for its features to enhance the Anyconnect VPN deployment: https://www.cisco.com/c/en/us/td/docs/security/asa/misc/anyconnect-faq/anyconnect-faq.html#Cisco_Reference.dita_2ec631a6-e134-4dcc-b034-cf1b197e0068
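The Traefik 2.x config the post above was stuck on, as an added example that is not from the original thread, from Cisco, or from the Traefik project: a static file declaring a TCP (TLS) entrypoint and a UDP entrypoint on port 443, plus a dynamic file that terminates the client TLS session with a Let's Encrypt certificate, re-encrypts to the ASA over HTTPS using a privately trusted CA, and forwards udp/443 untouched. The hostname `vpn.example.com`, the ASA address `10.0.0.5`, the file paths and the CA file name are placeholders.

```yaml
# traefik.yml (static configuration) - assumed layout, adjust paths to taste
entryPoints:
  websecure:
    address: ":443"          # TCP 443: Anyconnect TLS/CSTP control and data channel
  dtls:
    address: ":443/udp"      # UDP 443: Anyconnect DTLS channel

certificatesResolvers:
  le:
    acme:
      email: "ops@example.com"         # placeholder
      storage: "/acme/acme.json"       # must persist across restarts
      tlsChallenge: {}                 # TLS-ALPN-01, answered on the websecure entrypoint

providers:
  file:
    filename: "/etc/traefik/dynamic.yml"

---
# dynamic.yml (dynamic configuration)
http:
  routers:
    anyconnect:
      entryPoints: ["websecure"]
      rule: "Host(`vpn.example.com`)"  # placeholder public name
      service: asa
      tls:
        certResolver: le               # public cert issued and renewed by Traefik
  services:
    asa:
      loadBalancer:
        serversTransport: asa-transport
        servers:
          - url: "https://10.0.0.5:443" # placeholder ASA inside address
  serversTransports:
    asa-transport:
      serverName: "asa.internal"        # name on the ASA's private cert (placeholder)
      rootCAs:
        - "/etc/traefik/asa-ca.pem"     # private CA that signed the ASA cert; do NOT use insecureSkipVerify

udp:
  routers:
    anyconnect-dtls:
      entryPoints: ["dtls"]
      service: asa-dtls
  services:
    asa-dtls:
      loadBalancer:
        servers:
          - address: "10.0.0.5:443"     # DTLS is forwarded, not terminated
```

Two checks before trusting this in production. First, the DTLS leg is only forwarded, so Traefik never sees a certificate on udp/443; if the client refuses the DTLS session, the VPN still works but falls back to TLS only, which is visible in the client statistics. Second, the Anyconnect tunnel is opened with an HTTP `CONNECT` request over the terminated TLS session, which many HTTP reverse proxies do not forward; confirm the tunnel actually establishes through the proxy, and if it does not, the remaining option is a TCP passthrough router (`tls.passthrough: true` with a `HostSNI` rule), which keeps the ACME-issued certificate off the client-facing side and defeats the original goal.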

deanwebb


Dieselboy

Unfortunately not, but I think we're 1 step forward in that it is possible as it's recommended by Cisco :)

Now all that's required is a POC design ;)

chralg

Hi,

I have an old ASA 9.2 that doesn't support newer TLS. Anyconnect requires a higher TLS version than 1.0, so I put the ASA behind a reverse proxy (ADC) with a public Let's Encrypt cert.
That solved both the cert and the TLS issue.

Thanks
Chris

Dieselboy

Quote from: chralg on October 28, 2022, 09:06:30 AM
Hi,

I have an old ASA 9.2 that doesn't support newer TLS. Anyconnect requires a higher TLS version than 1.0, so I put the ASA behind a reverse proxy (ADC) with a public Let's Encrypt cert.
That solved both the cert and the TLS issue.

Thanks
Chris

Nice! :) It was the automatic certificate management that was interesting to me. :)

chralg

Quote from: Dieselboy on October 30, 2022, 07:44:13 PM
Nice! :) It was the automatic certificate management that was interesting to me. :)

Hi again.

Actually, I use Kubernetes with CertManager and an Ingress Controller to generate both the cert and the ADC setup. Config will be totally dynamic and updated whenever the certificate is updated.

Thanks,
Christofer