Running Anyconnect VPN behind reverse proxy ?

Dieselboy · November 19, 2020, 08:47:21 PM

I have an ASA that is directly on the internet and I can VPN to it using Anyconnect. I should have a valid SSL cert so I dont get any security warnings - which I presently do although it will expire soon.

The ASA does not have any ACME certificate process, so I cannot use Let's Encrypt to generate an automated cert.

One idea I've had (but not yet tested) is to place the SSL VPN behind a reverse proxy and allow the reverse proxy to do the ACME cert generation. The proxy would then forward on over another https connection to the ASA using a private cert, trusted by the proxy.

To do this, I'd need tcp/443 and udp/443 allowed betwen `client <> proxy` and `proxy <> ASA`.

All of the above is possible in terms of configuration. I'm already doing the above for some web services, just not VPN.

What are your thoughts on this for production use? The ultimate goal is self-managed certs for the VPN. It's the only cert I'm presently needing to budget for lately.

Otanx · November 20, 2020, 08:41:11 AM

Should be fine as long as you are not doing any certificate authentication with the client for access. Alternatively you can have another system do the Let's Encrypt stuff, and a small script to copy the cert, and config to the ASA. However, if you already have a proxy in front of your other stuff that is probably easier.

-Otanx

deanwebb · November 20, 2020, 09:04:47 AM

It's either that, or install a traditional cert on the ASA and then set a reminder for 3 or 5 years later when it expires.

This is an SSL VPN, so I think that's fair play. Like Otanx said, if it's for client access auth, it needs to be on the ASA itself.

Otanx · November 20, 2020, 02:08:37 PM

Quote from: deanwebb on November 20, 2020, 09:04:47 AM
It's either that, or install a traditional cert on the ASA and then set a reminder for 3 or 5 years later when it expires.

I think that is what he is doing currently, but he wants to move to Let's Encrypt for the cert because they are free. However, they only issue for I think 90 days. Doing that by hand is a little too much work.

-Otanx

Dieselboy · November 23, 2020, 09:23:10 PM

Cool thanks guys for the insight. I dont use the client cert auth. I'll set up a test of this at somepoint and let you know

wintermute000 · November 24, 2020, 03:15:14 AM

keep us posted, I've not seen anyone bother to put VPN behind a load balancer so I'm curious

deanwebb · November 24, 2020, 09:40:26 AM

Quote from: wintermute000 on November 24, 2020, 03:15:14 AM
keep us posted, I've not seen anyone bother to put VPN behind a load balancer so I'm curious

^This. Watching.

Otanx · November 24, 2020, 01:51:39 PM

Watching as well. We considered putting our ASAs behind a load balancer when we first did VPN access. No intercept. Just load balance between two ASAs. However, the ASAs can do VPN load balancing on their own pretty well. We don't do any automated certificate stuff so that wasn't a consideration.

-Otanx

Dieselboy · November 26, 2020, 03:08:54 AM

I'm working on setting up the proxy (Traefik). Having some issue because they now have version 2.x and config is different.

Dieselboy · October 24, 2022, 08:47:35 PM

I never got to check this out in the end but when I was looking into it I was having some trouble figuring out the text file code that configures Traefik to accept and pass on udp/443 (in addition to tcp/443).

I'm just going through a FTD VPN guide for Anyconnect and the Cisco document does mention utilising Traefik for it's features to enhance the anyconnect VPN deployment: https://www.cisco.com/c/en/us/td/docs/security/asa/misc/anyconnect-faq/anyconnect-faq.html#Cisco_Reference.dita_2ec631a6-e134-4dcc-b034-cf1b197e0068

deanwebb · October 26, 2022, 02:04:50 PM

So we still don't have full closure.

Dieselboy · October 26, 2022, 09:45:51 PM

Unfortunately not, but I think we're 1 step forward in that it is possible as it's recommended by Cisco

Now all that's required is a POC design

chralg · October 28, 2022, 09:06:30 AM

Hi,

I have an old ASA 9.2 that doesn't support newer TLS. Anyconnect requires higher TLS than 1.0, so I put the ASA behind a reverse proxy (ADC) with a public let's encrypt cert.
That solved both cert and TLS issue.

Thanks
Chris

Dieselboy · October 30, 2022, 07:44:13 PM

Quote from: chralg on October 28, 2022, 09:06:30 AM
Hi,

I have an old ASA 9.2 that doesn't support newer TLS. Anyconnect requires higher TLS than 1.0, so I put the ASA behind a reverse proxy (ADC) with a public let's encrypt cert.
That solved both cert and TLS issue.

Thanks
Chris

Nice!

It was the automatic certificate management that was interesting to me.

chralg · November 16, 2022, 05:41:16 AM

Quote from: Dieselboy on October 30, 2022, 07:44:13 PM
Nice! It was the automatic certificate management that was interesting to me.

Hi again.

Actually, I use Kubernetes with CertManager and an Ingress Controller to generate the both the cert and the ADC setup. Config will be totally dynamic and updated whenever certificate is updated.

Thanks,
Christofer