Cisco Next-Generation Firewall Virtual (NGFWv) and Cisco Adaptive Security Virtual Appliance (ASAv) in Public Cloud (Azure and AWS)

How Cisco NGFWv delivers the threat protection you need

The Cisco Firepower® Next-Generation Firewall Virtual (NGFWv), also called Firepower Threat Defense Virtual (FTDv), is an industry-leading intelligent security virtual appliance. It gives you threat protection, real-time contextual awareness, and full-stack visibility. This highly effective, highly reliable next-generation firewall is available at a low total cost of ownership. Threat protection can be expanded with optional subscription licenses for Cisco Firepower NGIPS, Advanced Malware Protection (AMP), and URL Filtering.

Cisco Firepower NGFWv in Amazon Web Services (AWS) or Microsoft Azure must be managed by a Cisco Firepower Management Center (FMC) residing in AWS or on-premises. The virtual FMC (FMCv) can be deployed on VMware ESXi, on KVM, and in AWS. Figure 1 shows the various FMC dashboards.


Figure 1. Cisco FMC dashboards for configuring, managing, and checking events

The physical and virtual Cisco Firepower NGFW appliances offer the same threat protection features and centralized management, so you gain consistent security effectiveness and visibility across physical and virtual workloads.

Cisco® AMP for Networks protects against sophisticated, targeted, zero-day, and persistent advanced threats. AMP continuously analyses files and network traffic for threats that evade your first lines of defense.

Cisco Application Visibility and Control reduces the potential surface area of attacks through the granular control of thousands of applications. It enforces mobile, social, and other acceptable-use policies.

Cisco NGFWv in the cloud also provides advanced stateful firewall and VPN functionality (IPsec, SSL VPN, and client SSL VPN support) in one device.

The Cisco Adaptive Security Virtual Appliance (ASAv) is based on the best-selling Cisco Adaptive Security Appliance (ASA). It runs the same software as physical Cisco ASAs to deliver proven security functionality in a virtual form factor. Use Cisco ASAv to protect virtual workloads in the public cloud. And use it to deliver site-to-site, remote-access, and clientless VPN as a service in public cloud deployments. Figure 2 lists the main ASAv features.

Cisco ASAv offers the REST API, an HTTP-based interface that facilitates management of the appliance, including changing its security policy and monitoring its status. Using REST APIs, multiple solutions can be used to manage both physical and virtual instances of Cisco ASA.
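One way to use that REST API for a security check rather than just configuration, as an added example (not code from the page or from Cisco): authenticate with the token service, pull the inbound access rules of one interface, and flag any active permit rule that matches any source, any destination and the whole IP protocol. The management address, interface name, CA bundle path and the offline sample rule set are assumptions, not values from the page; the endpoint paths are those of the ASA REST API agent.

```python
"""Audit Cisco ASA/ASAv access rules over the ASA REST API.

Added example, not code from the page or from Cisco. Assumptions: the ASA
REST API agent is installed and enabled, the API user has privilege 15,
and the management address, interface name and CA bundle below are
placeholders you replace for your own deployment.
"""
import base64
import json
import os
import ssl
import urllib.request

ASA_URL = "https://203.0.113.10"         # hypothetical management address (documentation range)
INTERFACE = "outside"                    # interface whose inbound ACL we audit
CA_BUNDLE = "/etc/ssl/asa-mgmt-ca.pem"   # hypothetical CA that signed the ASA's certificate


def tls_context(cafile: str) -> ssl.SSLContext:
    """Verify the ASA certificate against a pinned CA instead of disabling TLS checks."""
    return ssl.create_default_context(cafile=cafile)


def get_token(base: str, user: str, password: str, ctx: ssl.SSLContext) -> str:
    """POST /api/tokenservices with basic auth; the session token comes back in X-Auth-Token."""
    req = urllib.request.Request(f"{base}/api/tokenservices", data=b"", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.headers["X-Auth-Token"]


def fetch_rules(base: str, token: str, interface: str, ctx: ssl.SSLContext) -> dict:
    """GET the ExtendedACE collection applied inbound on one interface."""
    req = urllib.request.Request(f"{base}/api/access/in/{interface}/rules")
    req.add_header("X-Auth-Token", token)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def _is_any_address(addr: dict) -> bool:
    return addr.get("kind") == "AnyIPAddress"


def _is_any_service(svc: dict) -> bool:
    # Protocol "ip" as a NetworkProtocol service matches every protocol and port.
    return svc.get("kind") == "NetworkProtocol" and svc.get("value") == "ip"


def find_overly_permissive(rules: dict) -> list:
    """Return the active permit rules that match any source, any destination, any service."""
    findings = []
    for ace in rules.get("items", []):
        if not ace.get("permit") or not ace.get("active", True):
            continue
        if (_is_any_address(ace.get("sourceAddress", {}))
                and _is_any_address(ace.get("destinationAddress", {}))
                and _is_any_service(ace.get("destinationService", {}))):
            findings.append(ace)
    return findings


# Constructed sample in the shape the ASA REST API returns, used when run offline.
SAMPLE_RULES = {
    "kind": "collection#ExtendedACE",
    "items": [
        {"kind": "object#ExtendedACE", "position": 1, "permit": True, "active": True,
         "sourceAddress": {"kind": "AnyIPAddress", "value": "any4"},
         "destinationAddress": {"kind": "IPv4Address", "value": "10.0.2.10"},
         "destinationService": {"kind": "TcpUdpService", "value": "tcp/443"}},
        {"kind": "object#ExtendedACE", "position": 2, "permit": True, "active": True,
         "sourceAddress": {"kind": "AnyIPAddress", "value": "any4"},
         "destinationAddress": {"kind": "AnyIPAddress", "value": "any4"},
         "destinationService": {"kind": "NetworkProtocol", "value": "ip"}},
        {"kind": "object#ExtendedACE", "position": 3, "permit": False, "active": True,
         "sourceAddress": {"kind": "AnyIPAddress", "value": "any4"},
         "destinationAddress": {"kind": "AnyIPAddress", "value": "any4"},
         "destinationService": {"kind": "NetworkProtocol", "value": "ip"}},
    ],
}


def main() -> None:
    user, password = os.environ.get("ASA_USER"), os.environ.get("ASA_PASS")
    if user and password:
        ctx = tls_context(CA_BUNDLE)
        rules = fetch_rules(ASA_URL, get_token(ASA_URL, user, password, ctx), INTERFACE, ctx)
    else:
        rules = SAMPLE_RULES  # offline: audit the constructed sample instead
    for ace in find_overly_permissive(rules):
        print(f"position {ace['position']}: permit any any ip on {INTERFACE}")


if __name__ == "__main__":
    main()
```

Run it with ASA_USER and ASA_PASS set to audit a live appliance, or without them to see the check work on the constructed sample (only rule 2 is reported; the deny any/any in rule 3 is fine, and rule 1 is scoped to one host and port). The check is deliberately narrow: it catches the classic "permit ip any any" that tends to appear during troubleshooting and never gets removed, not every overly broad rule. Note that the TLS context pins a CA rather than turning verification off, which is the usual shortcut in REST API scripts and exactly what you do not want on a firewall management plane.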

What you will learn

The industry is moving toward a public cloud and hybrid cloud environment. This document covers how you can combine native security in the cloud with widely proven Cisco virtual appliances (Cisco Firepower NGFWv and Cisco ASAv) and provide a public cloud administrator with better protection and visibility.

We will cover deployment modes, licensing, use cases, High Availability (HA), stateless scale-out design, and the management of virtual appliances using on-premises or cloud resources.

Deployment modes

The Cisco NGFW virtual appliance is available in the AWS and Azure marketplaces. In AWS, it can be deployed in routed and passive modes. Passive mode design requires ERSPAN, the Encapsulated Remote Switched Port Analyzer, which is currently not available in Azure.

In passive mode, NGFWv inspects packets like an Intrusion Detection System (IDS) appliance, but no action can be taken on the packet.

In routed mode NGFWv acts as a next hop for workloads. It can inspect packets and also take action on the packet based on rule and policy definitions.

Cisco FMCv and NGFWv in the public cloud

Cisco Firepower® Next-Generation Firewall Virtual is available in AWS and Azure and Cisco Firepower Management Center Virtual is available in AWS.

Figure 3. AWS and Azure instance types for Cisco Firepower Next-Generation Firewall Virtual and Cisco Firepower Management Center

In the AWS Marketplace, we have offerings for Cisco NGFWv (FTDv) and Cisco FMCv. FMCv is required to manage the NGFWv. You can provision FMCv in AWS or use an on-premises FMC (physical or virtual). Cisco offers two FMCv models in AWS. Each model can manage up to 25 NGFWv appliances. The larger FMCv instance has more RAM, so it can handle more events. Cisco NGFWv is supported on the c3.xlarge instance type as well as c4.xlarge; both provide 4 interfaces.

Cisco ASAv in the public cloud

We offer Cisco ASAv in both AWS and Azure. It can be managed using CLI, REST API, the Cisco Adaptive Security Device Manager (ASDM), Cisco Security Manager, and the Cisco Defense Orchestrator (see Figure 6).

Figure 4. AWS and Azure instance types for Cisco ASAv

In the AWS Marketplace, we have offerings for Cisco ASAv to provide firewall functionality. Cisco ASAv10 supports 250 VPN endpoints, and Cisco ASAv30 supports 750 VPN endpoints.

Cisco NGFWv and ASAv performance

Cisco NGFWv and ASAv are offered as 1 Gbps virtual appliances in Azure and AWS. Performance may vary based on the features enabled on the virtual appliance, for example VPN, NGIPS, URL filtering, and AMP. Please refer to the Cisco NGFW performance estimator:

Cisco NGFWv and ASAv licensing

Cisco NGFWv and ASAv are licensed through Cisco Smart Licensing. Cisco Smart Software Licensing is a new way of thinking about licensing. It adds flexibility to your licensing and simplifies it across the enterprise.

Smart Software licensing delivers visibility into your license ownership and consumption. Know what you own and how you are using it. Benefit from more straightforward, standardized offers, license platforms, and policies. Make better educated purchase decisions to lower your operating costs. Discover the ease of deployment with automatic license activation.

This licensing model is:

Simple: Procure, deploy, and manage licenses easily. Devices self-register, removing the need for product Activation Keys (PAKs).

Flexible: Pool license entitlements in a single account. Move licenses freely through the network, wherever you need them.

Smart: Manage your license deployments with real-time visibility of ownership and consumption.

We support a Bring-Your-Own-License (BYOL) in Azure and AWS. We also have a flexible “hourly or annual” license for AWS. There is no Cisco Technical Assistance Center (TAC) support on the hourly or annual license. Users are billed for the license and instance cost by AWS.

The NGFWv base license is required to enable firewall throughput plus application visibility and control. We also offer term-based licenses for IPS, URL Filtering, and AMP functionality. If no license is installed, you get a lab license that entitles you to 100 Kbps and 100 connections per second. (See Figure 5.)

Figure 5. Base and term-based licenses in AWS and Azure

Note: There is no Cisco TAC support with the AWS pay-as-you-go license model, but you can purchase one-year TAC support from the listed partner:

An ASAv standard license is required to enable throughput. If no license is installed, you get a lab license that entitles you to 100 Kbps and 100 connections per second. In addition to the standard license, we also offer Cisco AnyConnect® VPN licenses (ASAv10 supports 250 VPN endpoints, and ASAv30 supports 750 VPN endpoints.)

An Azure ASAv10 (Standard D3 and D3v2) instance can support 750 VPN endpoints. (See Figure 6.)

Figure 6. Standard and Cisco AnyConnect licenses in AWS and Azure

Deployment Models for Cisco NGFWv in Azure and AWS

Cisco NGFWv in Azure (routed mode)

Cisco NGFWv is deployed in routed mode and managed by an on-premises FMC or an FMC running in AWS. Interfaces are numbered from eth0 through eth3. By default, eth0 gets an IP address from the private range, and it is mapped to a public IP address on the Azure gateway. You can manage NGFWv using the public IP address, or using an internal address over Azure ExpressRoute connectivity.

eth1 is a diagnostics interface, and eth2 and eth3 are data interfaces.

Multiple IP addresses can be assigned on eth2 for one-to-one translation to internal workloads (Figure 7).

Figure 7. Deployment model for Cisco NGFWv in Azure (routed mode)

Cisco NGFWv in AWS (routed mode)

Cisco NGFWv is deployed in routed mode and managed by an on-premises FMC or an FMC running in AWS. Interfaces are numbered from eth0 through eth3. By default, eth0 gets an IP address from the private range, and it is mapped to a public IP address on the AWS gateway. You can manage NGFWv using the public IP address, or using an internal address over AWS Direct Connect. eth1 is a diagnostics interface, and eth2 and eth3 are data interfaces.

Multiple IP addresses can be assigned on eth2 for one-to-one translation to internal workloads (Figure 8).

Figure 8. Deployment model for Cisco NGFWv in AWS (routed mode)

Cisco NGFWv in AWS (passive mode)

Cisco NGFWv can be deployed in passive mode. It works like an intrusion detection system (IDS) device. In a passive IPS deployment, the NGFWv uses ERSPAN to monitor traffic flowing across a network. ERSPAN allows for traffic to be copied. This capability gives you system visibility without being in the flow of network traffic. When configured in a passive deployment, the system cannot take certain actions such as blocking or shaping traffic.

Passive interfaces receive all traffic unconditionally, and no traffic received on these interfaces is retransmitted (Figure 9).

Figure 9. Deployment model for Cisco NGFWv in AWS (passive mode)

Deployment Models for Cisco ASAv in Azure and AWS

Cisco ASAv in Azure (routed mode)

Cisco ASAv can be deployed in routed mode with 4 interfaces (see Figure 10). Of these, eth0 is a management and data interface. It gets an IP address from the private range, and it is translated to an external IP address on the Azure gateway. The Cisco ASAv image is bundled with the Cisco ASDM image and a REST API plug-in for orchestration. With Azure ExpressRoute connectivity, ASAv can be managed using an internal IP address.

We support active/standby high availability on ASAv running in Azure.

Cisco ASAv supports IPsec and Cisco AnyConnect VPNs.


Figure 10. Deployment model for Cisco ASAv in Azure (routed mode)

Cisco ASAv in AWS (routed mode)

Cisco ASAv can be deployed in routed mode with 4 interfaces (see Figure 11). Of these, eth0 is a management and data interface. It gets an IP address from the private range, and it is translated to an external IP address on the AWS gateway. The Cisco ASAv image is bundled with the ASDM image and a REST API plug-in for orchestration. ASAv can be managed using an internal IP address over AWS Direct Connect.

Cisco ASAv supports IPsec and AnyConnect VPNs.

Figure 11. Deployment model for Cisco ASAv in AWS (routed mode)

ARM template deployment for Cisco NGFWv and ASAv in Azure

In Azure, Azure Resource Manager (ARM) is the management layer (API). You can deploy Cisco ASAv and NGFWv using an ARM template. Before you can actually deploy those resources, you have to provide the resource group, storage account, availability set, and virtual network with the appropriate subnets. The steps for an ARM deployment are shown in Figure 12.

Figure 12. Deploying NGFWv and ASAv using the Azure Resource Manager
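The marketplace ARM template deploys the appliance itself; what makes the NGFWv or ASAv the next hop for workloads (routed mode, above) is a user-defined route table bound to the workload subnet, and that is easy to get wrong. The following is an added example, not code from the page or from Cisco's ARM templates: a constructed, minimal ARM fragment with the route-table and subnet resources, plus a check that the template really forces all egress through a hypothetical firewall data-interface address (10.0.2.4) with no route that bypasses it.

```python
"""Check that an ARM template forces workload traffic through the NGFWv/ASAv.

Added example, not code from the page or from Cisco's ARM templates. It assumes
a hypothetical private IP for the firewall's inside data interface and embeds a
constructed, minimal template containing only the route-table and subnet resources.
"""
import json

FIREWALL_INSIDE_IP = "10.0.2.4"  # hypothetical private IP of the firewall's inside data interface

# Constructed ARM fragment: default route to the firewall, route table bound to the workload subnet.
GOOD_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2020-11-01",
      "name": "rt-workload",
      "location": "[resourceGroup().location]",
      "properties": {
        "disableBgpRoutePropagation": true,
        "routes": [
          { "name": "default-via-fw",
            "properties": { "addressPrefix": "0.0.0.0/0",
                            "nextHopType": "VirtualAppliance",
                            "nextHopIpAddress": "10.0.2.4" } }
        ]
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2020-11-01",
      "name": "vnet-prod/snet-workload",
      "dependsOn": [ "[resourceId('Microsoft.Network/routeTables', 'rt-workload')]" ],
      "properties": {
        "addressPrefix": "10.0.10.0/24",
        "routeTable": { "id": "[resourceId('Microsoft.Network/routeTables', 'rt-workload')]" }
      }
    }
  ]
}
""")

# Same template with one extra route that sends a /8 straight to the Internet, bypassing inspection.
BAD_TEMPLATE = json.loads(json.dumps(GOOD_TEMPLATE))
BAD_TEMPLATE["resources"][0]["properties"]["routes"].append(
    {"name": "bypass", "properties": {"addressPrefix": "52.0.0.0/8", "nextHopType": "Internet"}})


def check_forced_tunnel(template: dict, firewall_ip: str) -> list:
    """Return human-readable findings; an empty list means every route table is clean."""
    findings = []
    resources = template.get("resources", [])
    tables = [r for r in resources if r.get("type") == "Microsoft.Network/routeTables"]
    if not tables:
        return ["no route table in template: workload subnets use Azure system routes"]
    for rt in tables:
        name = rt.get("name")
        props = rt.get("properties", {})
        routes = props.get("routes", [])
        default = [r for r in routes if r["properties"].get("addressPrefix") == "0.0.0.0/0"]
        if not default:
            findings.append(f"{name}: no 0.0.0.0/0 route, egress is not forced through the firewall")
        for r in default:
            p = r["properties"]
            if p.get("nextHopType") != "VirtualAppliance" or p.get("nextHopIpAddress") != firewall_ip:
                findings.append(f"{name}: default route next hop is not the firewall ({firewall_ip})")
        for r in routes:
            if r["properties"].get("nextHopType") == "Internet":
                findings.append(f"{name}: route '{r['name']}' bypasses the firewall via Internet")
        if not props.get("disableBgpRoutePropagation", False):
            findings.append(f"{name}: BGP route propagation enabled, gateway-learned routes could bypass")
    bound = [r for r in resources
             if r.get("type") == "Microsoft.Network/virtualNetworks/subnets"
             and "routeTable" in r.get("properties", {})]
    if not bound:
        findings.append("no subnet references a route table")
    return findings


if __name__ == "__main__":
    for label, tpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, check_forced_tunnel(tpl, FIREWALL_INSIDE_IP) or ["ok"])
```

The constructed good template passes; the bad one is reported only for the extra Internet route. Two points in the check matter in practice: a more-specific route always wins over 0.0.0.0/0, so a single "Internet" or "VirtualNetworkGateway" entry quietly exempts that prefix from inspection, and with BGP propagation left on, prefixes learned over ExpressRoute or VPN can do the same without appearing in the template at all. Run the function over your real template (json.load of the file) before deployment rather than after the first traffic flows around the firewall.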

Here are more resources about templates:

Cisco NGFWv ARM Template: https://cs.co/NGFWvARMTemplate

Cisco ASAv ARM Template: https://cs.co/ASAvARMTemplate

Cisco ASAv template deployment (video): https://cs.co/CiscoASAvTDeploymentAzure

Cisco NGFWv template deployment (video):

Cisco NGFWv and ASAv cloud formation template in AWS

In AWS, CloudFormation is the management layer you deploy resources through, and a CloudFormation (CF) template describes the resources to create. You can deploy Cisco ASAv and NGFWv using a CF template. (See Figure 13.)

Figure 13. Deploying a CF template in AWS

Additional resources

Cisco Next-Generation Firewall Virtual (NGFWv) data sheet:

Cisco Firepower Management Center (FMC) data sheet:

Cisco Adaptive Security Virtual Appliance (ASAv) data sheet:

Cisco NGFWv in AWS Marketplace offering (BYOL): https://cs.co/CiscoNGFWvBYOL

Cisco NGFWv in AWS Marketplace offering (hourly and annual): https://cs.co/CiscoNGFWvHourlyAnnual

Cisco FMCv in AWS Marketplace offering (BYOL): https://cs.co/CiscoFMCvBYOL

Cisco ASAv in AWS Marketplace offering (BYOL, hourly and annual): https://cs.co/CiscoASAvBYOLHourlyAnnual

Cisco NGFWv in Azure Marketplace offering (BYOL): https://cs.co/CiscoNGFWv

Cisco ASAv in Azure Marketplace offering (BYOL): https://cs.co/CiscoASAv

Cisco ASAv licensing (BYOL): https://cs.co/ASAvLicensing

Cisco NGFWv licensing (BYOL): https://cs.co/CiscoNGFWvLicensing

Cisco NGFWv ARM Template: https://cs.co/NGFWvARMTemplate

Cisco ASAv ARM Template: https://cs.co/ASAvARMTemplate


Cisco NGFWv and ASAv in Public Cloud YouTube Channel: https://cs.co/DCandCloudSecurity


Cisco Security TME YouTube channel (Cisco Application Centric Infrastructure security, private and public cloud security): https://cs.co/AdvanceSecurityPrivatePublicCloud

Cisco NGFWv and FMCv deployment in AWS and threat policy blocking malware:

Part 1: https://cs.co/CiscoNGFWvinAWS1

Part 2: https://cs.co/CiscoNGFWvinAWS2

Part 3: https://cs.co/CiscoNGFWvinAWS3

Cisco NGFWv deployment in Azure: https://cs.co/NGFWvAzureDeployment

Cisco Firepower NGFWv in Azure: Protect vNET workloads in north-south and east-west traffic: https://cs.co/CiscoNGFWvNSEW


Cisco NGFWv micro segmentation use case in Azure: https://cs.co/MicroSegmentation

Cisco NGFWv template deployment in Azure:

https://www.youtube.com/watch?v=nczS4HznPaA&list=PL5SvLIjumxqIzv2I0ZU9BCBgwqmEac_3G&index=1

Cisco ASAv deployment in AWS: https://cs.co/CiscoASAvDeploymentAWS

Cisco ASAv deployment in Azure: https://cs.co/CiscoASAvDeploymentAzure

Cisco ASAv template deployment: https://cs.co/CiscoASAvTDeploymentAzure

Cisco ASAv scale out design in AWS: https://cs.co/CiscoASAvScaleoutAWS

Cisco ASAv scale out design in Azure: https://cs.co/CiscoASAvAzureScaleout


Cisco NGFWv and ASAv multiple IP assignments: https://www.youtube.com/watch?v=FUZMTBZrA74