{"id":1620,"date":"2025-11-22T16:01:32","date_gmt":"2025-11-22T07:01:32","guid":{"rendered":"https:\/\/mylifeisbeautiful555.net\/?page_id=1620"},"modified":"2025-11-22T16:01:32","modified_gmt":"2025-11-22T07:01:32","slug":"vpn%e3%81%8c%e8%b2%bc%e3%82%8c%e3%81%aa%e3%81%84%e5%8e%9f%e5%9b%a0tls%e3%81%ae%e5%a0%b4%e5%90%88firepower%e3%81%a7secure-client","status":"publish","type":"page","link":"https:\/\/mylifeisbeautiful555.net\/?page_id=1620","title":{"rendered":"VPN\u304c\u8cbc\u308c\u306a\u3044\u539f\u56e0(TLS\u306e\u5834\u5408)(firepower\u3067Secure Client)"},"content":{"rendered":"\n

Firepower\uff08FTD\uff09\u3067 Cisco Secure Client\u3092\u4f7f\u7528\u3059\u308b\u5834\u5408\u3001TLS \u304c\u539f\u56e0\u3067 VPN \u304c\u8cbc\u308c\u306a\u3044\u30b1\u30fc\u30b9\u306f\u201c\u975e\u5e38\u306b\u591a\u3044\u201d\u3067\u3059\u3002<\/strong>
\u7279\u306b Firepower \u306f ASA \u3068\u9055\u3044\u3001FTD \u306e SSL\/TLS \u5468\u308a\u306e\u52d5\u304d\u304c\u72ec\u7279<\/strong>\u3067\u3001\u7d30\u304b\u3044\u30dd\u30a4\u30f3\u30c8\u3092\u5916\u3059\u3068\u63a5\u7d9a\u3067\u304d\u307e\u305b\u3093\u3002<\/p>\n\n\n\n

Firepower\uff08FTD\uff09\u00d7 Cisco Secure Client<\/h1>\n\n\n\n

TLS \u304c\u539f\u56e0\u3067 VPN \u63a5\u7d9a\u3067\u304d\u306a\u3044\u5178\u578b\u30d1\u30bf\u30fc\u30f3<\/h1>\n\n\n\n

\u2460 \u8a3c\u660e\u66f8\uff08CA \/ \u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\uff09\u306e\u4e0d\u5099<\/h1>\n\n\n\n

Firepower \u306e SSL-VPN \u3067\u306f \u8a3c\u660e\u66f8\u304c\u6700\u91cd\u8981<\/strong> \u3067\u3059\u3002<\/p>\n\n\n\n

\u3088\u304f\u3042\u308bNG\u30dd\u30a4\u30f3\u30c8\uff1a<\/p>\n\n\n\n

❌ 1. FQDN \u3068 CN\/SAN \u304c\u4e00\u81f4\u3057\u3066\u3044\u306a\u3044<\/h3>\n\n\n\n

\u4f8b\uff1a<\/p>\n\n\n\n

    \n
  • \u63a5\u7d9aURL \u2192 vpn.example.com<\/code><\/li>\n\n\n\n
  • \u8a3c\u660e\u66f8\u306eCN \u2192 firepower.localdomain<\/code><\/li>\n<\/ul>\n\n\n\n

    \u2192 TLS \u30cf\u30f3\u30c9\u30b7\u30a4\u30af\u3067\u5373\u62d2\u5426<\/p>\n\n\n\n

    ❌ 2. \u4e2d\u9593\u8a3c\u660e\u66f8\u3092 Firepower \u306b\u5165\u308c\u3066\u3044\u306a\u3044<\/h3>\n\n\n\n

    \u8a3c\u660e\u66f8\u30c1\u30a7\u30fc\u30f3\u304c\u9014\u4e2d\u3067\u5207\u308c\u308b\u3068
    AnyConnect \u304c \u201c\u8a3c\u660e\u66f8\u691c\u8a3c\u5931\u6557\u201d \u3067\u63a5\u7d9a\u62d2\u5426<\/strong><\/p>\n\n\n\n

    Firepower \u306f ASA \u3088\u308a\u4e2d\u9593\u8a3c\u660e\u66f8\u306b\u53b3\u3057\u3044\u3067\u3059\u3002<\/p>\n\n\n\n

    ❌ 3. \u8a3c\u660e\u66f8\u671f\u9650\u5207\u308c<\/h3>\n\n\n\n

    \u5f53\u305f\u308a\u524d\u3067\u3059\u304c\u3001FTD \u306f\u671f\u9650\u5207\u308c cert \u3092\u305d\u306e\u307e\u307e\u63d0\u793a\u3059\u308b\u306e\u3067 TLS \u304c\u5373\u5931\u6557\u3057\u307e\u3059\u3002<\/p>\n\n\n\n

    \u5bfe\u7b56\uff08\u8a3c\u660e\u66f8\uff09<\/h1>\n\n\n\n

    FMC\uff08\u307e\u305f\u306fFDM\uff09\u3067\uff1a<\/p>\n\n\n\n

    Objects > PKI > Internal Certs > Import\nObjects > PKI > CA > Import\n<\/code><\/pre>\n\n\n\n
    \u305d\u3057\u3066 Connection Profile<\/strong> \u3067\u6b63\u3057\u3044\u8a3c\u660e\u66f8\u3092\u9078\u629e\u3057\u3066\u3044\u308b\u304b\u78ba\u8a8d\u3002<\/p>\n\n\n\n
    \u2461 TLS \u30d0\u30fc\u30b8\u30e7\u30f3\u306e\u30df\u30b9\u30de\u30c3\u30c1\uff08\u975e\u5e38\u306b\u591a\u3044\uff09<\/h1>\n\n\n\n
    Firepower \u306e \u201cSSL Settings\u201d \u3067
    TLS1.0 \/ 1.1 \u3092\u6709\u52b9\u306b\u3057\u305f\u307e\u307e<\/strong>\u3001
    Secure Client \u304c TLS1.2\/1.3 \u5f37\u5236<\/strong> \u306b\u306a\u3063\u3066\u3044\u308b\u3068\u5931\u6557\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
    \u7279\u306b\u6700\u8fd1\u306e Secure Client \u306f \u201cTLS1.2 \u672a\u6e80\u306f\u62d2\u5426\u201d \u306e\u3053\u3068\u304c\u591a\u3044\u3002<\/p>\n\n\n\n
    ▶ \u5bfe\u7b56\uff08TLS version\uff09<\/h1>\n\n\n\n
    FTD\uff08FMC\u7ba1\u7406\uff09\u306e\u5834\u5408\uff1a<\/p>\n\n\n\n
    Devices > VPN > Remote Access > SSL Settings<\/strong><\/p>\n\n\n\n
    \u3067 TLS1.2 \u3092\u6709\u52b9\uff0f\u512a\u5148\u306b\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
    \u63a8\u5968\uff1a<\/p>\n\n\n\n
      \n
    • ✔ TLS1.2 \u306e\u307f<\/strong><\/li>\n\n\n\n
    • ❌ TLS1.0\/1.1 \u306f\u7121\u52b9\uff08\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u7684\u306b\u3082\u7981\u6b62\u63a8\u5968\uff09<\/li>\n<\/ul>\n\n\n\n
      \u2463 MTU\/MSS \u554f\u984c\uff08Firepower \u3067\u304b\u306a\u308a\u591a\u3044\uff09<\/h1>\n\n\n\n
      \u7279\u306b PPPoE \u56de\u7dda\u3067 MTU=1454<\/strong> \u306e\u74b0\u5883\u3067\u306f TLS \u306e ClientHello \u304c\u65ad\u7247\u5316\u3057\u3001\u9014\u4e2d\u3067\u6d88\u5931\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
      \u75c7\u72b6\uff1a<\/p>\n\n\n\n
        \n
      • Secure Client\u300c\u63a5\u7d9a\u4e2d\u2026\u300d\u3067\u6b62\u307e\u308b<\/li>\n\n\n\n
      • TLS \u30cf\u30f3\u30c9\u30b7\u30a4\u30af\u304c\u5b8c\u4e86\u3057\u306a\u3044<\/li>\n<\/ul>\n\n\n\n
        ▶ \u5bfe\u7b56\uff08MTU\/MSS\uff09<\/h1>\n\n\n\n
        Firepower CLI\uff1a<\/p>\n\n\n\n
        system support diagnostic-cli\nconfigure firewall\nsysopt connection tcpmss 1300\n<\/code><\/pre>\n\n\n\n
        \u307e\u305f\u306f VPN \u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u3067 1300\u301c1350\u63a8\u5968<\/strong><\/p>\n\n\n\n
        \u2464 NAT \/ ACL \/ Policy \u4e2d\u3067 SSL-VPN \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304c\u843d\u3061\u3066\u3044\u308b<\/h1>\n\n\n\n
        Firepower \u306f NAT \u3068 Access Control Policy \u304c ASA \u3088\u308a\u8907\u96d1\u3067\u3059\u3002<\/p>\n\n\n\n
        TLS \u30cf\u30f3\u30c9\u30b7\u30a4\u30af\u4e2d\u306e\u30d1\u30b1\u30c3\u30c8\u304c\u4ee5\u4e0b\u3067\u30d6\u30ed\u30c3\u30af\u3055\u308c\u308b\u3053\u3068\u304c\u3042\u308a\u307e\u3059\uff1a<\/p>\n\n\n\n
          \n
        • access-control-policy<\/li>\n\n\n\n
        • NAT \u306e no-proxy-arp \u554f\u984c<\/li>\n\n\n\n
        • \u30a4\u30f3\u30b9\u30da\u30af\u30b7\u30e7\u30f3\uff08TLS\uff09<\/li>\n<\/ul>\n\n\n\n
          \u7279\u306b\u300cTLS Inspection\u300d\u304c ON \u3060\u3068 SSL-VPN \u304c\u58ca\u308c\u307e\u3059\u3002<\/p>\n\n\n\n
          ▶ \u5bfe\u7b56\uff08\u6700\u91cd\u8981\uff09<\/h1>\n\n\n\n
          SSL Decryption \/ TLS Inspection \u3092 \u201cOFF\u201d \u306b\u3059\u308b<\/strong>
          SSL-VPN \u30dd\u30ea\u30b7\u30fc\u304c\u7834\u58ca\u3055\u308c\u308b\u305f\u3081\u3002<\/p>\n\n\n\n
          Firepower \u3067 SSL-VPN \u3092\u4f7f\u3046\u3068\u304d\u306e\u6b63\u3057\u3044\u8a2d\u5b9a\u30d5\u30ed\u30fc<\/h1>\n\n\n\n
          1. Connection Profile \u4f5c\u6210<\/h3>\n\n\n\n
            \n
          • \u30c8\u30f3\u30cd\u30eb\u30b0\u30eb\u30fc\u30d7<\/li>\n\n\n\n
          • AAA<\/li>\n\n\n\n
          • \u30dd\u30fc\u30bf\u30eb<\/li>\n\n\n\n
          • \u30b0\u30eb\u30fc\u30d7\u30dd\u30ea\u30b7\u30fc<\/li>\n<\/ul>\n\n\n\n
            2. \u8a3c\u660e\u66f8\u8a2d\u5b9a<\/h3>\n\n\n\n
              \n
            • CA + \u4e2d\u9593\u8a3c\u660e\u66f8<\/li>\n\n\n\n
            • \u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u5272\u308a\u5f53\u3066<\/li>\n<\/ul>\n\n\n\n
              3. SSL \u8a2d\u5b9a\uff08TLS\/\u6697\u53f7\uff09<\/h3>\n\n\n\n
                \n
              • TLS1.2<\/li>\n\n\n\n
              • ECDHE + AES-GCM<\/li>\n<\/ul>\n\n\n\n
                4. NAT\/ACL<\/h3>\n\n\n\n
                  \n
                • Outside \u306e 443 \u3078 NAT<\/li>\n\n\n\n
                • ACL \u306f\u81ea\u52d5\u751f\u6210\u3060\u304c\u3001\u4e0d\u8981\u306a block \u304c\u306a\u3044\u304b\u78ba\u8a8d<\/li>\n<\/ul>\n\n\n\n
                  5. TLS Inspection \u3092\u7121\u52b9\u5316<\/h3>\n\n\n\n
                  \uff08SSL-VPN \u306b\u5e72\u6e09\u3059\u308b\u305f\u3081\uff09<\/p>\n\n\n\n
                  \u5b9f\u969b\u306e \u201cTLS \u30a8\u30e9\u30fc\u4f8b\u201d\uff08Firepower \u30ed\u30b0\uff09<\/h1>\n\n\n\n
                  FTD \u306e VPN debug \u3067\u3088\u304f\u898b\u308b\u30a8\u30e9\u30fc\uff1a<\/p>\n\n\n\n
                    \n
                  • TLS alert, unknown_ca<\/code><\/li>\n\n\n\n
                  • TLS handshake failed<\/code><\/li>\n\n\n\n
                  • protocol version mismatch<\/code><\/li>\n\n\n\n
                  • unsupported cipher<\/code><\/li>\n\n\n\n
                  • certificate validate failed<\/code><\/li>\n<\/ul>\n\n\n\n
                    \u3053\u308c\u3089\u306f\u5168\u3066 TLS \u304c\u539f\u56e0<\/strong>\u3067\u3059\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
                    Firepower\uff08FTD\uff09\u3067 Cisco Secure Client\u3092\u4f7f\u7528\u3059\u308b\u5834\u5408\u3001TLS \u304c\u539f\u56e0\u3067 VPN \u304c\u8cbc\u308c\u306a\u3044\u30b1\u30fc\u30b9\u306f\u201c\u975e\u5e38\u306b\u591a\u3044\u201d\u3067\u3059\u3002\u7279\u306b Firepower \u306f ASA \u3068\u9055\u3044\u3001FTD \u306e SSL\/TL […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-1620","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=\/wp\/v2\/pages\/1620","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1620"}],"version-history":[{"count":1,"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=\/wp\/v2\/pages\/1620\/revisions"}],"predecessor-version":[{"id":1621,"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=\/wp\/v2\/pages\/1620\/revisions\/1621"}],"wp:attachment":[{"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}