Saturday, March 1, 2014

Deploying Clientless SSL VPN (WebVPN) Solution

SSL VPNs are often deployed to allow access to a company's intranet, Microsoft SharePoint, or web mail. The SSL VPN enables users to connect from a handheld device (smartphone or PDA), a public Internet cafe, or a corporate laptop. Users in these environments are usually just opening a calendar, editing a document, or reading email within a web page.


When preparing to deploy a basic clientless SSL VPN, a few key items must be completed (in order) before you can test the access and move on to providing for advanced features:

Step 1 - IP addressing: It is important to know the IP addressing plan for the site on which you are installing the ASA, because you need an IP address for the external interface (the one closest to the VPN clients, which terminates the SSL VPN sessions).

Step 2 - Configure a hostname, domain name, and Domain Name System (DNS): Before publishing the relevant SSL VPN URLs to users, you configure your ASA with a hostname and a domain name. You also enter the addresses of any internal and external DNS servers to allow user access to any bookmarks or external URLs they browse to using your SSL VPN.

Step 3 - Enroll with a CA and become a member of a PKI: Because users will be accessing the device externally over an SSL connection, a device certificate is required for successful authentication of the ASA. Another option is to use a locally generated self-signed certificate.

Step 4 - Enable relevant interfaces for SSL VPN access: Before SSL VPN access can occur, you need to specify which interface the service will be available on.

Step 5 - Create LOCAL user accounts: Because this is a basic SSL VPN, you use LOCAL authentication for user access. Doing so requires that you create the user accounts on the ASA device.

Step 6 - Create a Connection Profile (optional but recommended so that the DefaultWEBVPNGroup is not used): In this step, create a new connection profile and map it to users through group policies or user attributes. A connection profile is used for prelogin settings such as authentication method, DNS servers and domain name, and portal customization.
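As an added illustration of the six-step checklist (this is not code from the original post), here is a Python script that parses a running-config excerpt the way the ASA prints it and reports which prerequisites are missing. The sample configuration is constructed from the commands shown later in this post, and the check names are the script's own:

```python
"""Checklist validator for a basic clientless SSL VPN on a Cisco ASA.
Added example, not from the original post: it reads a running-config
excerpt and reports which of the six prerequisite steps are present.
SAMPLE_CONFIG is constructed from the commands shown in the post.
"""

SAMPLE_CONFIG = """\
hostname MY-ASA-FW
domain-name local.com
dns server-group MY-DNS-GRP
 name-server 8.8.8.8
crypto ca trustpoint TPLOCAL
 enrollment self
ssl trust-point TPLOCAL outside
webvpn
 enable outside
group-policy Engineering internal
group-policy Engineering attributes
 vpn-tunnel-protocol ssl-clientless
username John password cisco
username John attributes
 vpn-group-policy Engineering
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
 default-group-policy Engineering
tunnel-group Engineering webvpn-attributes
 group-url https://200.1.1.1/Engineering enable
"""


def parse_blocks(config):
    """Split ASA config into (command, [sub-mode lines]); sub-mode lines are
    indented with a leading space and attach to the command before them."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_clientless_sslvpn(config):
    """Return {check name: bool} for each prerequisite of the six-step list."""
    blocks = parse_blocks(config)
    cmds = [c for c, _ in blocks]
    result = {}
    # Step 2: hostname, domain name and at least one DNS server.
    result["hostname"] = any(c.startswith("hostname ") for c in cmds)
    result["domain-name"] = any(c.startswith("domain-name ") for c in cmds)
    result["dns-server"] = any(
        c.startswith("dns name-server ")
        or (c.startswith("dns server-group ")
            and any(s.startswith("name-server ") for s in subs))
        for c, subs in blocks)
    # Step 3: an enrolled trustpoint (self-signed or CA) bound with
    # `ssl trust-point`; an entry with no interface is the fallback for all.
    trustpoints = {c.split()[-1]: subs for c, subs in blocks
                   if c.startswith("crypto ca trustpoint ")}
    result["trustpoint-enrolled"] = any(
        any(s.startswith("enrollment ") for s in subs)
        for subs in trustpoints.values())
    ssl_tp = [c.split() for c in cmds if c.startswith("ssl trust-point ")]
    cert_ifaces = {t[3] for t in ssl_tp if len(t) == 4 and t[2] in trustpoints}
    fallback_cert = any(len(t) == 3 and t[2] in trustpoints for t in ssl_tp)
    # Step 4: webvpn enabled on an interface that also serves the certificate.
    webvpn_ifaces = {s.split()[1] for c, subs in blocks if c == "webvpn"
                     for s in subs if s.startswith("enable ")}
    result["webvpn-enabled"] = bool(webvpn_ifaces)
    result["cert-on-webvpn-interface"] = bool(webvpn_ifaces) and (
        fallback_cert or bool(webvpn_ifaces & cert_ifaces))
    # The group policy must permit the clientless protocol.
    result["ssl-clientless-permitted"] = any(
        c.startswith("group-policy ") and c.endswith(" attributes")
        and any(s.startswith("vpn-tunnel-protocol ") and "ssl-clientless" in s
                for s in subs)
        for c, subs in blocks)
    # Step 5: at least one LOCAL user account.
    result["local-user"] = any(
        c.startswith("username ") and " password " in c for c in cmds)
    # Step 6: a custom connection profile with an enabled alias or URL,
    # so sessions do not fall into DefaultWEBVPNGroup.
    result["custom-connection-profile"] = any(
        c.startswith("tunnel-group ") and c.endswith(" webvpn-attributes")
        and "DefaultWEBVPNGroup" not in c
        and any(s.startswith(("group-alias ", "group-url "))
                and s.endswith(" enable") for s in subs)
        for c, subs in blocks)
    return result


def missing_steps(config):
    """Names of the checks that failed, in checklist order."""
    return [n for n, ok in check_clientless_sslvpn(config).items() if not ok]


if __name__ == "__main__":
    gaps = missing_steps(SAMPLE_CONFIG)
    print("all prerequisites present" if not gaps else "missing: " + ", ".join(gaps))
```

Feed it the text of `show running-config` from a box being built and it tells you which step is still open before you start testing from the outside; removing the `enable outside` line from the sample, for instance, reports both the missing WebVPN enable and the resulting certificate/interface mismatch.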


ciscoasa(config)# hostname MY-ASA-FW     // CONFIGURE HOSTNAME AND DNS FOR CA CERTIFICATE
MY-ASA-FW(config)# domain-name local.com
MY-ASA-FW(config)# dns domain-lookup inside
MY-ASA-FW(config)# dns domain-lookup outside
MY-ASA-FW(config)# dns name-server 8.8.8.8
MY-ASA-FW(config)# dns server-group MY-DNS-GRP
MY-ASA-FW(config-dns-server-group)# name-server 8.8.8.8


MY-ASA-FW(config)# crypto key generate rsa label SSLVPN     // MANUALLY CREATE SELF-SIGNED CERTIFICATE
INFO: The name for the keys will be: SSLVPN
Keypair generation process begin. Please wait...
MY-ASA-FW(config)# crypto ca trustpoint ?

configure mode commands/options:
  WORD < 65 char  Trustpoint Name
MY-ASA-FW(config)# crypto ca trustpoint TPLOCAL
MY-ASA-FW(config-ca-trustpoint)# ?

crypto ca trustpoint configuration commands:
  accept-subordinates    Accept subordinate CA certificates
  client-types           Specifies the client connection types for which this
                         trustpoint can be used to validate the certificates
                         associated with a user connection
  crl                    CRL options
  default                Return all enrollment parameters to their default
                         values
  email                  Email Address
  enrollment             Enrollment parameters
  exit                   Exit from certificate authority trustpoint entry mode
  fqdn                   include fully-qualified domain name
  help                   Help for crypto ca trustpoint configuration commands
  id-cert-issuer         Accept ID certificates
  id-usage               Specifies how the device identity represented by this
                         trustpoint can be used
  ignore-ipsec-keyusage  Suppress Key Usage checking on IPSec client
                         certificates
  ignore-ssl-keyusage    Suppress Key Usage checking on SSL client certificates
  ip-address             include ip address
  keypair                Specify the key pair whose public key is to be
                         certified
  match                  Match a certificate map
  no                     Negate a command or set its defaults
  ocsp                   OCSP parameters
  password               revocation password
  proxy-ldc-issuer       An issuer for TLS proxy local dynamic certificates
  revocation-check       Revocation checking options
  serial-number          include serial number
  subject-name           Subject Name
MY-ASA-FW(config-ca-trustpoint)# enrollment ?

crypto-ca-trustpoint mode commands/options:
  retry     Polling parameters
  self      Enrollment will generate a self-signed certificate
  terminal  Enroll via the terminal (cut-and-paste)
  url       CA server enrollment URL
MY-ASA-FW(config-ca-trustpoint)# enrollment self
MY-ASA-FW(config-ca-trustpoint)# exit
MY-ASA-FW(config)# crypto ca ?

configure mode commands/options:
  authenticate  Get the CA certificate
  certificate   Actions on certificates
  crl           Actions on certificate revocation lists
  enroll        Request a certificate from a CA
  export        Export a trustpoint configuration with all associated keys and
                certificates in PKCS12 format, or export the identity
                certificate in PEM format
  import        Import certificate or pkcs-12 data
  server        Define Local Certificate Server
  trustpoint    Define a CA trustpoint

exec mode commands/options:
  server  Local Certificate Server commands
MY-ASA-FW(config)# crypto ca enroll ?

configure mode commands/options:
  WORD < 65 char  Trustpoint Name
MY-ASA-FW(config)# crypto ca enroll TPLOCAL

% The fully-qualified domain name in the certificate will be: MY-ASA-FW.local.com

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes
MY-ASA-FW(config)# ssl ?

configure mode commands/options:
  certificate-authentication  Enable client certificate authentication
  client-version              The SSL/TLS protocol version to use when acting
                              as a client
  encryption                  This is the encryption method(s) used with ssl.
                              The ordering of the algorithms specifies the
                              preference.
  server-version              The SSL/TLS protocol version to use when acting
                              as a server
  trust-point                 Configure the ssl certificate trustpoint
MY-ASA-FW(config)# ssl trust-point ?

configure mode commands/options:
Available configured trustpoints:
  TPLOCAL
MY-ASA-FW(config)# ssl trust-point TPLOCAL ?

configure mode commands/options:
           An entry without the interface being specified represents the
           fallback trustpoint which will be used on all interfaces not
           associated with a trustpoint of their own.
Available interfaces for the trust point / SSL certificate association:
  inside   Name of interface GigabitEthernet1
  outside  Name of interface GigabitEthernet0
  <cr>
MY-ASA-FW(config)# ssl trust-point TPLOCAL outside


MY-ASA-FW(config)# webvpn  
MY-ASA-FW(config-webvpn)# ?

WebVPN commands:
  anyconnect               AnyConnect configuration parameters
  anyconnect-essentials    Enable/Disable AnyConnect Essentials
  apcf                     Load Aplication Profile Customization Framework
                           (APCF) profile
  auto-signon              Configure auto-sign to allow login to certain
                           applications using the WebVPN session credentials
  cache                    Configure WebVPN cache
  certificate-group-map    Associate a tunnel-group with a certificate map rule
  character-encoding       Configures the character encoding for WebVPN portal
                           pages
  csd                      This specifies whether Cisco Secure Desktop is
                           enabled and the package file name to be used.
  default-idle-timeout     This is the default idle timeout in seconds
  default-language         Default language to use
  dtls                     Configure DTLS for WebVPN
  enable                   Enable WebVPN on the specified interface
  error-recovery           Contact TAC before using this command
  exit                     Exit from WebVPN configuration mode
  file-encoding            Configures the file encoding for a file sharing
                           server
  help                     Help for WebVPN commands
  http-proxy               This is the proxy server to use for HTTP requests
  https-proxy              This is the proxy server to use for HTTPS requests
  internal-password        Adds an option to input a different password for
                           accessing internal servers
  java-trustpoint          Configure WebVPN java trustpoint
  kcd-server               Configure an KCD-Server
  keepout                  Shows Web page when the login is disabled
  memory-size              Configure WebVPN memory size. CHECK MEMORY USAGE
                           BEFORE APPLYING THIS COMMAND. USE ONLY IF ADVISED BY
                           CISCO
  mobile-device            Configure access from mobile devices
  mus                      Configure Mobile User Security
  no                       Remove a WebVPN command or set to its default
  onscreen-keyboard        Adds WebVPN onscreen keyboard for typing password on
                           the WebVPN logon page and internal pages requiring
                           authentication
  port                     WebVPN should listen for connections on the
                           specified port
  port-forward             Configure the port-forward list for WebVPN
  portal-access-rule       Configuration related to portal access rules
  proxy-bypass             Configure proxy bypass
  rewrite                  Configure content rewriting rule
  smart-tunnel             Configure a list of programs to use smart tunnel
  sso-server               Configure an SSO Server
  tunnel-group-list        Configure WebVPN group list dropdown in login page
  tunnel-group-preference  Enable/Disable Tunnel Group Preference
MY-ASA-FW(config-webvpn)# enable ?

webvpn mode commands/options:
Current available interface(s):
  inside   Name of interface GigabitEthernet1
  outside  Name of interface GigabitEthernet0

configure mode commands/options:
  password  Configure password for the enable command
MY-ASA-FW(config-webvpn)# enable outside      // ENABLE SSL VPN ON THE OUTSIDE INTERFACE
INFO: WebVPN and DTLS are enabled on 'outside'.

MY-ASA-FW(config)# group-policy ? 

configure mode commands/options:
  WORD < 65 char  Enter the name of the group policy
MY-ASA-FW(config)# group-policy Sales ?

configure mode commands/options:
  external  Enter this keyword to specify an external group policy
  internal  Enter this keyword to specify an internal group policy
MY-ASA-FW(config)# group-policy Sales internal       // CONFIGURE GROUP POLICY
MY-ASA-FW(config)# group-policy Engineering internal
MY-ASA-FW(config-group-policy)# ?

group_policy configuration commands:
  address-pools                     Configure list of up to 6 address pools to
                                    assign addresses from
  backup-servers                    Configure list of backup servers to be used
                                    by the remote client
  banner                            Configure a banner, or welcome text to be
                                    displayed on the VPN remote client
  client-access-rule                Specify rules permitting/denying access to
                                    specific client types and versions.
  client-firewall                   Configure the firewall requirements for
                                    users in this group-policy
  default-domain                    Configure default domain name given to
                                    users of this group
  dhcp-network-scope                Specify the range of IP addresses to
                                    indicate to the DHCP server for address
                                    assignment
  dns-server                        Configure the primary and secondary DNS
                                    servers
  exit                              Exit from group-policy configuration mode
  group-lock                        Enter name of an existing tunnel-group that
                                    users are required to connect with
  help                              Help for group_policy configuration
                                    commands
  intercept-dhcp                    Enable this command to use group policy for
                                    clients requesting Microsoft DHCP
  ip-comp                           Enter this command to enable IP compression
                                    (LZS)
  ip-phone-bypass                   Configure to allow Cisco IP phones behind
                                    Hardware clients to bypass the Individual
                                    User Authentication process.
  ipsec-udp                         Enter this command to allow a client to
                                    operate through a NAT device using UDP
                                    encapsulation
  ipsec-udp-port                    Enter the UDP port to be used by the client
                                    for IPSec through NAT
  ipv6-address-pools                Configure list of up to 6 ipv6 address
                                    pools to assign addresses from
  ipv6-vpn-filter                   Enter name of a configured IPv6 ACL to
                                    apply to users
  leap-bypass                       Enable/disable LEAP packets from Cisco
                                    wireless devices to bypass the individual
                                    user authentication process. This setting
                                    applies only to HW clients.
  msie-proxy                        Enter this command to configure MSIE
                                    Browser Proxy settings for a client system
  nac-settings                      Configured the name of the nac-policy
  nem                               Configure hardware clients to use network
                                    extension mode. This setting applies only
                                    to HW clients.
  no                                Remove an attribute value pair
  password-storage                  Enable/disable storage of the login
                                    password on the client system
  pfs                               Enter this command to indicate that the
                                    remote client needs to perform PFS
  re-xauth                          Enter this command to enable
                                    reauthentication of the user on IKE rekey
  scep-forwarding-url               Configure CA SCEP URL to forward the SCEP
                                    messages.
  secure-unit-authentication        Configure interactive authentication. This
                                    setting applies only to HW clients.
  smartcard-removal-disconnect      Configure client action for smart card
                                    removal
  split-dns                         Configure list of domains to be resolved
                                    through the Split Tunnel
  split-tunnel-all-dns              Select the option to indicate how the
                                    client should handle DNS queries when
                                    split-tunneling is enabled
  split-tunnel-network-list         Configure name of access-list for split
                                    tunnel configuration
  split-tunnel-policy               Select the split tunneling method to be
                                    used by the remote client
  user-authentication               Configure individual user authentication.
                                    This setting applies only to HW clients.
  user-authentication-idle-timeout  Configure the idle timeout period in
                                    minutes. If there is no communication in
                                    this period, the system terminates the
                                    connection. This setting applies only to HW
                                    clients.
  vlan                              Specify the VLAN onto which VPN traffic for
                                    this group will be forwarded.
  vpn-access-hours                  Enter name of a configured time-range
                                    policy
  vpn-filter                        Enter name of a configured ACL to apply to
                                    users
  vpn-idle-timeout                  Enter idle timeout period in minutes, enter
                                    none to disable
  vpn-session-timeout               Enter maximum user connection time in
                                    minutes, enter none for unlimited time
  vpn-simultaneous-logins           Enter maximum number of simultaneous logins
                                    allowed
  vpn-tunnel-protocol               Enter permitted tunneling protocols
  webvpn                            Configure group policy for WebVPN
  wins-server                       Configure the primary and secondary WINS
                                    servers
MY-ASA-FW(config-group-policy)# vpn-tunnel-protocol ?

username mode commands/options:
  ikev1           IKEv1
  ikev2           IKEv2
  l2tp-ipsec      L2TP using IPSec for security
  ssl-client      SSL VPN Client
  ssl-clientless  SSL Clientless VPN
MY-ASA-FW(config-group-policy)# vpn-tunnel-protocol ssl-clientless


MY-ASA-FW(config)# username John password cisco     // CREATE LOCAL USER
MY-ASA-FW(config)# username John ?

configure mode commands/options:
  attributes  Enter the attributes sub-command mode for the specified user
  nopassword  Indicates that this user has no password
  password    The password for this user
MY-ASA-FW(config)# username John attributes
MY-ASA-FW(config-username)# ?

username configuration commands:
  exit                     Exit from username attribute configuration mode
  group-lock               Enter name of an existing tunnel-group that the user
                           is required to connect with
  help                     Help for username configuration commands
  ipv6-vpn-filter          Enter name of user specific ACL
  memberof                 Enter a comma separated list of group-names that
                           this user is a member of.
  no                       Remove an attribute value pair
  password-storage         Enable/disable storage of the login password on the
                           client system
  service-type             Select service type for this user.
  vpn-access-hours         Enter name of a configured time-range policy
  vpn-filter               Enter name of user specific ACL
  vpn-framed-ip-address    Enter the IP address and the net mask to be assigned
                           to the client
  vpn-group-policy         Enter name of a group-policy to inherit attributes
                           from
  vpn-idle-timeout         Enter idle timeout period in minutes, enter none to
                           disable
  vpn-session-timeout      Enter maximum user connection time in minutes, enter
                           none for unlimited time
  vpn-simultaneous-logins  Enter maximum number of simultaneous logins allowed
  vpn-tunnel-protocol      Enter permitted tunneling protocols
  webvpn                   Configure user policy for WebVPN
MY-ASA-FW(config-username)# vpn-group-policy ?

username mode commands/options:
  WORD  Name of a group-policy to inherit attributes from
MY-ASA-FW(config-username)# vpn-group-policy Engineering    // APPLY A GROUP POLICY


MY-ASA-FW(config)# tunnel-group ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the tunnel group
MY-ASA-FW(config)# tunnel-group Engineering ?

configure mode commands/options:
  general-attributes  Enter the general-attributes sub command mode
  ipsec-attributes    Enter the ipsec-attributes sub command mode
  ppp-attributes      Enter the ppp-attributes sub command mode
  webvpn-attributes   Enter the webvpn-attributes sub command mode
MY-ASA-FW(config)# tunnel-group Engineering general-attributes    // CONFIGURE CONNECTION PROFILE
MY-ASA-FW(config-tunnel-general)# ?

tunnel-group configuration commands:
  accounting-server-group                Enter name of the accounting server
                                         group
  address-pool                           Enter a list of address pools to
                                         assign addresses from
  annotation                             Specify annotation text - to be used
                                         by ASDM only
  authenticated-session-username         Specify the authenticated username
                                         will be associated with the session
  authentication-attr-from-server        Specify the authentication server that
                                         provides authorization attribute for
                                         the session
  authentication-server-group            Enter name of the authentication
                                         server group
  authorization-required                 Require users to authorize
                                         successfully in order to connect
  authorization-server-group             Enter name of the authorization server
                                         group
  default-group-policy                   Enter name of the default group policy
  dhcp-server                            Enter IP address or name of the DHCP
                                         server
  exit                                   Exit from tunnel-group general
                                         attribute configuration mode
  help                                   Help for tunnel group configuration
                                         commands
  ipv6-address-pool                      Enter a list of IPv6 address pools to
                                         assign addresses from
  no                                     Remove an attribute value pair
  override-account-disable               Override account disabled from AAA
                                         server
  password-management                    Enable password management
  scep-enrollment                        Enable SCEP proxy enrollment
  secondary-authentication-server-group  Enter name of the secondary
                                         authentication server group
  secondary-username-from-certificate    The DN of the peer certificate used as
                                         secondary username for authorization
  strip-group                            Enable strip-group processing
  strip-realm                            Enable strip-realm processing
  username-from-certificate              The DN of the peer certificate used as
                                         username for authorization and/or
                                         authentication
MY-ASA-FW(config-tunnel-general)# default-group-policy ?

tunnel-group-general mode commands/options:
  WORD < 65 char  Name of the default group policy
MY-ASA-FW(config-tunnel-general)# default-group-policy Engineering
MY-ASA-FW(config-tunnel-general)# exit
MY-ASA-FW(config)# tunnel-group Engineering webvpn-attributes
MY-ASA-FW(config-tunnel-webvpn)# ?

tunnel-group configuration commands:
  authentication               This is the authentication method(s) used with
                               WebVPN
  customization                Specify a customization object
  dns-group                    Enter DNS Group name
  exit                         Exit from tunnel-group WebVPN attribute
                               configuration mode
  group-alias                  Enter name of the Group Alias
  group-url                    Enter Group URL
  help                         Help for tunnel group configuration commands
  nbns-server                  This is the NBNS (NetBIOS Name Service) server
                               for CIFS name resolution
  no                           Remove an attribute value pair
  override-svc-download        Override downloading the SVC to the client
  pre-fill-username            Configure username to certificate binding on
                               this tunnel-group.
  proxy-auth                   Flags this tunnel-group as a specific proxy
                               authen tunnel group.
  radius-reject-message        Enable the display of Radius Reject-Message on
                               the login screen when Authentication is Rejected
  secondary-pre-fill-username  Configure secondary username to certificate
                               binding on this tunnel-group.
  without-csd                  Disable CSD for a tunnel group
MY-ASA-FW(config-tunnel-webvpn)# group-alias ?

tunnel-group-webvpn mode commands/options:
  WORD < 32 char  Name of the Group Alias. A maximum of 32 characters is
                  allowed.
MY-ASA-FW(config-tunnel-webvpn)# group-alias Engineering ?

tunnel-group-webvpn mode commands/options:
  disable  Enter this keyword to disable the alias
  enable   Enter this keyword to enable the alias
  <cr>
MY-ASA-FW(config-tunnel-webvpn)# group-alias Engineering enable
ERROR: Group already exists
MY-ASA-FW(config-tunnel-webvpn)# group-url ?

tunnel-group-webvpn mode commands/options:
  WORD  Group URL (supported types: http:// or https://)
MY-ASA-FW(config-tunnel-webvpn)# group-url https://200.1.1.1/Enginering ?

tunnel-group-webvpn mode commands/options:
  disable  Enter this keyword to disable the url
  enable   Enter this keyword to enable the url
  <cr>
MY-ASA-FW(config-tunnel-webvpn)# group-url https://200.1.1.1/Enginering enable


MY-ASA-FW# show vpn-sessiondb detail
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
Clientless VPN               :      1 :          1 :           1
  Browser                    :      1 :          1 :           1
---------------------------------------------------------------------------
Total Active and Inactive    :      1             Total Cumulative :      1
Device Total VPN Capacity    :      0
Device Load                  :     0%
***!! WARNING: Platform capacity exceeded !!***
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             ----------------------------------------------
Clientless                   :      1 :          1 :               1
---------------------------------------------------------------------------
Totals                       :      1 :          1
---------------------------------------------------------------------------


MY-ASA-FW# show vpn-sessiondb detail webvpn

Session Type: WebVPN Detailed

Username     : John                   Index        : 1
Public IP    : 200.1.1.2
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 9485                   Bytes Rx     : 16571
Pkts Tx      : 5                      Pkts Rx      : 1
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : Engineering            Tunnel Group : Engineering
Login Time   : 21:42:47 UTC Mon Feb 17 2014
Duration     : 0h:02m:44s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Clientless Tunnels: 1

Clientless:
  Tunnel ID    : 1.1
  Public IP    : 200.1.1.2
  Encryption   : RC4                    Hashing      : SHA1
  Encapsulation: TLSv1.0                TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes
  Client Type  : Web Browser
  Client Ver   : Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
  Bytes Tx     : 9485                   Bytes Rx     : 16571

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 165 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :
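As an added example (not part of the original post), the following Python script parses this `show vpn-sessiondb detail webvpn` output and flags negotiated parameters a defender would want to notice: the session above came up with RC4, SHA1 and TLSv1.0. The sample output is constructed from the session shown here, and the weak-parameter lists are the script's own assumptions:

```python
"""Audit a `show vpn-sessiondb detail webvpn` session for weak crypto.

Added example, not part of the original post. SAMPLE_OUTPUT is constructed
from the session printed in the post; the weak-parameter lists are this
script's own assumptions about what to flag.
"""
import re

SAMPLE_OUTPUT = """\
Session Type: WebVPN Detailed

Username     : John                   Index        : 1
Public IP    : 200.1.1.2
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 9485                   Bytes Rx     : 16571
Group Policy : Engineering            Tunnel Group : Engineering
Login Time   : 21:42:47 UTC Mon Feb 17 2014
Duration     : 0h:02m:44s

Clientless Tunnels: 1

Clientless:
  Tunnel ID    : 1.1
  Public IP    : 200.1.1.2
  Encryption   : RC4                    Hashing      : SHA1
  Encapsulation: TLSv1.0                TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes
  Client Type  : Web Browser
  Client Ver   : Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
"""

# One "Key : Value" pair; a second pair on the same line is separated from the
# first value by at least two spaces, which a value's own text never contains.
PAIR_RE = re.compile(
    r"(?:^|\s{2,})([A-Za-z][A-Za-z ()/]*?)\s*:(?:\s|$)(.*?)"
    r"(?=\s{2,}[A-Za-z][A-Za-z ()/]*?\s*:(?:\s|$)|$)"
)
SECTION_RE = re.compile(r"^[A-Za-z ]+:$")   # e.g. "Clientless:" or "NAC:"

# Assumed weak-parameter lists (this script's choice, not from the post).
WEAK_CIPHERS = {"RC4", "DES", "3DES", "NULL"}
WEAK_HASHES = {"MD5", "SHA1"}
WEAK_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_session(text):
    """Return {section: {key: value}}; top-level fields go under "session"."""
    sections = {"session": {}}
    current = "session"
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if SECTION_RE.match(stripped):
            current = stripped[:-1]
            sections.setdefault(current, {})
            continue
        for key, value in PAIR_RE.findall(line):
            sections[current][key.strip()] = value.strip()
    return sections


def audit_session(text):
    """Summarise who is connected and which negotiated parameters are weak."""
    sections = parse_session(text)
    top = sections["session"]
    tunnel = sections.get("Clientless", {})
    findings = []
    if tunnel.get("Encryption") in WEAK_CIPHERS:
        findings.append("weak cipher " + tunnel["Encryption"])
    if tunnel.get("Hashing") in WEAK_HASHES:
        findings.append("weak hash " + tunnel["Hashing"])
    if tunnel.get("Encapsulation") in WEAK_VERSIONS:
        findings.append("legacy protocol " + tunnel["Encapsulation"])
    return {
        "username": top.get("Username"),
        "public_ip": top.get("Public IP"),
        "tunnel_group": top.get("Tunnel Group"),
        "login_time": top.get("Login Time"),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_session(SAMPLE_OUTPUT)
    print(f"{report['username']} from {report['public_ip']} via {report['tunnel_group']}")
    for finding in report["findings"]:
        print("  -", finding)
```

The parser keys off the two-column layout of the ASA output (a second `Key : Value` pair on a line is always preceded by a run of spaces), so values that themselves contain colons, such as the login time and the browser user-agent, survive intact. Where findings appear, the `ssl server-version` and `ssl encryption` settings listed in the `ssl ?` help earlier in this post are the knobs that control what the ASA will negotiate.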


Here are the screenshots on how to configure via ASDM:

Here's what the SSL VPN login page looks like. We can select the tunnel group or connection profile from a drop-down list.

We can also monitor and get more details of the SSL VPN client session in ASDM. We can also create a clientless SSL VPN using a VPN Wizard.



