SSL VPNs are often deployed to allow access to a company's intranet, Microsoft SharePoint, or web mail. The SSL VPN enables users to connect from a handheld device (smartphone or PDA), a public Internet cafe, or a corporate laptop. Users in these environments are usually just opening a calendar, editing a document, or reading email within a web page.
When preparing to deploy a basic clientless SSL VPN, a few key items must be completed (in order) before you can test the access and move on to providing for advanced features:
Step 1 - IP addressing: It is important to know the IP addressing plan for the site on which you are installing the ASA, because you need an IP address for the external interface (the one closest to the VPN clients, which terminates the SSL VPN sessions).
Step 2 - Configure a hostname, domain name, and Domain Name System (DNS): Before publishing the relevant SSL VPN URLs to users, you configure your ASA with a hostname and a domain name. You also enter the addresses of any internal and external DNS servers to allow user access to any bookmarks or external URLs they browse to using your SSL VPN.
Step 3 - Enroll with a CA and become a member of a PKI: Because users will be accessing the device externally over an SSL connection, a device certificate is required for successful authentication of the ASA. Another option is to use a locally generated self-signed certificate.
Step 4 - Enable relevant interfaces for SSL VPN access: Before SSL VPN access can occur, you need to specify which interface the service will be available on.
Step 5 - Create LOCAL user accounts: Because this is a basic SSL VPN, you use LOCAL authentication for user access. Doing so requires that you create the user accounts on the ASA device.
Step 6 - Create a connection profile (optional, but recommended so that the DefaultWEBVPNGroup is not used): In this step, create a new connection profile and map it to users through group policies or user attributes. A connection profile holds prelogin settings such as the authentication method, DNS servers and domain name, and portal customization.
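Before the CLI walkthrough, here is an added audit script (my example, not the post's or Cisco's code) that checks a running-config excerpt for steps 2 to 6. The config text is constructed from the commands used in this walkthrough, with a placeholder in place of the password hash; step 1 is not checked because the interface address lives outside the excerpt.

```python
"""Check an ASA running-config excerpt for clientless SSL VPN steps 2 to 6. Added example,
not Cisco code; SAMPLE_CONFIG is constructed from this post's commands (placeholder hash)."""

SAMPLE_CONFIG = """\
hostname MY-ASA-FW
domain-name local.com
dns name-server 8.8.8.8
crypto ca trustpoint TPLOCAL
 enrollment self
ssl trust-point TPLOCAL outside
webvpn
 enable outside
group-policy Engineering attributes
 vpn-tunnel-protocol ssl-clientless
username John password PLACEHOLDER_HASH encrypted
tunnel-group Engineering general-attributes
 default-group-policy Engineering
tunnel-group Engineering webvpn-attributes
 group-url https://200.1.1.1/Enginering enable
"""


def parse_blocks(config):
    """(command, [sub-mode lines]) pairs; ASA indents sub-mode lines by one space."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip():
            blocks.append((raw.strip(), []))
    return blocks


def audit_clientless_sslvpn(config, interface="outside"):
    """Return {check: bool}; True means that step is present for `interface`."""
    blocks = parse_blocks(config)
    top = [c for c, _ in blocks]

    def named(prefix, suffix):  # 'tunnel-group Eng general-attributes' -> {'Eng': [...]}
        return {c.split()[1]: s for c, s in blocks if c.startswith(prefix) and c.endswith(suffix)}

    trustpoints = {c.split()[3]: s for c, s in blocks if c.startswith("crypto ca trustpoint ")}
    bound = [c.split() for c in top if c.startswith("ssl trust-point ")]
    clientless_gp = {n for n, s in named("group-policy ", " attributes").items()
                     if any("ssl-clientless" in x.split() for x in s if x.startswith("vpn-tunnel-protocol "))}
    tg_webvpn = named("tunnel-group ", " webvpn-attributes")
    profile_ok = False
    for name, s in named("tunnel-group ", " general-attributes").items():
        default_gp = [x.split()[1] for x in s if x.startswith("default-group-policy ")]
        # an enabled group-url or group-alias is what keeps users off DefaultWEBVPNGroup
        entry = [x for x in tg_webvpn.get(name, [])
                 if x.startswith(("group-url ", "group-alias ")) and x.endswith(" enable")]
        profile_ok |= bool(default_gp and default_gp[0] in clientless_gp and entry)
    return {
        "step2 hostname and domain-name": any(c.startswith("hostname ") for c in top) and any(c.startswith("domain-name ") for c in top),
        "step2 dns name-server": any(c.startswith("dns name-server ") for c in top),
        "step3 trustpoint enrolled": any(any(x.startswith("enrollment ") for x in s) for s in trustpoints.values()),
        "step3 trust-point bound to interface": any(len(p) == 4 and p[2] in trustpoints and p[3] == interface for p in bound),
        "step4 webvpn enabled on interface": any(f"enable {interface}" in s for c, s in blocks if c == "webvpn"),
        "step5 local user": any(c.startswith("username ") and " password " in c for c in top),
        "step6 connection profile with clientless group-policy and url/alias": profile_ok,
    }


def missing_steps(config, interface="outside"):
    # Names of the checks that fail; an empty list means the deployment is complete.
    return [k for k, ok in audit_clientless_sslvpn(config, interface).items() if not ok]
```

Run it against `show running-config` output from the ASA; the check is presence-only, so it tells you a step is missing, not that its values are correct.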
ciscoasa(config)# hostname MY-ASA-FW // CONFIGURE HOSTNAME AND DNS FOR CA CERTIFICATE
MY-ASA-FW(config)# domain-name local.com
MY-ASA-FW(config)# dns domain-lookup inside
MY-ASA-FW(config)# dns domain-lookup outside
MY-ASA-FW(config)# dns name-server 8.8.8.8
MY-ASA-FW(config)# dns server-group MY-DNS-GRP
MY-ASA-FW(config-dns-server-group)# name-server 8.8.8.8
MY-ASA-FW(config)# crypto key generate rsa label SSLVPN // MANUALLY CREATE SELF-SIGNED CERTIFICATE
INFO: The name for the keys will be: SSLVPN
Keypair generation process begin. Please wait...
MY-ASA-FW(config)# crypto ca trustpoint ?
configure mode commands/options:
WORD < 65 char Trustpoint Name
MY-ASA-FW(config)# crypto ca trustpoint TPLOCAL
MY-ASA-FW(config-ca-trustpoint)# ?
crypto ca trustpoint configuration commands:
accept-subordinates Accept subordinate CA certificates
client-types Specifies the client connection types for which this
trustpoint can be used to validate the certificates
associated with a user connection
crl CRL options
default Return all enrollment parameters to their default
values
email Email Address
enrollment Enrollment parameters
exit Exit from certificate authority trustpoint entry mode
fqdn include fully-qualified domain name
help Help for crypto ca trustpoint configuration commands
id-cert-issuer Accept ID certificates
id-usage Specifies how the device identity represented by this
trustpoint can be used
ignore-ipsec-keyusage Suppress Key Usage checking on IPSec client
certificates
ignore-ssl-keyusage Suppress Key Usage checking on SSL client certificates
ip-address include ip address
keypair Specify the key pair whose public key is to be
certified
match Match a certificate map
no Negate a command or set its defaults
ocsp OCSP parameters
password revocation password
proxy-ldc-issuer An issuer for TLS proxy local dynamic certificates
revocation-check Revocation checking options
serial-number include serial number
subject-name Subject Name
MY-ASA-FW(config-ca-trustpoint)# enrollment ?
crypto-ca-trustpoint mode commands/options:
retry Polling parameters
self Enrollment will generate a self-signed certificate
terminal Enroll via the terminal (cut-and-paste)
url CA server enrollment URL
MY-ASA-FW(config-ca-trustpoint)# enrollment self
MY-ASA-FW(config-ca-trustpoint)# exit
MY-ASA-FW(config)# crypto ca ?
configure mode commands/options:
authenticate Get the CA certificate
certificate Actions on certificates
crl Actions on certificate revocation lists
enroll Request a certificate from a CA
export Export a trustpoint configuration with all associated keys and
certificates in PKCS12 format, or export the identity
certificate in PEM format
import Import certificate or pkcs-12 data
server Define Local Certificate Server
trustpoint Define a CA trustpoint
exec mode commands/options:
server Local Certificate Server commands
MY-ASA-FW(config)# crypto ca enroll ?
configure mode commands/options:
WORD < 65 char Trustpoint Name
MY-ASA-FW(config)# crypto ca enroll TPLOCAL
% The fully-qualified domain name in the certificate will be: MY-ASA-FW.local.com
% Include the device serial number in the subject name? [yes/no]: no
Generate Self-Signed Certificate? [yes/no]: yes
MY-ASA-FW(config)# ssl ?
configure mode commands/options:
certificate-authentication Enable client certificate authentication
client-version The SSL/TLS protocol version to use when acting
as a client
encryption This is the encryption method(s) used with ssl.
The ordering of the algorithms specifies the
preference.
server-version The SSL/TLS protocol version to use when acting
as a server
trust-point Configure the ssl certificate trustpoint
MY-ASA-FW(config)# ssl trust-point ?
configure mode commands/options:
Available configured trustpoints:
TPLOCAL
MY-ASA-FW(config)# ssl trust-point TPLOCAL ?
configure mode commands/options:
An entry without the interface being specified represents the
fallback trustpoint which will be used on all interfaces not
associated with a trustpoint of their own.
Available interfaces for the trust point / SSL certificate association:
inside Name of interface GigabitEthernet1
outside Name of interface GigabitEthernet0
<cr>
MY-ASA-FW(config)# ssl trust-point TPLOCAL outside
MY-ASA-FW(config)# webvpn
MY-ASA-FW(config-webvpn)# ?
WebVPN commands:
anyconnect AnyConnect configuration parameters
anyconnect-essentials Enable/Disable AnyConnect Essentials
apcf Load Aplication Profile Customization Framework
(APCF) profile
auto-signon Configure auto-sign to allow login to certain
applications using the WebVPN session credentials
cache Configure WebVPN cache
certificate-group-map Associate a tunnel-group with a certificate map rule
character-encoding Configures the character encoding for WebVPN portal
pages
csd This specifies whether Cisco Secure Desktop is
enabled and the package file name to be used.
default-idle-timeout This is the default idle timeout in seconds
default-language Default language to use
dtls Configure DTLS for WebVPN
enable Enable WebVPN on the specified interface
error-recovery Contact TAC before using this command
exit Exit from WebVPN configuration mode
file-encoding Configures the file encoding for a file sharing
server
help Help for WebVPN commands
http-proxy This is the proxy server to use for HTTP requests
https-proxy This is the proxy server to use for HTTPS requests
internal-password Adds an option to input a different password for
accessing internal servers
java-trustpoint Configure WebVPN java trustpoint
kcd-server Configure an KCD-Server
keepout Shows Web page when the login is disabled
memory-size Configure WebVPN memory size. CHECK MEMORY USAGE
BEFORE APPLYING THIS COMMAND. USE ONLY IF ADVISED BY
CISCO
mobile-device Configure access from mobile devices
mus Configure Mobile User Security
no Remove a WebVPN command or set to its default
onscreen-keyboard Adds WebVPN onscreen keyboard for typing password on
the WebVPN logon page and internal pages requiring
authentication
port WebVPN should listen for connections on the
specified port
port-forward Configure the port-forward list for WebVPN
portal-access-rule Configuration related to portal access rules
proxy-bypass Configure proxy bypass
rewrite Configure content rewriting rule
smart-tunnel Configure a list of programs to use smart tunnel
sso-server Configure an SSO Server
tunnel-group-list Configure WebVPN group list dropdown in login page
tunnel-group-preference Enable/Disable Tunnel Group Preference
MY-ASA-FW(config-webvpn)# enable ?
webvpn mode commands/options:
Current available interface(s):
inside Name of interface GigabitEthernet1
outside Name of interface GigabitEthernet0
configure mode commands/options:
password Configure password for the enable command
MY-ASA-FW(config-webvpn)# enable outside // ENABLE SSL VPN ON THE OUTSIDE INTERFACE
INFO: WebVPN and DTLS are enabled on 'outside'.
MY-ASA-FW(config)# group-policy ?
configure mode commands/options:
WORD < 65 char Enter the name of the group policy
MY-ASA-FW(config)# group-policy Sales ?
configure mode commands/options:
external Enter this keyword to specify an external group policy
internal Enter this keyword to specify an internal group policy
MY-ASA-FW(config)# group-policy Sales internal // CONFIGURE GROUP POLICY
MY-ASA-FW(config)# group-policy Engineering internal
MY-ASA-FW(config-group-policy)# ?
group_policy configuration commands:
address-pools Configure list of up to 6 address pools to
assign addresses from
backup-servers Configure list of backup servers to be used
by the remote client
banner Configure a banner, or welcome text to be
displayed on the VPN remote client
client-access-rule Specify rules permitting/denying access to
specific client types and versions.
client-firewall Configure the firewall requirements for
users in this group-policy
default-domain Configure default domain name given to
users of this group
dhcp-network-scope Specify the range of IP addresses to
indicate to the DHCP server for address
assignment
dns-server Configure the primary and secondary DNS
servers
exit Exit from group-policy configuration mode
group-lock Enter name of an existing tunnel-group that
users are required to connect with
help Help for group_policy configuration
commands
intercept-dhcp Enable this command to use group policy for
clients requesting Microsoft DHCP
ip-comp Enter this command to enable IP compression
(LZS)
ip-phone-bypass Configure to allow Cisco IP phones behind
Hardware clients to bypass the Individual
User Authentication process.
ipsec-udp Enter this command to allow a client to
operate through a NAT device using UDP
encapsulation
ipsec-udp-port Enter the UDP port to be used by the client
for IPSec through NAT
ipv6-address-pools Configure list of up to 6 ipv6 address
pools to assign addresses from
ipv6-vpn-filter Enter name of a configured IPv6 ACL to
apply to users
leap-bypass Enable/disable LEAP packets from Cisco
wireless devices to bypass the individual
user authentication process. This setting
applies only to HW clients.
msie-proxy Enter this command to configure MSIE
Browser Proxy settings for a client system
nac-settings Configured the name of the nac-policy
nem Configure hardware clients to use network
extension mode. This setting applies only
to HW clients.
no Remove an attribute value pair
password-storage Enable/disable storage of the login
password on the client system
pfs Enter this command to indicate that the
remote client needs to perform PFS
re-xauth Enter this command to enable
reauthentication of the user on IKE rekey
scep-forwarding-url Configure CA SCEP URL to forward the SCEP
messages.
secure-unit-authentication Configure interactive authentication. This
setting applies only to HW clients.
smartcard-removal-disconnect Configure client action for smart card
removal
split-dns Configure list of domains to be resolved
through the Split Tunnel
split-tunnel-all-dns Select the option to indicate how the
client should handle DNS queries when
split-tunneling is enabled
split-tunnel-network-list Configure name of access-list for split
tunnel configuration
split-tunnel-policy Select the split tunneling method to be
used by the remote client
user-authentication Configure individual user authentication.
This setting applies only to HW clients.
user-authentication-idle-timeout Configure the idle timeout period in
minutes. If there is no communication in
this period, the system terminates the
connection. This setting applies only to HW
clients.
vlan Specify the VLAN onto which VPN traffic for
this group will be forwarded.
vpn-access-hours Enter name of a configured time-range
policy
vpn-filter Enter name of a configured ACL to apply to
users
vpn-idle-timeout Enter idle timeout period in minutes, enter
none to disable
vpn-session-timeout Enter maximum user connection time in
minutes, enter none for unlimited time
vpn-simultaneous-logins Enter maximum number of simultaneous logins
allowed
vpn-tunnel-protocol Enter permitted tunneling protocols
webvpn Configure group policy for WebVPN
wins-server Configure the primary and secondary WINS
servers
MY-ASA-FW(config-group-policy)# vpn-tunnel-protocol ?
username mode commands/options:
ikev1 IKEv1
ikev2 IKEv2
l2tp-ipsec L2TP using IPSec for security
ssl-client SSL VPN Client
ssl-clientless SSL Clientless VPN
MY-ASA-FW(config-group-policy)# vpn-tunnel-protocol ssl-clientless
MY-ASA-FW(config)# username John password cisco // CREATE LOCAL USER
MY-ASA-FW(config)# username John ?
configure mode commands/options:
attributes Enter the attributes sub-command mode for the specified user
nopassword Indicates that this user has no password
password The password for this user
MY-ASA-FW(config)# username John attributes
MY-ASA-FW(config-username)# ?
username configuration commands:
exit Exit from username attribute configuration mode
group-lock Enter name of an existing tunnel-group that the user
is required to connect with
help Help for username configuration commands
ipv6-vpn-filter Enter name of user specific ACL
memberof Enter a comma separated list of group-names that
this user is a member of.
no Remove an attribute value pair
password-storage Enable/disable storage of the login password on the
client system
service-type Select service type for this user.
vpn-access-hours Enter name of a configured time-range policy
vpn-filter Enter name of user specific ACL
vpn-framed-ip-address Enter the IP address and the net mask to be assigned
to the client
vpn-group-policy Enter name of a group-policy to inherit attributes
from
vpn-idle-timeout Enter idle timeout period in minutes, enter none to
disable
vpn-session-timeout Enter maximum user connection time in minutes, enter
none for unlimited time
vpn-simultaneous-logins Enter maximum number of simultaneous logins allowed
vpn-tunnel-protocol Enter permitted tunneling protocols
webvpn Configure user policy for WebVPN
MY-ASA-FW(config-username)# vpn-group-policy ?
username mode commands/options:
WORD Name of a group-policy to inherit attributes from
MY-ASA-FW(config-username)# vpn-group-policy Engineering // APPLY A GROUP POLICY
MY-ASA-FW(config)# tunnel-group ?
configure mode commands/options:
WORD < 65 char Enter the name of the tunnel group
MY-ASA-FW(config)# tunnel-group Engineering ?
configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes Enter the ipsec-attributes sub command mode
ppp-attributes Enter the ppp-attributes sub command mode
webvpn-attributes Enter the webvpn-attributes sub command mode
MY-ASA-FW(config)# tunnel-group Engineering general-attributes // CONFIGURE CONNECTION PROFILE
MY-ASA-FW(config-tunnel-general)# ?
tunnel-group configuration commands:
accounting-server-group Enter name of the accounting server
group
address-pool Enter a list of address pools to
assign addresses from
annotation Specify annotation text - to be used
by ASDM only
authenticated-session-username Specify the authenticated username
will be associated with the session
authentication-attr-from-server Specify the authentication server that
provides authorization attribute for
the session
authentication-server-group Enter name of the authentication
server group
authorization-required Require users to authorize
successfully in order to connect
authorization-server-group Enter name of the authorization server
group
default-group-policy Enter name of the default group policy
dhcp-server Enter IP address or name of the DHCP
server
exit Exit from tunnel-group general
attribute configuration mode
help Help for tunnel group configuration
commands
ipv6-address-pool Enter a list of IPv6 address pools to
assign addresses from
no Remove an attribute value pair
override-account-disable Override account disabled from AAA
server
password-management Enable password management
scep-enrollment Enable SCEP proxy enrollment
secondary-authentication-server-group Enter name of the secondary
authentication server group
secondary-username-from-certificate The DN of the peer certificate used as
secondary username for authorization
strip-group Enable strip-group processing
strip-realm Enable strip-realm processing
username-from-certificate The DN of the peer certificate used as
username for authorization and/or
authentication
MY-ASA-FW(config-tunnel-general)# default-group-policy ?
tunnel-group-general mode commands/options:
WORD < 65 char Name of the default group policy
MY-ASA-FW(config-tunnel-general)# default-group-policy Engineering
MY-ASA-FW(config-tunnel-general)# exit
MY-ASA-FW(config)# tunnel-group Engineering webvpn-attributes
MY-ASA-FW(config-tunnel-webvpn)# ?
tunnel-group configuration commands:
authentication This is the authentication method(s) used with
WebVPN
customization Specify a customization object
dns-group Enter DNS Group name
exit Exit from tunnel-group WebVPN attribute
configuration mode
group-alias Enter name of the Group Alias
group-url Enter Group URL
help Help for tunnel group configuration commands
nbns-server This is the NBNS (NetBIOS Name Service) server
for CIFS name resolution
no Remove an attribute value pair
override-svc-download Override downloading the SVC to the client
pre-fill-username Configure username to certificate binding on
this tunnel-group.
proxy-auth Flags this tunnel-group as a specific proxy
authen tunnel group.
radius-reject-message Enable the display of Radius Reject-Message on
the login screen when Authentication is Rejected
secondary-pre-fill-username Configure secondary username to certificate
binding on this tunnel-group.
without-csd Disable CSD for a tunnel group
MY-ASA-FW(config-tunnel-webvpn)# group-alias ?
tunnel-group-webvpn mode commands/options:
WORD < 32 char Name of the Group Alias. A maximum of 32 characters is
allowed.
MY-ASA-FW(config-tunnel-webvpn)# group-alias Engineering ?
tunnel-group-webvpn mode commands/options:
disable Enter this keyword to disable the alias
enable Enter this keyword to enable the alias
<cr>
MY-ASA-FW(config-tunnel-webvpn)# group-alias Engineering enable
ERROR: Group already exists
MY-ASA-FW(config-tunnel-webvpn)# group-url ?
tunnel-group-webvpn mode commands/options:
WORD Group URL (supported types: http:// or https://)
MY-ASA-FW(config-tunnel-webvpn)# group-url https://200.1.1.1/Enginering ?
tunnel-group-webvpn mode commands/options:
disable Enter this keyword to disable the url
enable Enter this keyword to enable the url
<cr>
MY-ASA-FW(config-tunnel-webvpn)# group-url https://200.1.1.1/Enginering enable
MY-ASA-FW# show vpn-sessiondb detail
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
Clientless VPN : 1 : 1 : 1
Browser : 1 : 1 : 1
---------------------------------------------------------------------------
Total Active and Inactive : 1 Total Cumulative : 1
Device Total VPN Capacity : 0
Device Load : 0%
***!! WARNING: Platform capacity exceeded !!***
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
Clientless : 1 : 1 : 1
---------------------------------------------------------------------------
Totals : 1 : 1
---------------------------------------------------------------------------
MY-ASA-FW# show vpn-sessiondb detail webvpn
Session Type: WebVPN Detailed
Username : John Index : 1
Public IP : 200.1.1.2
Protocol : Clientless
License : AnyConnect Premium
Encryption : RC4 Hashing : SHA1
Bytes Tx : 9485 Bytes Rx : 16571
Pkts Tx : 5 Pkts Rx : 1
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : Engineering Tunnel Group : Engineering
Login Time : 21:42:47 UTC Mon Feb 17 2014
Duration : 0h:02m:44s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
Clientless Tunnels: 1
Clientless:
Tunnel ID : 1.1
Public IP : 200.1.1.2
Encryption : RC4 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Client Type : Web Browser
Client Ver : Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Bytes Tx : 9485 Bytes Rx : 16571
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 165 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
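The session above negotiated RC4 over TLSv1.0 with password-only authentication, which is worth catching in monitoring. The following parser is an added example (mine, not Cisco tooling) that reads `show vpn-sessiondb detail webvpn` output and flags such sessions; the sample contains the session from this post plus a constructed second session for user alice, and the label positions follow the ASA "Label : value" layout.

```python
"""Flag weak sessions in 'show vpn-sessiondb detail webvpn' output. Added example, not Cisco
tooling: SAMPLE is the session from this post plus a constructed second session (alice)."""
import re

SAMPLE = """\
Session Type: WebVPN Detailed
Username     : John                   Index        : 1
Encryption   : RC4                    Hashing      : SHA1
Group Policy : Engineering            Tunnel Group : Engineering
Login Time   : 21:42:47 UTC Mon Feb 17 2014
Clientless:
  Encapsulation: TLSv1.0                TCP Dst Port : 443
  Auth Mode    : userPassword
  Client Ver   : Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

Username     : alice                  Index        : 2
Encryption   : AES256                 Hashing      : SHA256
Group Policy : Engineering            Tunnel Group : Engineering
Clientless:
  Encapsulation: TLSv1.2                TCP Dst Port : 443
  Auth Mode    : Certificate and userPassword
"""

LABELS = ["Username", "Index", "Encryption", "Hashing", "Group Policy", "Tunnel Group",
          "Login Time", "Encapsulation", "TCP Dst Port", "Auth Mode", "Client Ver"]
# ASA prints 'Label : value' pairs, up to two per line; values may themselves contain ':'
LABEL_RE = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r")\s*:\s*")
WEAK_CIPHERS = {"RC4", "DES", "3DES", "NULL"}     # RC4 is prohibited in TLS by RFC 7465
WEAK_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}   # TLS 1.0/1.1 deprecated by RFC 8996


def parse_sessions(text):
    """One dict per session; a session starts at a 'Username' label and the
    labels of its 'Clientless:' tunnel block are merged into the same dict."""
    sessions, cur = [], None
    for line in text.splitlines():
        hits = list(LABEL_RE.finditer(line))
        if hits and hits[0].group(1) == "Username":
            cur = {}
            sessions.append(cur)
        if cur is None:
            continue
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            cur[m.group(1)] = line[m.end():end].strip()
    return sessions


def assess(session):
    """Weaknesses of one session; an empty list means nothing to report."""
    issues = []
    if session.get("Encryption") in WEAK_CIPHERS:
        issues.append("weak cipher " + session["Encryption"])
    if session.get("Encapsulation") in WEAK_VERSIONS:
        issues.append("deprecated protocol " + session["Encapsulation"])
    if session.get("Auth Mode") == "userPassword":
        issues.append("password-only authentication")
    return issues


def report(text):
    """Map each username to its list of issues."""
    return {s.get("Username", "?"): assess(s) for s in parse_sessions(text)}
```

The protocol version and cipher preference that produce such a session are set with the `ssl server-version` and `ssl encryption` commands listed under `ssl ?` earlier in the walkthrough.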
Here are the screenshots showing how to configure the same settings via ASDM:
Here's what the SSL VPN login page looks like. We can select the tunnel group (connection profile) from a drop-down list.
We can also monitor the SSL VPN client session and get more details about it in ASDM. We can also create a clientless SSL VPN using the VPN Wizard.