Saturday, April 19, 2014

Clientless SSL VPN Port Forwarding

Port forwarding was the first method of application access deployed by Cisco for SSL VPN, back in the 7.x releases. The ASA admin first creates a port forwarding list consisting of a name, the local forwarded port on the client machine, the remote/application server name or address, the application server's port, and a description. The port forwarding list is then made available through a Java applet that opens automatically when the user logs in to the SSL VPN portal, or when the user clicks the Application Access pane within the portal and chooses Start Application Access.

Upon starting application access, a Java applet is downloaded to the client and an entry is created in the local hosts file of the user's PC that maps the application server's name to the local machine's loopback address. The application in use must be configured to send its traffic to the local port defined in the port forwarding entry on the ASA. With the Java applet open, all traffic the application (Telnet in this example) sends to that local port goes through the SSL tunnel to the ASA. The ASA then establishes a TCP session with the destination server and relays application data between the client and the server.

The drawbacks of this solution are that the client application must be installed locally on the user's machine and that it requires administrative access (the applet has to modify the hosts file). It also works only with simple applications that run on static TCP ports.


MY-ASA-FW(config)# webvpn
MY-ASA-FW(config-webvpn)# ?

WebVPN commands:
  anyconnect               AnyConnect configuration parameters
  anyconnect-essentials    Enable/Disable AnyConnect Essentials
  apcf                     Load Aplication Profile Customization Framework
                           (APCF) profile
  auto-signon              Configure auto-sign to allow login to certain
                           applications using the WebVPN session credentials
  cache                    Configure WebVPN cache
  certificate-group-map    Associate a tunnel-group with a certificate map rule
  character-encoding       Configures the character encoding for WebVPN portal
                           pages
  csd                      This specifies whether Cisco Secure Desktop is
                           enabled and the package file name to be used.
  default-idle-timeout     This is the default idle timeout in seconds
  default-language         Default language to use
  dtls                     Configure DTLS for WebVPN
  enable                   Enable WebVPN on the specified interface
  error-recovery           Contact TAC before using this command
  exit                     Exit from WebVPN configuration mode
  file-encoding            Configures the file encoding for a file sharing
                           server
  help                     Help for WebVPN commands
  http-proxy               This is the proxy server to use for HTTP requests
  https-proxy              This is the proxy server to use for HTTPS requests
  internal-password        Adds an option to input a different password for
                           accessing internal servers
  java-trustpoint          Configure WebVPN java trustpoint
  kcd-server               Configure an KCD-Server
  keepout                  Shows Web page when the login is disabled
  memory-size              Configure WebVPN memory size. CHECK MEMORY USAGE
                           BEFORE APPLYING THIS COMMAND. USE ONLY IF ADVISED BY
                           CISCO
  mobile-device            Configure access from mobile devices
  mus                      Configure Mobile User Security
  no                       Remove a WebVPN command or set to its default
  onscreen-keyboard        Adds WebVPN onscreen keyboard for typing password on
                           the WebVPN logon page and internal pages requiring
                           authentication
  port                     WebVPN should listen for connections on the
                           specified port
  port-forward             Configure the port-forward list for WebVPN
  portal-access-rule       Configuration related to portal access rules
  proxy-bypass             Configure proxy bypass
  rewrite                  Configure content rewriting rule
  smart-tunnel             Configure a list of programs to use smart tunnel
  sso-server               Configure an SSO Server
  tunnel-group-list        Configure WebVPN group list dropdown in login page
  tunnel-group-preference  Enable/Disable Tunnel Group Preference
MY-ASA-FW(config-webvpn)# port-forward ?

webvpn mode commands/options:
  WORD < 65 char  A name by which to identify the list of ports to be forwarded
                  via WebVPN
MY-ASA-FW(config-webvpn)# port-forward PF-TELNET ?

webvpn mode commands/options:
  <1-65535>  This is the port that the WebVPN user connects to on their local
             workstation. Enter a port number (1-65535) or port name. Use a
             port number greater than 1024 to avoid conflicts with existing
             services.
MY-ASA-FW(config-webvpn)# port-forward PF-TELNET 2300 ?

webvpn mode commands/options:
  A.B.C.D          Enter an IP address for the Remote Server
  WORD < 256 char  Enter a DNS name for the Remote Server
  X:X:X:X::X       Enter an IPv6 address for the Remote Server
MY-ASA-FW(config-webvpn)# port-forward PF-TELNET 2300 192.168.1.254 ?

webvpn mode commands/options:
  <1-65535>        This is the port on the remote server that connections to
                   the local port will be forwarded to. Enter a port number
                   (1-65535) or port name.
  aol
  bgp
  chargen
  cifs
  citrix-ica
  cmd
  ctiqbe
  daytime
  discard
  domain
  echo
  exec
  finger
  ftp
  ftp-data
  gopher
  h323
  hostname
  http
  https
  ident
  imap4
  irc
  kerberos
  klogin
  kshell
  ldap
  ldaps
  login
  lotusnotes
  lpd
  netbios-ssn
  nfs
  nntp
  pcanywhere-data
  pim-auto-rp
  pop2
  pop3
  pptp
  rsh
  rtsp
  sip
  smtp
  sqlnet
  ssh
  sunrpc
  tacacs
  talk
  telnet
  uucp
  whois
  www
MY-ASA-FW(config-webvpn)# port-forward PF-TELNET 2300 192.168.1.254 23 ?

webvpn mode commands/options:
  LINE < 65 char  A description of this port forward entry
  <cr>
MY-ASA-FW(config-webvpn)# port-forward PF-TELNET 2300 192.168.1.254 23 Telnet to R1
MY-ASA-FW(config-webvpn)# group-policy Engineering attributes
MY-ASA-FW(config-group-policy)# w?

group-policy mode commands/options:
  webvpn    wins-server

configure mode commands/options:
  wccp    webvpn

exec mode commands/options:
  webvpn-cache    who    write
MY-ASA-FW(config-group-policy)# webvpn ?

group-policy mode commands/options:
  <cr>

configure mode commands/options:
  <cr>

exec mode commands/options:
  remove  Remove cached object identified by URL
MY-ASA-FW(config-group-policy)# webvpn
MY-ASA-FW(config-group-webvpn)# ?

Group-policy WebVPN commands:
  activex-relay        Enable or disable activex relay
  always-on-vpn        Configure the always-on-vpn setting for AnyConnect
  anyconnect           AnyConnect Parameters configuration
  auto-signon          Configure auto-sign to allow login to certain
                       applications using the WebVPN session credentials
  customization        Configure a customization object
  deny-message         Configure the Deny message
  download-max-size    Set maximum object size to download
  exit                 Exit from user or group policy webvpn configuration mode
  file-browsing        Allow browsing for file servers and shares
  file-entry           Allow user entry of file server names to access
  filter               Configure the name of the webtype access-list
  help                 Help for group policy webvpn commands
  hidden-shares        CIFS hidden shares
  homepage             Configure URL of web page to be displayed upon login
  html-content-filter  Configures the content/objects to be filtered from the
                       HTML for this policy
  http-comp            HTTP Compression
  http-proxy           Controls HTTP Proxy port forwarding
  keep-alive-ignore    Maximum object size to ignore for updating the session
                       timer
  no                   Remove a command or set to its default
  port-forward         Configure the name of the Port Forwarding applet and
                       auto-download options
  post-max-size        Set maximum object size to post
  smart-tunnel         Configure smart tunnel
  sso-server           Configure SSO server name
  storage-key          Configure storage key for the data stored between
                       sessions.
  storage-objects      Configure storage objects for the data stored between
                       sessions.
  unix-auth-gid        Set the Unix group ID
  unix-auth-uid        Set the Unix user ID
  upload-max-size      Set maximum object size to upload
  url-entry            Control the ability of the user to enter any HTTP/HTTPS
                       URL
  url-list             Configure a list of WebVPN servers/URLs
  user-storage         Configure location for storing user data between
                       sessions.
MY-ASA-FW(config-group-webvpn)# port-forward ?

config-group-webvpn mode commands/options:
  auto-start  Enable and Auto Start port-forward
  disable     Disable port-forward
  enable      Enable port-forward
  name        port-forward-name
  none        (DEPRECATED) Disable port-forward
  value       (DEPRECATED) Specify a list of WebVPN forwarded ports
MY-ASA-FW(config-group-webvpn)# port-forward enable ?

config-group-webvpn mode commands/options:
  WORD < 100 char  A valid port forward list
MY-ASA-FW(config-group-webvpn)# port-forward enable PF-TELNET

Notice that Application Access now appears in the left navigation pane. Click the Start Application Access button and a pop-up window opens that runs the Java applet. Open a command prompt and Telnet to the PC's loopback address 127.0.0.1 on the local port defined on the ASA (2300 in this example).
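What the applet does on the user's PC, as an added Python example that is not from the blog post or from Cisco: it parses the port-forward line configured above, produces the hosts-file mapping the applet writes (the reason it needs administrative rights), and relays every connection made to 127.0.0.1:<local port> on to the application server. In the real product the relay runs inside the SSL tunnel to the ASA, which then opens the TCP session to 192.168.1.254; here the relay is a plain local socket and a constructed echo server stands in for the router so the demo runs offline. The function names, the numeric-only port parsing, and the assumption that an IP-literal target needs no hosts entry are mine, not the ASA's.

```python
import contextlib
import ipaddress
import socket
import threading
from dataclasses import dataclass
from typing import Optional, Tuple

LOOPBACK = "127.0.0.1"


@dataclass
class PortForwardEntry:
    list_name: str    # e.g. PF-TELNET
    local_port: int   # port the user's application connects to on 127.0.0.1
    remote_host: str  # application server, IP literal or DNS name
    remote_port: int  # port on the application server
    description: str = ""


def parse_port_forward(line: str) -> PortForwardEntry:
    """Parse one 'port-forward <list> <local-port> <server> <remote-port> [description]' line.
    Only numeric ports are accepted here; the ASA also takes service names such as 'telnet'."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "port-forward":
        raise ValueError("expected: port-forward <list> <local-port> <server> <remote-port> [description]")
    ports = [int(t) for t in (tokens[2], tokens[4])]
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("ports must be in 1-65535")
    return PortForwardEntry(tokens[1], ports[0], tokens[3], ports[1], " ".join(tokens[5:]))


def hosts_file_entry(entry: PortForwardEntry) -> Optional[str]:
    """Hosts-file line the applet adds so the server name resolves to loopback (this is why the
    applet needs administrative rights). Assumption: an IP-literal target needs no mapping -> None."""
    with contextlib.suppress(ValueError):
        ipaddress.ip_address(entry.remote_host)
        return None
    return f"{LOOPBACK}\t{entry.remote_host}"


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until EOF, then half-close dst so the far end sees the EOF too."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def _listen(port: int) -> socket.socket:
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((LOOPBACK, port))  # loopback only: nothing off the PC can reach the forwarded port
    listener.listen(5)
    return listener


def _serve(listener: socket.socket, handler) -> None:
    """Run handler(conn) on its own thread for each accepted connection until the listener closes."""
    def loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_forwarder(entry: PortForwardEntry, local_port: Optional[int] = None,
                    remote: Optional[Tuple[str, int]] = None) -> Tuple[socket.socket, int]:
    """Listen on 127.0.0.1:<local port> and relay each connection to the server:port.
    local_port=0 lets the OS choose; remote overrides the entry's server (used by the demo).
    Returns (listening socket, bound port)."""
    target = remote or (entry.remote_host, entry.remote_port)

    def relay(client: socket.socket) -> None:
        upstream = socket.create_connection(target)  # the TCP session the ASA opens for the user
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        _pump(client, upstream)

    listener = _listen(entry.local_port if local_port is None else local_port)
    _serve(listener, relay)
    return listener, listener.getsockname()[1]


def start_echo_server() -> Tuple[socket.socket, int]:
    """Constructed stand-in for the application server: echoes whatever it receives."""
    listener = _listen(0)
    _serve(listener, lambda conn: _pump(conn, conn))
    return listener, listener.getsockname()[1]


def demo_round_trip(payload: bytes = b"show version\r\n") -> bytes:
    """Send payload through the loopback listener and return what the 'server' echoes back."""
    echo, echo_port = start_echo_server()
    entry = parse_port_forward("port-forward PF-TELNET 2300 192.168.1.254 23 Telnet to R1")
    # Port 0 avoids colliding with a real listener on 2300; the echo server stands in for 192.168.1.254.
    forwarder, local_port = start_forwarder(entry, local_port=0, remote=(LOOPBACK, echo_port))
    try:
        with socket.create_connection((LOOPBACK, local_port), timeout=5) as client:
            client.sendall(payload)
            client.shutdown(socket.SHUT_WR)  # EOF travels through the relay to the server
            chunks = []
            while chunk := client.recv(4096):
                chunks.append(chunk)
        return b"".join(chunks)
    finally:
        forwarder.close()
        echo.close()
```

Running `demo_round_trip()` plays the Telnet step from the post without a router: the client talks only to the loopback port, the relay opens the server-side TCP session, and the bytes come back unchanged. Binding the listener to 127.0.0.1 rather than 0.0.0.0 is the detail worth checking in any forwarder of this kind, since a wildcard bind would expose the forwarded port to the user's LAN.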

Saturday, April 5, 2014

HTTP or HTTPS Bookmarks

HTTP or HTTPS bookmarks are generally used to grant access to an intranet portal (for example, SharePoint or web mail). These bookmarks are entered in the same format as a URL typed directly into your browser; the ASA rewrites or manages the individual bookmarks and sends them to the client browser. As a result of the rewrite, every request for the bookmark travels to the ASA.

Whenever a user clicks an HTTPS bookmark, the ASA establishes a direct SSL session between itself and the web or mail server being accessed, and it performs certificate validation on behalf of the client. The client never directly receives a copy of the server's certificate and therefore cannot carry out its own verification/authentication of the server.

This is where ASDM comes in handy when importing the URL list.