Clientless SSL VPN remote access set-up guide for the Cisco ASA
[LEFT][CODE]http://blogs.techrepublic.com.com/networking/?p=1366&tag=rbxccnbtr1[/CODE][SIZE=3][B]PART-1[/B][/SIZE]
[I]Lori Hyde explains the initial set up and configuration of Clientless SSL VPN for remote users who need access to resources in a very controlled environment.[/I]
——————————————————————————
Clientless SSL VPN remote access has its pluses and minuses. I’ve found it to be more complicated to set up and customize than remote access using the VPN client. However, with a bit of patience, you’ll find it’s actually quite flexible and provides a way to offer users access to needed resources in a very controlled environment, without having to manage a client install.
This will be a two-part article with the first part covering the initial setup and the [URL="http://blogs.techrepublic.com.com/networking/?p=1385"]second part[/URL] going into more depth on the customization of the remote user interface.
Keep in mind that the SSL VPN remote access solution does have some limitations. In a clientless SSL session, the Cisco ASA acts as a proxy between the remote user and the internal resources. When accessing resources, the ASA establishes a secure connection and validates the server SSL certificate. This certificate is never seen by the end user. The ASA does not permit communication with sites that have invalid certificates.
As always, refer to [URL="http://www.cisco.com/"]www.cisco.com[/URL] for more detailed information and specific configuration variations.
In the following steps, I’ll set up the basics of Clientless SSL VPN access. I’ve supplied most of the command-line work here as well as the ASDM equivalent.
[B]Step 1[/B]. [B]Configure an identity certificate[/B]
Here, I am creating a general purpose, self-signed, identity certificate named [I]sslvpnkey[/I] and applying that certificate to the “outside” interface. You can purchase a certificate through a vendor such as Verisign, etc., if you choose.
[CODE]
corpasa(config)#crypto key generate rsa label sslvpnkey
corpasa(config)#crypto ca trustpoint localtrust
corpasa(config-ca-trustpoint)#enrollment self
corpasa(config-ca-trustpoint)#fqdn sslvpn. mycompany.com
corpasa(config-ca-trustpoint)#subject-name CN=sslvpn.mycompany.com
corpasa(config-ca-trustpoint)#keypair sslvpnkey
corpasa(config-ca-trustpoint)#crypto ca enroll localtrust noconfirm
corpasa(config)# ssl trust-point localtrust outside
[/CODE][B]Figure A[/B]
[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290773.html?seq=40"][IMG]http://i.techrepublic.com.com/gallery/290773-500-354.png[/IMG][/URL]
[B]Step 2.[/B] [B]Enable SSL VPN Access[/B]
[CODE]
corpasa(config)#[B]webvpn
[/B] corpasa(config-webvpn)#[B]enable outside
[/B] corpasa(config-webvpn)#[B]svc enable[/B]
[/CODE][B]Figure B[/B]
[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290774.html?seq=41"][IMG]http://i.techrepublic.com.com/gallery/290774-500-312.png[/IMG][/URL]
[B]Step 3.[/B] [B]Create a Group Policy[/B]
Group Policies are used to specify the parameters that are applied to clients when they connect. The remote access clients will need to be assigned an IP address during login; so we’ll set up an address pool for them, but you could also use a DHCP server if you have one.
[CODE]corpasa(config)#ip local pool VPN 192.168.100.1-192.168.100.50 mask 255.255.255.0
[/CODE] Next, I’ve made some modifications to the default group policy for items such as the dns-servers, the default domain, etc. Typically, the default group policy is where you will set up the global values common to most users.
[CODE]
Corpasa (config)#group-policy DfltGrpPolicy attributes
Corpasa (config-group-policy)# wins-server value 192.168.80.205
Corpasa (config-group-policy)# dns-server value 172.20.100.1
Corpasa (config-group-policy)# dns-server value 192.168.80.216
Corpasa (config-group-policy)# vpn-tunnel-protocol svc webvpn
Corpasa (config-group-policy)# split-tunnel-policy tunnelspecified
Corpasa (config-group-policy)# split-tunnel-network-list value inside-network
Corpasa (config-group-policy)# address-pools value VPN
[/CODE][B]Figure C[/B]
[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290775.html?seq=42"][IMG]http://i.techrepublic.com.com/gallery/290775-500-309.png[/IMG][/URL]
Then, I’ll create a group policy named Operations. This is where I’ll configure the items specific to our SSL users, which in this case is the operations team.
[CODE]
Corpasa (config)#group-policy Operations internal
Corpasa (config)#group-policy Operations attributes
Corpasa (config-group-policy)# banner value Tech Op Remote Access
Corpasa (config-group-policy)# banner value Unauthorized access prohibited
Corpasa (config-group-policy)# vpn-tunnel-protocol webvpn
Corpasa (config-group-policy)# webvpn
Corpasa (config-group-webvpn)# url-list value TechOps
Corpasa (config-group-webvpn)# homepage none
Corpasa (config-group-webvpn)# svc ask none default webvpn
Corpasa (config-group-webvpn)# customization value TechOps
Corpasa (config-group-webvpn)# hidden-shares visible
Corpasa (config-group-webvpn)# file-entry enable
Corpasa (config-group-webvpn)# file-browsing enable
Corpasa (config-group-webvpn)# url-entry enable
[/CODE][B]Figure D[/B]
[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290776.html?seq=43"][IMG]http://i.techrepublic.com.com/gallery/290776-500-312.png[/IMG][/URL]
[B]Step 4.[/B] [B]Configure access list bypass[/B]
By using the [I]sysopt connect[/I] command we tell the ASA to allow the SSL/IPsec clients to bypass the interface access lists.
[CODE]corpasa(config)#sysopt connection permit-vpn
[/CODE] [B]Step 5.[/B] [B]Create a connection profile and tunnel group[/B]
As remote access clients connect to the ASA, they connect to a connection profile, which is also known as a tunnel group. We’ll use this tunnel group to define the specific connection parameters we want them to use during this SSL VPN session.
First, let’s create the tunnel group RA_SSL:
[CODE]corpasa(config)# tunnel-group RA_SSL webvpn-attributes
[/CODE] [B]Figure E[/B]
[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290777.html?seq=44"][IMG]http://i.techrepublic.com.com/gallery/290777-500-362.png[/IMG][/URL]
Next, I’ll assign the specific attributes:
[CODE]
corpasa(config)#[B]tunnel-group [/B][I]RA_SSL webvpn-attributes
[/I] corpasa(config-tunnel-webvpn)#[I] group-alias RA_SSL enable
[/I] corpasa(config-tunnel-webvpn)#[I] customization TechOps
[/I] corpasa(config-webvpn)#[I] group-url https://MyASAIP/RA_SSL enable[/I]
[/CODE][B]Figure F[/B]
[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290778.html?seq=45"][IMG]http://i.techrepublic.com.com/gallery/290778-500-409.png[/IMG][/URL]
[B]Step 6.[/B] [B]Configure NAT exemption[/B]
Now I need to tell the ASA not to NAT the traffic between the remote access clients and the internal network they will be accessing. First I’ll create an access list that defines the traffic, and then we’ll apply this list to the [I]nat[/I] statement for our interface.
[CODE]
corpasa(config)#access-list no_nat extended permit
ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
corpasa(config)#nat (inside) 0 access-list no_nat
[/CODE][B]Figure G[/B]
[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290779.html?seq=46"][IMG]http://i.techrepublic.com.com/gallery/290779-500-362.png[/IMG][/URL]
[B]Step 7.[/B] [B]Configure user accounts[/B]
Now we’re ready for some user accounts. Here I’ll create a user and assign this user to our remote access VPN. While you are setting up local accounts here, you can also configure domain servers and use domain authentication if you choose to do so.
[CODE]
corpasa(config)#username hyde password l3tm3in
corpasa(config)#username hyde attributes
corpasa(config-username)#service-type remote-access
[/CODE][B]Figure H[/B]
[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290780.html?seq=47"][IMG]http://i.techrepublic.com.com/gallery/290780-500-311.png[/IMG][/URL]
[B]Finishing up:[/B]
Don’t forget to save your configuration to memory.
[CODE]corpasa#write memory
[/CODE] Verify your configuration by establishing a remote access session and use the following show command to view session details.
[CODE]corpasa #show vpn-sessiondb webvpn
[/CODE] This should get the basics of your SSL VPN remote access configured on the Cisco ASA. Unfortunately, your users won’t have many resources until you configure them. In [URL="http://blogs.techrepublic.com.com/networking/?p=1385"]part 2[/URL], I’ll look at how to customize the SSL VPN portal to provide the required access for your remote users. Stay tuned
[/LEFT]