Clientless SSL VPN remote access set-up guide for the Cisco ASA

[LEFT][CODE]http://blogs.techrepublic.com.com/networking/?p=1366&tag=rbxccnbtr1[/CODE][SIZE=3][B]PART-1[/B][/SIZE]

[I]Lori Hyde explains the initial set up and configuration of Clientless SSL VPN for remote users who need access to resources in a very controlled environment.[/I]
——————————————————————————
Clientless SSL VPN remote access has its pluses and minuses. I’ve found it to be more complicated to set up and customize than remote access using the VPN client. However, with a bit of patience, you’ll find it’s actually quite flexible and provides a way to offer users access to needed resources in a very controlled environment, without having to manage a client install.
This will be a two-part article with the first part covering the initial setup and the [URL="http://blogs.techrepublic.com.com/networking/?p=1385"]second part[/URL] going into more depth on the customization of the remote user interface.
Keep in mind that the SSL VPN remote access solution does have some limitations. In a clientless SSL session, the Cisco ASA acts as a proxy between the remote user and the internal resources. When accessing resources, the ASA establishes a secure connection and validates the server SSL certificate. This certificate is never seen by the end user. The ASA does not permit communication with sites that have invalid certificates.
As always, refer to [URL="http://www.cisco.com/"]www.cisco.com[/URL] for more detailed information and specific configuration variations.
In the following steps, I’ll set up the basics of Clientless SSL VPN access. I’ve supplied most of the command-line work here as well as the ASDM equivalent.

[B]Step 1[/B]. [B]Configure an identity certificate[/B]

Here, I am creating a general purpose, self-signed, identity certificate named [I]sslvpnkey[/I] and applying that certificate to the “outside” interface. You can purchase a certificate through a vendor such as Verisign, etc., if you choose.
[CODE]
corpasa(config)#crypto key generate rsa label sslvpnkey

corpasa(config)#crypto ca trustpoint localtrust

corpasa(config-ca-trustpoint)#enrollment self

corpasa(config-ca-trustpoint)#fqdn sslvpn. mycompany.com

corpasa(config-ca-trustpoint)#subject-name CN=sslvpn.mycompany.com

corpasa(config-ca-trustpoint)#keypair sslvpnkey

corpasa(config-ca-trustpoint)#crypto ca enroll localtrust noconfirm

corpasa(config)# ssl trust-point localtrust outside
[/CODE][B]Figure A[/B]



[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290773.html?seq=40"][IMG]http://i.techrepublic.com.com/gallery/290773-500-354.png[/IMG][/URL]

[B]Step 2.[/B] [B]Enable SSL VPN Access[/B]

[CODE]
corpasa(config)#[B]webvpn

[/B] corpasa(config-webvpn)#[B]enable outside

[/B] corpasa(config-webvpn)#[B]svc enable[/B]
[/CODE][B]Figure B[/B]



[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290774.html?seq=41"][IMG]http://i.techrepublic.com.com/gallery/290774-500-312.png[/IMG][/URL]


[B]Step 3.[/B] [B]Create a Group Policy[/B]

Group Policies are used to specify the parameters that are applied to clients when they connect. The remote access clients will need to be assigned an IP address during login; so we’ll set up an address pool for them, but you could also use a DHCP server if you have one.
[CODE]corpasa(config)#ip local pool VPN 192.168.100.1-192.168.100.50 mask 255.255.255.0
[/CODE] Next, I’ve made some modifications to the default group policy for items such as the dns-servers, the default domain, etc. Typically, the default group policy is where you will set up the global values common to most users.
[CODE]
Corpasa (config)#group-policy DfltGrpPolicy attributes

Corpasa (config-group-policy)# wins-server value 192.168.80.205

Corpasa (config-group-policy)# dns-server value 172.20.100.1

Corpasa (config-group-policy)# dns-server value 192.168.80.216

Corpasa (config-group-policy)# vpn-tunnel-protocol svc webvpn

Corpasa (config-group-policy)# split-tunnel-policy tunnelspecified

Corpasa (config-group-policy)# split-tunnel-network-list value inside-network

Corpasa (config-group-policy)# address-pools value VPN
[/CODE][B]Figure C[/B]



[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290775.html?seq=42"][IMG]http://i.techrepublic.com.com/gallery/290775-500-309.png[/IMG][/URL]

Then, I’ll create a group policy named Operations. This is where I’ll configure the items specific to our SSL users, which in this case is the operations team.
[CODE]
Corpasa (config)#group-policy Operations internal

Corpasa (config)#group-policy Operations attributes

Corpasa (config-group-policy)# banner value Tech Op Remote Access

Corpasa (config-group-policy)# banner value Unauthorized access prohibited

Corpasa (config-group-policy)# vpn-tunnel-protocol webvpn

Corpasa (config-group-policy)# webvpn

Corpasa (config-group-webvpn)# url-list value TechOps

Corpasa (config-group-webvpn)# homepage none

Corpasa (config-group-webvpn)# svc ask none default webvpn

Corpasa (config-group-webvpn)# customization value TechOps

Corpasa (config-group-webvpn)# hidden-shares visible

Corpasa (config-group-webvpn)# file-entry enable

Corpasa (config-group-webvpn)# file-browsing enable

Corpasa (config-group-webvpn)# url-entry enable
[/CODE][B]Figure D[/B]



[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290776.html?seq=43"][IMG]http://i.techrepublic.com.com/gallery/290776-500-312.png[/IMG][/URL]


[B]Step 4.[/B] [B]Configure access list bypass[/B]

By using the [I]sysopt connect[/I] command we tell the ASA to allow the SSL/IPsec clients to bypass the interface access lists.
[CODE]corpasa(config)#sysopt connection permit-vpn
[/CODE] [B]Step 5.[/B] [B]Create a connection profile and tunnel group[/B]

As remote access clients connect to the ASA, they connect to a connection profile, which is also known as a tunnel group. We’ll use this tunnel group to define the specific connection parameters we want them to use during this SSL VPN session.
First, let’s create the tunnel group RA_SSL:
[CODE]corpasa(config)# tunnel-group RA_SSL webvpn-attributes
[/CODE] [B]Figure E[/B]



[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290777.html?seq=44"][IMG]http://i.techrepublic.com.com/gallery/290777-500-362.png[/IMG][/URL]



Next, I’ll assign the specific attributes:
[CODE]
corpasa(config)#[B]tunnel-group [/B][I]RA_SSL webvpn-attributes

[/I] corpasa(config-tunnel-webvpn)#[I] group-alias RA_SSL enable

[/I] corpasa(config-tunnel-webvpn)#[I] customization TechOps

[/I] corpasa(config-webvpn)#[I] group-url https://MyASAIP/RA_SSL enable[/I]
[/CODE][B]Figure F[/B]



[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290778.html?seq=45"][IMG]http://i.techrepublic.com.com/gallery/290778-500-409.png[/IMG][/URL]


[B]Step 6.[/B] [B]Configure NAT exemption[/B]

Now I need to tell the ASA not to NAT the traffic between the remote access clients and the internal network they will be accessing. First I’ll create an access list that defines the traffic, and then we’ll apply this list to the [I]nat[/I] statement for our interface.
[CODE]
corpasa(config)#access-list no_nat extended permit


ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0

corpasa(config)#nat (inside) 0 access-list no_nat

[/CODE][B]Figure G[/B]



[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290779.html?seq=46"][IMG]http://i.techrepublic.com.com/gallery/290779-500-362.png[/IMG][/URL]


[B]Step 7.[/B] [B]Configure user accounts[/B]

Now we’re ready for some user accounts. Here I’ll create a user and assign this user to our remote access VPN. While you are setting up local accounts here, you can also configure domain servers and use domain authentication if you choose to do so.
[CODE]
corpasa(config)#username hyde password l3tm3in

corpasa(config)#username hyde attributes

corpasa(config-username)#service-type remote-access
[/CODE][B]Figure H[/B]



[URL="http://content.techrepublic.com.com/2347-10878_11-263392-290780.html?seq=47"][IMG]http://i.techrepublic.com.com/gallery/290780-500-311.png[/IMG][/URL]


[B]Finishing up:[/B]

Don’t forget to save your configuration to memory.
[CODE]corpasa#write memory
[/CODE] Verify your configuration by establishing a remote access session and use the following show command to view session details.
[CODE]corpasa #show vpn-sessiondb webvpn
[/CODE] This should get the basics of your SSL VPN remote access configured on the Cisco ASA. Unfortunately, your users won’t have many resources until you configure them. In [URL="http://blogs.techrepublic.com.com/networking/?p=1385"]part 2[/URL], I’ll look at how to customize the SSL VPN portal to provide the required access for your remote users. Stay tuned
[/LEFT]

[LEFT][CODE]http://blogs.techrepublic.com.com/networking/?p=1385&tag=leftCol;post-1366[/CODE][SIZE=3][B]PART-2[/B][/SIZE]

[I]Lori Hyde explains how to customize the SSL portal for remote users with customizations that can be configured via the Adaptive Security Device Manager (ASDM) interface in the Cisco ASA. This post follows up her guide to the basic setup of SSL VPN access.
[/I]
———————————————————————————-
Customizing the SSL portal is the second part of my post, [URL="http://blogs.techrepublic.com.com/networking/?p=1366"]Clientless SSL VPN Remote Access Set-up Guide for the Cisco ASA[/URL], in which I went over the basic setup of SSL VPN access. In this second part, we’ll look at customizing the remote user portal. It’s via the customization of the remote user SSL portal that internal resources are made available to the remote user.
As I pointed out in part one, setting up the clientless SSL VPN access is more complicated than using the VPN Client, but after you become familiar with the key pieces, you’ll find it’s really not too bad.
The Cisco ASA supports a variety of features that can be customized for the clientless SSL VPN user experience, among which are portal look and feel, application access, and file browsing. These customizations can be configured via the Adaptive Security Device Manager (ASDM) interface or by creating your own HTML files.
The first step in providing access should be to gather your user requirements to define which specific resources and applications you will need to configure. For this example, I’ll configure user file-share access, SSH access, VNC access and I’ll incorporate a support HTML page, but there are many more features you could use.
I’ll use Client-Server Plug-ins, Web Contents, and Bookmarks to customize the user portal page.
[B]Client-Server Plug-ins[/B]

Web browser plug-ins are actually separate programs that the browser uses to provide specific functionality, such as connecting the remote client to a server. Cisco provides plug-ins for SSH and Telnet access, Terminal Server access, Citrix access, and VNC access. Client-Server Plug-ins can be downloaded from the Cisco Web site and then uploaded to the ASA by navigating: Configuration | Remote Access VPN | Clientless SSL VPN Access | Portal | Client-Server Plug-ins, as shown in [B]Figure A[/B].
[B]Figure A[/B]

[CENTER][URL="http://content.techrepublic.com.com/2347-10878_11-263392-293084.html?seq=48"][IMG]http://i.techrepublic.com.com/gallery/293084-500-375.png[/IMG][/URL][/CENTER]


You can also configure Smart Tunnels instead of, or in addition to, using plug-ins. They perform better than plug-ins; however, plug-ins do not require the client application to be installed on the remote users system.
[B]Web content[/B]

Upload any images you want to use in your customization, such as company logos, thumbnail pictures, etc., to the Configuration | Remote Access VPN | Clientless SSL VPN Access | Portal | Web Contents section of the ASDM, as shown in [B]Figure B[/B]. These objects will be used during the Bookmark configuration and the User Portal Page configurations.
[B]Figure B[/B]

[CENTER][URL="http://content.techrepublic.com.com/2347-10878_11-263392-293086.html?seq=49"][IMG]http://i.techrepublic.com.com/gallery/293086-500-332.png[/IMG][/URL][/CENTER]


[B]Bookmarks[/B]

We can now create bookmarks that will use the plug-ins to provide specific access to the remote user. You can also tie a thumbnail picture to the bookmark if you choose: Configuration | Remote Access VPN | Clientless SSL VPN Access | Portal | Bookmarks, as shown in [B]Figure C[/B].
[B]Figure C[/B]

[CENTER][URL="http://content.techrepublic.com.com/2347-10878_11-263392-293087.html?seq=50"][IMG]http://i.techrepublic.com.com/gallery/293087-500-437.png[/IMG][/URL][/CENTER]


We’ve now configured the background resources that we’ll use. The next step is to configure the GUI for the user portal.
[B]Portal page customization[/B]

While not truly 100 percent customizable, the remote user portal can be modified to provide a different look, feel, and set of resources for each SSL VPN group you have. There are three primary pages that can be customized: Logon, User Portal, and Logout. All these changes are made via a default browser window that the ASA opens when you edit a Customization Object. Changes can be previewed here prior to saving the configuration. This is also where you configure the ASA to use your own HTML page if you have created one. [B]Figure D[/B] shows the default page that is presented by the ASA.
[B]Figure D[/B]

[CENTER][URL="http://content.techrepublic.com.com/2347-10878_11-263392-293088.html?seq=51"][IMG]http://i.techrepublic.com.com/gallery/293088-500-283.png[/IMG][/URL][/CENTER]


The Logon page, shown in [B]Figure E[/B], allows for customization of the page title, the look and feel, such as colors and text, as well as the languages you want to use and any informational text you want the users to see. Keep in mind that this page can be seen by the general public prior to user authentication unless you have access locked down via an Access Control List (ACL) on the firewall, so take care with what information you allow to be seen.
[B]Figure E[/B]

[CENTER][URL="http://content.techrepublic.com.com/2347-10878_11-263392-293089.html?seq=52"][IMG]http://i.techrepublic.com.com/gallery/293089-500-363.png[/IMG][/URL][/CENTER]


The Portal page, shown in [B]Figure F[/B], is where you customize the remote users’ access to applications, customize their home page, and set up custom panes and columns. The Applications section allows you to enable or disable the plug-ins you have uploaded and change the titles. You could easily have several different customized pages that offer different resources to each user group based on their requirements.
[B]Figure F[/B]

[CENTER][URL="http://content.techrepublic.com.com/2347-10878_11-263392-293090.html?seq=53"][IMG]http://i.techrepublic.com.com/gallery/293090-500-292.png[/IMG][/URL][/CENTER]


The Custom Panes section, shown in [B]Figure G[/B], allows you to configure four types of panes that can display information to the remote user. These panes include HTML, Text, Images, and RSS feeds.
[B]Figure G[/B]

[CENTER][URL="http://content.techrepublic.com.com/2347-10878_11-263392-293091.html?seq=54"][IMG]http://i.techrepublic.com.com/gallery/293091-500-363.png[/IMG][/URL][/CENTER]


[B]Remote user experience[/B]

[B]Figures H[/B], [B]I[/B], and [B]J [/B]show screenshots of a remote user session that shows some of the fruits of our customization efforts.
[B]Figure H[/B]

[CENTER][URL="http://content.techrepublic.com.com/2347-10878_11-263392-293092.html?seq=55"][IMG]http://i.techrepublic.com.com/gallery/293092-500-398.png[/IMG][/URL][/CENTER]
[CENTER][B] Authenticated User Screen[/B]
[/CENTER]

[B]Figure I[/B]

[CENTER][URL="http://content.techrepublic.com.com/2347-10878_11-263392-293093.html?seq=56"][IMG]http://i.techrepublic.com.com/gallery/293093-500-303.png[/IMG][/URL][/CENTER]
[CENTER][B] User Application Screen[/B]
[/CENTER]

[B]Figure J[/B]

[CENTER][URL="http://content.techrepublic.com.com/2347-10878_11-263392-293085.html?seq=57"][IMG]http://i.techrepublic.com.com/gallery/293085-500-339.png[/IMG][/URL][/CENTER]
[CENTER][B] An SSH session[/B]
[/CENTER]

[B]Finishing Up[/B]
Your customizations are not saved in the ASA running configuration so be sure to export them to host on your network. These will export as XML files that can then be imported at a later time or to another ASA.
This article covered a good deal of the basics, but it cannot begin to cover every configuration aspect, so, as always, consult the [URL="http://www.cisco.com/"]Cisco Systems Web site[/URL] for more details
[/LEFT]