Thursday, July 22, 2010

CCNA Security 31

Cisco ASA SSL VPN is designed to give clients quick access. There are two types of SSL VPN: WebVPN and AnyConnect. WebVPN is known as a clientless SSL VPN and operates much like a web proxy. AnyConnect, on the other hand, requires a client and provides the features of a full-fledged VPN over TLS. In this article, I'm going to go through both the clientless and the client versions of SSL VPN.
WebVPN requires only a supported browser (almost any browser that supports SSL/TLS), with nothing else to configure on the client. WebVPN is typically best for accessing application servers. Like a web proxy, it provides no direct connection to the actual resources.

AnyConnect VPN, on the other hand, supports both WebVPN and full-tunnel access. It is initiated via the browser and supports a wide range of access options. It offers broad application support and uses a WebVPN gateway.

Most people still prefer IPsec VPNs, as it is a more established technology and is excellent for company-owned systems. It is initiated using VPN client software and provides full-tunnel access.

To set up WebVPN, we need to set up a WebVPN gateway. Before we can set up one, we'll need to create a trustpoint. In this article, I'll use a self-signed certificate. Before we can generate a self-signed certificate, we'll need to generate an RSA keypair, so we'll begin by typing:
crypto key generate rsa

Now that we have a keypair, we can create a trustpoint that enrolls itself (i.e. issues a self-signed certificate) and then enroll it:
crypto ca trustpoint LOCAL
enrollment self
crypto ca enroll LOCAL

We'll then need to enter webvpn configuration mode and enable the WebVPN gateway on the outside interface:
webvpn
enable OUTSIDE

At this point, clientless WebVPN would be working. Of course, if you haven't done so already, you'll need to create a local user account:
username cisco password cisco

Next, I'll set up AnyConnect. It is simpler to set up than an IPsec remote-access solution.

First, still in webvpn configuration mode, we'll have to enable SVC (SSL VPN Client):
webvpn
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg
svc enable
tunnel-group-list enable

For SVC to work, your device must have an AnyConnect client image loaded. This image is available in disk0: by default, so you only have to point to it. The "tunnel-group-list enable" command lets the client present a list of tunnel-groups to choose from when connecting to the ASA. The tunnel-group list looks like this:

We'll have to create a group-policy (this is optional: if no group-policy is applied to a tunnel-group, all protocols are enabled). We'll type:
group-policy ACPOLICY internal
group-policy ACPOLICY attributes
vpn-tunnel-protocol svc

Next, we'll simply create an address pool and a tunnel-group, and assign the group-policy to it (the default-group-policy line is only applicable if you created a group policy above). The pool takes a start and end address plus a netmask; the placeholders below stand for your own values:
ip local pool ACPOOL <start-ip>-<end-ip> mask <netmask>
tunnel-group ACGROUP type remote-access
tunnel-group ACGROUP general-attributes
address-pool ACPOOL
default-group-policy ACPOLICY
tunnel-group ACGROUP webvpn-attributes
group-alias AC enable
group-url https://<asa-outside-address>/AC enable

Now you can verify your configuration through:
show webvpn csd
show webvpn group-alias
show webvpn group-url
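The steps above are spread across several configuration modes, and the post shows most commands in abbreviated form. The following consolidated configuration is an added example, not the blog's own listing: it repeats the whole procedure (keypair, self-signed trustpoint, clientless WebVPN, AnyConnect, group-policy, pool, tunnel-group, verification) with full command names and the mode nesting the ASA expects. The keypair label SSLVPN-KEY, the subject name asa.example.local, the pool range 10.10.10.1-10.10.10.50, the outside address 203.0.113.1 and the "ssl trust-point" line (which the post does not show, but without which the ASA serves its default temporary certificate instead of the LOCAL one) are assumptions for illustration; OUTSIDE is the nameif of the Internet-facing interface, as in the post.

```cisco
! --- Keypair and self-signed certificate (assumed label and subject name) ---
crypto key generate rsa label SSLVPN-KEY modulus 2048
crypto ca trustpoint LOCAL
 enrollment self
 keypair SSLVPN-KEY
 subject-name CN=asa.example.local
crypto ca enroll LOCAL noconfirm
! Bind the self-signed certificate to the outside interface (assumed line,
! not shown in the post); otherwise clients get the ASA's default temp cert
ssl trust-point LOCAL OUTSIDE

! --- Local user used for the examples (same credentials as the post) ---
username cisco password cisco

! --- WebVPN gateway: clientless access plus the AnyConnect (SVC) client ---
webvpn
 enable OUTSIDE
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable

! --- Group policy restricting this group to the SSL VPN client only ---
group-policy ACPOLICY internal
group-policy ACPOLICY attributes
 vpn-tunnel-protocol svc

! --- Address pool handed to AnyConnect clients (assumed range) ---
ip local pool ACPOOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! --- Remote-access tunnel group tying pool, policy, alias and URL together ---
tunnel-group ACGROUP type remote-access
tunnel-group ACGROUP general-attributes
 address-pool ACPOOL
 default-group-policy ACPOLICY
tunnel-group ACGROUP webvpn-attributes
 group-alias AC enable
 group-url https://203.0.113.1/AC enable

! --- Verification ---
show webvpn csd
show webvpn group-alias
show webvpn group-url
show running-config webvpn
show vpn-sessiondb svc
```

Two practical notes. First, a self-signed certificate means every client sees a browser or AnyConnect warning and has no way to tell the real ASA from an impostor presenting another self-signed certificate; for anything beyond a lab, enroll the trustpoint with a CA the clients already trust (or pin the ASA certificate in the AnyConnect profile) and keep the rest of the configuration unchanged. Second, the "svc" keywords shown here match the 8.x release the post's image name implies; later ASA releases rename them (for example "anyconnect image"/"anyconnect enable" and "vpn-tunnel-protocol ssl-client"), so check "show version" before pasting.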

This is basically all you need to type to set up the ASA to allow AnyConnect connections! Do note that WebVPN is only supported on ASA firewalls! PIX does not support WebVPN even if it runs the same platform version!
