Clientless SSL VPN remote access set-up guide for the Cisco ASA


  • 7/14/2019 Clientless SSL VPN Remote Access Set-up Guide for the Cisco ASA


By Lori Hyde in Data Center, April 23, 2009, 6:30 AM

Lori Hyde explains the initial setup and configuration of Clientless SSL VPN for remote users who need access to resources in a very controlled environment.

Clientless SSL VPN remote access has its pluses and minuses. I've found it to be more complicated to set up and customize than remote access using the VPN client. However, with a bit of patience, you'll find it's actually quite flexible and provides a way to offer users access to needed resources in a very controlled environment, without having to manage a client install.

This will be a two-part article, with the first part covering the initial setup and the second part going into more depth on the customization of the remote user interface.

Keep in mind that the SSL VPN remote access solution does have some limitations. In a clientless SSL session, the Cisco ASA acts as a proxy between the remote user and the internal resources. When accessing resources, the ASA establishes a secure connection and validates the server SSL certificate. This certificate is never seen by the end user. The ASA does not permit communication with sites that have invalid certificates, and it judges validity against its own trustpoints: if your internal web servers carry certificates from a private CA, install that CA's certificate on the ASA (crypto ca trustpoint followed by crypto ca authenticate) before users try to reach them through the portal.

As always, refer to www.cisco.com for more detailed information and specific configuration variations.


In the following steps, I'll set up the basics of Clientless SSL VPN access. I've supplied most of the command-line work here as well as the ASDM equivalent (the figures). The CLI syntax is that of the ASA 8.0/8.2 software current when this was written: on 8.3 and later the NAT model changed (see Step 6), and from 8.4 the svc keywords are spelled anyconnect, so check the release notes for your version before pasting.

Step 1. Configure an identity certificate

Here, I am creating a general purpose, self-signed identity certificate on the key pair named sslvpnkey and applying that certificate to the "outside" interface. You can purchase a certificate through a vendor such as Verisign, etc., if you choose, and for anything beyond a lab you should: with a self-signed certificate every user gets a browser warning on every login, learns to click through it, and would not notice a man-in-the-middle presenting a different self-signed certificate in its place. Also give the key a 2048-bit modulus (crypto key generate rsa label sslvpnkey modulus 2048); the default on this software is 1024 bits, which public CAs have refused to sign since 2014.

corpasa(config)#crypto key generate rsa label sslvpnkey

corpasa(config)#crypto ca trustpoint localtrust

corpasa(config-ca-trustpoint)#enrollment self

corpasa(config-ca-trustpoint)#fqdn sslvpn.mycompany.com

corpasa(config-ca-trustpoint)#subject-name CN=sslvpn.mycompany.com

corpasa(config-ca-trustpoint)#keypair sslvpnkey

corpasa(config-ca-trustpoint)#exit

corpasa(config)#crypto ca enroll localtrust noconfirm

corpasa(config)#ssl trust-point localtrust outside


Figure A (ASDM equivalent of Step 1; screenshot not reproduced in this transcript)

Step 2. Enable SSL VPN access

corpasa(config)#webvpn

corpasa(config-webvpn)#enable outside

corpasa(config-webvpn)#svc enable

The enable outside line is what opens the portal on the outside interface. svc enable turns on download of the SSL VPN client (AnyConnect) and is not required for a clientless-only portal; it is here because the default group policy in Step 3 permits both client and clientless connections.


Figure B (ASDM equivalent of Step 2; screenshot not reproduced in this transcript)

Step 3. Create a group policy

Group policies specify the parameters that are applied to clients when they connect. A clientless session does not consume an address from a pool (the ASA proxies to internal resources from its own inside interface address), but the SSL VPN client connections that the default group policy below also permits do need one, so I'll set up an address pool for them; you could also use a DHCP server if you have one.

corpasa(config)#ip local pool VPN 192.168.100.1-192.168.100.50 mask 255.255.255.0

    Next, I've made some modifications to the default group policy for items such as the

    dns-servers, the default domain, etc. Typically, the default group policy is where you

    will set up the global values common to most users.

corpasa(config)#group-policy DfltGrpPolicy attributes

corpasa(config-group-policy)# wins-server value 192.168.80.205

corpasa(config-group-policy)# dns-server value 172.20.100.1

corpasa(config-group-policy)# dns-server value 192.168.80.216


corpasa(config-group-policy)# vpn-tunnel-protocol svc webvpn

corpasa(config-group-policy)# split-tunnel-policy tunnelspecified

corpasa(config-group-policy)# split-tunnel-network-list value inside-network

corpasa(config-group-policy)# address-pools value VPN

Figure C (ASDM equivalent of the default group policy; screenshot not reproduced in this transcript)

    Then, I'll create a group policy named Operations. This is where I'll configure the items

    specific to our SSL users, which in this case is the operations team.

corpasa(config)#group-policy Operations internal

corpasa(config)#group-policy Operations attributes

corpasa(config-group-policy)# banner value Tech Op Remote Access

corpasa(config-group-policy)# banner value Unauthorized access prohibited

corpasa(config-group-policy)# vpn-tunnel-protocol webvpn


corpasa(config-group-policy)# webvpn

corpasa(config-group-webvpn)# url-list value TechOps

corpasa(config-group-webvpn)# homepage none

corpasa(config-group-webvpn)# svc ask none default webvpn

corpasa(config-group-webvpn)# customization value TechOps

corpasa(config-group-webvpn)# hidden-shares visible

corpasa(config-group-webvpn)# file-entry enable

corpasa(config-group-webvpn)# file-browsing enable

corpasa(config-group-webvpn)# url-entry enable

Note what the last four lines open up: url-entry lets a user type any URL into the portal's address bar, file-entry lets them type any CIFS path, file-browsing lets them walk shares, and hidden-shares visible lists the administrative shares too, all proxied by the ASA from its inside address. That is convenient in a lab, but for the "very controlled environment" this guide is aimed at, disable them and restrict reachable destinations with a webtype access list applied through filter value.

Figure D (ASDM equivalent of the Operations group policy; screenshot not reproduced in this transcript)
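A tighter version of the Operations policy, written for this page as an added example rather than taken from the article: it keeps the bookmark list TechOps (assumed to already exist; the article builds it in part 2) but turns off free-form URL and file entry and pins every clientless session to a webtype access list. The hosts intranet.mycompany.com and fileserver.mycompany.com and the ACL name TechOps-Web are hypothetical, and the syntax is the same 8.0/8.2-era CLI the article uses (vpn-tunnel-protocol webvpn is spelled ssl-clientless from 8.4 onward).

```cisco
! Added example, not from the original article. Hypothetical internal hosts:
! intranet.mycompany.com and fileserver.mycompany.com. Assumes the bookmark
! list "TechOps" has already been imported.
!
! 1. Webtype ACL: the only destinations a clientless session may be proxied to.
!    The trailing deny is explicit so that blocked attempts are logged.
access-list TechOps-Web webtype permit url https://intranet.mycompany.com/*
access-list TechOps-Web webtype permit url cifs://fileserver.mycompany.com/ops/*
access-list TechOps-Web webtype deny url any log
!
! 2. Group policy: clientless only, bookmarks only, no free-form navigation,
!    one session per user, 15-minute idle timeout.
group-policy Operations internal
group-policy Operations attributes
 banner value Tech Op Remote Access
 banner value Unauthorized access prohibited
 vpn-tunnel-protocol webvpn
 vpn-simultaneous-logins 1
 vpn-idle-timeout 15
 webvpn
  url-list value TechOps
  filter value TechOps-Web
  homepage none
  customization value TechOps
  url-entry disable
  file-entry disable
  file-browsing disable
  hidden-shares none
```

Paste it in configuration mode and confirm with show running-config group-policy Operations. A portal login should then show only the bookmarks; any address typed into a bookmark's own page that falls outside the two permitted prefixes is denied by the ASA and logged.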

Step 4. Configure access list bypass

By using the sysopt connection command we tell the ASA to allow the SSL/IPsec clients to bypass the interface access lists.

corpasa(config)#sysopt connection permit-vpn

This is a global switch: every decrypted VPN packet, from every tunnel group, skips the interface ACL. If you would rather keep interface ACLs in force, leave it off (no sysopt connection permit-vpn) and permit the pool explicitly, or restrict each group with a vpn-filter access list in its group policy. For the clientless sessions this guide is about, the webtype ACL applied with filter value is the control that actually matters, since their traffic originates from the ASA itself.

    Step 5.Create a connection profile and tunnel group

    As remote access clients connect to the ASA, they connect to a connection profile,

    which is also known as a tunnel group. We'll use this tunnel group to define the

    specific connection parameters we want them to use during this SSL VPN session.

First, let's create the tunnel group RA_SSL as a remote-access connection profile (the webvpn-attributes sub-mode used below only works once the tunnel group exists):

corpasa(config)# tunnel-group RA_SSL type remote-access

Figure E (ASDM equivalent of creating the connection profile; screenshot not reproduced in this transcript)

    Next, I'll assign the specific attributes:

    corpasa(config)#tunnel-group RA_SSL webvpn-attributes


corpasa(config-tunnel-webvpn)# group-alias RA_SSL enable

corpasa(config-tunnel-webvpn)# customization TechOps

corpasa(config-tunnel-webvpn)# group-url https://MyASAIP/RA_SSL enable

Figure F (ASDM equivalent of the connection profile attributes; screenshot not reproduced in this transcript)

    Step 6.Configure NAT exemption

Now I need to tell the ASA not to NAT the traffic between the remote access clients and the internal network they will be accessing. Strictly speaking, a clientless session never carries a pool address (the ASA proxies from its own inside interface address), so this exemption serves the SSL VPN client sessions the default group policy also allows. First I'll create an access list that defines the traffic, and then we'll apply this list to the nat statement for our interface. This nat 0 form exists only up to ASA 8.2; 8.3 and later dropped it in favour of object-based identity NAT.

corpasa(config)#access-list no_nat extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0


    corpasa(config)#nat (inside) 0 access-list no_nat

Figure G (ASDM equivalent of the NAT exemption; screenshot not reproduced in this transcript)
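The same exemption in the object-based NAT model that ASA 8.3 introduced, as an added example (it is not from the article, which predates 8.3). The networks are the article's; the object names INSIDE-NET and VPN-POOL are my own, and the no-proxy-arp and route-lookup keywords need 8.4(2) or later.

```cisco
! Added example, not from the original article: ASA 8.3+ replacement for
! "nat (inside) 0 access-list no_nat". Networks as in the article:
! 192.168.200.0/24 inside, 192.168.100.0/24 VPN address pool.
object network INSIDE-NET
 subnet 192.168.200.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0
!
! Identity (twice) NAT: inside hosts talking to pool addresses keep both
! source and destination unchanged. no-proxy-arp stops the ASA answering
! ARP for pool addresses on the inside segment; route-lookup makes it use
! the routing table rather than the NAT rule's interface to pick the egress.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
```

After applying it, show nat detail lists the rule with its hit counts, and packet-tracer input inside tcp 192.168.200.10 1025 192.168.100.5 80 should show the NAT phase as an identity translation.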

Step 7. Configure user accounts

Now we're ready for some user accounts. Here I'll create a user and assign this user to our remote access VPN. The service-type remote-access attribute matters: it limits the account to VPN logins and keeps it from being used for the ASA's own CLI or ASDM management access. While you are setting up local accounts here, you can also configure domain servers and use domain authentication if you choose to do so; a local account with a static password is a single factor, so for production point the connection profile at your AAA server instead.

    corpasa(config)#username hyde password l3tm3in

    corpasa(config)#username hyde attributes

    corpasa(config-username)#service-type remote-access


Figure H (ASDM equivalent of the user account; screenshot not reproduced in this transcript)
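The bindings the walkthrough leaves to the ASDM screenshots, as an added example that is not part of the original article: the connection profile must exist with type remote-access before its attribute modes are entered, the Operations policy is applied only if the tunnel group or the user names it, and the pool is assigned at the tunnel group. The URL sslvpn.mycompany.com reuses the Step 1 FQDN in place of the article's MyASAIP placeholder; group-lock is my addition.

```cisco
! Added example, not from the original article: ties RA_SSL, Operations and
! the user together so that logins through RA_SSL actually land in the
! Operations policy (otherwise DfltGrpPolicy applies).
!
! Connection profile: type first, then the two attribute sub-modes.
tunnel-group RA_SSL type remote-access
tunnel-group RA_SSL general-attributes
 default-group-policy Operations
 address-pool VPN
tunnel-group RA_SSL webvpn-attributes
 group-alias RA_SSL enable
 group-url https://sslvpn.mycompany.com/RA_SSL enable
!
! Local user pinned to the same policy and locked to this profile, so a
! different alias on the login page cannot move the user into another
! group. service-type remote-access keeps the account off CLI/ASDM login.
username hyde password l3tm3in
username hyde attributes
 vpn-group-policy Operations
 group-lock value RA_SSL
 service-type remote-access
```

show running-config tunnel-group RA_SSL and show vpn-sessiondb webvpn (the Group Policy column) confirm which policy a session received; if it reports DfltGrpPolicy, the default-group-policy line is missing.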

    Finishing up:

    Don't forget to save your configuration to memory.

    corpasa#write memory

    Verify your configuration by establishing a remote access session and use the

    following show command to view session details.

corpasa#show vpn-sessiondb webvpn

    This should get the basics of your SSL VPN remote access configured on the Cisco

    ASA. Unfortunately, your users won't have many resources until you configure them.

In part 2, I'll look at how to customize the SSL VPN portal to provide the required access for your remote users. Stay tuned!
