
CCIE Security

Advanced Technologies Class

Web VPN & SSL VPN

http://www.InternetworkExpert.com

VPN Review

• LAN-to-LAN VPNs
– Always on
– Requires manual configuration of Phase 1 & Phase 2 parameters
– Some scalability through wildcard PSKs
– More scalability through DMVPN

Copyright © 2007 Internetwork Expert, Inc


www.InternetworkExpert.com

VPN Review (cont.)

• Remote Access VPNs
– On demand
– Requires manual configuration of “EzVPN” server
– EzVPN client needs manual configuration to point to server but doesn’t need Phase 1 / Phase 2 parameters
– Assumes that client has software client (Cisco Unity Client) or hardware client (IOS / VPN 3002)

WebVPN Overview

• Allows users to initiate secure VPN connections via SSL/TLS without the need for a pre-installed VPN client
• VPN3K / ASA acts as proxy between web client and web server
• Supports only certain applications
– Web Browsing
– Secure Email (POP3S / IMAP4S / SMTPS)
– “Port Forwarding”
• Windows Terminal Services
• Telnet / SSH
• SFTP
• Outlook / Lotus Notes
• Other standard TCP applications

WebVPN Overview (cont.)

• Client authenticates to WebVPN server via encrypted SSL/TLS channel
• Client is presented with customizable homepage with links to network resources, port forwarding applications, and URL-entry box
• Access can be restricted to particular resources
– WebVPN ACL
– No URL-Entry

VPN3K WebVPN Example

• Allow HTTP and telnet access from PC to SW1

[Topology diagram, not recoverable from the text: Test PC on the Public side, R1 and R2 over Frame-Relay, the WebVPN concentrator, R3 / PIX / ASA1 / R4 and SW1 on the Private (Inside) side]

VPN3K WebVPN Configuration

• Configure WebVPN specific parameters
– Configuration | Tunneling and Security | WebVPN
• Servers and URL
– Displayed on user’s homepage
• Port Forwarding
– TCP application access
• Configure WebVPN Group
– Configuration | User Management | Groups
• Identity
– Specify group name / password
• General
– Permit WebVPN as tunneling protocol
• WebVPN
– Allow manual URL entry?
– Create and apply WebVPN ACL

VPN3K WebVPN Configuration (cont.)

• Create users and assign to the group
– Configuration | User Management | Users
• Enable WebVPN on public interface
– Configuration | Interfaces | Public | WebVPN

ASA WebVPN Example

• Allow HTTP access to SW2 and telnet access to R5

[Topology diagram, not recoverable from the text; only the label "WebVPN" survives]

ASA WebVPN Configuration

• Configure WebVPN specific parameters
– webvpn
• enable outside
• tunnel-group-list enable
• Define WebVPN group policy
– show run all group-policy
• Verify default group attributes
– group-policy [group_name] internal
– group-policy [group_name] attributes
• vpn-tunnel-protocol webvpn
• webvpn

ASA WebVPN Configuration (cont.)

• Define WebVPN tunnel policy
– tunnel-group [tunnel_name] type webvpn
– tunnel-group [tunnel_name] general-attributes
• default-group-policy [group_name]
• Local authentication is default method
– username cisco password cisco1234
– tunnel-group [tunnel_name] webvpn-attributes
• group-alias [alias_name] enable

ASA WebVPN Configuration (cont.)

• Additional functions
• group-policy WEBVPNPOLICY attributes | webvpn | functions
– url-entry
• Allow users to manually enter destination URL
– url-list
• Links user can follow without manual url-entry
• Define url-list list under global webvpn
– filter
• Enable webtype access-list
– access-list WEBVPNACL webtype…
– filter value WEBVPNACL
– port-forward [name]
• Allow port-forwarding application access
• Define port-forward list under global webvpn
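The commands from the last three slides assembled into one clientless WebVPN configuration for the ASA example task (HTTP to SW2, telnet to R5). This is an added example, not configuration from the original slides; it follows ASA 7.x syntax as I recall it, and the addresses 10.1.1.2 (SW2) and 10.1.1.5 (R5), the names WEBLIST, PFLIST and WEBVPNGROUP, and the `functions port-forward filter` keyword pair are assumptions. URL entry is deliberately left out of `functions` and a webtype ACL is applied, so the user can reach only the two resources the task names.

```cisco
! Global WebVPN service: listen on the outside interface and show the
! tunnel-group drop-down on the login page
webvpn
 enable outside
 tunnel-group-list enable
 ! Bookmark shown on the user's homepage (name and address are constructed)
 url-list WEBLIST "SW2 HTTP" http://10.1.1.2
 ! Port-forwarding entry: local TCP 3023 on the PC is relayed to telnet on R5
 port-forward PFLIST 3023 10.1.1.5 23 "Telnet to R5"
!
! Webtype ACL: only these two destinations pass through the proxy; anything
! not permitted is implicitly denied (syntax assumed for ASA 7.x)
access-list WEBVPNACL webtype permit url http://10.1.1.2/*
access-list WEBVPNACL webtype permit tcp host 10.1.1.5 eq 23
!
! Group policy: clientless WebVPN only, no url-entry function, ACL applied
group-policy WEBVPNPOLICY internal
group-policy WEBVPNPOLICY attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions port-forward filter
  url-list value WEBLIST
  port-forward value PFLIST
  filter value WEBVPNACL
!
! Local user (credentials from the slide) authenticated by the ASA itself
username cisco password cisco1234
!
! Tunnel group: binds the policy to the login and names the drop-down alias
tunnel-group WEBVPNGROUP type webvpn
tunnel-group WEBVPNGROUP general-attributes
 default-group-policy WEBVPNPOLICY
tunnel-group WEBVPNGROUP webvpn-attributes
 group-alias Clientless enable
```

After login, `show run all group-policy WEBVPNPOLICY` confirms that `url-entry` is not among the enabled functions and that the filter is attached.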

SSL VPN Overview

• Extends WebVPN by allowing client to automatically download “SSL VPN Client” (SVC) from ASA
• Similar to EzVPN remote access VPN but doesn’t require client to install VPN client software beforehand
• Once WebVPN SSL/TLS authentication occurs SSL VPN Client is downloaded
• Uses normal address allocation & RRI like EzVPN configuration

ASA SSL VPN Example

• Allow access to VLANs 125 and 58

[Topology diagram, not recoverable from the text; only the label "SSLVPN" survives]

ASA SSL VPN Configuration

• Configure WebVPN specific parameters
– webvpn
• enable outside
• tunnel-group-list enable
• Configure SSL VPN Client (SVC) parameters
– svc image disk0:/sslclient-win-1.1.3.173.pkg 1
– svc enable

ASA SSL VPN Configuration (cont.)

• Define WebVPN group policy
– show run all group-policy
• Verify default group attributes
– group-policy [group_name] internal
– group-policy [group_name] attributes
• vpn-tunnel-protocol webvpn
• Split tunnel ACL
– split-tunnel-policy tunnelspecified
– split-tunnel-network-list value [acl]
• webvpn
– svc required
– Forces users to download and use SSL VPN Client

ASA SSL VPN Configuration (cont.)

• Define WebVPN tunnel policy
– tunnel-group [tunnel_name] type webvpn
– tunnel-group [tunnel_name] general-attributes
• default-group-policy [group_name]
• Local authentication is default method
– username cisco password cisco1234
• Define address allocation
– address-pool [pool]
– ip local pool…
– Reverse route injection occurs automatically but static routes still need to be advertised
– tunnel-group [tunnel_name] webvpn-attributes
• group-alias [alias_name] enable
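The SSL VPN (SVC) slides assembled into one configuration for the example task (access to VLANs 125 and 58 only). This is an added example, not configuration from the original slides; the SVC image path and the test credentials are the slides' own, while the pool range 10.99.99.0/24, the VLAN subnets 192.168.125.0/24 and 192.168.58.0/24, the names SSLPOOL, SPLIT, SSLVPNPOLICY and SSLVPNGROUP, and the OSPF process used to advertise the injected route are assumptions. The split-tunnel ACL limits what the client sends through the tunnel to the two VLANs, and `svc required` stops a user from falling back to the clientless portal.

```cisco
! Global WebVPN service plus the SVC package the ASA pushes to the browser
webvpn
 enable outside
 tunnel-group-list enable
 svc image disk0:/sslclient-win-1.1.3.173.pkg 1
 svc enable
!
! Address pool assigned to SVC clients (range constructed)
ip local pool SSLPOOL 10.99.99.1-10.99.99.50 mask 255.255.255.0
!
! Split-tunnel ACL: only VLAN 125 and VLAN 58 prefixes are routed into the
! tunnel (subnets constructed; the slide names only the VLAN numbers)
access-list SPLIT standard permit 192.168.125.0 255.255.255.0
access-list SPLIT standard permit 192.168.58.0 255.255.255.0
!
! Group policy: SVC mandatory, split tunnelling to the listed networks
group-policy SSLVPNPOLICY internal
group-policy SSLVPNPOLICY attributes
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 webvpn
  svc required
!
! Local user (credentials from the slide)
username cisco password cisco1234
!
! Tunnel group: pool and policy bound to the login, alias in the drop-down
tunnel-group SSLVPNGROUP type webvpn
tunnel-group SSLVPNGROUP general-attributes
 address-pool SSLPOOL
 default-group-policy SSLVPNPOLICY
tunnel-group SSLVPNGROUP webvpn-attributes
 group-alias SSLClient enable
!
! RRI installs a static route for each connected client automatically, but
! inside routers only learn it if it is redistributed (OSPF process assumed)
router ospf 1
 redistribute static subnets
```

While a client is connected, `show route` on the ASA shows the injected host route for the pool address, which is what the redistribution above carries to the inside routers.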
