ASA SSL clientless VPN

SSL clientless VPN's provide support for remote users to access corporate resources from anywhere on the internet. Remote Access is supported through the Secure Socket Layer enabled VPN Gateway, which allow a remote user to establish a secure Virtual Private Network tunnel using the web browser. This feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support.

SSL Clientless VPN configuration can be done through the CLI or ASDM. This tutorial shows how to configure a SSL VPN through the CLI.

The following topology represents a remote user establishing a secure connection to the corporate network.




The configuration of a SSL ClientLess VPN Tunnel can be done in the following steps.

- Configure an Access-list (WEB ACL).

- Configure a Group-policy.

- Configure a Connection profile (Tunnel-group).

- Create user.

We start by configuring an access-list to allow traffic to access internal resources. In this scenario we want to allow only HTTP traffic to the internal server, to accomplish this we can create a web acl.
ASA2(config)# access-list WebACL webtype permit url http://192.168.10.100 log default
To configure a group-policy we first define where it will be stored. Internal means locally and external means on a RADIUS or LDAP server.
ASA2(config)# group-policy Remote_Access internal
After creating a group policy, we can configure its attributes.
ASA2(config)# group-policy Remote_Access attributes
ASA2(config-group-policy)# vpn-tunnel-protocol ssl-clientless 
ASA2(config-group-policy)# banner none
ASA2(config-group-policy)# banner value Welcome Remote Access user
ASA2(config-group-webvpn)# webvpn
ASA2(config-group-webvpn)# filter value WebACL
ASA2(config-group-webvpn)# url-entry enable
Enable WebVPN on the outside interface.
ASA2(config)# webvpn
ASA2(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA2(config-webvpn)# tunnel-group-list enable
Finally configure the tunnel-group (connection profile).
ASA2(config)# tunnel-group Remote_Access type remote-access
ASA2(config)# tunnel-group Remote_Access general-attributes
ASA2(config-tunnel-general)# default-group-policy Remote_Access
ASA2(config-tunnel-general)# exit
ASA2(config)# tunnel-group Remote_Access webvpn-attributes
ASA2(config-tunnel-webvpn)# group-alias RAusers enable
ASA2(config-tunnel-webvpn)#   group-url https://10.0.0.254/Raccess enable
ASA2(config-tunnel-webvpn)#   without-csd
To access the internal resources a username/password must be specified. For this tutorial we will create a username in the local database.
ASA2(config)# username RemoteUser password Letmein privilege 1
ASA2(config)# username RemoteUser attributes
ASA2(config-username)# vpn-group-policy Remote_Access

No comments:

Post a Comment