SSL clientless VPN's provide support for remote users to access corporate resources from anywhere on the internet. Remote Access is supported through the Secure Socket Layer enabled VPN Gateway, which allow a remote user to establish a secure Virtual Private Network tunnel using the web browser. This feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support.
SSL Clientless VPN configuration can be done through the CLI or ASDM. This tutorial shows how to configure a SSL VPN through the CLI.
The following topology represents a remote user establishing a secure connection to the corporate network.
The configuration of a SSL ClientLess VPN Tunnel can be done in the following steps.
- Configure an Access-list (WEB ACL).
- Configure a Group-policy.
- Configure a Connection profile (Tunnel-group).
- Create user.
We start by configuring an access-list to allow traffic to access internal resources. In this scenario we want to allow only HTTP traffic to the internal server, to accomplish this we can create a web acl.
ASA2(config)# access-list WebACL webtype permit url http://192.168.10.100 log default
To configure a group-policy we first define where it will be stored. Internal means locally and external means on a RADIUS or LDAP server.
ASA2(config)# group-policy Remote_Access internal
After creating a group policy, we can configure its attributes.
ASA2(config)# group-policy Remote_Access attributes ASA2(config-group-policy)# vpn-tunnel-protocol ssl-clientless ASA2(config-group-policy)# banner none ASA2(config-group-policy)# banner value Welcome Remote Access user ASA2(config-group-webvpn)# webvpn ASA2(config-group-webvpn)# filter value WebACL ASA2(config-group-webvpn)# url-entry enable
Enable WebVPN on the outside interface.
ASA2(config)# webvpn ASA2(config-webvpn)# enable outside INFO: WebVPN and DTLS are enabled on 'outside'. ASA2(config-webvpn)# tunnel-group-list enable
Finally configure the tunnel-group (connection profile).
ASA2(config)# tunnel-group Remote_Access type remote-access ASA2(config)# tunnel-group Remote_Access general-attributes ASA2(config-tunnel-general)# default-group-policy Remote_Access ASA2(config-tunnel-general)# exit ASA2(config)# tunnel-group Remote_Access webvpn-attributes ASA2(config-tunnel-webvpn)# group-alias RAusers enable ASA2(config-tunnel-webvpn)# group-url https://10.0.0.254/Raccess enable ASA2(config-tunnel-webvpn)# without-csd
To access the internal resources a username/password must be specified. For this tutorial we will create a username in the local database.
ASA2(config)# username RemoteUser password Letmein privilege 1 ASA2(config)# username RemoteUser attributes ASA2(config-username)# vpn-group-policy Remote_Access
No comments:
Post a Comment