SSL VPN For CLN


CCIE Security SSL VPN IOS & ASA CCIE & CCSI : Yasser Ramzy Auda

Understanding SSL VPN


Remote access VPNs connect individual remote users to a set of resources on an organization’s
internal network.

Remote Access VPN Types


1. SSL VPN or Web VPN (with SSL) aka Clientless VPN

• Access to corporate resources can be provided to remote users even when the remote
device is not managed and no VPN client software is installed. Clientless deployments
require only that the user open a web browser, which acts as the VPN client; the VPN
gateway (server) acts as a proxy to the internal resources.

• Remote users use their web browser to establish an SSL/TLS session with the Cisco ISR.
After the server has authenticated with its certificate and the user has authenticated
(mutual authentication), the Cisco ISR applies a set of authorization and accounting
rules to the user’s session and presents the user with a web portal.

• Clientless SSL VPNs do not provide full network access like the full tunneling VPNs (Easy
VPN).

2. Easy VPN (IPsec based, without SSL) aka Full tunneling VPNs

• Requires VPN client software to be installed on the remote computer, or a dedicated VPN
device (hardware client), to enable full routed IP access to internal resources.


IOS ISR techniques to provide resource and application access:


■ URL and Common Internet File System (CIFS) file access: When the client browser establishes
the SSL session and the user is authenticated, the gateway can present a page with resource
bookmarks. These allow the user to access preconfigured web pages or file shares. The user can
also enter the address of a resource and access it that way, if it is within the user’s permissions.
■ Port forwarding: Provides access to TCP-based applications by mapping application-specific
ports on the remote computer to application-specific ports on the internal servers. Port
forwarding requires that a Java applet be downloaded to the client. This applet listens on ports
on the client machine and forwards the connections to the gateway.

SSL & TLS History


The SSL protocol was developed by Netscape in 1994 to protect web transactions.
Netscape developed SSL until version 3.0. In 1999, the IETF adopted SSL and called it
Transport Layer Security (TLS). TLS 1.0 is also known as SSL version 3.1, because its version
number on the wire is 3.1.

Secure Socket Layer (SSL) evolution:


- SSL 1.0 (never released publicly)
- SSL 2.0
- SSL 3.0
- TLS 1.0 (SSL 3.1)
- TLS 1.1 and TLS 1.2, the newest versions when this was written (2015). TLS 1.3 has since
been published (2018); SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are deprecated and should be
disabled on any gateway.

SSL/TLS runs on top of the OSI transport layer (TCP). Example application protocols
protected by SSL/TLS are HTTP, SMTP, IMAP and POP3.
SSL/TLS provides endpoint authentication for the server (and optionally the client), data
encryption to ensure confidentiality, and message authentication to ensure data integrity. This
protects traffic as it flows over public networks such as the Internet.

SSL VPN Types


• Clientless SSL VPN (Web VPN)
• Thin client SSL VPN (port forwarding)
• SSL VPN Client (SVC, full tunnel mode)

• Clientless - Clientless mode provides secure access to private web resources and web content.
This mode is useful for accessing most content that you would expect to access in a web
browser, such as Internet access, web-based intranets, webmail, etc.

• Thin Client (port-forwarding Java applet) - Thin client mode extends the cryptographic
functions of the web browser to enable remote access to TCP-based applications such as Post
Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message
Access Protocol (IMAP), Telnet and Secure Shell (SSH).

• Tunnel Mode (AnyConnect Secure Mobility Client) - Full tunnel client mode offers extensive
application support through the dynamically downloaded Cisco AnyConnect VPN Client (the
next-generation SSL VPN Client). Full tunnel client mode delivers a lightweight, centrally
configured and easy-to-support SSL VPN tunneling client that provides network-layer access to
virtually any application.


What Happens between the Web Browser and Server?


1. The browser connects to a web site secured with SSL/TLS and sends a ClientHello that
lists the protocol versions and cipher suites it supports.
2. The server chooses the parameters and sends the browser its SSL certificate (ServerHello).
3. The browser checks whether it trusts the certificate: the chain must lead to a trusted CA,
the name must match the site, and the certificate must be within its validity period. If so,
the browser performs the key exchange (for example, it sends a pre-master secret encrypted
with the server’s public key).
4. Both sides derive the session keys and exchange Finished messages, each a MAC over the
whole handshake, so that any tampering with the negotiation is detected.
5. Application data is exchanged encrypted and integrity-protected between the browser and
the server.

SSL & TLS working Phases


Both the SSL and TLS protocols work in two phases:
■ Session establishment phase: When the negotiation of parameters and peer authentication
takes place.
■ Data transfer phase: User data is exchanged securely between encapsulating endpoints.

Both phases take place inside the SSL/TLS Record Protocol.

Session Establishment phase


Three sub-phases comprise the session establishment phase:
■ In sub-phase 1, hello messages are exchanged to negotiate parameters including the
protocol version and the authentication and encryption algorithms (the cipher suite).
■ In sub-phase 2, one-way or two-way authentication between the client and server is
performed. Unlike most authentication solutions where server authentication is optional, with
HTTP and SSL it is client authentication that is optional. With RSA key exchange, a pre-master
secret is also sent by the client, encrypted with the public key of the server, to start
protecting the session.
■ In sub-phase 3, the session keys are derived from the pre-master secret and both random
values, and the cipher suite is activated. Data integrity is provided by Hash-based Message
Authentication Code (HMAC) using either Secure Hash Algorithm 1 (SHA-1) or Message Digest 5
(MD5). Confidentiality is provided by DES-40, DES-CBC, 3DES-EDE, 3DES-CBC, RC4-40, or RC4-128.
These are the SSL 3.0-era suites: DES-40, RC4 and MD5 are broken or deprecated and should be
disabled on the gateway; TLS 1.2 adds AES (including AES-GCM) with SHA-256.

Session keys are created using one of the following recommended ways:
■ RSA, where a shared secret is encrypted using the public key of the other peer.
■ A fixed Diffie-Hellman (DH) key exchange, which uses a fixed DH value contained in a
certificate.
■ An ephemeral DH key exchange, which is based on a fresh DH value signed with the private
key of the sender. This provides the best protection (forward secrecy) because each session
has a different set of keys, so a later compromise of the server’s private key does not
expose recorded sessions.
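To make the hello negotiation concrete, here is an added example in Python (not code from the original document or from Cisco): it serialises a TLS ClientHello record, parses it back out the way a gateway or an IDS would before any key is agreed, and audits what the client offered, flagging the obsolete suites named above (DES-40, RC4, MD5, 3DES) and the absence of an ephemeral (forward-secret) key exchange. The sample hellos and the host name sslvpn.cbtme.com are constructed for the demonstration; the cipher-suite numbers are the IANA registry values.

```python
import struct

# IANA TLS cipher-suite codes for the suites discussed above, plus a few modern ones.
CIPHER_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x0000


def build_client_hello(version, suites, server_name=None, client_random=b"\x00" * 32):
    """Serialise a ClientHello (the sub-phase 1 'hello' message) inside a TLS record."""
    body = struct.pack("!H", version) + client_random
    body += b"\x00"                                   # empty session_id: a new session
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    if server_name is not None:                       # SNI extension (RFC 6066)
        host = server_name.encode()
        name_list = b"\x00" + struct.pack("!H", len(host)) + host
        ext_data = struct.pack("!H", len(name_list)) + name_list
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Decode the ClientHello fields that are visible in clear before any key is agreed."""
    ctype, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                         # client random
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # compression methods
    server_name = None
    if pos < len(body):                               # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5:
                name_len = struct.unpack("!H", edata[3:5])[0]
                server_name = edata[5:5 + name_len].decode()
    return {"record_version": rec_version, "client_version": client_version,
            "session_id": session_id, "cipher_suites": suites, "server_name": server_name}


def audit_client_hello(hello):
    """Policy checks a gateway operator wants: version, obsolete suites, forward secrecy."""
    findings = []
    if hello["client_version"] < 0x0303:
        findings.append("highest offered version is %s; expect TLS 1.2 or later"
                        % VERSIONS.get(hello["client_version"], hex(hello["client_version"])))
    names = [CIPHER_SUITES.get(s, "0x%04X" % s) for s in hello["cipher_suites"]]
    # "DES" also matches 3DES on purpose: both are deprecated (Sweet32).
    weak = [n for n in names if any(t in n for t in ("EXPORT", "RC4", "DES", "MD5", "NULL", "anon"))]
    if weak:
        findings.append("obsolete suites offered: " + ", ".join(weak))
    if not any("DHE_" in n for n in names):
        findings.append("no ephemeral (DHE/ECDHE) suite offered: sessions lack forward secrecy")
    return findings


if __name__ == "__main__":
    # Constructed sample: a legacy client offering the SSL 3.0-era suites listed in the text.
    legacy = build_client_hello(0x0301, [0x0004, 0x0003, 0x0008, 0x000A], "sslvpn.cbtme.com")
    for line in audit_client_hello(parse_client_hello(legacy)):
        print("legacy client:", line)
    modern = build_client_hello(0x0303, [0xC030, 0xC02F, 0x009C], "sslvpn.cbtme.com")
    print("modern client findings:", audit_client_hello(parse_client_hello(modern)))
```

The same parser can be pointed at the first record of a captured TCP stream to see which suites a given AnyConnect or browser version really offers, which is the input you need before tightening the gateway’s cipher list.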

Data transfer phase


After the session keys are exchanged, SSL and TLS transmit data that is encapsulated inside an
SSL- or TLS-encrypted envelope. This is the data transfer phase of the SSL/TLS protocols.

Each SSL session has a session ID that is exchanged during the authentication process. It
differentiates between new and old sessions because sometimes old session IDs might be
cached.


SSL can resume a session even if the TCP communication is interrupted. The client can request
that the server resume an existing SSL session. The server will resume the SSL session if the
server still has the session ID in its cache.

Tunnel Group selection (incoming SSL connections on the ASA):


• Group URL (the URL the user browses to, e.g. https://gateway/SSL_VPN)
• Group Alias (the entry the user picks from the login page drop-down; requires
tunnel-group-list enable)
• Certificate Maps (fields of the client certificate mapped to a tunnel group)
• Per-user (group-lock restricts a user to one specific tunnel group)

If nothing was matched then:


- DefaultWEBVPNGroup will be selected for an SSL connection (clientless or AnyConnect over SSL)
- DefaultRAGroup will be chosen for an IPsec (IKEv1/IKEv2) remote-access connection

Group-policy attributes that are not set explicitly are inherited from the default group policy
(DfltGrpPolicy).

Lab 1 Configuring Clientless SSL VPN

Basic Configuration

R1
ip domain-name cbtme.com
int f0/0
ip add 10.1.12.1 255.255.255.0
int f1/0
ip add 192.168.159.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.12.2

R2
ip domain-name cbtme.com
int f0/0
ip add 10.1.12.2 255.255.255.0
int f1/0
ip add 10.1.24.2 255.255.255.0

R3 Internal Network
ip domain-name cbtme.com
int f0/0
ip add 10.1.24.4 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.24.2

Lab Tasks
• R3 will be the HTTP server with a local administrator account (admin/admin123)
• R2 will be the SSL VPN Clientless Server
• R2 will use a self-signed SSL certificate for authentication and data security, as follows:
  • Organization: cbtme.com
  • State: CA, Country: US
  • No IP address and no serial number should be included in the certificate
  • RSA key name: MY-KEYS, RSA key length: 1024 bits (as the lab specifies; 2048 bits is the
    minimum to use outside a lab)
• R2 should accept HTTP connections on its f0/0 interface and redirect them to the SSL
default port.
• R2 should allow remote users to access the R3 web server after successful authentication
against the local user database on R2.
• Username will be student1, password cisco123
• This user should see a URL named “R3-Config” located under the “Device Configuration”
section.
• A remote user connected to the Web VPN should not be able to enter custom URLs or see
the “real” URLs when connecting to R3.
• A maximum of 10 users should be able to use this connection method at one time.


Note:
All the client needs is a web browser (Internet Explorer, Firefox, etc.).
The user connects to the IP address of your IOS router and authenticates on the web page
presented to him.
This authentication can be against the local user database configured on the router itself or
against a remote database (via an ACS or LDAP server).
After successful authentication, the user has access to the portal where he/she can see links
to corporate resources. Those resources can be, for example, files on a remote server or other
services available through the web browser (such as web-accessible management software or
applications). The user can also surf the Internet via this gateway, in which case the gateway
is the source of that traffic; restrict it with a webvpn acl if that is not intended.

R2 (SSL VPN Clientless Server)


The original document highlights the commands applied in this lab in yellow. In this text
version, the commands applied are those in the blocks introduced as R2 and R3 below; the blocks
introduced with “Example:” come from a separate sample configuration (a context named
Cisco-WebVPN) and are shown only to explain what the commands do.

1-Configure SSL Self-signed Certificate and Enable Web Services

aaa new-model
aaa authentication login AUTH-LOCAL local
ip http server
ip http secure-server

crypto ca trustpoint SELF-CA
rsakeypair MY-KEYS 1024
subject-name O=cbtme.com, ST=CA,C=US
ip-address none
enrollment selfsigned
serial-number none
exit
crypto ca enroll SELF-CA

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
Generate Self Signed Router Certificate? [yes/no]: yes

The 1024-bit modulus is what the lab asks for; on a production gateway generate the key with
2048 bits or more, since 1024-bit RSA is no longer considered adequate.

2-Configure and Enable Web VPN Gateway

The Web VPN Virtual Gateway enables the interface or IP address and port number to which the
Web VPN service will ‘listen’ for incoming connections and also determines the encryption that
will be used.

webvpn gateway SSL-GATEWAY
ip address 10.1.12.2 port 443
http-redirect port 80
ssl trustpoint SELF-CA
inservice
exit


3-Configure and Enable SSL VPN Context

Wait a minute, what is a Context?


The SSL VPN context is used to configure a number of parameters for our Web VPN server; these
include:
• The gateway and domain associated with it
• The AAA user authentication method
• The group policy associated with it
• The remote user portal (web page)
• The limit on the number of WebVPN SSL user sessions
Most of these parameters are configured in our group policy. This group policy is then set as the
default group policy for our Web SSL VPN.

Example (from the separate sample configuration, not this lab):
webvpn context Cisco-WebVPN
title "Firewall.cx WebVPN - Powered By Cisco"
!
acl "ssl-acl"
permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0
login-message "Cisco Secure WebVPN"
!
policy group webvpnpolicy
functions svc-required
functions svc-enabled
filter tunnel ssl-acl
svc address-pool "webvpn-pool" netmask 255.255.255.0
svc rekey method new-tunnel
svc split include 192.168.9.0 255.255.255.0

Let’s explain what all the above commands do:

• The webvpn context command creates a context, which we have named Cisco-WebVPN.
• The title command sets the text that will be displayed as the web browser’s page title and at
the top of the login screen.
• The acl “ssl-acl” command configures the access list for this context. It governs what the
web VPN users will have access to. We have given our WebVPN users full access to the
192.168.9.0 network.

Our WebVPN users’ IP addresses have already been defined in the webvpn-pool (192.168.9.80 to
192.168.9.85).
Instead of typing each IP address within that range into our ACL we simply configure the
router to allow the 192.168.9.0 network as source and destination in our VPN tunnel.
This ensures any IP in the 192.168.9.0 range assigned to our VPN clients will have access to our
LAN (192.168.9.0).
• The login-message command defines the text that will be shown in the login section of the
WebVPN web page.


Since our webvpn pool is part of the same network, we simply set the 192.168.9.0 network as the
source and destination IP address.

Next, we define a group policy.


The group policy configures a number of important parameters. We named our group policy
webvpnpolicy.

• The functions svc-enabled and svc-required commands ensure tunnel mode is enabled and
required. The combination of these two commands forces the VPN user’s PC to start
downloading the AnyConnect software client as soon as the user authenticates successfully.
This is called tunnel-mode operation.
Alternatively, without the svc-required command, a web page is presented from which the
user can directly launch any configured web service in our WebVPN portal or selectively initiate
tunnel mode and start downloading the AnyConnect software client.
Note: The acronym SVC stands for SSL VPN Client.

webvpn context SSL-CONTEXT
aaa authentication list AUTH-LOCAL
gateway SSL-GATEWAY
max-users 10
url-list Device-Configuration
heading "Device Configuration"
url-text R3-Config url-value http://10.1.24.4
exit

policy group SSL-POLICY
mask-urls
hide-url-bar
url-list Device-Configuration
exit

4-Configure Default Group Policy, Authentication List and Final Parameters

Now we will configure the policy we just created as the default policy, set the aaa
authentication list (sslvpn) to be used for user authentication and maximum users for the
service. Finally, we enable our webvpn context:

Example (from the separate sample configuration, not this lab):

default-group-policy webvpnpolicy
aaa authentication list sslvpn
gateway Cisco-WebVPN-Gateway
max-users 2
ssl authenticate verify all
url-list "rewrite"
inservice


• The ssl authenticate verify all command enables SSL certificate verification for backend
server connections. While we are not using any such backend services, it is a good
option to always have enabled.

default-group-policy SSL-POLICY
inservice
exit

username student1 password cisco123

The lab uses the password keyword, which stores the password in cleartext (or as a reversible
type 7 string with service password-encryption). On a real gateway use
username student1 secret cisco123 instead, which stores a salted hash.

ip route 192.168.159.0 255.255.255.0 10.1.12.1

R3
ip http server
ip http authentication local
username admin privilege 15 password admin123
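Added example, not part of the original lab: a small Python audit that reads an IOS SSL VPN configuration as text and flags the settings a reviewer would query in the configuration above, namely the 1024-bit key, the username ... password line, a missing http-redirect, a gateway without a trustpoint, and a context without max-users or hide-url-bar. The sample text is the R2 configuration from this lab reproduced as a string; the 2048-bit threshold and the hardened() helper are this example’s own choices.

```python
import re

# Constructed sample: the R2 (SSL VPN gateway) configuration from Lab 1 above, as one text.
LAB1_R2_CONFIG = """\
aaa new-model
aaa authentication login AUTH-LOCAL local
ip http server
ip http secure-server
crypto ca trustpoint SELF-CA
 rsakeypair MY-KEYS 1024
 subject-name O=cbtme.com, ST=CA,C=US
 enrollment selfsigned
webvpn gateway SSL-GATEWAY
 ip address 10.1.12.2 port 443
 http-redirect port 80
 ssl trustpoint SELF-CA
 inservice
webvpn context SSL-CONTEXT
 aaa authentication list AUTH-LOCAL
 gateway SSL-GATEWAY
 max-users 10
 policy group SSL-POLICY
  mask-urls
  hide-url-bar
 default-group-policy SSL-POLICY
 inservice
username student1 password cisco123
"""

_BLOCK = r"^{kw} (\S+)\n((?:[ ].*\n)*)"   # a top-level command followed by its indented sub-lines


def _blocks(config, keyword):
    """Yield (name, body) for every 'keyword name' section, e.g. each 'webvpn gateway'."""
    for m in re.finditer(_BLOCK.format(kw=re.escape(keyword)), config, re.M):
        yield m.group(1), m.group(2)


def audit_ios_sslvpn(config, min_rsa_bits=2048):
    """Return a list of findings for an IOS SSL VPN configuration text."""
    findings = []
    for m in re.finditer(r"^\s*rsakeypair\s+(\S+)\s+(\d+)", config, re.M):
        if int(m.group(2)) < min_rsa_bits:
            findings.append(f"RSA keypair {m.group(1)} is {m.group(2)} bits; use at least {min_rsa_bits}")
    for m in re.finditer(r"^username\s+(\S+)\s+(?:privilege\s+\d+\s+)?password\s", config, re.M):
        findings.append(f"user {m.group(1)} uses 'password' (reversible type 0/7); use 'secret'")
    if re.search(r"^ip http server\s*$", config, re.M) and "http-redirect" not in config:
        findings.append("ip http server is on but nothing redirects port 80 to HTTPS")
    for name, body in _blocks(config, "webvpn gateway"):
        if "ssl trustpoint" not in body:
            findings.append(f"gateway {name} binds no trustpoint (ssl trustpoint)")
    for name, body in _blocks(config, "webvpn context"):
        if not re.search(r"^\s*max-users\s+\d+", body, re.M):
            findings.append(f"context {name} sets no max-users; concurrent sessions are unbounded")
        if "hide-url-bar" not in body:
            findings.append(f"context {name} shows the URL bar; users can reach any URL the gateway "
                            "can unless a webvpn acl restricts them")
    return findings


def hardened(config):
    """Apply the two fixes the audit asks for on the lab config (demonstration only)."""
    return re.sub(r"(rsakeypair \S+) 1024", r"\1 2048",
                  re.sub(r"^(username \S+(?: privilege \d+)?) password", r"\1 secret", config, flags=re.M))


if __name__ == "__main__":
    for f in audit_ios_sslvpn(LAB1_R2_CONFIG):
        print("FINDING:", f)
    print("after hardening:", audit_ios_sslvpn(hardened(LAB1_R2_CONFIG)))
```

Run it against the output of show running-config on the gateway; the checks are deliberately line-oriented so they survive the indentation and ordering IOS uses when it prints the configuration back.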

Verification

Make sure the PC has IP address 192.168.159.51 and its default gateway is R1
(192.168.159.10):
C:\Documents and Settings\xpuser1>ping 192.168.159.10
Should be 100% successful.

Now run a web browser and type in the address bar: http://10.1.12.2. The gateway redirects
to HTTPS and the SSL certificate warning window appears, because the certificate is
self-signed. Click Yes to accept it. This is acceptable in the lab only; in production the
gateway certificate should be issued by a CA the clients trust, otherwise users are trained
to click through warnings and cannot tell the real gateway from an impostor.


Web VPN website should be loaded. Use your credentials to log in (student1 account)


After successful login you should see the configured bookmark. Click on R3-Config to connect to
R3’s web management GUI.

As R3’s management interface requires admin privileges, log in using the administrator
(privilege 15) account.


Don’t delete the configuration; we will need it to complete the remaining labs (Lab 2, Lab 3).


Lab 2 Configuring Thin Client (Port Forwarding) SSL VPN

Add the Thin Client Web VPN option to the previous configuration so that authenticated users
will be forwarded to R3 when connecting to their local ports:

Local Port   Remote Port (on R3)   Description
2200         22                    SSH to R3
2300         23                    TELNET to R3

The Java plugin must run automatically after the user’s logon.

Using SSL VPN we can access corporate resources in a secure way. However, in the previous task
we configured basic access to an “application” accessed by the web browser.
What if we have an application installed on our local system which must connect to ports
other than HTTP/HTTPS? Such an application must be “tunneled” somehow through our SSL VPN.
This can be done using a feature called Port Forwarding, available in SSL VPN through a Java
plug-in that runs in the web browser. Its main advantage is that the user does not need
administrative privileges on the system to run the plug-in.
We will use two applications to show how it works: a TELNET and an SSH client.

R2
We need to add the Port Forwarding feature to our context. This is configured by defining a
“container” (list) for our applications. The feature runs a Java plug-in on the client that
starts listening on a local port on the loopback address 127.0.0.1. Connections to that port
are relayed by the plug-in through the SSL session to the gateway, which connects to the
real IP/port on the corporate network.

webvpn context SSL-CONTEXT
port-forward Applications-List
local-port 2200 remote-server 10.1.24.4 remote-port 22 description "SSH on R3"
local-port 2300 remote-server 10.1.24.4 remote-port 23 description "TELNET on R3"
exit

Configuring the Port Forward application list is not enough. We need to enable it by associating
it with our Policy. The policy is already associated with the context. We can specify the JAVA
plug-in behavior – it may run automatically when client gets access to the portal or may be run
manually.

webvpn context SSL-CONTEXT
policy group SSL-POLICY
port-forward Applications-List auto-download
exit
exit


R3
crypto key generate rsa modulus 1024
line vty 0 4
login local

Generating the RSA key is what enables the SSH server on R3 (ip domain-name was set earlier).
1024 bits is what the lab uses; generate a 2048-bit key on a real device.

Verification
From the PC, open your web browser and type http://10.1.12.2, then click Yes to accept the
certificate.

After successful login you should see the configured bookmark, and the Port Forwarding Java
applet should start automatically. Depending on your browser’s security level, you may have to
accept some security warnings about running an unsigned applet.


You may need to install the Java runtime (jre-8u51-windows-i586) and then connect again.

Telnet using your favorite terminal software to the IP address 127.0.0.1 and port 2300. You
should be tunneled to R3. Note that the source IP address of this connection, as seen by R3, is
R2’s inside interface (10.1.24.2), not the user’s PC: R3’s logs cannot identify the remote user
on their own and must be correlated with the session records on R2. Do the same for an SSH
connection to 127.0.0.1 port 2200.
Check the Java applet window and see that there are packets tunneled for both connections.


Lab 3 Configuring SVC Full Tunnel mode SSL VPN (SSL VPN Client)

Configure the full SSL VPN client on the R2 router. The user should be able to manually start
the tunnel connection after successful authentication to the WebVPN portal.
The SSL VPN Client package (sslclient-win-1.1.4.176.pkg) is located in flash memory.
The user’s workstation should get an IP address from the pool 192.168.2.10 – 192.168.2.60.
After the tunnel is set up, the user should be able to connect to R3’s F0/0 interface using SSH
and TELNET natively. The rest of the user’s traffic should be sent out without any encryption
(split tunneling).

Now, what if we have an application which has its server’s IP address embedded in the code?
That application must connect directly to its server. To make that happen we need the full
SSL client software installed on the client’s machine. To install this software the client
must have administrative privileges on the system.

We also need the full client software (called SVC, the SSL VPN Client) installed on the router
to make it available to the client for download. Hence, this is called Full Client mode or
Tunnel Mode.
The SVC works similarly to the IPsec client, but the SVC uses SSL for securing the connection.

R2
The SVC software image must already be in flash.
To use it with SSL VPN we must install it first.

webvpn install svc flash:sslclient-win-1.1.4.176.pkg

This ACL specifies what traffic will be allowed through the tunnel once it is established. This is
not the split-tunnel list! It is a filter applied to the tunnel to make only certain services
(here SSH and Telnet to R3) available to the client; anything else arriving through the tunnel
is dropped by the implicit deny.

ip access-list extended SSL-VPN-ACL
permit tcp 192.168.2.0 0.0.0.255 host 10.1.24.4 eq telnet
permit tcp 192.168.2.0 0.0.0.255 host 10.1.24.4 eq 22
exit

This is the pool of IP addresses for clients. Just as with the IPsec client, the full client
software must get an IP address to use for the duration of the connection.

ip local pool SSL-VPN-POOL 192.168.2.10 192.168.2.60


The tunnel filter must be configured under the policy group, as must the split-tunnel list,
which is given directly as a network and mask rather than as an ACL. Only 10.1.24.0/24 goes
through the tunnel; everything else leaves the PC unencrypted, as the task requires.

webvpn context SSL-CONTEXT
policy group SSL-POLICY
filter tunnel SSL-VPN-ACL
svc split include 10.1.24.0 255.255.255.0

We also need to enable the SVC in the policy and specify the IP address pool to be given out to
clients.

functions svc-enabled
svc address-pool SSL-VPN-POOL
exit
exit

Verification
From the PC, open a web browser and type http://10.1.12.2, then click Yes to accept the
certificate.
Log in with user student1. After a successful login you should see the Tunnel Connection (SVC)
available. Click the Start button.


Allow the ActiveX applet to run in your web browser and install it.

You must have administrator rights to be able to install the applet.

After successful installation, the SSL VPN Client runs and establishes the tunnel.


Lab 4 Configuring ASA SSL VPN

Basic Configuration
R1
int e0/0
ip add 10.1.1.1 255.255.255.0
int e0/1
ip add 192.168.160.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.100

R2
int e0/0
ip add 10.2.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.2.2.100

ip http server
ip http authentication local
username admin priv 15 pass cisco123
line vty 0 4
login local

ASA
int e0
nameif outside
ip add 10.1.1.100 255.255.255.0
no sh
int e1
nameif inside
ip add 10.2.2.100 255.255.255.0
no sh
route outside 192.168.160.0 255.255.255.0 10.1.1.1


Lab Tasks
• Configure the ASA to support SSL VPN for remote users (Windows XP) connected to R1
• Make sure you manually create the ASA self-signed certificate to be used in the SSL connection
• The ASA should allow remote users to access R2’s HTTP server after successful
authentication against the local user database on the ASA.
• The user named “yasser” with password “cisco123” should be able to enter a custom URL to
go to R2.
• R2 should have HTTP enabled with username “admin” and password “cisco123”
• Remote users should use the following custom URL: https://10.1.1.100/SSL_VPN

Notice that in the following ASA SSL VPN commands we no longer need the concept of
gateways and contexts that we used with SSL VPN on IOS routers.
All ASA SSL VPN configuration is done in webvpn mode (globally, and under the group policy
and the tunnel group).

ASA
domain-name cbtme.com

crypto key gen rsa label SSLVPNKEYPAIR

crypto ca trustpoint MYTPOINT
enrollment self
fqdn ASA.cbtme.com
subject-name CN=ASA.cbtme.com
keypair SSLVPNKEYPAIR

crypto ca enroll MYTPOINT noconfirm

ssl trust-point MYTPOINT outside

username yasser pass cisco123

webvpn
enable outside

group-policy MYPOLICY internal

group-policy MYPOLICY attributes
vpn-tunnel-protocol webvpn
exit

tunnel-group RA_TNL_GROUP type remote-access

tunnel-group RA_TNL_GROUP general-attributes
default-group-policy MYPOLICY

tunnel-group RA_TNL_GROUP webvpn-attributes
group-alias SSL_VPN enable
group-url https://10.1.1.100/SSL_VPN enable
exit

username yasser attributes
vpn-group-policy MYPOLICY
exit

Three details worth checking: the interface name on ssl trust-point must match the nameif
exactly (outside, lower case); crypto key gen rsa without a modulus uses the platform default
(1024 bits on older ASA software), so specify modulus 2048 explicitly on a real device; and on
ASA 8.4 and later the vpn-tunnel-protocol keyword for clientless access is ssl-clientless
instead of webvpn.

Verification

Now from the Windows XP browser go to https://10.1.1.100/SSL_VPN, accept the certificate,
and log in with username yasser, password cisco123 (usernames are case-sensitive).

If the login is refused with a message about the license (the original shows a screenshot
here), the cause is that the ASA is running with the AnyConnect Essentials license enabled,
which does not support clientless SSL VPN.


Remember there are 2 types of SSL VPN license:

1) AnyConnect Essentials license - only supports AnyConnect client connections

2) AnyConnect Premium license (user-based license) - supports all flavours of SSL VPN, including
clientless SSL VPN, the AnyConnect client VPN, and all the advanced features of SSL VPN.

You can’t have both the AnyConnect Essentials license and the AnyConnect Premium license
enabled on the same ASA. It is one or the other.

Here is the command to disable AnyConnect Essentials:

webvpn
no anyconnect-essentials

Now you should log in successfully. In the portal’s address bar, enter the R2 IP address
10.2.2.2.


You will be asked for a username and password; these are the ones we created on R2, so enter
“admin” and password “cisco123”.

Once you click Continue you will be logged in to R2.


ASA# sh webvpn statistics
Total number of objects served 2
html 1
js 0
css 0
vb 0
java archive 0
java class 0
image 0
undetermined 1

ASA# sh crypto protocol statistics ssl
[SSL statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0

ASA# sh vpn-sessiondb detail
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
Clientless VPN : 1: 2: 1
Browser : 1: 2: 1
---------------------------------------------------------------------------
Total Active and Inactive : 1 Total Cumulative : 2
Device Total VPN Capacity : 0
Device Load : 0%
***!! WARNING: Platform capacity exceeded !!***
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
Clientless : 1: 2: 1
---------------------------------------------------------------------------
Totals : 1: 2


ASA# sh vpn-sessiondb webvpn

Session Type: WebVPN

Username : yasser Index : 3
Public IP : 192.168.160.51
Protocol : Clientless
License : AnyConnect Premium
Encryption : RC4 Hashing : SHA1
Bytes Tx : 2804 Bytes Rx : 9251
Group Policy : MYPOLICY Tunnel Group : RA_TNL_GROUP
Login Time : 00:07:14 UTC Thu Sep 24 2015
Duration : 0h:00m:26s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

Note that we are using Clientless mode. The default tunnel group for this kind of connection
would have been DefaultWEBVPNGroup, but the session landed in RA_TNL_GROUP because the
group-url matched; the user “yasser” also has the group policy MYPOLICY attached to his
profile. Note too that the session negotiated RC4 with SHA1: that is the default cipher list at
this software level and should be restricted to AES suites (ssl encryption on older releases,
ssl cipher on 9.3 and later).

Lab Tasks 2

• Add the Port Forwarding feature to the previous configuration so that authenticated users
will be forwarded to the R2 router when connecting to their local ports:

Local Port   Remote Port   Description
2200         22            SSH to R2
2300         23            TELNET to R2

• Allow the user to run the “telnet.exe” application natively (directly connecting to R2’s real
IP address).
• Disable file browsing over the network.

The same Port Forwarding feature is available on the ASA. However, the ASA also offers another
feature called Smart Tunneling, which “certifies” an application to be able to tunnel traffic
through the SSL VPN no matter what IP address or port the traffic is destined to.

webvpn
port-forward devices 2200 10.2.2.2 22 SSH to R2
port-forward devices 2300 10.2.2.2 23 TELNET to R2

The syntax is port-forward list-name local-port remote-server remote-port description; the
remote port (22 and 23 here) must be given.

Configuration of Port Forwarding and Smart Tunneling is performed under “webvpn” mode.
However, both features must be enabled under Group Policy to be accessible to the user.


smart-tunnel list Applications TELNET "telnet.exe"

(devices, Applications and TELNET are just the names we gave to the lists and the entry.) The
command also accepts an optional SHA-1 hash of the executable; without it, any program named
telnet.exe qualifies for the tunnel.

The Smart Tunnel feature is a replacement for the legacy Port Forwarding. Instead of relying
on the statically configured port-forwarding rules implemented in a Java applet, the
technology implements transparent TCP proxy for applications written using Winsock2 library.
A special application is pushed down to the client and used as an application wrapper. This
wrapper intercepts TCP library calls and redirects them across the ASA firewall as through a
proxy. The operations are completely transparent to the end-user application, which is not
aware of any additional security proxy in the path.

group-policy MYPOLICY attributes
webvpn
smart-tunnel enable Applications
port-forward enable devices
file-entry disable
file-browsing disable
exit
exit

In the above commands we enable Port Forwarding and Smart Tunneling. We also disable file
browsing on the network.

Verification

Now from the Windows XP browser go to https://10.1.1.100/SSL_VPN, accept the certificate,
and log in with username yasser, password cisco123.
Then click Application Access in the left panel.
Then click the Start Applications button to run the Java-based Port Forwarding.
A new window will pop up; this is your Java applet running and listening on the specified
ports.


You can connect to R2 using your favorite terminal software such as PuTTY.
Use the local loopback IP address (127.0.0.1) and port 2300 to be forwarded to R2 on
port 23.


Lab 5 ASA SSL VPN with any connect

R2
int e0/0
ip add 10.2.2.2 255.255.255.0
int loop 0
ip add 2.2.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.2.2.100

R3
int e0/0
ip add 10.3.3.3 255.255.255.0
int loop 0
ip add 3.3.3.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.3.3.100

ASA
int e0
nameif outside
ip add 10.2.2.100 255.255.255.0
no sh
int e1
nameif inside
ip add 10.3.3.100 255.255.255.0
no sh
route outside 2.2.2.0 255.255.255.0 10.2.2.2
route inside 3.3.3.0 255.255.255.0 10.3.3.3


Lab Tasks
• Configure AnyConnect 3.0 on the ASA so that it is possible to log in on the portal and
download the AnyConnect client.
• The user should be able to set up a full DTLS tunnel, authenticating to the group CCIE
with username/password ccie/ccie123.
• Give the client an IP address from the pool 192.168.15.1 – 254.

ASA
webvpn
enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg
anyconnect enable
exit
username ccie password ccie123
ip local pool VPN-POOL 192.168.15.1-192.168.15.254
group-policy CCIE internal
group-policy CCIE attributes
vpn-tunnel-protocol ssl-client ssl-clientless
address-pools value VPN-POOL
exit
tunnel-group CCIE type remote-access
tunnel-group CCIE general-attributes
default-group-policy CCIE
exit
tunnel-group CCIE webvpn-attributes
group-alias CCIE enable
exit
webvpn
tunnel-group-list enable
exit

The group-alias must be enabled and tunnel-group-list enable must be set for the CCIE entry to
appear in the group drop-down on the portal and in the AnyConnect client.

Go to the portal at https://10.2.2.100, accept the certificate and authenticate to the group
CCIE. Click the AnyConnect link to download the client.

If you have already downloaded it, just open it, enter 10.2.2.100, click Connect, then provide
a username and password for the CCIE group and hit OK.
Try to ping an IP address behind the ASA (for example R3’s 10.3.3.3 or 3.3.3.3).

Good Luck
CCIE & CCSI: Yasser Auda
https://www.facebook.com/YasserRamzyAuda
https://learningnetwork.cisco.com/people/yasserramzy/content
https://www.youtube.com/user/yasserramzyauda

