SSL VPN For CLN
Access to corporate resources can be provided to remote users even when the remote
device is not managed nor is there any VPN client software. Clientless deployments
require that the user open a web browser, which acts as the VPN client, and the VPN
gateway (server) acts as a proxy device to the internal resources.
Remote users use their web browser to establish an SSL/TLS session with the Cisco ISR.
After successful mutual authentication, the Cisco ISR will apply a set of authorization
and accounting rules to the user’s session and the user is presented with a web portal.
Clientless SSL VPNs do not provide full network access like the full tunneling VPNs (Easy
VPN). Full tunneling VPNs require VPN client software to be installed on the remote computer,
or dedicated VPN devices (hardware clients), to enable full routed IP access to internal resources.
1
CCIE Security SSL VPN IOS & ASA CCIE & CCSI : Yasser Ramzy Auda
SSL/TLS runs on top of the OSI transport layer. Example application protocols
protected by SSL/TLS are HTTP, SMTP, IMAP and POP3.
SSL/TLS provides endpoint authentication for the client and the server, data encryption to
ensure confidentiality, and data integrity/authentication to ensure data integrity. This protects
traffic as it flows over public networks such as the Internet.
• Clientless - Clientless mode provides secure access to private web resources and web
content. This mode is useful for accessing most content that you would expect to access in a
web browser, such as Internet access, web-based intranets, webmail, etc.
• Thin Client (port-forwarding Java applet) - Thin client mode extends the cryptographic
functions of the web browser to enable remote access to TCP-based applications such as
Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet
Message Access Protocol (IMAP), Telnet and Secure Shell (SSH).
• Tunnel Mode (AnyConnect Secure Mobility Client) - Full tunnel client mode offers extensive
application support through its dynamically downloaded Cisco AnyConnect VPN Client
(next-generation SSL VPN client). Full tunnel client mode delivers a lightweight, centrally
configured and easy-to-support SSL VPN tunneling client that provides network-layer access to
virtually any application.
Session keys are created using one of the following recommended ways:
■ RSA, where a shared secret is encrypted using the public key of the other peer.
■ A fixed Diffie-Hellman (DH) key exchange, which uses a fixed DH value contained in a
certificate.
■ An ephemeral DH key exchange, which is based on the actual DH value signed with the private
key of the sender. This provides the best protection because each session will have a different
set of keys.
Each SSL session has a session ID that is exchanged during the authentication process. It
differentiates between new and old sessions because sometimes old session IDs might be
cached.
SSL can resume a session even if the TCP communication is interrupted. The client can request
that the server resume an existing SSL session. The server will resume the SSL session if the
server still has the session ID in its cache.
Basic Configuration
R1
ip domain-name cbtme.com
int f0/0
ip add 10.1.12.1 255.255.255.0
int f1/0
ip add 192.168.159.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.12.2
R2
ip domain-name cbtme.com
int f0/0
ip add 10.1.12.2 255.255.255.0
int f1/0
ip add 10.1.24.2 255.255.255.0
R3 Internal Network
ip domain-name cbtme.com
int f0/0
ip add 10.1.24.4 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.24.2
Lab Tasks
R3 will be HTTP server with local administrator account (admin/admin123)
R2 will be SSL VPN Clientless Server
R2 will use self-signed SSL certificate for authentication and data security as the
following :
Organization: cbtme.com
State: CA , Country: US
No IP address and serial number should be included in the certification
RSA Keys name: MY-KEYS , RSA Keys length: 1024 bits
R2 should accept HTTP connections on its f0/0 interface and redirect them to SSL
default port.
R2 should allow remote users accessing R3 web server after successful authentication
using local user database located on R2.
Username will be student1, password cisco123.
This user should see a URL named “R4-Config” located under the “Device Configuration”
section.
Remote User connected to the Web VPN shouldn’t be able to enter custom URLs and
see “real” URLs when connecting to R3.
Maximum of 10 users should be able to use this connection method at one time.
Note:
All the client needs is a web browser (Internet Explorer, Firefox, etc.).
The user connects to the IP address of your IOS router and authenticates on the website
presented to him.
This authentication can be against the local user database configured on the router itself or
against a remote database (via an ACS or LDAP server).
After successful authentication, the user has access to the portal where he/she can see some
links to corporate resources. Those resources can be for example: files on remote server, other
services available through the web browser (like web accessible management software or
application). The user can also surf the Internet via this gateway.
aaa new-model
aaa authentication login AUTH-LOCAL local
ip http server
ip http secure-server
Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
Generate Self Signed Router Certificate? [yes/no]: yes
The Web VPN Virtual Gateway enables the interface or IP address and port number to which the
Web VPN service will ‘listen’ for incoming connections and also determines the encryption that
will be used.
Example:
webvpn context Cisco-WebVPN
title "Firewall.cx WebVPN - Powered By Cisco"
!
acl "ssl-acl"
permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0
login-message "Cisco Secure WebVPN"
!
policy group webvpnpolicy
functions svc-required
functions svc-enabled
filter tunnel ssl-acl
svc address-pool "webvpn-pool" netmask 255.255.255.0
svc rekey method new-tunnel
svc split include 192.168.9.0 255.255.255.0
The webvpn context command creates a context, which we have named Cisco-WebVPN.
title command sets the text that will be displayed at the web browser’s Page Title and at
the top of the login screen.
acl “ssl-acl” command configures the access lists for this context. It basically governs
what the web vpn users will have access to. We’ve provided our webVPN users full
access to the 192.168.9.0 network.
Our webvpn users' IP addresses have already been defined in the webvpn-pool (192.168.9.80 to
192.168.0.85).
Instead of typing each IP address within that range into our ACL list we simply configure the
router to allow the 192.168.9.0 network as a source and destination in our VPN tunnel.
This ensures any IP in the 192.168.9.0 range assigned to our vpn clients will have access to our
LAN (192.168.9.0)
login-message command defines the text that will be shown in the login section of the
webvpn webpage. These messages are also visible in our WebVPN login screen at the
beginning of our article.
Since our webvpn pool is part of the same network we just set the 192.168.9.0 network as the
source and destination IP address.
Now we will configure the policy we just created as the default policy, set the aaa
authentication list (sslvpn) to be used for user authentication and maximum users for the
service. Finally, we enable our webvpn context:
Example:
default-group-policy webvpnpolicy
aaa authentication list sslvpn
gateway Cisco-WebVPN-Gateway
max-users 2
ssl authenticate verify all
url-list "rewrite"
inservice
ssl authenticate verify all command enables SSL configurations for backend
server connections. While we are not using any such backend services, it’s a good
option to always have enabled.
default-group-policy SSL-POLICY
inservice
exit
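The R2 configuration that satisfies the lab tasks above (self-signed trustpoint, gateway with HTTP-to-HTTPS redirect, and the context with the student1 bookmark), assembled here as an added example rather than the page's own configuration; the trustpoint name R2-SELF, gateway name R2-GW, context name CLIENTLESS, url-list name R3-LINKS and the certificate CN are assumptions.

```cisco
! Added example, not the page's own config. R2-SELF, R2-GW, CLIENTLESS,
! R3-LINKS and the CN R2.cbtme.com are assumed names.
ip domain-name cbtme.com
!
! RSA key pair named MY-KEYS, 1024 bits, as the lab task requires
crypto key generate rsa general-keys label MY-KEYS modulus 1024
!
! Self-signed certificate: O=cbtme.com, ST=CA, C=US; no IP address
! and no serial number in the subject; signed with MY-KEYS
crypto pki trustpoint R2-SELF
 enrollment selfsigned
 subject-name CN=R2.cbtme.com,O=cbtme.com,ST=CA,C=US
 ip-address none
 serial-number none
 rsakeypair MY-KEYS
crypto pki enroll R2-SELF
!
! Local user database and the login list the context will use
aaa new-model
aaa authentication login AUTH-LOCAL local
username student1 password cisco123
!
ip http server
ip http secure-server
!
! Gateway listens on f0/0 (10.1.12.2) port 443 and redirects port 80 to it
webvpn gateway R2-GW
 ip address 10.1.12.2 port 443
 http-redirect port 80
 ssl trustpoint R2-SELF
 inservice
!
! Context: bookmark "R4-Config" under "Device Configuration", no custom
! URL entry (hide-url-bar), obfuscated real URLs (mask-urls), max 10 users
webvpn context CLIENTLESS
 gateway R2-GW
 aaa authentication list AUTH-LOCAL
 max-users 10
 url-list "R3-LINKS"
  heading "Device Configuration"
  url-text "R4-Config" url-value "http://10.1.24.4"
 policy group SSL-POLICY
  url-list "R3-LINKS"
  hide-url-bar
  mask-urls
 default-group-policy SSL-POLICY
 inservice
```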
R3
ip http server
ip http authentication local
username admin privilege 15 password admin123
Verification
Let’s make sure the PC has IP address 192.168.159.51 and that its default gateway is R1
(192.168.159.10).
C:\Documents and Settings\xpuser1>ping 192.168.159.10
The ping should be 100% successful.
Now run web browser and type in the address bar: http://10.1.12.2. The SSL certificate
warning window should appear. Click Yes to accept the certificate.
Web VPN website should be loaded. Use your credentials to log in (student1 account)
After successful login you should see the configured bookmark. Click on (R4-Config) to connect to
R3’s web management GUI.
As R3’s management interface requires admin privileges, log in using the administrator
(privilege 15) account.
Add Thin Client Web VPN option to the previous configuration so that authenticated users will
be forwarded to R3 when connecting to their local ports:
Using SSL VPN we can access corporate resources in a secure way. However, in the previous task
we configured basic access to the “application” accessed by the web browser.
What if we have an application installed on our local system which must connect to the other
ports than HTTP/HTTPS? Such application must be “tunneled” somehow through our SSL VPN.
This can be done using a feature called Port Forwarding, available in SSL VPN through a Java
plug-in that runs in the web browser. Its main advantage is that the user does not need
administrative privileges on the system to run the plug-in.
We will use two applications to show how it works: TELNET and SSH client.
R2
We need to add the Port Forwarding feature to our context. This is configured by enabling a
«container» for our applications. This feature runs a Java plug-in on the client that starts listening
on a local port on the loopback IP address 127.0.0.1. This port is then redirected by the plug-in
to the real IP/port on the corporate network.
Configuring the port-forward application list is not enough. We need to enable it by associating
it with our policy. The policy is already associated with the context. We can specify the Java
plug-in behavior: it may run automatically when the client gets access to the portal, or it may be
run manually.
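The port-forward list and its policy association described above, written as an added example (not the page's own config); the context name CLIENTLESS and list name R3-APPS are assumed, and SSL-POLICY is the policy group the page uses.

```cisco
! Added example, not the page's own config. CLIENTLESS and R3-APPS
! are assumed names; 10.1.24.4 is R3's f0/0 from the basic configuration.
webvpn context CLIENTLESS
 ! The "container": listeners on 127.0.0.1:2300 and 127.0.0.1:2200 that
 ! the applet redirects to Telnet and SSH on R3 (sourced from R2's 10.1.24.2)
 port-forward "R3-APPS"
  local-port 2300 remote-server 10.1.24.4 remote-port 23 description Telnet-R3
  local-port 2200 remote-server 10.1.24.4 remote-port 22 description SSH-R3
 ! The list is only usable once attached to the policy; auto-download
 ! starts the Java applet as soon as the user reaches the portal
 policy group SSL-POLICY
  port-forward "R3-APPS" auto-download
 inservice
```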
R3
crypto key generate rsa modulus 1024
line vty 0 4
login local
Verification
From pc open your web browser and type http://10.1.12.2 then Click Yes to accept the
certificate.
After successful login you should see the configured bookmark, and the Port Forwarding Java
applet should start automatically. Depending on your browser’s security level configuration, you
may have to accept some security warnings about running an unsigned applet.
Telnet using your favorite terminal software to the IP address 127.0.0.1 and port 2300. You
should be tunneled to R3. Note that the source IP address of this connection is R2’s interface
(10.1.24.2). Do the same for an SSH connection to the IP address 127.0.0.1 and port 2200.
Check the Java applet window and see that packets are tunneled for both connections.
Lab 3 Configuring SVC Full Tunnel mode SSL VPN (SSL VPN Client)
Configure the full SSL VPN client on the R2 router. The user should be able to manually start the
tunnel connection after successful authentication to WebVPN.
The SSL VPN Client package (sslclient-win-1.1.4.176.pkg) is located in flash memory.
The user’s workstation should get an IP address from a pool of 192.168.2.10 – 192.168.2.60.
After the tunnel is set up the user should be able to connect to R4’s F0/0 interface using SSH
and TELNET natively. The rest of the user’s traffic should be sent out without any encryption.
Now, what if we have an application which has this server IP address embedded in the code?
That application must connect directly to its server. To make it happen we need full SSL Client
software installed on the client’s machine. To run and install this software the client must have
administrative privileges on the system.
We also need the full client software (called SVC – SSL VPN Client) installed on the router to make
it available to the client for download. Hence, it is called Full Client mode or Tunnel Mode.
The SVC works similarly to the IPsec client, but the SVC uses SSL to secure the connection.
R2
The SVC software image must already be in flash.
To use it with SSL VPN we must install it first.
Next comes an ACL specifying what traffic will be tunneled by the SVC. This is not a split tunnel
list! It is an ACL applied on the tunnel to make only certain services available to a client.
Then we need a pool of IP addresses for the clients. Just as with the IPsec client, the full client
software must get an IP address to use during the connection.
The tunnel policy must be configured under the Policy Group. The same for Split Tunnel list,
which is configured without any ACL.
We need to enable SVC in the policy and specify the IP address pool to be given out to the client.
functions svc-enabled
svc address-pool SSL-VPN-POOL
exit
exit
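The SVC configuration for the Lab 3 tasks (package install, tunnel-filter ACL, address pool, split tunnel and the policy lines above), written as an added example and not the page's own config; the context name CLIENTLESS and ACL name SVC-ACL are assumptions, and 10.1.24.4 is taken as the interface the task refers to.

```cisco
! Added example, not the page's own config. CLIENTLESS and SVC-ACL are
! assumed names; SSL-POLICY and SSL-VPN-POOL are the names the page uses.
! Install the SVC package that already sits in flash
webvpn install svc flash:/sslclient-win-1.1.4.176.pkg
!
! Pool the SVC client draws its tunnel address from (lab range)
ip local pool SSL-VPN-POOL 192.168.2.10 192.168.2.60
!
webvpn context CLIENTLESS
 ! Tunnel filter, NOT a split-tunnel list: of all tunneled traffic, only
 ! SSH and Telnet to 10.1.24.4 are allowed through
 acl "SVC-ACL"
  permit tcp 192.168.2.0 255.255.255.0 10.1.24.4 255.255.255.255 eq 22
  permit tcp 192.168.2.0 255.255.255.0 10.1.24.4 255.255.255.255 eq 23
 policy group SSL-POLICY
  ! svc-enabled: the user starts the tunnel manually from the portal
  functions svc-enabled
  svc address-pool "SSL-VPN-POOL"
  filter tunnel SVC-ACL
  ! Split tunnel without an ACL: only this network is sent encrypted,
  ! everything else leaves the PC in the clear as the task requires
  svc split include 10.1.24.0 255.255.255.0
 inservice
```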
Verification
From the PC open a web browser and type http://10.1.12.2, then click Yes to accept the certificate.
Log in with user student1. After successful login you should see Tunnel Connection (SVC)
available. Click the Start button.
Allow running of ActiveX applet in your web browser and install it.
After successful installation, the SSL VPN Client runs and establishes the tunnel.
Basic Configuration
R1
int e0/0
ip add 10.1.1.1 255.255.255.0
int e0/1
ip add 192.168.160.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.100
R2
int e0/0
ip add 10.2.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.2.2.100
ip http server
ip http authentication local
username admin priv 15 pass cisco123
line vty 0 4
login local
ASA
int e0
nameif outside
ip add 10.1.1.100 255.255.255.0
no sh
int e1
nameif inside
ip add 10.2.2.100 255.255.255.0
no sh
route outside 192.168.160.0 255.255.255.0 10.1.1.1
Lab Tasks
Configure the ASA to support SSL VPN for remote users (Windows XP) connected to R1.
Make sure you manually create an ASA self-signed certificate to be used in the SSL connection.
The ASA should allow remote users to access R2’s HTTP server after successful
authentication using the local user database located on the ASA.
The user named “yasser” with a password “cisco123” should be able to enter custom
URL to go to R2.
R2 should have http enabled with username “admin” password “cisco123”
Remote users should use the following custom URL (https://10.1.1.100/SSL_VPN)
Notice that in the following ASA SSL VPN commands we no longer need the concept of
gateways and contexts we used before with SSL VPN on IOS routers.
All ASA SSL configuration is done in webvpn mode.
ASA
domain-name cbtme.com
webvpn
enable outside
exit
Verification
Now from the Windows XP browser type https://10.1.1.100/SSL_VPN, accept the certificate, then
enter username yasser and password cisco123.
If login fails, a likely cause is that the AnyConnect Essentials license is enabled on your ASA;
that license does not support clientless SSL VPN.
You can't have both AnyConnect Essential license and AnyConnect Premium license enabled at
the same ASA. It is one or the other.
webvpn
no anyconnect-essentials
Now you should log in successfully. In the portal’s address bar, enter R2’s IP address 10.2.2.2.
You will be asked for a username and password; these are the ones we created on R2, so you
should enter “admin” with password “cisco123”.
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
Clientless : 1: 2: 1
---------------------------------------------------------------------------
Totals : 1: 2
Note that we are using Clientless mode. A default tunnel group (DefaultWEBVPNGroup) could have
terminated this connection, but we did not use it; we used RA_TNL_GROUP instead. The user
“yasser”, however, has a group policy attached to his profile.
Lab Tasks 2
Add Port Forwarding feature to the previous configuration so that authenticated users
will be forwarded to R2 router when connecting to their local ports:
Allow the user to run “telnet.exe” application natively (directly connecting to R2’s real IP
address).
Disable file browsing over the network.
The same Port Forwarding feature is available on the ASA. There is also another feature, called
Smart Tunneling, which “certifies” an application so that it can tunnel traffic through the
SSL VPN no matter what IP address or port the traffic is destined to.
webvpn
port-forward devices 2200 10.2.2.2 22 SSH to R2
port-forward devices 2300 10.2.2.2 23 TELNET to R2
Configuration of Port Forwarding and Smart Tunneling is performed under “webvpn” mode.
However, both features must be enabled under Group Policy to be accessible to the user.
smart-tunnel list Applications TELNET telnet.exe
(devices, Applications and TELNET are just names we chose.)
The Smart Tunnel feature is a replacement for the legacy Port Forwarding. Instead of relying
on the statically configured port-forwarding rules implemented in a Java applet, the
technology implements transparent TCP proxy for applications written using Winsock2 library.
A special application is pushed down to the client and used as an application wrapper. This
wrapper intercepts TCP library calls and redirects them across the ASA firewall as through a
proxy. The operations are completely transparent to the end-user application, which is not
aware of any additional security proxy in the path.
In the above commands we enable Port Forwarding and Smart Tunneling, and we also disable file
browsing on the network.
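The ASA clientless configuration for the lab tasks above and for Lab Tasks 2 (self-signed certificate, custom group URL, URL entry, port forwarding, smart tunnel and file browsing disabled), written as an added example rather than the page's own config; the trustpoint name ASA-SELF and group-policy name RA_POLICY are assumptions, RA_TNL_GROUP is the tunnel group the page names.

```cisco
! Added example, not the page's own config. ASA-SELF and RA_POLICY are
! assumed names; the list names devices/Applications/TELNET are the page's.
domain-name cbtme.com
!
! Manually created self-signed certificate presented on the outside interface
crypto ca trustpoint ASA-SELF
 enrollment self
 subject-name CN=asa.cbtme.com
crypto ca enroll ASA-SELF noconfirm
ssl trust-point ASA-SELF outside
!
username yasser password cisco123
!
webvpn
 enable outside
 ! Port forwarding: 127.0.0.1:2200 -> R2 port 22, 127.0.0.1:2300 -> R2 port 23
 port-forward devices 2200 10.2.2.2 22 SSH to R2
 port-forward devices 2300 10.2.2.2 23 TELNET to R2
 ! Smart tunnel: telnet.exe may reach any IP/port through the SSL VPN
 smart-tunnel list Applications TELNET telnet.exe
!
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  ! custom URLs allowed (lab 1); forwarder and smart tunnel enabled and
  ! file browsing disabled (lab tasks 2)
  url-entry enable
  port-forward enable devices
  smart-tunnel enable Applications
  file-browsing disable
!
tunnel-group RA_TNL_GROUP type remote-access
tunnel-group RA_TNL_GROUP general-attributes
 default-group-policy RA_POLICY
tunnel-group RA_TNL_GROUP webvpn-attributes
 ! the custom URL remote users open instead of the default portal
 group-url https://10.1.1.100/SSL_VPN enable
!
! Group policy attached directly to the user's profile, as noted on the page
username yasser attributes
 vpn-group-policy RA_POLICY
```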
Verification
Now from the Windows XP browser type https://10.1.1.100/SSL_VPN, accept the certificate, then
enter username yasser and password cisco123.
Then click Application Access in the left panel.
Then click the Start Application button to run the Java-based Port Forwarding.
A new window will pop up; this is your Java applet running and listening on the specified
ports.
You can connect to R2 using your favorite terminal software, such as PuTTY.
Use the local loopback IP address (127.0.0.1) and port 2300 to be forwarded to R2 on
port 23.
R2
int e0/0
ip add 10.2.2.2 255.255.255.0
int loop 0
ip add 2.2.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.2.2.100
R3
int e0/0
ip add 10.3.3.3 255.255.255.0
int loop 0
ip add 3.3.3.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.3.3.100
ASA
int e0
nameif outside
ip add 10.2.2.100 255.255.255.0
no sh
int e1
nameif inside
ip add 10.3.3.100 255.255.255.0
no sh
route outside 2.2.2.2 255.255.255.0 10.2.2.2
route inside 3.3.3.3 255.255.255.0 10.3.3.3
Lab Tasks
Configure AnyConnect 3.0 on the ASA so that it is possible to log in on the portal and
download the AnyConnect client.
The user should be able to set up a full DTLS tunnel, authenticating to the group CCIE
with username/password ccie/ccie123.
Give the client an IP address from the pool 192.168.15.1 – 254.
ASA
webvpn
enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg
anyconnect enable
exit
username ccie password ccie123
ip local pool VPN-POOL 192.168.15.1-192.168.15.254
group-policy CCIE internal
group-policy CCIE attributes
vpn-tunnel-protocol ssl-client ssl-clientless
address-pools value VPN-POOL
exit
tunnel-group CCIE type remote-access
tunnel-group CCIE general-attributes
default-group-policy CCIE
exit
tunnel-group CCIE webvpn-attributes
group-alias CCIE
exit
webvpn
tunnel-group-list enable
exit
Go to the portal using the address https://100.2.2.10, accept the certificate and
authenticate to the group CCIE. Click the AnyConnect link to download the client.
If you have already downloaded it, just open it, type 10.2.2.100, click Connect, then provide a
username and password for the CCIE group and hit OK.
Try to ping an IP address behind the ASA.
Good Luck
CCIE & CCSI: Yasser Auda
https://www.facebook.com/YasserRamzyAuda
https://learningnetwork.cisco.com/people/yasserramzy/content
https://www.youtube.com/user/yasserramzyauda