SNPA50SL13
for WebVPN
Lesson 13
[Figure: WebVPN topology. Remote users connect across the Internet through a broadband provider (ISP) or a wireless provider network; a WebVPN tunnel carries their connection to the corporate network.]
Configure group policies for only those users who need WebVPN access
Limit or disable Internet access for WebVPN users
Educate users about potential SSL problems
ciscoasa(config)# http server enable
Enables the HTTP server for WebVPN
asa1(config)# webvpn
asa1(config-webvpn)#
© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—13-14
Enabling WebVPN Interfaces
ciscoasa(config-webvpn)# enable ifname
Enables WebVPN on the specified interface
asa1(config)# webvpn
asa1(config-webvpn)# enable outside
ciscoasa(config-webvpn)# title titletext
Specifies the title that WebVPN users should see.
ciscoasa(config-webvpn)# title-color color
Specifies the title color. Supported formats include HTML color name string, HTML color value, and HTML RGB value.
Configure WebVPN Policies
ciscoasa(config)# group-policy {name} attributes
Enters the group-policy attributes subcommand mode
ciscoasa(config-group-policy)# webvpn
Enters WebVPN group-policy attributes subcommand mode
asa1(config-group-policy)# webvpn
Enable URL Entry for WebVPN Users
[Figure: lab topology. A remote client reaches the security appliance (10.0.1.10/24) over a WebVPN tunnel; behind it sit the HTTP-Server, the Console-Server (10.0.1.11/24) and, in later slides, the NBNS-Server (10.0.1.15/24).]
ciscoasa(config-group-webvpn)# functions {auto-download | citrix | file-access | file-browsing | file-entry | filter | http-proxy | url-entry | mapi | port-forward | none}
Enables file access, entry, browsing, and URL entry for the group
ciscoasa(config)# url-list {listname displayname url}
– listname: Defines the name of the URL list
– displayname: Defines the text the users see for the link on their home page
– url: Defines the actual URL that the link accesses
The WebVPN link list can point to HTTP, HTTPS, and CIFS servers
Example: url-list URLs "Superserver" http://10.0.1.10
ciscoasa(config)# port-forward {listname localport remoteserver remoteport description}
– listname: Defines the name of the port forwarding list
– localport: Defines the local port on the WebVPN user's PC
– remoteserver: Defines the actual server that the link accesses
– remoteport: Defines the actual port that the link accesses
ciscoasa(config)# tunnel-group name type type
– name: Names the tunnel group
– type: Defines the type of VPN connection that is to be established
ciscoasa(config-tunnel-general)# authentication-server-group [(interface_name)] server_group [LOCAL | NONE]
Specifies the AAA server group that authenticates WebVPN users
asa1(config-webvpn)# authentication-server-group (inside) AUTHSERVER
Configure WebVPN Servers and URLs
ciscoasa(config-group-webvpn)#
Enables MAPI proxy for the group (only necessary if using MAPI)
ciscoasa(config)# pop3s
ciscoasa(config)# smtps
ciscoasa(config)# imap4s
Enters the appropriate e-mail proxy subcommand mode
ciscoasa(config-pop3s)# server {ipaddr | hostname}
Specifies the default server for use with the e-mail proxy
ciscoasa(config-pop3s)# authentication {aaa | certificate | piggyback}
Specifies the authentication method or methods that are used with the e-mail proxy
Options are as follows:
– aaa: Use the previously configured AAA server for authentication
– certificate: Use a certificate for authentication
– piggyback: Requires an established HTTPS WebVPN session
HTML Content Filtering (Cont.)
ciscoasa(config-group-webvpn)# html-content-filter {cookies | images | java | none | scripts}
Configures the content or objects to be filtered from the HTML for this policy
Options are as follows:
– cookies: Removes cookies from images, providing limited ad filtering and privacy
– images: Removes references to images (removes <IMG> tags)
– java: Removes references to Java and ActiveX (removes <EMBED>, <APPLET>, and <OBJECT> tags)
– none: Indicates that there is no filtering; sets a null value, thereby disallowing filtering; prevents inheriting filtering values
– scripts: Removes references to scripting (removes <SCRIPT> tags)
ciscoasa(config)# access-list id webtype {deny | permit} tcp [host ip_address | ip_address subnet_mask | any] [oper port [port]] [log [[disable | default] | level] [interval secs] [time_range name]]
Configures a web-type ACL to be used for filtering with WebVPN
asa1(config)# access-list WEBVPNACL webtype permit tcp any eq http
ciscoasa(config-group-webvpn)# filter {value ACLname | none}
Configures the name of the web-type ACL in the WebVPN group-policy attributes subcommand mode
asa1(config-group-webvpn)# filter value WEBVPNACL
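A complete configuration that assembles the commands from these slides for the lab topology, added here as a worked example (it is not course material and was not taken from the slides). The interface, server-group, list and policy names are assumed, as are the ASA 7.x commands the slides do not show (group-policy ... internal, url-list value, port-forward value, tunnel-group general-attributes, default-group-policy). It applies the best practices listed earlier: a dedicated group policy for WebVPN users, a web-type ACL that restricts them to the two lab servers instead of the open Internet, and filtering of active content.

```cisco
! Added example, not from the SNPA course. Assumed values: outside
! interface "outside", AAA group AUTHSERVER, HTTP server 10.0.1.10,
! console server 10.0.1.11 (addresses taken from the slide figures).
http server enable
webvpn
 enable outside
 title "Corporate WebVPN Portal"
 title-color blue
 authentication-server-group (inside) AUTHSERVER

! Portal links: HTTP and CIFS targets only, no direct Internet links
url-list URLS "Superserver" http://10.0.1.10
url-list URLS "Console share" cifs://10.0.1.11/share

! Port forwarding: local port 2323 on the client maps to console telnet
port-forward PFLIST 2323 10.0.1.11 23 "Console-Server telnet"

! Web-type ACL: permit only the two lab servers, log everything else
access-list WEBVPNACL webtype permit tcp host 10.0.1.10 eq http
access-list WEBVPNACL webtype permit tcp host 10.0.1.11 eq 23
access-list WEBVPNACL webtype deny tcp any log

! Least-privilege group policy: only the functions these users need
group-policy WEBVPNPOLICY internal
group-policy WEBVPNPOLICY attributes
 webvpn
  functions url-entry file-access file-browsing port-forward
  url-list value URLS
  port-forward value PFLIST
  filter value WEBVPNACL
  html-content-filter java

! Tunnel group that binds the policy to the AAA server group
tunnel-group WEBVPNGROUP type webvpn
tunnel-group WEBVPNGROUP general-attributes
 authentication-server-group AUTHSERVER
 default-group-policy WEBVPNPOLICY
```

The explicit deny with log at the end of the web-type ACL gives a syslog record of every blocked request, which is what a defender checks when verifying that WebVPN users cannot browse beyond the permitted servers.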
[Figure: lab topology. SuperServer, RBB, ASA, Student PC and RTS on the 172.26.26.0, 192.168.P.0 and 10.0.P.0 networks, where P is the student pod number.]