0:00:13
In our next section we are going to look at the SSL VPN feature on the ASA

0:00:18
and look at the configuration of both the clientless SSL VPN, or the WebVPN feature,

0:00:24
and the SSL VPN client, or the AnyConnect client.

0:00:30
Now the first of the variations, the clientless SSL VPN, which is also known as the WebVPN,

0:00:36
is essentially using the ASA

0:00:38
as a proxy server

0:00:40
where the end client, using their web browser,

0:00:43
forms an SSL tunnel to the

0:00:46
ASA

0:00:47
then inside this tunnel they can run other applications, whether web browsing

0:00:51
or a mail application or telnet or SSH

0:00:56
but from the client to the ASA

0:00:58
it's going to be encapsulated inside of TCP

0:01:01
typically over port 443 for SSL

0:01:04
then on the ASA it is going to come out on the other side

0:01:07
and the sessions are going to look like they were originated from the ASA

0:01:13
Now the second variation, the SSL VPN client or the AnyConnect client,

0:01:18
is similar in logic to Easy VPN

0:01:21
but instead of using IPsec as our transport

0:01:24
with ESP or AH protocols

0:01:27
we are using SSL

0:01:29
which again is going to be running over TCP port 443 by default

0:01:35
Now the advantage of using the AnyConnect client over Easy VPN

0:01:40
is that it gets away from any type of design issue

0:01:43
where someone is filtering either the

0:01:45
phase I or the phase II negotiation of IPsec

0:01:50
which could potentially be our ISAKMP

0:01:52
SA, which is established using UDP port 500,

0:01:56
or the IPsec SA

0:01:58
which is established using ESP,

0:02:00
AH or some type of transparent tunnelling

0:02:04
like our NAT traversal using UDP 4500

0:02:07
or the transparent tunneling over UDP or TCP using port 10000

0:02:13
so in various strict filtering networks

0:02:17
where possibly only port 80 for regular web browsing and port 443 for SSL

0:02:23
are the only two protocols that are allowed outbound

0:02:26
then an SSL VPN connection will be the only option

0:02:29
for an end client behind that type of filtering

0:02:32
to be able to establish a secure tunnel

0:02:36
Now configuration-wise we will see the logic of both these variations, the clientless and the client-based SSL VPN,

0:02:44
are similar in logic to the Easy VPN

0:02:47
where we are using the same tunnel-group and group-policy syntax

0:02:52
which means that we can use the show run all tunnel-group

0:02:54
and the show run all group-policy

0:02:56
to get some syntax help to figure out what are the default values

0:03:00
and what are the different options that we need to issue in order to get the basic functional tunnel working

0:03:07
additionally we have another global

0:03:09
configuration mode, which is the webvpn configuration mode,

0:03:13
that is going to define some of the shared attributes between the tunnels

0:03:16
things like what are the interfaces that we're listening for the connections on

0:03:20
what is the location on the flash of the SSL VPN client

0:03:25
which is also known as the SVC

0:03:27
and what is the port number that the ASA is going to be listening on

0:03:30
which is typically going to be port 443

0:03:34
we can see the defaults of this if we show run all webvpn

0:03:39
and then also, like the

0:03:41
LAN-to-LAN and the other remote access VPNs for Easy VPN,

0:03:45
we can look at the VPN setup

0:03:46
output; that's going to help us to build the syntax

0:03:52
Now a couple of brief notes on the

0:03:54
syntax for the SSL VPN

0:03:57
since we are no longer using IPsec as the transport

0:04:00
we are no longer using the crypto command set

0:04:04
where previously we would look at the show crypto isakmp sa for our phase I verification

0:04:09
the show crypto ipsec sa for phase II verification

0:04:13
and then look at various debug crypto outputs

0:04:16
in order to see any problems in the phase I or the phase II negotiations

0:04:21
but in the case of the SSL VPNs, since we are no longer using IPsec,

0:04:25
we are going to be changing syntax

0:04:27
to the vpn-sessiondb, or the VPN session database

0:04:32
So to see what are the active sessions, instead of saying show crypto ipsec sa

0:04:36
we would say show vpn-sessiondb

0:04:40
if we wanted to see the debug output, this is going to be debug

0:04:43
vpn-sessiondb

0:04:45
if we wanted to clear the connection

0:04:47
instead of saying clear crypto isakmp sa or

0:04:50
clear crypto ipsec sa

0:04:53
vpn-sessiondb logoff

0:04:59
now documentation-wise you will see that

0:05:01
this is not as straightforward

0:05:04
as some of the other configurations that we saw

0:05:07
for the LAN-to-LAN VPN or for the remote access VPN

0:05:11
so you do want to be aware of where these are located in the documentation

0:05:16
but then also some of the shortcuts that we can do

0:05:18
like the VPN setup and the show run all

0:05:21
to help us piece this together on the command line

0:05:25
where in a real design for the SSL VPN

0:05:28
typically you are going to be using the web GUI interface, or ASDM,

0:05:32
in order to piece a lot of these configurations together

0:05:35
in fact if you search for SSL VPN in the ASA

0:05:39
or SSL VPN in the IOS

0:05:41
you will see the vast majority of examples they give you on Cisco's website

0:05:44
are using either the SDM for the routers

0:05:47
or using the ASDM for the ASAs

0:05:51
So within the scope of the CCIE Security lab exam

0:05:54
you don't necessarily need to be an expert in customization of the website

0:05:58
in all the possible options you can change for SSL VPN

0:06:02
you just want to make sure that you can get basic functional configurations for both variations

0:06:06
like the clientless version

0:06:08
which is basically using the ASA as a proxy

0:06:10
and the SSL VPN client

0:06:12
which is the AnyConnect VPN, similar to the Easy VPN client

0:06:18
so documentation-wise from the main page, we are going to go through the same

0:06:22
structure where we start at Products,

0:06:25
to Security,

0:06:29
Firewall Appliance, ASA,

0:06:33
Configuration Guides,

0:06:35
then to our particular release, 8.0 in this case

0:06:40
then under Configuring VPN we have two separate sections here

0:06:44
the first one is for the clientless VPN

0:06:48
which again is basically the ASA as a proxy server

0:06:51
then the AnyConnect VPN client

0:06:54
which is similar to the Easy VPN client

0:06:56
or what is sometimes called the Cisco Secure VPN client

0:07:01
Now it would be a good idea just to read through these two basic documents

0:07:05
to get an idea of what are the possible features that you could do with the SSL VPNs

0:07:11
so we can change things like

0:07:13
what happens when

0:07:15
a particular port is used from the client's perspective

0:07:19
we can configure that to forward to different internal ports

0:07:23
on the inside

0:07:24
we can configure different types of email proxy, whether we are using

0:07:28
Microsoft Outlook

0:07:30
or other applications like

0:07:32
Citrix or Internet

0:07:34
File Sharing; these can be run over the proxy with the clientless VPN

0:07:39
but the big problem with this document is that it's not very clear

0:07:43
what the entire final configuration should be

0:07:47
for the clientless VPN

0:07:50
so I would recommend, use this as a reference

0:07:52
make sure you know what are the basic overall features

0:07:55
but for the entire configuration

0:07:58
you are better off looking at the command line

0:08:01
and from global configuration here on the ASA we will go through the VPN setup

0:08:07
this is going to be an SSL remote access VPN

0:08:11
if we look at the steps

0:08:13
we are going to see the overall logic is similar to Easy VPN

0:08:16
with some of the new syntax for the WebVPN thrown in

0:08:21
Now we know of course that

0:08:23
the first thing we would need to do is configure the basic interfaces, configure the basic routing

0:08:27
these steps would be required

0:08:29
but they are technically not directly related to the WebVPN configuration

0:08:35
So out of this we have our second step, it says turn WebVPN on on the interface

0:08:40
where this would be similar to saying

0:08:42
crypto isakmp enable outside

0:08:45
where by default the ASA is not listening for an IPsec tunnel

0:08:49
same would be true for an SSL tunnel

0:08:51
we need to enable it on that particular interface

0:08:54
and this webvpn, this is their global configuration mode

0:08:59
then we have the AAA configuration

0:09:02
if we were using the local database

0:09:05
we would then need to have a local username and password

0:09:09
and notice here that they are editing the default WebVPN group

0:09:13
which would be similar to editing the default

0:09:16
L2L group for LAN-to-LAN or the default RA group

0:09:19
for our Easy VPN connections

0:09:22
we are beyond just this authentication server that they are changing

0:09:25
which is saying use the local database

0:09:27
there are going to be a lot of other options that are defaults there

0:09:31
that we can verify by looking at the show run all tunnel-group

0:09:36
then they are specifying what is the location of the

0:09:39
SSL VPN client, which is the SVC

0:09:43
this is generally going to be some file that's on the flash of the ASA

0:09:48
so if you look at the dir flash, or the dir disk0, dir disk1

0:09:52
you should see

0:09:54
some sort of .package file

0:09:56
that's going to be used for the operating system, which in this case is Windows,

0:10:00
to actually do the install of the client

0:10:05
Now with the SVC, that is talking about the AnyConnect client

0:10:10
for the clientless SSL VPN

0:10:13
we do not need to specify the SVC image

0:10:16
and we do not need to enable

0:10:17
the SVC globally under the webvpn process

0:10:22
then we see we have an address pool

0:10:25
this would be similar to allocating addresses to an Easy VPN client

0:10:30
then we have the group policy

0:10:32
which would control things like split tunneling policy

0:10:35
what's the particular banner that the users get, what is a WINS server, what is a DNS server

0:10:40
so just like the Easy VPN configuration

0:10:44
the vast majority of these options you do not need to memorise

0:10:46
just make sure you are familiar with looking at the show run all tunnel-group

0:10:50
show run all group-policy, and show run all webvpn

0:10:57
So next let's take the example here and build it into a basic functional configuration

0:11:09
where the first step is to simply turn the process on

0:11:13
So we have webvpn and then this is going to be enabled on the outside interface

0:11:18
we are going to assume that the basic routing

0:11:21
features are configured up to this point

0:11:24
we then have a tunnel group

0:11:25
which in this case they are using the default name, the default WebVPN group

0:11:30
I am going to change this so we are using a specific named group

0:11:34
which will make it a little more clear when we look at our final configuration

0:11:38
so I will say that this is the

0:11:42
let's say this is the WebVPN group

0:11:52
where WebVPN is a remote access type group

0:11:57
we are using the local database for authentication

0:12:00
which would then assume that we need a username and password entry configured

0:12:05
for simplicity here I would say username is cisco, password is cisco

0:12:10
in this example they are specifying that the service type

0:12:13
for the user is remote access

0:12:17
this would then prevent them from logging into the actual command line of the ASA

0:12:21
either through telnet or SSH or maybe even from the ASDM

0:12:29
So we could configure that, technically we do not have to

0:12:35
so we could configure that but technically we do not have to

0:12:40
next we have the AnyConnect image

0:12:42
where we are going to save this one for later; this is going to be used for when we are doing the AnyConnect client

0:12:48
same would be true of the svc enable command

0:12:51
so that's going to turn the service on

0:12:54
same would be true about the pool

0:12:57
since we are not running the AnyConnect yet, we don't need an address assignment

0:13:02
then we have the group policy

0:13:04
which in this case they are using the default policy

0:13:09
and like the tunnel group, I am going to change this so this is a named policy

0:13:14
where I will say the group policy will be the

0:13:18
let's say WebVPN policy

0:13:22
and in the attributes

0:13:25
the tunnel protocols are going to be just WebVPN

0:13:31
and we will look at the context since it will help when we get to that

0:13:34
that's going to control, can we use IPsec

0:13:36
can we use WebVPN for the clientless access

0:13:40
or can we also use the SSL VPN client, or the SVC

0:13:46
So this on its own

0:13:48
is pretty close to our basic configuration

0:13:51
one other thing I will need to change is what is the group policy that is being referenced from the tunnel group

0:13:59
because the way that they were configuring it

0:14:02
they were already using the default tunnel group and the default group policy

0:14:06
So those two are automatically bound together

0:14:08
where in this case I will need to say something like default

0:14:12
group-policy

0:14:14
and then what is the name of it, in this case it's the WebVPN policy

0:14:19
Now whether this is the actual correct syntax or not, the ASA is going to tell us

0:14:22
when we actually try to enter this on the command line

0:14:27
Now from a design point of view in this topology

0:14:30
ASA2 is going to be the SSL VPN server

0:14:35
where as a proxy server

0:14:37
it is going to listen for connections coming in from the test PC

0:14:43
then based on the individual application that we choose

0:14:46
it is then going to be redirecting traffic

0:14:49
either back out to the public network or the internal network

0:14:54
but in either case it is going to be using the ASA as a proxy

0:14:58
So if we were to SSL

0:15:00
clientless SSL VPN to the ASA

0:15:03
and then telnet to router3

0:15:06
router3 is going to see the traffic as being originated from the outside IP address of the ASA

0:15:13
so just like any normal web proxy that you would use

0:15:17
in any other configuration where

0:15:19
the idea is that we are configuring

0:15:21
a tunnel between the client and the server

0:15:25
then from the server

0:15:27
to the actual endpoint

0:15:30
it's a separate connection

0:15:36
So let's take this first portion of this configuration

0:15:39
and then try to apply this on to the command line

0:15:48
so it looks like, up to this point,

0:15:51
this syntax looks pretty good

0:15:53
Now before we actually test this, let's look at any of the other output from the defaults

0:15:57
and see if there is anything else that we need to change

0:15:59
so let's say show run all webvpn

0:16:04
and we see the options

0:16:05
that we can change in here would be like what is the port number

0:16:09
that we're listening for

0:16:11
by default we have this enabled on the outside

0:16:15
we configure this, we enable this on the outside

0:16:19
we could specify what's the size of the cache

0:16:23
whether the SSL VPN client is enabled

0:16:27
another important one here is the next command

0:16:29
the tunnel-group-list enable

0:16:33
this is used when we have multiple tunnel groups

0:16:37
then from the web interface of the ASA

0:16:40
the user can specify which tunnel group they want to authenticate to

0:16:45
where we could say I have one group for sales, one group that's for

0:16:49
tech support

0:16:50
then they choose the group from the drop-down list

0:16:53
and then authenticate to that particular one

0:16:56
where in the case of our Easy VPN tunnel

0:16:59
the group was chosen based on the pre-shared keys

0:17:03
or based on the certificate of the user

0:17:18
next let's look at the show

0:17:21
show run all group-policy

0:17:25
where the default group policy

0:17:29
says for the WebVPN

0:17:31
there is no type of filtering as to what destinations they can or cannot reach

0:17:36
we could do port forwarding

0:17:39
we could see some of this stuff is going to be customization of the web interface itself

0:17:44
it says what's the MTU size of the SSL VPN client

0:17:47
if we are doing some sort of additional tunneling maybe we want to reduce the MTU even smaller

0:17:53
or if we do not need

0:17:54
that small of a payload, we can increase the MTU

0:18:01
but you can see most of these

0:18:03
you wouldn't really need to customize unless you had a very specific reason in order to do it

0:18:09
we can also see that the default

0:18:12
group policy

0:18:13
is going to control other options like

0:18:16
what are the VPN tunnel protocols we can use

0:18:19
where we can use IPsec,

0:18:21
Layer 2 Tunneling Protocol and WebVPN by default

0:18:24
but we could not use the SSL VPN client

0:18:27
we would need to say vpn-tunnel-protocol as we see

0:18:33
then additionally this is where we would define the split tunneling policy

0:18:38
so when we're using the AnyConnect client

0:18:40
just like the Easy VPN client

0:18:42
this is where we would specify what traffic goes over the tunnel

0:18:45
and which traffic does not go over the tunnel

0:18:50
then lastly we have the

0:18:53
show run all tunnel-group

0:19:00
where in the tunnel group here we want to look at what is the default WebVPN group

0:19:06
so the WebVPN group

0:19:08
says that there is no address pool configured

0:19:11
we are checking the local database

0:19:13
we are using the default group policy

0:19:17
if we were to use certificates for authentication, we would get the username from the common name and the organizational unit

0:19:25
then the rest of this is going to be specific to the WebVPN

0:19:45
so now let's check the result of this, let's go to the Windows

0:19:48
machine, the test PC

0:19:50
and we are going to open an SSL

0:19:52
web browsing session to the outside interface of the ASA

0:19:55
and ideally what we should see is that on this address

0:20:00
the ASA pops up a login box

0:20:03
that we can then use to

0:20:05
connect to it as a proxy server

0:20:14
so on a web browser, we are going to go to https

0:20:19
200.0.122.12

0:22:02
we can see now we get the request to accept the certificate

0:22:05
in this case if we look at the view certificate

0:22:08
this is self-signed by the ASA itself

0:22:11
if we look at the details

0:22:13
typically in

0:22:15
a real design for this, you will have a public certificate

0:22:19
so maybe something that's signed by VeriSign for example

0:22:22
So that when the users browse to that interface

0:22:25
they are not constantly going to be asked to, not to proceed

0:22:29
or they can view it; to open this in Firefox or

0:22:31
Chrome, sometimes it will give you a big warning message that you should not

0:22:34
continue with the connection

0:22:35
basically this is just because it's a self-signed certificate

0:22:38
now when this is coming from a

0:22:40
trusted certificate authority

0:22:43
but eventually once the webpage loads

0:22:46
we should get to the portion where we have our username and password

0:22:50
or in this case, our username is cisco, password is cisco

0:22:57
from here we get to the web portal, or basically the proxy server page

0:23:01
where on the left we can choose what's the particular application that we want to use

0:23:05
and then either manually enter an address into the URL bar

0:23:11
or if we have preconfigured it on the ASA

0:23:13
we can have a list of links that is going to go to common services that these users would be using

0:23:19
so for example, if we were to click on Telnet/SSH

0:23:23
it changes what is the particular protocol that we want to use

0:23:27
if we were to look at telnet for example

0:23:30
we could manually type an address in here

0:23:33
let's say router3's address of 200.0.0.3

0:23:38
or we could have the list of the common servers that these users

0:23:42
are typically using

0:23:46
Now if we connect the session here

0:23:48
by saying I want to browse to that address 200.0.0.3

0:23:54
if we look at the diagram

0:23:57
200.0.0.3 is the loopback address of router3

0:24:01
where normally the test PC's traffic would be going to ASA1

0:24:05
to router1, from router1 to router2, from 2 to 3

0:24:10
but in this case since we are going over the SSL tunnel that is going to ASA2

0:24:16
the traffic is going to go this direction

0:24:18
over SSL

0:24:21
then from ASA2 it's going to go back to router3

0:24:24
over a clear text connection

0:24:28
However when router3 receives this session

0:24:31
the source address is going to be the outside interface of the ASA

0:24:37
so it's only encrypting the traffic that is going from the client to the server

0:24:41
it's not, from the client to the SSL server I should say, which is ASA2

0:24:45
not going to encrypt the traffic from the ASA to router3

0:24:52
it now asks us

0:24:54
do we want to run this Java application; this is where the actual telnet is going to happen, inside of this

0:25:00
web-based Java app

0:25:02
So now we can see the final result is that we have the telnet session open

0:25:06
if I log in here with the username cisco

0:25:09
password cisco, which is preconfigured

0:25:11
on router3

0:25:13
we are logged into the exec process; if we look at the show users though

0:25:17
it says now the session is coming from the address

0:25:20
200.0.122.12

0:25:25
which is the outside interface of the ASA

0:25:28
not the actual address

0:25:29
that is assigned on the end client

0:25:32
if we look at the ipconfig of the Windows machine

0:25:35
this is currently assigned to the 192.168 address

0:25:38
but we are using this address 200.0.122.12

0:25:42
basically as our proxy

0:25:47
so the final result of this when we look at the syntax

0:25:50
there is really not that much configuration that we need to do in order to get the basic WebVPN tunnel working

0:25:56
the vast majority of the additional configuration is if we want to run the SSL

0:26:01
VPN client or the SVC

0:26:04
in order to treat the SSL tunnel

0:26:06
the same as a remote access Easy VPN connection

0:26:11
Now when you are testing this out

0:26:14
there are a couple of different caveats for testing this on the equipment

0:26:17
one of them is going to be

0:26:19
that when the client connects, in this case the test PC connects to the ASA,

0:26:24
the VPN client software is going to be downloaded

0:26:28
from a Java interface

0:26:31
first problem is that generally

0:26:33
just the Java interface itself is very slow

0:26:36
so it may take a large amount of time in order for this to load

0:26:40
but also in a topology like this

0:26:42
where the traffic has to transit this Frame Relay segment between router1 and router2

0:26:48
these links are physically 64 kbits per second

0:26:52
So it's going to be really very slow downloading the client over that

0:26:56
so for this particular example, what I am going to do

0:26:58
is move the test PC from this segment

0:27:02
onto the segment right in front of

0:27:05
the ASA

0:27:06
So we will put it in the 200.0.122

0:27:10
network, we will say that this is the .100

0:27:13
and we will use router2 as the default gateway

0:27:17
now the end result is going to be exactly the same as if we were to leave it on the VLAN 118 network

0:27:23
it's just going to take probably

0:27:25
5% of the time, if not even less than that,

0:27:28
in order to load the VPN client that we are getting from the ASA

0:27:33
So this means a couple of basic changes

0:27:36
one is that on the end host

0:27:48
I need to change its address

0:27:50
so I am going to go to the

0:27:54
Control Panel

0:27:57
Network Connections

0:28:00
and then change the inside of the

0:28:03
lab adapter

0:28:05
now if you are using our equipment for these labs

0:28:07
feel free to play around with this, you can set these to whatever you want

0:28:10
obviously though, just don't change the one that says do not change

0:28:15
because this is the interface that is used for the actual desktop connections

0:28:19
in order to get to the web interface of

0:28:22
the Windows machine, not the web interface, the GUI interface of the Windows machine to begin with

0:28:26
but you can't change these addresses here

0:28:29
you can change the default gateway; the DNS is not going to hurt the configuration

0:28:34
So here I am going to change this to 200.0.122.100/24

0:28:41
the gateway I will set is router2

0:28:45
and DNS I will leave blank, I don't need the DNS server

0:28:54
then this also implies that I need to change the connection

0:28:58
that is the physical layer 1 and layer 2 circuit going to the test PC

0:29:04
and this is on switch2's

0:29:06
port FastEthernet 20, in our topology

0:29:10
so on this link I am going to change this to be

0:29:12
switchport access vlan 122

0:29:17
where now if I go to router2

0:29:19
and ping 200.0.122.100

0:29:30
this is now the new address of the test PC

0:29:34
now if I were to go back to the test PC and do the same

0:29:37
browsing that we did before

0:29:40
where I go to https://200.0.122.12

0:29:47
you will generally see that this is going to load a lot faster

0:29:50
because the problem is not only the Java load time

0:29:53
but it's also the bandwidth that is in the transit path from the

0:29:56
client to the server

0:30:04
Now for our next example using the SSL VPN client

0:30:08
we do need to add a couple of additional configurations

0:30:12
that they did show in the previous output

0:30:18
of the VPN setup

0:30:20
where I need to specify

0:30:22
where is the actual

0:30:24
SSL VPN client image located

0:30:27
and the reason I need to specify this is that the Windows machine

0:30:30
is actually going to be downloading and installing this

0:30:33
from the ASA itself

0:30:36
where normally in an Easy VPN configuration

0:30:39
you would have to have some sort of offline mechanism to actually distribute

0:30:43
the installer for the Cisco Secure client

0:30:46
now if we go to the ASA

0:30:49
and look at

0:31:10
now if we go to the ASA and look at the dir output

0:31:14
it says that on disk0

0:31:17
we have this image, that is the AnyConnect client for Windows

0:31:25
so next under the webvpn configuration in global config

0:31:29
we need to specify what is the svc image location

0:31:34
so this is going to be on disk0

0:31:36
and the file name is anyconnect

0:31:39
this version is 2.3

0:31:44
I would then need to enable the SVC

0:31:48
SVC access is off by default

0:31:50
svc enable

0:31:52
the svc profile

0:31:54
would then be basically like an XML file

0:31:58
that is going to control some of the attributes

0:32:00
of what the client is allowed to do once they actually connect

0:32:04
and we will look at an example here of modifying what the default profile is

0:32:08
for the SSL VPN client connection

0:32:12
ok so now we have the ASA actually listening for the SVC connections

0:32:16
I would also need to specify

0:32:18
what are the particular tunnel groups and group policies

0:32:23
that are going to be associated with the SSL VPN client connections

0:32:28
as I mentioned before in the previous IPsec tunnel examples we did

0:32:32
the tunnel group is controlled

0:32:34
based on how the user authenticates

0:32:36
or based on the username that's located inside of their certificate

0:32:42
but in the case of the SSL VPN client

0:32:44
we don't have an IKE identity

0:32:47
that is going to be exchanged during the SSL negotiation

0:32:51
so when we define these tunnel groups

0:32:54
we are going to

0:32:56
essentially configure a drop-down list

0:32:58
that's going to be located on the main web page

0:33:02
of the ASA once we browse to it

0:33:04
that we are going to control which particular tunnel group we are going to authenticate to

0:33:09
so I will say that this tunnel group is named

0:33:13
I will say that this is the SVC group, for the SSL VPN client

0:33:18
and the SVC group is of type remote access

0:33:24
the SVC group

0:33:26
they need to specify what are the general attributes and what are the webvpn attributes

0:33:32
Now the webvpn attributes

0:33:35
this is where we would specify

0:33:37
what is the name of the drop

0:33:39
down list that the users are going to choose,

0:33:41
this is what the group alias is

0:33:44
there are a lot of other options that you can change here

0:33:47
but really the only one that

0:33:48
I need to specify is what's the group alias

0:33:52
the only reason that I really need to do this though

0:33:55
is that I have multiple tunnel groups

0:33:58
I have one tunnel group that I want to use just for WebVPN access

0:34:02
which is the clientless SSL VPN

0:34:05
then I have this separate group that I want to use just for the SSL VPN client

0:34:10
so the user would be able to choose which one they are going to use

0:34:15
So I am going to specify the group alias, we give it a name now

0:34:18
let's say that this is the SVC users

0:34:23
and I want to enable this

|
0:34:26
|
yes now I have the tunnel group configured and I have the alias that they are going to see
|
|
0:34:30
|
when they try to log in
|
|
0:34:32
|
the next thing I need to do, is to say
|
|
0:34:35
|
what is the individual policy that these SVC group users are going to get when they log in
|
|
0:34:41
|
and thats going to be controlled by the group policy
|
|
0:34:44
|
so now I need a new group policy, we will say group policy
|
|
0:34:49
|
I will say that this is the SVC policy
|
|
0:34:53
|
this is internal, so it's not from an AAA server
|
|
0:34:59
|
and I need to mainly specify here
|
|
0:35:02
|
what is the, now you can see there are a lot of different options we can have under here
|
|
0:35:12
|
so I need to specify that for this group policy
|
|
0:35:14
|
what are the attributes
|
|
0:35:17
|
and specifically the attribute that I want is
|
|
0:35:24
|
what's the VPN tunnel protocol
|
|
0:35:27
|
where by default this does not include
|
|
0:35:30
|
the SVC, which is what I want, the SSL VPN client
|
|
0:35:36
|
from here I would have the normal group policy attributes
|
|
0:35:40
|
like what's the split tunnelling ACL
|
|
0:35:42
|
what's the address pool that I am going to get my allocation from
|
|
0:35:46
|
then if I am also doing a profile
|
|
0:35:55
|
where the SSL VPN Client Profile, this is where I will specify this
|
|
0:35:58
|
under the web VPN parameters
|
|
0:36:02
|
So you could see that there is the
|
|
0:36:04
|
group policy and then inside the group policy, there is a web vpn sub configuration mode
|
|
0:36:09
|
so we can configure a lot of the customizations from under here
|
|
0:36:14
|
but at a minimum really, the only other ones that I need to specify
|
|
0:36:18
|
are where we are going to get the addresses from
|
|
0:36:20
|
So is it going from an external DHCP server, or is it local
|
|
0:36:23
|
and what is the access list
|
|
0:36:26
|
Now I technically don't even need to know the access list
|
|
0:36:29
|
what that is going to control though
|
|
0:36:31
|
is when this pc connects
|
|
0:36:34
|
So it's actually just one half here
|
|
0:36:36
|
when it connects in the tunnel, am I going to send all the traffic out the tunnel
|
|
0:36:40
|
or is it only going to go to certain destinations
|
|
0:36:43
|
So if I want this to behave just like our previous vpn tunnels
|
|
0:36:48
|
I could say, send the traffic only to the 10 network out the vpn tunnel
|
|
0:36:53
|
because I am coming in the back and here from my remote desktop
|
|
0:36:57
|
and I want to make sure that I am still allowing this traffic to go through
|
|
0:37:03
|
So I am now configuring an access list, we will say that this is the
|
|
0:37:07
|
access list is the
|
|
0:37:09
|
SVC acl
|
|
0:37:12
|
that permits traffic coming from the 10 network
|
|
0:37:17
|
going anywhere
|
|
0:37:19
|
so just like any easyVPN, this is from the perspective of the ASA
|
|
0:37:24
|
I would then need a pool, an address pool
|
|
0:37:27
|
or an external DHCP server
|
|
0:37:30
|
in this case I will say, ip local pool
|
|
0:37:33
|
the name, we will say that this is the SVC pool
|
|
0:37:38
|
and what are the addresses that we are going to give them
|
|
0:37:41
|
let's say 192.168.1.1
|
|
0:37:46
|
and we will go through 192.168.1.254
|
|
0:37:53
|
what's the netmask, we will say the mask is then
|
|
0:37:56
|
/24, so 255.255.255.0
|
|
0:38:01
|
these options though, just like in the ipsec configurations, the local pool
|
|
0:38:08
|
the local pool is not automatically bound to the policy, nor is the access list
|
|
0:38:12
|
if we look at the show run
|
|
0:38:16
|
show run all group policy
|
|
0:38:36
|
this needs to be specified as what the address pool is
|
|
0:38:41
|
and what the split tunnelling policy is, so I would say tunnel specified
|
|
0:38:45
|
and then tunnel
|
|
0:38:47
|
for that network list, which is going to be the svc acl
|
|
0:39:03
|
So now we go back under our group-policy
|
|
0:39:08
|
svc policy, was the name
|
|
0:39:11
|
and under the attributes, I need to specify, what is the address pool
|
|
0:39:17
|
where the value of the address pool
|
|
0:39:20
|
was what I previously defined up here
|
|
0:39:22
|
the svc pool
|
|
0:39:26
|
then for the split tunnelling
|
|
0:39:29
|
policy, I want to tunnel
|
|
0:39:32
|
specified
|
|
0:39:35
|
and the split tunnel
|
|
0:39:38
|
the split tunnel network list which is the acl
|
|
0:39:41
|
has a value of the SVC ACL, which is what I called it
|
|
0:39:50
|
So now let's look at the rest of our configuration, let's look at the show run tunnel-group
|
|
0:39:58
|
the show run group policy
|
|
0:40:01
|
and the show run web vpn
|
|
0:40:06
|
So under the web vpn configuration mode
|
|
0:40:09
|
there is really not that much we need to specify here, we just need to enable it on the interface
|
|
0:40:14
|
say where is the file located
|
|
0:40:16
|
and then enable the SSL VPN client, because this is off by default
|
|
0:40:22
|
then we have the group policy
|
|
0:40:25
|
here the svc policy, which is allowing them to run that tunnelling protocol
|
|
0:40:30
|
which again is disabled by default
|
|
0:40:33
|
I have the split tunnelling access list which I don't technically need
|
|
0:40:37
|
the address pool I do need, because I need to give them some sort of allocation
|
|
0:40:42
|
then under the web VPN policy
|
|
0:40:44
|
or excuse me, the tunnel group for svc group
|
|
0:40:50
|
really the one that is key here is what is the alias
|
|
0:40:55
|
Now additionally I am going to go under the tunnel group for the web vpn
|
|
0:40:59
|
and under here, I am going to have the
|
|
0:41:04
|
web vpn attributes
|
|
0:41:07
|
and likewise specify, whats the group alias
|
|
0:41:11
|
I will say these are the web vpn users
|
|
0:41:16
|
so what we should now see, is that when we go to the windows machine
|
|
0:41:20
|
and start a new connection
|
|
0:41:23
|
to the web interface
|
|
0:41:26
|
it should ideally give us two separate options
|
|
0:41:33
|
it should be giving us the drop down that says, do I want to be in the
|
|
0:41:36
|
the svc users, or do I want to be in the web vpn users
|
|
0:41:41
|
where most likely what's missing here is that I didn't enable it
|
|
0:41:45
|
globally under the web vpn process
|
|
0:41:47
|
so lets look back here
|
|
0:41:49
|
on the ASA, let's say show run webvpn
|
|
0:41:53
|
and show run all web vpn
|
|
0:42:05
|
and this is going to be the tunnel-group-list
|
|
0:42:09
|
enabled, so this is off by default
|
|
0:42:12
|
I didn't need to say under
|
|
0:42:15
|
under web vpn
|
|
0:42:18
|
put that drop down list there, which is the tunnel group list
|
|
0:42:22
|
if I were then to refresh this page
|
|
0:42:27
|
we now see the drop down, so do we want to be the svc users or do we want to be the web vpn users
|
|
0:42:32
|
now for the web vpn users, nothing should have changed versus what we had before
|
|
0:42:37
|
so if I log in here
|
|
0:42:39
|
its going to give me that interface where I can then control
|
|
0:42:43
|
what services am I going to use, am I going to do normal web browsing, am I going to do telnet
|
|
0:42:48
|
or am I going to do file sharing, email
|
|
0:42:50
|
but the key is that I am going to use the ASA basically as the proxy server
|
|
0:42:57
|
so again if we were to go to telnet
|
|
0:43:00
|
and let's say we were to telnet to router1, we will say 200.0.0.1
|
|
0:43:08
|
when the Java applet loads, we will log in as cisco, password cisco
|
|
0:43:13
|
look at the show users
|
|
0:43:15
|
since this connection is coming from 200.0.122.12
|
|
0:43:20
|
but then if we were to look at the ipconfig
|
|
0:43:24
|
of the Windows host, their address is actually the 122.100
|
|
0:43:29
|
so our connection is now being proxied through the ASA
|
|
0:43:34
|
where again this is the clientless SSL VPN
|
|
0:43:38
|
Now if we start a new session
|
|
0:43:41
|
but in this case we are going to authenticate to the new group, which is the svc group
|
|
0:43:50
|
so we are the svc users
|
|
0:43:53
|
same login and password, because this is globally under the ASA
|
|
0:43:58
|
the difference is now, we should get this page, where the java applet starts to install
|
|
0:44:05
|
starts to install the SSL VPN client
|
|
0:44:09
|
Now in this case, it's sent me to the normal clientless SSL VPN page
|
|
0:44:14
|
what this most likely means
|
|
0:44:16
|
is that the tunnel group that I configured
|
|
0:44:19
|
either doesn't have the correct group policy assigned
|
|
0:44:24
|
because the group policy is determining what's the tunneling protocol, is it web VPN or is it SVC
|
|
0:44:29
|
or I am
|
|
0:44:31
|
calling the correct policy
|
|
0:44:33
|
but the policy doesn't have a correct protocol defined as well
|
|
0:44:36
|
so let's, on the ASA, let's look at the
|
|
0:44:39
|
the show run group policy
|
|
0:44:44
|
where the policy SVC policy says, we are going to use that as the tunnelling protocol
|
|
0:44:49
|
then this group policy, this needs to be called from the tunnel group
|
|
0:44:54
|
if we show run tunnel group
|
|
0:44:58
|
the SVC group
|
|
0:45:02
|
has not specified a new default group policy
|
|
0:45:06
|
so it's inheriting the global configuration
|
|
0:45:09
|
which is to use the web vpn or the ssl
|
|
0:45:13
|
client, as ssl vpn
|
|
0:45:17
|
so now for this particular tunnel group, under the general attributes
|
|
0:45:22
|
like you can see, for the one above that
|
|
0:45:24
|
under the general attributes, I need to say that the default
|
|
0:45:28
|
the default group policy is the svc policy
|
|
0:45:32
|
that's the one that I defined
|
|
0:45:35
|
So now if I were to disconnect
|
|
0:45:38
|
and reconnect
|
|
0:45:48
|
log in as cisco and cisco
|
|
0:45:52
|
under svc users
|
|
0:45:56
|
we are now redirected to the page where we are going to start to install the client
|
|
0:46:01
|
Now if we were to look at the ASA
|
|
0:46:04
|
at this point, this is where, we could look at the debug
|
|
0:46:07
|
vpn-session database
|
|
0:46:11
|
and if we were to turn the logging on, logging to the console at level 7 and logging is on
|
|
0:46:17
|
this is going to show us the actual
|
|
0:46:20
|
negotiation of the tunnel
|
|
0:46:23
|
So one thing it's asking me to do is to run the ActiveX control
|
|
0:46:30
|
So it's installed that
|
|
0:46:37
|
then you could see the details of SSL connection
|
|
0:46:41
|
it says that it is using
|
|
0:46:44
|
tls version 1
|
|
0:46:46
|
it's going to port 443
|
|
0:46:48
|
my identity is 200.0.122.12
|
|
0:46:52
|
connection is coming from 200.0.122.100
|
|
0:46:58
|
from the client side
|
|
0:47:01
|
it's going to ask us to do this installation
|
|
0:47:07
|
where now it's going through the download process
|
|
0:47:11
|
and you can see even though they are connected on the same segment, it's not very fast, it's only downloading it at
|
|
0:47:16
|
10 to 20 kilobits per second
|
|
0:47:19
|
So if we were to go with that 64k link, it's definitely going to be much much slower in order to do the installation
|
|
0:47:25
|
this problem here, this is actually a combination of the Windows machine being very low powered
|
|
0:47:29
|
because the vmware virtual machine doesn't have any resources allocated to it
|
|
0:47:34
|
and then the ASA 5510, this is basically the lowest level platform that you would run this on
|
|
0:47:41
|
So it's going to be pretty slow compared to some of the higher level platforms
|
|
0:47:46
|
So eventually once the client fully installs
|
|
0:47:50
|
then we should get to this portion where it's going to ask us for what the username and password is
|
|
0:47:54
|
but notice we now have an error message, it says the VPN establishment capability from remote desktop is disabled
|
|
0:48:01
|
and a VPN connection will not be established
|
|
0:48:03
|
So essentially the client knows that I am connecting to the windows machine through remote desktop
|
|
0:48:08
|
as opposed to locally on the console
|
|
0:48:10
|
So it's going to disallow this connection
|
|
0:48:13
|
Now in a real environment, if you were local on a machine, you are not going to have this
|
|
0:48:17
|
problem, like on your desktop or laptop
|
|
0:48:19
|
if this was a virtual machine
|
|
0:48:21
|
that you were connecting to through the vmware console
|
|
0:48:24
|
or even if you were using a vnc connection
|
|
0:48:27
|
the vpn client is not going to know that
|
|
0:48:30
|
so it's only basically that I am doing the remote desktop in order to
|
|
0:48:33
|
to connect to the machine, that it's stopping me from doing this
|
|
0:48:37
|
So now you have a couple of different options
|
|
0:48:39
|
I could actually connect to the vmware client
|
|
0:48:43
|
through the vmware console, I could use vnc for the connection
|
|
0:48:47
|
but instead what I am going to do
|
|
0:48:49
|
is show how to change the svc profile
|
|
0:48:53
|
which essentially is the anyconnect profile template
|
|
0:48:57
|
that controls what are the individual access options of the client
|
|
0:49:03
|
and whether they can do, for example this, it says remote desktop
|
|
0:49:07
|
is it allowed or is it disallowed
|
|
0:49:10
|
Now this is kind of a more obscure configuration
|
|
0:49:14
|
where within the scope of the CCIE lab exam, I highly highly doubt, they will have you do this
|
|
0:49:18
|
but from a real production implementation point of view
|
|
0:49:22
|
it is useful to know exactly, where this template is located
|
|
0:49:25
|
and what you can do in order to make changes to
|
|
0:49:29
|
So once the svc is installed
|
|
0:49:32
|
you will see there is a programme group here for
|
|
0:49:35
|
cisco and then the anyconnect client
|
|
0:49:37
|
So it's basically going to behave the same now as the regular Cisco secure client
|
|
0:49:43
|
the only difference is the transport, that we're running over SSL, not running over IPsec
|
|
0:49:48
|
but if we go to
|
|
0:49:50
|
the search function of windows
|
|
0:49:53
|
and the specific file names, so let's say, all files
|
|
0:49:57
|
and it's probably a hidden file
|
|
0:49:59
|
let's say search for hidden files and folders
|
|
0:50:04
|
the name is any
|
|
0:50:06
|
connect profile
|
|
0:50:09
|
.tmpl for template
|
|
0:50:13
|
and of course you could search for a wildcard version of this
|
|
0:50:16
|
where it says the location
|
|
0:50:18
|
is my specific user profile
|
|
0:50:22
|
so it's under application data, cisco, AnyConnect VPN profile
|
|
0:50:27
|
if I were to open this in notepad
|
|
0:50:32
|
if I were to open this in notepad
|
|
0:50:34
|
basically what this is, is just an xml file
|
|
0:50:37
|
that's going to control what are the different options that the user is
|
|
0:50:41
|
is allowed to do
|
|
0:50:43
|
once the connection starts
|
|
0:50:46
|
so it says certificate store override is false
|
|
0:50:51
|
where
|
|
0:50:53
|
this setting allows an administrator to direct AnyConnect to
|
|
0:50:56
|
search for certificates in the Windows machine certificate store
|
|
0:50:59
|
this is useful in cases where certificates are located in the store and users do not have administrative privileges to the machine
|
|
0:51:04
|
so you can see a lot of these are very very specific
|
|
0:51:08
|
and you can spend some time reading through this to figure out exactly
|
|
0:51:11
|
what you would or what you would not need to change
|
|
0:51:18
|
but what I am looking for specifically here
|
|
0:51:22
|
is there is an option that says
|
|
0:51:25
|
windows vpn establishment
|
|
0:51:34
|
this one, windows vpn establishment
|
|
0:51:36
|
says this section enables the definition of
|
|
0:51:39
|
no, this one, before the session
|
|
0:51:41
|
this setting allows the administrator to control whether a VPN connection may be initiated by a remote user
|
|
0:51:46
|
which is what I am currently
|
|
0:51:48
|
I would need to change this, local users only,
|
|
0:51:51
|
I would need to change this to say
|
|
0:51:54
|
allow
|
|
0:51:56
|
remote users
|
|
0:51:58
|
and I am not 100% sure this is case sensitive
|
|
0:52:02
|
So you could try it either way to see if that
|
|
0:52:04
|
is or is not case sensitive
|
|
0:52:06
|
So now I am going to save this on the desktop
|
|
0:52:11
|
and I will say that this is
|
|
0:52:13
|
let's say my profile
|
|
0:52:19
|
Now this profile was dynamically downloaded from the ASA once the connection established
|
|
0:52:24
|
so essentially what I need to do is now get this particular profile
|
|
0:52:29
|
to load on the ASA's flash
|
|
0:52:32
|
then I could use this to offer to other clients
|
|
0:52:37
|
and that's what the svc profile value is under the group policy
|
|
0:52:42
|
or I could even technically configure this under
|
|
0:52:44
|
on individual users, specify different profiles for individual users
|
|
0:52:49
|
So in order to do this
|
|
0:52:51
|
I need to somehow get the file there
|
|
0:52:53
|
so I am going to use tftp
|
|
0:52:56
|
where I have a tftp server running
|
|
0:52:58
|
Now on the desktop
|
|
0:53:00
|
then on the ASA, I am going to say
|
|
0:53:03
|
I want to copy
|
|
0:53:06
|
from the tftp
|
|
0:53:08
|
the address is 200.0.122.100
|
|
0:53:13
|
and the file is my
|
|
0:53:15
|
profile.tmpl for template
|
|
0:53:19
|
and I am going to copy this to disk0
|
|
0:53:28
|
it says file is not found
|
|
0:53:32
|
so let's see, what is
|
|
0:53:38
|
the extension of this
|
|
0:53:41
|
we changed it to .txt, so I
|
|
0:53:44
|
I don't believe it actually matters what the extension is, let's try
|
|
0:53:53
|
actually let me resave it, just in case it does matter
|
|
0:53:57
|
let's say myprofile.tmpl
|
|
0:54:02
|
announce that template, so let's try it again from the ASA
|
|
0:54:05
|
copy tftp myprofile.
|
|
0:54:08
|
tmpl to disk0
|
|
0:54:13
|
okay, if we look at the dir output
|
|
0:54:16
|
Now I have that template
|
|
0:54:19
|
if we were to actually view it, if we were to say more to disk0:/myprofile
|
|
0:54:30
|
inside eventually we should get to the point that says the
|
|
0:54:35
|
allow remote users under the vpn establishment
|
|
0:54:42
|
which is this one, allow remote users
|
|
0:54:46
|
the next thing I would need to do is
|
|
0:54:47
|
is assign this either to the user or to the group policy
|
|
0:54:51
|
and if we look at the show run all group-policy
|
|
0:54:55
|
this is the option under web vpn
|
|
0:55:00
|
that is the
|
|
0:55:01
|
SVC profile
|
|
0:55:06
|
so I am going to say that for this particular
|
|
0:55:09
|
policy
|
|
0:55:23
|
where my policy's name is svc policy
|
|
0:55:29
|
So group-policy
|
|
0:55:33
|
group policy, svc policy attributes under web vpn
|
|
0:55:38
|
the svc profile
|
|
0:55:41
|
has a value of
|
|
0:55:45
|
actually I need to specify globally first, I need to say
|
|
0:55:49
|
I must turn logging off, let's say no logging console
|
|
0:55:53
|
I need to specify under the web vpn mode globally
|
|
0:55:57
|
what is the
|
|
0:56:02
|
svc profile
|
|
0:56:05
|
we will say my
|
|
0:56:07
|
profile is actually the file
|
|
0:56:11
|
disk0:/myprofile.tmpl
|
|
0:56:16
|
so now under that group policy
|
|
0:56:19
|
svc policy attributes on the web vpn
|
|
0:56:23
|
the svc profile
|
|
0:56:26
|
value is myprofile
|
|
0:56:29
|
so again stuff like this you can see is very very specific
|
|
0:56:33
|
it's unlikely that you are going to find this in the documentation
|
|
0:56:36
|
you probably would find it in something like a tech tip or a configuration example
|
|
0:56:40
|
so you don't need to get into this level of detail
|
|
0:56:44
|
with the SSL configuration
|
|
0:56:46
|
the reason that I am showing this though is you can't demo
|
|
0:56:49
|
the actual tunnel
|
|
0:56:51
|
unless you have local access to the console of windows
|
|
0:56:55
|
or you are allowing this particular option
|
|
0:56:58
|
so let's try this again now, let's
|
|
0:57:02
|
run the vpn client
|
|
0:57:06
|
So we will browse to that address
|
|
0:57:10
|
log in as cisco, cisco
|
|
0:57:14
|
that should trigger the AnyConnect to start
|
|
0:57:22
|
we looked down here in the
|
|
0:57:25
|
the status bar just like you would have with the regular client
|
|
0:57:29
|
if we double click on it, we get statistics
|
|
0:57:32
|
it says now my client's address is 192.168.1.1
|
|
0:57:37
|
if we were to go to the windows command line
|
|
0:57:40
|
and look at the ipconfig
|
|
0:57:43
|
just like we have for the easy VPN client adapter
|
|
0:57:48
|
we now have the AnyConnect
|
|
0:57:50
|
adapter and we have the address assigned
|
|
0:57:55
|
if we look at the route print output
|
|
0:57:58
|
we should have this split tunnel acl
|
|
0:58:01
|
installed via the tunnel interface
|
|
0:58:05
|
where I have 10.0.0.0
|
|
0:58:08
|
/8 is via 192.168.1.1
|
|
0:58:14
|
if we now try to
|
|
0:58:16
|
actually send traffic out the tunnel
|
|
0:58:20
|
so if we look at the topology here, this would be from the test PC's perspective
|
|
0:58:25
|
but say that we were to telnet
|
|
0:58:29
|
to router6
|
|
0:58:32
|
if we telnet to 10.0.6.6
|
|
0:58:38
|
from the show users output
|
|
0:58:40
|
I am coming from my tunnel interface
|
|
0:58:44
|
192.168.1.1
|
|
0:58:48
|
if we now look at the ASA in the transit path, ASA1 here
|
|
0:58:53
|
and look at its connections
|
|
0:58:58
|
on ASA1 if we say show connection detail
|
|
0:59:07
|
or show connections off
|
|
0:59:10
|
what we will see, right now no traffic is being sent but
|
|
0:59:15
|
lets go to the
|
|
0:59:19
|
the PC, actually no, I forget, it's not on this segment anymore, it's now on
|
|
0:59:24
|
this segment here
|
|
0:59:28
|
So the SSL connection is directly one hop away
|
|
0:59:31
|
but if we look at ASA2
|
|
0:59:33
|
and the show
|
|
0:59:36
|
vpn-session database
|
|
0:59:41
|
we see it says that for
|
|
0:59:49
|
the SSL VPN
|
|
0:59:53
|
there are active tunnels
|
|
0:59:55
|
it is one active SSL tunnel
|
|
0:59:58
|
if we say
|
|
1:00:01
|
debug VPN session
|
|
1:00:05
|
vpn-session database
|
|
1:00:07
|
then we were to send traffic over the tunnel
|
|
1:00:11
|
so say I will ping router6's address for example
|
|
1:00:16
|
if logging were on, so logging console 7
|
|
1:00:27
|
lets disconnect the tunnel and then reestablish it
|
|
1:00:58
|
So we could see now the ASA shows the individual negotiation
|
|
1:01:01
|
where we are assigning the address 192.168.1.1
|
|
1:01:05
|
we would also see the encryption that they are
|
|
1:01:08
|
negotiating, in this case it says rc4-
|
|
1:01:11
|
sha is used for the SSL connection
|
|
1:01:14
|
and this is going to depend on the individual client
|
|
1:01:17
|
so the version of the client
|
|
1:01:19
|
that the ASA is then downloading to, or I should say the ASA is uploading to the client
|
|
1:01:25
|
thats going to control what
|
|
1:01:27
|
the particular
|
|
1:01:28
|
encryption and authentication that it's using
|
|
1:01:35
|
if I then wanted to disconnect the session
|
|
1:01:38
|
to clear and reestablish it for any type of troubleshooting
|
|
1:01:41
|
I would say vpn-session database logoff
|
|
1:01:46
|
then I could choose the individual session or to say all of them
|
|
1:01:51
|
then we should see, from the windows machine, now the connection is going to close
|
|
1:01:56
|
but when we compare the final configuration of this
|
|
1:02:00
|
to the other easyVPN tunnels
|
|
1:02:03
|
it's not that far of a stretch
|
|
1:02:05
|
the problem is that there are so many minor
|
|
1:02:08
|
customizations that you can do
|
|
1:02:10
|
with the SSL VPN client and the clientless connection
|
|
1:02:14
|
it quickly starts to get overwhelming, what the end result of the configuration looks like
|
|
1:02:20
|
but here we have our global web vpn options
|
|
1:02:24
|
which is turning it on
|
|
1:02:26
|
where is the file for the actual client software
|
|
1:02:30
|
we are turning the svc on
|
|
1:02:32
|
then saying that we are giving them that list of the drop downs, what is the particular group
|
|
1:02:38
|
for the clientless tunnel
|
|
1:02:40
|
we have a group policy, says that we are using web vpn protocol
|
|
1:02:45
|
and that they are using a different
|
|
1:02:49
|
group policy
|
|
1:02:51
|
or no, this is the group policy, then the tunnel
|
|
1:02:54
|
is down here further
|
|
1:02:56
|
where vpn group says that they are using that policy
|
|
1:03:01
|
but notice here that this is basically the only thing that we are defining
|
|
1:03:04
|
under the tunnel
|
|
1:03:07
|
when we configured multiple tunnels then we had to add the group alias
|
|
1:03:11
|
to make sure that you can choose between the drop down
|
|
1:03:14
|
Now if I don't want this particular group in the drop down, I could remove this
|
|
1:03:19
|
then for the SVC we have the same
|
|
1:03:22
|
configuration here for the tunnel group
|
|
1:03:24
|
on the group policy we have our more IPsec-like options
|
|
1:03:28
|
like the split tunnelling access list, the address pool
|
|
1:03:31
|
we need to specify that they can use the svc
|
|
1:03:34
|
and then in the case of the custom profile
|
|
1:03:37
|
that was to change basically the XML attributes that are downloaded to that individual client
|