Cisco ASA 5580 Adaptive Security Appliance Getting Started Guide, 8.1
Scenario: SSL VPN Clientless Connections

Table Of Contents

Scenario: SSL VPN Clientless Connections

About Clientless SSL VPN

Security Considerations for Clientless SSL VPN Connections

Example Network with Browser-Based SSL VPN Access

Implementing the Clientless SSL VPN Scenario

Information to Have Available

Starting ASDM

Configuring the ASA 5580 for Browser-Based SSL VPN Connections

Specifying the SSL VPN Interface

Specifying a User Authentication Method

Specifying a Group Policy

Creating a Bookmark List for Remote Users

Verifying the Configuration

What to Do Next


Scenario: SSL VPN Clientless Connections


This chapter describes how to use the adaptive security appliance to accept remote access SSL VPN connections without a software client (clientless). A clientless SSL VPN allows you to create secure connections, or tunnels, across the Internet using a web browser. This provides secure access to off-site users without a software client or hardware client.

This chapter includes the following sections:

About Clientless SSL VPN

Example Network with Browser-Based SSL VPN Access

Implementing the Clientless SSL VPN Scenario

What to Do Next

About Clientless SSL VPN

Clientless SSL VPN connections enable secure and easy access to a broad range of web resources and web-enabled applications from almost any computer on the Internet. They include the following:

Internal websites

Web-enabled applications

NT/Active Directory and FTP file shares

E-mail proxies, including POP3S, IMAP4S, and SMTPS

MS Outlook Web Access

MAPI

Application Access (that is, port forwarding for access to other TCP-based applications) and Smart Tunnels

Clientless SSL VPN uses the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), to provide the secure connection between remote users and the specific, supported internal resources that you configure at a central site. The adaptive security appliance recognizes connections that need to be proxied, and its HTTP server interacts with the authentication subsystem to authenticate users.

The network administrator grants Clientless SSL VPN users access to resources on a group basis.

Security Considerations for Clientless SSL VPN Connections

Clientless SSL VPN connections on the adaptive security appliance differ from remote access IPsec connections, particularly with respect to how they interact with SSL-enabled servers and the validation of certificates.

In a Clientless SSL VPN connection, the adaptive security appliance acts as a proxy between the end-user web browser and the target web servers. When a user connects to an SSL-enabled web server, the adaptive security appliance establishes the secure connection to that server and receives its SSL certificate. The end-user browser never receives the presented certificate, so it cannot examine or validate it.

The current implementation of Clientless SSL VPN on the adaptive security appliance rejects connections to sites that present expired certificates, but it does not validate the server certificate against a trusted CA. Because the browser never sees the certificate either, users cannot assess the identity of an SSL-enabled web server before the appliance relays their traffic to it.

To minimize the risks involved with SSL certificates:

1. Configure a group policy that consists of all users who need Clientless SSL VPN access and enable it only for that group policy.

2. Limit the resources that Clientless SSL VPN users can reach. Restrict users from accessing general content on the Internet through the clientless connection, and configure links only to the specific targets on the internal network that Clientless SSL VPN users need.

3. Educate users. If an SSL-enabled site is outside the private network, users should not visit it over a Clientless SSL VPN connection. They should open a separate browser window for such sites, so that the browser itself receives and validates the presented certificate.
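The restrictions described in items 1 and 2, expressed as ASA CLI configuration. This is an added illustration, not configuration from this guide or generated by the SSL VPN Wizard; the group-policy name, bookmark list name, access-list name and internal host names are assumptions, and the commands are the ASA 8.x group-policy webvpn and webtype access-list syntax (confirm them against the Command Reference for your release). The first group policy is the permissive form, in which users may type any URL into the portal; the second applies a webtype ACL that allows only the bookmarked internal hosts and removes the URL and file entry fields from the portal.

```text
! Permissive clientless group policy (assumed name "ClientlessPolicy").
! Users can enter arbitrary URLs and file paths on the portal page, and
! nothing limits which hosts the appliance will proxy to on their behalf.
group-policy ClientlessPolicy internal
group-policy ClientlessPolicy attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value ClientlessBookmarks
  url-entry enable
  file-entry enable
  file-browsing enable

! Hardened form. The webtype ACL (assumed name and hosts) permits only the
! internal targets that are bookmarked and denies everything else, so the
! appliance will not proxy to Internet sites whose certificates the user
! cannot see (item 2). vpn-tunnel-protocol webvpn enables clientless
! access on this policy only (item 1).
access-list CLIENTLESS_WEBTYPE webtype permit url https://intranet.example.com/*
access-list CLIENTLESS_WEBTYPE webtype permit url https://mail.example.com/*
access-list CLIENTLESS_WEBTYPE webtype permit url cifs://files.example.com/*
access-list CLIENTLESS_WEBTYPE webtype deny url any log

group-policy ClientlessPolicy attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value ClientlessBookmarks
  filter value CLIENTLESS_WEBTYPE
  url-entry disable
  file-entry disable
  file-browsing disable
```

With url-entry disabled the portal shows only the bookmark list, and the filter catches anything reached indirectly (for example, a link inside a rewritten page that points off-network), which is why both settings are applied rather than relying on either alone.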

The adaptive security appliance does not support the following features for Clientless SSL VPN connections:

NAT, which reduces the need for globally unique IP addresses.

PAT, which permits multiple outbound sessions to appear to originate from a single IP address.

Example Network with Browser-Based SSL VPN Access

Figure 6-1 shows the adaptive security appliance configured to accept SSL VPN connection requests over the Internet using a web browser.

Figure 6-1 Network Layout for SSL VPN Connections

Implementing the Clientless SSL VPN Scenario

This section describes how to configure the adaptive security appliance to accept SSL VPN requests from web browsers. Values for example configuration settings are taken from the remote-access scenario illustrated in Figure 6-1.

This section includes the following topics:

Information to Have Available

Starting ASDM

Configuring the ASA 5580 for Browser-Based SSL VPN Connections

Specifying the SSL VPN Interface

Specifying a User Authentication Method

Specifying a Group Policy

Creating a Bookmark List for Remote Users

Verifying the Configuration

Information to Have Available

Before you begin configuring the adaptive security appliance to accept clientless SSL VPN connections, make sure that you have the following information available:

Name of the interface on the adaptive security appliance to which remote users will connect. When remote users connect to this interface, the SSL VPN Portal Page is displayed.

Digital certificate

The ASA 5580 generates a self-signed certificate by default. For improved security and to eliminate browser warning messages, you may want to purchase a publicly trusted SSL VPN certificate before putting the system in a production environment.

List of users to be used in creating a local authentication database, unless you are using a AAA server for authentication.

If you are using a AAA server for authentication, the AAA Server Group Name

The following information about group policies on the AAA server:

Server group name

Authentication protocol to be used (RADIUS, TACACS+, SDI, NT, Kerberos, LDAP)

IP address of the AAA server

Interface of the adaptive security appliance to be used for authentication

Secret key to authenticate with the AAA server

List of internal websites or pages you want to appear on the SSL VPN portal page when remote users establish a connection. Because this is the page users see when they first establish a connection, it should contain the most frequently used targets for remote users.

Starting ASDM

This section describes how to start ASDM using the ASDM Launcher software. If you have not installed the ASDM Launcher software, see Installing the ASDM Launcher, page 4-5.

If you prefer to access ASDM directly with a web browser or using Java, see Starting ASDM with a Web Browser, page 4-7.

To start ASDM using the ASDM Launcher software, perform the following steps:


Step 1 From your desktop, start the Cisco ASDM Launcher software.

A dialog box appears.

Step 2 Enter the IP address or the host name of your adaptive security appliance.

Step 3 Leave the Username and Password fields blank.


Note By default, there is no Username and Password set for the Cisco ASDM Launcher.


Step 4 Click OK.

Step 5 If you receive a security warning containing a request to accept a certificate, click Yes. The warning appears because the ASA 5580 uses a self-signed certificate by default.

The ASA 5580 checks to see if there is updated software and if so, downloads it automatically.

The main ASDM window appears.


Configuring the ASA 5580 for Browser-Based SSL VPN Connections

To begin the process for configuring a browser-based SSL VPN, perform the following steps:


Step 1 In the main ASDM window, choose SSL VPN Wizard from the Wizards drop-down menu. The SSL VPN Wizard Step 1 screen appears.

Step 2 In Step 1 of the SSL VPN Wizard, perform the following steps:

a. Check the Browser-based SSL VPN (Web VPN) check box.

b. Click Next to continue.


Specifying the SSL VPN Interface

In Step 2 of the SSL VPN Wizard, perform the following steps:


Step 1 Specify a Connection Name. This name identifies the connection profile that remote users connect to.

Step 2 From the SSL VPN Interface drop-down list, choose the interface to which remote users connect. When users establish a connection to this interface, the SSL VPN portal page is displayed.

Step 3 From the Certificate drop-down list, choose the certificate that the ASA 5580 presents to remote users to authenticate itself.


Note The ASA 5580 generates a self-signed certificate by default. For improved security and to eliminate browser warning messages, you may want to purchase a publicly trusted SSL VPN certificate before putting the system in a production environment.



Specifying a User Authentication Method

Users can be authenticated either by a local authentication database or by using external authentication, authorization, and accounting (AAA) servers (RADIUS, TACACS+, SDI, NT, Kerberos, and LDAP).

In Step 3 of the SSL VPN Wizard, perform the following steps:


Step 1 If you are using a AAA server or server group for authentication, perform the following steps:

a. Click the Authenticate using a AAA server group radio button.

b. Choose a preconfigured server group from the Authenticate using an AAA server group drop-down list, or click New to add a new AAA server group.

To create a new AAA Server Group, click New. The New Authentication Server Group dialog box appears.

In this dialog box, specify the following:

A server group name

The Authentication Protocol to be used (RADIUS, TACACS+, SDI, NT, Kerberos, LDAP)

IP address of the AAA server

Interface of the adaptive security appliance

Secret key to be used when communicating with the AAA server

Click OK.

Step 2 If you have chosen to authenticate users with the local user database, you can create new user accounts here. You can also add users later using the ASDM configuration interface.

To add a new user, enter a username and password, and then click Add.

Step 3 When you have finished adding new users, click Next to continue.


Specifying a Group Policy

In Step 4 of the SSL VPN Wizard, specify a group policy by performing the following steps:


Step 1 Click the Create new group policy radio button and specify a group name.

OR

Click the Modify an existing group policy radio button and choose a group from the drop-down list.

Step 2 Click Next.


Creating a Bookmark List for Remote Users

You can create a portal page, a special web page that comes up when browser-based clients establish VPN connections to the adaptive security appliance, by specifying a list of URLs to which users should have easy access.

In Step 5 of the SSL VPN Wizard, specify URLs to appear on the VPN portal page by performing the following steps:


Step 1 To specify an existing bookmark list, choose the Bookmark List name from the drop-down list.

To add a new list or edit an existing list, click Manage.

The Configure GUI Customization Objects dialog box appears.

Step 2 To create a new bookmark list, click Add.

To edit an existing bookmark list, choose the list and click Edit.

The Add Bookmark List dialog box appears.

Step 3 In the URL List Name field, specify a name for the list of bookmarks you are creating. This is used as the title for your VPN portal page.

Step 4 Click Add to add a new URL to the bookmark list.

The Add Bookmark Entry dialog box appears.

Step 5 Specify a title for the bookmark in the Bookmark Title field. This is the link text that appears on the portal page.

Step 6 From the URL Value drop-down list, choose the type of URL you are specifying. For example, choose http, https, ftp, and so on.

Then, specify the complete URL for the page.

Step 7 Click OK to return to the Add Bookmark List dialog box.

Step 8 If you are finished adding bookmark lists, click OK to return to the Configure GUI Customization Objects dialog box.

Step 9 When you are finished adding and editing bookmark lists, click OK to return to Step 5 of the SSL VPN Wizard.

Step 10 Choose the name of the bookmark list for this VPN group from the Bookmark List drop-down list.

Step 11 Click Next to continue.


Verifying the Configuration

In Step 6 of the SSL VPN Wizard, review the configuration settings to ensure that they are correct. The configuration that appears should be similar to the following:

If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.

If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM.

If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
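The configuration that the six wizard steps above produce, expressed as the equivalent ASA CLI commands. This is an added illustration, not text from this guide or output captured from the wizard; the interface name, trustpoint name, AAA server group and address, shared secret, user name, group-policy name, connection name and bookmark list name are all assumptions, and the commands are ASA 8.x syntax (confirm them against the Command Reference for your release). The bookmark list itself is built as XML by the wizard in Step 5 and is referenced here by name only.

```text
! Step 2: interface and certificate. Binding a trustpoint that holds the
! purchased certificate (assumed name "SSLVPN_CERT") replaces the default
! self-signed certificate on the SSL VPN interface (assumed "outside").
ssl trust-point SSLVPN_CERT outside

webvpn
 enable outside
 tunnel-group-list enable

! Step 3, AAA server option: server group name, protocol, interface, host
! and shared secret from "Information to Have Available" (all assumed).
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 10.1.1.10
 key <shared-secret>

! Step 3, local database option: one user added in the wizard (assumed).
username jsmith password <password>

! Step 4: group policy, restricted to clientless access, with the Step 5
! bookmark list (assumed name) shown on the portal page.
group-policy ClientlessPolicy internal
group-policy ClientlessPolicy attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value ClientlessBookmarks

! Step 2 Connection Name: the connection profile remote users select on
! the login page, authenticating against the AAA group above and landing
! in the group policy above. Use "authentication-server-group LOCAL" for
! the local database option instead.
tunnel-group ClientlessProfile type remote-access
tunnel-group ClientlessProfile general-attributes
 authentication-server-group RADIUS_SRV
 default-group-policy ClientlessPolicy
tunnel-group ClientlessProfile webvpn-attributes
 group-alias ClientlessProfile enable

! Equivalent of File > Save in ASDM: copy the running configuration to
! the startup configuration so it survives a restart.
write memory

! After a test login from a browser, list the active clientless sessions
! to confirm the user landed in the intended group policy.
show vpn-sessiondb webvpn
```

Compare the output of show running-config webvpn, group-policy and tunnel-group with the summary shown in Step 6 of the wizard; any setting the wizard did not expose (for example the trustpoint binding) is visible only here and in the ASDM configuration panes.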

What to Do Next

If you are deploying the adaptive security appliance solely in a clientless SSL VPN environment, you have completed the initial configuration. In addition, you may want to consider performing some of the following steps:

To Do This...                                                       See...
Refine configuration and configure optional and advanced features   Cisco Security Appliance Command Line Configuration Guide
Learn about daily operations                                        Cisco Security Appliance Command Reference
                                                                    Cisco Security Appliance Logging Configuration and System Log Messages


You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance: