Monday, February 11, 2008

Configuring SSL VPN (clientless) on the Cisco ASA, v8.0(3)

Basic Clientless SSL VPN Setup

We will attempt to walk you through setting up a simple SSL VPN on the ASA. This configuration will be a foundation on which to add additional security and access features, so it is a ‘start-here’ kind of thing.

It is presented as a step-by-step graphical guide to configuring your first SSL VPN.
The starting point for this configuration is the _initial-config_ guide.

The basic steps involved in setting up a basic SSL VPN are:

  1. Enable SSL VPN on an interface (actually, this is all that you have to do);
  2. Configure a Connection Profile;
  3. Configure a Group Policy.

1) Enable SSL VPN on an Interface

OK. This part is really easy. In fact, it is a single check-box.

At the command line the equivalent is the following. The first command enters webvpn configuration mode, and the enable command names the interface on which the portal listens (the interface name 'outside' is used here as an example; substitute the nameif of your Internet-facing interface):

    5505(config)# webvpn
    5505(config-webvpn)# enable outside

2) Configure a Connection Profile

Actually, the DefaultWEBVPNGroup does not require any changes to enable your first SSL VPN. Of course, you probably won’t end up with the environment that you really want, but it _will_ work.

3) Configure a Group Policy

Well, go figure, the DefaultWEBVPNGroup is bound, by default, to the DfltGrpPolicy. Again, the Default Group Policy is set up to work.

When we connect to this site we get a pretty unimpressive experience. First, we have to enter https://, or else the connection times out: HTTP to HTTPS forwarding is not configured by default, and without it the simple user experience that we are looking for falls a little short. Next, we see certificate warnings. That is to be expected, as we have not installed a certificate from a valid CA (certificate authority). Finally, the login page and the portal page are quite plain, which is something we will take care of later.

Still, even with so little work done, we have a huge amount of access to the protected resources. The address bar in the portal alone is the gateway: as long as it is available, every protected resource is reachable through it. Just type in the URL of a resource on the protected network, and it shows up in the browser, protected by the SSL VPN.

The only problem is, this is not very convenient to use.

Later we will find ways to dress this up and put the resources just a click away from the portal.

But, first, let’s lock it down so nobody can easily abuse us when we walk away.

To do this we are going to remove that address bar from the portal.

In ASDM you may notice that certain elements seem to be listed twice. Well, they are. Cisco has tried to group the functions within each element logically by purpose. For this task we need to configure the Group Policy, but we are not going to configure it from the Network (Client) Access > Group Policy menu tree. Instead we access this feature from Clientless SSL VPN Access > Group Policies.

By default URL Entry, File Server Entry and File Server Browsing are enabled. All it takes to disable these features in our configuration are a few radio buttons and an ‘apply’.
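As an added example (not from the original post, and not Cisco's code), here is a small Python audit that reads an ASA running-config excerpt and checks for the hardening covered so far: SSL VPN enabled on an interface, HTTP-to-HTTPS forwarding (the `http redirect` command), and the URL Entry, File Server Entry and File Server Browsing settings, which on the CLI are the `url-entry`, `file-entry` and `file-browsing` keywords under the group policy's `webvpn` attributes. The two config excerpts are constructed for this example; the hostname and the interface name 'outside' are assumptions.

```python
"""Audit an ASA 8.0-style running-config excerpt for the clientless SSL VPN
hardening steps discussed above. The config text below is constructed sample
input, not a capture from a real device."""

# Constructed: portal enabled on 'outside' but every default left in place.
WEAK_CONFIG = """\
hostname 5505
interface Vlan2
 nameif outside
 security-level 0
group-policy DfltGrpPolicy attributes
webvpn
 enable outside
"""

# Constructed: same device after adding the redirect and disabling the
# three portal entry features in the default group policy.
HARDENED_CONFIG = """\
hostname 5505
interface Vlan2
 nameif outside
 security-level 0
http redirect outside 80
group-policy DfltGrpPolicy attributes
 webvpn
  url-entry disable
  file-entry disable
  file-browsing disable
webvpn
 enable outside
"""

# Group-policy webvpn features that are enabled by default on the ASA.
PORTAL_ENTRY_FEATURES = ("url-entry", "file-entry", "file-browsing")


def parse_blocks(config):
    """Return a list of (path, line) pairs, where path is the tuple of enclosing
    block headers. ASA shows nesting by indenting one space per level."""
    entries = []
    stack = []  # (indent, header) for each open block
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while stack and stack[-1][0] >= indent:  # close blocks at same/deeper indent
            stack.pop()
        entries.append((tuple(h for _, h in stack), line))
        stack.append((indent, line))
    return entries


def webvpn_enabled_interfaces(config):
    """Interfaces listed with 'enable <nameif>' under the global webvpn block."""
    return sorted(line.split()[1] for path, line in parse_blocks(config)
                  if path == ("webvpn",) and line.startswith("enable "))


def http_redirect_interfaces(config):
    """Interfaces with 'http redirect <nameif> [port]' at the top level."""
    return sorted(line.split()[2] for path, line in parse_blocks(config)
                  if path == () and line.startswith("http redirect "))


def portal_entry_settings(config, policy="DfltGrpPolicy"):
    """State of url-entry / file-entry / file-browsing for one group policy.
    Anything not explicitly set keeps the ASA default of 'enable'."""
    header = f"group-policy {policy} attributes"
    settings = {feature: "enable" for feature in PORTAL_ENTRY_FEATURES}
    for path, line in parse_blocks(config):
        if path == (header, "webvpn"):
            parts = line.split()
            if len(parts) == 2 and parts[0] in settings:
                settings[parts[0]] = parts[1]
    return settings


def audit(config, policy="DfltGrpPolicy"):
    """Return a list of human-readable findings; an empty list means hardened."""
    findings = []
    vpn_ifs = webvpn_enabled_interfaces(config)
    if not vpn_ifs:
        findings.append("clientless SSL VPN is not enabled on any interface")
    redirect_ifs = set(http_redirect_interfaces(config))
    for ifname in vpn_ifs:
        if ifname not in redirect_ifs:
            findings.append(f"no 'http redirect {ifname}': users must type https://")
    for feature, state in portal_entry_settings(config, policy).items():
        if state != "disable":
            findings.append(f"{policy}: {feature} is {state}d, so the portal address bar "
                            f"is an open gateway to the protected network")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

Run against the weak excerpt the audit reports the missing redirect and the three entry features still enabled; against the hardened excerpt it reports nothing. Feeding it the output of `show running-config` from a lab unit is a quick way to confirm that the ASDM radio buttons actually landed in the configuration.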

Now we have a really plain portal, with no functionality.

So, what have we really done here?

We now have an SSL VPN portal that works, albeit with extremely limited functionality. And, it is kind of plain, too.

What we really have, though, is a good starting point to build our SSL VPN on our Cisco ASA.

Next: Easing Administration with AAA

Copyright 2008. MultiFactor Corporation. All Rights Reserved.