
CCIE Security V4 Technology Labs Section 7: Confidentiality and Secure Access


ASA Clientless SSL VPN
Last updated: May 20, 2013
Hardware Configuration(s)
Section 7 Confidentiality and Secure Access Config Files (/documents/configs/Section 7 Confidentiality And Secure Access Config Files.zip)
Note:
For this task, you can use the configuration files that resulted from completing the
previous task, or you can load the Section 7 Initial Configuration Files to initialize your
rack.
Task
Configure ASA4 to permit WebVPN connections on its VLAN100 interface using the port number
443:
Create a URL-List entry named CISCO pointing to the URL http://www.cisco.com.
Filter WebVPN connections and only allow users to connect on the port 80 to sites in .com
domains.
Configure R1 as a DNS server and make the firewall use it for WebVPN.
Create a DNS entry in R1 for www.cisco.com resolving to R1's Loopback0 address.
Authenticate users using the name WEBVPN and password CISCO1234 locally.
Ensure that this user is only allowed to use the configured WEBVPN group.
Overview
SSL VPN is a technology that allows tunneling IP packets over an SSL connection (TCP protected
by SSL). Using regular SSL connections on the default port 443 allows for better compatibility and
firewall/NAT traversal. An SSL VPN connection can be either client-based (requires software
installed on the client side) or clientless (requires only a compatible web browser on the client side).
Clientless SSL VPN technology (aka WebVPN) allows remote users to access corporate resources
solely using their web browsers. This feature does not require any client installation on the user's
side. The ASA firewall is used as a proxy for HTTP/HTTPs connections initiated by the user. The
user connects to the ASA firewall using a secure HTTP connection and authenticates with a
username and password, digital certificate, or both. The firewall opens a special (customizable)
portal page to the user, which emulates a browser with a URL address bar. The user may enter URLs
for company resources, and the firewall resolves them using a configured DNS server and
downloads the requested pages. Optionally, the firewall may apply a URL filter to restrict access to
certain corporate resources, or even disallow URL entry completely, providing the user with a list of
static bookmarks.
In addition to simple HTTP/HTTPs browsing, the user may access Microsoft file shares or use the
SMTPs/POP3s/IMAPs proxy for email access. If you have TCP-based applications requiring
access to custom TCP ports, WebVPN lets you download a special Java applet that implements
port-forwarding (covered in a separate scenario). A more advanced feature is the Smart-Tunnel
option, which allows automatic port-redirection for any application written using the Winsock library
(covered in a separate scenario).
Aside from TCP-based connectivity, the firewall may allow users to download and run
application-specific plugins, such as RDP, VNC, or Telnet applets. These plugins let the user
initiate a connection using the specified protocol to any destination on the protected network.
Here are the basic WebVPN configuration steps. The pattern is to define some global properties
and then configure a group-policy and a connection-profile (tunnel-group).
Step 1:
Enable WebVPN on the required interface by entering webvpn configuration mode and using the
command enable <INTERFACE_NAMEIF>. You may need to define the port number used for
WebVPN connections using the command port <port-number>, which defaults to 443. Notice
that this no longer affects ASDM access on the same port, which was the case in previous code
versions. ASDM and clientless SSL VPN can run concurrently on the same port, because ASDM
uses a dedicated URL in the format https://IP_ADDRESS/admin.
You may define HTTP and HTTPs proxy servers used by the firewall to hand off incoming connections
to the internal resources. The command
http(s)-proxy <IP> <PORT> username <Proxy-User> password <Proxy-Password> defines
the proxy and the credentials used for proxy authentication. You may specify URLs to be
excluded from proxying using the command http(s)-proxy <IP> <PORT> exclude <URL-Spec>.
When defining the URL-Spec, you may use the meta-characters ? for any single character, * for any
string, [] to define a range of characters, and ![] to define a negative range of characters (not in the
list).
Another useful command is tunnel-group-list enable. When enabled, it allows the user to
select the tunnel-group to be used for login and authentication from the VPN portal. An alternative to
this is creating a specific URL for each connection-profile and asking the user to use it. WebVPN
cannot classify incoming connections and match a connection profile automatically unless you
provide a hint for it. This is why, without explicit or implicit group selection, the firewall reverts to
using the default remote-access tunnel-group DefaultWEBVPNGroup for any incoming
connection.
Step 2:
Define a DNS server group. This step is required for WebVPN because the firewall acts as a proxy
server and needs to resolve the names in the URLs presented by the users (unless they use IP
addresses). To define a DNS server group, you must enable DNS lookups on the interface facing the
DNS servers using the command dns domain-lookup <INTERFACE_NAMEIF>. After this, you may
define a server group using the command dns server-group <NAME>. Define at least one DNS
server IP address and the default domain under server-group configuration mode.
Step 3:
Define a group policy for the WebVPN connection. The group-policy command is generic, but you may
define specific WebVPN attributes under the webvpn configuration mode of the group-policy. Here
you may define functions enabled by this policy, such as url-entry and file-browsing. The default
values are inherited from the DfltGrpPolicy group-policy. A policy setting of interest here is the
filter command, which applies a webtype access-list to the connections requested by users. A
webtype access-list permits or denies connections based on URL strings in the format
{permit|deny} url [method]://<pattern> or
{permit|deny} tcp <SUBNET> <MASK> <PORT>. Basically, you can filter based on destination
URL and protocol, or on destination subnet and TCP port. The URL method can only be http, https, cifs,
nfs, pop3, imap4, smtp, or ftp. The pattern specifies the URL, and you may use the same
meta-characters defined in the proxy section for the pattern. For example, the URL may look like
http://www.ci*.com:80[12]?. In addition to the method/pattern entries, you can also use
regular ACL entries, such as permit tcp any host 2.2.2.2 eq 80.
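As an added illustration (not part of the original lab), the following Python model applies webtype ACL URL matching with the ?, *, [] and ![] meta-characters to an ordered ACL with an implicit deny, and runs the lab's own entry (permit url http://*.com:80) against the host names used in the verification section. The scheme default ports and the portal prepending http:// to a bare host name are assumptions, not documented ASA behaviour.

```python
import re
from urllib.parse import urlsplit

# Assumed scheme default ports, used when a URL is typed without a port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def pattern_to_regex(pattern):
    """Translate a webtype ACL URL pattern into an anchored regex.
    Meta-characters: ? = any one character, * = any string,
    [abc] = character range, ![abc] = characters NOT in the range."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "[" or pattern.startswith("![", i):
            neg = c == "!"
            start = i + (2 if neg else 1)
            end = pattern.index("]", start)
            out.append(("[^" if neg else "[") + pattern[start:end] + "]")
            i = end + 1
            continue
        out.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def normalise(url):
    """Append the scheme's default port when none is given (assumption:
    the pattern http://*.com:80 must also match a URL typed as http://host)."""
    p = urlsplit(url)
    if p.port is None and p.scheme in DEFAULT_PORTS:
        return f"{p.scheme}://{p.hostname}:{DEFAULT_PORTS[p.scheme]}{p.path}"
    return url

def evaluate(acl, url):
    """Walk the ACL in order; first matching entry wins, implicit deny at the end."""
    url = normalise(url)
    for action, pattern in acl:
        if pattern_to_regex(pattern).match(url):
            return action
    return "deny"

# The lab's ACL: access-list WEBACCESS webtype permit url http://*.com:80
WEBACCESS = [("permit", "http://*.com:80")]

def portal_browse(typed, acl=WEBACCESS):
    """Mimic the portal Address field: a bare host name is browsed over HTTP (assumption)."""
    url = typed if "://" in typed else "http://" + typed
    return evaluate(acl, url)
```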
Step 4:
Define a connection-profile (tunnel-group) for WebVPN users. The tunnel-group type should be
remote-access, and you must associate the previously defined group-policy with the tunnel-group.
Finally, you should define some basic WebVPN attributes. The first one is authentication for remote
clients: username/password, digital certificates, or both. The group-alias <NAME> command
defines a name to be used on the logon page for the tunnel-group selection. You may have to define
users for local authentication. The DNS group created earlier can be associated with the tunnel
group using the command dns-group <NAME> under the
tunnel-group <NAME> webvpn-attributes definition.
According to the scenario requirements, we define a group-lock attribute for the user to limit the user
to the WEBVPN group only. Additionally, we create a bookmark list (URL-List) to be used with the
WebVPN portal. We must use ASDM for this; version 8.x does not support the legacy
url-list command, and bookmarks are now stored as XML files, so you must use the GUI to
define them. Notice the webtype access-list created for this task. It allows connecting to sites in
the .com domain on port number 80 only. To verify the scenario, we configure R1 as a DNS server
and define some names (in .com and .net domains) there.
Configuration
ASA4:
webvpn
 port 443
 enable VLAN100
 tunnel-group-list enable
!
access-list WEBACCESS webtype permit url http://*.com:80
!
dns domain-lookup VLAN18
dns server-group WEBVPN
 name-server 136.1.18.1
 domain-name cisco.com
!
group-policy WEBVPN internal
group-policy WEBVPN attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-entry enable
  filter value WEBACCESS
!
tunnel-group WEBVPN type remote-access
tunnel-group WEBVPN general-attributes
 default-group-policy WEBVPN
!
tunnel-group WEBVPN webvpn-attributes
 group-alias WEBVPN enable
 authentication aaa
 dns-group WEBVPN
!
username WEBVPN password CISCO1234
username WEBVPN attributes
 group-lock value WEBVPN
!
http server enable
http 0 0 VLAN100
To configure the URL-List, from the TEST-PC connect to the ASA using ASDM; the same
username configured for WebVPN can be used. Navigate in the GUI as follows: Configuration ->
Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Bookmarks. Assign the list a
name in the Bookmark List Name field.
Click Add, give the entry a name in the Bookmark Title field, and enter www.cisco.com in the
URL field.
Assign the URL-List to the group-policy from the CLI:
group-policy WEBVPN attributes
 webvpn
  url-list value WEBVPN
R1:
ip dns server
ip host cisco.com 150.1.1.1
ip host www.cisco.com 150.1.1.1
ip host www.google.com 150.1.1.1
ip host www.ripe.net 150.1.1.1
Verification
Assign the Test PC an IP address from VLAN 100, such as 136.1.100.100, and using Internet
Explorer browse to https://136.1.100.8; you will see the drop-down box that allows you to select the
connection-profile. However, only one has been created. Authenticate using the configured username
and password.
Upon successful authentication, you should be presented with the following page.
Click the box with an arrow to the right of the bookmark to open the hyperlink in a new page. This
will redirect you to R1's HTTP server page, as configured, asking you for authentication.
Try typing www.google.com in the Address field of the VPN portal and click Browse; it should
again direct you to the same page of R1's HTTP server, because the .com domain is allowed by the
webtype access-list. Try typing www.ripe.net in the Address field of the VPN portal and click
Browse; it should redirect you to the same page of R1's HTTP server, but because the .net domain
is denied by the webtype access-list, you'll get an error message.
Check the VPN session on the ASA.
Rack1ASA4# show vpn-sessiondb webvpn filter name WEBVPN
Session Type: WebVPN
Username : WEBVPN Index : 17
Public IP : 136.1.100.100
Protocol : Clientless
License : AnyConnect Premium
Encryption : RC4 Hashing : SHA1
Bytes Tx : 135601 Bytes Rx : 19501
Group Policy : WEBVPN Tunnel Group : WEBVPN
Login Time : 17:34:23 UTC Thu May 16 2013
Duration : 0h:00m:34s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none