
Configuring ASA for WebVPN

Lesson 13

© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—13-1


Outline

 WebVPN Feature Overview
 WebVPN End-User Interface
 Configure WebVPN General Parameters
 Configure WebVPN Policies
 Configure WebVPN Tunnel Groups
 Configure WebVPN Servers and URLs
 Configure WebVPN Email Proxy
 Configure WebVPN Content Filters and ACLs
 Summary



WebVPN Feature Overview



WebVPN Overview

WebVPN (SSL VPN) complements IPsec-based remote access by allowing secure remote access to corporate network resources without the use of Cisco VPN Client software.



WebVPN Features

[Diagram: remote WebVPN users reach the corporate network over WebVPN tunnels via a broadband provider, an ISP, and a wireless provider]

 Access to internal websites (HTTP/HTTPS), including filtering
 Access to internal Windows (CIFS) file shares
 TCP port forwarding for legacy application support
 Access to e-mail via POP, SMTP, and IMAP4 over SSL



WebVPN Security Precautions

[Diagram: same topology as the previous slide; a direct Internet connection from a WebVPN user is marked with an X]

 Configure group policies for only those users who need WebVPN access
 Limit or disable Internet access for WebVPN users
 Educate users about potential SSL problems



WebVPN and IPsec Comparison

WebVPN:
 Uses a standard web browser to access the corporate network.
 SSL encryption native to the browser provides transport security.
 Applications are accessed through the browser portal.
 Limited client/server applications are accessed using applets.

IPsec VPN:
 Uses purpose-built client software for network access.
 Client provides encryption and desktop security.
 Client establishes a seamless connection to the network.
 All applications are accessible through their native interface.



WebVPN End-User Interface



Home Page

The home page is the customized access point for the end user.

[Screenshot: WebVPN home page with the toolbar buttons Help, Show Toolbar, Home, and Logout]



Website Access and Browsing Files



Port Forwarding

The window shows the interface to configure port forwarding.



Configure WebVPN General Parameters



Enabling the HTTP Server

 The HTTP server must be enabled
 ASDM and WebVPN cannot be run on the same port

ciscoasa(config)#
http server enable
 Enables the HTTP server for WebVPN

asa1(config)# http server enable



WebVPN Subcommand Mode
The WebVPN subcommand mode configures general WebVPN parameters and the look and
feel of the end-user interface. The following items can be configured:
 apcf
 authorization-dn-attributes
 authorization-required
 auto-signon
 cache
 character-encoding
 csd
 customization
 default-idle-timeout
 enable
 file-encoding
 http-proxy
 https-proxy
 java-trustpoint
 memory-size
 port
 port-forward
 proxy-bypass
 rewrite
 sso-server
 svc
 tunnel-group-list
 url-list

asa1(config)# webvpn
asa1(config-webvpn)#
Enabling WebVPN Interfaces

 WebVPN needs to be enabled on each interface that will have WebVPN users.
 ASDM and WebVPN cannot be enabled on the same interface.

ciscoasa(config-webvpn)#
enable ifname

asa1(config)# webvpn
asa1(config-webvpn)# enable outside



Home Page Look and Feel Configuration

[Screenshot: home page with the configurable elements labelled Title, Logo, Title Bar Color, Secondary Bar Color, and Secondary Text Color]

ciscoasa(config-webvpn)#
title titletext
 Specifies the title that WebVPN users should see.

ciscoasa(config-webvpn)#
title-color color
 Specifies the title color. Supported formats include HTML color name string, HTML color value, and HTML RGB value.
Configure WebVPN Policies



Configure WebVPN Policy Attributes

[Diagram: remote client – Security Appliance – WebVPN tunnel – HTTP-Server 10.0.1.10/24 and Console-Server 10.0.1.11/24]

ciscoasa(config)#
group-policy {name} attributes
 Enters the group-policy attributes subcommand mode

asa1(config)# group-policy WEBVPN1 attributes

ciscoasa(config-group-policy)#
webvpn
 Enters WebVPN group-policy attributes subcommand mode

asa1(config-group-policy)# webvpn
Enable URL Entry for WebVPN Users

[Diagram: same topology as the previous slide]

ciscoasa(config-group-webvpn)#
functions {auto-download | citrix | file-access | file-browsing | file-entry | filter | http-proxy | url-entry | mapi | port-forward | none}
 Enables file access, entry, browsing, and URL entry for the group

asa1(config-group-webvpn)# functions url-entry file-access file-entry file-browsing

ciscoasa(config-group-webvpn)#
url-list {value name | none}
 Selects predefined URLs that were configured by using the url-list command

asa1(config-group-webvpn)# url-list value URLs


url-list Command

[Diagram: remote client – Security Appliance – WebVPN tunnel – Superserver 10.0.1.10/24 and the Cisco Training CIFS server 10.0.1.11/24]

ciscoasa(config)#
url-list {listname displayname url}
 listname: defines the name of the URL list
 displayname: defines the text the users see for the link on their home page
 url: defines the actual URL that the link accesses
 The list of WebVPN links can point to HTTP, HTTPS, and CIFS servers

asa1(config)# url-list URLs "Superserver" http://10.0.1.10
asa1(config)# url-list URLs "CIFS Share" cifs://10.0.1.11/training
Example: Servers and URL Configuration

[Diagram: remote client – Security Appliance – WebVPN tunnel – Superserver 10.0.1.10/24 and the Cisco Training server 10.0.1.11/24]

Web access security appliance parameters:
 Example—url-list URLs "Superserver" http://10.0.1.10

CIFS access security appliance parameters:
 Example—url-list URLs "CIFS Share" cifs://10.0.1.10/training

WebVPN client parameters:
 Need to launch WebVPN interface
 Click on the Superserver or CIFS Share link



Enable Port Forwarding for WebVPN Users

[Diagram: remote client – Security Appliance – WebVPN tunnel – HTTP-Server 10.0.1.10/24 and Console-Server 10.0.1.11/24]

ciscoasa(config-group-webvpn)#
functions {auto-download | citrix | file-access | file-browsing | file-entry | filter | http-proxy | url-entry | mapi | port-forward | none}
 Enables port forwarding for the group

asa1(config-group-webvpn)# functions port-forward

ciscoasa(config-group-webvpn)#
port-forward {value listname | none}
 Selects a predefined port forwarding list configured by using the port-forward global configuration command

asa1(config-group-webvpn)# port-forward value APPLICATIONS
port-forward Command

[Diagram: remote client – HTTP-Server 10.0.1.10/24 and Console-Server 10.0.1.11/24]

ciscoasa(config)#
port-forward {listname localport remoteserver remoteport description}
 listname: defines the name of the port forwarding list
 localport: defines the local port for the WebVPN user
 remoteserver: defines the actual server that the link accesses
 remoteport: defines the actual port that the link accesses
 description: the text shown to the user for this entry

asa1(config)# port-forward APPLICATIONS 23 10.0.1.10 23 "Console Server"
Port Forwarding Configuration Example: DNS vs. IP Address

[Diagram: remote client – Security Appliance – WebVPN tunnel – Superserver 10.0.1.10/24 and the Cisco Training server 10.0.1.11/24]

Port forwarding security appliance parameters (IP address):
 port-forward list—portlist
 WebVPN User Port—2222
 Remote Server—10.0.1.10
 Actual Port—23
 Example—port-forward portlist 2222 10.0.1.10 23

WebVPN parameters (IP address):
 Need to launch port forwarding interface
 Telnet to “127.0.0.1 2222”

Port forwarding security appliance parameters (DNS):
 port-forward list—portlist
 WebVPN User Port—2000
 Remote Server—Training
 Remote TCP Port—23
 Example—port-forward portlist 2000 Training 23

WebVPN parameters (DNS):
 Need to launch port forwarding interface
 Telnet to “Training”



Configure WebVPN Tunnel Groups



WebVPN Tunnel Groups

[Diagram: remote client – Security Appliance – WebVPN tunnel – HTTP-Server 10.0.1.10/24 and NBNS-Server 10.0.1.15/24]

ciscoasa(config)#
tunnel-group name type type
 Names the tunnel group
 Defines the type of VPN connection that is to be established

asa1(config)# tunnel-group AUSTIN-WEBVPN type webvpn


NBNS Server Attribute

[Diagram: same topology as the previous slide]

ciscoasa(config-tunnel-webvpn)#
nbns-server {ipaddr or hostname} [master] [timeout timeout] [retry retries]
 Enables NetBIOS name resolution for CIFS file shares.

asa1(config-tunnel-webvpn)# nbns-server 10.0.1.15



Authentication Server Attribute

[Diagram: remote client – Security Appliance – WebVPN tunnel – ACS Server 10.0.1.10/24 and NBNS-Server 10.0.1.15/24]

ciscoasa(config-tunnel-general)#
authentication-server-group [(interface_name)] server_group [LOCAL | NONE]
 Specifies the AAA server group that WebVPN users should use.
 The server group must be previously configured using aaa-server commands

asa1(config-tunnel-general)# authentication-server-group (inside) AUTHSERVER
Configure WebVPN Servers and URLs



Enable WebVPN Protocol for Group Policy

[Diagram: Security Appliance – WebVPN tunnel – HTTP Server 10.0.1.10/24]

ciscoasa(config)#
group-policy {name} attributes
 Enters the group-policy attributes subcommand mode

asa1(config)# group-policy WEBVPN1 attributes

ciscoasa(config-group-policy)#
vpn-tunnel-protocol {webvpn | IPSec}
 Enables WebVPN for the group

asa1(config-group-policy)# vpn-tunnel-protocol webvpn



Configure WebVPN Email Proxy



Enable E-Mail Proxy for WebVPN Users

[Diagram: remote client – Security Appliance – WebVPN tunnel – Email Server 10.0.1.10/24]

ciscoasa(config-group-webvpn)#
functions {auto-download | citrix | file-access | file-browsing | file-entry | filter | http-proxy | url-entry | mapi | port-forward | none}
 Enables MAPI proxy for the group (only necessary if using MAPI)

asa1(config-group-webvpn)# functions mapi



Defining Proxy Servers

[Diagram: remote client – Security Appliance – WebVPN tunnel – E-Mail Server 10.0.1.10/24]

ciscoasa(config)#
pop3s
smtps
imap4s
 Enters the appropriate e-mail proxy subcommand mode



Defining E-Mail Server and Authentication Server

[Diagram: remote client – Security Appliance – WebVPN tunnel – E-Mail Server 10.0.1.10/24]

ciscoasa(config-pop3s)#
server {ipaddr or hostname}
 Specifies the default server for use with the e-mail proxy

asa1(config-pop3s)# server 10.0.1.10

ciscoasa(config-pop3s)#
authentication-server-group [(interface_name)] server_group [LOCAL | NONE]
 Specifies the authentication server to use with the e-mail proxy

asa1(config-pop3s)# authentication-server-group (inside) AUTHSERVER
Defining Authentication Type

[Diagram: remote client – Security Appliance – WebVPN tunnel – E-Mail Server 10.0.1.10/24]

ciscoasa(config-pop3s)#
authentication {aaa | certificate | piggyback}
 Specifies the authentication method or methods that are used with the e-mail proxy
 Options are as follows:
– aaa: Use the previously configured AAA server for authentication
– certificate: Use a certificate for authentication
– piggyback: Requires an established HTTPS WebVPN session

asa1(config-pop3s)# authentication piggyback



Example: E-Mail Proxy Configuration

[Diagram: remote client 172.26.26.1 – Security Appliance – WebVPN tunnel – E-Mail Server 10.0.1.10/24]

Security appliance e-mail proxy parameters:
 POP3S ASA port—995
 POP3S default e-mail server—10.0.1.10
 POP3S auth. req.—e-mail server, piggyback HTTPS
 SMTPS ASA port—988
 SMTPS default e-mail server—10.0.1.10
 SMTPS auth. req.—piggyback HTTPS

E-mail client parameters:
 Username—Student1
 Password—Student1
 POP address—192.168.1.5
 POP port—SSL port 995
 SMTP address (auth. req.)—192.168.1.5
 SMTP port—SSL port 988

E-mail server parameters:
 Username—Student1
 Password—Student1
 POP port—110
 SMTP port—25
 SMTP auth.—Required
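The security appliance side of the example above written out as CLI, as an added example rather than one of the lesson's own configurations. The interface name outside and the existing aaa-server group AUTHSERVER are assumptions; the port command values are the ASA-side ports listed on the slide.

```text
! Added example: POP3S and SMTPS proxy for the parameters above.
! Assumed: interface "outside" faces the remote client; aaa-server
! group AUTHSERVER already exists.
asa1(config)# pop3s
asa1(config-pop3s)# server 10.0.1.10
asa1(config-pop3s)# port 995
asa1(config-pop3s)# authentication-server-group (inside) AUTHSERVER
asa1(config-pop3s)# authentication piggyback
asa1(config-pop3s)# enable outside
asa1(config-pop3s)# exit
asa1(config)# smtps
asa1(config-smtps)# server 10.0.1.10
asa1(config-smtps)# port 988
asa1(config-smtps)# authentication-server-group (inside) AUTHSERVER
asa1(config-smtps)# authentication piggyback
asa1(config-smtps)# enable outside
```

With piggyback, the mail client only succeeds while the user holds an HTTPS WebVPN session from the same host, so a mail client that polls in the background fails once the browser session is logged out or idle-timed out. The client-to-ASA leg on 995/988 is SSL; the ASA-to-server leg on 110/25 is plaintext on the inside network, which is what the e-mail server parameters above describe.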



Configure WebVPN Content Filters and ACLs



HTML Content Filtering

[Diagram: remote client – Security Appliance – WebVPN tunnel – HTTP Server 10.0.1.10/24]

ciscoasa(config)#
group-policy {name} attributes
 Enters the group-policy attributes subcommand mode

asa1(config)# group-policy WEBVPN1 attributes

ciscoasa(config-group-policy)#
webvpn
 Enters WebVPN group-policy attributes subcommand mode

asa1(config-group-policy)# webvpn
HTML Content Filtering (Cont.)

[Diagram: same topology as the previous slide]

ciscoasa(config-group-webvpn)#
html-content-filter {cookies | images | java | none | scripts}
 Configures the content or objects to be filtered from the HTML for this policy
 Options are as follows:
– cookies: Removes cookies from images, providing limited ad filtering and privacy
– images: Removes references to images (removes <IMG> tags)
– java: Removes references to Java and ActiveX (removes <EMBED>, <APPLET>, and <OBJECT> tags)
– none: Indicates that there is no filtering; sets a null value, thereby disallowing filtering; prevents inheriting filtering values
– scripts: Removes references to scripting (removes <SCRIPT> tags)

asa1(config-group-webvpn)# html-content-filter cookies images java



WebVPN ACLs

[Diagram: remote client – Security Appliance – WebVPN tunnel – HTTP Server 10.0.1.10/24]

ciscoasa(config)#
access-list id webtype {deny | permit} tcp [host ip_address | ip_address subnet_mask | any] [oper port [port]] [log [[disable | default] | level] [interval secs] [time_range name]]
 Configures a web-type ACL to be used for filtering with WebVPN

asa1(config)# access-list WEBVPNACL webtype permit tcp any eq http

ciscoasa(config-group-webvpn)#
filter {value ACLname | none}
 Configures the name of the web-type ACL in the WebVPN group-policy attributes subcommand mode

asa1(config-group-webvpn)# filter value WEBVPNACL
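An end-to-end configuration assembled from the commands in this lesson, added here as an example and not one of the slides' own configurations. It applies the precautions from the overview: only the functions the group needs (no url-entry, so users cannot type arbitrary URLs), a web-type ACL limited to the internal subnet with an explicit logged deny, and a 15-minute idle timeout. The interface names inside and outside, creating WEBVPN1 as an internal group policy, the Training hostname resolving on the inside network, and an existing aaa-server group AUTHSERVER are assumptions.

```text
! Added example: complete WebVPN setup using the lesson's names.
! Assumed: interfaces inside/outside, aaa-server group AUTHSERVER exists.
asa1(config)# http server enable
asa1(config)# webvpn
asa1(config-webvpn)# enable outside
asa1(config-webvpn)# default-idle-timeout 900
asa1(config-webvpn)# title "Corporate WebVPN"
asa1(config-webvpn)# exit
! Links and forwarded ports the user sees on the home page
asa1(config)# url-list URLs "Superserver" http://10.0.1.10
asa1(config)# url-list URLs "CIFS Share" cifs://10.0.1.11/training
asa1(config)# port-forward portlist 2222 10.0.1.10 23 "Console (IP)"
asa1(config)# port-forward portlist 2000 Training 23 "Console (name)"
! Web-type ACL: internal subnet over HTTP/HTTPS only; anything else
! requested through the portal (including Internet sites) is denied and logged
asa1(config)# access-list WEBVPNACL webtype permit tcp 10.0.1.0 255.255.255.0 eq http
asa1(config)# access-list WEBVPNACL webtype permit tcp 10.0.1.0 255.255.255.0 eq https
asa1(config)# access-list WEBVPNACL webtype deny tcp any log
! Group policy: WebVPN protocol, minimal functions, lists, ACL and filtering
asa1(config)# group-policy WEBVPN1 internal
asa1(config)# group-policy WEBVPN1 attributes
asa1(config-group-policy)# vpn-tunnel-protocol webvpn
asa1(config-group-policy)# webvpn
asa1(config-group-webvpn)# functions file-access file-browsing port-forward
asa1(config-group-webvpn)# url-list value URLs
asa1(config-group-webvpn)# port-forward value portlist
asa1(config-group-webvpn)# filter value WEBVPNACL
asa1(config-group-webvpn)# html-content-filter java scripts
asa1(config-group-webvpn)# exit
asa1(config-group-policy)# exit
! Tunnel group: AAA server, default policy, NBNS for CIFS name resolution
asa1(config)# tunnel-group AUSTIN-WEBVPN type webvpn
asa1(config)# tunnel-group AUSTIN-WEBVPN general-attributes
asa1(config-tunnel-general)# authentication-server-group (inside) AUTHSERVER
asa1(config-tunnel-general)# default-group-policy WEBVPN1
asa1(config-tunnel-general)# exit
asa1(config)# tunnel-group AUSTIN-WEBVPN webvpn-attributes
asa1(config-tunnel-webvpn)# nbns-server 10.0.1.15
```

The webtype ACL governs what the portal will fetch on the user's behalf, so it constrains the url-list links and any URL entry if that function is later enabled; the port-forward entries are separate TCP relays and are controlled by which list the group policy references, not by the ACL.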



Summary

 WebVPN lets users establish a secure, remote-access VPN tunnel to a security appliance using a web browser.
 WebVPN features include:
– Secure access to internal websites via HTTPS.
– Windows file access, port forwarding, and e-mail proxy are supported.
– HTML content filtering and WebVPN ACLs can be used to restrict WebVPN traffic.



Lab Visual Objective

[Lab diagram: Student PC (172.26.26.P) – RTS – RBB – ASA – SuperServer; networks 172.26.26.0, 192.168.P.0, and 10.0.P.0 with host addresses .100, .150, .1, .5, .5, and .10]


