Cisco ASA VPN на любой вкус [ENG]

Jabbson · Регистрация: 03.11.2009

IPsec Site-to-Site VPN Solutions

1. Deploying IPsec Site-to-Site VPN Solutions

1.1 Configuring a Basic IKEv1 IPsec Site-to-Site VPN

Step 1. Configure basic peer authentication. Enable IKEv1 on the interface and configure PSKs and IKEv1 policies.
Step 2. Configure transmission protection. Configure IPsec transform sets, peer addresses, and local and remote identity (interesting traffic).
Step 3. Verify communication through the encrypted tunnel.

Enable IKEv1 on the Outside Interface

Код

ciscoasa(config)# crypto ikev1 enable outside

Enable ISAKMP Session Control Options

Код

ciscoasa(config)# crypto isakmp identity address
ciscoasa(config)# crypto ikev1 am-disable // disable aggressive mode
!!Enable open sessions to be closed voluntarily upon a reload!!
ciscoasa(config)# crypto isakmp reload-wait
!!Enable remote peers to gracefully close connections with the use of a disconnect notification!!
ciscoasa(config)# crypto isakmp disconnect-notify

Create IKEv1 policies

Код

ciscoasa(config)# crypto ikev1 policy 2
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption aes
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 2
ciscoasa(config-ikev1-policy)# lifetime 86400

Create Tunnel Group and Configure the PSK

Код

ciscoasa(config)# tunnel-group 192.168.1.1 type ipsec-l2l
ciscoasa(config)# tunnel-group 192.168.1.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key cisco

Crypto Map, Access List, Interface, and Route Configuration

Код

ciscoasa(config)# ipv6 access-list interesting_ipv6_traffic permit tcp 2001:48::/64 2001:50::/64
ciscoasa(config)# crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes-128 esp-sha-hmac
ciscoasa(config)# crypto map ipv6_map 1 match address interesting_ipv6_traffic
ciscoasa(config)# crypto map ipv6_map 1 set peer 2001:49::2
ciscoasa(config)# crypto map ipv6_map 1 set ikev1 transform-set ESP-AES-128-SHA
ciscoasa(config)# interface gi0/0
ciscoasa(config-if)# ipv6 address 2001:49::1/96
ciscoasa(config)# ipv6 route outside 2001:50::/64 2001:49::2

1.2 Configuring a Basic IKEv2 IPsec Site-to-Site VPN

Код

ciscoasa(config)# access-list cryptomap permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ciscoasa(config)# crypto ikev2 enable outside
ciscoasa(config)# crypto ikev2 policy 10
ciscoasa(config-ikev2-policy)# group 2 5
ciscoasa(config-ikev2-policy)# encryption aes
!
ciscoasa(config)# group-policy GroupPolicy_1.1.1.1 internal
ciscoasa(config)# group-policy GroupPolicy_1.1.1.1 attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol ikev2
!
ciscoasa(config)# tunnel-group 1.1.1.1 type ipsec-l2l
ciscoasa(config)# tunnel-group 1.1.1.1 general-attributes
ciscoasa(config-tunnel-general)# default-group-policy GroupPolicy_1.1.1.1
ciscoasa(config)# tunnel-group 1.1.1.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco1
ciscoasa(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco2
ciscoasa(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
!
ciscoasa(config)# crypto ipsec ikev2 ipsec-proposal AES
ciscoasa(config-ipsec-proposal)# protocol esp encryption aes
ciscoasa(config-ipsec-proposal)# protocol esp integrity sha-1
!
ciscoasa(config)# crypto map outside_map 1 match address cryptomap
ciscoasa(config)# crypto map outside_map 1 set peer 1.1.1.1
ciscoasa(config)# crypto map outside_map 1 set pfs group2
ciscoasa(config)# crypto map outside_map 1 set ikev2 ipsec-proposal AES
ciscoasa(config)# crypto map outside_map interface outside

1.3 Configure Advanced Authentication for IKEv1 IPsec Site-to-Site VPN
Adding an Identity Certificate to Your Tunnel Group Configuration for Authentication Purposes

Код

ciscoasa(config)# tunnel-group 192.168.1.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 trustpoint TrustPoint0

Configuring Certificate Mapping Rules

Код

ciscoasa(config)# crypto ca certificate map IPSecCCNPVPN 10
ciscoasa(config-ca-cert-map)# crypto ca certificate map IPSecCCNPVPN 10
ciscoasa(config-ca-cert-map)# subject-name attr cn eq remote.vpn.peer
ciscoasa(config-ca-cert-map)# tunnel-group-map IPSecCCNPVPN 10 192.168.1.1

1.4 Troubleshooting
Tunnel Not Establishing: Phase 1

Is IKEv1 or IKEv2 enabled on the correct interface? Are the appropriate IKEv1 or IKEv2 policies available? Also check for any ACLs applied to the incoming interface of your device, and make sure the necessary ports/protocols have been allowed through (for example, AH IP protocol 50, ESP IP protocol 51, IKEv1 UDP 500, and NAT-T UDP 4500).
Are the appropriate IKEv1 or IKEv2 policies available?
Do you have the correct authentication parameters?
Make sure traffic you want to go through the tunnel is routed over the interface where crypto map is applied, so the crypto process gets triggered.
Make sure the connection profile name can be matched by the ASA used algorithm.

Tunnel Not Establishing: Phase 2

Are your IPsec policies configured to match those of the remote peer?
Make sure the crypto ACL (one which defines interesting traffic) is configured in mirror on the two VPN endpoints.

Traffic Not Passing Through Your Tunnel

Interesting traffic/ACLs.
Local NAT: Make sure that any traffic that has been marked as interesting is configured to bypass any NAT rules for packets traveling out of the destination interface toward the remote network. If you want traffic that travels over the tunnel to be NAT’ed, make sure you configured the crypto ACL to match on the NAT’ed subnets, because from the order-ofoperation point of view, NAT takes place before the crypto process.
NAT-T: Is there a NAT device in the path of your tunnel? NAT-T works during the connection phase to report whether there is or is not a NAT device in the path between the tunnel endpoints. If NAT-T has been disabled, your networks at each end will not be able to communicate with each other, because ESP is not NAT aware and will be dropped along the path.
Routing.
RRI: Do you have any internal routes advertised in the interior gateway protocol (IGP) of your network? If any devices in your network do not have a specific route for the remote network via your ASA device, they may be sending the traffic to their default route or another destination.
ACLs: Is your IPsec traffic subject to the same interface ACLs as incoming packets? If so, you might want to bypass the ACLs for IPsec traffic or allow through the appropriate packets.

2. High Availability and Performance Strategies

Note that multiple peers are supported only for IKEv1 IPsec site-to-site VPNs.

2.1 High Assurance with QoS

Код

ciscoasa(config)# class-map outside-class
ciscoasa(config-cmap)# match dscp 46
ciscoasa(config-cmap)# match tunnel-group 192.168.1.1
ciscoasa(config-cmap)# policy-map CCNP-VPN-QOS-Policy
ciscoasa(config-pmap)# class outside-class
ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap-c)# class class-default
ciscoasa(config-pmap-c)# police output 2000000 1500 conform-action transmit exceed-action drop
ciscoasa(config-pmap-c)# service-policy CCNP-VPN-QOS-Policy interface outside

2.2 Site-to-Site VPN Redundancy Using Routing

Код

ciscoasa1(config)# router ospf 1
ciscoasa1(config-router)# area 1
ciscoasa1(config-router)# network 172.30.255.0 255.255.255.240 area 1
ciscoasa1(config-router)# network 10.0.0.0 255.255.255.0 area 1
ciscoasa1(config-router)# neighbor 172.30.255.1 interface outside
ciscoasa1(config-router)# interface GigabitEthernet0/0
ciscoasa1(config-if)# ospf cost 20
ciscoasa1(config-if)# ospf network point-to-point non-broadcast

!! Now carry out the same configuration on ASA2 but changing the interface cost to a lower value!!

Код

ciscoasa2(config)# router ospf 1
ciscoasa2(config-router)# area 1
ciscoasa2(config-router)# network 172.30.255.0 255.255.255.240 area 1
ciscoasa2(config-router)# network 10.0.0.0 255.255.255.0 area 1
ciscoasa2(config-router)# neighbor 172.30.255.2 interface outside
ciscoasa2(config-router)# interface GigabitEthernet0/0
ciscoasa2(config-if)# ospf cost 10
ciscoasa2(config-if)# ospf network point-to-point non-broadcast

Easy VPN (EzVPN)

1. Deploying Easy VPN Solutions

1.1 Basic Configuration
Enable IPsec Connectivity

Код

ciscoasa(config)# crypto ikev1 enable outside
ciscoasa(config)# crypto ikev1 policy 5
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption aes
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 2
ciscoasa(config-ikev1-policy)# lifetime 86400
ciscoasa(config)# crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
ciscoasa(config)# crypto dynamic-map EASY_DYN_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA
ciscoasa(config)# crypto map EASYMAP 65535 ipsec-isakmp dynamic EASY_DYN_ CRYPTO_MAP
ciscoasa(config)# crypto map EASYMAP interface outside

Client IP Address Assingment

Код

ciscoasa(config)# tunnel-group DefaultRAGroup general-attributes
ciscoasa(config-tunnel-general)# address-pool 192
ciscoasa(config-tunnel-general)# ipv6-address-pool ipv6-192

VPN Client Authentication Using Pre-Shared Keys

Код

ciscoasa(config)# group-policy CCNP-VPN-POLICY internal
ciscoasa(config)# group-policy CCNP-VPN-POLICY attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol ikev1
ciscoasa(config)# tunnel-group CCNP-VPN-CONN type remote-access
ciscoasa(config)# tunnel-group CCNP-VPN-CONN ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key security
ciscoasa(config-tunnel-ipsec)# tunnel-group CCNP-VPN-CONN general-attributes
ciscoasa(config-tunnel-general)# address-pool 192
ciscoasa(config-tunnel-general)# default-group-policy CCNP-VPN-POLICY

IP Address Allocation using the Cisco VPN Client
You have three options to choose from, listed in order of preference for assigning IP addresses to VPN clients:

Use Authentication Server: Internal and remote authentication, authorization, and accounting (AAA) servers.
Use DHCP: An external or internally available Dynamic Host Control Protocol (DHCP) server.
Use Internal Address Pools: An internal address pool configured locally on the ASA device.

Assigning an IP Address Directly to a User Account:

Код

ciscoasa(config)# username EzUser1 attributes
ciscoasa(config-username)# vpn-framed-ip-address 192.168.1.100 255.255.255.0

Creating a New IPv4 Address Pool:

Код

ciscoasa(config)# ip local pool IPSEC-POOL 192.168.1.111-192.168.1.222 mask 255.255.255.0

Assigning Your New IP Address Pool to a Connection Profile:

Код

ciscoasa(config)# tunnel-group CCNP-VPN-CONN general-attributes
ciscoasa(config-tunnel-general)# address-pool IPSEC-POOL

Configuring DNS Servers and a Domain Name for Use by Clients:

Код

ciscoasa(config)# group-policy CCNP-VPN-POLICY attributes
ciscoasa(config-group-policy)# dns-server value 192.168.1.1 192.168.1.2
ciscoasa(config-group-policy)# default-domain value lab.local

1.2 Controlling Your Environment with Advanced Features

ACL bypass
Interface ACLs
Per-group or per-user ACLs
Split tunneling

1.3 Troubleshooting

2. Advanced Authentication and Authorization

2.1 Authentication Options and Strategies

The Adaptive Security Appliance (ASA) has sent a copy of its digital certificate to the IPsec client for authentication purposes. The certificate has been encrypted/ digitally signed using the root CA’s private key on being issued to the ASA.
The IPsec client receives the ASA’s certificate, verifies that the root CA’s certificate (that issued the ASA’s certificate) is in its local trusted root CA store, and decrypts (verifies the signature) the ASA certificate using the stored root CA’s public key.
The ASA’s certificate has been validated using the stored CA information, and the authenticity of the ASA is confirmed.
The IPsec client sends a copy of its digital certificate to the ASA for authentication purposes. The certificate has been encrypted/digitally signed using the issuing root CA’s private key.
The ASA receives the IPsec client’s certificate, verifies the issuing root CA’s certificate is in its local trusted root CA store, and decrypts (verifies the signature) the client’s certificate using the stored root CA’s public key.
The IPsec client’s certificate has been validated using the stored CA information, and the authenticity of the IPsec is confirmed.
(Optional) In the case of mutual/hybrid or certificate authentication, the connecting user of the IPsec client can now be prompted for additional authentication information using XAUTH. If XAUTH was disabled on the ASA at the connection profile level, this step does not occur.

2.2 Configuring PKI for Use with Easy VPN
Before your remote users can successfully establish a working VPN connection using certificate-based authentication, you must first enable the use of certificates in two places:

ASA connection profile (tunnel group)
IPsec VPN client

Код

ciscoasa(config)# crypto ikev1 policy 1
ciscoasa(config-ikev1-policy)# group 5
ciscoasa(config-ikev1-policy)# encryption aes-128
ciscoasa(config-ikev1-policy)# authentication rsa-sig
ciscoasa(config)# tunnel-group CCNP-VPN-CONN ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 trust-point IdentityCert1

2.3 Configuring Mutual/Hybrid Authentication

Step 1. Enter the connection profile name (group name).
Step 2. Enter the pre-shared key.
Step 3. Select the identity certificate to use with the connection profile.
Step 4. Enable the use of hybrid XAUTH authentication.

Код

    ciscoasa(config)# tunnel-group CCNP-VPN-CONN ipsec-attributes
    ciscoasa(config-tunnel-ipsec)# ikev1-user-authentication hybrid

2.4 Comfiguring Digital Certificate Mapping

Use the configured rules to match a certificate to a connection profile. (This option must be selected before any incoming identity certificates are evaluated against your configured mapping rules.) CLI command: tunnel-group-map enable rules
Use the certificate OU field to determine the connection profile. CLI command: tunnel-group-map enable ou
Use the IKE identity to determine the connection profile. CLI command: tunnelgroup-map enable ike-id
Use the peer IP address to determine the connection profile. CLI command: tunnelgroup-map enable peer-ip
Default connection profile. Select the default connection profile name from the drop-down list of those configured. If none of the points listed match along with any custom certificate maps you have created, the user is applied this connection profile. CLI command: tunnel-group-map default-group connection profile.

Код

ciscoasa(config)# crypto ca certificate map Country-Map 10
ciscoasa(config-ca-cert-map)# subject-name attr c eq US
ciscoasa(config-cert-mapping)# tunnel-group-map Country-Map CCNP-VPN-CONN

2.5 Provisioning Certificates from a Third-Party CA

Код

ciscoasa(config)# crypto ca trustpoint 3rdPartyIdentityCert
ciscoasa(config-ca-trustpoint)# enrollment terminal
ciscoasa(config-ca-trustpoint)# subject-name CN=CCNP.VPN.LAB
ciscoasa(config-ca-trustpoint)# id-usage ssl-ipsec
ciscoasa(config)# crypto ca enroll 3rdPartyIdentityCert
!
ciscoasa(config)# tunnel-group CCNP-VPN-CONN ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 trust-point 3rdPartyIdentityCert

2.6 Advanced PKI Deployment Strategies
These methods should be used in the following priority:

AAA: Preferred. Use if you have access to an external RADIUS server and are also using downloadable access lists and so on.
OCSP: Recommended for use if you do not have access to an AAA server but have an available OCSP server.
CRL: Use only as a last resort if the preceding two methods are unavailable for use.

3. Advanced Easy VPN Authorization

3.1 Configuring Local and Remote Group Policies
External Group Policy Object Configuration:

Код

ciscoasa(config)# group-policy EzVPN_Policy external server-group RADIUS password security

Creating a New AAA Server Group and Adding an External Radius Server:
c

Код

iscoasa(config)# aaa-server RADIUS protocol radius
ciscoasa(config)# aaa-server RADIUS (outside) host 172.30.255.5
ciscoasa(config-aaa-server-host)# key security
ciscoasa(config-aaa-server-host)# radius-common-pw security

Assigning a Group Policy Directly to a User:

Код

ciscoasa(config)# username EzUser1 attributes
ciscoasa(config-username)# vpn-group-policy EasyVPN

Configuring Split Tunneling:

Код

ciscoasa(config)# group-policy Internal-EzVPN-POLICY attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value Internal_Servers
ciscoasa(config-group-policy)# default-domain value VPN.LAB

3.2 Accounting Methods for Operational Information

Syslog

Код

    ciscoasa(config)# logging buffered informational
    ciscoasa(config)# logging enable
    ciscoasa(config)# logging trap informational
    ciscoasa(config)# logging host inside 10.1.1.1

NetFlow 9

Код

    ciscoasa(config)# flow-export destination inside 192.168.1.100 5010
    ciscoasa(config)# policy-map global_policy
    ciscoasa(config-pmap)# class class-default
    ciscoasa(config-pmap-c)# flow-export event-type flow-create destination 192.168.1.100

RADIUS VPN accounting

Код

    ciscoasa(config)# tunnel-group DefaultRAGroup general-attributes
    ciscoasa(config-tunnel-general)# accounting-server-group RADIUS

Simple Network Management Protocol (SNMP)

4. Troubleshooting

5. Easy VPN Operation using the ASA 5505 as a Hardware Client

5.1 Configuring a Basic Easy VPN Remote Client Using the ASA 5505

Step 1. Enable Easy VPN Remote.
Step 2. Select the operational mode of either Client or Network Extension.
Step 3. Select the authentication scheme.
Step 4. Enter the addresses of the Easy VPN server.

Код

ciscoasa(config)# vpnclient vpngroup CCNP-REMOTE password security
ciscoasa(config)# vpnclient server 1.1.1.1 2.2.2.2
ciscoasa(config)# vpnclient enable

5.2 Configuring Advanced Easy VPN Remote Client Settings for the ASA 5505

X-Auth and Device Authentication

No X-Auth;
Unit Authentication (Automatic X-Auth);
Secure Unit Authentication;
Individual User Authentication.

Код

    ciscoasa(config)# group-policy CCNP-VPN-POLICY attributes
    ciscoasa(config-group-policy)# secure-unit-authentication enable

or

Код

    ciscoasa(config-group-policy)# user-authentication enable
    ciscoasa(config-group-policy)# user-authentication-idle-timeout 10

Remote Management

Enable Tunneled Management;
Clear Tunneled Management.

NAT Transparency (NAT Traversal): UDP/TCP:4500, ESP.
Device Pass-Through: To accompany the implementation of any IUA authentication that might have been configured, you can also configure the option to allow certain devices to pass traffic through the tunnel without having to authenticate.

Код

ciscoasa(config)# group-policy CCNP-VPN-POLICY attributes
    ciscoasa(config-group-policy)# ip-phone-bypass enable
    ciscoasa(config-group-policy)# leap-bypass enable

AnyConnect SSL VPN

1. Deploying an AnyConnect Remote Access VPN Solution

1.1 Deploying an SSL VPN

Step 1. Configure ASA interface IP addresses.
Step 2. Enter the hostname and domain name.
Step 3. Enroll with a CA and become a member of a PKI (only if certificate-based authentication is required).
Step 4. Enable the relevant interfaces for SSL/DTLS and AnyConnect client access;

Код

    ciscoasa(config)# webvpn
    ciscoasa(config-webvpn)# enable outside
    ciscoasa(config-webvpn)# anyconnect enable
    ciscoasa(config)# ssl trust-point TP-Identity outside // identity cert

Step 5. Create a connection profile and user.

Код

    ciscoasa(config)# tunnel-group "AnyConnect Connection 1" type remote-access
    ciscoasa(config)# tunnel-group "AnyConnect Connection 1" general-attributes
    ciscoasa(config-tunnel-general)# authentication-server-group LOCAL
    ciscoasa(config-tunnel-general)# address-pool SSL-POOL
    ciscoasa(config-tunnel-general)# default-group-policy DfltGrpPolicy
    ciscoasa(config-tunnel-general)# domain-name lab.local
    // connection profile grou alias and url conf
    ciscoasa(config)# tunnel-group "AnyConnect Connection 1" webpn-attributes
    ciscoasa(config-tunnel-webvpn)# group-url [url]https://ccnp.vpn.lab/AnyConnectSSL1[/url]
    ciscoasa(config-tunnel-webvpn)# group-alias AnyConnectSSL1
    // user
    ciscoasa(config)# username AnyConnectUser1 password cisco
    ciscoasa(config)# username AnyConnectUser1 attributes
    ciscoasa(config-username)# service-type remote-access // VPN only access
    ciscoasa(config-username)# vpn-tunnel-protocol ssl-client // only SSL access

1.2 Deploying an IKEv2 VPN

Step 1. Configure ASA interface IP addresses.
Step 2. Enter the hostname and domain name.
Step 3. Enroll with a CA and become a member of a PKI (only if certificate-based authentication is required).
Step 4. Enable the relevant interfaces for IKEv2 and AnyConnect client access. Before IKEv2 and AnyConnect client access can occur, you need to specify which interface the services will be available on.

Код

  ciscoasa(config)# webvpn
    ciscoasa(config-webvpn)# anyconnect enable
    ciscoasa(config)# crypto ikev2 enable outside client-services port 443

Step 5. Create a new IKEv2 policy and assign it to the outside interface of your ASA. This step is only required if you have chosen to configure your ASA using the CLI as when configuring using the ASDM a system default policy is created and automatically applied to the outside interface (the interface you enabled IKEv2 access on in Step 4).

Код

    ciscoasa(config)# crypto ipsec ikev2 ipsec-proposal AES128
    ciscoasa(config-ipsec-proposal)# protocol esp encryption aes-128
    ciscoasa(config-ipsec-proposal)# protocol esp integrity sha-1
    ciscoasa(config-ipsec-proposal)# crypto dynamic-map VPNMAP 65535 set ikev2 ipsec-proposal AES128
    ciscoasa(config)# crypto map OUTSIDE 65535 ipsec-isakmp dynamic VPNMAP
    ciscoasa(config)# crypto map OUTSIDE interface outside

Step 6. Create a connection profile. In this step, a new connection profile is created and enabled for IKEv2 connectivity.

Код

    ciscoasa(config)# tunnel-group "AnyConnect Connection 1" type remote-access
    ciscoasa(config)# tunnel-group "AnyConnect Connection 1" general-attributes
    ciscoasa(config-tunnel-general)# authentication-server-group LOCAL
    ciscoasa(config-tunnel-general)# address-pool AnyConnectPool
    ciscoasa(config-tunnel-general)# default-group-policy DfltGrpPolicy
    ciscoasa(config-tunnel-general)# domain-name lab.local

1.3 Client IP Address Allocation

Authentication server.
DHCP.
Internal address pools.
Direct user assignment.

Specific address-assignment methods:

Connection profile address assignment.

Код

    ciscoasa(config)# ip local pool IKEv2-Pool 10.10.10.0-10.10.10.50 mask 255.255.255.0
    ciscoasa(config)# tunnel-group IKEv2 type remote-access
    ciscoasa(config)# tunnel-group IKEv2 genereal-attributes
    ciscoasa(config-tunnel-general)# address-pool IKEv2-Pool
    ciscoasa(config-tunnel-general)# dhcp-server 10.0.0.1

Group policy address assignment.

Код

    ciscoasa(config)# ip local pool POOL 10.10.10.0-10.10.10.50 mask 255.255.255.0
    ciscoasa(config)# group-policy GP internal
    ciscoasa(config)# group-policy GP attributes
    ciscoasa(config-group-policy)# address-pools value POOL
    ciscoasa(config-group-policy)# dhcp-network-scope 10.0.0.0 // to locate an available IP address from the 10.0.0.0 scope (if configured). If not, the DHCP scope configured value is set as the giaddr field by the ASA relay agent function.

Direct user address assignment.

Код

    ciscoasa(config)# username AnyConnectUser1 attributes
    ciscoasa(config-username)# vpn-framed-ip-address 10.10.10.10 255.255.255.255

1.4 Advanced Controls

Access control lists (ACLs) and downloadable ACLs
Split tunneling
Access hours/time range

ACL
Access control lists can be applied to remote users through the use of a

group policy

Код

    ciscoasa(config)# group-policy IKEv2 attributes
    ciscoasa(config-group-policy)# ipv6-vpn-filter value USER-IPV6-FILTER

dynamic access policies (DAPs)
directly to their local user account

Split Tunneling

Код

split-tunnel-policy tunnelall
    split-tunnel-policy excludespecified
    split-tunnel-policy tunnelspecified

Код

ciscoasa(config)# group-policy IKEv2 attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value SPLIT-ACL

Access Hours/Time Range

Код

ciscoasa(config)# time-range WORKING-WEEK
ciscoasa(config-time-range)# periodic Monday 09:00 to Friday 17:00

1.5 Troubleshooting

Код

    logging class auth consoled debugging
    logging class webvpn console debugging
    logging class ssl console debugging
    logging class svc console debugging

2. Advanced Authentication and Authorization

Centralized AAA authentication;
Digital certificates;
Double/triple authentication.

2.1 Provisioning Certificates as a Local CA
Enabling the local CA Server:

Код

ciscoasa(config)# crypto ca server
ciscoasa(config-ca-server)# issuer-name CN=CA.lab.local
ciscoasa(config-ca-server)# keysize server 1024
ciscoasa(config-ca-server)# keysize 1024
ciscoasa(config-ca-server)# smtp from-address [email]admin@ccnp.vpn.lab[/email]
ciscoasa(config-ca-server)# smtp subject "Certificate Enrollment Invitation"
ciscoasa(config-ca-server)# cdp-url [url]http://ccnp.vpn.lab/=CSCOCA=/enrollment.html[/url]
ciscoasa(config-ca-server)# publish-crl inside
ciscoasa(config-ca-server)# database path flash:/LOCAL-CA-SERVER
ciscoasa(config-ca-server)# enrollment-retrieval 24
ciscoasa(config-ca-server)# otp expiration 72
ciscoasa(config-ca-server)# no shutdown passphrase 12345678

User creation:

Код

ciscoasa# crypto ca server user-db add John dn CN=CA.lab.local email [email]causer1@ccnp.vpn.lab[/email]
ciscoasa# crypto ca server user-db allow John

Username Field Population Based upon Certificate Contents:

Код

ciscoasa(config)# tunnel-group "AnyConnect Connect1" webvpn-attributes
ciscoasa(config-tunnel-webvpn)# authentication certificate aaa
ciscoasa(config-tunnel-webvpn)# pre-fill-username ssl-client
ciscoasa(config)# tunnel-group "AnyConnect Connect1" general-attributes
ciscoasa(config-tunnel-general)# username-from-certificate DNQ SER

2.2 Configuring Certificate Mappings
Regardless of the method you have chosen to configure your ASA device, two items must be configured:

Certificate-to-Connection Profile Mapping;
Mapping Criteria.

Certificate-to-Connection Profile Mapping
Assigning multiple certificate-to-connection profile maps to connection profiles:

Код

ciscoasa(config)# crypto ca certificate map Cert-Map-Country 10
ciscoasa(config)# crypto ca certificate map Cert-Map-Country 20
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# certificate-group-map Cert-Map-Country 10 CCNP-VPNCONN
ciscoasa(config-webvpn)# certificate-group-map Cert-Map-Country 20 "AnyConnect 1"

Mapping Criteria
After creating a certificate-to-connection profile map, you can create and assign rules that will match the criteria you require to be present in users’ certificate files for them to be assigned to the connection profile you have chosen.

Код

ciscoasa(config)# crypto ca certificate map Cert-Map-Country 10
ciscoasa(config-ca-cert-map)# subject-name attr c eq RU

2.3 Provisioning Certificates from a Third-Party CA

Enrollment outside an SSL VPN tunnel: The AnyConnect client prompts the user to click the Get Certificate button to start the enrollment process. The user then enters her username and OTP received from the CA server.
Enrollment inside an SSL VPN tunnel.

Enrollment outside an SSL VPN tunnel
This method requires two connection profiles, one configured with certificate-based authentication and the second without. The connection profile without certificate-based authentication is used for the purposes of enrollment and will allow access only to the CA. Upon connecting, the AnyConnect client receives a profile that includes the Simple Certificate Enrollment Protocol (SCEP) parameters.

Step 1. Configure an Extensible Markup Language (XML) profile for use by the AnyConnect client containing the SCEP parameters required for communication with the CA.
Step 2. Configure a dedicated connection profile with password-based authentication used by clients for the purposes of enrollment. Communication only to the CA must be allowed through this connection. Configure group-policy.

Код

    ciscoasa(config)# group-policy Enrollment-Policy internal
    ciscoasa(config)# group-policy Enrollment-Policy attributes
    ciscoasa(config-group-policy)# address-pools value AnyConnectAdd
    ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified // only to CA
    ciscoasa(config-group-policy)# split-tunnel-network-list value SPLIT
    ciscoasa(config-group-policy)# webvpn
    ciscoasa(config-group-webvpn)# anyconnect profiles value Enrollment type vpn
    ciscoasa(config-group-wevpn)# tunnel-group Enrollment type remote-access
    ciscoasa(config)# tunnel-group Enrollment general-attributes
    ciscoasa(config-tunnel-general)# default-group-policy Enrollment-Policy
    ciscoasa(config-tunnel-general)# tunnel-group Enrollment webvpn-attributes
    ciscoasa(config-tunnel-webvpn)# group-alias Enrollment enable

Step 3. Enroll the AnyConnect client into a PKI.
Step 4. Optionally, configure client certificate selection.

Assigning an AnyConnect Profile to a Group Policy Object:

Код

ciscoasa(config)# group-policy Certificate-Selection-Policy internal
    ciscoasa(config-group-policy)# webvpn
    ciscoasa(config-group-webvpn)# anyconnect profiles value Enrollment type vpn
    ciscoasa(config)# webvpn

Importing a New AnyConnect Client Profile:

Код

ciscoasa(config-webvpn)# anyconnect profile Certificate_Profile disk0:/client_profile.xml

Step 5. Import the issuing CA’s certificate into the ASA’s certificate store, allowing the ASA to verify the connecting clients.

Creating a New Trustpoint for CA Certificate Retrieval Using SCEP:

Код

ciscoasa(config)# crypto ca trustpoint SCEP-CA
    ciscoasa(config-ca-trustpoint)# enrollment url [url]http://ccnp.vpn.lab/Certsrv/mscep/[/url]
    ciscoasa(config-ca-trustpoint)# enrollment retry count 5
    ciscoasa(config-ca-trustpoint)# enrollment retry period 10
    ciscoasa(config)# crypto ca authenticate SCEP-CA

Step 6. Configure a connection profile used by clients for network access using certificate-based authentication.

Код

ciscoasa(config)# tunnel-group Certificate-Based type remote-access
    ciscoasa(config)# tunnel-group Certificate-Based general-attributes
    ciscoasa(config-tunnel-general)# address-pool AnyConnectciscoasa
    ciscoasa(config-tunnel-general)# tunnel-group Certificate-Based webvpn-attributes
    ciscoasa(config-tunnel-webvpn)# authentication certificate
    ciscoasa(config-tunnel-webvpn)# group-alias Certificate-Based
    ciscoasa(config-tunnel-webvpn)# dns

2.4 Doubling Up on a Client Authentication
Control the status of certificates:

Certificate revocation list (CRL).
Online Certificate Status Protocol (OCSP) - prefered.

The following are valid methods of double or triple authentication using the ASA:

Certificate-based + AAA authentication.
Certificate-based + AAA authentication and username prefill from certificate.
Certificate-based + AAA authentication and username prefill and username hide.
Certificate-based + AAA authentication + AAA authentication, using optional username prefill or username hide.
AAA Authentication + AAA authentication, with optional username reuse for the second AAA authentication.

Configuring Double Authentication with Username Prefill and Hiding:

Код

ciscoasa(config)# tunnel-group "AnyConnect Connection Profile" webvpn-attributes
ciscoasa(config-tunnel-webvpn)# authentication certificate aaa
ciscoasa(config-tunnel-webvpn)# pre-fill-username ssl-client hide

Configuring Triple Authentication with Username Prefill and Hiding for Both AAA Servers:

Код

ciscoasa(config)# tunnel-group "AnyConnect Connection Profile" generalattributes
ciscoasa(config-tunnel-general)# secondary-authentication-server-group aaa local
ciscoasa(config-tunnel-general)# tunnel-group "AnyConnect Connection Profile" webvpn-attributes
ciscoasa(config-tunnel-webvpn)# secondary-pre-fill-username ssl-client hide

3. Advanced Deployment and Management of the AnyConnect Client

3.1 AnyConnect Installation Options

Manual predeployment
Automatic web deployment

Enabling AnyConnect and SSL on an Interface:

Код

ciscoasa(config-webvpn)# anyconnect image Anyconnect-win-2.5-2001-k9.pkg 1
ciscoasa(config-webvpn)# enable outside
ciscoasa(config-webvpn)# anyconnect enable
ciscoasa(config)# ip local pool SSL-POOL 192.168.111.0 192.168.111.254 mask 255.255.255.0
ciscoasa(config)# tunnel-group AnyConnect_Connect_1 general-attributes
ciscoasa(config-tunnel-general)# address-pool SSL-POOL
ciscoasa(config-tunnel-general)# default-group-policy CCNP-VPN-POLICY
ciscoasa(config)# group-policy CCNP-VPN-POLICY attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol ssl-client

Prompting the User to Choose AnyConnect Installation:

Код

ciscoasa(config-webvpn)# anyconnect enable
ciscoasa(config)# group-policy CCNP-VPN-POLICY attributes
ciscoasa(config-group-webvpn)# anyconnect ask enable default anyconnect timeout 20

3.2 Managing AnyConnect Client Profiles
The client profiles that may be configured are as follows:

VPN: Settings applied to the core AnyConnect client software.
NAM: Network Access Manager module settings for control of wireless and wired network device settings.
Web Security: The settings required for operation by the Web Security module (for example, which local ports to run on and which scanning hosts are available).
Telemetry: The settings required for the Telemetry module operation (for example, service control and local device antivirus checking).

3.3 Advanced Profile Features

SBL (Start Before Login)

Код

ciscoasa(config-group-webvpn)# anyconnect modules value vpngina

Trusted Network Detection: Trusted Network Detection is typically used by remote users who spend time working from both a remote location and their corporate office using the same device. Depending on the user’s current location, you can configure the AnyConnect client to disconnect from its current VPN connection, pause a VPN connection, start a connection, or do nothing.

4. AnyConnect Advanced Authorization using AAA and DAPs

4.1 Configuring Local and Remote Group Policies
Creating an External Group Policy and AAA Server Group:
[CODE]ciscoasa(config)# aaa-server RADIUS protocol radius
ciscoasa(config)# aaa-server RADIUS (dmz) host 192.168.0.10
ciscoasa(config-aaa-server-host)# key ciscoman
ciscoasa(config)# group-policy External_Policy1 external server-group RADIUS password ciscoman

Configuring Split-Tunnel Lists and Options:

Код

ciscoasa(config)# group-policy AnyConnect1 attributes
ciscoasa(config-group)# split-dns value lab.local
ciscoasa(config-group)# split-tunnel-policy tunnelspecified
ciscoasa(config-group)# split-tunnel-network-list value AnyConnect_Client_Local_Print

Configuring AnyConnect-Specific Options:

Код

ciscoasa(config)# group-policy AnyConnect1 attributes
ciscoasa(config-group)# webvpn
ciscoasa(config-group-webvpn)# anyconnect keep-installer installed
ciscoasa(config-group-webvpn)# anyconnect ssl dtls enable
ciscoasa(config-group-webvpn)# anyconnect profiles value VPN type VPN

4.2 Full SSL VPN Accountability

Код

ciscoasa(config)# logging enable
ciscoasa(config)# logging buffer-size 4096
ciscoasa(config)# logging flash-maximum-allocation 4096
ciscoasa(config)# logging savelog ciscoasaLog.txt
 
ciscoasa# show vpn-sessiondb

Configuring the RADIUS Accounting Group:

Код

ciscoasa(config)# tunnel-group CCNP-VPN-CONN general-attributes
ciscoasa(config-tunnel-general)# accounting-server-group RADIUS

5. AnyConnect High Availability and Performance

5.1 Deploying DTLS
Let’s assume DTLS has been enabled and a user tries to establish an AnyConnect session. To connect to the ASA and successfully establish the SSL VPN session, AnyConnect first creates the TLS (using TCP) tunnel. After VPN session is up, AnyConnect tries to negotiate with the ASA, also a DTLS tunnel. When the DTLS tunnel is established, all VPN session user data goes through the DTLS tunnel, the initial TLS tunnel being used only for VPN session control traffic. DPD needs to be enabled so that AnyConnect can detect whether a problem exists with the DTLS tunnel and thus failover user data to the TLS tunnel. Otherwise, user data will still go through the DTLS tunnel and end up dropped because of the DTLS tunnel no longer being available.

Enabling Per-User DTLS Support:

Код

ciscoasa(config)# username employee1 attributes
ciscoasa(config-user-attributes)# webvpn
ciscoasa(config-user-webvpn)# anyconnect ssl dtls enable

5.2 Basic QoS Configuration

Код

ciscoasa(config)# priority-queue outside
ciscoasa(config)# class-map voice-classciscoasa(config-cmap)# match tunnel-group AnyConnect_Connect_1
ciscoasa(config-cmap)# match dscp ef
ciscoasa(config-cmap)# policy-map outside-policy
ciscoasa(config-pmap)# class voice-class
ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# police output 2000000 1500 conform-action transmit exceed-action drop
ciscoasa(config-pmap-c)# service-policy outside-policy interface outside

5.3 AnyConnect Redundant Peering and Failover
In addition to trying one of the configured backup servers if the primary ASA is unavailable when establishing a new VPN session, the AnyConnect client uses dead peer detection (DPD) to detect when an ASA becomes unavailable during an established VPN connection. DPD is a keepalive mechanism that sends DPD_R_U_THERE packets to the ASA after a defined period of inactivity (default 30 seconds, maximum configurable value being 3600 seconds). After the AnyConnect client sends its first DPD_R_U_THERE packet, it expects a DPD_R_U_THERE_ACK back from the ASA. If the AnyConnect client does not receive an ACK from the ASA, it continues to send DPD_R_U_THERE packets until three have been sent. If at this point the AnyConnect client still has not received a response from the ASA, it tears down the connection and attempts to open a connection to the next available server configured in the Backup Servers list. In the scenario that both TLS and DTLS tunnels are established, DPD always uses the TLS tunnel.

Configuring the AnyConnect VPN Keepalive Value:

Код

ciscoasa(config)# group-policy SSL attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# anyconnect ssl keepalive 20

Configuring the AnyConnect DPD-Interval:

Код

ciscoasa(config)# group-policy SSL attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# anyconnect dpd-interval client 9
ciscoasa(config-group-webvpn)# anyconnect dpd-interval gateway 30

5.4 Hardware-Based Failover with VPNs

Step 1. Configure LAN failover interfaces.

Код

   ciscoasa(config)# failover lan unit primary
    ciscoasa(config)# failover lan interface logical name physical failover interface
    ciscoasa(config)# failover link logical stateful name physical stateful interface
    ciscoasa(config)# failover interface ip failover int logical name ip address mask standby ip address
    ciscoasa(config)# failover interface ip stateful int logical name ip address mask standby ip address
    ciscoasa(config)# interface physical failover int
    ciscoasa(config-if)# no shut
    ciscoasa(config-if)# interface physical stateful int
    ciscoasa(config-if)# no shut
    ciscoasa(config)# failover

Step 2. Configure standby addresses on interfaces used for traffic forwarding.

Код

    ciscoasa(config)# interface GigabitEthernet0/0
    ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

Step 3. Define failover criteria.

Код

    ciscoasa(config)# monitor-interface outside
    ciscoasa(config)# monitor-interface inside
    ciscoasa(config)# failover interface-policy 50%

Step 4. (Optional) Configure nondefault MAC addresses.

Код

    ciscoasa(config)# failover mac address physical interface primary mac standby mac

5.5 Redundancy in the VPN Core
Clustering (or VPN load balancing, as it is more commonly known) can be used to divide AnyConnect remote client sessions between the available ASA devices without the need for identical hardware and software.

Код

ciscoasa(config)# isakmp enable inside
ciscoasa(config)# vpn load-balancing
ciscoasa(config-load-balancing)# priority 1
ciscoasa(config-load-balancing)# interface lbpublic outside
ciscoasa(config-load-balancing)# interface lbprivate inside
ciscoasa(config-load-balancing)# cluster ip address 192.168.1.1
ciscoasa(config-load-balancing)# cluster key 1234567
ciscoasa(config-load-balancing)# cluster encryption
ciscoasa(config-load-balancing)# cluster port 3444
ciscoasa(config-load-balancing)# redirect-fqdn enable
ciscoasa(config-load-balancing)# participate

Clientless SSL VPN

1. Clientless SSL VPN Solution

1.1 Deployment Procedures and Strategies
You can configure five options:

Reverse proxy: Also known as the clientless SSL VPN, the reverse-proxy method of connection provides the benefits of ubiquitous connectivity (anywhere, anytime, from anything connectivity—within reason, of course). This particular connection method is commonly deployed for user access to internal web-enabled resources (Microsoft SharePoint or web mail, for example).
Port forwarding: Typically, the use of this connection method is for users accessing a Telnet application. The program’s connection/server settings must be changed from the default server addresses to the local loopback address where port 23 is listening and forwarded to the VPN appliance. Only TCP applications using static port assignments can be used, and client certificates cannot be used because the Java Runtime Environment (JRE) cannot access the local certificate store. Because of these reasons and others, port forwarding is now considered a legacy application, and Cisco recommends the use of plug-ins or smart tunnels.
Client/server plug-ins: Plug-ins enable users to access their familiar applications from within the browser window. This feature continues the ubiquitous ideal of SSL VPNs, where unlike port forwarding, the client can connect to the VPN and use the application from a public computer without any need for the application to be locally installed. Available plug-ins include RDP, VNC, SSH, Telnet, and Citrix.
Smart tunnels: The smart tunnel client requires the exact executable name of the local PC’s application process, including the extension (such as .exe), to be configured on the ASA, and it redirects any requests from the process to the ASA device through the SSL tunnel. Unlike with the plug-ins feature, the applications used by the client need to be installed locally on the PC in use. However, this feature can allow clients to use their existing application without the need to change any settings, and therefore the need for local administrator rights is removed as a requirement.
Full tunnel with AnyConnect: Similar to the IPsec client implementation, this method of access enables users to tunnel into the internal network and access network resources from their machines without having to choose a URL or change their local application settings.

1.2 Deploying Your First Clientless SSL VPN Solution
Configure a basic clientless SSL VPN:

Step 1. Plan an IP addressing.

Step 2. Configure a hostname, domain name, and Domain Name System (DNS).

Код

   ciscoasa(config)# hostname ciscoasa
    ciscoasa(config)# domain-name lab.local
    ciscoasa(config)# dns server-group DNS
    ciscoasa(config)# dns domain-lookup outside
    ciscoasa(config-dns-server-group)# domain-name lab.local
    ciscoasa(config-dns-server-group)# name-server 10.10.10.10

Step 3. Enroll with a CA and become a member of a PKI: install CA certificate and identity certificate.

Код

    ! To manually enter the root CA certificate
    ciscoasa(config)# crypto ca trustpoint CA
    ciscoasa(config-ca-trustpoint)# enrollment terminal
    ciscoasa(config-ca-trustpoint)# revocation-check none
    ciscoasa(config-ca-trustpoint)# no id-usage
    ciscoasa(config)# crypto ca authenticate CA
    ! To manually enter the identity certificate
    ciscoasa(config)# crypto ca trustpoint ASA
    ciscoasa(config-ca-trustpoint)# enrollment terminal
    ciscoasa(config-ca-trustpoint)# revocation-check none
    ciscoasa(config-ca-trustpoint)# id-usage ssl-ipsec
    ciscoasa(config-ca-trustpoint)# no fqdn
    ciscoasa(config-ca-trustpoint)# subject-name CN=ASA
    ciscoasa(config)# crypto ca enroll ASA
    !When you receive the certificate back from the issuing CA
    ciscoasa(config)# crypto ca import ASA certificate
    !!!!!!! or you can enroll the certificate with SCEP
    ciscoasa(config)# crypto ca trustpoint ASA
    ciscoasa(config-ca-trustpoint)# enrollment url [url]http://CA[/url]
    ciscoasa(config-ca-trustpoint)# revocation-check none
    ciscoasa(config-ca-trustpoint)# id-usage ssl-ipsec
    ciscoasa(config-ca-trustpoint)# no fqdn
    ciscoasa(config-ca-trustpoint)# subject-name CN=ASA
    ciscoasa(config)# crypto ca authenticate ASA
    ciscoasa(config)# crypto ca enroll ASA

Step 4. Enable the relevant interfaces for SSL VPN access.

Код

    ciscoasa(config)# webvpn
    ciscoasa(config-webvpn)# enable outside
    ciscoasa(config)# ssl trust-point ASA outside

Step 5. Create LOCAL user accounts.

Код

   ciscoasa(config)# username JohnChambers password cisco
    ciscoasa(config)# username JohnWayne password catwoman

Step 6. Create a Connection Profile (optional but recommended so that the DefaultWEBVPNGroup is not used).

Код

    ciscoasa(config)# tunnel-group SSL type remote-access
    ciscoasa(config)# tunnel-group SSL general-attributes
    ciscoasa(config)# tunnel-group SSL webvpn-attributes
    ciscoasa(config-tunnel-webvpn)# dns-group DNS

1.3 Optimizing Clientless SSL VPN Performance with Content Transformation
1.3.1 Gateway Content Rewriting
You might not want some applications and web resources, for example, public websites, to go through the ASA. The ASA therefore lets you create rewrite rules that let users browse certain sites and applications without going through the ASA. This is similar to split-tunneling in an IPsec VPN connection.

Код

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# rewrite order 1 disable resource-mask https://bank.com/* name Disable-Content-Rewrite-for-Banking

1.3.2 Application Helper Profiles
Clientless SSL VPN includes an Application Profile Customization Framework option that lets the ASA handle non-standard applications and web resources so they display correctly over a clientless SSL VPN connection. An APCF profile contains a script that specifies when (pre, post), where (header, body, request, response), and what (data) to transform for a particular application. The script is in XML and uses sed (stream editor) syntax to transform strings/text.

Код

ciscoasa(config)# webvpn
ciscoasa(config)# apcf flash:/apcf/apcf1.xml

or

Код

ciscoasa(config-webvpn)# apcf https://myserver:1440/apcf/apcf1.xml

1.3.3 Java Code Signing
A digital signature can be added to the application to provide the client with a way to verify that the application’s underlying code has not been tampered with between the server sending it and the client receiving it. The ASA can be configured to add a digital signature to Java objects for code-verification processes on the receiving client, because the ASA’s rewrite operation has the potential to modify any stored links within the file and render the current signature useless.
Configuring a Certificate for Signing Rewritten Java Content:

Код

hostname(config)# crypto ca import mytrustpoint pkcs12 mypassphrase
hostname(config)# webvpn
hostname(config-webvpn)# java-trustpoint mytrustpoint

1.4 Troubleshooting a Basic Clientless SSL VPN
The most common causes of problems for users are as follows:

Session establishment;
Certificate errors.

1.4.1 Troubleshooting Session Establishment

Step 1. Observe the SSL establishment phase for any incompatible protocol versions or cipher suites. If protocol errors have occurred, you can see these in the syslog real-time viewer within the ASDM or within the client browser. Some browsers, such as Mozilla, return messages that are easier to read and understand. Others, such as Internet Explorer, provide more generic error messages.

Step 2. After confirming SSL establishment has completed successfully, check for user authentication errors within the ASDM real-time viewer. Authentication errors (for example, an incorrect password or username) also display to the client upon submission.

Step 3. Check the user’s associated connection profile/tunnel group and group policy objects for clientless SSL VPN being allowed under the Protocols section. With this you make sure the user is allowed to connect using a clientless SSL VPN session and is also allowed to connect by using a certain or any connection profile.

After the user session has established successfully.

Step 1. Verify whether the ASA device is allowing traffic through the SSL tunnel without denying it. If any errors exist, examine the ASDM syslog output to display them.

Step 2. Check any content-rewrite rules configured to determine whether inside resources are incorrectly being sent by the user to the Internet directly (and thus bypassing the rewrite engine by mistake).

Step 3. Verify the HTML content being passed back to the client by the ASA. You can use packet-sniffing tools locally on the PC to check for the content being returned by the ASA when a user clicks a link and so forth.

Step 4. Verify the DNS server configuration on the ASA. If the ASA does not have any DNS servers or DNS server groups assigned, the client cannot browse resources internal or external by name through the SSL VPN portal.

Step 5. Ensure that the ASA is included in the browser Trusted Zone and that cookies are enabled in the used browser.

1.4.2 Troubleshooting Certificate Errors

Certificate expires.
Invalid hostname or hostname mismatch.
Invalid CA root certificate.
Revoked certificate.
Connection partially encrypted.

2. Portal

2.1 Configuring Application Access

2.1.1 Application Access Through Port Forwarding
Port forwarding lets users access TCP-based applications over a clientless SSL VPN connection. Protocols that use UDP do not work. Requires admin privileges.

Код

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# port-forward list_name local_port remote_server remote_port description
ciscoasa(config-webvpn)# port-forward PF 31337 10.10.10.10 22 SSH_TO_SERVER

Assigning a port forwarding list to Group Policy:

Код

ciscoasa(config)# group-policy name attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# port-forward enable list_name

To enable the port forwarding applet to start automatically after a remote user has successfully connected and opened the portal page:

Код

ciscoasa(config-group-webvpn)# port-forward auto-start list name

2.1.2 Application Access Using Client-Server Plugins

Step 1. Download the plug-in JAR files from Cisco.com.
Step 2. Import the plug-in JAR files into the ASA’s flash memory using the ASDM or CLI.

Код

    ciscoasa# import webvpn plug-in protocol vnc tftp://192.168.13.37/vnc-plugin.jar

Step 3. Configure a bookmark list or use an existing one and create a new bookmark using the plug-in prefix. (For example, the VNC plug-in uses a prefix of vnc://.)
Step 4. (Optional) Define plug-in parameters to customize the user experience or connection type. (This step is usually carried out during bookmark creation. However, it is important and therefore requires its own step.)
Step 5. Connect to a remote server using the application plug-in bookmark for access and experience verification.

2.1.3 Application Access Through Smart Tunnels
Smart tunnels can be implemented into an existing or new SSL VPN connection using the following three methods:

Smart tunnel application lists: You must first create a list and then associate smart tunnel applications.
Smart tunnel network lists: You must first create a network list and then associate networks to be tunneled by the Smart Tunnel feature.
Bookmarks: When creating a bookmark list, you have an Enable Smart Tunnel option. You can check this option for web-enabled applications, allowing users to automatically start the smart tunnel process upon bookmark selection.

Код

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# smart-tunnel list SMART-RDP RDP "mstsc.exe"
ciscoasa(config-webvpn)# smart-tunnel network SMART-RDP-NET ip 192.168.1.0 255.255.255.0
ciscoasa(config)# group-policy name webvpn-attributes
ciscoasa(group-policy-webvpn)# smart-tunnel list SMART-RDP enable
ciscoasa(group-policy-webvpn)# smart-tunnel tunnel-policy tunnelspecified SMART-RDP-NET

2.2 Customizine the Clientless Portal
2.2.1 Basic Portal Layout Configuration
You can modify the look and feel of the following pages:

Logon page.
Portal page.
Logout page.

The onscreen keyboard is a Java-based keyboard that you can use to prevent potential keylogger software access to any credentials the user might be required to enter:

Код

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# onscreen-Keyboard all

or

Код

ciscoasa(config-webvpn)# onscreen-Keyboard logon

2.2.2 Outside-the-Box Portal Configuration
You can download any current template or content files that reside on the ASA device:

Код

ciscoasa(config)# export webvpn customization DfltCustomization ftp://myftpserver/custom_page1

After editing the customization templates/files offline, you can then import them to the ASA:

Код

ciscoasa(config)# import webvpn customization custom_page1 ftp://myftpserver/custom_page1

2.2.3 AnyConnect Portal Integration

Код

ciscoasa(config)# group-policy DfltGrpPolicy attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# anyconnect ask none default anyconnect
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# anyconnect image disk0:/anyconnect.pkg 1
ciscoasa(config-webvpn)# enable

2.3 Advanced Authentication
The following are typical authentication options for client authentication:

Static passwords.
Digital certificates.
Double authentication.

2.3.1 Clientless SSL VPN Double Authentication

Код

ciscoasa(config)# tunnel-group name general-attributes
ciscoassa(config-tunnel-general)# secondary-authentication-server-group ASA_interface none | LOCAL | groupname [use-primary-name]

2.3.2 Single Sign-on
Single sign-on support lets users of clientless SSL VPN enter a username and password only once to access multiple protected services and web servers. The clientless SSL VPN server running on the ASA acts as a proxy for the user to the authenticating server. When a user logs in, the clientless SSL VPN server sends an SSO authentication request, including username and password, to the authenticating server. If the server approves the authentication request, it returns an SSO authentication cookie to the clientless SSL VPN server. The ASA keeps this cookie on behalf of the user and uses it to authenticate the user to secure websites within the domain protected by the SSO server.

a) Configuring SSO with HTTP Basic or NTLM Authentication

Configures auto-signon for all users of clientless SSL VPN to servers with IP addresses ranging from 10.1.1.0 to 10.1.1.255 using NTLM authentication.

Код

ciscoasa(config)# webvpn
    ciscoasa(config-webvpn)# auto-signon allow ip 10.1.1.1 255.255.255.0 auth-type ntlm

Configures auto-signon for all users of clientless SSL VPN, using basic HTTP authentication, to servers defined by the URI mask https://*.example.com/*.

Код

ciscoasa(config)# webvpn
    ciscoasa(config-webvpn)# auto-signon allow uri [url]https://*.example.com/*[/url] auth-type basic

b) Configuring SSO Authentication Using SiteMinder

Код

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# sso-server SSO-Server type siteminder
ciscoasa(config-webvpn-sso-siteminder)# web-agent-url [url]http://10.1.1.1[/url]
ciscoasa(config-webvpn-sso-siteminder)# policy-server-secret ciscot
ciscoasa(config-webvpn-sso-siteminder)# username test attributes
ciscoasa(config-username)# webvpn
ciscoasa(config-username-webvpn)# sso-server value SSO-Server
ciscoasa(config-username-webvpn)# group-policy DfltGrpPolicy attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# sso-server value SSO-Server

c) Configuring SSO Authentication Using SAML Browser Post Profile

d) Configuring SSO with the HTTP Form Protocol

2.3.3 Troublshooting PKI

3. Dynamic Access Policies (DAP)

Dynamic access policies (DAP) provide a higher level of granularity when assigning object access to users or groups through the matching of specific authentication, authorization, and accounting (AAA) attributes and endpoint attributes (for example, the existence of particular local files or Registry settings). DAP is not restricted to just clientless SSL VPN. It can be applied to all remote-access VPN connection types.
To deploy a DAP, you must complete five steps:

Step 1. Create a DAP.
Step 2. Specify user AAA attributes for match purposes.

a) Group policy name
b) Assigned IP address
c) Connection profile
d) Username
e) Username 2
f) SCEP Required

Step 3. Specify endpoint attributes for match purposes.

a) Anti-Spyware (CSD Required)
b) Anti-Virus (CSD Required)
c) Application (connection type)
d) File (CSD Required)
e) Device (CSD Reqired)
f) NAC
g) Operating System (CSD Required)
h) Personal Firewall (CSD Required)
j) Policy (CSD Required)
k) Process (CSD Required)
m) Registry (CSD Required)

Step 4. Configure authorization parameters.

a) Action
b) Netwrok ACL Filters (Client)
c) Webtype ACL Filters (Clientless)
d) Functions
e) Port Forwarding List
f) Bookmarks
g) Access Method
h) AnyConnect

Step 5. Configure authorization parameters for the default DAP.

DAP Record Aggregation
DAP record aggregation is the result of configured match conditions in two or more DAPs matching those of the user AAA or endpoint attributes. The results can vary based on the priorities of the DAPs being aggregated and the actions that are configured within them. DAP records, unlike ACLs, do not finish processing and apply the action as soon as a match is found. Instead, all DAP records (except for the DfltAccessPolicy) are checked against the session, and any authorization attributes that result from the matching records are cumulated.

Troubleshooting DAP Deployment

ASDM test feature
ASA logging
DAP debugging

4. High Availability and Performance

4.1 Content Caching for Optimization
It stores frequently reused objects in the system cache, which reduces the need to perform repeated rewriting and compressing of content. It reduces traffic between clientless SSL VPN and the remote servers, with the result that many applications run much more efficiently. By default, caching is enabled.
4.2 Clustering
HA clustering (or VPN load balancing, as it is more commonly known) can be used to divide our remote clients’ SSL VPN sessions between our ASA devices without the need for duplicate hardware, software, or an intermediate load balancer (ACE). After a failover between devices occurs, any clientless SSL VPN sessions must be re-created. However, if connected using a client with DPD enabled (like AnyConnect or IPsec VPN Client), the client can automatically reconnect to the virtual cluster address (VIP) for session reestablishment.

Код

ciscoasa(config)# crypto isakmp enable inside
ciscoasa(config)# vpn load-balancing
ciscoasa(config-load-balancing)# cluster ip add 192.168.0.1 // same on all ASAs
ciscoasa(config-load-balancing)# cluster key cisco123
ciscoasa(config-load-balancing)# cluster encryption
ciscoasa(config-load-balancing)# priority 10 // higher better
ciscoasa(config-load-balancing)# participate

4.3 Troubleshooting

Configuring Policies, Inheritance, and Attributes

1. Policies and Their Relationships
Before remote users can build a successful connection into an organization through a VPN, they must first go through the following two phases:

The prelogin phase is achieved through the use of connection profiles (also known as tunnel groups). In connection profiles, you can carry out the assignment of connection attributes and parameters (for example, AAA and IP address assignment) and define the available connection methods (for example, IKEv1, IKEv2, and SSL), allowing users to move on to the login process.
The post-login phase is achieved through the use of group policy objects, DAPs, and user-specific attributes. These may include such items as IPv4 or IPv6 access lists, DNS servers, access hours, split tunneling, and so on.

The hierarchal policy model (any unassigned attributes inherit their settings from the lower-level policy methods):

2. Understanding Connection Profiles
Connection profiles, or tunnel groups, provide the necessary prelogin policy criteria required to enable remote users to successfully establish a VPN connection to the ASA device.
Connection profiles are typically used to separate remote users into the relevant groups that may require separate methods of access or login (for example, clientless SSL VPN, AnyConnect VPN sessions, username and password, or certificate-based authentication) and provide these groups with general connectivity settings such as AAA, DNS, DHCP servers, and IP address pools.

A few methods are available for allowing users to select and connect to the appropriate connection profile:

Group URL: Group URLs allow remote users connecting through a clientless SSL VPN session to select a connection profile by entering the direct URL in their browser that has been configured for the profile they require.

Код

ciscoasa(config)# tunnel-group SSLVPN webvpn-attributes
    ciscoasa(config-tunnel-webvpn)# group-url [url]https://ccnp.vpn.com/SSL[/url] enable

Group alias: Group aliases allow clientless SSL VPN users to select the appropriate connection profile from a list at the portal login page and AnyConnect users to select a connection profile in the client software.

Код

ciscoasa(config)# webvpn
    ciscoasa(config-webvpn)# tunnel-group-list enable // enabling group alias feature
    ciscoasa(config)# tunnel-group SSLVPN webvpn-attributes
    ciscoasa(config-tunnel-webvpn)# group-alias SSL enable

Certificate to connection profile mapping: If you have chosen to use digital certificate authentication for your connection profiles, the distinguished name (DN) values in a remote user’s certificate can be used to select the appropriate connection profile.
Per-user connection profile lock: You can also assign a connection profile directly to remote users on an individual basis. For example, you might have a specific connection profile for sales users and want to make the process of connecting as seamless as possible for them without their having to first enter or select a connection profile.

Код

    ciscoasa(config-username)# username CCNP attributes
    ciscoasa(config-username)# group-lock value SSL

Creating connection profile:

Код

ciscoasa(config)# tunnel-group SSL type remote-access

3. Understanding Group Policies
A group policy object is a container for the various attributes and post-login parameters that can be assigned to VPN users and to endpoints such as IPv4 and IPv6 ACLs, DHCP servers, address pools, and so on.

Код

ciscoasa(config)# group-policy name internal
ciscoasa(config)# group-policy name internal from existing policy //  you can specify the name of an existing group policy object for the new group policy object to use as a template

4. Configure User Attributes
The policies and parameters assigned to either local or remote users are the same and are assigned using either connection profiles or group policy objects.
However, in a locally configured user, you can also assign attributes and policy objects directly to the user account using the various options available.

Код

ciscoasa(config)# username test password cisco privilege 2
ciscoasa(config)# username test attributes
ciscoasa(config-username)# service-type remote-access // no ASDM, SSH, TELNET access

5. Using External Servers for AAA and Policies
The ASA device supports the following external AAA server types and protocols for authentication purposes:

RADIUS;
TACACS+;
LDAP;
NT Domain;
SDI;
Kerberos;
HTTP Form.

Only two of the protocols are available for use with external group policy assignment: RADIUS and LDAP.

Код

ciscoasa(config)# group-policy name external server-group name password password

VPN Technologies Overview

1. Overview
VPN methods and their associated protocols supported by the ASA:

IPsec remote-access (IKEv1);
Easy VPN Remote client and server (IKEv1);
Easy VPN Remote hardware client (ASA 5505 only);
Clientless SSL remote-access;
AnyConnect SSL remote-access (SSL/TLS);
AnyConnect IKEv2 remote-access (SSL/TLS and Datagram Transport Layer Security (DTLS);
IPsec site-to-site (IKEv1 and IKEv2).

IPsec

IKEv1 or IKEv2 is used by IPsec for the exchange of parameters used for key negotiation, the exchange of the derived authentication/encryption keys, and overall establishment of security associations (SA).
Encapsulating Security Payload (ESP) provides a framework for the data integrity, encryption, authentication, and antireplay functions of an IPsec VPN.
Authentication Header (AH) provides a framework for the data integrity, authentication, and antireplay functions. (No encryption is provided when using AH.)

2. IKEv1
IKEv1 provides a framework for the parameter negotiation and key exchange between VPN peers for the correct establishment of an SA.
Two protocols used by IKEv1:

Internet Security Association and Key Management Protocol (ISAKMP) takes care of parameter negotiation between peers (for example, DH groups, lifetimes, encryption, and authentication).
Oakley provides the key-exchange function between peers using the DH protocol.

Two mandatory IKEv1 phases must be followed by each peer before a communications tunnel can be established between them:

IKEv1 Phase 1: both peers negotiate parameters to set up a secure and authenticated tunnel. Both peers use only one session key to secure both incoming and outgoing traffic.
IKEv1 Phase 2: uses the negotiated parameters in Phase 1 for secure IPsec SA creation. However, unlike the single bidirectional SA created within Phase 1, the IPsec SAs are unidirectional, meaning a different session key is used for each direction (one for inbound, or decrypted, traffic, and one for outbound, or encrypted, traffic).

IKEv1 uses either IKEv1 Main mode or IKEv1 Aggressive mode in Phase 1 to carry out the actions required to build a bidirectional tunnel. It then uses IKEv1 Quick mode for Phase 2 operations.

IKEv1 Main mode (Phase 1) uses three pairs of messages (making six in total) between peers:

Pair 1 consists of the IKEv1 security policies configured on the device: One peer (initiator) begins by sending one or more IKEv1 policies, and the receiving peer responds (responder) with its choice from the policies.
Pair 2 includes DH public key exchange: DH creates shared secret keys using the agreed upon DH group/algorithm exchanged in pair 1 and encrypts nonces (a randomly generated number) that begin life by first being exchanged between peers. They are then encrypted by the receiving peer and sent back to the sender and decrypted using the generated keys.
Pair 3 is used for ISAKMP authentication: Each peer is authenticated and their identity validated by the other using pre-shared keys or digital certificates. These packets and all others exchanged from now on during the negotiations are encrypted and authenticated using the policies exchanged and agreed upon in pair 2.

IKEv1 Aggressive mode (Phase 1) uses just three messages:

The initiator sends DH groups signed nonces (randomly generated numbers), identity information, IKEv1 policies, and so on.
The responder authenticates the packet and sends back accepted IKEv1 policies, nonces, key material, and an identification hash that are required to complete the exchange.
The initiator authenticates the responder’s packet and sends the authentication hash.

During IKEv1 Quick mode (Phase 2), IKEv1 transform sets (a list of encryption and hashing protocols) used for IPsec policy negotiation and unidirectional SA creation are exchanged between peers. Regardless of the parameters/attributes selected within a transform set, the same five pieces of information are always sent.
An optional Extended Authentication (XAUTH) phase can also take place after successful Phase 1 SA creation. The difference is IKEv1 Phase 1 carries out the authentication of the VPN peers used to terminate each end of the SA, whereas XAUTH is used for the authentication of users or devices that will be transmitting and receiving data across the established VPN tunnel.

2. Authentication Header and Encapsulating Security Payload

ESP and AH are not PAT aware, cannot be PAT’ed because these protocols do not have the notion of port numbers, and run on top of IP with their own protocol numbers. To resolve this problem, a similar approach to adding a new IP header can be taken by adding a new transport header.
AH cannot operate with NAT-T because changing the authenticated IP address in the outer header will break the integrity check.
For ESP to pass across PAT devices on Cisco ASA, the following options are available:

Standard-based NAT-T, which encapsulates ESP into User Datagram Protocol (UDP) port 4500 only if NAT/PAT device is detected along the path between the two VPN endpoints. This method is supported for all IKEv1 IPsec VPN types, but only in Tunnel mode.
Cisco proprietary UDP or TCP encapsulation, which always encapsulates ESP into UDP or TCP, even though no NAT/PAT device exists along the path. If UDP encapsulation is being used, IKEv1 negotiation still uses UDP port 500, but ESP is encapsulated into UDP. (By default, port 10000 is used.) With TCP encapsulation, both IKEv1 and ESP are encapsulated into TCP, and by default, port 10000 is used. This method is available only for remote-access IKEv1 IPsec VPNs in Tunnel mode.

3. IKEv2
IKEv2 introduces a new packet-exchange process using just four messages most of the time:

IKE_SA_INIT (Phase 1): The first exchange, IKE_SA_INIT, is used to negotiate the security parameters by sending IKEv2 proposals, including the configured encryption and integrity protocols, DH values, and nonces (random) numbers. At this point, the two peers generate SKEYSEED (a seed security key value) from which all future IKE keys are generated
IKE_AUTH (Phase 1 and 2): IKE_AUTH, operates over the IKE_SA created by the IKE_SA_ INIT exchanges and is used to validate the identity of the peers and negotiate the various encryption, authentication, and integrity protocols to establish the first CHILD_SA for use by ESP or AH in which IPsec communication occurs. The first CHILD_SA created in the second exchange is commonly the only SA created for IPsec communication. However, if an application or peer requires the use of additional SAs to secure traffic through an encrypted tunnel, IKEv2 uses the CREATE_CHILD_SA exchange. During the CREATE_CHILD_SA exchange, new DH values may be generated and cryptographic protocols used.

IKEv2 also implements a fourth exchange type: INFORMATIONAL. This message type is used to exchange error and management information between peers.
4. SSL/TLS
SSL handshake process with client authentication:

5. DTLS
DTLS is based on the original implementation of TLS, but instead operates using the UDP transport protocol for faster packet delivery.
To provide the functions of message reordering and reliable delivery, the DTLS protocol has added two new fields to the TLS record layer format: the Sequence Number and the Epoch. The Epoch field is used to distinguish the different conversations that may be occurring at the same time.

More info:
Cisco ASA Series VPN CLI Configuration Guide, 9.1
Cisco ASA Series VPN ASDM Configuration Guide, 7.1

Resource link

Результаты опроса: Нужен ли теме перевод?
Ничего не понятно, перевод нужен.	2	15.38%
Все понятно, перевод не нужен.	4	30.77%
В основном понятно. но хотелось бы перевод для уяснения тонкостей.	7	53.85%
Голосовавшие: 13. Вы ещё не голосовали в этом опросе

Опции темы