SSL VPN with Cisco ASA
by Ionel Mocanu

WebVPN is the term Cisco uses for delivering a remote-access VPN solution over SSL.

Cisco supports three SSL VPN implementations: clientless, thin client, and network (tunnel) client. Unlike other VPN implementations, SSL VPN does not necessarily require a VPN client to be installed on the user's computer; the VPN can be accessed directly from the web browser. Clientless mode supports only web-based applications, with the SSL gateway acting as a proxy for HTTP, HTTPS, CIFS and email. Thin client mode also supports non-web-based applications such as telnet, SSH, VNC, RDP and email. Cisco offers three ways of delivering thin client mode: port forwarding, plug-ins and smart tunnels. Besides the browser, all of these require Java 1.5 to be installed on the user's computer. Tunnel mode requires a client, AnyConnect, to be installed; it can be downloaded directly from a clientless session.

What follows shows how to set up WebVPN using port forwarding, plug-ins and the AnyConnect client (SVC, SSL VPN Client).

The following commands are used for the initial configuration:

ciscoasa(config)# hostname SSLVPN 
SSLVPN(config)# interface ethernet 0/0
SSLVPN(config-if)# ip address 192.0.2.2 255.255.255.252
SSLVPN(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
SSLVPN(config-if)# no shutdown
SSLVPN(config)# interface ethernet 0/1
SSLVPN(config-if)# ip address 172.16.40.25 255.255.255.248
SSLVPN(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
SSLVPN(config-if)# no shutdown
SSLVPN(config)# route outside 0 0 192.0.2.1

NAT configuration for the DMZ servers

SSLVPN(config)# nat (dmz) 1 172.16.40.24 255.255.255.248
SSLVPN(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
SSLVPN(config)# same-security-traffic permit inter-interface
SSLVPN(config)# dns domain-lookup outside
SSLVPN(config)# dns name-server 94.52.207.65
SSLVPN(config)# username ionel password ionel privilege 15
SSLVPN(config)# username ionel attributes
SSLVPN(config-username)# service-type admin
SSLVPN(config)# aaa authentication enable console LOCAL

SSH configuration

SSLVPN(config)# crypto key generate rsa modulus 2048
SSLVPN(config)# ssh version 2
SSLVPN(config)# ssh 0 0 outside
SSLVPN(config)# aaa authentication ssh console LOCAL

Creating the certificate used for SSL VPN

SSLVPN(config)# crypto key generate rsa label SSLVPN modulus 2048
INFO: The name for the keys will be: SSLVPN
Keypair generation process begin. Please wait...
SSLVPN(config)# crypto ca trustpoint ionelmocanu.eu
SSLVPN(config-ca-trustpoint)# enrollment self
SSLVPN(config-ca-trustpoint)# fqdn ionelmocanu.eu
SSLVPN(config-ca-trustpoint)# subject-name CN=ionelmocanu.eu
SSLVPN(config-ca-trustpoint)# keypair SSLVPN
SSLVPN(config-ca-trustpoint)# crypto ca enroll ionelmocanu.eu noconfirm
% The fully-qualified domain name in the certificate will be: ionelmocanu.eu
SSLVPN(config)# ssl trust-point ionelmocanu.eu outside

ASDM

SSLVPN(config)# copy tftp://172.16.40.28/asdm-621.bin flash
Address or name of remote host [172.16.40.28]?
Source filename [asdm-621.bin]?
Destination filename [asdm-621.bin]?
Accessing tftp://172.16.40.28/asdm-621.bin...!!!!!!!!!!!!!!!!!!!!!!
SSLVPN(config)# asdm image flash:/asdm-621.bin
SSLVPN(config)# http server enable
SSLVPN(config)# http 0 0 outside

Install the ssh and rdp plug-ins (for port forwarding) and the AnyConnect package for Windows, used for SVC:

SSLVPN(config)# import webvpn plug-in protocol ssh,telnet tftp://172.16.40.28/ssh-plugin.jar
SSLVPN(config)# import webvpn plug-in protocol rdp tftp://172.16.40.28/rdp-plugin.jar
SSLVPN(config)# copy tftp://172.16.40.28/anyconnect-win-2.4.xxxx-k9.pkg flash
Address or name of remote host [172.16.40.28]?
Source filename [anyconnect-win-2.4.xxxx-k9.pkg]?
Destination filename [anyconnect-win-2.4.xxxx-k9.pkg]?
Accessing tftp://172.16.40.28/anyconnect-win-2.4.xxxx-k9.pkg...!!!!!!!!

Enable SSL VPN access, including port forwarding and the AnyConnect client

SSLVPN(config)# webvpn
SSLVPN(config-webvpn)# port 444
SSLVPN(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
SSLVPN(config-webvpn)# svc image disk0:/anyconnect-win-2.4.xxxx-k9.pkg
SSLVPN(config-webvpn)# svc enable
SSLVPN(config-webvpn)#  port-forward RDP_WINDOWS 3389 172.16.40.27 3389
SSLVPN(config-webvpn)# port-forward SSH_DEBIAN 30 172.16.40.26 ssh
SSLVPN(config-webvpn)#  tunnel-group-list enable

IP addresses must be assigned to the clients:

SSLVPN(config)# ip local pool SSLClient 10.0.0.1-10.0.0.6 mask 255.255.255.248

Two group policies are created to define the parameters applied to the clients. SSLVPN allows only clientless access and port forwarding, while SSLCLient (spelled as in the commands below; ASA object names are case-sensitive) allows connecting through AnyConnect:

SSLVPN(config)# group-policy SSLVPN internal
SSLVPN(config)# group-policy SSLVPN attributes
SSLVPN(config-group-policy)# vpn-tunnel-protocol webvpn
SSLVPN(config-group-policy)# webvpn
SSLVPN(config-group-webvpn)# port-forward auto-start SSH_DEBIAN
SSLVPN(config-group-webvpn)# port-forward auto-start RDP_WINDOWS
SSLVPN(config-group-webvpn)# file-entry enable
SSLVPN(config-group-webvpn)# file-browsing enable
SSLVPN(config-group-webvpn)# url-entry enable
SSLVPN(config)# group-policy SSLCLient internal
SSLVPN(config)# group-policy SSLCLient attributes
SSLVPN(config-group-policy)# dns-server value 8.8.8.8
SSLVPN(config-group-policy)# vpn-tunnel-protocol svc webvpn
SSLVPN(config-group-policy)# address-pools value SSLClient
SSLVPN(config-group-policy)# webvpn
SSLVPN(config-group-webvpn)# svc ask enable default svc timeout 20
SSLVPN(config-group-webvpn)# svc keep-installer none

To define the SSL VPN connection parameters, two tunnel groups are created:

SSLVPN(config)# tunnel-group SSLVPN type remote-access
SSLVPN(config)# tunnel-group SSLVPN webvpn-attributes
SSLVPN(config-tunnel-webvpn)# group-alias SSLVPN enable
SSLVPN(config-tunnel-webvpn)# exit
SSLVPN(config)# tunnel-group SSLClient type remote-access
SSLVPN(config)# tunnel-group SSLClient general-attributes
SSLVPN(config-tunnel-general)# default-group-policy SSLCLient
SSLVPN(config-tunnel-general)# exit
SSLVPN(config)# tunnel-group SSLClient webvpn-attributes
SSLVPN(config-tunnel-webvpn)# group-alias SSLClient enable

sysopt is used to let VPN clients bypass the access lists defined on the outside interface:

SSLVPN(config)# sysopt connection permit-vpn

A user is created for WebVPN access:

SSLVPN(config)# username ionel3 password ionel3 privilege 0
SSLVPN(config)# username ionel3 attributes
SSLVPN(config-username)# service-type remote-access

Internet access goes through the VPN. The DMZ servers can also be reached:

SSLVPN(config)# access-list no_nat_dmz extended permit ip 172.16.40.24 255.255.255.248 10.0.0.0 255.255.255.248
SSLVPN(config)# nat (dmz) 0 access-list no_nat_dmz
SSLVPN(config)# access-list no_nat_internal_lan extended permit ip 10.0.0.0 255.255.255.248 172.16.40.24 255.255.255.248
SSLVPN(config)# nat (outside) 0 access-list no_nat_internal_lan

Internet access uses the client's current gateway, but the DMZ servers can also be reached; this is split tunneling:

SSLVPN(config)# group-policy SSLCLient attributes
SSLVPN(config-group-policy)# split-tunnel-policy tunnelspecified
SSLVPN(config-group-policy)# split-tunnel-network-list value no_nat_dmz
SSLVPN(config)# access-list no_nat_dmz extended permit ip 172.16.40.24 255.255.255.248 10.0.0.0 255.255.255.248
SSLVPN(config)# nat (dmz) 0 access-list no_nat_dmz

Internet access, but no DMZ access:

SSLVPN(config)# group-policy SSLCLient attributes
SSLVPN(config-group-policy)# split-tunnel-policy tunnelall
SSLVPN(config-group-policy)# exit
SSLVPN(config)# nat (outside) 1 10.0.0.0 255.255.255.248
SSLVPN(config)# same-security-traffic permit intra-interface

[Screenshots: anyconnect, portforward]
