WebVPN is the term Cisco uses for providing a remote-access VPN solution over SSL.
Cisco supports three SSL VPN implementations: clientless, thin client, and network (tunnel) client. Unlike other VPN implementations, SSL VPN does not necessarily require a VPN client to be installed on the user's computer; the VPN can be accessed directly from the web browser. Clientless mode supports only web-based applications, with the SSL gateway acting as a proxy for HTTP, HTTPS, CIFS and e-mail. Thin-client mode also supports non-web-based applications such as telnet, SSH, VNC, RDP and e-mail. Cisco offers three ways of providing thin-client mode: port forwarding, plug-ins and smart tunnels. Besides the browser, all of them require Java 1.5 to be installed on the user's computer. Tunnel mode requires a client, AnyConnect, to be installed; it can be downloaded directly from a clientless session.
What follows shows how to set up WebVPN using port forwarding, plug-ins and the AnyConnect client (SVC, SSL VPN Client).
The following commands perform the initial configuration:
ciscoasa(config)# hostname SSLVPN
SSLVPN(config)# interface ethernet 0/0
SSLVPN(config-if)# ip address 192.0.2.2 255.255.255.252
SSLVPN(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
SSLVPN(config-if)# no shutdown
SSLVPN(config)# interface ethernet 0/1
SSLVPN(config-if)# ip address 172.16.40.25 255.255.255.248
SSLVPN(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
SSLVPN(config-if)# no shutdown
SSLVPN(config)# route outside 0 0 192.0.2.1

NAT configuration for the servers in the DMZ

SSLVPN(config)# nat (dmz) 1 172.16.40.24 255.255.255.248
SSLVPN(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
SSLVPN(config)# same-security-traffic permit inter-interface
SSLVPN(config)# dns domain-lookup outside
SSLVPN(config)# dns name-server 94.52.207.65
SSLVPN(config)# username ionel password ionel privilege 15
SSLVPN(config)# username ionel attributes
SSLVPN(config-username)# service-type admin
SSLVPN(config)# aaa authentication enable console LOCAL
SSH configuration

SSLVPN(config)# crypto key generate rsa modulus 2048
SSLVPN(config)# ssh version 2
SSLVPN(config)# ssh 0 0 outside
SSLVPN(config)# aaa authentication ssh console LOCAL

Creating the certificate used for SSL VPN

SSLVPN(config)# crypto key generate rsa label SSLVPN modulus 2048
INFO: The name for the keys will be: SSLVPN
Keypair generation process begin. Please wait...
SSLVPN(config)# crypto ca trustpoint ionelmocanu.eu
SSLVPN(config-ca-trustpoint)# enrollment self
SSLVPN(config-ca-trustpoint)# fqdn ionelmocanu.eu
SSLVPN(config-ca-trustpoint)# subject-name CN=ionelmocanu.eu
SSLVPN(config-ca-trustpoint)# keypair SSLVPN
SSLVPN(config-ca-trustpoint)# crypto ca enroll ionelmocanu.eu noconfirm
% The fully-qualified domain name in the certificate will be: ionelmocanu.eu
SSLVPN(config)# ssl trust-point ionelmocanu.eu outside
ASDM

SSLVPN(config)# copy tftp://172.16.40.28/asdm-621.bin flash
Address or name of remote host [172.16.40.28]?
Source filename [asdm-621.bin]?
Destination filename [asdm-621.bin]?
Accessing tftp://172.16.40.28/asdm-621.bin...!!!!!!!!!!!!!!!!!!!!!!
SSLVPN(config)# asdm image flash:/asdm-621.bin
SSLVPN(config)# http server enable
SSLVPN(config)# http 0 0 outside
Install the SSH and RDP plug-ins (for port forwarding) and the AnyConnect package for Windows, used for the SVC:

SSLVPN(config)# import webvpn plug-in protocol ssh,telnet tftp://172.16.40.28/ssh-plugin.jar
SSLVPN(config)# import webvpn plug-in protocol rdp tftp://172.16.40.28/rdp-plugin.jar
SSLVPN(config)# copy tftp://172.16.40.28/anyconnect-win-2.4.xxxx-k9.pkg flash
Address or name of remote host [172.16.40.28]?
Source filename [anyconnect-win-2.4.xxxx-k9.pkg]?
Destination filename [anyconnect-win-2.4.xxxx-k9.pkg]?
Accessing tftp://172.16.40.28/anyconnect-win-2.4.xxxx-k9.pkg...!!!!!!!!
Enable SSL VPN access, including port forwarding and the AnyConnect client:

SSLVPN(config)# webvpn
SSLVPN(config-webvpn)# port 444
SSLVPN(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
SSLVPN(config-webvpn)# svc image disk0:/anyconnect-win-2.4.xxxx-k9.pkg
SSLVPN(config-webvpn)# svc enable
SSLVPN(config-webvpn)# port-forward RDP_WINDOWS 3389 172.16.40.27 3389
SSLVPN(config-webvpn)# port-forward SSH_DEBIAN 30 172.16.40.26 ssh
SSLVPN(config-webvpn)# tunnel-group-list enable
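Each port-forward entry above has the form list-name, local port, remote host, remote port (numeric or a service name such as ssh); the Java applet opens the local port on the user's machine and the ASA relays it to the remote host. The following Python script is an added example, not part of the original post or of any Cisco tool: it parses such entries into the listener table the applet ends up with and flags two things worth checking before publishing a list, duplicate local ports and local ports below 1024 (which non-Windows clients cannot bind without administrative rights). The two sample lines are the ones from this post; the service-name fallback table is constructed.

```python
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed fallback for hosts without /etc/services: only the names this
# post uses plus a few common ones.
_SERVICE_PORTS = {"ssh": 22, "telnet": 23, "smtp": 25, "http": 80, "https": 443}

# The two port-forward entries from the webvpn section of this post.
PAGE_ENTRIES = [
    "SSLVPN(config-webvpn)# port-forward RDP_WINDOWS 3389 172.16.40.27 3389",
    "SSLVPN(config-webvpn)# port-forward SSH_DEBIAN 30 172.16.40.26 ssh",
]


def service_to_port(value: str) -> int:
    """Accept either a numeric port or a service name, as the ASA CLI does."""
    if value.isdigit():
        return int(value)
    try:
        return socket.getservbyname(value)
    except OSError:
        return _SERVICE_PORTS[value.lower()]


@dataclass(frozen=True)
class PortForward:
    list_name: str      # port-forward list the entry belongs to
    local_port: int     # listener the applet opens on the user's machine
    remote_host: str    # host the ASA connects to on the user's behalf
    remote_port: int


def parse_port_forward(line: str) -> PortForward:
    """Parse 'port-forward <list> <local-port> <remote-host> <remote-port>'.
    A leading 'SSLVPN(config-webvpn)# ' prompt, if present, is dropped."""
    cmd = line.split("# ", 1)[-1].strip()
    parts = cmd.split()
    if len(parts) != 5 or parts[0] != "port-forward":
        raise ValueError(f"not a port-forward entry: {line!r}")
    _, name, lport, rhost, rport = parts
    return PortForward(name, service_to_port(lport), rhost, service_to_port(rport))


def listener_table(lines: Iterable[str]) -> Dict[int, Tuple[str, int]]:
    """local listener port -> (remote host, remote port), as the applet maps it."""
    return {pf.local_port: (pf.remote_host, pf.remote_port)
            for pf in map(parse_port_forward, lines)}


def check_entries(lines: Iterable[str]) -> List[str]:
    """Warnings for a list: a local port used twice (the second listener can
    never bind) and local ports below 1024 (privileged on non-Windows clients)."""
    warnings: List[str] = []
    seen = set()
    for pf in map(parse_port_forward, lines):
        if pf.local_port in seen:
            warnings.append(f"{pf.list_name}: local port {pf.local_port} used twice")
        seen.add(pf.local_port)
        if pf.local_port < 1024:
            warnings.append(
                f"{pf.list_name}: local port {pf.local_port} is privileged on non-Windows clients")
    return warnings


if __name__ == "__main__":
    for lport, (host, rport) in listener_table(PAGE_ENTRIES).items():
        print(f"localhost:{lport} -> {host}:{rport}")
    for w in check_entries(PAGE_ENTRIES):
        print("warning:", w)
```

With the entries from this post the script resolves ssh to port 22 and warns that SSH_DEBIAN uses local port 30, which a Linux or Mac user would not be able to open without elevated rights.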
Clients need to be assigned IP addresses:

SSLVPN(config)# ip local pool SSLClient 10.0.0.1-10.0.0.6 mask 255.255.255.248
Two group policies are created that define the parameters applied to the clients. SSLVPN allows only clientless access and port forwarding, while SSLCLient allows connecting through AnyConnect:

SSLVPN(config)# group-policy SSLVPN internal
SSLVPN(config)# group-policy SSLVPN attributes
SSLVPN(config-group-policy)# vpn-tunnel-protocol webvpn
SSLVPN(config-group-policy)# webvpn
SSLVPN(config-group-webvpn)# port-forward auto-start SSH_DEBIAN
SSLVPN(config-group-webvpn)# port-forward auto-start RDP_WINDOWS
SSLVPN(config-group-webvpn)# file-entry enable
SSLVPN(config-group-webvpn)# file-browsing enable
SSLVPN(config-group-webvpn)# url-entry enable
SSLVPN(config)# group-policy SSLCLient internal
SSLVPN(config)# group-policy SSLCLient attributes
SSLVPN(config-group-policy)# dns-server value 8.8.8.8
SSLVPN(config-group-policy)# vpn-tunnel-protocol svc webvpn
SSLVPN(config-group-policy)# address-pools value SSLClient
SSLVPN(config-group-policy)# webvpn
SSLVPN(config-group-webvpn)# svc ask enable default svc timeout 20
SSLVPN(config-group-webvpn)# svc keep-installer none
Two tunnel-groups are created to define the SSL VPN connection parameters; each one points at its group policy with default-group-policy and gets an alias that appears in the login page's group list:

SSLVPN(config)# tunnel-group SSLVPN type remote-access
SSLVPN(config)# tunnel-group SSLVPN general-attributes
SSLVPN(config-tunnel-general)# default-group-policy SSLVPN
SSLVPN(config-tunnel-general)# exit
SSLVPN(config)# tunnel-group SSLVPN webvpn-attributes
SSLVPN(config-tunnel-webvpn)# group-alias SSLVPN enable
SSLVPN(config-tunnel-webvpn)# exit
SSLVPN(config)# tunnel-group SSLClient type remote-access
SSLVPN(config)# tunnel-group SSLClient general-attributes
SSLVPN(config-tunnel-general)# default-group-policy SSLCLient
SSLVPN(config-tunnel-general)# exit
SSLVPN(config)# tunnel-group SSLClient webvpn-attributes
SSLVPN(config-tunnel-webvpn)# group-alias SSLClient enable
sysopt is used to let VPN clients bypass the access lists defined on the outside interface:

SSLVPN(config)# sysopt connection permit-vpn
A user is created for WebVPN access:

SSLVPN(config)# username ionel3 password ionel3 privilege 0
SSLVPN(config)# username ionel3 attributes
SSLVPN(config-username)# service-type remote-access
Internet access goes through the VPN. The servers in the DMZ can also be reached; NAT is exempted in both directions, with no_nat_dmz on the dmz interface and no_nat_internal_lan (whose source is the client pool) on the outside interface:

SSLVPN(config)# access-list no_nat_dmz extended permit ip 172.16.40.24 255.255.255.248 10.0.0.0 255.255.255.248
SSLVPN(config)# nat (dmz) 0 access-list no_nat_dmz
SSLVPN(config)# access-list no_nat_internal_lan extended permit ip 10.0.0.0 255.255.255.248 172.16.40.24 255.255.255.248
SSLVPN(config)# nat (outside) 0 access-list no_nat_internal_lan
Internet access keeps using the client's current gateway, while the servers in the DMZ remain reachable. This is split tunneling:

SSLVPN(config)# group-policy SSLCLient attributes
SSLVPN(config-group-policy)# split-tunnel-policy tunnelspecified
SSLVPN(config-group-policy)# split-tunnel-network-list value no_nat_dmz
SSLVPN(config)# access-list no_nat_dmz extended permit ip 172.16.40.24 255.255.255.248 10.0.0.0 255.255.255.248
SSLVPN(config)# nat (dmz) 0 access-list no_nat_dmz
Internet access, but no access to the DMZ:

SSLVPN(config)# group-policy SSLCLient attributes
SSLVPN(config-group-policy)# split-tunnel-policy tunnelall
SSLVPN(config-group-policy)# exit
SSLVPN(config)# nat (outside) 1 10.0.0.0 255.255.255.248
SSLVPN(config)# same-security-traffic permit intra-interface
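The split-tunnel and tunnelall variants above differ in two decisions: the client decides, from the split-tunnel policy, whether a packet enters the tunnel at all, and the ASA then decides, from the nat 0 exemption ACL and the outside PAT rule, how a tunneled packet leaving on the outside interface is treated. The following Python model is an added example, not part of the original post or of any Cisco software; it uses the addresses from this post and two facts about ASA semantics: in a split-tunnel-network-list ACL the source of each entry is the network the client reaches through the tunnel, and Internet traffic that enters and leaves on outside needs same-security-traffic permit intra-interface. The sample client address and destinations are constructed.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

Net = ipaddress.IPv4Network
ACE = Tuple[Net, Net]  # (source network, destination network) of one ACL entry

CLIENT_POOL = ipaddress.ip_network("10.0.0.0/29")   # ip local pool SSLClient
DMZ = ipaddress.ip_network("172.16.40.24/29")       # DMZ subnet from this post

# access-list no_nat_dmz: permit ip <DMZ> <client pool>
NO_NAT_DMZ: List[ACE] = [(DMZ, CLIENT_POOL)]
# access-list no_nat_internal_lan: permit ip <client pool> <DMZ>
NO_NAT_INTERNAL_LAN: List[ACE] = [(CLIENT_POOL, DMZ)]


def split_tunnel_route(policy: str, network_list: Iterable[ACE], dst: str) -> str:
    """Client-side decision: 'tunnel' or 'local'. For tunnelspecified, the
    source networks of the split-tunnel-network-list ACL are the secured routes."""
    addr = ipaddress.ip_address(dst)
    if policy == "tunnelall":
        return "tunnel"
    if policy == "tunnelspecified":
        return "tunnel" if any(addr in src for src, _ in network_list) else "local"
    raise ValueError(f"unsupported split-tunnel-policy {policy!r}")


def asa_translation(src: str, dst: str, exempt_acl: Iterable[ACE],
                    pat_nets: Iterable[Net], hairpin: bool) -> str:
    """ASA-side decision for a tunneled packet arriving on 'outside'.
    exempt_acl: entries of the nat (outside) 0 access-list;
    pat_nets:   networks covered by nat (outside) 1 (PAT to the outside address);
    hairpin:    whether same-security-traffic permit intra-interface is configured."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in a and d in b for a, b in exempt_acl):
        return "identity (nat 0 exemption)"
    if d in DMZ:
        return "no NAT rule matched for dmz egress"
    if any(s in n for n in pat_nets):
        # Internet-bound traffic enters and leaves on 'outside'; without the
        # hairpin permit the ASA drops it even though the PAT rule matches.
        return "PAT to outside address" if hairpin else "dropped: intra-interface traffic not permitted"
    return "no translation rule matched"


def describe(policy: str, network_list: Iterable[ACE], exempt_acl: Iterable[ACE],
             pat_nets: Iterable[Net], hairpin: bool, client: str = "10.0.0.2",
             dests: Tuple[str, ...] = ("172.16.40.27", "8.8.8.8")) -> Dict[str, str]:
    """Per destination: 'local gateway' or 'tunnel -> <ASA translation>'."""
    network_list, exempt_acl, pat_nets = list(network_list), list(exempt_acl), list(pat_nets)
    result = {}
    for dst in dests:
        if split_tunnel_route(policy, network_list, dst) == "local":
            result[dst] = "local gateway"
        else:
            result[dst] = "tunnel -> " + asa_translation(client, dst, exempt_acl, pat_nets, hairpin)
    return result


if __name__ == "__main__":
    # split tunneling: only the DMZ goes through the tunnel, Internet stays local
    print(describe("tunnelspecified", NO_NAT_DMZ, NO_NAT_INTERNAL_LAN, [], False))
    # tunnelall: everything is tunneled, Internet is hairpinned back out of outside
    print(describe("tunnelall", [], [], [CLIENT_POOL], True))
    # tunnelall without the intra-interface permit: Internet traffic is dropped
    print(describe("tunnelall", [], [], [CLIENT_POOL], False))
```

The third call shows why the tunnelall variant above pairs nat (outside) 1 with same-security-traffic permit intra-interface: the PAT rule alone is not enough for traffic that arrives on outside and must leave on outside.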