03. Configuring ASA for WebVPN

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—4-1 SNPA v5.0—13-1

Upload: quangfet, posted on 12-Jan-2016

Page 1: 03. Configuring ASA for WebVPN

Page 2: 03. Configuring ASA for WebVPN


Outline

WebVPN Feature Overview

WebVPN End-User Interface

Configure WebVPN General Parameters

Configure WebVPN Policies

Configure WebVPN Tunnel Groups

Configure WebVPN Servers and URLs

Configure WebVPN Email Proxy

Configure WebVPN Content Filters and ACLs

Summary

Page 3: 03. Configuring ASA for WebVPN


WebVPN Feature Overview

Page 4: 03. Configuring ASA for WebVPN


WebVPN Overview

• WebVPN (SSL VPN) complements IPsec-based remote access by allowing secure remote access to corporate network resources without the use of Cisco VPN Client software.

Page 5: 03. Configuring ASA for WebVPN


WebVPN Features

Access to internal websites (HTTP/HTTPS), including filtering

Access to internal Windows (CIFS) file shares

TCP port forwarding for legacy application support

Access to e-mail via POP, SMTP, and IMAP4 over SSL

[Figure: WebVPN tunnels from remote users reaching the Corporate Network through a Broadband Provider, an ISP, and a Wireless Provider]

Page 6: 03. Configuring ASA for WebVPN

WebVPN Security Precautions

• Configure group policies for only those users who need WebVPN access.

• Limit or disable Internet access for WebVPN users.

• Educate users about potential SSL problems.

[Figure: the same provider topology as the previous slide, with the WebVPN user's direct Internet connection marked with an X (blocked)]

Page 7: 03. Configuring ASA for WebVPN

WebVPN and IPsec Comparison

WebVPN:

– Uses a standard web browser to access the corporate network.

– SSL encryption native to the browser provides transport security.

– Applications are accessed through the browser portal.

– Limited client/server applications are accessed using applets.

IPsec VPN:

– Uses purpose-built client software for network access.

– The client provides encryption and desktop security.

– The client establishes a seamless connection to the network.

– All applications are accessible through their native interface.

Page 8: 03. Configuring ASA for WebVPN


WebVPN End-User Interface

Page 9: 03. Configuring ASA for WebVPN

Home Page

• The home page is the customized access point for the end user.

Toolbar buttons: Help, Show Toolbar, Home, Logout

Page 10: 03. Configuring ASA for WebVPN


Website Access and Browsing Files

Page 11: 03. Configuring ASA for WebVPN


Port Forwarding

The window shows the interface to configure port forwarding.

Page 12: 03. Configuring ASA for WebVPN


Configure WebVPN General Parameters

Page 13: 03. Configuring ASA for WebVPN

Enabling the HTTP Server

ciscoasa(config)#

http server enable

Enables the HTTP server for WebVPN.

asa1(config)# http server enable

• The HTTP server must be enabled.

• ASDM and WebVPN cannot run on the same port.

Page 14: 03. Configuring ASA for WebVPN

WebVPN Subcommand Mode

• The WebVPN subcommand mode configures general WebVPN parameters and the look and feel of the end-user interface.

asa1(config)# webvpn

asa1(config-webvpn)#

The following items can be configured:

– apcf

– authorization-dn-attributes

– authorization-required

– auto-signon

– cache

– character-encoding

– csd

– customization

– default-idle-timeout

– enable

– file-encoding

– http-proxy

– https-proxy

– java-trustpoint

– memory-size

– port

– port-forward

– proxy-bypass

– rewrite

– sso-server

– svc

– tunnel-group-list

– url-list

Page 15: 03. Configuring ASA for WebVPN

Enabling WebVPN Interfaces

• WebVPN needs to be enabled on each interface that will have WebVPN users.

• ASDM and WebVPN cannot be enabled on the same interface.

ciscoasa(config-webvpn)#

enable ifname

asa1(config)# webvpn

asa1(config-webvpn)# enable outside

Page 16: 03. Configuring ASA for WebVPN

Home Page Look and Feel Configuration

[Figure: portal home page with the configurable elements labelled: Title, Title Bar Color, Logo, Secondary Bar Color, Secondary Text Color]

ciscoasa(config-webvpn)#

title titletext

Specifies the title that WebVPN users should see.

ciscoasa(config-webvpn)#

title-color color

Specifies the title color. Supported formats include HTML color name string, HTML color value, and HTML RGB value.

Page 17: 03. Configuring ASA for WebVPN


Configure WebVPN Policies

Page 18: 03. Configuring ASA for WebVPN

Configure WebVPN Policy Attributes

ciscoasa(config)#

group-policy {name} attributes

Enters the group-policy attributes subcommand mode.

asa1(config)# group-policy WEBVPN1 attributes

ciscoasa(config-group-policy)#

webvpn

Enters the WebVPN group-policy attributes subcommand mode.

asa1(config-group-policy)# webvpn

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to HTTP-Server 10.0.1.10/24 and Console-Server 10.0.1.11/24]

Page 19: 03. Configuring ASA for WebVPN

Enable URL Entry for WebVPN Users

ciscoasa(config-group-webvpn)#

functions {auto-download | citrix | file-access | file-browsing | file-entry | filter | http-proxy | url-entry | mapi | port-forward | none}

Enables file access, entry, browsing, and URL entry for the group.

asa1(config-group-webvpn)# functions url-entry file-access file-entry file-browsing

ciscoasa(config-group-webvpn)#

url-list {value name | none}

Selects predefined URLs that were configured by using the url-list command.

asa1(config-group-webvpn)# url-list value URLs

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to HTTP-Server 10.0.1.10/24 and Console-Server 10.0.1.11/24]

Page 20: 03. Configuring ASA for WebVPN

url-list Command

ciscoasa(config)#

url-list {listname displayname url}

– listname: Defines the name of the URL list

– displayname: Defines the text the users see for the link on their home page

– url: Defines the actual URL that the link accesses

asa1(config)# url-list URLs "Superserver" http://10.0.1.10

asa1(config)# url-list URLs "CIFS Share" cifs://10.0.1.11/training

The list of WebVPN links can point to HTTP, HTTPS, and CIFS servers.

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to Superserver 10.0.1.10/24 and Cisco Training 10.0.1.11/24]

Page 21: 03. Configuring ASA for WebVPN

Example: Servers and URL Configuration

WebVPN client parameters:

– Need to launch the WebVPN interface

– Click on the Superserver or CIFS Share link

Web access security appliance parameters:

– Example: url-list URLs "Superserver" http://10.0.1.10

CIFS access security appliance parameters:

– Example: url-list URLs "CIFS Share" cifs://10.0.1.10/training

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to Superserver 10.0.1.10/24 and Cisco Training 10.0.1.11/24]

Page 22: 03. Configuring ASA for WebVPN

Enable Port Forwarding for WebVPN Users

ciscoasa(config-group-webvpn)#

functions {auto-download | citrix | file-access | file-browsing | file-entry | filter | http-proxy | url-entry | mapi | port-forward | none}

Enables port forwarding for the group.

asa1(config-group-webvpn)# functions port-forward

ciscoasa(config-group-webvpn)#

port-forward {value listname | none}

Selects a predefined port forwarding list configured by using the port-forward global configuration command.

asa1(config-group-webvpn)# port-forward value APPLICATIONS

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to HTTP-Server 10.0.1.10/24 and Console-Server 10.0.1.11/24]

Page 23: 03. Configuring ASA for WebVPN

port-forward Command

ciscoasa(config)#

port-forward {listname localport remoteserver remoteport description}

– listname: Defines the name of the port forwarding list

– localport: Defines the local port for the WebVPN user

– remoteserver: Defines the actual server that the link accesses

– remoteport: Defines the actual port that the link accesses

asa1(config)# port-forward APPLICATIONS 23 10.0.1.10 23 ** Console Server **

[Figure: Remote Client, HTTP-Server 10.0.1.10/24, Console-Server 10.0.1.11/24]

Page 24: 03. Configuring ASA for WebVPN

Port Forwarding Configuration Example: DNS vs. IP Address

WebVPN parameters (IP address):

– Need to launch the port forwarding interface

– Telnet to “127.0.0.1 2222”

Port forwarding security appliance parameters (IP address):

– port-forward list: portlist

– WebVPN user port: 2222

– Remote server: 10.0.1.10

– Actual port: 23

– Example: port-forward portlist 2222 10.0.1.10 23

Port forwarding security appliance parameters (DNS):

– port-forward list: portlist

– WebVPN user port: 2000

– Remote server: Training

– Remote TCP port: 23

– Example: port-forward portlist 2000 Training 23

WebVPN parameters (DNS):

– Need to launch the port forwarding interface

– Telnet to “Training”

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to Superserver 10.0.1.10/24 and Cisco Training 10.0.1.11/24]

Page 25: 03. Configuring ASA for WebVPN


Configure WebVPN Tunnel Groups

Page 26: 03. Configuring ASA for WebVPN

WebVPN Tunnel Groups

ciscoasa(config)#

tunnel-group name type type

– name: Names the tunnel group

– type: Defines the type of VPN connection that is to be established

asa1(config)# tunnel-group AUSTIN-WEBVPN type webvpn

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to HTTP-Server 10.0.1.10/24 and NBNS-Server 10.0.1.15/24]

Page 27: 03. Configuring ASA for WebVPN

NBNS Server Attribute

ciscoasa(config-tunnel-webvpn)#

nbns-server {ipaddr or hostname} [master] [timeout timeout] [retry retries]

Enables NetBIOS name resolution for CIFS file shares.

asa1(config-tunnel-webvpn)# nbns-server 10.0.1.15

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to HTTP-Server 10.0.1.10/24 and NBNS-Server 10.0.1.15/24]

Page 28: 03. Configuring ASA for WebVPN

Authentication Server Attribute

ciscoasa(config-tunnel-general)#

authentication-server-group [(interface_name)] server_group [LOCAL | NONE]

Specifies the authentication server that WebVPN users should use. The authentication server must be previously configured using aaa-server commands.

asa1(config-tunnel-general)# authentication-server-group (inside) AUTHSERVER

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to ACS Server 10.0.1.10/24 and NBNS-Server 10.0.1.15/24]

Page 29: 03. Configuring ASA for WebVPN


Configure WebVPN Servers and URLs

Page 30: 03. Configuring ASA for WebVPN

Enable WebVPN Protocol for Group Policy

ciscoasa(config)#

group-policy {name} attributes

Enters the group-policy attributes subcommand mode.

asa1(config)# group-policy WEBVPN1 attributes

ciscoasa(config-group-policy)#

vpn-tunnel-protocol {webvpn | IPSec}

Enables WebVPN for the group.

asa1(config-group-policy)# vpn-tunnel-protocol webvpn

[Figure: WebVPN tunnel through the Security Appliance to HTTP Server 10.0.1.10/24]

Page 31: 03. Configuring ASA for WebVPN


Configure WebVPN Email Proxy

Page 32: 03. Configuring ASA for WebVPN

Enable E-Mail Proxy for WebVPN Users

ciscoasa(config-group-webvpn)#

functions {auto-download | citrix | file-access | file-browsing | file-entry | filter | http-proxy | url-entry | mapi | port-forward | none}

Enables the MAPI proxy for the group (only necessary if using MAPI).

asa1(config-group-webvpn)# functions mapi

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to Email Server 10.0.1.10/24]

Page 33: 03. Configuring ASA for WebVPN

Defining Proxy Servers

ciscoasa(config)#

pop3s

smtps

imap4s

Enters the appropriate e-mail proxy subcommand mode.

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to E-Mail Server 10.0.1.10/24]

Page 34: 03. Configuring ASA for WebVPN

Defining E-Mail Server and Authentication Server

ciscoasa(config-pop3s)#

server {ipaddr or hostname}

Specifies the default server for use with the e-mail proxy.

asa1(config-pop3s)# server 10.0.1.10

ciscoasa(config-pop3s)#

authentication-server-group [(interface_name)] server_group [LOCAL | NONE]

Specifies the authentication server to use with the e-mail proxy.

asa1(config-pop3s)# authentication-server-group (inside) AUTHSERVER

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to E-Mail Server 10.0.1.10/24]

Page 35: 03. Configuring ASA for WebVPN

Defining Authentication Type

ciscoasa(config-pop3s)#

authentication {aaa | certificate | piggyback}

asa1(config-pop3s)# authentication piggyback

Specifies the authentication method or methods that are used with the e-mail proxy. Options are as follows:

– aaa: Use a previously configured AAA server for authentication

– certificate: Use a certificate for authentication

– piggyback: Requires an established HTTPS WebVPN session

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to E-Mail Server 10.0.1.10/24]

Page 36: 03. Configuring ASA for WebVPN

Example: E-Mail Proxy Configuration

E-mail client parameters:

– Username: Student1

– Password: Student1

– POP address: 192.168.1.5

– POP port: SSL port 995

– SMTP address (auth. req.): 192.168.1.5

– SMTP port: SSL port 988

Security appliance e-mail proxy parameters:

– POP3S ASA port: 995

– POP3S default e-mail server: 10.0.1.10

– POP3S auth. req.: e-mail server, piggyback HTTPS

– SMTPS default e-mail server: 10.0.1.10

– SMTPS ASA port: 988

– SMTPS auth. req.: piggyback HTTPS

E-mail server parameters:

– Username: Student1

– Password: Student1

– POP port: 110

– SMTP port: 25

– SMTP auth.: Required

[Figure: Remote Client 172.26.26.1, WebVPN tunnel through the Security Appliance to E-Mail Server 10.0.1.10/24]

Page 37: 03. Configuring ASA for WebVPN


Configure WebVPN Content Filters and ACLs

Page 38: 03. Configuring ASA for WebVPN

HTML Content Filtering

ciscoasa(config)#

group-policy {name} attributes

Enters the group-policy attributes subcommand mode.

asa1(config)# group-policy WEBVPN1 attributes

ciscoasa(config-group-policy)#

webvpn

Enters the WebVPN group-policy attributes subcommand mode.

asa1(config-group-policy)# webvpn

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to HTTP Server 10.0.1.10/24]

Page 39: 03. Configuring ASA for WebVPN

HTML Content Filtering (Cont.)

ciscoasa(config-group-webvpn)#

html-content-filter {cookies | images | java | none | scripts}

Configures the content or objects to be filtered from the HTML for this policy. Options are as follows:

– cookies: Removes cookies from images, providing limited ad filtering and privacy

– images: Removes references to images (removes <IMG> tags)

– java: Removes references to Java and ActiveX (removes <EMBED>, <APPLET>, and <OBJECT> tags)

– none: Indicates that there is no filtering; sets a null value, thereby disallowing filtering; prevents inheriting filtering values

– scripts: Removes references to scripting (removes <SCRIPT> tags)

asa1(config-group-webvpn)# html-content-filter cookies images java

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to HTTP Server 10.0.1.10/24]

Page 40: 03. Configuring ASA for WebVPN

WebVPN ACLs

ciscoasa(config)#

access-list id webtype {deny | permit} tcp [host ip_address | ip_address subnet_mask | any] [oper port [port]] [log [[disable | default] | level] [interval secs] [time_range name]]

Configures a web-type ACL to be used for filtering with WebVPN.

asa1(config)# access-list WEBVPNACL webtype permit tcp any eq http

ciscoasa(config-group-webvpn)#

filter {value ACLname | none}

Configures the name of the web-type ACL in the WebVPN group-policy attributes subcommand mode.

asa1(config-group-webvpn)# filter value WEBVPNACL

[Figure: WebVPN tunnel from the Remote Client through the Security Appliance to HTTP Server 10.0.1.10/24]
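The slides show each command on its own; the following consolidated configuration is an added example, not taken from the Cisco deck, that ties them together for the lab topology in the order a practitioner would enter them, with the web-type ACL narrowed from `any` to the internal hosts so that the "limit Internet access" precaution is actually enforced. It assumes the interface names outside and inside, a RADIUS server behind the AUTHSERVER group (its address and key are placeholders), and a few commands the deck does not show (group-policy internal, aaa-server, default-group-policy, the tunnel-group general-attributes and webvpn-attributes sub-modes, and enable under pop3s), each marked as assumed in the comments.

```text
! Added consolidated WebVPN configuration (not from the deck).
! Lines marked "assumed" use commands the slides do not show.

! 1. HTTP server and WebVPN on the user-facing interface only
http server enable
webvpn
 enable outside
 title Corporate WebVPN Portal
 title-color blue
 tunnel-group-list enable

! 2. Bookmark list and port-forwarding list (global configuration)
url-list URLs "Superserver" http://10.0.1.10
url-list URLs "CIFS Share" cifs://10.0.1.11/training
port-forward APPLICATIONS 23 10.0.1.10 23 ** Console Server **

! 3. Web-type ACL: permit only the internal hosts the portal exposes.
!    Everything else hits the implicit deny, which enforces the
!    "limit or disable Internet access" precaution from slide 6.
access-list WEBVPNACL webtype permit tcp host 10.0.1.10 eq http
access-list WEBVPNACL webtype permit tcp host 10.0.1.10 eq 23

! 4. Group policy: WebVPN protocol only, with just the features
!    this group needs (group-policy ... internal is assumed)
group-policy WEBVPN1 internal
group-policy WEBVPN1 attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing port-forward
  url-list value URLs
  port-forward value APPLICATIONS
  html-content-filter java scripts
  filter value WEBVPNACL

! 5. AAA server group used by the tunnel group and the e-mail proxy
!    (aaa-server commands assumed; address and key are placeholders)
aaa-server AUTHSERVER protocol radius
aaa-server AUTHSERVER (inside) host <ACS-SERVER-IP>
 key <RADIUS-SHARED-SECRET>

! 6. Tunnel group binding authentication, NBNS resolution and the
!    policy (general-attributes, webvpn-attributes and
!    default-group-policy are assumed)
tunnel-group AUSTIN-WEBVPN type webvpn
tunnel-group AUSTIN-WEBVPN general-attributes
 authentication-server-group (inside) AUTHSERVER
 default-group-policy WEBVPN1
tunnel-group AUSTIN-WEBVPN webvpn-attributes
 nbns-server 10.0.1.15

! 7. POP3S e-mail proxy tied to the established HTTPS session
!    (enable outside under pop3s is assumed)
pop3s
 enable outside
 server 10.0.1.10
 authentication-server-group (inside) AUTHSERVER
 authentication piggyback
```

Because the ACL is applied with `filter value WEBVPNACL` inside the WebVPN group-policy attributes, a user in this group who types an outside URL into the portal is denied by the implicit deny rather than proxied out to the Internet.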

Page 41: 03. Configuring ASA for WebVPN


Summary

WebVPN lets users establish a secure, remote-access VPN tunnel to a security appliance using a web browser.

WebVPN features include:

– Secure access to internal websites via HTTPS.

– Windows file access, port forwarding, and e-mail proxy are supported.

– HTML content filtering and WebVPN ACLs can be used to restrict WebVPN traffic.

Page 42: 03. Configuring ASA for WebVPN

Lab Visual Objective

[Figure: lab topology: Student PC 172.26.26.P, backbone RBB 172.26.26.0, ASA with the 192.168.P.0 and 10.0.P.0 networks, RTS, and SuperServer]
