A remote client needs only an SSL-capable web browser to reach HTTP- or HTTPS-enabled web servers on the corporate LAN.
Clientless SSL VPN and ASDM both listen on TCP 443 by default, so they cannot be enabled on the same ASA interface unless one of them is moved to another port. The usual arrangement, and the one used in the scenario below, is to keep ASDM on the inside interface and enable WebVPN on the outside interface (here on port 8443).
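The port collision described above is easy to check offline before a config is pushed. The Python script below is an added example (it is not from the original page or from Cisco): it parses the ASDM `http` commands and the global `webvpn` mode out of running-config text and flags interfaces on which both servers would bind the same TCP port. It assumes `show running-config` layout, where sub-mode commands are indented by one space under their parent; the two sample configs are constructed for the example.

```python
import re

DEFAULT_PORT = 443  # both the ASDM HTTPS server and clientless SSL VPN default to TCP 443


def parse_listeners(config):
    """Return {'asdm': {iface: port}, 'webvpn': {iface: port}} from ASA config text.

    Assumption: 'show running-config' layout, i.e. sub-mode commands are indented
    by one space under their parent.  Only the global 'webvpn' mode (column 0)
    carries 'port' and 'enable <iface>'; the 'webvpn' sub-mode under a group-policy
    is ignored.
    """
    asdm_enabled = False
    asdm_port = DEFAULT_PORT
    asdm_ifaces = set()
    webvpn_port = DEFAULT_PORT
    webvpn_ifaces = set()
    in_webvpn = False

    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented = raw.startswith(" ")
        cmd = raw.strip()
        if not indented:
            in_webvpn = cmd == "webvpn"
            m = re.fullmatch(r"http server enable(?: (\d+))?", cmd)
            if m:
                asdm_enabled = True
                asdm_port = int(m.group(1) or DEFAULT_PORT)
            # 'http <addr> <mask> <iface>' permits ASDM clients on <iface>; skip the
            # other 'http' subcommands (server/redirect/authentication-certificate).
            m = re.fullmatch(r"http (?!server|redirect|authentication-certificate)\S+ \S+ (\S+)", cmd)
            if m:
                asdm_ifaces.add(m.group(1))
        elif in_webvpn:
            m = re.fullmatch(r"port (\d+)", cmd)
            if m:
                webvpn_port = int(m.group(1))
            m = re.fullmatch(r"enable (\S+)", cmd)
            if m:
                webvpn_ifaces.add(m.group(1))

    return {
        "asdm": {i: asdm_port for i in asdm_ifaces} if asdm_enabled else {},
        "webvpn": {i: webvpn_port for i in webvpn_ifaces},
    }


def listener_conflicts(config):
    """Interfaces where ASDM and clientless SSL VPN would both bind the same TCP port."""
    listeners = parse_listeners(config)
    return sorted(i for i, p in listeners["asdm"].items() if listeners["webvpn"].get(i) == p)


# Constructed sample: ASDM and WebVPN both left on the default port, both on outside.
CONFLICTING = """\
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.20.1.0 255.255.255.0 outside
webvpn
 enable outside
 tunnel-group-list enable
group-policy WEBVPN attributes
 webvpn
  url-entry enable
"""

# Constructed sample matching this page's scenario: ASDM reachable from inside only,
# WebVPN moved to 8443 on outside.
SEPARATED = """\
http server enable
http 192.168.1.0 255.255.255.0 inside
webvpn
 port 8443
 enable outside
 tunnel-group-list enable
"""

if __name__ == "__main__":
    for name, cfg in (("conflicting", CONFLICTING), ("separated", SEPARATED)):
        print(name, parse_listeners(cfg), "conflicts:", listener_conflicts(cfg))
```

The first sample reports a conflict on outside; the second, which is the arrangement this page uses, reports none. Moving either server to a different port (as the `port 8443` line does) or keeping ASDM on the inside interface clears the check.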
Clientless SSL VPN provides secure and easy access to a broad range of web resources and web-enabled applications from almost any computer on the Internet. These include:
• Internal websites
• Web-enabled applications
• NT/Active Directory file shares
• E-mail proxies, including POP3S, IMAP4S, and SMTPS
• MS Outlook Web Access
• Application Access (that is, smart tunnel or port forwarding access to other TCP-based applications)
The user connects to the ASA firewall over HTTPS and logs in with a username and password. The firewall presents a customizable portal page that emulates a browser, complete with a URL address bar. The user may enter URLs for company resources; the firewall resolves them through its configured DNS server group, fetches the pages and relays them to the user. Optionally, the firewall can apply a URL filter (a webtype ACL) to restrict which corporate resources are reachable, or disable URL entry altogether and present only a list of static bookmarks.
WebVPN port forwarding works by downloading a Java applet to the client; the applet listens on local TCP ports and relays those connections through the SSL session to the configured internal hosts.
A browser plug-in is a separate program that a web browser invokes to perform a dedicated function, such as connecting a client to a server within the browser window. The adaptive security appliance lets you import plug-ins for download to remote browsers in clientless SSL VPN sessions.
Cisco redistributes the following open-source, Java-based components to be accessed as plug-ins for web browsers in clientless SSL VPN sessions:
- Citrix Client (ica)
- Terminal Servers (rdp)
- Terminal Servers Vista (rdp2)
- SSH
- Telnet
- VNC
Scenario:
Enable WebVPN on the outside interface, on TCP 8443 so it does not collide with ASDM on 443 (tunnel-group-list enable shows the group-alias drop-down on the login page):
webvpn
 port 8443
 enable outside
 tunnel-group-list enable
Define a DNS server group; the portal uses it to resolve the URLs users enter:
dns domain-lookup outside
dns server-group DNS
 name-server 8.8.8.8
Define a webtype ACL and a group policy for clientless connections:
access-list WEBACCESS webtype permit url http://*.com
group-policy WEBVPN internal
group-policy WEBVPN attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  filter value WEBACCESS
  url-entry enable
Note that a webtype ACL ends in an implicit deny: with this single entry only plain-HTTP URLs on .com hosts are reachable through the portal, and HTTPS sites and other domains are blocked until entries are added for them.
Define a connection profile (tunnel-group) for WebVPN users, and a local user locked to that profile:
tunnel-group WEBVPN type remote-access
tunnel-group WEBVPN general-attributes
 default-group-policy WEBVPN
tunnel-group WEBVPN webvpn-attributes
 group-alias WEBVPN enable
 dns-group DNS
username ClientlessUser password CISCO
username ClientlessUser attributes
 group-lock value WEBVPN
Import the application plug-ins (SSH/Telnet and VNC) from a TFTP server; this is an exec-mode command, not part of the running configuration:
ciscoasa# import webvpn plug-in protocol ssh,telnet tftp://172.20.1.6/ssh-plugin.jar
ciscoasa# import webvpn plug-in protocol vnc tftp://172.20.1.6/vnc-plugin.jar
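The URL filter mentioned in the portal description above is the webtype ACL that the scenario attaches with filter value WEBACCESS. The Python below is an added example, not code from this page or from Cisco: it reads webtype url entries out of config text and evaluates URLs against them with first-match, implicit-deny semantics, modeling the documented `*` and `?` wildcards with fnmatch against the whole URL string (that whole-string, case-sensitive matching is the model's assumption, to be confirmed on the appliance). The ACL fragment and sample URLs are constructed for the example; its second ACL line is the page's own entry, the others are added to show ordering and the HTTPS gap.

```python
import re
from fnmatch import fnmatchcase

# Constructed ASA config fragment.  Line 2 is the scenario's own entry; the others
# are added here to illustrate entry ordering and how to cover paths and HTTPS.
ACL_CONFIG = """\
access-list WEBACCESS webtype deny url http://payroll.example.com/*
access-list WEBACCESS webtype permit url http://*.com
access-list WEBACCESS webtype permit url http://*.com/*
access-list WEBACCESS webtype permit url https://*.com/*
"""

ACE_RE = re.compile(r"access-list (\S+) webtype (permit|deny) url (\S+)")


def parse_webtype_acl(config, name):
    """Return the ordered (action, url_pattern) entries of webtype ACL `name`.

    Only 'url' entries are modeled; 'tcp' entries and trailing keywords such as
    'log' are ignored (assumption of this example).
    """
    entries = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            entries.append((m.group(2), m.group(3)))
    return entries


def webtype_permits(entries, url):
    """Evaluate a URL the way an ordered ACL is evaluated: the first matching entry
    decides, and a URL that matches no entry is denied (implicit deny).

    Wildcards follow the documented webtype rules, modeled with fnmatch:
    '*' any run of characters (including none), '?' one character, [..] a class.
    The pattern is matched against the whole URL, case-sensitively (model assumption).
    """
    for action, pattern in entries:
        if fnmatchcase(url, pattern):
            return action == "permit"
    return False


def audit(entries, urls):
    """Map each URL to 'permit' or 'deny' under the given ACL entries."""
    return {u: ("permit" if webtype_permits(entries, u) else "deny") for u in urls}


# Constructed URLs a portal user might type.
SAMPLE_URLS = [
    "http://intranet.example.com",
    "http://intranet.example.com/index.html",
    "https://intranet.example.com/",
    "http://wiki.example.net/",
    "http://payroll.example.com/reports",
]

if __name__ == "__main__":
    extended = parse_webtype_acl(ACL_CONFIG, "WEBACCESS")
    page_only = [("permit", "http://*.com")]  # the scenario's single entry
    for url in SAMPLE_URLS:
        print(f"{url:42} page-only={audit(page_only, [url])[url]:6} extended={audit(extended, [url])[url]}")
```

With the page's single entry, only a bare `http://host.com` URL is permitted; the HTTPS and .net URLs fall through to the implicit deny, and under this glob model a URL with a path does too, which is why the extended ACL adds `/*` forms. Putting the deny for payroll first shows why entry order matters: the same URL would be permitted by the broader `http://*.com/*` entry if the deny came after it.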
Verification:
- From the client, browse to https://172.20.1.10:8443 (the outside interface, on the WebVPN port configured above) and log in through the portal.
- On the ASA, list the active clientless sessions:
ciscoasa# show vpn-sessiondb webvpn
Session Type: WebVPN
Username : WEBVPN Index : 6
Public IP : 172.20.1.6
Protocol : Clientless
Encryption : RC4 Hashing : SHA1
Bytes Tx : 2576 Bytes Rx : 19408
Group Policy : WEBVPN Tunnel Group : WEBVPN
Login Time : 14:40:29 UTC Sun Apr 28 2013
Duration : 0h:02m:39s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
The Encryption and Hashing fields show the TLS cipher the session negotiated. RC4 with SHA1, as seen here, is a deprecated cipher; on a production appliance restrict the SSL cipher list to AES suites (ssl encryption on older releases, ssl cipher on 9.3 and later) and confirm the change in this output.