Chapter 15. SSL VPNs with Cisco ASA
© 2012 Cisco and/or its affiliates. All rights reserved.
1
Contents
This chapter prepares you to meet these objectives:
• Describe the use cases and operational requirements of Cisco SSL VPNs
• Describe the protocol framework for SSL and TLS
• Describe a configuration that is based on SSL VPN deployment options and other design considerations
• Describe the steps to configure Cisco VPN clientless mode on Cisco ASA and demonstrate the configuration on Cisco ASDM
• Describe the steps to configure Cisco full-tunnel mode on Cisco ASA and demonstrate the configuration on Cisco ASDM using the Cisco AnyConnect VPN Client
SSL VPNs in Borderless Networks
• Remote-access and mobility services have gone through drastic changes in the past few years.
• There are three market transitions driving the network architectures of the future:
– Mobility
– Video
– IT Consumerization
Cisco SSL VPN
• The Cisco SSL VPN technology provides remote-access connectivity from almost any Internet-enabled location with a web browser and its native SSL encryption.
• Cisco SSL VPN provides the flexibility to support secure access for all users, regardless of the endpoint host from which they establish a connection.
• If application access requirements are modest, SSL VPN does not require a software client to be preinstalled on the endpoint host.
• This ability enables companies to extend their secure enterprise networks to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location.
• Cisco SSL VPN currently delivers three modes of Cisco SSL VPN access: clientless, thin client, and full client.
Clientless SSL VPN Versus IPsec VPN
SSL and TLS Protocol Framework
• SSL and TLS provide confidentiality, integrity, and authentication services to the applications that use them.
• SSL is used to encrypt and authenticate the session layer and above.
• As such, it encrypts more than just HTTP (called HTTPS); it can also encrypt FTP (thus FTPS), POP (for POPS), LDAP (for LDAPS), wireless security (EAP-TLS), and others.
SSL/TLS Encapsulation
SSL and TLS
SSL Cryptography
SSL Tunnel Establishment
SSL Tunnel Establishment Example
Example of an HTTPS Session
• Steps A to I illustrate steps between the Blue Bank server and VeriSign.
• Steps 1 to 11 illustrate steps between the HTTPS client and the Blue Bank server.
Cisco SSL VPN Deployment Options and Considerations
Scenario for the following three types of SSL access
• Clientless
• Thin Client
• SSL VPN Client
Two Main SSL Deployment Modes
Cisco SSL VPN Client: Full Network Access
• The following are among the many features of the Cisco AnyConnect VPN client:
– Optimal gateway selection
– Mobility-friendly
– Broad operating system support
– Wide range of deployment and connection options
– Ease of client administration
– Preconnection posture assessment (Premium license required)
– Client firewall policy
SSL VPN on Cisco ASA in Clientless Mode
• Task 1. Launch the Clientless SSL VPN Wizard from ASDM.
• Task 2. Configure the SSL VPN interface.
• Task 3. Configure user authentication.
• Task 4. Configure user group policy.
• Task 5. Configure a bookmark list.
• Task 6. Verify the Clientless SSL VPN Wizard configuration.
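The six wizard tasks map onto a small set of objects in the ASA running configuration. The following is an added example, not taken from the course slides, of the CLI equivalent the wizard produces; the interface name outside, the object names CLIENTLESS-POLICY, CLIENTLESS-TG and BOOKMARKS, and the local account vpnuser are assumed values. The bookmark list of Task 5 is authored in ASDM as a url-list object and is only referenced by name here.

```cisco
! Task 2: enable the clientless SSL VPN portal on the Internet-facing
! interface (interface name "outside" is assumed) and let users choose
! a connection profile alias on the login page
webvpn
 enable outside
 tunnel-group-list enable
!
! Task 4: group policy that allows clientless access only, so a user in
! this policy cannot negotiate a full-tunnel (AnyConnect) session
group-policy CLIENTLESS-POLICY internal
group-policy CLIENTLESS-POLICY attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value BOOKMARKS
!
! Task 3: connection profile (tunnel group) authenticating against the
! local user database; the alias is what users see on the portal login
tunnel-group CLIENTLESS-TG type remote-access
tunnel-group CLIENTLESS-TG general-attributes
 default-group-policy CLIENTLESS-POLICY
 authentication-server-group LOCAL
tunnel-group CLIENTLESS-TG webvpn-attributes
 group-alias clientless enable
!
! Task 3 (continued): a local account bound to the clientless policy
! (account name is assumed; <password> is a placeholder)
username vpnuser password <password>
username vpnuser attributes
 vpn-group-policy CLIENTLESS-POLICY
!
! Task 6: verification commands to confirm the portal is enabled and to
! watch active clientless sessions once a user has logged in
! show running-config webvpn
! show vpn-sessiondb webvpn
```

Restricting vpn-tunnel-protocol to ssl-clientless is the line worth checking after the wizard runs: if it also lists ssl-client, the policy quietly permits full network access as well.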
Clientless Configuration Scenario
Clientless SSL VPN Configuration Topology
Task 1: Launch the Clientless SSL VPN Wizard from ASDM
Wizards > VPN Wizards > Clientless SSL VPN Wizard
Task 2: Configure the SSL VPN Interface
Task 3: Configure User Authentication
Task 4: Configure User Group Policy
Task 5: Configure a Bookmark List
Creating a Bookmark List
Task 6: Verify the Clientless SSL VPN Wizard Configuration