© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0 4-1 / SNPA v5.0 13-1
• Configuring ASA for WebVPN
Outline
WebVPN Feature Overview
WebVPN End-User Interface
Configure WebVPN General Parameters
Configure WebVPN Policies
Configure WebVPN Tunnel Groups
Configure WebVPN Servers and URLs
Configure WebVPN Email Proxy
Configure WebVPN Content Filters and ACLs
Summary
WebVPN Feature Overview
WebVPN Overview
• WebVPN (SSL VPN) complements IPsec-based remote access by allowing secure remote access to corporate network resources without the use of Cisco VPN Client software.
WebVPN Features
Access to internal websites (HTTP/HTTPS), including filtering
Access to internal Windows (CIFS) file shares
TCP port forwarding for legacy application support
Access to e-mail via POP, SMTP, and IMAP4 over SSL
WebVPN Security Precautions
• Configure group policies for only those users who need WebVPN access.
• Limit or disable Internet access for WebVPN users; use the functions and filter group-policy attributes so that the portal reaches only the internal resources it publishes.
• Educate users about potential SSL problems, for example browser certificate warnings when the appliance still uses its self-signed certificate.
WebVPN and IPsec Comparison

WebVPN                                                              | IPsec VPN
--------------------------------------------------------------------|------------------------------------------------------------------
Uses a standard web browser to access the corporate network.        | Uses purpose-built client software for network access.
SSL encryption native to the browser provides transport security.   | The client provides encryption and desktop security.
Applications are accessed through the browser portal.               | The client establishes a seamless connection to the network.
Limited client/server applications are accessed using applets.      | All applications are accessible through their native interface.
WebVPN End-User Interface
Home Page
• The home page is the customized access point for the end user.
Toolbar buttons: Help, Show Toolbar, Home, Logout
Website Access and Browsing Files
Port Forwarding
The window shows the interface to configure port forwarding.
Configure WebVPN General Parameters
Enabling the HTTP Server

ciscoasa(config)#
http server enable

asa1(config)# http server enable

Enables the HTTP server that WebVPN (and ASDM) use. The HTTP server must be enabled before WebVPN can be enabled on an interface.
ASDM and WebVPN cannot listen on the same interface and port. If both are needed on one interface, move WebVPN to a different port with the port subcommand in webvpn mode.
WebVPN Subcommand Mode

• The webvpn subcommand mode configures general WebVPN parameters and the look and feel of the end-user interface.

asa1(config)# webvpn
asa1(config-webvpn)#

The following items can be configured in this mode:
apcf
authorization-dn-attributes
authorization-required
auto-signon
cache
character-encoding
csd
customization
default-idle-timeout
enable
file-encoding
http-proxy
https-proxy
java-trustpoint
memory-size
port
port-forward
proxy-bypass
rewrite
sso-server
svc
tunnel-group-list
url-list
Enabling WebVPN Interfaces

WebVPN must be enabled on each interface that will serve WebVPN users; normally this is only the outside interface.
ASDM and WebVPN cannot be enabled on the same interface unless they use different ports.

ciscoasa(config-webvpn)#
enable ifname

asa1(config)# webvpn
asa1(config-webvpn)# enable outside
Home Page Look and Feel Configuration

Configurable items: title, title bar color, logo, secondary bar color, secondary text color.

ciscoasa(config-webvpn)#
title titletext

Specifies the title that WebVPN users see on the home page.

ciscoasa(config-webvpn)#
title-color color

Specifies the title bar color. Supported formats are an HTML color name, an HTML color value, and an HTML RGB value.
Configure WebVPN Policies
Configure WebVPN Policy Attributes

ciscoasa(config)#
group-policy {name} attributes

asa1(config)# group-policy WEBVPN1 attributes

Enters the group-policy attributes subcommand mode

ciscoasa(config-group-policy)#
webvpn

asa1(config-group-policy)# webvpn

Enters the WebVPN group-policy attributes subcommand mode

(Topology used in the examples that follow: remote client, security appliance, HTTP server at 10.0.1.10/24 and console server at 10.0.1.11/24, reached over the WebVPN tunnel.)
Enable URL Entry for WebVPN Users

ciscoasa(config-group-webvpn)#
functions {auto-download | citrix | file-access | file-browsing | file-entry | filter | http-proxy | url-entry | mapi | port-forward | none}

asa1(config-group-webvpn)# functions url-entry file-access file-entry file-browsing

Enables URL entry, file access, file entry, and file browsing for the group

ciscoasa(config-group-webvpn)#
url-list {value name | none}

asa1(config-group-webvpn)# url-list value URLs

Selects a predefined URL list that was configured with the global url-list command
url-list Command

ciscoasa(config)#
url-list {listname displayname url}

asa1(config)# url-list URLs "Superserver" http://10.0.1.10
asa1(config)# url-list URLs "CIFS Share" cifs://10.0.1.11/training

listname: defines the name of the URL list
displayname: defines the text that users see for the link on their home page
url: defines the actual URL that the link accesses

A WebVPN link list can point to HTTP, HTTPS, and CIFS servers.
Example: Servers and URL Configuration

WebVPN client parameters:
– Launch the WebVPN interface
– Click the Superserver or CIFS Share link

Web access security appliance parameters:
– Example: url-list URLs "Superserver" http://10.0.1.10

CIFS access security appliance parameters:
– Example: url-list URLs "CIFS Share" cifs://10.0.1.11/training

(Superserver is at 10.0.1.10/24 and the Cisco Training share at 10.0.1.11/24.)
Enable Port Forwarding for WebVPN Users

ciscoasa(config-group-webvpn)#
functions {auto-download | citrix | file-access | file-browsing | file-entry | filter | http-proxy | url-entry | mapi | port-forward | none}

asa1(config-group-webvpn)# functions port-forward

Enables port forwarding for the group

ciscoasa(config-group-webvpn)#
port-forward {value listname | none}

asa1(config-group-webvpn)# port-forward value APPLICATIONS

Selects a predefined port-forwarding list configured with the port-forward global configuration command
port-forward Command

ciscoasa(config)#
port-forward {listname localport remoteserver remoteport description}

asa1(config)# port-forward APPLICATIONS 23 10.0.1.10 23 ** Console Server **

listname: defines the name of the port-forwarding list
localport: defines the local TCP port that the WebVPN user's client application connects to
remoteserver: defines the actual server that the forwarded connection reaches
remoteport: defines the actual TCP port on that server
description: the text shown to the user in the port-forwarding window
Port Forwarding Configuration Example: DNS vs. IP Address

Port forwarding by IP address
Security appliance parameters:
– port-forward list: portlist
– WebVPN user port: 2222
– Remote server: 10.0.1.10
– Remote TCP port: 23
– Example: port-forward portlist 2222 10.0.1.10 23 Console
WebVPN client parameters:
– Launch the port-forwarding interface
– Telnet to 127.0.0.1 2222

Port forwarding by DNS name
Security appliance parameters:
– port-forward list: portlist
– WebVPN user port: 2000
– Remote server: Training
– Remote TCP port: 23
– Example: port-forward portlist 2000 Training 23 Console
WebVPN client parameters:
– Launch the port-forwarding interface
– Telnet to Training 2000 (the name resolves to a loopback address that the applet listens on)

When a DNS name is used, the port-forwarding applet maps that name to a loopback address in the client's local hosts file for the life of the session, so the user needs privileges to modify the hosts file on the client PC.
Configure WebVPN Tunnel Groups
WebVPN Tunnel Groups

ciscoasa(config)#
tunnel-group name type type

asa1(config)# tunnel-group AUSTIN-WEBVPN type webvpn

name: names the tunnel group
type: defines the type of VPN connection to be established (webvpn for clientless SSL VPN)

(Topology: remote client, security appliance, HTTP server at 10.0.1.10/24, NBNS server at 10.0.1.15/24.)
NBNS Server Attribute

ciscoasa(config-tunnel-webvpn)#
nbns-server {ipaddr | hostname} [master] [timeout timeout] [retry retries]

asa1(config-tunnel-webvpn)# nbns-server 10.0.1.15

Enables NetBIOS name resolution for CIFS file shares; configured under the tunnel-group webvpn-attributes.
Authentication Server Attribute

ciscoasa(config-tunnel-general)#
authentication-server-group [(interface_name)] server_group [LOCAL | NONE]

asa1(config-tunnel-general)# authentication-server-group (inside) AUTHSERVER

Specifies the authentication server group that WebVPN users in this tunnel group are authenticated against; configured under the tunnel-group general-attributes.
The server group must be previously configured with the aaa-server commands. LOCAL falls back to the local user database if the servers in the group are unreachable; NONE disables authentication.
Configure WebVPN Servers and URLs
Enable WebVPN Protocol for Group Policy

ciscoasa(config)#
group-policy {name} attributes

asa1(config)# group-policy WEBVPN1 attributes

Enters the group-policy attributes subcommand mode

ciscoasa(config-group-policy)#
vpn-tunnel-protocol {webvpn | IPSec}

asa1(config-group-policy)# vpn-tunnel-protocol webvpn

Enables WebVPN for the group; listing only webvpn also prevents members of this group from establishing IPsec sessions
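The commands from the preceding slides collected into one working clientless WebVPN configuration. This is an added example and not part of the course material: it assumes an ASA 7.x image, a RADIUS server at 10.0.1.12 with shared secret RadiusSharedSecret (neither appears on the slides), and the group alias AUSTIN; every other name and address comes from the slides.

```cisco
! Added example, not from the course slides.
! Assumed: RADIUS host 10.0.1.12 and key RadiusSharedSecret; alias AUSTIN.

! 1. HTTP server and the WebVPN listener, on the outside interface only
http server enable
webvpn
 enable outside
 title "Corporate WebVPN Portal"
! show the tunnel-group drop-down on the login page so users pick AUSTIN
 tunnel-group-list enable

! 2. Portal links and port-forwarding list (global configuration mode)
url-list URLs "Superserver" http://10.0.1.10
url-list URLs "CIFS Share" cifs://10.0.1.11/training
port-forward APPLICATIONS 2222 10.0.1.10 23 "Console Server"

! 3. AAA server group that authenticates WebVPN users (assumed host and key)
aaa-server AUTHSERVER protocol radius
aaa-server AUTHSERVER (inside) host 10.0.1.12
 key RadiusSharedSecret

! 4. Group policy: WebVPN only, and only the portal functions this group needs
group-policy WEBVPN1 internal
group-policy WEBVPN1 attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing port-forward
  url-list value URLs
  port-forward value APPLICATIONS

! 5. Tunnel group ties the AAA server, the group policy and NBNS together
tunnel-group AUSTIN-WEBVPN type webvpn
tunnel-group AUSTIN-WEBVPN general-attributes
 authentication-server-group (inside) AUTHSERVER
 default-group-policy WEBVPN1
tunnel-group AUSTIN-WEBVPN webvpn-attributes
 nbns-server 10.0.1.15
 group-alias AUSTIN enable
```

After applying it, show running-config webvpn and show running-config group-policy WEBVPN1 confirm what the portal exposes; a user who logs in to https://<outside-address>/ selecting the AUSTIN alias sees the two links and, after launching port forwarding, can Telnet to 127.0.0.1 2222 to reach 10.0.1.10 port 23. Because vpn-tunnel-protocol lists only webvpn, an IPsec client presenting AUSTIN-WEBVPN credentials is refused, which is the least-privilege outcome the security precautions slide asks for.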
Configure WebVPN Email Proxy
Enable E-Mail Proxy for WebVPN Users

ciscoasa(config-group-webvpn)#
functions {auto-download | citrix | file-access | file-browsing | file-entry | filter | http-proxy | url-entry | mapi | port-forward | none}

asa1(config-group-webvpn)# functions mapi

Enables the MAPI proxy for the group. This is needed only for Outlook/Exchange MAPI clients; the POP3S, SMTPS, and IMAP4S proxies on the following slides do not require it.

(Topology: remote client, security appliance, e-mail server at 10.0.1.10/24.)
Defining Proxy Servers

ciscoasa(config)#
pop3s
smtps
imap4s

Enters the corresponding e-mail proxy subcommand mode (config-pop3s, config-smtps, or config-imap4s)
Defining E-Mail Server and Authentication Server

ciscoasa(config-pop3s)#
server {ipaddr | hostname}

asa1(config-pop3s)# server 10.0.1.10

Specifies the default e-mail server for use with the e-mail proxy

ciscoasa(config-pop3s)#
authentication-server-group [(interface_name)] server_group [LOCAL | NONE]

asa1(config-pop3s)# authentication-server-group (inside) AUTHSERVER

Specifies the authentication server group used with the e-mail proxy
Defining Authentication Type

ciscoasa(config-pop3s)#
authentication {aaa | certificate | piggyback}

asa1(config-pop3s)# authentication piggyback

Specifies the authentication method or methods used with the e-mail proxy. Options are as follows:
– aaa: Use the previously configured AAA server group for authentication
– certificate: Use a client certificate for authentication
– piggyback: Requires an established HTTPS WebVPN session; the user must already be logged in to the portal before the mail client can connect through the proxy
Example: E-Mail Proxy Configuration

E-mail client parameters (client at 172.26.26.1):
– Username: Student1
– Password: Student1
– POP address: 192.168.1.5
– POP port: SSL port 995
– SMTP address (authentication required): 192.168.1.5
– SMTP port: SSL port 988

Security appliance e-mail proxy parameters:
– POP3S ASA port: 995
– POP3S default e-mail server: 10.0.1.10
– POP3S authentication required: e-mail server, piggyback HTTPS
– SMTPS ASA port: 988
– SMTPS default e-mail server: 10.0.1.10
– SMTPS authentication required: piggyback HTTPS

E-mail server parameters (10.0.1.10):
– Username: Student1
– Password: Student1
– POP port: 110
– SMTP port: 25
– SMTP authentication: Required

The mail client is pointed at the security appliance (192.168.1.5), not at the mail server. The appliance terminates SSL on ports 995 and 988 and connects to 10.0.1.10 on the clear-text ports 110 and 25 on the user's behalf.
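The e-mail proxy parameters above expressed as appliance configuration. This is an added example, not taken from the slides; it assumes the proxies listen on the outside interface and that the webvpn listener, group policy WEBVPN1 and AAA server group AUTHSERVER from the earlier slides already exist.

```cisco
! Added example, not from the course slides.
! Assumed: proxies listen on outside; WEBVPN1 and AUTHSERVER already configured.

! POP3S: client connects to the outside address on 995 over SSL;
! the appliance reads mail from 10.0.1.10 on port 110 for the user.
pop3s
 enable outside
 port 995
 server 10.0.1.10
 authentication-server-group (inside) AUTHSERVER
! piggyback: the user must already hold an HTTPS WebVPN session
 authentication piggyback
 default-group-policy WEBVPN1

! SMTPS: client submits mail to the outside address on 988 over SSL;
! the appliance relays to 10.0.1.10 on port 25, which still requires SMTP AUTH.
smtps
 enable outside
 port 988
 server 10.0.1.10
 authentication-server-group (inside) AUTHSERVER
 authentication piggyback
 default-group-policy WEBVPN1
```

With piggyback, a mail client that has no matching portal session is refused even with a valid mailbox password, so the mail proxy cannot be used as a password-guessing surface independent of the portal login. The SMTP AUTH credentials the client sends are relayed to 10.0.1.10, which is why the example keeps SMTP authentication required on the server side as well.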
Configure WebVPN Content Filters and ACLs
HTML Content Filtering

ciscoasa(config)#
group-policy {name} attributes

asa1(config)# group-policy WEBVPN1 attributes

Enters the group-policy attributes subcommand mode

ciscoasa(config-group-policy)#
webvpn

asa1(config-group-policy)# webvpn

Enters the WebVPN group-policy attributes subcommand mode
HTML Content Filtering (Cont.)

ciscoasa(config-group-webvpn)#
html-content-filter {cookies | images | java | none | scripts}

asa1(config-group-webvpn)# html-content-filter cookies images java

Configures the content or objects to be filtered from HTML pages delivered through the portal for this policy. Options are as follows:
– cookies: Removes cookies from images, providing limited ad filtering and privacy
– images: Removes references to images (removes <IMG> tags)
– java: Removes references to Java and ActiveX (removes <EMBED>, <APPLET>, and <OBJECT> tags)
– none: Indicates that there is no filtering; sets a null value, thereby disallowing filtering and preventing inheritance of filtering values from a default policy
– scripts: Removes references to scripting (removes <SCRIPT> tags)

Filtering java and scripts keeps active content from internal pages off the remote browser, but it also breaks web applications that depend on them, so test each published application with the filter applied.
WebVPN ACLs

ciscoasa(config)#
access-list id webtype {deny | permit} tcp [host ip_address | ip_address subnet_mask | any] [oper port [port]] [log [[disable | default] | level] [interval secs] [time_range name]]

asa1(config)# access-list WEBVPNACL webtype permit tcp any eq http

Configures a web-type ACL to be used for filtering WebVPN traffic

ciscoasa(config-group-webvpn)#
filter {value ACLname | none}

asa1(config-group-webvpn)# filter value WEBVPNACL

Applies the web-type ACL by name in the WebVPN group-policy attributes subcommand mode
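A web-type ACL and content filter that implement the security precaution given earlier in the module: limit WebVPN users to the resources the portal publishes. This is an added example, not from the slides. It assumes the URLs and APPLICATIONS lists and group policy WEBVPN1 from the earlier examples, and it goes beyond the slide's single permit entry by also using the url form of the access-list webtype command (valid on the ASA but not shown in the slide's syntax line) and by leaving url-entry out of functions so that users cannot type arbitrary URLs into the portal.

```cisco
! Added example, not from the course slides.
! Assumed: url-list URLs, port-forward list APPLICATIONS and group-policy WEBVPN1 exist.

! Web-type ACL: entries are evaluated in order, and anything not permitted is
! dropped by the implicit deny at the end. The explicit deny lines only add logging.
access-list WEBVPNACL webtype permit url http://10.0.1.10/*
access-list WEBVPNACL webtype permit url cifs://10.0.1.11/training/*
! the forwarded console port: host 10.0.1.10 TCP 23 only
access-list WEBVPNACL webtype permit tcp host 10.0.1.10 eq 23
access-list WEBVPNACL webtype deny url any log
access-list WEBVPNACL webtype deny tcp any log

group-policy WEBVPN1 attributes
 webvpn
! no url-entry or file-entry: users click published links, they do not type paths
  functions file-access file-browsing port-forward
  url-list value URLs
  port-forward value APPLICATIONS
! strip Java/ActiveX and scripts from proxied internal pages for this group
  html-content-filter java scripts
  filter value WEBVPNACL
```

With this policy a user who edits the rewritten URL in the address bar to reach another internal host, or who adds a second host to the port-forwarding applet, is denied and the attempt is logged by the deny entries. The content filter acts on pages the appliance rewrites on behalf of the user, not on the portal's own pages, so port forwarding keeps working while Java and scripts from internal sites are removed; applications that need them belong in a separate group policy with a narrower filter rather than in a relaxed policy for everyone.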
Summary

WebVPN lets users establish a secure remote-access VPN session to a security appliance using only a web browser.
WebVPN features include:
– Secure access to internal websites via HTTPS.
– Windows file access, port forwarding, and e-mail proxy.
– HTML content filtering and WebVPN ACLs to restrict WebVPN traffic.
Lab Visual Objective

(Lab topology diagram: Student PC at 172.26.26.P, RBB on the 172.26.26.0 network, ASA between the 192.168.P.0 and 10.0.P.0 networks, RTS and SuperServer on the inside; host addresses .1, .5, .10, .100, and .150 shown in the figure.)