Thin-Client SSL VPN technology allows secure access for some applications that have static ports, such as Telnet(23), SSH(22), POP3(110), IMAP4(143) and SMTP(25). You can use the Thin-Client SSL VPN as a user-driven application, policy-driven application, or both. That is, you can configure access on a user by user basis or you can create Group Policies in which you add one or more users.
Clientless SSL VPN (WebVPN)—Provides a remote client that requires an SSL-enabled Web browser to access HTTP or HTTPS Web servers on a corporate local-area network (LAN). In addition, clientless SSL VPN provides access for Windows file browsing through the Common Internet File System (CIFS) protocol. Outlook Web Access (OWA) is an example of HTTP access.
Refer to Clientless SSL VPN (WebVPN) on ASA Configuration Example in order to learn more about the Clientless SSL VPN.
Thin-Client SSL VPN (Port Forwarding)—Provides a remote client that downloads a small Java-based applet and allows secure access for Transmission Control Protocol (TCP) applications that use static port numbers. Post Office Protocol (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), secure shell (ssh), and Telnet are examples of secure access. Because files on the local machine change, users must have local administrative privileges to use this method. This method of SSL VPN does not work with applications that use dynamic port assignments, such as some file transfer protocol (FTP) applications.
Note: User Datagram Protocol (UDP) is not supported.
SSL VPN Client (Tunnel Mode)—Downloads a small client to the remote workstation and allows full secure access to resources on an internal corporate network. You can download permanently the SSL VPN Client (SVC) to a remote workstation, or you can remove the client once the secure session is closed.
Refer to SSL VPN Client (SVC) on ASA with ASDM Configuration Example in order to learn more about the SSL VPN Client.
This document demonstrates a simple configuration for the Thin-Client SSL VPN on the Adaptive Security Appliance (ASA). The configuration allows a user to telnet securely to a router located on the inside of the ASA. The configuration in this document is supported for ASA version 7.x and later.
Before you attempt this configuration, ensure that you meet these requirements for the remote client stations:
SSL-enabled Web browser
SUN Java JRE version 1.4 or later
Cookies enabled
Popup blockers disabled
Local Administrative privileges (not required but strongly suggested)
Note: The latest version of the SUN Java JRE is available as a free download from the Java Website .
The information in this document is based on these software and hardware versions:
Cisco Adaptive Security Appliance 5510 series
Cisco Adaptive Security Device Manager (ASDM) 5.2(1)
Note: Refer to Allowing HTTPS Access for ASDM in order to allow the ASA to be configured by the ASDM.
Cisco Adaptive Security Appliance Software Version 7.2(1)
Microsoft Windows XP Professional (SP 2) remote client
The information in this document was developed in a lab environment. All devices used in this document were reset to their default configuration. If your network is live, make sure you understand the potential impact of any command. All IP addresses used in this configuration were selected from RFC 1918 addresses in a lab environment; these IP addresses are not routable on the Internet and are for test purposes only.
This document uses the network configuration described in this section.
When a remote client initiates a session with the ASA, the client downloads a small Java applet to the workstation. The client is presented with a list of preconfigured resources.
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
In order to start a session, the remote client opens an SSL browser to the outside interface of the ASA. After the session is established, the user can use the parameters configured on the ASA to invoke any Telnet or application access. The ASA proxies the secure connection and allows the user access to the device.
Note: Inbound access lists are not necessary for these connections because the ASA is already aware of what constitutes a legal session.
In order to configure Thin-Client SSL VPN on the ASA, complete these steps:
Create a Group Policy and Link it to the Port Forwarding List (created in Step 2)
Create a Tunnel Group and Link it to the Group Policy (created in Step 3)
Create a User and Add That User to the Group Policy (created in Step 3)
In order to enable WebVPN on the ASA, complete these steps:
Within the ASDM application, click Configuration, and then click VPN.
Expand WebVPN, and choose WebVPN Access.
Highlight the interface, and click Enable.
Click Apply, click Save, and then click Yes to accept the changes.
In order to configure port forwarding characteristics, complete these steps:
Expand WebVPN, and choose Port Forwarding.
Click the Add button.
In the Add Port Forwarding List dialog box, enter a list name, and click Add.
The Add Port Forwarding Entry dialog box appears.
In the Add Port Forwarding Entry dialog box, enter these options:
In the Local TCP Port field, enter a port number or accept the default value.
The value you enter can be any number from 1024 to 65535.
In the Remote Server field, enter an IP address.
This example uses the address of the router.
In the Remote TCP Port field, enter a port number.
This example uses port 23.
In the Description field, enter a description, and click OK.
Click OK, and then click Apply.
Click Save, and then click Yes to accept the changes.
In order to create a group policy and link it to the port forwarding list, complete these steps:
Expand General, and choose Group Policy.
Click Add, and choose Internal Group Policy.
The Add Internal Group Policy dialog box appears.
Enter a name or accept the default group policy name.
Uncheck the Tunneling Protocols Inherit check box, and check the WebVPN check box.
Click the WebVPN tab located at the top of dialog box, and then click the Functions tab.
Uncheck the Inherit check box, and check the Enable auto applet download and Enable port forwarding check boxes as shown in this image:
Also within the WebVPN tab, click the Port Forwarding tab, and uncheck the Port Forwarding List Inherit check box.
Click the Port Forwarding List drop-down arrow, and choose the port forwarding list you created in Step 2.
Uncheck the Applet Name Inherit check box, and change the name in the text field.
The client displays the Applet Name on connection.
Click OK, and then click Apply.
Click Save, and then click Yes to accept the changes.
You can edit the default DefaultWebVPNGroup tunnel group or create a new tunnel group.
In order to create a new tunnel group, complete these steps:
Expand General, and choose Tunnel Group.
Click Add, and choose WebVPN Access.
The Add Tunnel Group dialog box appears.
Enter a name in the Name field.
Click the Group Policy drop-down arrow, and choose the group policy you created in Step 3.
Click OK, and then click Apply.
Click Save, and then click Yes to accept the changes.
The tunnel group, group policy, and port forwarding characteristics are now linked.
In order to create a user and add that user to the group policy, complete these steps:
Expand General, and choose Users.
Click the Add button.
The Add User Account dialog box appears.
Enter values for the username, password, and privilege information, and then click the VPN Policy tab.
Click the Group Policy drop-down arrow, and choose the group policy you created in Step 3.
This user inherits the WebVPN characteristics and policies of the selected group policy.
Click OK, and then click Apply.
Click Save, and then Yes to accept the changes.
ASA | |
---|---|
ASA Version 7.2(1) ! hostname ciscoasa domain-name default.domain.invalid enable password 8Ry2YjIyt7RRXU24 encrypted names ! interface Ethernet0/0 nameif inside security-level 100 ip address 10.1.1.1 255.255.255.0 !--- Output truncated port-forward portforward 3044 10.2.2.2 telnet Telnet to R1 !--- Configure the set of applications that WebVPN users !--- can access over forwarded TCP ports group-policy NetAdmins internal !--- Create a new group policy for enabling WebVPN access group-policy NetAdmins attributes vpn-tunnel-protocol IPSec l2tp-ipsec webvpn !--- Configure group policy attributes webvpn functions port-forward auto-download !--- Configure group policies for WebVPN port-forward value portforward !--- Configure port-forward to enable WebVPN application access !--- for the new group policy port-forward-name value Secure Router Access !--- Configure the display name that identifies TCP port !--- forwarding to end users username user1 password tJsDL6po9m1UFs.h encrypted username user1 attributes vpn-group-policy NetAdmins !--- Create and add User(s) to the new group policy http server enable http 0.0.0.0 0.0.0.0 DMZ no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart tunnel-group NetGroup type webvpn tunnel-group NetGroup general-attributes default-group-policy NetAdmins !--- Create a new tunnel group and link it to the group policy telnet timeout 5 ssh timeout 5 console timeout 0 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global webvpn enable outside !--- Enable Web VPN on Outside interface port-forward portforward 3044 10.2.2.2 telnet Telnet to R1 prompt hostname context |
Use this section to verify that your configuration works properly.
This procedure describes how to determine the validity of the configuration and how to test the configuration.
From a client workstation, enter https://outside_ASA_IP Address ; where outside_ASA_IPAddress is the SSL URL of the ASA.
Once the digital certificate is accepted, and the user is authenticated, the WebVPN Service Web page appears.
The address and port information required to access the application appears in the local column. The Bytes Out and Bytes In columns display no activity because the application has not been invoked at this time.
Use the DOS prompt or other Telnet application to start a Telnet session.
At the command prompt, enter telnet 127.0.0.1 3044.
Note: This command provides an example of how to gain access to the local port displayed in the WebVPN Service Web page image in this document. The command does not include a colon (:). Type the command as described in this document.
The ASA receives the command over the secure session, and because it stores a map of the information, the ASA knows immediately to open the secure Telnet session to the mapped device.
Once you enter your username and password, access to the device is complete.
In order to verify access to the device, check the Bytes Out and Bytes In columns as shown in this image:
Several show commands are associated with WebVPN. You can execute these commands at the command-line interface (CLI) to show statistics and other information. For detailed information about show commands, refer to Verifying WebVPN Configuration.
Note: The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
Use this section to troubleshoot your configuration.
Once you connect to the ASA, check if the real-time log shows the completion of the SSL handshake.
In order to verify that the SSL VPN Thin-Client is functional, complete these steps:
Click Monitoring, and then click VPN.
Expand VPN Statistics, and click Sessions.
Your SSL VPN Thin-Client session should appear in the sessions list. Be sure to filter by WebVPN as shown in this image:
Several debug commands are associated with WebVPN. For detailed information about these commands, refer to Using WebVPN Debug Commands.
Note: The use of debug commands can adversely impact your Cisco device. Before you use debug commands, refer to Important Information on Debug Commands.
Revision | Publish Date | Comments |
---|---|---|
1.0 |
07-Feb-2008 |
Initial Release |