Configuring Clientless SSL VPN with Cisco ASA

In this lab we are going to configure a clientless SSL VPN using Cisco ASA firewall.

The topology layed out here is based on the suggested lab in the official Cisco training IINS.

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_10_41

We are going to build a clientless SSL VPN between Internet-PC and Site1 resources. We’ll configure the whole thing using the Clientless SSL VPN wizard on ASA.

First, from the ASDM software go to Wizards -> VPN Wizards -> Clientless SSL VPN Wizard.

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_15_52

The SSL VPN Wizard launches. Click Next:

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_16_04

Give a name to your Connection Profile:

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_19_42

Under SSL VPN Interface, choose the interface “outside”:configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_19_55

Leave the field Certificate to “None”. Notice that there is the possibility to use a self signed certificate. But I am not going to demonstrate it here.

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_20_03

Give an alias to your Connection Group then click Next:
configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 20_43_34At this point we must define some credentials. These are the ones ASA is going to check the inbound connection request against. Similar to the authentication we configured in the past on Kali Linux and on Windows, we can leverage AAA. But for the simplicity of this tutorial we will use local credentials:configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_21_23

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_21_49

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_21_59

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_22_12

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_22_22

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_22_31

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_35_11

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_36_01

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_36_09

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 18_36_22

Verification steps:

Edit the etc/hosts file to add the hostname resolution between the SSL VPN terminating interface (the ASA outside interface) and the domain name “vpn.site1.public”

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 20_59_38

We enter the full URL, not only the domain name. This way the security appliance will automatically select the associated Connection Profile.

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 21_03_17

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 21_05_10

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 21_05_24

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 21_05_53

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 21_07_45

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 21_08_19

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 22_10_48

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 22_13_24

configuring-clientless-ssl-vpn-cisco-asa-2017-07-30 22_13_35

Comments

Post a Comment

Popular posts from this blog

The Thing With CUCM Device Packs

Image
To add a new phone on CUCM, whether it is a Cisco phone or one of the free softphones on the Internet, you go to Device –> phone. Sometimes the phone you want to add does not exist in the drop box, because the device model is new or the CUCM version is a bit old. What you can do here is to download a Device Pack of the new phone and install it. A Device Pack is a set of firmwares contained in a single file. Generally, it has the extension “sgn”. A Device Pack for phone X not only contains a load for it, but also loads for many other phone models. This is important to know because, once you install a Device Pack in CUCM, your existing phones by default will install the new version of their respective loads. I encountered a case where, after installing a Device Pack, some phones no longer worked. So I had to note down the “Active Load” and put it in the Device Defaults page. CUCM Device Pack download To download a Device Pack, you need to have a valid Cis...
Read more

En Bloc Dialing vs Digit-By-Digit Dialing

Image
Digit Signaling, aka Digit Addressing, is the method by which digits are sent from a dialing endpoint (e.g. phone) to a CUCM server, or by a voice gateway or trunk. There are three known digit signaling methods: En Bloc dialing SIP Dial Rules Digit-by-digit dialing 1. En Bloc digit dialing In the En Bloc digit signaling method, digits are sent as a whole block. Think of it like a brick that you send to UCM. This is the digit addressing method used on Type A Cisco phones, whether the endpoint signaling protocol is SIP or SCCP. En Bloc dialing is the default method used with the famous gateway protocols -MGCP, H323 and SIP- and also on H323 trunks and SIP trunks. Besides, the resulting pattern of a Translation Pattern operation is sent as En bloc to the call control system. 2. SIP Dial Rules It is important to know that all SIP phones support SIP dial rules, whether they are Type A or Type B. SIP dial rules are created on CUCM and downloaded by...
Read more

Call Forward And Call Hunt on CUCM

Image
Call forwarding is one of the features of the call coverage in Cisco CUCM. Call Hunting is when CUCM distributes a call on more than one Directory Number (DN), whether consecutively or simultaneously, depending on the algorithm. Hunt Pilot A Hunt Pilot is the entry point for the whole call hunting process. It is hit by a Call. The Hunt Pilot number is a dialable entity and has many similarities with Route Patterns : We can configure Route Filters with Hunt Pilots, Hunt Pilots can Provide Outside Dial Tone , We can set Hunt Pilots with the Urgent Priority flag, They can route or block calls, They can apply Calling and Called Party Transformations. Hunt Lists After hitting the Hunt Pilot, the call is presented by CUCM to the Hunt List. Each Hunt List contains one or more ordered Line Groups. A Hunt List can be pointed by one or more Hunt Pilots. Line Groups Each Line Group contains one or more member (we’ll refer to them as Hunt members, hunt parties or Line Group members). A Line Grou...
Read more