Tuesday, 10 February 2015

Clientless SSL VPN (WebVPN) with ASA 5505

TOPOLOGY

Lab instructions

SSL VPN technology can be configured in three ways:
  • Thin Client VPN
  • SSL VPN Client
  • Clientless SSL VPN (WebVPN)
Clientless SSL VPN is a technology allowing limited but secure access to internal network resources from any location using a web browser. No specific VPN client is needed: a remote user only needs an SSL-enabled web browser to access http- or https-enabled web servers on the internal network. This technology is available on the ASA 5505 firewall and has been implemented in the Packet Tracer 6.1 network simulator.

Firewall configuration to apply in this lab:
  • Outside IP: 192.168.1.1/24
  • Inside IP: 192.168.2.1/24
  • User login: test
  • User password: test.test
  • Website IP: site 1


Solution

1. Create the bookmark site1 to the URL http://192.168.2.3 on the ASA 5505 firewall
2. Apply the following configuration to the firewall:
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
webvpn
 enable outside
object network LAN
 subnet 192.168.2.0 255.255.255.0
!
object network LAN
 nat (inside,outside) dynamic interface
!
group-policy group1 internal
group-policy group1 attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value site1
username test password D35rLrqYJOMRHDCX encrypted
username test attributes
 vpn-group-policy group1
!
!

Site-to-site IPsec VPN with ASA 5505

Network diagram

Campus addressing scheme:
  • Campus IP addresses: 172.16.0.0/17
  • DC: 172.16.0.0/18
  • Users: 172.16.64.0/20
  • DMZ: 172.16.96.0/21
  • Network devices: 172.16.252.0/23
  • L3 point-to-point links: 172.16.254.0/24

Branch office 1 IP subnet: 172.16.129.0/24
Enterprise internet IP addresses: 134.95.56.16/28

IPsec VPN configuration to apply:
  • ESP Encryption: AES-256
  • AH hash algorithm: SHA
  • Pre-shared key: SHAREDSECRET

Solution

Campus network - ASA 5505 IPsec VPN headend device configuration.
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.254.254 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 134.95.56.17 255.255.255.240
!
object network BRANCH01_NETWORK
 subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
 subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
 subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
 subnet 172.16.0.0 255.255.0.0
!
route outside 172.16.129.0 255.255.255.0 134.95.56.18 1
route inside 172.16.0.0 255.255.128.0 172.16.254.253 1
!
access-list BRANCH01_TRAFFIC extended permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list BRANCH01_TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object BRANCH_NETWORK object CAMPUS_NETWORK
!
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map BRANCH1 1 match address BRANCH01_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.18
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 134.95.56.18 type ipsec-l2l
tunnel-group 134.95.56.18 ipsec-attributes
 ikev1 pre-shared-key SHAREDSECRET
!

The ENTERPRISE_PRIVATE-TRAFFIC access-group is required to allow IP traffic through the firewall from the remote subnets to the inside subnets: it is applied in the out direction on the inside interface, so it filters the decrypted traffic leaving the ASA towards the inside hosts. The traffic will be blocked by the ASA if this access-list is not configured and applied to the inside VLAN interface.

Branch office 1 - ASA 5505 remote device configuration
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.129.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 134.95.56.18 255.255.255.240
!
object network BRANCH01_NETWORK
 subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
 subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
 subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
 subnet 172.16.0.0 255.255.0.0
!
route outside 172.16.0.0 255.255.128.0 134.95.56.17 1
!
access-list PRIVATE_TRAFFIC extended permit tcp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list PRIVATE_TRAFFIC extended permit icmp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH_NETWORK
!
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
!
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map BRANCH1 1 match address PRIVATE_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.17
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 134.95.56.17 type ipsec-l2l
tunnel-group 134.95.56.17 ipsec-attributes
 ikev1 pre-shared-key SHAREDSECRET
!
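A small consistency check over the two configurations above, added here as an example and not part of the original lab: it parses the object and access-list lines, verifies that the headend's BRANCH01_TRAFFIC crypto ACL is the exact mirror of the branch's PRIVATE_TRAFFIC ACL (any entry without a reverse on the peer fails phase 2 with a proxy-ID mismatch), and evaluates the ENTERPRISE_PRIVATE-TRAFFIC access-group for branch-to-campus TCP. The config string is constructed from the lab (PRIVATE_NETWORK entered as 172.16.0.0/16, the campus and branch ranges combined) and the host addresses are made up.

```python
import ipaddress
import re

# Constructed from the lab: shared objects, the headend crypto ACL (BRANCH01_TRAFFIC),
# the branch crypto ACL (PRIVATE_TRAFFIC) and the headend inside access-group ACL.
LAB_CONFIG = """
object network BRANCH01_NETWORK
 subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
 subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
 subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
 subnet 172.16.0.0 255.255.0.0
access-list BRANCH01_TRAFFIC extended permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list BRANCH01_TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list PRIVATE_TRAFFIC extended permit tcp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list PRIVATE_TRAFFIC extended permit icmp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object BRANCH_NETWORK object CAMPUS_NETWORK
"""

def parse_asa(config):
    """Map object names to networks and ACL names to (proto, src, dst) permit entries."""
    objects, acls, current = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"\s+subnet (\S+) (\S+)$", line):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"access-list (\S+) extended permit (\S+) object (\S+) object (\S+)$", line):
            name, proto, src, dst = m.groups()
            acls.setdefault(name, []).append((proto, objects[src], objects[dst]))
    return objects, acls

def permits(acl, proto, src_ip, dst_ip):
    """First-match evaluation of a permit-only ACL; no match is the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(p == proto and src in s and dst in d for p, s, d in acl)

def mirror_mismatches(hub_acl, spoke_acl):
    """Hub crypto-ACL entries with no exact reverse on the spoke (phase 2 proxy-ID mismatch)."""
    mirrored = {(p, d, s) for p, s, d in spoke_acl}
    return [e for e in hub_acl if e not in mirrored]

def check_lab(config=LAB_CONFIG):
    """Returns (crypto ACL mismatches, branch-to-campus TCP allowed by the inside access-group)."""
    _, acls = parse_asa(config)
    return (mirror_mismatches(acls["BRANCH01_TRAFFIC"], acls["PRIVATE_TRAFFIC"]),
            permits(acls["ENTERPRISE_PRIVATE-TRAFFIC"], "tcp", "172.16.129.10", "172.16.64.10"))
```

Changing the PRIVATE_NETWORK subnet to any range outside 172.16.0.0/16 makes the TCP check return False while ICMP still passes, which is how a typo in that object shows up as "ping works, everything else is blocked".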