Monitoring an SSL VPN in Cisco IOS

This section discusses the monitoring steps that are available to help you run the SSL VPN solution smoothly on the IOS router. To monitor SSL VPN sessions, the first step is to check how many active SSL VPN tunnels are established on the IOS router. You can achieve this by choosing Monitor > VPN Status > SSL VPN (All Contexts) > SecureMeContext > Users. The Cisco IOS router shows you all the active VPN sessions for the SecureMeContext context. As shown in Figure 6-47, an active...

Step 1: Setting Up an SSL VPN Gateway

In SSL VPNs, the Cisco IOS router acts as a proxy between the SSL-enabled VPN client and the resources on the private network. Before an SSL VPN tunnel can be established, you need to allocate a public IP address or host name to terminate the VPN sessions. The VPN users point their browser to this configured IP address or host name and start the SSL negotiation process. An IOS SSL VPN gateway can be configured by issuing the webvpn gateway command followed by a gateway name. This gateway only...

Enrolling Digital Certificates (Recommended)

Enrollment is the process of obtaining a certificate from a certificate authority (CA). Before starting the enrollment process, you must generate the RSA key pair with the crypto key generate rsa command. To generate the keys, you must first configure a host name and domain name on the Cisco IOS router. Example 6-5 demonstrates how to configure a domain name of securemeinc.com and how to generate an RSA key pair with a 1024-bit modulus.

Example 6-5 Generating the RSA Key Pair

Chicago(config)...

Public Key Infrastructure: Digital Certificates and Certification

The preceding section showed how you can use digital signatures to achieve important security requirements, such as entity authentication, nonrepudiation, and data origin authentication. You might have noticed that one piece is still missing in the picture. To verify the digital signature, you need to have the sender's public key. This public key should be distributed not only to the public in a scalable way but also be trusted as the true public key of the sender. (For example, Bob can post...

Case Study: SSL Connection Setup

This section examines the setup of an SSL connection as a case study of how the concepts discussed so far work in practice. It looks at the communication both at the SSL session level and at the lower TCP/IP packet level, using tools such as ssldump and Ethereal. The SSL connection used in this case study is fairly simple: a user at IP address 10.1.1.200 browses to a website at IP address 66.94.230.34 using HTTPS, views the page, and then closes the connection. First,...

L2TP over IPsec

Organizations that prefer to use a built-in remote access client in the Windows-based operating systems can use L2TP. However, L2TP fails to provide strong data confidentiality. Therefore, most of the L2TP implementations use IPsec to provide data security. This methodology is commonly referred to as L2TP over IPsec and is documented in RFC 3139. In an L2TP over IPsec implementation, the client workstation and the home gateway device go through seven steps, as depicted in Figure 1-6 and...

Reverse Proxy Technology

HTTPS provides secure web communication between a browser and a web server that supports the HTTPS protocol. SSL VPN extends this model to allow VPN users to access corporate internal web applications and other corporate application servers that might or might not support HTTPS, or even HTTP. SSL VPN does this by using several techniques that are collectively called reverse proxy technology. A reverse proxy is a proxy server that resides in front of the application servers, normally web...

Setting Up User Authentication

Cisco ASA supports a number of authentication servers, such as RADIUS, NT domain, Kerberos, SDI, LDAP, digital certificates, smart cards, and local databases. For small organizations, a local database can be set up for user authentication. For medium to large SSL VPN deployments, it is highly recommended that you use an external authentication server, such as RADIUS or Kerberos, as the user authentication database. If you are deploying the SSL VPN feature for a few users, you can use the local...

Accessing ASDM

ASDM's interface can be accessed from any workstation whose IP address is in the trusted network list. Before you establish the secure connection to the appliance, verify that IP connectivity exists between the workstation and the Cisco ASA. To establish an SSL connection, launch a browser and point the URL to the IP address of the appliance. In Figure 5-1, the administrator is accessing ASDM by entering https://192.168.1.1/admin as the URL. The URL is redirected to https://192.168.1.1/admin/public...

Setting Up Basic Host Scan

To configure CSD to scan a remote computer for basic information, click Add under Basic Host Scan and select the type of basic scan you would like to configure. As mentioned in the previous section, a basic Host Scan can identify registry keys, active processes, and files located on the remote workstation. For example, if you want CSD to scan a registry key from the workstation and based on that information you want to apply appropriate action by DAP, add Registry Scan under Basic Host Scan....

Step 2: Defining AnyConnect VPN Client Attributes

After loading the AnyConnect package in the router's configuration, SDM allows you to define the client parameters. Before an AnyConnect VPN Client is functional, you have to configure the following attributes:

- Defining a pool of addresses
- Creating a Layer 3 interface

Optionally, you can define other attributes to enhance the functionality of the SSL VPN configuration. They include:

- Keep SSL VPN client installed

The sections that follow define these options. The Cisco IOS router allows you to...

Port Forwarding Technology

Clientless web access supports only a small set of corporate business applications that already have a web interface or can be easily webified. To be a complete remote access VPN solution, SSL VPN-based solutions need to be able to support other types of applications. The port-forwarding client solves part of the problems. The SSL VPN port-forwarding client is a client-side agent that intercepts specific application traffic and redirects the traffic to the SSL VPN gateway through the...

Full Customization of a User Portal Page

If you want to customize the user web portal, you can use the following steps to provide full customization. These steps are similar to the steps described for the logon page customization. The default user web portal is shown in Figure 5-23.

Figure 5-23 Default User Web Portal Page

Step 1: Choose Configuration > Remote Access VPN >...

Selecting an AAA Attribute

Because DAP complements the AAA process, the security appliance can select DAP records based on the AAA authorization attributes that it receives from the following sources. Table 5-10 defines the attributes that you can select within ASDM:

- Group names that the authenticated user is a member of
- Group name value that is passed through the class attribute
- Tunnel group name that the user connects to

NOTE: You can leverage the advanced...

Configuring Web-Type ACLs

Cisco ASA enables network administrators to further tighten clientless SSL VPN security by configuring web-type access control lists (ACLs) to manage access to web, Telnet, SSH, Citrix, FTP, file, and e-mail servers, or to all types of traffic. These ACLs affect only clientless SSL VPN traffic and are processed in sequential order until a match is found. If an ACL is defined but no entry matches, the default behavior of the security appliance is to drop the packets. On the other hand, if no web-type ACL...

Configuring Application ACL

Network administrators can restrict which application servers their clientless SSL VPN users can access by configuring application access control lists (ACLs). They can filter traffic such as Hypertext Transfer Protocol (HTTP), HTTPS, FTP, and Common Internet File System (CIFS), to name a few. These ACLs affect only clientless SSL VPN traffic. An application ACL is configured by choosing Configure > VPN > SSL VPN > Edit SSL VPN > SecureMeContext > Edit > App ACL. Click Add, specify...

Configuring Clientless SSL VPNs

As mentioned in Chapter 3, SSL VPN Design Considerations, Chapter 4, Cisco SSL VPN Family of Products, and Chapter 5, SSL VPNs on Cisco ASA, remote users can use SSL VPNs to browse their internal websites and Outlook Web Access. A Cisco IOS router terminates the HTTPS connections on its public interface and then forwards the HTTP or HTTPS requests to the internal web server. The response from the web server is then encapsulated into HTTPS and forwarded to the client. This feature uses only an...