Cisco ASA 5500 SSL VPN Deployment Guide, Version 8_deen

By Willie Carpenter, 2014-09-28 15:54

    Cisco ASA 5500 SSL VPN Deployment Guide, Version 8.x

    Document version number 1.0


    This document demonstrates key SSL VPN features and capabilities of the ASA 5500 Adaptive Security Appliance. It can help you evaluate the security appliance for your own network security needs. The Cisco ASA 5500 offers two types of SSL VPN, a key technology for remote access to corporate resources:

    Clientless SSL VPN provides access to Web applications, such as email, and corporate portals via Web browsers and Java components. It requires no client software.

    The AnyConnect SSL VPN Client provides direct access to corporate resources, just like an IPsec client. Using Datagram Transport Layer Security (DTLS), the client improves the performance of real-time applications that are sensitive to packet delays by avoiding latency and bandwidth problems associated with some SSL-only connections.

    Both clientless and AnyConnect client connections use posture assessment policies. You can define these policies to evaluate whether an endpoint is a corporate or public entity with the properly configured operating systems, firewall, antivirus software, and antispyware that you require.

    The security appliance software includes two SSL VPN licenses, allowing two simultaneous SSL VPN connections in any combination of clientless or client connections.

    Additional Information

    This document provides configuration tasks for Dynamic Access Policies (DAP), a powerful tool for controlling access to corporate resources regardless of the location or security posture of the end user device. For a more in-depth discussion about DAP, see the white paper Dynamic Access Policies at this URL:

    For detailed DAP configuration information, see the Understanding Policy Enforcement of Permissions and Attributes section of the Cisco Security Appliance Command Line Configuration Guide, Version 8.0, at this URL:

    We continue to document additional use cases and publish them under Selected ASDM Configuration Tasks at the following URL: ml

    Americas Headquarters:

    Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

    © 2008 Cisco Systems, Inc. All rights reserved.


    This document contains the following sections:

    Example Network Topology
    Initial Setup
        Preparing for ASDM Access
        Configuring Hostname, DNS, Basic Routing
        Configuring VPN Users in the Local Database
        Configuring VPN Users on Active Directory/LDAP
        Enabling SSL VPN on Interfaces
    Enforcing VPN Access via Connection Profiles, Group Policies, and Customization Objects
        Understanding Policy Enforcement of Permissions and Attributes
        Configuring an Engineering and a Sales Connection Profile
        Configuring Engineering and Sales Group Policies
        Associating Group Policies Engineering and Sales to Connection Profiles
        Creating Bookmark Lists for the Engineering and Sales Group Policies
        Applying the Bookmark Lists to Group Policies
        Creating WebType ACLs
        Applying the ACLs to Group Policies
        Creating Customization Objects for Engineering and Sales
        Importing Web Content for use with Logos
        Setting the Customization in the Connection Profile
        Setting the Customization in the Group Policy
        Establishing a Clientless Session Using the Drop-Down Menu
        Establishing an SSL VPN Session Using a Group URL
    Single Sign-on & URL Variable Substitution
        Introduction to URL Variable Substitution
        Configuring Post Parameters for SSO with Outlook Web Access
        Configuring Post Parameters for Single Sign-on with Citrix
        SSO Substitution via Active Directory Attribute Mapping
    Accessing Applications using Smart Tunnels and Plug-ins over Clientless Connections
        Plug-ins
        Plug-in Requirements and Restrictions
        Smart Tunnels
    Dynamic Access Policies (DAP)
        Using DAPs for VPN Policies (no Cisco Secure Desktop)
        Integrating Cisco Secure Desktop with DAPs
        Advanced DAP Settings
    AnyConnect VPN Client


        Installing and Configuring the AnyConnect Client
        Installing the AnyConnect Client and Configuring the Security Appliance
        CSA Interoperability with the AnyConnect Client and Cisco Secure Desktop
        Uninstalling the Cisco AnyConnect VPN Client
        Example Security Appliance Configuration for AnyConnect Client

    Example Network Topology

    This document assumes the following network topology:

    [Figure: example network topology. The security appliance sits between the Internet (outside interface) and the internal network (inside interface), which holds the DNS server and WINS server. A management client running ASDM connects to the management interface. Remote security clients reach the appliance over the Internet using either the AnyConnect client or a browser-based (clientless) session.]

    Initial Setup

    This section provides instructions for setting up ASDM to manage the security appliance, configuring basic settings, and adding users.

    Preparing for ASDM Access

    The information in this section is also available in the ASA 5500 Getting Started Guide at


    To use ASDM, perform the following steps:

    Step 1 Use an Ethernet cable to connect the MGMT interface to a switch or hub. To this same switch, connect a PC that will run ASDM to configure the security appliance.

    Note You can use other inside interfaces for ASDM access if you choose.


    Step 2 Configure your PC to use DHCP. This enables the PC to obtain an IP address automatically from the security appliance. It can then communicate with the security appliance and the Internet as well as run ASDM for configuration and management tasks.

    Note Alternatively, you can assign a static IP address to your PC by selecting an address in the subnet. Valid addresses are through , with a mask of and default route of . When you connect other devices to any of the inside ports, make sure that they do not have the same IP address. The MGMT interface of the adaptive security appliance is assigned the IP address by default, so this address is unavailable.

    Step 3 Check the LINK LED on the MGMT interface. When a connection is established, the LINK LED on the adaptive security appliance and the corresponding LINK LED on the switch or hub are solid green.

    Step 4 Connect to the console for CLI access to verify or set specific configuration commands and for debugging, if necessary.

    Step 5 To configure CLI commands you must be in global configuration mode. To enter configuration mode, at the prompt type config t:

    asa# config t


    Note To display the running configuration, type show runn for the complete configuration, or show runn followed by a section keyword (for example, show runn http) for specific output.

    Step 6 Verify that ASDM is already enabled on the management interface by issuing the command show run http:

    hostname(config)# show run http
    http server enable
    http management

    Step 7 Verify that the browser uses the same SSL version and encryption as the security appliance. The default ssl server-version is any (SSL3.0 and TLSv1) with the AES, 3DES and RC4 encryption ciphers.

    asa(config)# show runn ssl    displays the SSL encryption and server versions
    asa(config)# ssl              sets the SSL configuration

    Step 8 The security appliance generates an SSL self-signed certificate for each interface when booting. For most lab environments you can use this certificate. Third party certificates (for example, Verisign) are also supported. For instructions on enrolling the security appliance for third party certificates, see Configuring Certs in the Cisco Security Appliance Command Line Configuration Guide at

    Step 9 Launch ASDM by entering in the browser.


    Step 10 The initial ASDM screen offers three operational options. Select Install ASDM and Run ASDM. The security appliance downloads an ASDM .msi file to your PC. Double-click the .msi file to launch the ASDM installer. After installing, the Launcher window displays.

    Step 11 Enter the username and password. The main ASDM screen displays.

    Note By default, ASDM does not require that you enter a username and password. Leave the fields blank and click OK to continue. The following message displays:

    ASDM will initialize now...

    Step 12 To see the commands that ASDM sends to the security appliance, in the toolbar at the top of the main ASDM screen, go to Tools > Preferences > General tab, and check Preview commands before sending them to the device.


    Configuring Hostname, DNS, Basic Routing

    The hostname provides a name for the security appliance. A Domain Name Server (DNS) provides name resolution for clientless SSL VPN connections. To configure a hostname, DNS, and basic routing on the security appliance, perform the following steps.

    Step 1 Configure the ASA Hostname and Domain Name. Navigate to Configuration > Device Setup > Device Name/Password. Enter the hostname and domain name.



    Step 2 Configure routing to access your internal resources. For lab environments we recommend you use static routes.

    Note The traditional default gateway is the gateway of last resort for non-decrypted traffic and usually points to the Internet (outside). The tunneled default gateway is the gateway of last resort for VPN decrypted traffic and usually represents a router on the inside network.

    Navigate to Configuration > Device Setup > Routing > Static Routes. Click Add and enter the static route information.


    Step 3 Configure the DNS settings to use for clientless SSL VPN hostname resolution. Navigate to Configuration > Remote Access VPN > DNS. To configure the DefaultDNS set of servers, select DefaultDNS and click Add. This is a global setting for all clientless sessions on the security appliance.


    Configuring VPN Users in the Local Database

    User accounts can be stored in a local database on the security appliance or on an external AAA server. This section shows how to configure VPN users in the local database:

    Step 1 Navigate to Configuration > Device Management > Users/AAA > User Accounts. The Identify pane displays. Add three users: Sales, Engineer, and Admin.

    Step 2 In the VPN Policy pane, assign these users to the default group policy, DfltGrpPolicy. You can select the Tunneling Protocols in this screen or inherit the setting from DfltGrpPolicy.
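    The following is an added example, not text from the guide. It is the CLI equivalent of Steps 1 and 2 for the three local users, showing one user that inherits the tunneling protocols from DfltGrpPolicy and two that set them explicitly; the passwords and the privilege choices are constructed for the example.

```text
! Added example (not from the guide). Passwords are constructed placeholders.
! VPN-only accounts get privilege 0 so they carry no management rights on the appliance.
asa(config)# username Sales password S4les-ExamplePw privilege 0
asa(config)# username Engineer password Eng1neer-ExamplePw privilege 0
asa(config)# username Admin password Adm1n-ExamplePw privilege 15
! Sales: clientless only (webvpn), attached to the default group policy.
asa(config)# username Sales attributes
asa(config-username)# vpn-group-policy DfltGrpPolicy
asa(config-username)# vpn-tunnel-protocol webvpn
asa(config-username)# exit
! Engineer: clientless plus the AnyConnect client (svc is the 8.x keyword for it).
asa(config)# username Engineer attributes
asa(config-username)# vpn-group-policy DfltGrpPolicy
asa(config-username)# vpn-tunnel-protocol svc webvpn
asa(config-username)# exit
! Admin: no vpn-tunnel-protocol line, so the setting is inherited from DfltGrpPolicy.
asa(config)# username Admin attributes
asa(config-username)# vpn-group-policy DfltGrpPolicy
asa(config-username)# exit
! Make the default clientless connection profile authenticate against the local database.
asa(config)# tunnel-group DefaultWEBVPNGroup general-attributes
asa(config-tunnel-general)# authentication-server-group LOCAL
asa(config-tunnel-general)# exit
asa(config)# show running-config username
```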


    Configuring VPN Users on Active Directory/LDAP

    The security appliance supports various authentication methods: RSA one-time passwords, RADIUS, Kerberos, LDAP, NT Domain, TACACS, Local/Internal, digital certificates, and a combination of both authentication and certificates.

    To configure VPN users on an Active Directory LDAP AAA server, follow these steps.

    Step 1 Navigate to Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups.

    Step 2 Add a server group and specify the Protocol as LDAP.
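    The following is an added example, not text from the guide. It is the CLI equivalent of Steps 1 and 2 plus the host entry the LDAP server group needs before it can authenticate anyone, with LDAP over SSL so the bind and user credentials are not sent in clear text; the group name, address, DNs and passwords are constructed placeholders.

```text
! Added example (not from the guide). Group name, address, DNs and passwords are placeholders.
asa(config)# aaa-server AD-LDAP protocol ldap
asa(config-aaa-server-group)# exit
asa(config)# aaa-server AD-LDAP (inside) host 10.10.1.10
asa(config-aaa-server-host)# server-type microsoft
asa(config-aaa-server-host)# ldap-base-dn DC=example,DC=com
asa(config-aaa-server-host)# ldap-scope subtree
asa(config-aaa-server-host)# ldap-naming-attribute sAMAccountName
! Bind account: a read-only service account, not a domain administrator.
asa(config-aaa-server-host)# ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
asa(config-aaa-server-host)# ldap-login-password ExampleBindPw
! Encrypt the LDAP session; plain LDAP on 389 exposes the bind and user passwords.
asa(config-aaa-server-host)# ldap-over-ssl enable
asa(config-aaa-server-host)# server-port 636
asa(config-aaa-server-host)# exit
! Use AD for the default clientless profile, with LOCAL as fallback if AD is unreachable.
asa(config)# tunnel-group DefaultWEBVPNGroup general-attributes
asa(config-tunnel-general)# authentication-server-group AD-LDAP LOCAL
asa(config-tunnel-general)# exit
! Test the bind and a user lookup from the appliance without opening a VPN session.
asa(config)# test aaa-server authentication AD-LDAP host 10.10.1.10 username jdoe password ExampleUserPw
```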
