Cisco ASA 5500 SSL VPN Deployment Guide, Version 8_deen

By Willie Carpenter, 2014-09-28 15:54

    Cisco ASA 5500 SSL VPN Deployment Guide, Version 8.x

    Document version number 1.0


    This document demonstrates key SSL VPN features and capabilities of the ASA 5500 Adaptive Security Appliance. It can help you evaluate the security appliance for your own network security needs. The Cisco ASA 5500 offers two types of SSL VPN, a key technology for remote access to corporate resources:

    Clientless SSL VPN provides access to Web applications, such as email, and corporate portals via Web browsers and Java components. It requires no client software.

    The AnyConnect SSL VPN Client provides direct access to corporate resources, just like an IPsec client. Using Datagram Transport Layer Security (DTLS), the client improves the performance of real-time applications that are sensitive to packet delays by avoiding latency and bandwidth problems associated with some SSL-only connections.

    Both clientless and AnyConnect client connections use posture assessment policies. You can define these policies to evaluate whether an endpoint is a corporate or public entity with the properly configured operating systems, firewall, antivirus software, and antispyware that you require.

    The security appliance software includes two SSL VPN licenses, allowing two simultaneous SSL VPN connections in any combination of clientless or client connections.

    Additional Information

    This document provides configuration tasks for Dynamic Access Policies (DAP), a powerful tool for controlling access to corporate resources regardless of the location or security posture of the end user device. For a more in-depth discussion about DAP, see the white paper Dynamic Access Policies at this URL:

    For detailed DAP configuration information, see the Understanding Policy Enforcement of Permissions and Attributes section of the Cisco Security Appliance Command Line Configuration Guide, Version 8.0 at this URL:

    We continue to document additional use cases and publish them under Selected ASDM Configuration Tasks at the following URL:

    Americas Headquarters:

    Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

    © 2008 Cisco Systems, Inc. All rights reserved.


    This document contains the following sections:

    Example Network Topology

    Initial Setup
        Preparing for ASDM Access
        Configuring Hostname, DNS, Basic Routing
        Configuring VPN Users in the Local Database
        Configuring VPN Users on Active Directory/LDAP
        Enabling SSL VPN on Interfaces

    Enforcing VPN Access via Connection Profiles, Group Policies, and Customization Objects
        Understanding Policy Enforcement of Permissions and Attributes
        Configuring an Engineering and a Sales Connection Profile
        Configuring Engineering and Sales Group Policies
        Associating Group Policies Engineering and Sales to Connection Profiles
        Creating Bookmark Lists for the Engineering and Sales Group Policies
        Applying the Bookmark Lists to Group Policies
        Creating WebType ACLs
        Applying the ACLs to Group Policies
        Creating Customization Objects for Engineering and Sales
        Importing Web Content for use with Logos
        Setting the Customization in the Connection Profile
        Setting the Customization in the Group Policy
        Establishing a Clientless Session Using the Drop-Down Menu
        Establishing an SSL VPN Session Using a Group URL

    Single Sign-on & URL Variable Substitution
        Introduction to URL Variable Substitution
        Configuring Post Parameters for SSO with Outlook Web Access
        Configuring Post Parameters for Single Sign-on with Citrix
        SSO Substitution via Active Directory Attribute Mapping

    Accessing Applications using Smart Tunnels and Plug-ins over Clientless Connections
        Plug-ins
        Plug-in Requirements and Restrictions
        Smart Tunnels

    Dynamic Access Policies (DAP)
        Using DAPs for VPN Policies (no Cisco Secure Desktop)
        Integrating Cisco Secure Desktop with DAPs
        Advanced DAP Settings

    AnyConnect VPN Client


        Installing and Configuring the AnyConnect Client
        Installing the AnyConnect Client and Configuring the Security Appliance
        CSA Interoperability with the AnyConnect Client and Cisco Secure Desktop
        Uninstalling the Cisco AnyConnect VPN Client
        Example Security Appliance Configuration for AnyConnect Client

    Example Network Topology

    This document assumes the following network topology:

    [Figure: example network topology. The security appliance has an Inside interface to the internal network (DNS server, WINS server, and the ASDM PC attached to the Management interface) and an Outside interface to the Internet; remote users reach it from the Internet with either a browser-based (clientless) client or the AnyConnect client.]

    Initial Setup

    This section provides instructions for setting up ASDM to manage the security appliance, configuring basic settings, and adding users.

    Preparing for ASDM Access

    The information in this section is also available in the ASA 5500 Getting Started Guide at


    To use ASDM, perform the following steps:

    Step 1  Use an Ethernet cable to connect the MGMT interface to a switch or hub. To this same switch, connect a PC that will run ASDM to configure the security appliance.

    Note  You can use other inside interfaces for ASDM access if you choose.


    Step 2  Configure your PC to use DHCP. This enables the PC to obtain an IP address automatically from the security appliance. It can then communicate with the security appliance and the Internet as well as run ASDM for configuration and management tasks.

    Note  Alternatively, you can assign a static IP address to your PC by selecting an address in the subnet. Valid addresses are through , with a mask of and a default route of . When you connect other devices to any of the inside ports, make sure that they do not have the same IP address. The MGMT interface of the adaptive security appliance is assigned the IP address by default, so this address is unavailable.
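    As an added example that is not part of this guide, the following is the CLI equivalent of the management-interface setup that Steps 1 and 2 rely on (the appliance handing out DHCP leases to the ASDM PC and accepting ASDM connections from it). The interface name, the 10.10.10.0/24 subnet and the ASDM image name are constructed placeholders, not the appliance's defaults.

```cisco
! Added example (not from the guide). Addresses are constructed for illustration.

interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 ! Keep management traffic off the data plane: the interface only accepts
 ! traffic destined to the appliance itself and never forwards through-traffic.
 management-only
 no shutdown

! Hand out addresses to the ASDM PC on the MGMT switch (Step 2).
! The pool must not include the appliance's own address (10.10.10.1).
dhcpd address 10.10.10.2-10.10.10.254 management
dhcpd enable management

! Enable the HTTPS/ASDM server, but only for hosts on the management subnet.
! Widening the http line to 0.0.0.0 0.0.0.0 would expose the administrative
! interface to every network the appliance is attached to.
asdm image disk0:/asdm-<version>.bin
http server enable
http 10.10.10.0 255.255.255.0 management

! Verification after the PC is connected:
!   show dhcpd binding          - the PC's lease from the pool above
!   show running-config http    - only the management subnet is permitted
```

    If a later step moves ASDM access to another inside interface, add a matching `http <subnet> <mask> <nameif>` line for that interface rather than opening the server to all networks.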