Here we go, the last piece of the VPN puzzle.
How do we configure an SSL VPN on a Cisco ASA?
We're going to do this all from the CLI, but it is extremely easy to do via the ASDM wizard.
I've simply configured a Windows 7 box to point directly at the inside interface of the ASA, and allowed a VPN to be configured there.
For reference, the inside interface IP is 10.0.0.1 and the Windows 7 box is 10.0.0.20.
Let's lay out a few requirements:
- Users will connect to https://10.0.0.1/Test to sign into the VPN
- We will use a self signed certificate generated on the ASA
- Users will be authenticated against a local database
- Once connected, users will only be able to access https://10.0.0.15
We're starting with a totally clean ASA so first up we need to configure the interface:
ciscoasa(config)# int g0
ciscoasa(config-if)# ip address 10.0.0.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shut
Now let's lay out the steps required for a VPN to work:
- Generate RSA keys
- Create a self-signed certificate
- Enable webvpn
- Create a pool of addresses for the VPN
- Create a default group policy
- Create a specific group policy
- Bypass the interface ACLs
- Ensure the VPN traffic is not NATed
- Create a tunnel group
- Configure user accounts
It looks like a lot, but it's actually quite simple, so let's get cracking:
Create keys and certificate:
ciscoasa(config)# crypto key generate rsa label sslvpnkey
INFO: The name for the keys will be: sslvpnkey
Keypair generation process begin. Please wait...
ciscoasa(config)# crypto ca trustpoint localtrust
ciscoasa(config-ca-trustpoint)# enrollment self
ciscoasa(config-ca-trustpoint)# fqdn sslvpn.test.com
ciscoasa(config-ca-trustpoint)# subject-name CN=sslvpn.test.com
ciscoasa(config-ca-trustpoint)# keypair sslvpnkey
ciscoasa(config-ca-trustpoint)# crypto ca enroll localtrust noconfirm
% The fully-qualified domain name in the certificate will be: sslvpn.test.com
ciscoasa(config)# ssl trust-point localtrust inside
The last line is important here. Typically we would use the outside interface of the ASA, as the whole point of the VPN is to terminate traffic from the Internet, but in this case I've just used the inside interface.
Enable webvpn:
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable inside
ciscoasa(config-webvpn)# svc enable
Create an address pool for the VPN users:
ciscoasa(config)# ip local pool VPN 10.0.1.1-10.0.1.100 mask 255.255.255.0
Create a default group policy and a specific group policy:
The default policy is one that will apply to all users and is typically where we would configure name servers and other global attributes. The specific policy can apply to groups of users; for instance, you might have one for IT employees and a different one for sales employees.
ciscoasa(config-webvpn)# group-policy DfltGrpPolicy attributes
ciscoasa(config-group-policy)# dns-server value 10.0.0.2
ciscoasa(config-group-policy)# wins-server value 10.0.0.3
ciscoasa(config-group-policy)# vpn-tunnel-protocol svc webvpn
ciscoasa(config-group-policy)# address-pools value VPN
ciscoasa(config)# group-policy IT internal
ciscoasa(config)# group-policy IT attributes
ciscoasa(config-group-policy)# banner value IT Remote Access
ciscoasa(config-group-policy)# vpn-tunnel-protocol webvpn
ciscoasa(config-group-policy)# webvpn
Here we would configure specific rules for IT users, such as what URLs are accessible, but we'll just leave it as default for now.
Configure ACL bypass:
ciscoasa(config)# sysopt connection permit-vpn
NAT exemption:
ciscoasa(config)# access-list no_nat extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list no_nat
Create a tunnel group:
ciscoasa(config)# tunnel-group ITSSL type remote-access
ciscoasa(config)# tunnel
ciscoasa(config)# tunnel-group ITSSL webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias IT enable
ciscoasa(config-tunnel-webvpn)# group-url https://10.0.0.1/Test enable
Create user accounts:
ciscoasa(config)# username bob password testpass
ciscoasa(config)# username bob attributes
ciscoasa(config-username)# service-type remote-access
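Before testing, a quick sanity check over the configuration the steps above produce, as an added example that is not part of the original post: it parses the relevant lines and flags the things that most often break or weaken an ASA SSL VPN (a pool overlapping the inside subnet, a missing NAT exemption for pool-to-inside traffic, no group policy allowing the svc tunnel protocol, and the interface-ACL bypass that sysopt connection permit-vpn introduces). The config text and the function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample of the config lines produced by the walkthrough above
# (typed in by hand for this example, not captured from a real ASA).
SAMPLE_CONFIG = """
ip address 10.0.0.1 255.255.255.0
ip local pool VPN 10.0.1.1-10.0.1.100 mask 255.255.255.0
sysopt connection permit-vpn
access-list no_nat extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list no_nat
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value VPN
"""

def net(addr, mask):
    """Build a network object from an ASA 'address netmask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def inside_network(config):
    m = re.search(r"^ip address (\S+) (\S+)", config, re.M)
    return net(m.group(1), m.group(2)) if m else None

def pool_network(config):
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", config, re.M)
    return net(m.group(1), m.group(2)) if m else None

def nat_exempt_pairs(config, acl="no_nat"):
    """(source, destination) networks exempted by the nat 0 ACL, if it is applied."""
    if not re.search(rf"^nat \(\S+\) 0 access-list {acl}\b", config, re.M):
        return []
    pat = rf"^access-list {acl} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(net(s, sm), net(d, dm)) for s, sm, d, dm in re.findall(pat, config, re.M)]

def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    inside, pool = inside_network(config), pool_network(config)
    if inside is None or pool is None:
        return ["inside interface or VPN pool not configured"]
    if pool.overlaps(inside):
        findings.append("VPN pool overlaps the inside subnet")
    if not any(pool.subnet_of(s) and inside.subnet_of(d) for s, d in nat_exempt_pairs(config)):
        findings.append("no NAT exemption covering pool -> inside")
    if re.search(r"^sysopt connection permit-vpn", config, re.M):
        findings.append("interface ACLs bypassed for VPN traffic; restrict access in the group policy")
    if not re.search(r"^\s*vpn-tunnel-protocol .*\bsvc\b", config, re.M):
        findings.append("no group policy allows the svc (SSL VPN client) tunnel protocol")
    return findings
```

Run audit() over a saved running-config; the only finding for the walkthrough's own settings is the ACL-bypass reminder, which is where the requirement of limiting users to https://10.0.0.15 still has to be enforced.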
And that's it, we should now have a working connection, so let's test it out: