CCBOOTCAMP Webinar - Cisco ASA SSL VPN

Captions
all right well hello everybody this is Tim Riley I'm an instructor at CC boot camp and today we're gonna talk about a security topic there's going to be SSL VPN specific to the a sa and so let's go ahead and have have a look here so get started so for the agenda today like I said we're gonna be talking about a sa SSL VPN and before we get into some of the nuts and bolts there we're gonna start out with some introduction into group policy and Tunnel groups and see how those affect our SSL VPN once we go through those brief intros we'll start hitting the the guts here we'll talk about SSL VPN web VPN that client lists look at the operation advanced features and some troubleshooting there then we'll hop into the client version of that the anyconnect client and we'll do the same same demonstration there and finally we will end with a live config demo we'll get to see all these technologies work and some some good tools to use to verify functionality and some things that are helpful not only for the real world but also for the lab exam at the end of the presentation we'll have a Q&A session so feel free in the in the GoToWebinar window pane there there's a questions section go ahead and type in your questions as we go through the presentation but I'm gonna hold off on the answering until the end but feel free to go ahead and type in your questions there any time and we'll get to those at the end of the presentation okay so our SSL VPNs are gonna be based on group policies and Tunnel groups just like any other VPN like our site-to-site VPN remote access easy VPN things like that ASA's like to use these group policies and the group policies are basically a set of attributes which gets applied to a particular VPN session now these attributes are applied after the two most established and so it's on an example for a easy DPN type connection is after you connect and authenticate you're gonna be pushed down phase 1.5 settings like your DNS and DHCP settings things like that 
we also specify what type of VPN this is going to be is this going to be a site-to-site is this going to be a spc for any connect or web VPN so we specified the protocol that we're going to be expecting to use at this policy as well so these attributes are applied like I said after the tall's established but they can be held internally at the firewall or externally so these group policies can be created on the firewall or we can tell the firewall to reference an external system such as Radiesse or ACS to hold those policies than and then they'll be pushed down to the firewall after connection so we have an option for internal or external here now we're talking about these these attributes you know sometimes there's multiple spots to apply we can we can apply them at the group policy or we can apply them at the tunnel group or we can even apply some at the at the user level if we have local user accounts we can specify some of these policies within that particular user and so these attributes are applied by priority and then the more specific wins so if we have a conflicting attribute that's applied at a group policy and a user well the user policy is going to win so we can we can specify generic type policies but then also we can override that with user specific policies and we'll take a look at that later on with the with the demo so by default there is a default group policy which is shown there on the last bullet on the slide and that's that's installed and configured on every firewall by default and if you don't specifically call out a particular attribute within your group policy then the setting that's held within the default group policy would apply so if you're creating custom group policies to specify you know certain attributes for different connections you don't have to worry about applying every single attribute there's a lot of them in there and the ones that you don't specifically care about tweaking well the default is just going to be applied based 
off the default group policy so here we're talking about more specific wins again so if you have a a group policy that you've created and there's an attribute in there that you've configured but that also exists on the default group policy your user-defined group policy is going to win so the default group policy only gets applied case you don't configure these poll at these attributes and so it's a less of like a last attempt or left shot okay so Tunnel groups which Cisco is more or less calling connection profile as these days they'll see both and then it means the same thing but tell groups is where we actually call out this group policy and we say this particular tunnel group when users are connecting to it or when a VPN is connecting to it is gonna is gonna reference all the attributes are specified within the group policy so some of the things we configure within the tunnel group are addressed pools we have listed on the bullet here Triple A for how are we going to authenticate these users into the tunnel so going to be local authentication or authentication via ACS or tags or radius when we talk about the site to site VPN world or even easy VPN we specify the pre shared key in here if we're doing a phase one pre shared key authentication we specify that in our tunnel group and for the web VPN and anyconnect VPN world group alias and group URL are some options that will actually look at more detail later on but these are all things that are important to the actual connection itself these are these are options or attributes that are related to how is personally actually going to be connecting to the VPN here group policies are more after you connect what is going to happen Tunnel groups is what I'm what am I going to need to do in order to connect and we have some defaults here as well we have a default web group default are a group and a default land to land so web VPN group of course applies to web bpn and any connect RA can apply to the EZ VPN connections 
and L to L is for site to site so the same the same rule applies here that if you don't specify anything particularly and specifically within your tunnel group well based on the type of tunnel group you've created all the defaults will be inherited from the default groups and so it's important to to realize that these default groups are there and the best way to see them is if you're in your commits in your in your firewall you can do a show run all and that'll give you all of the default configurations including all these built-in groups tolerant groups and group policies so it's remember that show run all its handy for you know not only the real world to see what options are available but also for the lab exam if you're trying to figure out you know what a default is for a certain parameter then the show run all will give you that answer okay so as I talked about a couple minutes ago we also have the ability to set these attributes at the user level so once you configure your user another option will be available and you can see there at the top of the side the attribute so you first you create your user and then you can give that particular user or some specific attributes and so some of them are listed in here we have the VPN group policy where we can apply a specific group policy of this user we have a VPN tunnel protocol or against a spy apply you know specific tunnel protocols of this particular user will be able to use we can lock this user to a particular tunnel group so that they'll only be able to authenticate to a certain group with a service type which is important which we'll talk about in a couple slides service type of define if this user is able to administer the firewall or or if they're only able to connect this remote access user so things like this are real handy to have in case you want to have more generic type of a more specific type of configuration apply it to two particular users and not have to create you know new groups you can just 
create some specific attributes and apply it to the user itself so with that we'll go ahead and go into our first poll here let me throw it on the slide and then we'll have a look at some of the the answers here let me pull up the first poll and here we go give me about a minute or so to to come up with that and we'll look at the answer all right so that was about a minute there let me go ahead and close the poll and we'll have a look at the results here okay so we're talking about group policies and if we have conflicting attributes or attributes are applied at the group level and the user level which one's going to win so some of the answers in there could have been attractive especially that last one the user policy but only if you enable the group user command data command S doesn't actually exist and it's coming to see questions like that that you know you make you think well maybe that is a command it's out there but in the first for this particular question we're looking for B there the user policy because it's more specific so it's always going to be the rule of whichever attribute is supplied more specifically we'll win in this case user policy is about as specific as you can get and so that's gonna be the chosen attribute there all right let's go ahead and continue here okay so now let's go ahead and have a talk at our first technology web VPN are also called client lists SSL VPN so what is it gonna allow us to do is from any internet-connected machine as long as you have a browser of some kind and an internet connection you can actually establish a secure tunnel with your firewall and access internal resources based on that secure tunnel now all this is done through the browser so there's no clients or anything installed in the machine which is why it's called kylus it's all done based on browser connectivity and so the applications that you can access through the SSL VPN are typically web enabled applications okay use also some options for accessing 
internal email servers or file sharing servers through plugins you can access systems any TCP based system through a port forwarding or smart tunnel and we'll talk about some of those today but the main thing for web BP anisette it's it's totally Client List there's there's no software you need to install on that person's machine or for them to get connectivity to the to the corporate network so the thing to think about from the firewall perspective what is what is it doing on on behalf of the user here the user has a ssl connection established to the firewall but then what's happening at that point is as the user actually connected to the corporate network or are they routable on the network at that point well with the web VPN client list connection the answer is no that the the user is not actually connected or routable to the corporate network at that point what's happening is that the firewall is proxying all their requests of access to the end result to the end destination so if you're connected via SSL VPN and you want to access an internally hosted web server you're going to browse to that URL through the portal on your machine but the firewall is actually going to take that connection establish the connection to the back-end server on behalf of your behalf of the client and then rejoin that through the ssl tunnel so your machine the user's machine isn't actually connecting to the resources it's just connecting to the firewall and the firewall is proxying that acting as a proxy in the middle so some of the things to consider there is is as far as as far as SSL Certificates if you're connecting to something on the corporate network that uses a certificate the users browser isn't actually doing the certificate verification because all that's done between the proxying of the firewall and the and the web server so the firewall is the device that's doing the certificate verification and the client isn't actually getting involved that process there does third us 
talking pretty much to the firewall at this point so it's important to realtor to understand that you know the firewall may be validating the certificate but your users computer isn't and some things to think about there as well what if the certificates not valid or what if the certificate you know if I'm not trusting particular certificate authorities well the firewall doesn't do any certificate authority trusting it's just gonna look at the certificate the validity date range pretty much as long as it's valid it's going to accept it so if it's a if it's a certificate that's out of ring out of its validity date range then it's going to fail so things to keep in mind there that you typically if you were dealing with certificate that was expired you might get that nice little windows screen that s allows you to connect any way with the firewall with web VPN it's gonna drop that by default so we always want to be careful and brynn realize that so since all this is happening between the users browser and the firewall we want to make sure that we're supporting common SSL or TLS versions so if we're if we're dealing with the browser that we're only allowing SSL or TLS version 1 or 2 or SSL version 3 or whatever whatever have you just want to make sure that it's a it's a version of that SSL or TLS that we're gonna it's going to allow us to use all the technologies we want and we'll see an example of that when we talk about port forwarding that with port forwarding you have to use a certain type of negotiated TLS in order for that to actually work this go ahead move on to the Advanced Options here so as with any other technology there's always the basic stuff just to make it work just to get it on the network but we also have some advanced features here with web bpn and typically is with any other advanced feature it's about making the user experience better making it seem more of a technology that's attractive and when something they'd want to use so with web VPN we have 
the options called application access and this is applied via port forwarding and smart tunnels so with port forwarding we'll talk about that one first port forwarding allows you to access TCP based applications directly over the SSL VPN now you're still being proxied you're still being proxied at the firewall but the advantage here is that now you can you can use applications that aren't necessarily web based so for example we can maybe telnet or SSH but if we're if we're using our ssl VPN against the firewall but we want to be able to manage routers inside the corporate network we can use port forwarding to do that and what happens is as soon as you enable application access through port forwarding after you authenticate and establish your VPN the app the firewall will actually install a Java applet on the user's machine and what that applet is gonna do is open up local ports on that mom that machine itself so for example you can configure the firewall to say after you authenticate then port 2055 if you were to send traffic locally to that port that's going to be sent over the firewall over the VPN to the firewall and then proxy to the real destination so once you authenticate you'll either be automatically install act asked to install this applet or you can optionally have it be done on demand by clicking the application access button and we'll get to see this in action today but the thing about port at port forwarding is that for every single device that you want to remotely connect to you across the VPN you need to have a unique port forward statement configured for that so if you're if you're configuring if you if you want to have a lot of different access over this through port forwarding then you can start to get into a configuration nightmare with a million thousands of port forwarding statements also it requires some special user instruction now and rather than just launching their email client or a telnet client now they need to know to configure their 
client such a way that it will direct traffic to this dynamically created local port which will then be hijacked by the Java applet sent over the VPN it's a little more more of a burden on instruction to allow users to take advantage of the port forwarding it also requires administrative privileges so you need to have that type of privilege on the on the machine in order to in order to launch the art to accept that Java applet so this is why sometimes when you're dealing with port forwarding this Java applet is referred to as a thin client so client lists web VPNs what we've been talking about now when we add this Java applet it's called a thin client nothing's actually there's no applications that are actually installed it's just this Java applet that's launched and it's only there for the life of the tunnel but it's still called a thin client at this point so to take that a step further now there's the feature called smart tunnel which effectively replaces port forwarding in some cases but the the main advantage to smart tunnel is that rather than specifying a ton of different port forward statements we can say anytime this particular path is launched on the user's machine like in the last slide here anytime tell me XE is launched that traffic's gonna be hijacked and sent over the tunnel it's now instead of you know like I said having say if we had 50 routers we wanted to manage through our web BPM we'd have to have 54 port forward statements it's now instead of doing that we can configure a smart tunnel anytime we launch this particular application telnet exe that traffic's gonna be hijacked and sent over the tunnel so it makes it a little easier for for more of a broad type of access it doesn't require any administrator privileges and it's just it's more efficient now we don't have to have any type of special user instruction to say well when you're working from a hotel or from home and you're using your clients VPN need to make sure you connect on these ports 
but when you're in the office connect using these ports now that's just too confusing for for for people who are just trying to work remotely so this allows us to push these policies and anytime they launch a connection against a particular application that traffic will be sent over the tunnel that traffic is still being proxied here nothing is nothing is talking directly to the end of the end machine the end destination that's still being prompts you to the firewall but it's just being proxied in a way now that applications as a whole are being sent over the tunnel so it's kind of put this together now look at the configuration now as the house is configured so with web VPN we need to first go into the global web BPM mode and configure the interface which we expect to terminate connections on so in this case in config T we do our web BPM command and then we do our enable interface command which which actual interface is going to be terminating these tunnels inside outside whatever interface name you've used okay if we're doing port forwarding now we configure the actual port forward within web bpmconfig mode again this is global of VPN mode as we see down here there's another web bpn within group policy but right now we're just doing web pipian at the global level okay so we define our port forward give it a unique name and then we say on the machine that's connecting what is the localhost port that the Java applet is going to open up so we can specify any port number here typically want to use a non well-known port though to something that's you know do some funky port whatever and then when that traffic is hijacked and sent over the tunnel what am I going to translate that to the real destination and the real destination port so if you're a user and we wanted to tell that to a router we'd say you know localhost port 2050 or twenty thousand fifty maybe when that traffic is seen on port twenty thousand fifty the firewalls going to translate it maybe to the the 
real IP address of the router and then port 23 so we specify that almost like ice almost like a static statement here like a static Pat here or a static a port base stetic where we're specifying a before and after it's the same kind of idea here this is done through the port forwarding and then web BPM okay now when a user connects to the the portal page when you when you browse in your browser to HTTPS Cohen force that's force less than the IP address of the firewall you're gonna be presented with a login screen and if you have multiple tunnel groups configured you can be you can see a drop-down that has all the various tunnel groups available to you that drop-down doesn't appear until we do this tunnel group list enable command so the tunnel group list enable command will allow the drop-down to appear and now the user can select which particular tunnel group they want to connect to whether they want to connect me to an admin tunnel group or to a remote user or to a sales group when have you it's different every environment but tell them group listen able is what's gonna do that for us now that drop-down to appear okay so by default the firewall is gonna do local authentication so if we want to stick with that and do local authentication then we specify a username and password otherwise we could we can configure it to reference an external system such as Radiesse through ACS in this example here we're doing local so we configure a username and password on the firewall itself and we'll talk about this when we get into our config demo but these web type access lists is something that's unique to SSL VPN when you're do when you wanted to when you want to filter traffic through your site to site IPSec VPN you use a special access list that's bound to a VPN filter command through a group policy VPN filters aren't aren't an option with the VPN so we have to configure a special web type access list which is shown here with a special keyword web type that's going to allow 
us to filter traffic within the tunnels not maybe you'll be able to connect to the the service to the SSL VPN get a connection established but we only want to allow certain access maybe so we can do that through an access list here and what we'll look at some examples of this but the permit URL isn't sure to interesting because you can actually put the particular URL path in this command line here so permit URL HTTP Cisco comm maybe or or whatever website you want okay so now we configure our group policies here again these are attributes that are applied to the tunnel so the first thing to do is configure our group policy give it a name and and specify is it internal or external are these are these attributes going to be held locally on the firewall or are we going to house these attributes on an external system as soon as you do this command you're not going to be put into Group Policy mode you're going to be put into right back into config mode and now you can issue the attributes command to start putting your attributes in so sometimes it's easy to do the first command a group policy name and then internal and then start plugging in your your attributes but you're gonna get a bunch of errors because you're not in that mode yet so remember your first you're just defining it and then the second thing you go on and give the attributes now you're an attribute mode and you can figure everything that's related to your task in this case we're doing web bpn there's our tunnel protocol and now we can get into more web VPN type configuration here now notice that likewise I'll talk about in the very first the very first web pipian they're the same command web VPN but when you do it in the group policy you're gonna be put into web BPM group policy whereas if you did it in the beginning here in config mode that's you're just put into global web BPM mode the configuration options are totally in there but sometimes it's easy to get confused with it with the two spots of where 
web VPN is configured us remember that's one globally and one that's applied per group policy and they have different configuration and attributes in there okay so within web VPN group policy mode this is where we call out things like our filter access list we call out things like our port for word name so these are the options that these are things that have been configured earlier and now we're actually putting them into play by applying them in their web BP and group policy configuration mode just by configuring the port forward within the web VPN can global config mode doesn't actually apply anywhere same thing with the access this just by configuring an access list doesn't mean it's actually going to do anything need to apply it and these are applied through global through Group Policy web VPN mode now the last line here port forward Auto Start or enable means that after authentication that port forward application access will automatically start and the user will be presented with a Java applet or it's going to be manual so if we want it to be manual then we'll just say enable call out the name and then when the user authenticates and connects there's gonna be a gray button that says application access they click that and it starts it up manually so does just based on the task requirements or based on what you're trying to do in your production world it's a couple different options there they're just like anything else with with these all these advanced options we want to make sure that especially for the lab exam that we're configuring it per the task it's really important to remember that just because something is working doesn't mean you're gonna get full points for that in fact remember it's it's no it's all or nothing there's no partial credit for these questions so if you go through all this time configuring your web PPN and it's working and you must move on that's great that's working that's part one but part two is the direction following so if it 
said that the port forward application access should be manually enabled but you configured it for auto start even though it's everything is working you're not gonna get any points for that task it's might be really careful when you're reading these these tasks cuz sometimes there's a a lot of bullets in here a lot of a lot of things to configure if any one of those is misconfigured then you're not going to get points so it's just something that just something to consider there all right so the second half of our configuration now the tone group so we want to configure our tonal group in this case it's going to be a type remote-access so we're going to say you know this is a remote-access now the other option in there is site to site but this is a remote access VPN so we do that and the same thing is true with the group policy that we're just first defining our group policy oops Alice thing I lost my screen there first thing we're gonna do is configure our tunnel group okay and we're giving it a type just like with our group policy we set those internal and now we'll put now are put back in the global mode and now we can do our attributes so you need to first you're telling the firewall about it and then you're saying okay now that you know about it here's what I want to configure within that so you create it then you go into attributes mode within general attributes we're gonna call out our group policy so whatever group policy we just configured we call out that name okay so that's really all we're going to do in general attributes here within our web VPN attributes we have some customization here so we have a group alias command in a group URL command here these aren't required but what's gonna allow you to do is to customize these names to maybe something that you've got on your firewall that's not really user friendly but make it create a name that is user friendly so that when a user connects to the portal page they'll see a group name that would make sense 
to them so in this example maybe we have tunnel group name of Group 1 or higher security something like that that's good for us maybe the people who are administering the firewall and trying to keep things organized but when the user connects and sees a drop-down with Group 1 or high security in it they're not going to know necessarily what that means unless you've told them which one to connect to so with the group alias command we can say that we're going to say when the user sees this in the drop-down it's going to here as the custom name in that custom name is an alias of the tunnel group name so we can say the group alias would be sales or remote or admin or something like that something that's easier for the user to know what they want we can also specify a custom path within the URL itself so we can say that normally you'd connect to the HTTP and the IP address of the firewall but we can also add add a forged slash and a custom path here so maybe forward slash sales or forward slash remote teams like that and when when the user puts that custom path into their browser they're not going to see the drop down they're gonna be directed straight into this toun group which is referencing the group URL to a system customization they're not only important for the real world but real important for the lab exam to make sure we're configuring things exactly as a task requiring one of the important thing to note here about this custom path is that it's case sensitive and we'll see an example of that today where if you have all uppercase here but on your browser you type in lowercase in that custom path that's not going to work so it's it's case sensitive in this in this path statement so just because we're doing local authentication here we want to be careful because if we're also doing local authentication for administrative sessions into the firewall itself every single account that we've just configured for a web VPN access would also have the ability to configure 
the firewall itself, if we're doing local authentication. So we have the ability within user attributes to specify a service type, and what this is going to mean is, if we do a service-type remote-access, this particular user is only going to be able to access the firewall from a remote access perspective; they're not going to be able to manage the firewall in any way. So it's important to realize this service type is there, and the group lock as well, meaning that there may be 30 tunnel groups on this particular firewall, but this user is only going to be able to authenticate into this one particular group. So you can group-lock users into a particular group, limiting their access to the various groups that may be available to them. You don't want, maybe, a sales team or an engineering team to be able to authenticate into each other's tunnel groups, because they might have different levels of access, and so this gives us a way to segregate, if you need that type of segregation in your remote access solution.

All right, so now I'll throw out the second poll here before we get into AnyConnect; let me go ahead and throw that out and we'll have a look. Okay, so about a minute there; let me go ahead and close the poll and have a look at the answer here. Okay, so: when WebVPN is enabled on the ASA, does DTLS get enabled by default? We have some options here: yes and it uses TCP 443; yes but you have to designate a port; no; or yes and it uses UDP 443. The correct answer here is D, yes and it uses UDP port 443. DTLS is Datagram Transport Layer Security, and when you first do your WebVPN config from global mode you'll see a pop-up that says DTLS and TLS have been configured, so it actually listens for both at any given time. We'll talk about this a little bit more with AnyConnect, but the main advantage of DTLS is that it's UDP, and that aids performance, so if there are latency-sensitive applications like voice or video, DTLS is actually used by default with AnyConnect, and it can fail over to TLS on TCP port 443 if there's a problem with the UDP 443 DTLS session. We'll talk about that a little bit more in the upcoming slides, but yes, it is enabled, and it uses UDP 443 by default.

All right, let's go ahead and move into AnyConnect VPN here. Now, a lot of the things that we just talked about apply directly to AnyConnect: all the tunnel groups, the group policies, the WebVPN configuration, it's all the same thing here, except with AnyConnect we're introducing a new client. So a client is actually installed on the user's machine. For AnyConnect, it starts out just like a typical clientless WebVPN session, where any machine that's connected to the internet and has a browser can browse to the firewall; after authentication, a client would be pushed down to that connecting machine and would be installed automatically, and after the installation it'll reconnect with the client itself. So it's kind of a two-step process there: first we're just authenticating to the WebVPN service, we're telling the firewall that we're authenticating to a tunnel group that references the AnyConnect client, that client gets pushed down and installed, and then it reconnects using the client, and from that point on the user is on the network. So the big difference here is that not only is it client-based, but once you connect you're getting some attributes similar to Easy VPN's phase 1.5, where a user is getting an IP address that's routable on the corporate network; they're getting DNS settings, maybe they're getting WINS settings. So at this point the firewall isn't doing the proxying between the user's machine and the corporate resource, because now there's a client that's involved, and it's given an IP address that's routable, and the user directly connects to these end services without being proxied through the firewall. The client can be auto-downloaded, or the user can be prompted for that. So after
you authenticate to your particular tunnel group, the user can be prompted with the svc ask command, saying do you want to install this client or not. The default is to be auto-downloaded, but you can specify that we want to ask the user first. The client remains installed by default after the disconnect, and I put a star there, and the reason why I did that is because there's conflicting information within the documentation. If you look at the config guide for 8.0, it says that the client is uninstalled after the session is disconnected; if you look at the command lookup tool, it says that the client remains installed. So what I did recently: I did a show run all on the firewall in my rack here, and it says that the svc keep-installer is configured to remain. So maybe it's dependent on the version of firewall, ASA, you're running, but if you're questioning which one, if you're taking the lab exam and you're questioning that somewhere, you can do your show run all and you'll see all the options there in their default state, and you can see which one your firewall's configured for. Mine happened to be configured to keep the installer installed after disconnect.

So we talked a little bit about DTLS. With AnyConnect, as soon as you establish that AnyConnect connection there are going to be two different tunnels created, one with DTLS and one with SSL or TLS, and you'll actually see that in the firewall; we'll have a look at that today when we get to the demo, you'll see the two different connections there, and it'll favor the UDP-based DTLS connection first. You can configure it to fail over, so if there's some kind of problem with your DTLS connection: the firewall is going to be doing some dead peer detection between the client and the gateway, in this case the gateway is the firewall, so the client can poll the firewall and the firewall can poll the client, and if there's any problem then it'll fail over to just straight TLS. So we'll actually get to see the hit count increase and we'll see bytes being transferred; notice that it prefers the DTLS connection first, because it's a performance gain based on UDP, and if there's a problem with that it will fail over to TLS.

If your client or connected device is behind something that does a translation of some kind, which is going to be pretty much all the time, you're rarely going to be given a public IP address these days, so you'll be given an IP address from the site's internal network, and then when you actually form your VPN that's going to be translated at that site's edge into a public IP that's routable on the internet. The importance of this keepalive is that now you're kind of at the mercy of that translation table being current at the device that's translating you; if that goes away then your VPN's going to go down, maybe there's some kind of idle timeout or some kind of timer on that translation table. These keepalives are sent from the client towards the firewall, and say every so many seconds I'm going to send a keepalive packet, and that'll keep my translation table current, and hopefully will keep the translation table current enough for long enough for me to keep my connection established as long as I need it to. So keepalives are important for NAT-T, or NAT traversal, and optionally we can adjust the MTU, so if we're worried about overhead with all the headers being added on, the IP, UDP, DTLS headers, we can adjust the MTU to avoid fragmentation.

Let's have a look at some of this AnyConnect config. So just like with our clientless WebVPN configuration, we had to go into WebVPN global mode and configure some options here; remember we're just going to enable this on the interface that we're expecting connections to terminate on. Now if you already have this configured, maybe you have an environment where you're
doing AnyConnect VPN and clientless, you don't have to enable it twice, obviously; just remember that it's specific to the interface that's terminating, so if you have two interfaces in the firewall that are both terminating this, you want to make sure that both interfaces have this configured; otherwise you could terminate both on the same single interface and do this enable command once. The difference now with AnyConnect is we need to do some SVC settings, which is SSL VPN client. First we need to enable it, saying that this WebVPN configuration on this firewall is going to support SVC, and then we tell the firewall, when I want to push the client down to a particular connecting device, where does that image exist on myself? So you can do a dir on the firewall and you can say, okay, the path where this is locally installed on the firewall is in disk0, and you just specify that path with the svc image command. Now the firewall will know where am I going to find this package to push down to clients, and you can have multiple images in here: if you're doing, you know, Windows or Mac or whatever, you can have multiple images in here and assign an identifier, a unique number, to each one, and the firewall will attempt each one in that list until it finds one that works.

Now since we're doing IP address assignment here with this full client-based VPN, we specify a local pool, so that once users are connecting they're getting their more-or-less phase 1.5 information; it's going to give them an IP address that's routable on the network. This can be done locally, as we're doing here, or you can also specify a remote DHCP server, where the firewall acts as a relay and pulls an IP address from a DHCP server. Now again, since we're doing a client-based VPN, we can also do split tunneling, so after a connection maybe we only care about certain traffic being sent over the tunnel, and everything else would be able to go out the user's local default gateway. So anything
that we specify in this access list is going to be sent over the tunnel, so we're calling out destination IPs here: what IP addresses on the remote, on the corporate side of the network, do we care about encrypting or including in the tunnel? Anything else is going to match the deny any that's implicit after every access list and be sent out the local default gateway, and it won't be sent across the tunnel. So now we specify our group policy, internal or external, and then we specify attributes. In this case the tunnel protocol is going to be SVC, and then we can call out our split tunnel access list: it's tunnelspecified, and the value is going to be the name of the access list that we just configured above, and then we call out our address pool. We can also reference the address pool in the tunnel group, but a group policy is going to be applied to multiple tunnel groups, so we can specify this address pool within the group policy or within the tunnel group. Now finally we get to our WebVPN configuration here; again this is WebVPN that's within group policy, not within global, and these options are totally different than what we just saw above with the global WebVPN configuration, and all these are optional here. These list the things that we talked about in the last slide: svc ask is going to ask the user if they want to uninstall the client or not; keep-installer none means that after the client disconnects the installer will be uninstalled, that client will be uninstalled; DPD, for dead peer detection, after how many seconds is the gateway going to poll the client, how many seconds is the client going to poll the gateway, remember the gateway is the firewall; the keepalive for NAT traversal, every 60 seconds the client will send a keepalive to the firewall to keep that local translation table built; and then we can tweak the MTU as well here. All this is applied per group policy, so you can have multiple group policies applied to different tunnel groups
and that will then give you the customization, so you can configure any policy you want based on what type of users you're expecting to connect. The tunnel group is still going to be remote-access; that hasn't changed, there's nothing special to do there. Just like with WebVPN, we're going to call out our group policy within our tunnel group general attributes, and then if we want to we can specify aliases with AnyConnect as well, and that's always done within webvpn-attributes. And just like with clientless, we have our username commands with user attributes if you want to apply a group lock or service type as well. So a lot of these options are the same as what we saw with clientless; just the big things to remember are those SVC commands, but the same flow is there: you're always going to configure global WebVPN mode, you're always going to configure a group policy, and then you're always going to reference that group policy in a tunnel group, and if you want to have customization with the group URL or alias you can do that within the tunnel group WebVPN configuration. So, learning that: you know, this is kind of a common theme with any VPN; it's important not just with WebVPN or SSL VPN but also with site-to-site VPN, Easy VPN; they're all going to use this group policy and tunnel group type of configuration.

So some commands we'll actually look at when we get to the demo here in a second, some verification commands that are good: show vpn-sessiondb will allow you to see the currently connected VPNs, so what WebVPNs or what SVC AnyConnect VPNs are connected at this point, and it'll give you some interesting information in there; we'll look at it when we test in a minute. show conn all is important to see the connections that are not only traveling through the firewall but also to and from the firewall, so when we're talking about clientless WebVPN, where the firewall is proxying all these connections for us, if we do a
show conn we're not going to see anything; we have to do a show conn all, and that will allow us to see the connections that are being proxied, and we'll get to see that as well today. show log and show access-list are always important too, to see hit counts and anything that's happening in the logs there.

All right, so let's go ahead; I'm going to throw my last poll here, and while we're doing that I'm going to go ahead and boot up the rack here, and we'll have a look at the configuration and see the stuff in action. So let me throw out the last poll; I'll get that ready to go. Okay, so true or false: there's a special ASA command that allows you to see general config steps for VPN technologies. Now this is actually true; there's a command you can do within config mode called vpn setup, and we'll look at that in a second here. You do vpn setup, specify what type of VPN you're trying to configure, issue the steps command, and then it'll give you a general idea of what to configure. It's not a script of any kind, it doesn't actually configure anything for you, but it gives you the general framework of what's required to configure particular types of VPN. So we'll have a look at that here when I hop into the rack. All right, let me go ahead and get in there.

Okay, so before we get into the demo here I was going to go and show that VPN command. So you've got to go into config t, vpn setup, and look at the options we have in here: we have IPsec remote access, L2TP, site-to-site, and SSL remote access. So if we do a vpn setup ssl steps, you see it gives you the steps, one through so many here, on what you should look for for your configuration, not only from the VPN perspective but also from the basic stuff: your interfaces, your routes, you know, things like that you're also going to need for a VPN to work. So it's kind of handy just for double-checking yourself. So if we look at the vpn setup site-to-site steps, same thing here, site-to-site VPN, you know, phase 1, phase 2,
access lists, all good stuff, and here it is too, for easy reference. Okay, so I have a little cheat sheet here just to save time with typing, but we'll talk about each of these commands before I plug it into the firewall. But what we're going to do, let me first show the picture. Okay, so we have a pretty basic network here; we have the firewall in the middle, and this is again, you know, just for demonstration purposes to see the technology. What we're going to do first is from the ACS server we're going to create a clientless SSL VPN, WebVPN, to the firewall's inside interface, and we're going to do some port forwarding, so after that connection is established the ACS server should be able to administer R2, so we should be able to telnet to R2 and get a prompt there. Then we'll go into AnyConnect: using the test PC in VLAN 2 we'll connect to the outside interface of the firewall, launch the client, install the client, and at that point we should be able to ping R1, or telnet to R1, and we shouldn't be proxied through the firewall, and we'll look at some show commands as we go through this.

So let's start with the WebVPN here, clientless. Okay, so since this is the inside, we're going to enable on the inside interface, and for our port forward, with a name of R2 just because that's related to what we're trying to do, the local port is going to be 2023 and the destination IP and port is going to be 22.1.2.2 port 23. Okay, so we're going to connect to R2, 22.1.2.2, and it's going to hit port 23 on that service. Okay, tunnel-group-list enable, again that's going to allow us to see a drop-down of all the tunnel groups that are available; we're only going to have one at this point, so it's not going to show anything other than that one, but when we get to AnyConnect we'll have two groups and we'll see the drop-down difference there. We have a local username named webvpn, password cisco, and then our webtype access list here: we're going to say that this particular user will be able to authenticate and connect with a clientless VPN, SSL VPN, but we're only going to allow telnet to our port forward destination, and we're only going to allow HTTP to our R2 web service. So it's just showing an example of limiting what type of access the particular user has here. Okay, so then we create our group policy; again we're just creating it here, and then we give it our attributes: it's going to be type WebVPN, and we're going to call out our filter and our port forward statement, in this case as an auto-start, so as soon as we establish that connection it should launch the application access and we'll be able to start administering R2 via the SSL port forward. Okay, now we create our tunnel group; we're going to name it group1, it's a remote-access type; configure our general attributes, which is where we always call out our group policy, which is called webvpn; and we're going to create some webvpn-attributes for some customization. So the group alias for group1 is going to be ADMIN, all capitals, so when we connect and see the drop-down we shouldn't see group1, we should see ADMIN in the drop-down, and we can alternately connect to this path here, /admin, and that will direct us directly to this tunnel group without having to select anything from a drop-down. Now since we're also doing local authentication for administering the firewall, we're going to do a service-type remote-access so that this particular username, webvpn, won't be able to administer the firewall; they're only going to be able to access the firewall from the remote access standpoint, and we're going to lock this user to group1, so in our next example, when we configure AnyConnect, this user shouldn't be able to authenticate into the AnyConnect group; it's locked to this group only. And as with any firewall, you should always turn on logging, which is just to give yourself more eyes into troubleshooting and watching things happen there. Let me go ahead and copy this and I'll plug it in. Okay, now notice, as soon as I did this, here's the
informational message saying WebVPN and DTLS are enabled on inside, so it's already ready to go for both there, and we'll see a better example of that in AnyConnect, where it uses both by default. Okay, so let's go ahead and hop into the ACS server here, open up a browser. Okay, 192.168.2.10; we should get the security alert for the certificate not being good, and that's fine. And so here's our portal page; we have our drop-down list with nothing in it right now, just the one group is all we have configured, so that's fine, and notice the ADMIN, so it's used the customization there; it's not using group1. Okay, now we also configured the group URL, so if we do a /admin, the same thing appears; there it goes. So notice the drop-down is now gone, because we've specified a particular path in that URL that's calling out a tunnel group, and so we don't have to choose anything from a drop-down here. So now notice if I do a /admin but with a capital, it's case sensitive, so that's not going to work; whatever you've used in your group URL has to match the same case that you're using from the browser, otherwise you're going to get this error. Okay, let's go ahead and authenticate and see the application access work here. Okay, so webvpn, cisco. So here's the portal page now, and to the left, this is the application access kicking off here, so we get a pop-up to trust the content in the Java; click Yes on that, and then we'll be presented with our application access here, and it even gives you some configuration that can tell you what is available to you: so we have a name, R2, locally; if we send any traffic to port 20023 it should end up at the remote IP 22.1.2.2 port 23. So let's go ahead and launch a command prompt and we'll telnet to localhost, 127.0.0.1, port 20023, and there we are; now we're at R2 through the VPN. Okay, so we didn't
actually talk to the R2 address itself; we talked to localhost, we're telnetting to our local IP address here, and we've ended up at R2. So now at the firewall let's have a look at some show commands to see how all this is playing out. So show vpn-sessiondb webvpn: here's the connecting user, username webvpn; it's a clientless port forward, which we have configured, okay, using RC4 encryption; the group policy that's applied is called webvpn, okay; the tunnel group is called group1. So we can verify that yes, it's working, but is it working per the task? So this is a place to check yourself: am I connecting to the group I want to be connecting to, is it using the appropriate type of connection, is the username correct, and the syntax? So it's a way to check yourself again here. So now if we do our show conn, though, there's nothing in there; show conn doesn't tell us anything about traffic destined to or from the firewall, only traffic through the firewall, and since we're proxying everything here we need to do a show conn all, and now we'll see the different stuff in here: we have first the SSL VPN itself, you know, that's established, and then at the last line here, here's the actual port forward; there's the connection that says from the firewall, which is 22.1.2.10, I'm connecting on behalf of the user to R2 port 23, and we see some bytes being transferred there. Okay, so that's the way to verify that your port forwarding and everything is working: show conn doesn't tell you about this, you have to do show conn all in order to see traffic that's destined to or from the firewall. All right, let's go ahead and close this down and then we'll look at the AnyConnect. Log out, close that. Let me get into... now, if you try to do an AnyConnect connection through RDP, you get an error message saying that it's not supported with RDP, so you have to VNC into a device in order to test AnyConnect, so let's keep that in mind when you're
testing yourselves. So let's look at the configuration here first; we'll plug it in. So AnyConnect now: the same thing here that we talked about, we have to enable WebVPN; in this case, since we're expecting AnyConnect connections to terminate on the outside interface, we want to specify outside, so we're enabling it on the outside, and then we want to call out the two SVC commands, one to enable it and one for where does this exist on the firewall. So if you look at the firewall, do a dir, here it is right here, here's our package, so disk0 and then the name of this AnyConnect path is what we're going to specify; this is what we have here in our config script. We create our pool: what IP are we going to assign to this connecting user? In this case we're going to assign them something between 22.1.1.100 and 150, and the important thing here is that that subnet needs to be routable. So if you expect the reply traffic to get back from the ultimate destination, that destination needs to know, when I want to reply to this connecting address, where am I going to route that to? So maybe you're doing reverse route injection, or you have some static routes configured; we need to make sure that your pool is routable and that the reply traffic knows where to go. We can specify a split tunnel access list; again, it's a standard access list that defines destinations: what destinations do we care about requiring encryption through the tunnel? Anything that's not specified here is going to match the deny any and be sent out the user's local default gateway. We're going to create a new group policy called anycon, okay, it's internal, and then we give it attributes: SVC is the protocol, call out our split tunnel access list, and then we call out our address pool, so address-pools value anypool. We'll go ahead and create a tunnel group called group2, since group1 was already in use; it's still type remote-access, and that encompasses, you know, a lot of things there: SSL clientless, AnyConnect, Easy
VPN, all these are encompassed by a remote-access type group. Let me give it some general attributes; as always we're going to call out our group policy, and then we configure our webvpn-attributes; in this case we're going to give it an alias of remote, so now in the drop-down we should see ADMIN and remote, because those are the two aliases we've configured; we're not doing any URL customization here, we're just going to stick with the normal IP address for the URL. Now again, since default authentication is local, we're going to stick with that; create a local account, lock this account to group2, and it's a remote-access type as well. So now we can actually do some testing with this group lock: what we'll do is launch the browser to associate with group2, but the webvpn user shouldn't be able to authenticate to that, but anycon should. So let's go ahead and paste this in, give it a shot. Now notice again, when we enabled WebVPN on the outside interface we got the same informational error, I'm sorry, informational message, that WebVPN and DTLS are both enabled. Okay, so now if we hop into our ACS here; let's say before we get into that, let's have a look at the group lock. So from this machine we do our https://192.168.2.10; now since we're accessing the inside interface and we're referencing the ADMIN group, we should not be able to authenticate with the anycon user account, because he's locked to group2. So if we try anycon with ADMIN it should fail, which is what we want to see, so that user is locked to one group and can't authenticate to the ADMIN group. So now if we go to our VNC here and do the same thing; now we're connected to the outside interface of the firewall, so we want to reference the outside IP address in our browser. So the same portal page, the same options are available to us here; if we go to the remote group and try to log in as webvpn, it should fail, okay, which it does; he's locked to
group1. So let's go ahead and try the real one here: anycon, cisco, and the remote group. Now this should pop up with a VPN client installation, ask us to accept the unknown certificate, which is fine, and now it's going to install the client, and after it installs it, it's going to launch the client and connect to the VPN all in one go here. So as the user we don't have to do this twice, because it's kind of happening twice here: first it accesses the firewall to get the client, and then it's going to access the firewall again with the client, but since we've already specified the group, and the group name we want to connect to, the VPN client's going to remember that and go ahead and establish that connection for us. So now we're done; we can go ahead and close our browser and double-click on our VPN client. So here it says we're connected; we were given an IP address of .100, which is what we'd expect from our pool; the server we're connecting to, or the firewall, the gateway, is .10, which is good. Okay, so let's click on Details real quick and see if we see anything else: we are doing split tunneling, and here is some traffic being sent and received, using AES-128, DTLS for our protocol, which is the default. Okay, let's go ahead and have a look at some testing here; let's close this. So now that we have an IP address that's routable on the network, we should be able to just ping stuff on the other side without being proxied through the firewall. So we're pinging R1, 12.1, and there's our reply. So now again, since we're not being proxied, this traffic should show up in a normal show conn, so if we just telnet to R1 now, if we do a show conn, we should see this in there, and there it is: there's our port 23 connection between our unique IP address, which is assigned to us through the VPN, and the ultimate destination here, port 23. Now if we do a show conn all we'll see the DTLS and the TLS
connections here; so here's the UDP, on the very far left it says UDP, that's how you know that that's the DTLS one, port 443, and that's where all the bytes are being transferred here. Now the TCP side, the standard TLS connection, right at the very bottom, is also there, and there's just more or less control traffic being sent across that, which is why there are some bytes incrementing there, but the majority of the traffic, our traffic, is going to be going over that DTLS tunnel until it goes down. Now if you didn't configure your dead peer detection, it's not going to auto-failover to the TLS connection, so you need to configure the dead peer detection if you want that failover to occur. Okay, so let's do another show command, our show vpn-sessiondb svc, and here's the same stuff we saw before, analysis related to our AnyConnect connections: our username anycon, the IP address that we were assigned, this is a DTLS tunnel, it starts out clientless but we're using the client now, SSL VPN, you know, RC4 encryption, AES-128, the group policy, the tunnel group, all things that are good to verify that you're connecting per the task, because it's really easy to get excited when something works in the lab, and then later you fail and wonder how could I have failed when everything was working. Well, two parts to the exam, remember: part one is, is it working; part two is, is it working per the task. It's real easy to lose points by overlooking something, and that's why it's real important to do as much verification as you can, to verify that yes, it's working, and it's working per the task. All right, so we're still connected here and everything's happy with our AnyConnect. Okay, let me bring the slides back up here. So that was the end of the config demo here; before we go into the Q&A I'm going to turn it over to Jerry real quick here; he's part of our sales team and he has a couple quick things to say there for us. So Jerry, if you're on the line, it's unmuted
for you. Great, thanks Tim. Just wanted to make a couple of announcements here for those of you who are interested in CCIE Security training with Tim. We do have a special for 1995; it includes all your self-study materials, including the CCIE Security technology lab workbook, which has a series of technology-based workbooks to help build the lab one technology at a time, and ten CCIE advanced labs in our advanced lab workbook, which are eight-hour simulations replete with step-by-step walkthroughs and solution guides as well. It's not noted there, but there are 25 sessions of rack time, 200 hours of rack time, for you, as well as our video on demand series, the series of lectures that we did at the CCIE level; we saved the lecture portions and omitted the Q&A sessions. For those of you who aren't already signed up, go to www.[unclear].com; it's a great way to interact with other security students and with your security instructors as well. Some upcoming events: the advanced lab boot camp and the mock lab boot camps are coming to Nevada, September 12 to September 16 for advanced lab, and the week after, mock lab, is 9/19 to 9/23. In both instances students should be capable of working through a lab from end to end. In advanced lab mentoring it's much more active participation from the instructor in terms of going over technologies, verifying techniques, everything from end to end on the eight-hour lab, and the mock lab boot camp is a simulation: we're going to mimic the lab exam environment and give you an opportunity to gauge whether you are ready for the lab exam itself. For those of you who are still working on your security written exam, we do have a boot camp scheduled for August 1st to August 5th; we still need about three more students; that's going to be in Seattle, Washington, and I believe Tim is the instructor for that boot camp as well. If you have any further questions, feel free to email it to me; my
email address is on the slide, it's jerry at ccbootcamp dot com. For those of you who were only able to view or listen to a part of this demonstration, starting tomorrow we will have access to the video; the recording will be available for about one week; feel free to email me, jerry at ccbootcamp dot com, and I will get the link over to you as soon as it's available. Thanks so much, Tim.

All right, thanks a lot, Jerry. So let me pull up the Q&A here and see what questions we might have. So the first question: is it necessary to understand ASDM as well as the command-line methods to configure this for the ASA test for CCNP Security? So for CCIE Security, you don't have any access to ASDM in the lab, so it's totally command line. For CCNP Security, I know that they do have some questions on ASDM, but I wouldn't expect to be required to know the ASDM version of that; I'll do a little bit of research on that for you there and get back to you, but I wouldn't expect to only be able to configure something with just ASDM, I think you'd have the option to do either or. It certainly is helpful to know where things are within ASDM, because typically if you find the section that's related to VPN within ASDM you can pretty much find where the options are to click on and find it, but let me get back to you on the more specifics of that. There's a question regarding URL lists: yeah, anything that's required to be configured through ASDM, you won't be able to have access to that on the lab exam, so you won't be able to do that, so anything related to the URL list or portal customization and things like that that you really can only configure through ASDM, you're not going to have that as an option to you, so you can't configure it in the lab. Okay, so again, the real important things to remember for the lab exam: we want to make sure that, you know, not only is it working but is it working per the task, and that's where a lot of people can lose points
real easily, because there's no partial credit; you know, "it's working, so we'll give them three points because it's working, but you're losing all points because you forgot this command", you know, it's not the case, unfortunately. So that's why, you know, when you're done with your lab, reboot everything, go back through the lab, reading it, make sure everything is okay, and then, you know, look for parts one and two. There's a question about XML; you're talking about like dynamic access profiles, or I'm not sure what, with XML as far as editing and importing into the firewall; I wouldn't expect any of that on the lab, using any kind of XML editor or anything like that. Okay, well then, that was it for the questions there; any other questions? Okay, well, I appreciate everybody joining today. SSL VPN is a hot topic for the lab exam and also the real world, so I'd be, you know, pretty comfortable with it and pretty familiar with it. So I appreciate you all joining, and let me know through email any questions you might have; let us know and we'll be happy to have a look at that. So thanks for joining, and have a good rest of the day.
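The AnyConnect (SVC) configuration that the demo walks through, written out as one pasteable ASA snippet. This is an added example, not Tim's cheat sheet from the webinar; the interface name, pool range, split-tunnel network, access-list, group-policy, tunnel-group and username values, the package filename and the timer values are constructed placeholders, and the command set is the pre-8.4 "svc" syntax the presentation uses. It follows the order the talk insists on (global webvpn, then group-policy, then tunnel-group that references the policy), and it includes the optional per-group-policy webvpn settings (ask, keep-installer, DPD, NAT-T keepalive, MTU) and the user-level service-type and group-lock that keep the VPN account off the management plane and out of other tunnel groups.

```cisco
! --- Global WebVPN: listen on the terminating interface and register the client package ---
! (enabling on the interface turns on both TLS tcp/443 and DTLS udp/443)
webvpn
 enable outside
 svc image disk0:/anyconnect-win-EXAMPLE.pkg 1
 svc enable
 tunnel-group-list enable
!
! --- Address pool handed to clients (constructed range; it must be routable inside, e.g. via RRI or a static route) ---
ip local pool ANYPOOL 192.0.2.100-192.0.2.150 mask 255.255.255.0
!
! --- Split-tunnel ACL: only these corporate destinations go through the tunnel; ---
! --- everything else hits the implicit deny and leaves via the client's local default gateway ---
access-list SPLIT standard permit 198.51.100.0 255.255.255.0
!
! --- Group policy: protocol, split tunneling, pool, and the optional client-side knobs ---
group-policy ANYCON internal
group-policy ANYCON attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 address-pools value ANYPOOL
 webvpn
  svc ask enable
  svc keep-installer installed
  svc dpd-interval gateway 30
  svc dpd-interval client 30
  svc keepalive 60
  svc mtu 1300
!
! --- Tunnel group: remote-access type, references the policy, exposes an alias in the portal drop-down ---
tunnel-group GROUP2 type remote-access
tunnel-group GROUP2 general-attributes
 default-group-policy ANYCON
tunnel-group GROUP2 webvpn-attributes
 group-alias remote enable
!
! --- Local user: VPN-only (cannot manage the ASA) and locked to this one tunnel group ---
username anycon password EXAMPLE-PASSWORD
username anycon attributes
 service-type remote-access
 group-lock value GROUP2
!
logging enable
```

Verification follows the talk: `show vpn-sessiondb svc` should list the user, the assigned pool address, the group policy ANYCON and tunnel group GROUP2 with a DTLS tunnel; `show conn all` shows the udp/443 DTLS and tcp/443 TLS flows to the ASA itself, which plain `show conn` omits; and `show run all group-policy ANYCON` prints the effective defaults (including the svc keep-installer setting) for the ASA version actually running, which is the check to use when documentation disagrees.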
Info
Channel: ccietraining
Views: 7,879
Keywords: CCBOOTCAMP, Webinar, Cisco, ASA, SSL, VPN, Security, CCIE, Training, CCNP, CCNA, Network, certification, ipexpert, internetwork, expert
Id: KJYwhPWYzHQ
Length: 75min 1sec (4501 seconds)
Published: Thu Aug 11 2011