Configure Advanced ASDM

Objects in ASDM

To configure a network object or a network object group in ASDM, click Configuration > Firewall > Objects > Network Objects/Groups. This opens the Network Object/Groups page. From this window, the administrator can add, edit, or delete a network object or a network object group.

To configure service objects, service object groups, ICMP object groups, or protocol object groups, click Configuration > Firewall > Objects > Service Objects/Groups. This opens the Service Object/Groups page. From this window, the administrator can add, edit, or delete service objects or service object groups, ICMP object groups, and protocol object groups.

Configuring ACLs Using ASDM

In ASDM, ACLs are referred to as access rules and can be created and maintained using the Access Rules page. To open the page, click Configuration > Firewall > Access Rules. Administrators can view existing rules and add, edit, or delete rules. These options are also available by right-clicking a particular rule.

Other tools are available to simplify the process of rule management. In-pane editing is available for specific components of each rule, for instance changing the source or destination IP addresses or ports on each line, without having to enter the rule edit options. Rules can also be moved up or down, copied and cloned, or temporarily disabled and re-enabled.

A useful tool is the Diagram menu option. When clicked, it displays a window at the bottom of the rule set that shows a visual representation of the selected rule, which helps in understanding and troubleshooting specific rules.

Configuring Dynamic NAT in ASDM

Dynamic NAT is configured in ASDM by creating two network objects: one that identifies the range of usable public IP addresses and another that binds the inside addresses to the outside addresses.

To configure Dynamic NAT, click Configuration > Firewall > Objects > Network Objects/Groups and then click Add > Network Object to display the Add Network Object window.

The second network object identifies the inside addresses and the method of NAT translation. Initially, the NAT section is hidden when creating the network object. Click NAT to expand the section and continue. Click OK and apply the changes.

Configuring Dynamic PAT in ASDM

Dynamic PAT is configured in ASDM by creating a network object that binds inside addresses to the outside interface.

To configure Dynamic PAT, click Configuration > Firewall > Objects > Network Objects/Groups and then click Add > Network Object to display the Add Network Object window. Initially, the NAT section is hidden when creating the network object. Click NAT to expand the section and continue.

Click OK and apply the changes.

Configuring Static NAT in ASDM

Static NAT enables an inside server to be accessed by outside hosts. It is configured in ASDM by creating a network object binding an inside address to an outside address.

To configure Static NAT in ASDM, click Configuration > Firewall > Objects > Network Objects/Groups and then click Add > Network Object. This opens the Add Network Object page.

Click Advanced … to identify the source and destination interfaces. Click OK and apply the changes.

Configuring AAA Authentication

These are the steps to enable AAA on an ASA:

Step 1. Configure local AAA user accounts to the local database.

Step 2. Create an AAA server group.

Step 3. Add servers to the server group.

Step 4. Configure AAA authentication.

To create the local database entries, click Configuration > Device Management > Users/AAA > User Accounts. To add a user, click Add and complete the Add User Account window.

To create the AAA server groups, click Configuration > Device Management > Users/AAA > AAA Server Groups. To add a server group, click Add on the right side of the AAA Server Groups page to open the Add AAA Server Group window.

To add the AAA servers to the server groups, click Configuration > Device Management > Users/AAA > AAA Server Groups. To add a server to a specific Server Group, select a server in the AAA Server Group window and then click Add on the right side of the Servers in the Selected Group window. Complete the Add AAA Server window.

To bind the authentication with the AAA Server Groups and local database, click Configuration > Device Management > Users/AAA > AAA Access. From this page, an administrator can configure AAA for enable, HTTP, Serial, SSH, and Telnet access. AAA queries the RADIUS-Servers group first. If it is unavailable, AAA then queries the local database.

Configuring a Service Policy Using ASDM

To view, add, edit, and delete service policies, click Configuration > Firewall > Service Policy Rules to open the Service Policy Rules page.

To add a service policy, click Add to open the Add Service Policy Rule Wizard. In this window, identify where the service policy will be applied. Click Next to open the Traffic Classification Criteria window, to identify the traffic to match. Click Next to open the Rule Actions window, to identify the specifics of the service policy.

ASA support for site-to-site VPNs

Like the ISR, the ASA supports Virtual Private Networks (VPNs) by creating a secure connection across a TCP/IP network (such as the Internet) to provide a private connection:

  • Site-to-Site VPNs – Create a secure LAN-to-LAN connection.
  • Remote Access VPNs – Create a secure single-user-to-LAN connection.

These are the four ASDM VPN wizards described in this section:

  • Site-to-Site VPN Wizard
  • AnyConnect VPN Wizard
  • Clientless SSL VPN Wizard
  • IPsec (IKEv1) Remote Access VPN Wizard

Use the wizard to complete the site-to-site VPN implementation as follows.

Step 1. Launch the Site-to-Site VPN wizard.

From the menu bar, click Wizards > VPN Wizards > Site-to-Site VPN Wizard. The VPN wizard Introduction window is displayed. Click Next to continue.

Step 2. Identify the peer device in the Peer Device Identification window. Enter the reachable IP address of the peer.

Step 3. Identify interesting traffic in the Traffic to Protect window.

This step allows the administrator to identify the local network and remote network. Traffic between these networks is protected using IPsec encryption. Click Next to continue.

Step 4. Secure the selected traffic in the Security window.

This window provides two security options:

  • Simple Configuration – Uses a pre-shared key to authenticate with the identified peer. It selects common IKE and ISAKMP security parameters to establish the tunnel.
  • Customized Configuration – Uses either a pre-shared key or a digital certificate to authenticate with the identified peer. The IKE and ISAKMP security parameters can also be selected individually.

Click Next to continue.

Step 5. Determine whether NAT should be exempted in the NAT Exempt window.

Typically the NAT exemption should be selected. Remote VPN clients that attempt to reach inside hosts by sending data to their real IP addresses cannot connect to these hosts unless the NAT exemption rule is selected.

Click Next to continue.

Step 6. Verify and commit the configuration.

The summary page is displayed next. Verify that the information configured in the Site-to-Site VPN wizard is correct. Use Back to alter any of the configuration parameters.

Click Finish to finish the wizard and deliver the commands to the ASA.

To verify and edit the site-to-site VPN configuration, click Configuration > Site-to-Site VPN > Connection Profiles.

The VPN can be monitored by clicking Monitoring > VPN > Sessions.


Remote access VPN

IPsec vs SSL

Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL) are the two primary remote-access VPN technologies.

SSL VPNs are capable of “anywhere” connectivity from company-managed desktops, employee-owned PCs, contractor or business partner desktops, Internet kiosks, and smart handheld devices.

SSL is mostly used to protect HTTP traffic (HTTPS), and email protocols such as IMAP and POP3. For example, HTTPS is actually HTTP using an SSL tunnel. The SSL connection is first established, and then HTTP data is exchanged over the connection.

This chapter uses the term SSL. However, when a client negotiates an SSL VPN connection with the ASA, it actually connects using Transport Layer Security (TLS), and optionally, Datagram Transport Layer Security (DTLS). TLS is the newer version of SSL and is sometimes expressed as SSL/TLS. DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays. SSL/TLS sessions are established in a four-phase process:

Phase 1. The client and server negotiate authentication, encryption, and key exchange settings.

Phase 2. The server sends its certificate to the client.

Phase 3. The client sends its certificate to the server. A session key is calculated and the encryption algorithms are activated.

Phase 4. Data transfer begins with exchange of session keys. The server sends a session ID to the client, which allows the server to track the session and quickly resume.

Compare IPsec and SSL

  • Applications supported – IPsec: Extensive; all IP-based applications are supported. SSL: Limited; only web-based applications and file sharing are supported.
  • Authentication strength – IPsec: Strong; uses two-way authentication with shared keys or digital certificates. SSL: Moderate; uses one-way or two-way authentication.
  • Encryption strength – IPsec: Strong; key lengths from 56 to 256 bits. SSL: Moderate to strong; key lengths from 40 to 256 bits.
  • Connection complexity – IPsec: Medium; requires a VPN client pre-installed on the host. SSL: Low; requires only a web browser on the host.
  • Connection options – IPsec: Limited; only specific devices with specific configurations can connect. SSL: Extensive; any device with a web browser can connect.

It is important to understand that IPsec and SSL VPNs are not mutually exclusive. Instead, they are complementary; both technologies solve different problems, and an organization may implement IPsec, SSL, or both, depending on the needs of its telecommuters.

Note: The focus of this section is on the ASA SSL VPNs.

The ASA provides three types of remote access VPN solutions which can be configured using one of the remote-access VPN wizards:

  • AnyConnect VPN Wizard
  • Clientless SSL VPN Wizard
  • IPsec (IKEv1) Remote Access VPN Wizard

IKEv1 is implemented when connecting to older VPN clients such as the Cisco VPN Client. With IKEv1, only one encryption and authentication type can be configured per security policy.

IKEv2 is implemented for newer VPN clients such as the Cisco AnyConnect Secure Mobility Client. With IKEv2, it is possible to configure multiple encryption and authentication types, and multiple integrity algorithms for a single policy.

The focus of this section is on clientless and client-based SSL remote access VPN connections.

Clientless SSL VPN Solution

The clientless SSL VPN deployment model enables corporations to have the additional flexibility of providing access to corporate resources even when the remote device is not corporately managed. It lets users establish a secure, remote-access VPN tunnel to the ASA using a web browser.

Note: VPN client software does not need to be installed on the remote host.

In this deployment model, the Cisco ASA is used as a proxy device to network resources and provides a web portal interface for remote devices to navigate the network using port-forwarding capabilities. The remote device system requires a supported web browser with built-in SSL functionality to access the SSL VPN network.

Although easier to deploy and more flexible than client-based SSL VPNs, clientless SSL VPNs provide only limited network application or resource access and include additional security risks when using non-corporate managed clients.

Client-Based SSL VPN Solution

The client-based SSL VPN solution provides a full tunnel SSL VPN connection but requires a VPN client application to be installed on the remote host.

The client-based SSL VPN deployment model provides authenticated users with LAN-like, full network access to corporate resources, such as Microsoft Outlook, Cisco Unified Personal Communicator, Telnet, Secure Shell (SSH), and X-Windows. However, the remote devices require a client application, such as the Cisco AnyConnect Secure Mobility Client, to be pre-installed on the end user device.

A full tunnel SSL VPN requires more planning for network deployment due to the fact that a client must be installed on the remote systems. The VPN client can be manually pre-installed on a host, or it can be downloaded as needed by initially establishing a clientless SSL VPN.

Client-based SSL VPN supports a wider variety of applications, but it does present additional operational challenges in downloading and maintaining the client software on remote hosts. Most SSL VPN clients require administrator privileges to install.

Cisco AnyConnect Secure Mobility client

Client-based SSL VPN requires a client, such as the Cisco AnyConnect Secure Mobility Client, to be pre-installed on the host. The AnyConnect client can be manually installed on the host, or downloaded on demand from the ASA to a host via a browser.

When the AnyConnect client is pre-installed on the host, the VPN connection can be initiated by starting the application.

The user can then select the VPN server to connect to (for example, San Jose) from the drop-down list and then click Connect. AnyConnect then prompts the user for their username and password. After the username and password are entered, the user clicks OK. If successful, AnyConnect confirms that the connection was established. Clicking the settings icon in the bottom left of the window displays the connection statistics.

You can configure AnyConnect to establish a VPN session automatically after the user logs in to a computer. The VPN session remains open until the user logs out of the computer, or the session timer or idle session timer expires. This is known as the Always-on feature.

If the AnyConnect VPN client is not pre-installed on the host, the user can connect to the ASA using an HTTPS browser connection, and authenticate to the ASA. When it is authenticated, the ASA uploads the AnyConnect client to the host. Host operating systems supported include Microsoft Windows, Mac OS, and Linux. The AnyConnect client then installs and configures itself and finally establishes an SSL VPN connection.

During the establishment phase, the AnyConnect client can perform an endpoint posture assessment by identifying the operating system, antivirus, antispyware, and firewall software installed on the host prior to creating a remote access connection to the ASA. Based on this prelogin evaluation, you can control which hosts are allowed to create a remote access connection to the security appliance.

Configuring Clientless SSL VPN on an ASA

ASDM provides two tools for initially configuring a clientless SSL VPN on an ASA:

  • ASDM Assistant – This feature guides an administrator through the SSL VPN configuration.
  • VPN wizard – This is an ASDM wizard that simplifies the SSL VPN configuration.

To use the ASDM Assistant to configure a clientless SSL VPN, click Configuration > Remote Access VPN > Introduction. Next, click Clientless SSL VPN Remote Access (using Web Browser).

Sample Clientless VPN Topology

The reference topology for this example, as shown in the figure, is as follows:

  • An inside network with security level 100
  • A DMZ with security level 50
  • An outside network with a security level of 0

Access to the DMZ server is already provided using static NAT.

Assume the outside host requires access to specific applications which do not need a full tunnel SSL VPN. For this reason, the remote host uses a secure web browser connection to access select corporate resources.

To create a clientless SSL VPN configuration, use the VPN wizard and complete the following steps:

Step 1. Launch the Clientless SSL VPN wizard.

From the menu bar, click Wizards > VPN Wizards > Clientless SSL VPN Wizard. The VPN wizard Introduction window is displayed. Click Next to continue.

Step 2. Configure the SSL VPN interface.

Configure a connection profile name for the connection and identify the interface to which outside users connect.

By default, the ASA uses a self-signed certificate to send to the client for authentication.

The SSL VPN Interface screen provides links in the Information section. These links identify the URLs that need to be used for the SSL VPN service access (login) and for Cisco ASDM access (to access the Cisco ASDM software download). Click Next to continue.

Step 3. Configure user authentication, as shown in the figure below.

[Figure: user authentication window]

In this window, the authentication method can be defined. Authentication using an AAA server can be configured by selecting the option. Click New to enter the location of the AAA Server.

Alternatively, the local database can be used. To add a new user, enter the username and password and then click Add. Click Next to continue.

Step 4. Create a group policy, as shown below.

[Figure: group policy window]

In this window, a custom group policy for the clientless SSL VPN connection can be created or modified.

If configuring a new policy, the policy name cannot contain any spaces.

By default, the created user group policy inherits its settings from the DfltGrpPolicy. These settings may be modified after the wizard has been completed by navigating to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies submenu. Click Next to continue.

Step 5. Configure a bookmark list for clientless connections only.

A bookmark list is a set of URLs that is configured to be used in the clientless SSL VPN web portal. If there are bookmarks already listed, use the Bookmark List drop-down menu, select the bookmark of choice and click Next to continue with the SSL VPN wizard.

However, there are no configured bookmark lists by default and, therefore, they must be configured by the network administrator. To create an HTTP server bookmark in the bookmark list, click Manage to open the Configure GUI Customization Objects window shown below:

[Figure: Configure GUI Customization Objects window]

Click Add to open the Add Bookmark List window shown below:

[Figure: Add Bookmark List window]

Enter a bookmark list name and click Add again to open the Select Bookmark Type window shown below:

[Figure: Select Bookmark Type window]

There are three types of bookmarks that can be created, as identified in the window. To add a traditional bookmark, select URL with GET or POST Method and click OK to open the Add Bookmark window shown below.

[Figure: Add Bookmark window]

Enter a name for the bookmark in the Bookmark Title field. The name cannot contain spaces. Next, enter the URL value, which can be HTTP, HTTPS, or FTP, and the destination server IP address or hostname to be used with the bookmark entry. In our example, we are creating a bookmark named WebMail which is located at IP address 192.168.2.3.

When the specifics are configured, click OK in the Add Bookmark window to return to the Add Bookmark List window. The newly created bookmark and its specifics are displayed as shown below:

[Figure: Add Bookmark List window with the new WebMail bookmark]

Click OK to return to the Configure GUI Customization Objects window. Click OK to return to the Bookmark List window.

Click Next to continue.

Step 6. Verify and commit the configuration. Click Finish to finish the wizard and deliver the commands to the ASA.

Verify

To verify and edit the Clientless SSL VPN configuration, open the ASDM Clientless SSL VPN Access window.

In ASDM, click Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles.

From this window, the VPN configuration can be verified and edited.

Configure AnyConnect SSL VPN

ASDM provides two tools for initially configuring an SSL VPN on an ASA:

  • ASDM assistant – This feature guides an administrator through the SSL VPN configuration.
  • VPN wizard – An ASDM wizard which simplifies the SSL VPN configuration.

To use the ASDM assistant to configure a client-based remote access VPN, click Configuration > Remote Access VPN > Introduction. Next, click SSL or IPsec (IKEv2) VPN Remote Access (using Cisco AnyConnect Client).

To use the client-based VPN wizard from the menu bar, click Wizards > VPN Wizards > AnyConnect VPN Wizard.

Sample SSL VPN Topology

The reference topology in the figure has the following settings:

[Figure: sample SSL VPN topology]

  • An inside network with security level 100
  • A DMZ with security level 50
  • An outside network with a security level of 0

The outside host requires an SSL VPN connection to the inside network. Outside access to the DMZ server is already provided via static NAT.

The outside host does not have the Cisco AnyConnect client pre-installed. Therefore, the remote user must initiate a clientless SSL VPN connection using a web browser, and then download and install the AnyConnect client on the remote host.

After it is installed, the host can exchange traffic with the ASA using a full tunnel SSL VPN connection.

AnyConnect SSL VPN

To create a full tunnel SSL VPN configuration, use the VPN wizard and complete the following steps:

Step 1. Launch the AnyConnect VPN Wizard.

From the menu bar, click Wizards > VPN Wizards > AnyConnect VPN Wizard. The VPN wizard Introduction window is displayed. Click Next to continue.

Step 2. Configure a connection profile in the Connection Profile Identification window.

Configure a connection profile name for the connection and identify the interface to which outside users can connect. Click Next to continue.

Step 3. Select the VPN protocols.

Select how the traffic is protected. The choices are SSL and/or IPsec. A third-party certificate can also be configured. Initially, SSL and IPsec are selected. However, in this example only SSL will be used; therefore, IPsec is unchecked.

Click Next to continue.

Step 4. Add the AnyConnect client images in the Client Images window.

[Figure: Client Images window]

In order for client systems to download the Cisco AnyConnect SSL VPN Client automatically from the ASA, the location of the SSL VPN Client must be specified in the configuration. To configure the location of the Cisco AnyConnect SSL VPN Client, click Add to identify the location of the image and open the Add AnyConnect Client Image window.

[Figure: Add AnyConnect Client Image window]

Now click Browse Flash if the image file is already located on the Cisco ASA. This opens the Browse window. The window lists the image files located on the ASA. Notice that there are images for Linux, Mac OS, and Windows hosts.

Note: Windows 8.1 or newer clients will require AnyConnect Secure Mobility Client release 4.1 or later.

Browse to the location of the Cisco AnyConnect SSL VPN Client in the flash memory. In this example, the Windows AnyConnect image file is being selected.

Note: If there is no image file on the ASA, click Upload in the Add AnyConnect Client Image window to upload a copy from the local machine.

Click OK and the Add AnyConnect Client Image window is displayed again. However, this time it includes the selected image file name.

Click OK again to accept the location of the Cisco AnyConnect SSL VPN Client and the Client Images window is displayed again. This time it includes the Windows AnyConnect image file.

Click Next to continue.

Step 5. Configure the authentication methods in the Authentication Methods window displayed in the figure.

In this window, the authentication method can be defined. The location of the AAA authentication server can be added. Click New to enter the location of the AAA Server. If a server is not identified, then the local database is used. To add a new user, enter the username and password and then click Add.

Click Next to continue.

Step 6. Create and assign the client IP address pool in the Client Address Management window.

[Figure: Client Address Assignment window]

The IP address pool configuration is required for successful client-based SSL VPN connectivity. Without an available IP address pool, the connection to the security appliance fails.

A preconfigured IP address pool can be selected from the Address Pool drop-down menu. Otherwise, click New to open the Add IPv4 Pool window and create a new one. In this window, identify the pool name, the starting and ending IP addresses, and the associated subnet mask. The example in the figure below creates a pool named VPN-Client-Pool spanning 192.168.1.33 to 192.168.1.62 with a /27 mask.

[Figure: Add IPv4 Pool window]

Click OK to return to the Client Address Assignment window.

Click Next to continue.

Step 7. Specify the DNS-related information in the Network Name Resolution Servers window.

Specify the DNS server and WINS server locations, if any, and provide the domain name. The example in the figure below identifies the DNS server with IP address 192.168.2.3 and the domain name ccnasecurity.com.

[Figure: Network Name Resolution Servers window]

Click Next to continue.

Step 8. Enable NAT exemption for VPN traffic in the NAT Exempt window.

If NAT is configured on the ASA, then the SSL client address pools must be exempt from the NAT process because NAT translation occurs before encryption functions. Click the Exempt NAT traffic checkbox to reveal the details of the exemption, as shown in Figure 2.

Click Next to continue.

Step 9. Review the AnyConnect Client Deployment window.

This is simply an informational page explaining that the AnyConnect client can be deployed using a web launch or pre-deployed on the host.

Click Next to continue.

Step 10. Verify and commit the configuration. The summary window is displayed next. Verify that the information configured in the SSL VPN wizard is correct. Use Back to alter any of the configuration parameters.

Click Finish to finish the wizard and deliver the commands to the ASA.
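The reason both wizards add a NAT-exempt rule (Step 5 of the site-to-site wizard and Step 8 above), shown as an added Python model that is not part of the original page or of Cisco's software: NAT runs before the packet is compared with the VPN's protected-traffic selectors, so without an identity (exempt) rule the inside source address is already translated when that comparison happens. The inside network, outside interface address and AnyConnect pool are taken from this page; the site-to-site remote network 172.16.1.0/24 and the Internet host 198.51.100.10 are constructed assumptions.

```python
"""Model of why the ASDM VPN wizards add a NAT-exempt (identity NAT) rule.

Added example, not Cisco code. It mimics the ASA order of operations for a
packet leaving an inside host: NAT is applied first, and only then is the
packet compared with the VPN's protected-traffic selectors, which are written
in terms of real (untranslated) addresses. Inside network 192.168.1.0/24,
outside interface 209.165.200.226 and the AnyConnect pool 192.168.1.33-.62
come from this page; 172.16.1.0/24 and 198.51.100.10 are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    src: IPv4Network
    dst: Optional[IPv4Network]            # None matches any destination
    exempt: bool                          # identity NAT: source left as is
    mapped: Optional[IPv4Address] = None  # dynamic PAT address otherwise

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and (self.dst is None or dst in self.dst)


def apply_nat(src: IPv4Address, dst: IPv4Address,
              rules: List[NatRule]) -> IPv4Address:
    """First matching rule wins. The wizard places the exempt rule ahead of
    the existing dynamic PAT rule, so it is evaluated first."""
    for rule in rules:
        if rule.matches(src, dst):
            return src if rule.exempt else rule.mapped
    return src                            # no matching rule: not translated


def forward(src: str, dst: str, rules: List[NatRule],
            local: IPv4Network, remote: IPv4Network) -> Tuple[str, str]:
    """Return (path, source address as seen on the wire).

    'tunnel'    - the post-NAT packet still matches the protected-traffic
                  selectors (local -> remote) and is encrypted.
    'cleartext' - it no longer matches and leaves the outside interface
                  unprotected; for VPN-bound traffic that is the failure
                  the NAT exemption prevents.
    """
    s, d = ip_address(src), ip_address(dst)
    s_after = apply_nat(s, d, rules)
    path = "tunnel" if (s_after in local and d in remote) else "cleartext"
    return path, str(s_after)


INSIDE = ip_network("192.168.1.0/24")
OUTSIDE_IF = ip_address("209.165.200.226")
VPN_POOL = ip_network("192.168.1.32/27")     # 192.168.1.33-.62, per Step 6
REMOTE_LAN = ip_network("172.16.1.0/24")     # constructed site-to-site peer LAN
INTERNET_HOST = "198.51.100.10"              # constructed non-VPN destination

# What the ASA has before the wizard runs: dynamic PAT of inside hosts to the
# outside interface (the Dynamic PAT configuration earlier on this page).
PAT_ONLY = [NatRule(INSIDE, None, exempt=False, mapped=OUTSIDE_IF)]


def with_exempt(remote: IPv4Network) -> List[NatRule]:
    """Rules after the wizard's NAT Exempt step: identity NAT for traffic
    from the inside network to the VPN peer network, ahead of the PAT."""
    return [NatRule(INSIDE, remote, exempt=True)] + PAT_ONLY


if __name__ == "__main__":
    cases = [
        ("AnyConnect client, no exemption", PAT_ONLY, "192.168.1.40", VPN_POOL),
        ("AnyConnect client, exemption", with_exempt(VPN_POOL), "192.168.1.40", VPN_POOL),
        ("Site-to-site peer, exemption", with_exempt(REMOTE_LAN), "172.16.1.5", REMOTE_LAN),
        ("Internet host, exemption", with_exempt(VPN_POOL), INTERNET_HOST, VPN_POOL),
    ]
    for label, rules, dst, remote in cases:
        print(f"{label:34} {forward('192.168.1.3', dst, rules, INSIDE, remote)}")
```

The last case shows that the exemption is narrow: traffic from the same inside host to an Internet destination is still PATed to the outside interface.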

Verify

To open the Network Client Access window, click Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.

Scrolling down to the bottom of the page displays the Connection Profiles on the ASA.

Install the AnyConnect Client

Several steps must be performed to install the AnyConnect VPN Client on a remote host. Some of these steps may be optional depending on whether the AnyConnect client is already installed (pre-deployed) on the remote host, or if the client will be Web launched.

To connect using Web launch, establish a clientless SSL VPN connection to the ASA. Open a compliant web browser and enter the login URL for the SSL VPN into the address field. Be sure to use secure HTTP (HTTPS), as SSL is required to connect to the ASA. In this example, the ASA login URL is https://209.165.200.226.

The browser displays a certificate warning because the ASA presents its self-signed certificate. To accept the website's security certificate, click Continue to this website to continue.

The logon window should be displayed. Notice how it specifies the group as Client-Based-SSL-VPN. Enter a previously configured username and password and click Logon to continue.

The Cisco AnyConnect VPN Client installation begins and attempts to use ActiveX. In this example, ActiveX is not installed, and therefore, the installation program suggests manually installing the Cisco AnyConnect client by downloading the installation program using the link.

Click the Windows 7/Vista/64/XP link to continue. Windows displays a warning message. Click Run and Windows downloads the installer program. This can take a few minutes.

Windows then runs a security scan on the file, and the Cisco AnyConnect VPN Client Setup installer begins. The installation is the same as any simple Windows software installation: click Next until it finishes.

Launch Cisco AnyConnect VPN client by clicking the Windows Start button and selecting Cisco AnyConnect VPN Client.

The Cisco AnyConnect Client opens and prompts the user to enter a secure gateway. Click OK to continue.

In this example, the ASA public IP address is 209.165.200.226. Enter the IP Address of the gateway and click Select.

A Security Alert window is displayed, stating that the client is connecting to an untrusted site. Click Yes to accept the certificate.

The VPN client now requests the remote user's logon credentials. Enter the credentials and click Connect.

Note: Another certificate Security Alert window may be displayed. If so, then click Yes to continue.

If the credentials are acceptable, the VPN client proceeds through several steps, connects, and then closes.

To view VPN information, open the Windows system tray and point to the Cisco AnyConnect Client icon. Right-click the icon and choose Open AnyConnect to open the Cisco AnyConnect Client window. Notice that the remote host connection state is "Connected" and that it has been allocated an IPv4 address from the configured remote access pool.

To verify the IP address allocation, open a CMD window and type ipconfig. Notice that the host has two IP addresses: one for the VPN connection and one for the actual network on which the VPN connection is located.

Finally, a ping to the local host 192.168.1.3 validates that the remote host has access to internal resources.