ASA 8.4 SSL VPN with DAP Lab Procedures
February, 2011
Table of Contents
Introduction ... 3
Log into the lab portal ... 9
Exercise 1: Prepare for Launch Meeting ... 11
Exercise 2: Verify Initial Connectivity (Baseline) ... 12
Exercise 3: Install ASDM and review current ASA configurations ... 39
Exercise 4: Configure AnyConnect SSL VPN client ... 60
Exercise 5: Create new AD groups used for DAP AAA attributes and enable remote desktop on DC ... 140
Exercise 6: Configure DAP policies to control SSL VPN access ... 157
Exercise 7: Configure Advanced Endpoint Assessment remediation ... 288
Appendix A: Answers to Exercise Questions ... 305
Appendix B: Final ASA Configuration ... 307
Introduction
Your company has successfully deployed an ASA 5510 firewall upgrade and an active/standby high-availability solution for Inside.local, a mid-size organization that employs 500 people and is growing. They are very happy with your work in deploying the ASA and are calling upon you for your skills and knowledge of the ASA to help them migrate from IPsec VPN to SSL VPN. After reviewing Inside.local's requirements, you determine that migrating to the AnyConnect client is best suited for them, with the opportunity to design and implement Clientless SSL VPN in the future. You will discuss with Inside the benefits of SSL VPN and show them how they can leverage Dynamic Access Policies (DAP) to provide granular access to resources. With the help of your advice, Inside has also purchased the Advanced Endpoint Assessment license, which will enable them to implement remediation policies. They are looking for guidance in designing and deploying this security strategy. There is a scheduled outage to allow you to complete this deployment and its testing. The customer is ready for you to do some more of your ASA magic!

What precipitated the engagement?

Inside is looking for a more flexible remote access solution that makes it easy for remote workers to gain access to their resources. Security is of great importance and they would like to provide granular-level access to the different departments within the organization. They need to leverage their Active Directory accounts and groups for remote access user authentication. LAN Administrators connecting to the network via remote access must do so from corporate assets only. They need to be able to push down and deploy the VPN client as easily and efficiently as possible.

Key requirements:
o You must provide the customer a logical topology diagram.
o You need to explain how group policies and DAP policies are applied and the processing order.
o The Web Content department should only have access to the DMZ server web site.
o The Quality Assurance department should only have access to the DMZ server FTP and WWW sites.
o The LAN administrators should only have access to the DMZ server FTP and WWW sites as well as remote desktop access to their domain controller.
o The ASA should retrieve the user's group membership to determine their level of access to the FTP and WWW resources.
o Enforce the policy that all remote access users have their MS personal firewall enabled.
o Provide post-installation recommendations.
Logical Topology
The diagram below depicts the logical L3 and L2 topology of the network for this lab. Please note that the UserPCs and Servers are VMware images and that if you shut down any of these machines you will lose all changes. Please ensure that you use restart, if/when needed. Unless otherwise specified, all logins are administrator and passwords are cisco123, all in lower case, except for pc-inside.inside.local where the username is johndoe and the password is cisco123.
[Figure: L3 topology. Details recoverable from the diagram: pc-outside (192.0.2.50) reaches the ASA outside interface (e0/0) across the Internet. The ASA pair consists of a Primary/Active and a Secondary/Standby unit; the active unit holds .254 and the standby .253 on the outside (e0/0), inside (e0/1, 10.0.0.0/24, VLAN 500) and DMZ (e0/2, 192.168.1.0/24, VLAN 600, DMZ server at .10) interfaces. The HA-State link runs over e0/3 on 192.168.60.4/30 (.5 active, .6 standby) and the HA-Failover link over the Mgt interfaces on 192.168.60.0/30 (.1 active, .2 standby). Behind the inside interface sit VLAN 10 (10.0.1.0/24, PC Inside, addressed by DHCP) and VLAN 20 (10.0.2.0/24, DC inside at .10, Exchange inside at .100).]

[Figure: L2 topology. Details recoverable from the diagram: pc-outside connects through a virtual Internet and ISP routers to e0/0 of each ASA. Each ASA's e0/1 and e0/2 connect to Core-sw1 (VLANs 500 and 600), while e0/3 (HA-State) and Mgt (HA-Failover) link the two ASAs to each other. On Core-sw1, PC Inside is on g1/0/5 (VLAN 10), and DC inside and Exchange inside are on g1/0/1 and g1/0/2 (VLAN 20).]
Disclaimer
This lab is intended to be a sample of one way to configure the ASA to provide the customer the required connectivity. There are many ways the ASA can be configured, which vary depending on the situation and the customer's goals/requirements. Please ensure that you consult all current official Cisco documentation before proceeding with a design or installation. This lab is primarily intended to be a learning tool and may not necessarily follow best practice recommendations at all times in order to convey specific information.

Current documentation for the ASA can be found on CCO:
Cisco ASA 5500 Series Configuration Guide using the CLI, v8.4
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/asa_84_cli_config.html
Cisco ASA 5500 Migration Guide for Version 8.3
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
Release Notes for the Cisco ASA 5500 Series, 8.4(x)
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html
Memory Requirements for the Cisco ASA Software version 8.3 and later
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_bulletin_c25-586414.html

The labs were constructed using the following software versions:
ASA: asa841-k8.bin
ASDM: asdm-641.bin
AVC: AnyConnect-win-3.0.0629-k9.pkg
VPN Client: vpnclient-win-msi-5.0.07
Prerequisite knowledge
This lab is the third module in a series of ASA labs created by the ASTEC team. This lab assumes that you have taken our first two labs, ASA 8.4 Basics and New Features, and Licensing ASA 8.4 and Configuring High Availability or have viewed the recorded tech sessions or have equivalent basic understanding of IP technologies and the Cisco ASA 5500. It is suggested that you take the modules in the recommended order unless you are already familiar with the information in the previous modules.
Some ASA firewalls have the AIP-SSM module; therefore, you might see the IPS in the ASDM. Please disregard the IPS module in this lab.
Log into the lab portal
Your proctor will provide you with the login and pod number information. Type this into the Username/Password box and click Login. Also write this information below. Username Password Pod number __________________________ __________________________ __________________________
Click Continue. On the ASTEC Student Portal web page, when launching the web bookmarks to access PC-Inside and PC-Outside, please click the Open in a new Browser icon.
Exercise 2: Verify Initial Connectivity (Baseline)
Open a command prompt and issue the ipconfig command. There is a cmd prompt shortcut on the desktop.
What is your IP address? _________________________
What is your subnet mask? ________________________
What is your default gateway? _____________________
From pc-inside.inside.local, ping the following destinations:
ping 10.0.1.1 (pc-inside default gateway)
ping 10.0.2.10 (dc.inside.local)
ping 10.0.2.100 (exchange.inside.local)
ping 10.0.0.254 (ASA inside interface)
ping 192.168.1.10 (dmz.inside.local)
From pc-inside, launch Internet Explorer and type ftp://192.168.1.10 to test access to the DMZ FTP server.
Next, type http://192.168.1.10 in your browser to test access to the DMZ web server.
Let's next test access to the webmail server. We don't want to authenticate, just validate that access is allowed and that the server is operational. In the browser, type http://10.0.2.100/exchange.
Click Cancel and close Internet Explorer. From the ASTEC Student Portal, go to pc-outside.
From the desktop, double click the VPN icon, highlight the Inside-ipsec profile and click Connect.
Once you are connected, open a command prompt and type ipconfig.
What are your IP addresses? ______________________________________
Next, issue the following ping commands:
ping 10.0.2.10 (DC)
ping 192.168.1.10 (DMZ server)
From pc-outside, launch Internet Explorer and browse to the DMZ web server. In the browser, type http://192.168.1.10.
Lastly, type http://10.0.2.100/exchange to validate that access is allowed and that this is operational. Click Cancel when prompted to login.
Right click the VPN icon in the system tray and select Disconnect.
Now let's re-launch the VPN and log in as janedoe with cisco123 as the password.
Once logged in, issue the ping tests again.
ping 10.0.2.10 (DC)
ping 192.168.1.10 (DMZ server)
Now let's re-test access to the FTP and WWW sites on the DMZ server. Launch Internet Explorer and type ftp://192.168.1.10.
And let's test the webmail access again (http://10.0.2.100/exchange). Click Cancel when prompted to provide credentials.
We have validated that John Doe and Jane Doe both can ping internal resources and can access the FTP and WWW sites on the DMZ server and Webmail on the Email server. Right click the VPN icon in the system tray and select Disconnect.
We will lastly validate that the administrator also has access to all the resources. Open the VPN client and click Connect.
Type administrator and cisco123 in the username and password fields. Open the command prompt and re-issue the same ping tests.
ping 10.0.2.10 (DC)
ping 192.168.1.10 (DMZ server)
Lastly, type http://10.0.2.100/exchange to test webmail. Click Cancel when you are prompted to provide credentials.
Close Internet Explorer, then right click the VPN icon in the system tray and select Disconnect.
We have confirmed that all three users, Jane Doe, John Doe and Administrator, have the same level of access: the FTP and Web server on the DMZ server and Webmail on the Email server. As we deploy the SSL VPN solution, we need to remember to limit access based on Inside.local's requirements. Please notify your proctor if any ping tests or FTP and HTTP tests fail.
Exercise 3: Install ASDM and review current ASA configurations
Click Run.
Click Install.
Let's log onto the ASA's inside IP address of 10.0.0.254 using the local administrator account and the cisco123 password.
Check Always trust content from this publisher and click Yes.
The ASDM should start parsing the configuration from the ASA. This may take about one minute.
Let's test connectivity from the ASA. Ping the following addresses.
192.0.0.1 (outside gateway)
10.0.0.1 (inside gateway)
192.168.1.10 (DMZ server)
Click Close after completing the ping tests. From the Device Dashboard tab on the ASDM Home page, we can see the ASA's hostname, uptime, code version, and other pertinent information. Select the License tab.
Q3.1: How many SSL VPN peers are installed on this ASA? __________________
Click the More Licenses link. From here, we can see that this ASA has both a permanent and a time-based license. Click Show license details to see the permanent licenses on this ASA.
Q3.2: What is the purpose of the Advanced Endpoint Assessment license?
Click OK to close this box. Let's next review the IPsec connection profile and group policy settings. Navigate to Configuration > Remote Access VPN > Network (Client) Access and select IPsec (IKEv1) Connection Profiles. Select the inside-ipsec-tunnelgroup connection profile and click Edit.
We can see some very pertinent information here: user authentication information, the client IP address pool, which group policy is mapped to this connection profile, and other settings. If no connection profiles are created, users will match the default connection profile for IPsec or for SSL VPN, as appropriate. Let's verify the settings in this connection profile and understand the values. Click Select in the Client Address Pools field.
Q3.3: What is the starting and ending IP address in this pool? Do you recall what IP address pc-outside had when the IPsec VPN was established?
Click OK and select Manage in the User Authentication field.
From here we can see the AAA server groups that can be referenced for authentication. The AD-server group was already created and is now being used for the IPsec VPN users. This AAA server group uses LDAP as the protocol. We will also use this AAA server group for our SSL VPN users, but let's better understand these settings first. Select the AD-server server group object and click Edit.
We see that the Inside interface is used for the LDAP lookup and that the LDAP server's IP address is 10.0.2.10. If you recall, this is Inside.local's domain controller. The ASA will try to reach this server for 10 seconds before it times out. The lookup uses port 389, the standard LDAP port. We could use LDAP over SSL, which uses port 636, but this requires additional configuration on the domain controller. Next we see that the LDAP server is a Microsoft server. The Base DN (distinguished name) is the location where we want our LDAP lookup to start. Using an LDAP browser, you would be able to see the LDAP hierarchy for Inside.local and that Inside.local is the root of this hierarchy. This is why we specified dc=inside,dc=local as the base DN: it tells the lookup to start at the highest level in the LDAP hierarchy, the dc=domain_name component. The Scope specifies the depth of the LDAP lookup; here we are specifying All levels beneath the Base DN. The Naming Attribute is the username of the remote access users, represented by the sAMAccountName LDAP attribute. The next two settings specify who binds to the domain controller and performs this LDAP lookup. We cannot simply type administrator; we need to provide the path in LDAP form that specifies where this user resides in the LDAP hierarchy, and provide the corresponding password.
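The same AD-server group, written as ASA 8.4 CLI rather than ASDM. This is an added example, not the lab's own configuration (that is in Appendix B): the login DN is an assumption, because ASDM only tells us that the bind account must be given as a full LDAP path, and the default Active Directory location of the administrator account is used here.

```cisco
! Added example (not the lab's configuration): LDAP AAA server group as reviewed in ASDM.
aaa-server AD-server protocol ldap
aaa-server AD-server (inside) host 10.0.2.10
 timeout 10
 server-port 389
 ldap-base-dn dc=inside,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! Bind credentials. The DN below is an assumption (default AD container for the account).
 ldap-login-password cisco123
 ldap-login-dn cn=administrator,cn=Users,dc=inside,dc=local
 server-type microsoft
```

Two things worth checking once this is in place: `test aaa-server authentication AD-server host 10.0.2.10 username johndoe password cisco123` exercises the bind and the sAMAccountName lookup end to end without involving a VPN client, and `show aaa-server AD-server` reports whether the server is ACTIVE or FAILED after the 10-second timeout. Because the bind and the user credentials cross the inside network in the clear on port 389, the switch to LDAP over SSL mentioned above is `server-port 636` plus `ldap-over-ssl enable` on this host entry, once the domain controller has a certificate.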
Click Cancel to close this box. Also click OK to close the Configure AAA Server Groups window. Next, let's click Manage in the Group Policy setting.
This will open the Configure Group Policies dialog box. We see two group policies, the inside-ipsec-tunnelgroup and DfltGrpPolicy. We can also see which tunneling protocols are enabled for each group policy. Select inside-ipsec-tunnelgroup group policy and select Edit.
Let's explore the pertinent settings of this group policy. Click General and expand More Options. From here we can see the tunneling protocols.
Only IPsec IKEv1 is selected as the tunneling protocol.
Q3.4: Could we use this group policy for AnyConnect SSL VPN? If not, what would we need to change?
Q3.5: Should we edit this group policy to allow AnyConnect SSL VPN, or should we create a new group policy and allow the SSL VPN tunneling protocol separately?
Q3.6: What would some of the benefits be of creating a separate group policy for SSL VPN?
Click Servers.
We can see the DNS and WINS servers' IP addresses. Expand More Options. We can see the default domain is inside.local. Expand Advanced and select Split Tunneling.
Here we can see that split tunneling is disabled. Inside.local has determined that all remote access traffic is to be sent to the ASA. This is defined in their security policy. Our SSL VPN group policy will also not allow split tunneling. Click Cancel three times.
Exercise 4: Configure AnyConnect SSL VPN client
Click Yes in the Enable SSL VPN Client Access dialogue box.
Expand Regular expression to match user-agent and select Windows NT from the drop down menu.
This is an optional parameter that helps reduce the time needed to select the correct client image for the remote computer. If we had images for Linux and Mac computers as well, configuring regular expressions would help the ASA pick the correct image for each platform quickly. Click OK. Select Allow Access on the outside interface.
Notice that the Enable DTLS also becomes selected. Clear the Enable DTLS check box and observe the warning message.
Notice the warning pop-up message: it indicates that DTLS offers better performance than TLS. Click No. Click Port Settings. Notice that AnyConnect uses port 443 for both TLS and DTLS; the difference is that TLS uses TCP as the transport while DTLS uses UDP.
Once we start testing our AVC SSL VPN, we will look at the Real-Time Log Viewer to see what is happening at the protocol level when users connect, and we will observe the number of connections each AVC session has. Navigate to Configuration > Remote Access VPN > AAA/Local Users and select Local Users.
We can see that there are two local users: the administrator, which we are using to configure the ASA, and janedoe, which was used to initially test our IPsec VPN during our last engagement with Inside.local. We also see that janedoe has the inside-ipsec-tunnelgroup group policy applied. This means that if this local account were to VPN to the ASA, all settings in that group policy would apply. Do you recall these group policy settings from before? Let's open the Real-Time Log Viewer in the ASDM so that we can observe the log while we perform our testing. Keep the Real-Time Log Viewer open throughout the lab, as we will be returning often to review the log. In the ASDM, navigate to Monitoring > Logging and select Real-Time Log Viewer. Click View.
As we start performing our testing, we will be toggling back and forth between pc-outside and pc-inside. We test our VPN from pc-outside and then return to pc-inside and view the logs in the Real-Time Log Viewer. Always leave the Real-Time Log Viewer open. From pc-outside, launch Internet Explorer and type https://192.0.0.254. Click Continue to this website (not recommended).
We see that the VPN traffic is reaching the firewall over port 443. Return to pc-outside, where we are prompted to provide credentials for the VPN. Which accounts could we use? We know that there are two local accounts on the ASA, administrator and janedoe. We also know from our earlier IPsec testing that there are also johndoe, janedoe and administrator accounts retrieved from the LDAP server. Let's start by trying the johndoe account. Type johndoe and cisco123 in the username and password fields and click Login.
We see that this has failed. Return to pc-inside and look at the log.
Looking at the log, we see that the authentication was rejected because the credentials were invalid. This attempt tried to use a local account, and there is no local johndoe account. We also see that the DfltGrpPolicy was matched. We will shortly review the settings in that group policy. Let's next try providing janedoe and cisco123 as the credentials and click Login.
We are seeing a different message in our browser. Let's return to pc-inside and look at the log.
We can see that janedoe successfully authenticated using the local account, yet her login was denied.
Q4.1: Why was janedoe's login denied? If you recall, the janedoe account had the inside-ipsec-tunnelgroup group policy assigned.
Q4.2: What tunneling protocols were enabled in that group policy?
We also see that janedoe matched the DfltAccessPolicy DAP policy. A DAP (dynamic access policy) is a collection of defined AAA attributes and endpoint attributes; when they are matched, specific policies are applied. This provides granular-level access to resources. More on DAP later on.
Let's edit janedoe's local account and remove the assigned inside-ipsec-tunnelgroup group policy. In the ASDM, navigate to Configuration > Remote Access VPN > AAA/Local Users and select Local Users. Select janedoe and click Edit.
Select VPN Policy. Check Inherit in the Group Policy setting. Click OK and Apply.
Q4.3: What does the Inherit check box do for the settings? Now, by selecting Inherit, what group policy settings will apply for janedoe?
Return to pc-outside and test the SSL VPN by providing janedoe's credentials again. The password is cisco123; click Login.
We can see that Janedoe has logged in successfully to the Clientless SSL VPN. No AnyConnect client was downloaded and installed.
Q4.4: Why didn't the AVC client get installed?
Return to pc-inside and look at the ASA log.
There are a few log entries that we will examine. First, janedoe was authenticated locally and the default group policy, DfltGrpPolicy, was applied. We also see that the session type is WebVPN, or Clientless. This is not what we were expecting; we were expecting janedoe to get the AVC client installed. Let's look at the VPN sessions in the ASDM. Navigate to Monitoring > VPN > VPN Statistics and click Sessions. In the Filter By drop-down menu, select Clientless SSL VPN and click Filter.
We can see which connection profile janedoe matched and which group policy got applied.
We will review the DfltGrpPolicy group policy settings but before we do that, return to pc-outside and log out as janedoe. Also close Internet Explorer.
From pc-inside, navigate to Configuration > Remote Access VPN > Network (Client) Access and select Group Policies. Select the DfltGrpPolicy and click Edit.
Click General and expand More Options. We can see that all the Tunneling Protocols except the SSL VPN Client (AnyConnect) are selected. Also notice that there is no Inherit setting on the DfltGrpPolicy group policy. This is because it is the catch-all group policy: its settings apply wherever the matching group policy does not set a value of its own. As we saw earlier when we looked at the inside-ipsec-tunnelgroup connection profile, we can select the group policy we want to apply. That group policy's settings take precedence; however, any setting defined in the DfltGrpPolicy group policy and not defined elsewhere would also apply.
Click Servers.
Again, we do not see any Inherit check box. If all remote access users had the same DNS and WINS servers, we could define those values here and they would apply to every user whose matching group policy has Inherit selected. Click Cancel. Let's delete the janedoe local user and test again. In the ASDM, navigate to Configuration > Remote Access VPN > AAA/Local Users and select Local Users. Select janedoe and click Delete. Click Apply.
Return to pc-outside. Launch Internet Explorer and type https://192.0.0.254. Try to login as janedoe with the password cisco123.
We can now confirm that there is no janedoe local user on the ASA and that the ASA is not retrieving LDAP information for authentication.
Q4.5: If we were to log in as the administrator, would this be successful?
Q4.6: Would the administrator get the AVC downloaded and installed, or would the SSL VPN be Clientless?
Let's test this by returning to pc-outside, typing https://192.0.0.254 into our browser and providing administrator and cisco123 as the credentials. Click Login.
Success, the administrator has logged in successfully but again, there is no AnyConnect. The SSL VPN session is Clientless.
Let's review the ASA log and see what policies are being applied.
We can determine that the local administrator user on the ASA is being authenticated and that the DfltGrpPolicy is being applied. The DfltGrpPolicy does not have the SSL VPN Client tunneling protocol enabled, thus we only get Clientless SSL VPN. OK, now we know that we will be creating a new Group Policy for AVC SSL VPN and selecting SSL VPN Client (SVC) as a permitted tunneling protocol. From the ASDM on pc-inside, navigate to Configuration > Remote Access VPN > Network (Client) Access and select Group Policies. Click the Add pull-down menu and select Internal Group Policy.
Name this group policy inside-avc-gp. Expand More Options. Clear the Inherit checkbox and select SSL VPN Client. Note that the client in our case will be AnyConnect Client (AVC).
Click Servers and clear the Inherit check boxes for DNS and WINS servers. Type 10.0.2.10 as the IP address for both. Expand More Options in the Servers window and clear the Inherit check box. Then type inside.local in the Default domain.
Let's next create a connection profile that users will need to match so that we can apply our new inside-avc-gp group policy. From pc-inside, in the ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access and select AnyConnect Connection Profiles. Click Add.
For the new connection profile name, type inside-avc-cp. Select AD-server from the AAA Server Group drop down menu and click Select for the Client Address Pools.
Select the inside-ipsec-vpn-pool and click Assign. Although this IP pool is used in the inside-ipsec-tunnelgroup connection profile, it could also be used in this connection profile. Click OK.
The new connection profile should have the settings shown in this picture.
Click Save. Now with the new connection profile (inside-avc-cp) and group policy (inside-avc-gp), we are ready to test again using the LDAP user accounts johndoe, janedoe and administrator. From pc-outside, launch Internet Explorer if your browser was closed. Type https://192.0.0.254 in the address bar. When prompted, provide johndoe and cisco123 as the username and password and click Login.
Q4.7: Why do you suspect that the SSL VPN login is still failing?
Return to pc-inside and look at the ASA log. There might be an indication as to why the login is failing.
From the above log, we see that authentication is going to the local database, where we know there is no johndoe user account, and that the DfltGrpPolicy group policy is applied.
Q4.8: Why is the authentication going to the local database when we specified the AD-server AAA server group in our inside-avc-cp connection profile?
Return to pc-outside and test again using janedoe as the user. In the browser, type janedoe and cisco123 as the username and password. Click Login.
Look at the ASA log on pc-inside to determine whether this is the same reason as for johndoe.
As per the ASA log, the login for janedoe is also trying to use the local database, and the janedoe user was deleted earlier, so this is not going to be successful. So we know the problem now: the SSL VPN is not using our newly created connection profile, inside-avc-cp. We will return to the ASDM and have a look at our AnyConnect and connection profile settings to see if anything was missed. From the ASDM on pc-inside, navigate to Configuration > Remote Access VPN > Network (Client) Access and select AnyConnect Connection Profiles. Reading the Login Page Setting, it starts making sense now. It indicates that unless an alias is selected on the login page, the DefaultWEBVPNGroup connection profile will be used. We need to select the check box to allow users to select an alias on their login page! Select the check box Allow users to select the connection profiles in the Login Page Setting.
We see that selecting the check box has generated an error message. We will need to create an alias in our connection profile before we enable this check box. Click OK to close the error message. Select the inside-avc-cp connection profile and click Edit.
In the Basic settings, type inside-vpn in the Aliases box and click OK.
Returning to the AnyConnect Connection Profiles view, we can now see that there is a defined alias for the inside-avc-cp connection profile. We should now be able to select the Allow user to select connection profile check box. Click Apply.
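The pieces built in this exercise, written as ASA 8.4 CLI so the ASDM steps can be checked against the running configuration. This is an added example, not the lab's own configuration: the address pool inside-ipsec-vpn-pool and the AD-server group are assumed to exist already from the IPsec deployment, and DTLS is left at its default of enabled, as the lab chose.

```cisco
! Added example (not the lab's configuration): CLI equivalent of the Exercise 4 ASDM steps.
! Assumes ip local pool inside-ipsec-vpn-pool and aaa-server AD-server already exist.

! Enable SSL VPN on the outside interface (DTLS stays enabled by default) and stage the
! Windows client image; the regex lets the ASA pick this image from the User-Agent header.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1 regex "Windows NT"
 anyconnect enable
 ! "Allow user to select connection profile": shows the Group drop-down on the login page.
 tunnel-group-list enable

! Group policy that permits the AnyConnect (SVC) tunneling protocol. Anything not set here
! (idle timeout, simultaneous logins, ...) is inherited from DfltGrpPolicy.
group-policy inside-avc-gp internal
group-policy inside-avc-gp attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.2.10
 wins-server value 10.0.2.10
 default-domain value inside.local
 ! Matches the IPsec policy reviewed earlier: no split tunneling, all traffic to the ASA.
 split-tunnel-policy tunnelall

! Connection profile: LDAP authentication, the reused address pool, and the alias that
! users must pick on the login page. Without a selected alias the session lands in
! DefaultWEBVPNGroup, which authenticates against LOCAL and applies DfltGrpPolicy.
tunnel-group inside-avc-cp type remote-access
tunnel-group inside-avc-cp general-attributes
 address-pool inside-ipsec-vpn-pool
 authentication-server-group AD-server
 default-group-policy inside-avc-gp
tunnel-group inside-avc-cp webvpn-attributes
 group-alias inside-vpn enable
```

The failure mode the lab walks through is visible in the last block: `authentication-server-group` and `default-group-policy` live on inside-avc-cp, so a login that never selects the inside-vpn alias never reaches them. After a user connects, `show vpn-sessiondb anyconnect filter name johndoe` confirms which tunnel-group and group policy were actually applied, and `show vpn-sessiondb detail anyconnect` lists the separate SSL-Tunnel (TCP 443) and DTLS-Tunnel (UDP 443) entries discussed later in this exercise.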
Return to pc-outside and type https://192.0.0.254 in your browser. We now see the connection profile alias, inside-vpn, in the Group drop down menu. This is looking better. Type johndoe and cisco123 as the username and password and click Login.
Success! We start seeing the installation of the AnyConnect Secure Mobility Client.
While the AVC is being downloaded and installed, let's return to pc-inside and look at the ASA logs. We can see some information about this SSL VPN connection: the IP address 10.1.1.1 has been assigned, the inside-avc-gp group policy has been matched and applied, and this is an SVC (SSL VPN Client) session.
Return to pc-outside and see if the AnyConnect has finished downloading and installing. We can see that the connection is established and we now have the AVC icon in our system tray, and we have a gold lock to indicate that the VPN is up. At this point, you can close Internet Explorer.
Right click the AVC icon in the system tray and select Open AnyConnect.
Click Advanced. From the Statistics tab we can gather statistics on this VPN connection, such as the connection status, the IP addresses of the client and head-end server (ASA), time connected, and the number of bytes sent and received. The AnyConnect 3.0 client is more than a client; it is more of a platform today. Stay tuned for our next training release covering Mobile User Security, which will cover the AVC 3.0 in greater depth.
Of note, we can see that the transport protocol is DTLS and that there is no compression. DTLS and compression are mutually exclusive. DTLS is used because it offers better SSL VPN performance: it uses UDP as the transport, which has less overhead than TCP. Let's look at the ASDM monitoring on pc-inside and see if there is more information that we could retrieve. In the ASDM on pc-inside, navigate to Monitoring > VPN > VPN Statistics and select Sessions. From the Filter By drop-down menu, select AnyConnect Client and click Filter.
We see the username johndoe and the IP address 10.1.1.1. We can also confirm which connection profile and group policy are matched and applied. Click Details to retrieve more detailed information on this connection. Looking at the details of johndoe's connection, we see two tunnels, one SSL-Tunnel and one DTLS-Tunnel. The SSL-Tunnel uses destination port TCP 443 and the DTLS-Tunnel uses destination port UDP 443. Each tunnel has its own tunnel ID. When the AVC SSL VPN session is established, the client first connects over TCP port 443 to set up the initial connection. Once this is established, it tries to connect over UDP port 443. This second tunnel is what is used to send and receive data, and because it uses UDP it is faster than TCP due to less overhead.
Click Close. Return to pc-outside and let's test access to resources. From pc-outside, ping the domain controller and the DMZ server. Open the command prompt and type:
ping 10.0.2.10 (domain controller)
ping 192.168.1.10 (DMZ server)
Next, open Internet Explorer and type ftp://192.168.1.10 to test FTP access.
Lastly, type http://10.0.2.100/exchange to test access to webmail on the email server. Click Cancel when prompted for credentials.
We have now confirmed that, just like the IPsec VPN provided, we have access to the resources through the AnyConnect SSL VPN. Let's test the AnyConnect VPN using janedoe's user account next. Disconnect the AVC VPN by right clicking the AVC icon in the system tray and selecting VPN Disconnect.
Now right click the AVC icon in the system tray and select Open AnyConnect and click Connect.
Type janedoe and cisco123 in the username and password fields and click OK.
Now return to pc-inside and look at the ASA logs in the Real-Time Log viewer. We can confirm that janedoe is authenticated from server 10.0.2.10, our domain controller, and that the inside-avc-gp group policy is applied. We also see a reference to a DAP policy being applied. More on DAP shortly.
Let's look at additional information on this VPN connection. From the ASDM on pc-inside, navigate to Monitoring > VPN > VPN Statistics and select Sessions. In the Filter By drop down menu, select AnyConnect Client and click Filter.
We see information that is similar to what we saw for johndoe. Click Details to display additional information.
In the details view, we now see the missing information: the IP address and the group policy. Similar to johndoe's session, we see two tunnels, one using TCP and the second using UDP, and two different Tunnel IDs. Note: the Tunnel IDs and Source Ports will vary with each connection.
Click Close. With janedoe still connected, return to pc-outside and perform some tests. From the command prompt, ping the domain controller and the DMZ server:
ping 10.0.2.10 (DC server)
ping 192.168.1.10 (DMZ server)
Let's next test FTP access. Launch Internet Explorer and type ftp://192.168.1.10.
Lastly, type http://10.0.2.100/exchange to test webmail. Click Cancel when prompted for credentials.
Close your browser and disconnect your VPN session. Right click the AVC icon in the system tray and select VPN Disconnect.
We have one more user to test to confirm that all three users work successfully: the administrator. Right click the AVC icon in the system tray and select Open AnyConnect.
Click Connect.
Type administrator and cisco123 in the username and password fields and click OK.
Let's again return to pc-inside and look at the ASA Monitoring information on this VPN connection. From the ASDM on pc-inside, navigate to Monitoring > VPN > VPN Statistics and select Sessions. In the Filter By drop down menu, select AnyConnect Client and click Filter.
We see information that is similar to what we saw for johndoe and janedoe. Click Details.
Click Close. Return to pc-outside and perform some tests. From the command prompt, ping the DMZ server:
ping 192.168.1.10 (DMZ server)
Let's test FTP access. Launch Internet Explorer and type ftp://192.168.1.10.
Let's next test access to the DMZ server web site. Type http://192.168.1.10 in the browser.
Lastly, type http://10.0.2.100/exchange in the browser to test webmail. Click Cancel when prompted for credentials.
Close Internet Explorer, right click the AVC icon in the system tray and select VPN Disconnect.
Exercise 5: Create new AD groups used for DAP AAA attributes and enable remote desktop on DC
Goal: We will be logging onto the domain controller and creating new Windows groups. These two new groups will be used in our DAP policies to determine the access level to resources. We will also enable remote desktop on the domain controller. From the ASTEC student portal web page, click on the DC-Inside web bookmark.
Type administrator and cisco123 as the username and password and click OK.
Launch Active Directory Users and Computers by clicking Start > Programs > Administrative Tools > Active Directory Users and Computers.
Expand Inside.local and right-click the Users container and select New > Group from the menu.
Type dmz-http-access-group as the group name and leave everything as default. Click Next.
Click Next.
Click Finish.
Right click the Users container again and select New > Group from the menu.
Click Next.
Click Finish.
We next want to add janedoe to the dmz-http-access-group and johndoe to the dmz-http-ftp-access-group. Right click the dmz-http-access-group and select Properties.
Click OK.
Click OK.
We next need to enable remote desktop on the domain controller. Click Start > Settings > Control Panel.
Select the Remote tab and select the Enable Remote Desktop on this computer check box.
Click OK.
Exercise 6: Configure DAP policies to control SSL VPN access
There are no AAA or endpoint attributes to retrieve in the DfltAccessPolicy DAP policy. As we saw earlier while we were testing AVC SSL VPN access, a DAP policy was applied after each successful user VPN logon. Think of this DfltAccessPolicy as a permit any any ACL. It is configured to allow all VPN users to access all resources without any restrictions. This applies to IPsec, AVC and Clientless VPN connections. As we start to configure DAP policies that have matching AAA attribute criteria and access restrictions, it is best practice to change this DfltAccessPolicy to terminate.
Think of an ACL: you apply specific denies and permits and then have an explicit deny all, so if a packet does not match any permit statement, it does not get forwarded. When we configure DAP policies, this is what we will use the DfltAccessPolicy for. Select Terminate and type the following message: You are not authorized to have remote access. Click OK and Apply.
Let's test the above statement and see whether the DfltAccessPolicy will terminate the VPN connection attempts. From pc-outside, open the AnyConnect client and click Connect. Type administrator and cisco123 in the username and password fields. We know that this worked earlier. Click OK.
We get the Login denied message with the banner we just typed in our DfltAccessPolicy.
Click OK. Let's review the ASA logs and confirm that the DAP policy is denying access. From pc-inside, look at the Real-Time Log viewer. We see that the administrator authentication was successful and that we used the domain controller at 10.0.2.10 to validate the administrator's credentials. We also see that the inside-avc-gp group policy was matched. Lastly, we see that the DfltAccessPolicy DAP policy was matched, and this takes precedence over any other policy. Since it was set to terminate, the administrator was denied access!
Now that we know that the DfltAccessPolicy is denying everyone, we need to create some DAP policies that will allow the remote users to connect. In the ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access and select Dynamic Access Policies. Click Add.
Type dmz-http-access for the Policy Name and Policy to permit http access to dmz server in the Description. Type 50 for the ACL Priority. Select User has All of the following AAA attributes values from the drop-down menu.
Click Add and select Cisco from the AAA Attribute type. Select the Connection Profile check box and select inside-avc-cp and click OK.
Click Add again to add a second AAA attribute. This time select LDAP from the AAA Attribute Type drop down menu. Leave the Attribute ID as memberOf and click Get AD Groups.
Click OK.
We just configured two AAA attributes in this DAP policy and selected a requirement to match ALL. The first criterion is to match the inside-avc-cp connection profile and the second criterion is to be a member of the dmz-http-access-group, which janedoe is.
As per Inside.local's requirements, her division should only have access to the DMZ server web site. We need to configure a policy that grants access to only this resource. Select the Network ACL Filters (client) tab and click Manage.
Select the permit-http-2-dmz ACL and click Add ACE from the drop down menu. Type the following information in the ACE:
Action: Permit
Source: Any
Destination: 192.168.1.10
Service: TCP/http
Description: permit http to dmz server
Click OK.
Click OK again.
Now select the permit-http-2-dmz ACL from the drop down selection and click Add.
Select the Access Method tab and select AnyConnect Client. This value is redundant because the inside-avc-gp group policy only has the SVC tunneling protocol enabled, so remote users matching that group policy could not be using Clientless SSL VPN. However, if someone were to check Clientless in that group policy, the DAP policy would take priority and enforce AnyConnect clients as the only access method.
Return to pc-outside and let's try to connect again using the AVC method. Type janedoe and cisco123 in the username and password fields and click OK.
While the VPN session is processing, return to pc-inside and look at the ASA logs in the Real-Time Log viewer. We see that janedoe has been authenticated by the server 10.0.2.10 and that the inside-avc-gp group policy has been applied. We now see that the dmz-http-access DAP policy is also applied. So janedoe should have access to the DMZ server web site. Let's return to pc-outside and test this.
Open a command prompt and try to ping the DMZ server at 192.168.1.10. We see that this is now failing where this was successful earlier.
The FTP site failed to display. Q6.1: Why is the FTP site now failing? Let's try accessing the webmail site. This also worked before. Type http://10.0.2.100/exchange.
Same result as the FTP site: both unsuccessful. When we created our Net ACL and permitted TCP/http to our DMZ server, the ASA applied an implicit deny all after our permit. This is why the ping test failed and both the FTP and webmail tests failed. We have accomplished our first task, which is to restrict janedoe's access over AVC to only the DMZ server web site. Close the browser, right click the AVC icon in the system tray and select VPN Disconnect.
Let's try to log in as johndoe. Open the AnyConnect client and click Connect. Type johndoe and cisco123 in the username and password fields. Click OK.
We immediately get the login denied message. Click OK and return to pc-inside and look at the ASA logs.
In the Real-Time Log viewer, we confirm that johndoe matched the DfltAccessPolicy DAP policy and was terminated. If you recall, he is a member of the dmz-http-ftp-access-group and we have no DAP policy that matches this AAA attribute yet.
We will now create a DAP policy for the dmz-http-ftp-access-group. In the ASDM on pc-inside, navigate to Configuration > Remote Access VPN > Network (Client) Access and select Dynamic Access Policies. Click Add.
Type dmz-http-ftp-access and Policy to permit http and ftp access to dmz server in the Policy Name and Description fields. Type 51 in the ACL Priority box and select Users has ALL of the following AAA attributes values from the drop down menu.
Click Add and select Cisco from the AAA Attribute Type drop down list. Select the Connection Profile box and select inside-avc-cp from the drop down list. Click OK.
Click Add again to add the second AAA attribute. Select LDAP from the AAA Attribute Type drop down list.
Click Get AD Groups, then click Show All. Scroll down to find the dmz-http-ftp-access-group and click OK.
Click OK.
Select the Network ACL Filters (client) tab and the permit-http-2-dmz Network ACL from the drop down list. Click Add. Now click Manage to create another ACL to permit traffic to the FTP site.
Select the permit-ftp-2-dmz ACL and click Add ACE from the drop down menu.
Type the following information in the ACE:
Action: Permit
Source: Any
Destination: 192.168.1.10
Service: TCP/ftp
Description: permit ftp to dmz server
Click OK.
Click OK.
Select the permit-ftp-2-dmz Network ACL from the drop down list and click Add.
Select the Access Method tab and select AnyConnect Client. Click OK.
We can see both DAP policies in the Dynamic Access Policies view. Notice that the higher ACL Priority number is listed first in the list. The DAP policy with the ACL Priority 51 is higher than the DAP policy with the ACL Priority 50. We will explain the ACL Priority number shortly. Click Apply.
We now return to pc-outside and test johndoe's VPN. Open the AnyConnect client and click Connect. Type johndoe and cisco123 in the username and password fields. Click OK.
Let's go to pc-inside and look at the ASA log again. We confirm that johndoe is successfully authenticated by server 10.0.2.10, and that the dmz-http-ftp-access DAP policy was matched and applied. This is what we expected.
Return to pc-outside to test access. Let's start with a ping test. Try to ping the DMZ server at 192.168.1.10.
Let's next launch Internet Explorer and type ftp://192.168.1.10. This works as expected.
Let's test other resources that johndoe should not have access to. Type http://10.0.2.100/exchange to test webmail access. This fails.
Lastly, let's launch the remote desktop client and test access to the domain controller. From pc-outside, click Start > Programs > Accessories > Remote Desktop Connection. In the Remote Desktop Connection window, type the domain controller's IP address, 10.0.2.10, and click Connect.
We see that this connection fails, as expected. Johndoe only has access to the DMZ server's FTP and web sites.
Click OK.
Close your browser, right click the AVC icon in the system tray and select VPN Disconnect.
At this point we have created two DAP policies and both have tested as expected. Janedoe has access to the DMZ server web site and johndoe has access to the DMZ server web and FTP sites. We will create another DAP policy for the LAN administrators and give them the same DMZ server access as johndoe and RDP access to the domain controller. Lastly, this access is only permissible from a corporate asset computer. From pc-inside, in the ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access and select Dynamic Access Policies. Click Add.
Type dmz-http-ftp-and-dc-rdp-access and Policy to permit http and ftp access to dmz server and rdp to the dc server in the Policy Name and Description. Type 52 in the ACL Priority box.
Select Users has ALL of the following AAA attributes values and click Add. Select Cisco from the AAA Attribute Type drop down list, select the Connection Profile check box, and then select inside-avc-cp from the Connection Profile drop down list. Click OK.
Click Add again to add the second AAA attribute and select LDAP as the AAA Attribute Type.
Click Get AD Groups, then click Show All, select Administrators as the Group Name and click OK twice.
Now that we have our AAA attributes, let's add the Net ACLs. Select the Network ACL Filters (client) tab, select permit-http-2-dmz and permit-ftp-2-dmz from the drop down list and click Add. Now click Manage to launch the ACL Manager.
Type the following information in the ACE:
Action: Permit
Source: Any
Destination: 10.0.2.10
Service: TCP/3389
Description: permit rdp to dc server
Click OK.
Now add the newly created permit-rdp-2-dc ACL to our DAP policy. Select this ACL from the drop down list and click Add. Click OK.
Now we have all three DAP policies listed. Again, the DAP policy with the higher ACL Priority value is listed higher on the DAP list, and the DfltAccessPolicy does not have an ACL Priority number. Let's explain this value. The ASA uses the ACL Priority value to logically sequence the ACLs when aggregating the network and web-type ACLs from multiple DAP records. These are sequenced from higher to lower, and that sequence determines the processing order of the ACLs. It is possible that a remote access user matches more than one DAP policy; therefore, the user may have different levels of access defined through the DAP policies. Again, recall that to match a DAP policy, you will match any or all of the AAA and Endpoint attributes. So when processing the Network and Web based ACLs, the DAP policy with the highest ACL Priority is applied and takes precedence if the ACLs conflict; otherwise, they are aggregated. Click Apply. When was the last time you saved your work? Click Save.
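To make the selection and aggregation rules above concrete, here is an added Python model (example code, not Cisco's and not the lab's own configuration) of the DAP records and network ACLs as configured at this point: a record matches when ALL of its AAA criteria hold, matched records are sequenced by ACL Priority and their ACLs aggregated, and a session that matches no record falls through to the DfltAccessPolicy, which we set to terminate. The attribute keys connection_profile and memberOf, the function names, and the port numbers behind TCP/http, TCP/ftp and TCP/3389 are this example's assumptions.

```python
"""Model of how the ASA selects DAP records and aggregates their network ACLs.

Added example, not Cisco code. Function names and the attribute keys
(connection_profile, memberOf) are assumptions; record names, ACL names and
priorities are those configured in the lab so far.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "icmp"
    dst: str                    # destination host; "any" matches every host
    port: Optional[int] = None  # destination port; None matches any port


@dataclass
class DapRecord:
    name: str
    priority: Optional[int]                       # DfltAccessPolicy has none
    criteria: dict = field(default_factory=dict)  # ALL must match
    network_acls: List[str] = field(default_factory=list)
    action: str = "continue"                      # or "terminate"


# Network ACLs from the ACL Manager (ACEs as entered in the lab).
ACLS = {
    "permit-http-2-dmz": [Ace("permit", "tcp", "192.168.1.10", 80)],
    "permit-ftp-2-dmz": [Ace("permit", "tcp", "192.168.1.10", 21)],
    "permit-rdp-2-dc": [Ace("permit", "tcp", "10.0.2.10", 3389)],
}

# The three DAP records plus the default record. An endpoint attribute (for
# example a registry scan result) would be one more key in the criteria dict;
# the matcher below treats it exactly like an AAA attribute.
DAP_RECORDS = [
    DapRecord("DfltAccessPolicy", None, action="terminate"),
    DapRecord("dmz-http-access", 50,
              {"connection_profile": "inside-avc-cp",
               "memberOf": "dmz-http-access-group"},
              ["permit-http-2-dmz"]),
    DapRecord("dmz-http-ftp-access", 51,
              {"connection_profile": "inside-avc-cp",
               "memberOf": "dmz-http-ftp-access-group"},
              ["permit-http-2-dmz", "permit-ftp-2-dmz"]),
    DapRecord("dmz-http-ftp-and-dc-rdp-access", 52,
              {"connection_profile": "inside-avc-cp",
               "memberOf": "Administrators"},
              ["permit-http-2-dmz", "permit-ftp-2-dmz", "permit-rdp-2-dc"]),
]


def record_matches(record: DapRecord, session: dict) -> bool:
    """ALL semantics: every criterion must hold. memberOf is multi-valued in
    LDAP, so a list in the session matches if it contains the wanted group."""
    for key, wanted in record.criteria.items():
        have = session.get(key)
        if isinstance(have, (list, set, tuple)):
            if wanted not in have:
                return False
        elif have != wanted:
            return False
    return True


def select_dap(session: dict, records=DAP_RECORDS):
    """Return (matched record names, aggregated ACEs, terminate flag).
    Matched records are ordered by ACL Priority, highest first, the order in
    which the ASA sequences their ACLs; with no match DfltAccessPolicy applies."""
    matched = [r for r in records
               if r.priority is not None and record_matches(r, session)]
    if not matched:
        default = next(r for r in records if r.name == "DfltAccessPolicy")
        return [default.name], [], default.action == "terminate"
    matched.sort(key=lambda r: r.priority, reverse=True)
    aces, seen = [], set()
    for rec in matched:
        for acl in rec.network_acls:
            if acl not in seen:      # the same ACL in two records counts once
                seen.add(acl)
                aces.extend(ACLS[acl])
    return [r.name for r in matched], aces, False


def is_permitted(aces, proto: str, dst: str, port: Optional[int] = None) -> bool:
    """First matching ACE decides; no match hits the implicit deny at the end,
    which is why janedoe's ping, FTP and webmail attempts fail."""
    for ace in aces:
        if ace.proto == proto and ace.dst in ("any", dst) and ace.port in (None, port):
            return ace.action == "permit"
    return False


if __name__ == "__main__":
    # The three lab users connecting through the inside-avc-cp profile.
    for user, groups in (("janedoe", ["dmz-http-access-group"]),
                         ("johndoe", ["dmz-http-ftp-access-group"]),
                         ("administrator", ["Administrators"])):
        names, aces, term = select_dap(
            {"connection_profile": "inside-avc-cp", "memberOf": groups})
        print(user, names, "terminate" if term else {
            "http": is_permitted(aces, "tcp", "192.168.1.10", 80),
            "ftp": is_permitted(aces, "tcp", "192.168.1.10", 21),
            "rdp": is_permitted(aces, "tcp", "10.0.2.10", 3389),
            "ping": is_permitted(aces, "icmp", "192.168.1.10")})
```

A session whose memberOf lists groups from two records shows the aggregation: both records match, the priority-52 ACLs are sequenced first, and the shared permit-http-2-dmz ACL is counted once.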
Let's now return to pc-outside and test the administrator's VPN. From pc-outside, type administrator and cisco123 in the username and password fields and click OK.
Let's look at the ASA log on pc-inside. We see that the administrator has successfully authenticated. We also see that the administrator is matching the dmz-http-ftp-and-dc-rdp-access DAP policy. This is great!
Return to pc-outside and test access to resources. The administrator should be able to access the web and FTP sites on the DMZ server and be able to remote to the domain controller. From pc-outside, launch Internet Explorer and type ftp://192.168.1.10. This works.
Let's try to access the email server using webmail. Type http://10.0.2.100/exchange. This does not work, as expected.
Try to connect to the domain controller through remote desktop. Click Start and Run. Type mstsc (MS terminal services client) and click OK.
In the remote desktop connection, type 10.0.2.10 in the computer box and click Connect.
Success! We get the Windows login page. Type administrator and cisco123 in the username and password fields and click OK.
Let's log off the domain controller. Click Start and select Log Off Administrator. ***CAUTION*** Please do not shut down the server. It is a VM image with non-persistent hard drives. There is no way for you to restart this image. We would have to manually restart this image and you would lose all your settings on this server. Also, all LDAP authentication using this server from the ASA would fail!
Close your browser and right click the AVC icon in the system tray and select VPN Disconnect.
If you recall, the requirement for the LAN administrators' access is that it be only from corporate assets. Inside.local has added a registry key to their laptop and computer build to help them distinguish this asset. We need to edit the dmz-http-ftp-and-dc-rdp-access DAP policy to add this endpoint attribute as part of the criteria. In the ASDM from pc-inside, navigate to Configuration > Remote Access VPN > Network (Client) Access and select Dynamic Access Policies. Select the dmz-http-ftp-and-dc-rdp-access DAP policy and click Edit.
We get a warning message that Cisco Secure Desktop is not enabled. This is required in order to perform endpoint scans. Click OK.
Click Cancel to close the Edit Dynamic Access Policy window. We can access Cisco Secure Desktop in a few ways.
In the Setup parameter, click Browse Flash to locate the CSD file.
Check the Enable Secure Desktop check box and click Apply.
Return to the Dynamic Access Policies and edit the dmz-http-ftp-and-dc-rdp-access DAP policy. Navigate to Configuration > Remote Access VPN > Network (Client) Access. Click Edit.
Select Registry from the drop down list. This looks different from the last time we tried to add the registry key.
We see no Endpoint ID to select. We need to create the Endpoint ID in the Host Scan section on CSD and then reference that ID from the DAP policy afterward. Click Cancel twice.
Navigate to Configuration > Remote Access VPN > Secure Desktop Manager and select Host Scan. Notice the information posted on the Host Scan page? We need to create the entries to be scanned here and then reference these entries from the DAP policies.
Enable the Endpoint Assessment ver 3.4.17.1 check box and click Add and select Registry Scan from the drop down list.
Type corp-asset for the Endpoint ID. This is the value we will select in the DAP policy. Select the HKEY_LOCAL_MACHINE\ value from the Entry Path drop down list.
Return to the Dynamic Access Policies configuration and edit the dmz-http-ftp-and-dc-rdp-access DAP policy. Click Add to add the endpoint attribute.
Select Registry from the Endpoint Attribute Type drop down list.
Select the newly created Endpoint ID corp-asset. Check the Value check box and select string from the drop down list and type yes. Select the Caseless check box. Click OK.
Click Apply. You may get an Information pop-up message (if you have the enable preview commands setting in the ASDM preferences) indicating that no CLI changes were made but the DAP selection file needs to be updated. All the DAP information is stored in the dap.xml file on flash. This is good to know, because doing a copy startup-config tftp will NOT back up your DAP policies; you would need to use the backup utility from the ASDM. This is covered in our ASA 8.4 Basics and New Features and Licensing ASA 8.4 and Configuring Failover tech session classes. For more information, you can view these recordings here: https://www.myciscocommunity.com/docs/DOC-6048 Click OK.
Return to pc-outside and edit the registry to emulate a corporate computer. From pc-outside, click on Start > Run and type regedit. Click OK.
In the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE. Right click on the SOFTWARE key and select New > Key.
Type CORPKEY as the name for this new key. Right click CORPKEY and select New > String Value. Type corpasset as the value.
Here is how the registry key should look. Remember, any typing mistake will NOT allow the DAP policy to match and login will be denied.
Close the registry. After changing the registry, you will need to close and re-launch the AnyConnect Secure Mobility client. Launch the AnyConnect client and type administrator and cisco123 in the username and password fields. Click OK.
Let's test access to the FTP and web sites on the DMZ server.
Now let's test remote access to the domain controller. Click Start > Run, type mstsc and click OK.
Type administrator and cisco123 in the username and password fields and click OK.
Close the Remote Desktop window and Disconnect the AVC VPN. Right click the AVC icon in the system tray and click VPN Disconnect.
Time for a reality check. Where are we with Inside.local's requirements? Let's review these requirements and check off what has been completed. Key requirements:
o You must provide the customer a logical topology diagram.
o You need to explain how group policies and DAP policies are applied and the processing order.
o A department should only have access to the DMZ server FTP site.
o A second department should only have access to the DMZ server FTP and WWW sites.
o The LAN Administrators should only have access to the DMZ server FTP and WWW sites as well as remote desktop access to their domain controller.
o Retrieve the users' group membership to determine their level of access to the resources.
o Enforce the policy that all remote access users have their MS personal firewall enabled.
o Provide post-installation recommendations.
We can check off the first six requirements. We are left with the last two. Before we continue and complete the last two requirements, let's test a few more things.
1- Let's modify the registry on pc-outside to a non-corporate build and test the administrator's VPN capability (this should fail).
2- Let's test IPsec VPN. This was originally working and we want to be certain that while Inside.local is migrating to SSL VPN, we did not break their current IPsec VPN.
From pc-outside, let's edit the registry and change the value from yes to no. Click Start > Run and type regedit.
Navigate the registry to the following key, HKEY_LOCAL_MACHINE\SOFTWARE\CORPKEY\corpasset. Right click corpasset and select Modify.
Type no and click OK. Close the registry and right click the AnyConnect client and select VPN Connect.
Type administrator and cisco123 for the username and password and click OK.
As expected, the login is denied. We know that the administrator is now matching the DfltAccessPolicy which is set to Terminate.
Click OK. Let's now return the registry string to yes. Click Start > Run and type regedit.
Navigate the registry to the following key, HKEY_LOCAL_MACHINE\SOFTWARE\CORPKEY\corpasset. Right click corpasset and select Modify.
Let's review the ASA logs from pc-inside. We confirm that the administrator is now matching the dmz-http-ftp-and-dc-rdp-access DAP policy, as expected.
Return to pc-outside, and let's disconnect the AVC client and test the IPsec client. From pc-outside, right click the AVC icon in the system tray and select VPN Disconnect.
Launch the VPN Client shortcut on the desktop, select the inside-ipsec-profile and click Connect.
Type johndoe and cisco123 for the username and password and click OK.
Click OK. Let's return to pc-inside and review the ASA logs. We can see that johndoe's authentication is successful. We see that the inside-ipsec-tunnelgroup group policy is matched and applied. However, if you recall, all the DAP policies match the inside-avc-cp connection profile. The IPsec VPN matches the inside-ipsec-tunnelgroup connection profile; therefore, all IPsec connections will match the DfltAccessPolicy DAP policy and fail.
We need to create one last DAP policy to permit IPsec remote access users to connect successfully. In the ASDM from pc-inside, navigate to Configuration > Remote Access VPN > Network (Client) Access and select Dynamic Access Policies. Click Add.
Type permit-ipsec and Policy to permit ipsec vpn in the Policy Name and Description. Type 53 in the ACL Priority box and select the Users has ALL of the following AAA attributes values from the drop down list.
Click Add and select Cisco from the AAA Attribute Type drop down list. Check the Connection Profile box and select inside-ipsec-tunnelgroup from the drop down list. Click OK.
Click Apply.
Return to pc-outside and test the IPsec VPN again. Type johndoe and cisco123 in the username and password fields. Click OK.
Let's look at the ASA logs on pc-inside. Success! We now see that the IPsec VPN is matching the permit-ipsec DAP policy.
Return to pc-outside and test FTP access to the DMZ server. From pc-outside, launch Internet Explorer and type ftp://192.168.1.10.
Awesome! Close Internet Explorer and right click the IPsec icon in the system tray and select Disconnect.
Exercise 7: Configure Advanced Endpoint Assessment remediation
Select the Windows tab and click Add in the Personal Firewall section.
Scroll down to Microsoft Corp. and select Microsoft Windows Firewall XP SP2+ and click OK.
From the Firewall Action drop down list, select Force Enable. Please note the warning message. This action will remain on the client after the VPN is terminated.
Return to pc-outside and let's test this new policy. Right click the LAN connection icon in the system tray and select Change Windows Firewall settings.
Click Connect. Type administrator and cisco123 in the username and password fields. Click OK.
Review the ASA logs from pc-inside. We confirm that the administrator has been authenticated and that the dmz-http-ftp-and-dc-rdp-access DAP policy was matched.
Let's return to pc-outside and see if the personal firewall setting has changed from Off to On. Right click the LAN connection icon in the system tray and select Change Windows Firewall settings.
We now see that the Firewall setting has indeed changed to On.
Launch Internet Explorer and type ftp://192.168.1.10. We do this to simply generate traffic from the pc-outside.
Right click the LAN connection icon in the system tray again and select Change Windows Firewall settings.
Bingo! The firewall setting has changed again to On. Good job!
Appendix A: Answers to Exercise Questions
Q4.4: Why didn't the AVC client get installed?
Janedoe matched the DfltGrpPolicy, which has the Clientless SSL VPN tunneling protocol enabled. Therefore she was able to log in with the Clientless VPN and no AVC software got installed.
Q4.5: If we were to log in as the administrator, would this be successful?
Yes, the administrator's login would be successful.
Q4.6: Would the administrator get the AVC downloaded and installed, or would his SSL VPN be Clientless?
The administrator would log in using Clientless SSL VPN.
Q4.7: Why do you suspect that the SSL VPN login is still failing?
The login is failing because the correct connection profile, inside-avc-cp, is not being matched.
Q4.8: Why is the authentication going to the local database when we specified in our inside-avc-cp connection profile to use the AD-server AAA server group?
The inside-avc-cp is using the AD-server AAA server group; however, the DfltWEBVPNgroup connection profile is set to local and that connection profile is being matched.
Q6.1: Why is the FTP site now failing?
We only specified access to the DMZ server using the HTTP service. The ASA applied an implicit deny all, so all other attempts to access resources will fail.
ASA 8.4 SSL VPN with DAP Lab Procedures

Appendix B: Final ASA Configuration

 host 192.0.0.252
 description Address_2_PAT_InsideLAN
object network Email_NAT_IP_Address
 host 192.0.0.250
 description NAT-Address-4-EmailServer
object network Email_server
 host 10.0.2.100
 description Inside_email_server
object network DMZ_server
 host 192.168.1.10
 description DMZ_Web_Server
object network Web_NAT_IP_Address
 host 192.0.0.251
 description NAT-Address-4-WebServer
object network VPN-IP-Pool
 subnet 10.1.1.0 255.255.255.192
object network DMZnetwork
 subnet 192.168.1.0 255.255.255.0
 description DMZ network
access-list outside_access_in remark ACE to allow SMTP traffic to the email server
access-list outside_access_in extended permit tcp any object Email_server eq smtp
access-list outside_access_in remark ACE to allow HTTP traffic to the web server
access-list outside_access_in extended permit tcp any object DMZ_server eq www
access-list outside_access_in extended permit tcp any object DMZ_server eq ftp
access-list permit-http-2-dmz remark permit http to dmz server
access-list permit-http-2-dmz extended permit tcp any host 192.168.1.10 eq www
access-list permit-ftp-2-dmz remark permit ftp to dmz server
access-list permit-ftp-2-dmz extended permit tcp any host 192.168.1.10 eq ftp
access-list permit-rdp-2-dc remark permit rdp to dc server
access-list permit-rdp-2-dc extended permit tcp any host 10.0.2.10 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool inside-ipsec-vpn-pool 10.1.1.1-10.1.1.50 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Management0/0
failover replication http
failover link state Ethernet0/3
failover interface ip failover 192.168.60.1 255.255.255.252 standby 192.168.60.2
failover interface ip state 192.168.60.5 255.255.255.252 standby 192.168.60.6
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp deny any outside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static InsideLAN InsideLAN destination static VPN-IP-Pool VPN-IP-Pool
nat (dmz,outside) source static DMZnetwork DMZnetwork destination static VPN-IP-Pool VPN-IP-Pool
!
object network Email_server
 nat (inside,outside) static Email_NAT_IP_Address
object network DMZ_server
 nat (dmz,outside) static Web_NAT_IP_Address
!
nat (inside,outside) after-auto source dynamic InsideLAN Outside_PAT_Address
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.0.1 1
route inside 10.0.0.0 255.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 user-message "You are not authorized to have remote access."
 action terminate
dynamic-access-policy-record permit-ipsec
 description "Policy to permit ipsec vpn"
 priority 53
dynamic-access-policy-record dmz-http-access
 description "Policy to permit http access to dmz server"
 network-acl permit-http-2-dmz
 priority 50
 webvpn
  svc ask none default svc
dynamic-access-policy-record dmz-http-ftp-access
 description "Policy to permit http and ftp access to dmz server"
 network-acl permit-http-2-dmz
 network-acl permit-ftp-2-dmz
 priority 51
 webvpn
  svc ask none default svc
dynamic-access-policy-record dmz-http-ftp-and-dc-rdp-access
 description "Policy to permit http and ftp access to dmz server and rdp to dc server"
 network-acl permit-http-2-dmz
 network-acl permit-ftp-2-dmz
 network-acl permit-rdp-2-dc
 priority 52
aaa-server AD-server protocol ldap
aaa-server AD-server (inside) host 10.0.2.10
 ldap-base-dn dc=inside,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=administrator,cn=users,dc=inside,dc=local
 server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
!
tls-proxy maximum-session 125
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 csd image disk0:/csd_3.5.2008-k9.pkg
 csd enable
 anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1 regex "Windows NT"
 anyconnect enable
 tunnel-group-list enable
group-policy inside-ipsec-tunnelgroup internal
group-policy inside-ipsec-tunnelgroup attributes
 wins-server value 10.0.2.10
 dns-server value 10.0.2.10
 vpn-tunnel-protocol ikev1
 default-domain value inside.local
group-policy inside-avc-gp internal
group-policy inside-avc-gp attributes
 wins-server none
 dns-server value 10.0.2.10
 vpn-tunnel-protocol ssl-client
 default-domain value inside.local
username administrator password e1z89R3cZe9Kt6Ib encrypted privilege 15
tunnel-group inside-ipsec-tunnelgroup type remote-access
tunnel-group inside-ipsec-tunnelgroup general-attributes
 address-pool inside-ipsec-vpn-pool
 authentication-server-group AD-server
 default-group-policy inside-ipsec-tunnelgroup
tunnel-group inside-ipsec-tunnelgroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group inside-avc-cp type remote-access
tunnel-group inside-avc-cp general-attributes
 address-pool inside-ipsec-vpn-pool
 authentication-server-group AD-server
 default-group-policy inside-avc-gp
tunnel-group inside-avc-cp webvpn-attributes
 group-alias inside-vpn enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
service call-home
call-home
 contact-email-addr johndoe@inside.local
 contact-name JohnDoe
 contract-id 123456789
 customer-id 145689
 phone-number 1-234-567-8901
 sender from johndoe@inside.local
 sender reply-to secops@inside.local
 site-id 1
 street-address 123 ABC street, Nowherville, ZX
 mail-server 10.0.2.100 priority 1
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
 profile Inside
  destination address email johndoe@inside.local
  destination transport-method email
  subscribe-to-alert-group configuration export full
Cryptochecksum:68d5be83450be2c7d6042c5b2f065a8d
: end
asdm image disk0:/asdm-641.bin
no asdm history enable
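The DAP records and their network ACLs above, together with the implicit deny behind answer Q6.1 in Appendix A, are easy to reason about wrongly once several records match one session. The following is an added example, not part of the lab guide or of any Cisco tool: a small Python model that parses the DAP-related lines of the running-config (a constructed, trimmed copy of Appendix B is embedded), aggregates the network ACLs of whichever records matched, and evaluates sample flows. It assumes the ASA orders aggregated ACLs by priority with the highest number first, that the DfltAccessPolicy record is applied only when no other record matched, and that each DAP network ACL must be all-permit or all-deny; the last point is enforced as a validation check. ACEs that reference objects or object-groups are skipped, since the model resolves only literal addresses.

```python
"""Added example: model DAP network-ACL aggregation and the implicit deny (not Cisco code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the DAP-related lines from the final configuration.
SAMPLE_CONFIG = """\
access-list permit-http-2-dmz remark permit http to dmz server
access-list permit-http-2-dmz extended permit tcp any host 192.168.1.10 eq www
access-list permit-ftp-2-dmz extended permit tcp any host 192.168.1.10 eq ftp
access-list permit-rdp-2-dc extended permit tcp any host 10.0.2.10 eq 3389
dynamic-access-policy-record DfltAccessPolicy
 user-message "You are not authorized to have remote access."
 action terminate
dynamic-access-policy-record dmz-http-access
 network-acl permit-http-2-dmz
 priority 50
dynamic-access-policy-record dmz-http-ftp-access
 network-acl permit-http-2-dmz
 network-acl permit-ftp-2-dmz
 priority 51
dynamic-access-policy-record dmz-http-ftp-and-dc-rdp-access
 network-acl permit-http-2-dmz
 network-acl permit-ftp-2-dmz
 network-acl permit-rdp-2-dc
 priority 52
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25, "ssh": 22}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


@dataclass
class DapRecord:
    name: str
    priority: int = 0
    action: str = "continue"      # "continue" (default) or "terminate"
    network_acls: List[str] = field(default_factory=list)


def _take_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume an ASA address spec: "any", "host A.B.C.D" or "A.B.C.D MASK"."""
    if t[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text: str) -> Tuple[Dict[str, List[Ace]], Dict[str, DapRecord]]:
    """Extract extended ACLs and DAP records from running-config text."""
    acls: Dict[str, List[Ace]] = {}
    records: Dict[str, DapRecord] = {}
    current: Optional[DapRecord] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        t = raw.split()
        if raw.startswith("dynamic-access-policy-record "):
            current = DapRecord(t[1])
            records[t[1]] = current
        elif raw.startswith(" ") and current is not None:   # attribute of the open record
            if t[0] == "priority":
                current.priority = int(t[1])
            elif t[0] == "action":
                current.action = t[1]
            elif t[0] == "network-acl":
                current.network_acls.append(t[1])
        elif raw.startswith("access-list ") and len(t) > 4 and t[2] == "extended":
            current = None
            if any(x in ("object", "object-group") for x in t[5:]):
                continue                                     # object-based ACEs not modeled
            src, i = _take_addr(t, 5)
            dst, i = _take_addr(t, i)
            dport = None
            if i + 1 < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst, dport))
        else:
            current = None                                   # any other top-level line closes the record
    return acls, records


def aggregate(acls: Dict[str, List[Ace]], records: Dict[str, DapRecord], matched: List[str]) -> List[Ace]:
    """Concatenate the network ACLs of the matched records: highest priority number
    first (assumed ASA ordering), ACLs in record order. Each ACL must be all-permit or all-deny."""
    out: List[Ace] = []
    for rec in sorted((records[n] for n in matched), key=lambda r: r.priority, reverse=True):
        for acl_name in rec.network_acls:
            aces = acls[acl_name]
            if len({a.action for a in aces}) > 1:
                raise ValueError(f"DAP network ACL {acl_name} mixes permit and deny ACEs")
            out.extend(aces)
    return out


def evaluate(acls: Dict[str, List[Ace]], records: Dict[str, DapRecord], matched: List[str],
             proto: str, src: str, dst: str, dport: int) -> str:
    """Return "permit", "deny" or "terminate" for one flow under the matched DAP records."""
    user_records = [n for n in matched if n != "DfltAccessPolicy"]
    if not user_records:
        return records["DfltAccessPolicy"].action      # default record applies only when nothing else matched
    if any(records[n].action == "terminate" for n in user_records):
        return "terminate"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aggregate(acls, records, user_records):  # first match wins
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst \
                and (ace.dport is None or ace.dport == dport):
            return ace.action
    return "deny"                                       # implicit deny at the end of the aggregated ACL (Q6.1)


if __name__ == "__main__":
    acls, records = parse_config(SAMPLE_CONFIG)
    # Web Content user matching only dmz-http-access: HTTP to the DMZ server works, FTP does not.
    print(evaluate(acls, records, ["dmz-http-access"], "tcp", "10.1.1.5", "192.168.1.10", 80))
    print(evaluate(acls, records, ["dmz-http-access"], "tcp", "10.1.1.5", "192.168.1.10", 21))
    print(evaluate(acls, records, [], "tcp", "10.1.1.5", "192.168.1.10", 80))
```

Run it on a fuller copy of the running-config to sanity-check a planned DAP change before an outage window: any flow the model returns "deny" for will need its own permit ACE in one of the matched records, because nothing in the aggregated list lets it through.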