Lecture CCNA security partner - Chapter 15: SSL VPNs with Cisco ASA

Document information

Pages: 47
Size: 1.89 MB

Content

This chapter describes the use cases and operational requirements of SSL VPNs and offers a detailed presentation on the operations of SSL. The chapter explains configurations, deployment options, and design considerations. It describes the steps to configure both Cisco VPN clientless mode and Cisco full-tunnel mode on Cisco ASA using the Cisco AnyConnect client.

Slide 1: Chapter 15 SSL VPNs with Cisco ASA

© 2012 Cisco and/or its affiliates All rights reserved

Slide 2: Contents

This chapter prepares you to meet these objectives:

• Describe the use cases and operational requirements of Cisco SSL VPNs
• Describe the protocol framework for SSL and TLS
• Describe a configuration that is based on SSL VPN deployment options and other design considerations
• Describe the steps to configure Cisco VPN clientless mode on Cisco ASA and demonstrate the configuration on Cisco ASDM
• Describe the steps to configure Cisco full-tunnel mode on Cisco ASA and demonstrate the configuration on Cisco ASDM using the Cisco AnyConnect VPN Client

Slide 3

• Remote-access and mobility services have gone through drastic changes in the past few years
• There are three market transitions driving the network architectures of

Slide 4: Cisco SSL VPN

• The Cisco SSL VPN technology provides remote-access connectivity from almost any Internet-enabled location with a web browser and its native SSL encryption
• Cisco SSL VPN provides the flexibility to support secure access for all users, regardless of the endpoint host from which they establish a connection
• If application access requirements are modest, SSL VPN does not require a software client to be preinstalled on the endpoint host
• This ability enables companies to extend their secure enterprise networks to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location
• Cisco SSL VPN currently delivers three modes of Cisco SSL VPN access: clientless, thin client, and full client

Slide 5: Clientless SSL VPN Versus IPsec VPN

Slide 6: SSL and TLS Protocol Framework

• SSL and TLS provide confidentiality, integrity, and authentication services to the applications that use them
• SSL is used to encrypt and authenticate the session layer and above
• As such, it encrypts more than just HTTP (called HTTPS); it can also encrypt FTP (thus FTPS), POP (for POPS), LDAP (for LDAPS), wireless security (EAP-TLS), and others

Slide 7: SSL/TLS Encapsulation

Slide 8: SSL and TLS

Slide 9: SSL Cryptography

Slide 10: SSL Tunnel Establishment

Slide 11: SSL Tunnel Establishment Example

Slide 12: Example of an HTTPS Session

• Steps A to I illustrate steps between the Blue Bank server and VeriSign
• Steps 1 to 11 illustrate steps between the HTTPS client and the Blue Bank server

Slide 13: Cisco SSL VPN Deployment Options and Considerations

Slide 14

Slide 15: Two Main SSL Deployment Modes

Slide 16: Cisco SSL VPN Client: Full Network Access

• The following are among the many features of the Cisco AnyConnect VPN client:

Slide 17: SSL VPN on Cisco ASA in Clientless Mode

• Task 1: Launch the Clientless SSL VPN Wizard from ASDM
• Task 2: Configure the SSL VPN interface
• Task 3: Configure user authentication
• Task 4: Configure user group policy
• Task 5: Configure a bookmark list
• Task 6: Verify the Clientless SSL VPN Wizard configuration

Slide 18: Clientless Configuration Scenario

Clientless SSL VPN Configuration Topology

Slide 19: Task 1: Launch the Clientless SSL VPN Wizard from ASDM

Wizards > VPN Wizards > Clientless SSL VPN Wizard

Slide 20: Task 2: Configure the SSL VPN Interface

Slide 21: Task 3: Configure User Authentication

Slide 22: Task 4: Configure User Group Policy

Slide 23: Task 5: Configure a Bookmark List

Slide 24: Creating a Bookmark List

Slide 25: Task 6: Verify the Clientless SSL VPN Wizard Configuration

Slide 26: Log In to the VPN Portal: Clientless SSL VPN

Slide 27: Resources Accessible in the Portal

Slide 28: SSL VPN on ASA Using the Cisco AnyConnect VPN Client

Slide 29: Major phases

• There are three major phases to configuring SSL VPN full-tunnel mode using Cisco ASDM so that remote clients will connect using Cisco AnyConnect:

Slide 30: Cisco AnyConnect Configuration Scenario

Slide 31: Phase 1: Configure Cisco ASA for Cisco AnyConnect

Eight tasks are required for configuring the Cisco ASA for AnyConnect, which will be further outlined in this section:

1. Configure the connection profile
2. Configure VPN protocols and the device certificate
3. Configure the client image
4. Configure the authentication methods
5. Configure the client address management
6. Configure the network name resolution servers
7. Configure the network address translation exemption
8. Configure the AnyConnect client deployment summary
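The eight tasks above are what the ASDM AnyConnect wizard drives; as an added example that is not part of the deck, here is the equivalent ASA 8.4-style CLI the wizard produces, one block per task. Interface names (inside/outside), object, pool and trustpoint names, IP ranges, the hostname vpn.example.com and the client image file name are assumptions (the image name is a placeholder because the page gives none).

```cisco
! Task 2: SSL on the outside interface with a self-signed device certificate
!         (a CA-issued certificate is the normal choice in production)
crypto ca trustpoint ASA-SSL-TP
 enrollment self
 subject-name CN=vpn.example.com
crypto ca enroll ASA-SSL-TP noconfirm
ssl trust-point ASA-SSL-TP outside
!
! Task 3: AnyConnect client image in flash (file name is a placeholder)
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Task 5: address pool assigned to connected clients
ip local pool ANYCONNECT-POOL 192.168.50.10-192.168.50.100 mask 255.255.255.0
!
! Task 6: name resolution servers pushed to clients through the group policy
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.53
 default-domain value example.com
!
! Task 1 and Task 4: connection profile with local (LOCAL database)
! authentication; accounts are created separately with
! "username <name> password <secret>" and are omitted here
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 authentication-server-group LOCAL
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias AnyConnect enable
!
! Task 7: NAT exemption so inside-to-VPN-pool traffic keeps its real addresses
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
object network ANYCONNECT-NET
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static ANYCONNECT-NET ANYCONNECT-NET no-proxy-arp route-lookup
!
! Task 8 / Phase 3: confirm a connected AnyConnect session and its assigned address
show vpn-sessiondb anyconnect
```

Without the Task 7 exemption, inside hosts answering VPN clients are translated by the general outbound NAT and return traffic never reaches the tunnel, which is the most common reason a freshly built AnyConnect profile connects but passes no traffic.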

Slide 32: Task 1: Connection Profile Identification

Slide 33: Task 2: VPN Protocols and Device Certificate

Slide 34: Task 3: Client Image

Slide 35: Selecting the Client Image

Slide 36: Task 4: Authentication Methods

Slide 37: Task 5: Client Address Assignment

Slide 38: Task 6: Network Name Resolution Servers

Slide 39: Task 7: Network Address Translation Exemption

Slide 40: Task 8: AnyConnect Client Deployment Summary

Slide 41: Phase 2: Configure the Cisco AnyConnect VPN Client

Connecting to the Portal to Eventually Request an AnyConnect Installation Download

Slide 42: Cisco AnyConnect Installed from a VPN Clientless Session

Slide 43: Phase 3: Verify VPN Connectivity with Cisco AnyConnect VPN Client

Slide 44: Detailed Information on Current VPN Session

Slide 45: Summary

The key points covered in this chapter are as follows:

• Market trends drive the need for effective remote-access security and present challenges to the IT organization
• The SSL protocol uses the cryptology concepts presented in this chapter
• Cisco SSL VPN solutions include clientless and full client tunnel modes

Slide 46: References

• For additional information, refer to this resource:

Press)

Slide 47

Posted: 30/01/2020, 10:58