Cisco Labs – Network Security (13) – Easy VPN server on ASA, SW client – physical lab

Posted on by

Introduction

During my university studies I was doing a diploma thesis in field of Redundant and reliable networking. The purpose of itwas to create LAB examples for students, so they can test Basic settings for VPN, IPS and others. These tasks are created to Virtlab (Virtual lab with physical Cisco routers) however configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its separate post with brief description of the task and schema. Complete task can be downloaded on My Onedrive

NS2 – Modul2 6.7.1 ASA task definition

Easy VPN server on ASA, SW client

Goal

  • Configure WebVPN server on ASA.
  • Inicialize tunnel.
  • Generate a test connection thru HTTP.
  • Use Anyconnect client in advanced task.
  • Do not forget to clear configuration before start.

Required time

2 hours

Theoretical background

Here will be short theoretical background for solving this task.

Topology

NS2-6.7.1_ASA_topology1_PHYSICAL

Configuration

PC1

ifconfig INT4 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT4

SERVER

R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT3
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model									;define authentication policy
SERVER(config)#aaa authentication login telnet local  						;authenticate locally
SERVER(config)#username cisco password cisco							;authenticate by this username and password                
SERVER(config)#enable password cisco								;set enable password for privileged mode
SERVER(config)#ip http server									;enable HTTP server
SERVER(config)#ftp-server enable								;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/							;set top directory for FTP server
SERVER(config)#line vty 0 4									;enable tenlnet connections

ASA

1) Interface settings, Access lists

ciscoasa(config)# hostname ASA-GATE
ASA-GATE(config)# domain-name test
ASA-GATE(config)# interface INT1
ASA-GATE(config-if)# ip address 192.168.0.1 255.255.255.0
ASA-GATE(config-if)# nameif outside
ASA-GATE(config-if)# no shutdown

ASA-GATE(config)# interface INT2
ASA-GATE(config-if)# ip address 10.0.0.1 255.255.255.0
ASA-GATE(config-if)# nameif inside
ASA-GATE(config-if)# no shutdown

2) WebVPN configuration

ASA-GATE(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20				;set IP pool for webvpn clients
ASA-GATE(config)# route inside 0.0.0.0 0.0.0.0 10.0.0.100 1					;set default route
ASA-GATE(config)# webvpn									;configure WebVPN service
ASA-GATE(config-webvpn)# port-forward PORTFORWARD 2023 10.0.0.100 telnet			;configure port forwarding for thin Java client
ASA-GATE(config-webvpn)# port-forward PORTFORWARD 2024 10.0.0.100 ftp								
ASA-GATE(config-webvpn)# enable outside								;select interface on which VebWPN will be available

ASA-GATE(config)# group-policy MYPOLICY internal						;configure WebVPN policy
ASA-GATE(config)# group-policy MYPOLICY attributes
ASA-GATE(config-group-policy)# webvpn
ASA-GATE(config-group-webvpn)# port-forward auto-start PORTFORWARD				;enable port forwarding automatically
ASA-GATE(config-group-webvpn)# default-domain value test.vsb

ASA-GATE(config)# username VPNUSER password cisco						;configure WebVPN profile 
ASA-GATE(config)# tunnel-group WEBVPNGROUP type remote-access
ASA-GATE(config)# tunnel-group WEBVPNGROUP general-attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL
ASA-GATE(config-tunnel-general)# default-group-policy MYPOLICY

Function test

F1) Turn on debugging

ASA-GATE(config)# debug crypto isakmp
ASA-GATE(config)# debug crypto engine
ASA-GATE(config)# debug crypto ipsec
ASA-GATE(config)# logging console debugging

F2) Generate test connection

Execute WEB browser and type https://192.168.0.1 to iys address bar.

Enter username and password to logon screen

See picture

NS2-6.7.1_ASA_DIA1-1

Enter web address to https session and you will see its default web page, my example shows Linux Debian web page.

NS2-6.7.1_ASA_DIA1-2

Check increasing number of SSL encrypted packets by issuing this command

ASA-GATE#sh crypto protocol statistics ssl

NS2-6.7.1_ASA_DIA1-3

And finally check VPN sessions.

ASA-GATE(config)# sh vpn-sessiondb webvpn

F5) Delete tunnel and reinitialize new one

Tunnel could be deleted by pressing logout link in your web browser.

Optional tasks

  • Configure Anyconnect client part of configuration.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s