Introduction
During my university studies I wrote a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples for students so they can test basic settings for VPN, IPS and other features. The tasks were created for Virtlab (a virtual lab built on physical Cisco routers); the configurations are also valid and were tested on physical Cisco routers.
Each task in the series has its own post with a brief description of the task and a schema. The complete task can be downloaded from my OneDrive.
NS2 – Modul2 6.7.1 ASA task definition
Easy VPN server on ASA, SW client
Goal
- Configure a WebVPN server on the ASA.
- Initialize the tunnel.
- Generate a test connection through HTTP.
- Use the AnyConnect client in the advanced task.
- Do not forget to clear the configuration before you start.
Required time
2 hours
Theoretical background
A short theoretical background for solving this task will be added here.
Configuration
PC1
ifconfig INT4 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT4
SERVER
R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT3
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model ;enable AAA; the method lists below only take effect once AAA is on
SERVER(config)#aaa authentication login telnet local ;method list named "telnet": authenticate against the local user database
SERVER(config)#username cisco password cisco ;local account used by the "telnet" list (plaintext in this lab; use "username ... secret" outside of it)
SERVER(config)#enable password cisco ;set enable password for privileged mode
SERVER(config)#ip http server ;enable HTTP server
SERVER(config)#ftp-server enable ;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/ ;set top directory for FTP server
SERVER(config)#line vty 0 4 ;enable telnet connections
SERVER(config-line)#login authentication telnet ;apply the "telnet" method list to the vty lines; without this the list defined above is never used
ASA
1) Interface settings, Access lists
ciscoasa(config)# hostname ASA-GATE
ASA-GATE(config)# domain-name test
ASA-GATE(config)# interface INT1
ASA-GATE(config-if)# ip address 192.168.0.1 255.255.255.0
ASA-GATE(config-if)# nameif outside ;no security-level given, so the ASA assigns 0 (untrusted side, where PC1 lives)
ASA-GATE(config-if)# no shutdown
ASA-GATE(config)# interface INT2
ASA-GATE(config-if)# ip address 10.0.0.1 255.255.255.0
ASA-GATE(config-if)# nameif inside ;the name "inside" gets security-level 100 by default
ASA-GATE(config-if)# no shutdown
2) WebVPN configuration
ASA-GATE(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20 ;IP pool for VPN clients (only needed by the AnyConnect part; the clientless portal assigns no address)
ASA-GATE(config)# route inside 0.0.0.0 0.0.0.0 10.0.0.100 1 ;set default route
ASA-GATE(config)# webvpn ;configure the WebVPN service
ASA-GATE(config-webvpn)# port-forward PORTFORWARD 2023 10.0.0.100 telnet ;port forwarding for the thin Java client: local port 2023 -> 10.0.0.100:23
ASA-GATE(config-webvpn)# port-forward PORTFORWARD 2024 10.0.0.100 ftp ;local port 2024 -> 10.0.0.100:21; note the SERVER router above is configured as 10.0.0.254, so point these at whichever host actually runs telnet and FTP
ASA-GATE(config-webvpn)# enable outside ;interface on which WebVPN will be available
ASA-GATE(config-webvpn)# tunnel-group-list enable ;show the group drop-down on the portal login page, so the user can pick WEBVPNGROUP instead of landing in DefaultWEBVPNGroup
ASA-GATE(config)# group-policy MYPOLICY internal ;configure the WebVPN policy
ASA-GATE(config)# group-policy MYPOLICY attributes
ASA-GATE(config-group-policy)# vpn-tunnel-protocol webvpn ;allow clientless SSL VPN for this policy (keyword is "ssl-clientless" on ASA 8.4 and later)
ASA-GATE(config-group-policy)# webvpn
ASA-GATE(config-group-webvpn)# port-forward auto-start PORTFORWARD ;start port forwarding automatically after login
ASA-GATE(config-group-webvpn)# default-domain value test.vsb
ASA-GATE(config)# username VPNUSER password cisco ;configure the WebVPN user
ASA-GATE(config)# tunnel-group WEBVPNGROUP type remote-access
ASA-GATE(config)# tunnel-group WEBVPNGROUP general-attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL
ASA-GATE(config-tunnel-general)# default-group-policy MYPOLICY
ASA-GATE(config)# tunnel-group WEBVPNGROUP webvpn-attributes
ASA-GATE(config-tunnel-webvpn)# group-alias WEBVPNGROUP enable ;name offered in the portal's group drop-down
Function test
F1) Turn on debugging
ASA-GATE(config)# debug webvpn ;clientless SSL VPN is what this task uses; this shows portal logins and session setup
ASA-GATE(config)# debug crypto isakmp ;the three crypto debugs cover IPsec (ISAKMP and IPsec SAs) and stay silent for an SSL-only session; keep them for the IPsec tasks
ASA-GATE(config)# debug crypto engine
ASA-GATE(config)# debug crypto ipsec
ASA-GATE(config)# logging console debugging
F2) Generate test connection
Start a web browser and type https://192.168.0.1 into its address bar.
Enter the username and password on the logon screen.
See picture
Enter a web address in the portal's URL field; the page is fetched through the HTTPS session and you will see the target's default web page. My example shows a Debian Linux default page.
F3) Check that the number of SSL-encrypted packets increases by issuing this command
ASA-GATE#sh crypto protocol statistics ssl
F4) Finally, check the VPN sessions.
ASA-GATE(config)# sh vpn-sessiondb webvpn
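The two show commands in F3 and F4 are the actual proof that the task worked: a clientless session for VPNUSER must exist in the right group policy and tunnel group, and the SSL counters must have moved between a snapshot taken before the browser test and one taken after. The script below automates that check. It is an added example, not part of the original task or of the ASA; the two command outputs are constructed samples modelled on the ASA's output layout (field names such as "Username", "Protocol", "Group Policy" and "Encrypt packet requests" are assumed, and column widths on a real box may differ), so adjust the regular expressions if your software version prints them differently.

```python
import re

# Constructed sample of "show vpn-sessiondb webvpn" (not captured from a real ASA).
SESSIONDB_SAMPLE = """\
Session Type: WebVPN

Username     : VPNUSER                Index        : 3
Public IP    : 192.168.0.100
Protocol     : Clientless
License      : SSL VPN
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 48213                  Bytes Rx     : 9871
Group Policy : MYPOLICY               Tunnel Group : WEBVPNGROUP
Login Time   : 14:02:11 UTC Thu May 17 2012
Duration     : 0h:03m:42s
"""

# Constructed snapshots of "show crypto protocol statistics ssl", taken before
# and after the browser test (field names assumed).
SSL_STATS_BEFORE = """\
[SSL statistics]
Encrypt packet requests: 1120
Encapsulate packet requests: 1120
Decrypt packet requests: 1384
Decapsulate packet requests: 1384
Failed encrypt requests: 0
Failed decrypt requests: 0
"""
SSL_STATS_AFTER = """\
[SSL statistics]
Encrypt packet requests: 1187
Encapsulate packet requests: 1187
Decrypt packet requests: 1452
Decapsulate packet requests: 1452
Failed encrypt requests: 0
Failed decrypt requests: 0
"""

# One "Key : Value" pair; the ASA prints up to two pairs per line separated by
# runs of spaces, while a value itself (e.g. the login time) only has single spaces.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+(?: \S+)*)")


def parse_sessions(text):
    """Turn the sessiondb listing into one dict per session.
    Every 'Username' field starts a new session record."""
    sessions = []
    for line in text.splitlines():
        for key, value in FIELD_RE.findall(line):
            if key == "Username":
                sessions.append({})
            if sessions:                      # skip the header before the first session
                sessions[-1][key] = value
    return sessions


def parse_ssl_stats(text):
    """Map each 'name: number' line of the SSL statistics to an int."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def check_session(sessions, user, group_policy, tunnel_group):
    """Return the clientless session of `user` that landed in the expected
    group policy and tunnel group, or None if there is no such session
    (e.g. the user ended up in DefaultWEBVPNGroup)."""
    for s in sessions:
        if (s.get("Username") == user and s.get("Protocol") == "Clientless"
                and s.get("Group Policy") == group_policy
                and s.get("Tunnel Group") == tunnel_group):
            return s
    return None


def ssl_counters_increased(before, after):
    """True if both the encrypt and decrypt request counters grew between the
    snapshots and no new SSL failures were recorded in the meantime."""
    grew = all(after[k] > before[k]
               for k in ("Encrypt packet requests", "Decrypt packet requests"))
    no_new_failures = all(after[k] == before[k]
                          for k in ("Failed encrypt requests", "Failed decrypt requests"))
    return grew and no_new_failures


if __name__ == "__main__":
    hit = check_session(parse_sessions(SESSIONDB_SAMPLE), "VPNUSER", "MYPOLICY", "WEBVPNGROUP")
    print("session:", "ok" if hit else "missing or in the wrong group", hit or "")
    before, after = parse_ssl_stats(SSL_STATS_BEFORE), parse_ssl_stats(SSL_STATS_AFTER)
    print("ssl counters increased:", ssl_counters_increased(before, after))
```

Paste the real outputs into the two sample strings (or read them from files) when running it against the lab; a session that shows up under DfltGrpPolicy or DefaultWEBVPNGroup means the login went to the default tunnel group and MYPOLICY with its port forwarding was never applied.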
F5) Delete the tunnel and initialize a new one
The tunnel can be deleted by clicking the logout link in your web browser; logging in again creates a new session.
Optional tasks
- Configure the AnyConnect client part of the configuration.