SIMOS 4005 ASA Clientless SSL VPN Configuration v001

CCNP Security – SIMOS

ASA Clientless SSL VPN Configuration


ASA Configuration Steps
» ASA requires an identity certificate for all SSL VPN
connections
• Use a self-signed certificate
• Temporary self-signed certificate, generated and used by default (regenerated on reload)
• Persistent self-signed certificate, configured by the administrator
• Use a certificate issued by a trusted CA
• Enroll the trustpoint with the CA
• Bind the trustpoint to the VPN-terminating interface for SSL VPN connections (ssl trust-point)

Copyright © www.ine.com
ASA Configuration Steps
» Activate the web portal on the VPN-terminating
interface
• Optionally change the default port 443 (not recommended)
• Optionally publish the list of tunnel-group aliases in the portal
» Optional but recommended: restrict the supported
encryption/hashing algorithms (cipher suites) for SSL sessions
• Also restrict the SSL/TLS version for the server and client side

ASA Configuration Steps
» Configure authorization parameters
• Bookmarks
• Port-forwarding
• Smart Tunneling
» If bookmarks are configured with an FQDN
• Configure a DNS server group and enable domain-lookup on the interface facing the DNS server
• Apply the DNS server group at the tunnel-group level
» Configure a group-policy
• The default one (DfltGrpPolicy) could be used, but this is not recommended
• Bind the authorizations to the group-policy
ASA Configuration Steps
» Configure a tunnel-group (connection profile)
• The default one could be used, but this is not recommended
• Configure the authentication type; the default is local AAA (LOCAL database)
• Bind the configured group-policy
• The default group-policy could be used, but this is not recommended
• Optionally, customize the web portal
• Optionally configure an alias to be published in the web
portal's connection-profile list
ASA Configuration Steps
» Configure the user in the local database
• Optionally restrict the user to a specific
tunnel-group/connection-profile (group-lock)
• Recommended
• Optionally configure user-specific authorizations
• Only if you want per-user authorization
• Optionally bind a group-policy to the user
• Only if you want per-user authorization
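The configuration steps above carried through end to end as one ASA CLI example. This is an added illustration, not configuration from the original slides or from INE; it assumes ASA 9.3(2)-or-later syntax (for the ssl cipher command), that "outside" is the VPN-terminating interface, and that the bookmark list BOOKMARKS has already been created in ASDM or imported with "import webvpn url-list". Interface names, hostnames, the 10.1.1.10 DNS server, object names (SSLVPN-TP, PF-LIST, ST-LIST, CLIENTLESS-GP, CLIENTLESS-TG) and the user "alice" are hypothetical.

```cisco
! --- 1. Certificate: persistent self-signed identity cert on a dedicated trustpoint
!     (for production, enrol the same trustpoint with a trusted CA instead)
crypto key generate rsa label SSLVPN-KEY modulus 2048
crypto ca trustpoint SSLVPN-TP
 enrollment self
 subject-name CN=vpn.example.com
 keypair SSLVPN-KEY
crypto ca enroll SSLVPN-TP noconfirm
! Bind the trustpoint to the VPN-terminating interface
ssl trust-point SSLVPN-TP outside

! --- 2. TLS hardening: restrict protocol versions and cipher suites
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high

! --- 3. Activate the portal on the outside interface (default port 443 kept)
webvpn
 enable outside
 tunnel-group-list enable
 ! Authorization objects: a port-forwarding list and a smart-tunnel list
 port-forward PF-LIST 3389 rdp.example.com 3389 RDP-to-jump-host
 smart-tunnel list ST-LIST putty putty.exe platform windows

! --- 4. DNS, needed because bookmarks use FQDNs
dns domain-lookup inside
dns server-group DNS-INTERNAL
 name-server 10.1.1.10
 domain-name example.com

! --- 5. Group-policy: clientless only, with the authorizations bound to it
group-policy CLIENTLESS-GP internal
group-policy CLIENTLESS-GP attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value BOOKMARKS
  port-forward enable PF-LIST
  smart-tunnel enable ST-LIST

! --- 6. Tunnel-group (connection profile): local auth, group-policy, alias, DNS group
tunnel-group CLIENTLESS-TG type remote-access
tunnel-group CLIENTLESS-TG general-attributes
 authentication-server-group LOCAL
 default-group-policy CLIENTLESS-GP
tunnel-group CLIENTLESS-TG webvpn-attributes
 group-alias Clientless enable
 dns-group DNS-INTERNAL

! --- 7. Local user, locked to this connection profile (no CLI access: privilege 0)
username alice password S3cret!Pass privilege 0
username alice attributes
 service-type remote-access
 group-lock value CLIENTLESS-TG
```

The group-lock is what stops a user who knows another connection profile's alias from selecting it in the portal drop-down; service-type remote-access and privilege 0 keep a portal-only account from doubling as a management login. Confirm the result with show ssl, show crypto ca certificates, and show webvpn group-alias before testing a browser login.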

ASA Verification Steps
» Verify tunnel-group aliases
• show webvpn group-alias
» Verify active connections
• show vpn-sessiondb detail webvpn
» Verify webvpn statistics
• show webvpn statistics

ASA Troubleshooting Steps
» Troubleshoot authentication
• debug webvpn 255
• debug radius / debug ntdomain / debug ldap (depending on the AAA server type)
» Troubleshoot resource access
• debug webvpn cifs / debug webvpn nfs (file shares)
• debug webvpn citrix / debug webvpn javascript (application and content rewriting)

Q&A
