- SSL VPN
- Plug-in
- Port forwarding
- Smart tunnel
- IOS CLI VPN
- AnyConnect
- DTLS
- IKEv2
- Connection profile
- Certificate map
- Group policy
- Trusted network detection
- Deploy
- Posture
- HostScan
- Client scripting
- Start before Logon (SBL)
- AAA
- Local user
- Client certificate
- Address allocation
- Diagnostic and reporting tool (DART
- Modules
- Load-balancing
- Dynamic access policy (DAP)
- NVM
SSL VPN
- access to HTTP, CIFS, FTP resources with browser via portal (ASA ≡ proxy)
- no stateful switchover
- application plug-in and smart tunnel for access to static TCP ports
- does not require admin rights on client
- ASA rewrites URL (= proxy), verifies certificate (no access if fails) not passing it to client
- /admin – ASDM connection
- can go back through Outside because ASA is a proxy ⇒ traffic not transiting ≡ no need for same-security-traffic
(config)# tunnel-group <TGROUP> webvpn-attributes
(config-tunnel-webvpn)# group-url <URL> enable
(config)# webvpn
; enables (D)TLS globally
(config-webvpn)# enable <OUTSIDE_INTF>
; permits tunnel-group selection using alias
(config-webvpn)# tunnel-group-list enable
(config-webvpn)# certificate-group-map <MAP> <n> <TGROUP>
(config)# group-policy <GNAME> attributes
(config-group-policy)# webvpn
(config-group-webvpn)# filter type none | <WEBTYPE ACL>
; bookmarks defined by ASDM (XML)
(config-group-webvpn)# url-list value <LIST>
Plug-in
- do not support high-availability
- applications: RDP, SSH, Telnet, VNC, Citrix
- Java
Port forwarding
- Java, 32bit only
- Windows, Linux, MacOS
- requires admin privileges, client application on host
- modifies hosts file, redirecting traffic to forwarder on 127.0.0.1:port
- if access is via IP directly – modify application settings to point to forwarder
- no HA
- only static TCP ports
- no support for certificates on client
Smart tunnel
- Java, ActiveX, JavaScript
- Windows, MacOS
- does not require admin privileges
- requires client application on host
- Winsock2 (=TCP), process-name based
- static proxy only
- no stateful switchover, HA
- hardcoded to Downloads folder per user
- method:
- smart tunnel list: process list
- bookmark: intercept all browser traffic
IOS CLI VPN
(config)# webvpn gateway <GW>
; VPN IP:port
(config-webvpn-gateway)# ip interface <INTF> port <n>
(config-webvpn-gateway)# ssl trustpoint <TP>
(config-webvpn-gateway)# inservice
(config)# webvpn context <CTX>
(config-webvpn-context)# aaa authentication list <AAA>
(config-webvpn-context)# gateway <GW>
(config-webvpn-context)# default-group-policy <POLICY>
(config-webvpn-context)# inservice
(config-webvpn-context)# url-list <URLS>
(config-webvpn-url)# heading <STR>
(config-webvpn-url)# url-text <STR> url-value <STR>
(config-webvpn-context)# policy group <POLICY>
(config-webvpn-group)# url-list <URLS>
(config-webvpn-group)# svc address-ppol <POOL> netmask <MASK>
(config-webvpn-group)# svc split dns | include | exclude <ACL>
AnyConnect
- modes: IPsec, TLS, DTLS (preferred)
- full access, disabled by default in the group for SSL client
- IKEv2 only (old client used IKEv1, not licensed, ∞ sessions)
- profile ≡ XML
- if client and headend profiles do not match + no profile update is permitted – deny access
- 0.0.0.0/32 in split-tunnel ACL ≡ permit local LAN (adjacent L2)
- stateful switchover with active/standby
- DPD
- 30s keepalive
- 3 keepalives lost ≡ tunnel is dead
- no session tear down, reconnect
- gateway DPD ≈ dead connection detection for TCP
- SSL keepalive
- 20s
- keepalive refreshes state in transit NAT and FW
DTLS
- fallback to TLS requires DPD
- selected by client, ASA sends traffic back using TLS/DTLS of latest packet
(config)# tunnel-group <TGROUP> webvpn-attributes
(config-tunnel-webvpn)# group-url <URL> enable
(config)# webvpn
; enables (D)TLS globally
(config-webvpn)# enable <OUTSIDE_INTF>
(config-webvpn)# anyconnect enable
(config-webvpn)# anyconnect image <path> <priority>
(config-webvpn)# anyconnect profiles <NAME> <path>
(config)# group-policy <GNAME> attributes
(config-group-policy)# webvpn
; enable DTLS for the group, for AnyConnect
(config-group-webvpn)# anyconnect ssl dtls enable
; prompt to download AnyConnect, default – autodownload, webvpn – redirect to portal
(config-group-webvpn)# anyconnect ask enable [default [webvpn]]
; installed default, none uninstalls AnyConnect after logout
(config-group-webvpn)# anyconnect keep-installer installed | none
(config-group-webvpn)# anyconnect profiles value <NAME> type user
IKEv2
- client services: passing XML profile, AnyConnect update, customization file via TLS
; TGROUP ≡ IPsec ID for IKE
(config)# tunnel-group <TGROUP> ipsec-attributes
(config-tunnel-ipsec)# ikev2 remote-authentication certificate
(config-tunnel-ipsec)# ikev2 local-authentication certificate <NAME>
; disables comparison of DN and IKE ID
(config-tunnel-ipsec)# peer-id-validate nocheck
(config)# crypto dynamic-map <DMAP> <n> set transport-set <SET>
(config)# crypto map <SMAP> <n> ipsec-isakmp dynamic <DMAP>
(config)# crypto map <SMAP> interface <INTF>
Connection profile
- pre-login access methods, ≡ tunnel-group
- selection
- manual
- before connection or authC
- URL, dropdown menu
- certificate-based
- OU, CN
- alphabetic priority
- can be used to limit groups that are available for manual selection
- default = DefaultWEBVPNGroup
- ASA: local DB
- FTD: nothing
- TLS or IKEv2 (IKEv1 – DefaultRAGroup)
- match-all in certificate-map
(config)# tunnel-group <TGROUP> type remote-access
(config)# tunnel-group <TGROUP> general-attributes
(config-tunnel-general)# address-pool <POOL>
(config-tunnel-general)# default-group-policy <GNAME>
(config-tunnel-general)# authetication-server-group <AAA>
Certificate map
(config)# crypto ca certificate map <MAP> <n>
(config-ca-cert-map)# subject-name co <SN>
; MAP:n → TGROUP
(config)# tunnel-group-map <MAP> <n> <TGROUP>
(config)# tunnel-group-map default-group <TGROUP>
; default: rules off
(config)# tunnel-group-map enable rules | ou | ike-id | peer-ip
Group policy
- post-login: IP pool, DNS, ACL, banner
- inherit from DfltGrpPolicy
- attributes precedence:
- assigned to user
- assigned to group policy for user
- defined locally
- AAA sends only policy name: RADIUS attribute 25
- assigned to group policy for connection profile
- assigned to default group policy
- dynamic access policy
- external group policy: RADIUS, LDAP
; local DB vs RADIUS/LDAP
(config)# group-policy <GNAME> internal|external
(config)# group-policy <GNAME> attributes
(config-group-policy)# vpn-tunnel-protocol ikev1 | ikev2 | ssl-client | ssl-clientless
(config-group-policy)# split-tunnel-policy tunnelall | tunnelspecified | excludespecified
(config-group-policy)# split-tunnel-network-list value <ACL>
(config-group-policy)# split-dns value <DOMAINLIST>
; all DNS into VPN, if fails – unresolved
(config-group-policy)# split-tunnel-all-dns enable | disable
(config-group-policy)# vpn-filter value <ACL>
; giaddr for DHCP pool selection
(config-group-policy)# dhcp-network-scope <IP>
Trusted network detection
- if network is untrusted → autoconnect VPN
- detection: domain name + DNS servers (full match)
- match on one domain is enough
- DNS server list must match as a whole
- if manually disabled – no network connection
Deploy
- predeploy: manual, software management system
- web deploy: ASA/FTD, ISE portal
- cloud upgrade via Umbrella Roaming Security
Posture
- requires ISE and ISE Posture profile
- OPSWAT module
- client-side evaluation (HostScan – server-side, incompatible)
HostScan
- determines OS, service pack, files, registry keys, MAC, IP, BIOS SN, OPSWAT version, processes
- server-side
- result – dynamic access policy (XML)
- types
- basic
- endpoint assessment: AV, antispyware, FW
- advanced endpoint assessment: remediation
Client scripting
- login/logout events
- map/unmap network drive
Start before Logon (SBL)
- Windows only
- enables VPN before logon
- no effect if located in trusted network
- GINA module
- login using domain controller
AAA
- RADIUS, AD, LDAP, RSA SecurID, Kerberos
- double authC:
- RSA SDI (system diagnostic interface) + LDAP
- certificate + RADIUS
- certificate + RADIUS + RSA SDI
- accounting mode: RADIUS/TACACS+
- simultaneous: sends to all servers
- single: sends to single server
- reactivation mode: RADIUS/TACACS+
- depletion: failed server is considered active only after whole group has failed within 10 minutes
- timed: failed → active after 30s
Local user
(config)# username <USER> password <PASS>
(config)# username <USER> attributes
(config-username)# vpn-group-policy <GPOLICY>
(config-username)# service-type remote-access | nas-prompt | admin
Client certificate
- methods
- manual
- AD certificate service
- SCEP
- ASA-as-a-proxy (AnyConnect 3.0)
- direct (AnyConnect 2.4)
- revoke
- CRL: LDAP, HTTP, SCEP
- OCSP
- AAA
- username = certificate field, password = predefined
- revoked ≡ not in RADIUS DB
Address allocation
- AAA
- DHCP
- internal address pool
- user assignment
- does not depend on AnyConnect version
Modules
- installation sequence
- core
- SBL, NAM, Posture, Web Security
- NVM: requires Posture
Load-balancing
- no stateful switchover
- non-deterministic
- receives FQDN from DNS PTR
- UDP 9023 on internal interfaces, must be in the same subnet
- master
- first to boot → higher priority
- no preemption
(config)# vpn load-balancing
(config-load-balancing)# interface lbprivate | lbpublic <INTF>
(config-load-balancing)# priority <n>
; by default redirect by IP
(config-load-balancing)# redirect-fqdn enable
(config-load-balancing)# cluster ip address <IP>
(config-load-balancing)# cluster key <KEY>
(config-load-balancing)# cluster encryption
(config-load-balancing)# cluster port <UDP>
(config-load-balancing)# participate
Dynamic access policy (DAP)
- attributes:
- endpoint: posture result
- user AAA: types Cisco, LDAP, RADIUS
- DAP result ≡ all matched records except DfltAccessPolicy (not first-match like ACL)
- action: terminate > quarantine > continue
- function: auto-start > enable > disable > unchanged
NVM
- network visibility module
- ~Netflow sensor, uses nvzFlow protocol ≡ IPFIX extension
Networking and IT 