Deployment Scenarios of WebVPN

The Cisco WebVPN solution is useful in deployments where remote and home users need limited application support without installing a separate VPN client. The WebVPN solution can be deployed in many ways; however, the sections that follow cover two design scenarios for ease of understanding:

  • WebVPN with external authentication
  • WebVPN with e-mail proxies

Note

The design scenarios discussed in this section should be used solely to reinforce learning. They should be used for reference purposes only.

 

WebVPN with External Authentication

SecureMe has recently learned about the WebVPN functionality in Cisco ASA and wants to deploy it for a group of mobile contractors in London who do not have access to Cisco VPN Client. These contractors use a web server for browsing, a terminal server, and a Windows file server to save and retrieve their documents.

Figure 16-24 shows SecureMe's network topology for WebVPN.

Figure 16-24. SecureMe's WebVPN topology in London

The security requirements for SecureMe's London office are as follows:

  • Allow access to a web server with an IP address of 192.168.30.150
  • Deny access to the internal web-server located at wwwin.securemeinc.com
  • Allow access to a file server with an IP address of 192.168.30.151
  • Allow access to a terminal server with an IP address of 192.168.30.160
  • Use an SDI server as the external database for user lookup

Example 16-90 shows the relevant configuration of the London ASA.

Example 16-90. Relevant WebVPN Configuration for the London ASA

London# show running-config

: Saved

:

ASA Version 7.0(1)

! ip address on the outside interface

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 209.165.201.1 255.255.255.0

! ip address on the inside interface

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.30.1 255.255.255.0

!

hostname London

domain-name securemeinc.com

! DNS lookup for hostname

dns domain-lookup inside

dns name-server 192.168.30.200

! WebVPN ACL to deny users to access wwwin.securemeinc.com using HTTP

access-list HTTP webtype deny url http://wwwin.securemeinc.com

access-list HTTP webtype permit url any

! Default Gateway

route outside 0.0.0.0 0.0.0.0 209.165.201.2 1

! URL Mangling. A link to an internal web-server at 192.168.30.150 is displayed

url-list HTTP_Link "Internal" http://192.168.30.150

! Port Forwarding for Terminal Services using local port 1100

port-forward TerminalServer 1100 192.168.30.160 3389

! SDI configuration for user authentication

aaa-server SDI_Server protocol sdi

aaa-server SDI_Server host 192.168.30.10

! Configuration of an internal user-group called SecureMeWebGrp configured for

 WebVPN

group-policy SecureMeWebGrp internal

group-policy SecureMeWebGrp attributes

 vpn-tunnel-protocol webvpn

 webvpn

! The allowed list of functions

 functions url-entry file-access file-entry file-browsing port-forward filter

! WebVPN ACL is applied under the group WebVPN menu

 filter value HTTP

! URL Mangling list is applied under the group WebVPN menu

 url-list value HTTP_Link

! Port Forwarding List is applied under the group WebVPN menu

 port-forward value TerminalServer

! Configuration of ASDM for Appliance management

http server enable

http 0.0.0.0 0.0.0.0 inside

! WebVPN global configuration

webvpn

 enable outside

 logo none

! WebVPN users will be authenticated against an SDI server

 authentication-server-group SDI_Server

! WebVPN user group-policy is applied

 default-group-policy SecureMeWebGrp

! Configuration of WINS server located at 192.168.30.190

 nbns-server 192.168.30.190 master timeout 2 retry 2

 

WebVPN with E-Mail Proxies

SecureMe is looking to deploy the WebVPN e-mail proxy functionality for its remote users who need to check their corporate e-mail. These users generally use either POP3 or IMAP4 depending on their email client configuration. Figure 16-25 shows SecureMe's network topology for e-mail proxy.

Figure 16-25. SecureMe's E-Mail Proxy WebVPN Topology

The security requirements for SecureMe's Sydney office are as follows:

  • Allow POP3 and IMAP4 access to the e-mail server with a hostname of email-server.securemeinc.com. Use port 1000 for secure POP3 and 1010 for secure IMAP4. The users specify the pipe (|) as the username delimiter and the at (@) symbol as the server delimiter.
  • Use a RADIUS server as the external user database.
  • Use a DNS server to resolve email server name

Example 16-91 shows the complete configuration of the Sydney ASA.

Example 16-91. Sydney ASA Configuration to Implement E-Mail Proxies

Sydney# show running-config

: Saved

:

ASA Version 7.0(1)

! ip address on the outside interface

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 209.165.202.135 255.255.255.224

! ip address on the inside interface

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.80.1 255.255.255.0

!

hostname Sydney

domain-name securemeinc.com

! DNS lookup for hostname

dns domain-lookup inside

dns name-server 192.168.80.90

! Default Gateway

route outside 0.0.0.0 0.0.0.0 209.165.202.136 1

! Radius configuration for user authentication

aaa-server Radius_Server protocol radius

aaa-server Radius_Server host 192.168.80.100

 key cisco123

! Configuration of an internal user-group called SecureMeWebGrp configured for WebVPN

group-policy SecureMeWebGrp internal

group-policy SecureMeWebGrp attributes

 vpn-tunnel-protocol webvpn

 webvpn

! Configuration of ASDM for Appliance management

http server enable

http 0.0.0.0 0.0.0.0 inside

! WebVPN global parameters

webvpn

 enable outside

 logo none

 authentication-server-group Radius_Server

 default-group-policy SecureMeWebGrp

! IMAP4 configuration

imap4s

 enable outside

 port 1010

 server email-server

 name-separator |

 server-separator @

 default-group-policy SecureMeWebGrp

 authentication-server-group Radius_Server

 authentication aaa

! POP3 configuration

pop3s

 enable outside

 port 1000

 server email-server

 name-separator |

 server-separator @

 default-group-policy SecureMeWebGrp

 authentication-server-group Radius_Server

 authentication aaa


Part I: Product Overview

Introduction to Network Security

Product History

Hardware Overview

Part II: Firewall Solution

Initial Setup and System Maintenance

Network Access Control

IP Routing

Authentication, Authorization, and Accounting (AAA)

Application Inspection

Security Contexts

Transparent Firewalls

Failover and Redundancy

Quality of Service

Part III: Intrusion Prevention System (IPS) Solution

Intrusion Prevention System Integration

Configuring and Troubleshooting Cisco IPS Software via CLI

Part IV: Virtual Private Network (VPN) Solution

Site-to-Site IPSec VPNs

Remote Access VPN

Public Key Infrastructure (PKI)

Part V: Adaptive Security Device Manager

Introduction to ASDM

Firewall Management Using ASDM

IPS Management Using ASDM

VPN Management Using ASDM

Case Studies



Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net