As discussed in Chapter 16, "Remote Access VPNs," Cisco ASA allows mobile and home users to create a secure WebVPN tunnel to access corporate resources. ASDM allows you to configure and customize the WebVPN service. In this section, Figure 21-32 is used as a reference topology in which a Cisco ASA is being set up to accept the WebVPN connections on the outside interface from the web clients. The inside interface of Cisco ASA in Chicago is directly connected to the 192.168.10.0/24 subnet, while another inside network, 192.168.20.0/24, is behind Router1. The public interface's IP address is 209.165.200.225/27, and the default route sends all traffic to the next-hop router toward the Internet.
Figure 21-32. WebVPN Topology
By setting up WebVPN, SecureMe wants to accomplish the following:
The following steps guide you through configuring the ASA to meet the preceding objectives:
Step 1. Enable WebVPN.
Figure 21-33. Enabling WebVPN
Note: ASDM and WebVPN are not supported on the same interface.
Step 2. Customize the look and feel.
Figure 21-34. Customizing Look and Feel
Step 3. Set up WebVPN group attributes.
Figure 21-35. Creating a Group Policy
By default, a new group policy inherits all values from the default group policy, which allows both IPSec and WebVPN as the tunneling protocols. In Figure 21-36, the administrator has disabled policy inheritance for tunneling protocols and has selected WebVPN as the tunneling protocol under the General tab.
Figure 21-36. Selecting WebVPN as the Tunneling Protocol
ASDM can restrict users to certain functions, such as port forwarding and Windows file browsing. These functions can be enabled under the WebVPN tab, as shown in Figure 21-37.
Figure 21-37. Setting Up WebVPN Functions
Step 4. Set up URL mangling.
Figure 21-38. Creating a URL List
After you create a list, you map it to a group policy under the WebVPN tab, as shown in Figure 21-39. Click OK to submit these changes.
Figure 21-39. Applying the URL List
Step 5. Configure port forwarding.
Figure 21-40. Creating a Port-Forwarding List
After you create a port-forwarding list, you apply it to the group policy, as shown in Figure 21-41. Click the WebVPN tab and select the list from the drop-down menu under Port Forwarding.
Figure 21-41. Applying a Port-Forwarding List
Step 6. Specify WINS and DNS servers.
Figure 21-42. Setting Up WINS Servers
DNS servers resolve the domain names of network devices to their configured IP addresses. To specify DNS servers, choose Configuration > Features > Properties > DNS Client. Cisco ASA allows up to six DNS servers for name resolution. You have to instruct Cisco ASA which interface to use to send the DNS requests. Figure 21-43 illustrates that two DNS servers, located at 192.168.20.60 and 192.168.20.61, are set up for name resolution on the inside interface. Click Apply to submit the changes to Cisco ASA.
Figure 21-43. Setting Up DNS Servers
Step 7. Configure e-mail proxy functionality.
Figure 21-44. Enabling E-Mail Proxy
Cisco ASA needs to know where the e-mail server(s) reside. To specify the host name or the IP addresses of the servers, choose Configuration > Features > VPN > E-mail Proxy > Default Servers. Figure 21-45 illustrates that Cisco ASA is being configured for secureme-email as the POP3S, IMAPS, and SMTPS server using the default TCP ports of 995, 993, and 988, respectively. The DNS server resolves secureme-email to 192.168.20.30.
Figure 21-45. Setting Up the E-Mail Proxy Servers
Cisco ASA allows the use of three different types of authentication:
E-mail authentication methods are configured under Configuration > Features > VPN > E-mail Proxy > Authentication. In Figure 21-46, Cisco ASA is being configured to use AAA authentication for all three supported e-mail protocols.
Figure 21-46. E-Mail Proxy Authentication
Because AAA has been selected as the authentication method, ASDM needs to map an authentication server to the e-mail protocol. In Figure 21-47, a predefined authentication group called Rad, which is using RADIUS authentication, is linked to the protocols. A group policy, called SecureMeWebGrp, is also applied to the e-mail users when they establish a connection using any one of the three e-mail protocols.
Figure 21-47. E-Mail Proxy AAA Servers
Figure 21-48 shows the username and server delimiters for the three supported e-mail protocols, which are set to their default values of colon (:) and at (@), respectively.
Figure 21-48. E-Mail Proxy Delimiters
Example 21-3 shows the complete WebVPN configuration generated by ASDM.
Example 21-3. Complete WebVPN Configuration Created by ASDM
!DNS server configuration for hostname resolution
dns domain-lookup inside
dns name-server 192.168.20.60
dns name-server 192.168.20.61
!URL-List for URL-Mangling
url-list HTTP_link "Internal" http://192.168.20.10
!Port-forward List for Port Forwarding
port-forward telnet_inside 1100 192.168.20.20 telnet Telnet Service
!AAA server configuration for Email Proxy authentication
aaa-server Rad protocol radius
aaa-server Rad host 192.168.20.40 key cisco123
!Group-policy configuration for WebVPN users
group-policy SecureMeWebGrp internal
group-policy SecureMeWebGrp attributes
 !Allowed tunneling protocol is WebVPN
 vpn-tunnel-protocol webvpn
 webvpn
  !Allowed functions for WebVPN
  functions url-entry file-access file-entry file-browsing mapi port-forward filter
  !URL-List is applied to the group-policy
  url-list value HTTP_link
  !Port-forward List is applied to the group-policy
  port-forward value telnet_inside
!WebVPN global configuration
webvpn
 !WebVPN is enabled on the outside interface
 enable outside
 !WebVPN homepage title and logo are modified
 title SecureMe WebVPN Service
 logo file disk0:/secureme.png
 !WINS servers are setup for NetBIOS name resolution
 nbns-server 192.168.20.50 master timeout 2 retry 2
 nbns-server 192.168.20.51 timeout 2 retry 2
 nbns-server 192.168.50.52 timeout 2 retry 2
!Email Proxy for IMAP protocol is setup on the outside interface
imap4s
 enable outside
 !Declaration of IMAP Email Server
 server secureme-email
 !AAA authentication for IMAP users
 authentication-server-group Rad
 authentication aaa
 !Group-policy is applied to the IMAP users
 default-group-policy SecureMeWebGrp
!Email Proxy for POP3 protocol is setup on the outside interface
pop3s
 enable outside
 !Declaration of POP3 Email Server
 server secureme-email
 !AAA authentication for POP3 users
 authentication-server-group Rad
 authentication aaa
 !Group-policy is applied to the POP3 users
 default-group-policy SecureMeWebGrp
!Email Proxy for SMTP protocol is setup on the outside interface
smtps
 enable outside
 !Declaration of SMTP Email Server
 server secureme-email
 !AAA authentication for SMTP users
 authentication-server-group Rad
 authentication aaa
 !Group-policy is applied to the SMTP users
 default-group-policy SecureMeWebGrp
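As an added example (not from the book or from Cisco), the following Python script walks a configuration laid out like Example 21-3 and reports the settings an administrator would want to verify after ASDM generates it: every enabled e-mail proxy that says "authentication aaa" must name an authentication-server-group and a default-group-policy, and any group policy that enables broad WebVPN functions (file access, file browsing, port forwarding) is called out for review. The embedded sample is constructed from Example 21-3 with indentation restored; its pop3s block is deliberately left incomplete so the checks have something to report.

```python
# Constructed sample modelled on Example 21-3 (indentation restored); the
# pop3s block intentionally lacks its AAA server group and default policy.
SAMPLE_CONFIG = """\
group-policy SecureMeWebGrp attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter
imap4s
 enable outside
 server secureme-email
 authentication-server-group Rad
 authentication aaa
 default-group-policy SecureMeWebGrp
pop3s
 enable outside
 authentication aaa
"""
EMAIL_PROXIES = ("imap4s", "pop3s", "smtps")
BROAD_FUNCTIONS = {"file-access", "file-browsing", "file-entry", "port-forward"}

def parse_blocks(config):
    """Map each top-level command to its stripped subcommands (indented lines)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or '!' comment
        if not raw[0].isspace():
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def audit(config):
    """Return findings for enabled e-mail proxies and broad WebVPN functions."""
    blocks, findings = parse_blocks(config), []
    for proxy in EMAIL_PROXIES:
        sub = blocks.get(proxy, [])
        if not any(s.startswith("enable ") for s in sub):
            continue  # proxy not enabled on any interface, nothing to check
        if "authentication aaa" in sub and not any(s.startswith("authentication-server-group ") for s in sub):
            findings.append(f"{proxy}: 'authentication aaa' without an authentication-server-group")
        if not any(s.startswith("default-group-policy ") for s in sub):
            findings.append(f"{proxy}: no default-group-policy applied")
    for name, sub in blocks.items():
        if name.startswith("group-policy ") and name.endswith(" attributes"):
            for s in sub:
                broad = sorted(BROAD_FUNCTIONS & set(s.split()[1:])) if s.startswith("functions ") else []
                if broad:
                    findings.append(f"{name}: broad WebVPN functions enabled: {', '.join(broad)}")
    return findings
```

Feed it the output of show running-config (or the ASDM-generated listing) to confirm each proxy is tied to the intended AAA group and group policy before the outside interface is opened to clients.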