Friday, December 12, 2014

Remote Access VPN clientless SSL - ASA

The next remote access VPN I would like to work with is clientless SSL VPN on the ASA. The biggest advantage of this variant is that no software is needed on the client machines; a web browser is all that is required. The minimum configuration is very simple:

webvpn
 port 444
 enable outside

username cisco password cisco
username cisco attributes
 service-type remote-access
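The minimal configuration above works, but it leaves the defaults in place: the ASA negotiates whatever cipher the browser offers first, and every user lands in DefaultWEBVPNGroup with DfltGrpPolicy, which permits more than the clientless protocol. The following is an added example, not configuration from the original post, showing the hardened starting point a practitioner would use on 8.4. The names CLIENTLESS and CLIENTLESS-TG, the idle and session timeouts, and the user are assumptions; the cisco/cisco credential is kept only because the post uses it as a lab account.

```text
! Global webvpn settings: listen on TCP 444 on the outside interface and show
! the tunnel-group drop-down on the login page (needed for group-alias below).
webvpn
 port 444
 enable outside
 tunnel-group-list enable
!
! Restrict the SSL ciphers and protocol the ASA will negotiate (8.x syntax;
! 9.3 and later use "ssl cipher"). Without this, 8.4 negotiates RC4-SHA1 by
! default, which is what the "show vpn-sessiondb webvpn" output on this page shows.
ssl encryption aes256-sha1 aes128-sha1
ssl server-version tlsv1
!
! Group policy that allows only the clientless protocol (no AnyConnect, no
! IPsec) and times out idle portal sessions. Names and timers are assumptions.
group-policy CLIENTLESS internal
group-policy CLIENTLESS attributes
 vpn-tunnel-protocol ssl-clientless
 vpn-idle-timeout 15
 vpn-session-timeout 480
!
! Dedicated tunnel group so clientless users do not fall into DefaultWEBVPNGroup.
tunnel-group CLIENTLESS-TG type remote-access
tunnel-group CLIENTLESS-TG general-attributes
 default-group-policy CLIENTLESS
 authentication-server-group LOCAL
tunnel-group CLIENTLESS-TG webvpn-attributes
 group-alias clientless enable
!
! Lab user from the post; in production use a strong password or an AAA server.
username cisco password cisco
username cisco attributes
 vpn-group-policy CLIENTLESS
 service-type remote-access
```

After applying this, the same `show vpn-sessiondb webvpn` command should report AES rather than RC4 under Encryption and CLIENTLESS / CLIENTLESS-TG instead of DfltGrpPolicy / DefaultWEBVPNGroup. The user-level `vpn-group-policy` binding is what ties the local account to the restricted policy when the user authenticates through the tunnel group.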

Now we can test it by browsing to https://<outside-interface-address>:444 and logging in:



On the ASA we can also monitor this session:

asa1# sh vpn-sessiondb webvpn

Session Type: WebVPN

Username     : cisco                  Index        : 16
Public IP    :
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 7367                   Bytes Rx     : 12748
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 12:50:22 UTC Thu Dec 11 2014
Duration     : 0h:04m:55s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

You need to remember that only traffic that passes through the browser session (the portal) is encrypted. This is unlike IPsec, where all traffic generated on the computer is sent over the tunnel (unless split tunneling is configured). If we, for example, ping the host, the traffic is sent directly over the Internet rather than through the tunnel:


As you can see, ping is not allowed in on the outside interface, so we cannot ping this host directly.

asa1(config)# sh run access-list OUT
access-list OUT extended permit icmp any host
We can test the tunnel by generating HTTP traffic from the WebVPN portal:


I enabled the HTTP server on R15.



Securing web-based applications is straightforward. For other types of applications we can use Port Forwarding (legacy) or Smart Tunnel. More information about both can be found here:

a) Port Forwarding:

b) Smart Tunnel:

I pasted the documentation from version 8.2 because the one I'm working on (8.4) doesn't include the CLI, only the GUI.
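For reference, here is an added example (not from the original post) of how Port Forwarding and Smart Tunnel are configured from the CLI on 8.x. The syntax is taken from the 8.x command reference; verify it against your own release. The list names PF-R15 and ST-APPS, the address 10.0.0.15 for R15, the local ports, the application names, and the group policy CLIENTLESS are all assumptions.

```text
! Port Forwarding (legacy): the portal's Java applet listens on the client's
! loopback and relays each local port to one internal host:port.
! Syntax: port-forward <list> <local-port> <remote-server> <remote-port> [description]
port-forward PF-R15 3023 10.0.0.15 23 telnet-to-R15
port-forward PF-R15 3022 10.0.0.15 22 ssh-to-R15
!
! Smart Tunnel: the listed client processes are hooked and their TCP traffic is
! carried over the clientless session; no local port mapping is needed.
! Syntax: smart-tunnel list <list> <app-name> <process-name> [platform windows|mac]
smart-tunnel list ST-APPS putty putty.exe platform windows
smart-tunnel list ST-APPS rdp mstsc.exe platform windows
!
! Attach both lists to the group policy the clientless users land in.
! CLIENTLESS is an assumed name; use the policy your tunnel group actually assigns.
group-policy CLIENTLESS attributes
 webvpn
  port-forward enable PF-R15
  smart-tunnel enable ST-APPS
```

With port forwarding the user must be told to connect to 127.0.0.1:3023 (or 3022) after starting the applet from the portal; with smart tunnel the user starts the listed application as usual after clicking the Smart Tunnel link. Both still require a browser plugin to run on the client, and both carry only the TCP traffic of the mapped ports or the listed processes. Everything else, including the ICMP shown earlier on this page, continues to leave the client directly, which is the same limitation the post describes for plain portal access.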
