This chapter describes the use cases and operational requirements of SSL VPNs and offers a detailed presentation on the operations of SSL. The chapter explains configurations, deployment options, and design considerations. It describes the steps to configure both Cisco VPN clientless mode and Cisco full-tunnel mode on Cisco ASA using the Cisco AnyConnect client.
Chapter 15: SSL VPNs with Cisco ASA
© 2012 Cisco and/or its affiliates. All rights reserved.

Contents
This chapter prepares you to meet these objectives:
• Describe the use cases and operational requirements of Cisco SSL VPNs
• Describe the protocol framework for SSL and TLS
• Describe a configuration that is based on SSL VPN deployment options and other design considerations
• Describe the steps to configure Cisco VPN clientless mode on Cisco ASA and demonstrate the configuration on Cisco ASDM
• Describe the steps to configure Cisco full-tunnel mode on Cisco ASA and demonstrate the configuration on Cisco ASDM using the Cisco AnyConnect VPN Client

SSL VPNs in Borderless Networks
• Remote-access and mobility services have gone through drastic changes in the past few years
• There are three market transitions driving the network architectures of the future:
– Mobility
– Video
– IT Consumerization

Cisco SSL VPN
• The Cisco SSL VPN technology provides remote-access connectivity from almost any Internet-enabled location with a web browser and its native SSL encryption
• Cisco SSL VPN provides the flexibility to support secure access for all users, regardless of the endpoint host from which they establish a connection
• If application access requirements are modest, SSL VPN does not require a software client to be preinstalled on the endpoint host
• This ability enables companies to extend their secure enterprise networks to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location
• Cisco SSL VPN currently delivers three modes of Cisco SSL VPN access: clientless, thin client, and full client

Clientless SSL VPN Versus IPsec VPN

SSL and TLS Protocol Framework
• SSL and TLS provide confidentiality, integrity, and authentication services to the applications that use them
• SSL is used to encrypt and authenticate the session layer and above
• As such, it encrypts more than just HTTP (called HTTPS); it can also encrypt FTP (thus FTPS), POP (for POPS), LDAP (for LDAPS), wireless security (EAP-TLS), and others

SSL/TLS Encapsulation

SSL and TLS

SSL Cryptography

SSL Tunnel Establishment

Configuring Cisco full-tunnel mode using Cisco AnyConnect:
– Phase 1: Configure Cisco ASA for Cisco AnyConnect
– Phase 2: Configure the Cisco AnyConnect VPN Client
– Phase 3: Verify VPN Connectivity with Cisco AnyConnect

Task 2: VPN Protocols and Device Certificate

Task 3: Client Image

Selecting the Client Image

Task 4: Authentication Methods

Task 5: Client Address Assignment

Task 6: Network Name Resolution Servers

Task 7: Network Address Translation Exemption

Task 8: AnyConnect Client Deployment Summary

Phase 2: Configure the Cisco AnyConnect VPN Client
Connecting to the Portal to Eventually Request an AnyConnect Installation Download

Cisco AnyConnect Installed from a VPN Clientless Session

Phase 3: Verify VPN Connectivity with Cisco AnyConnect VPN Client

Detailed Information on Current VPN Session

Summary
The key points covered in this chapter are as follows:
• Market trends drive the need for effective remote-access security and present challenges to the IT organization
• The SSL protocol uses the cryptology concepts presented in this chapter
• Cisco SSL VPN solutions include clientless and full client tunnel modes of operation
• Cisco SSL VPN clientless mode can be configured on Cisco ASA using Cisco ASDM
• Cisco SSL VPN full client tunnel mode can be configured on Cisco ASA using Cisco ASDM and the Cisco AnyConnect VPN Client

References
• For additional information, refer to this resource:
– CCNP Security VPN 642-648 Official Cert Guide, Second Edition (Cisco Press)
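The chapter walks through the AnyConnect full-tunnel setup as ASDM tasks (device certificate, client image, authentication, address pool, DNS servers, NAT exemption) and a final verification phase. The CLI below is an added example of the same tasks, not the deck's own configuration; every name, address, trustpoint and the image filename is a constructed placeholder, and the NAT statement uses ASA 8.3+ object syntax.

```text
! --- Task 2: VPN protocol and device certificate ---
! Assumes trustpoint ASA_ID_CERT already holds the ASA identity certificate
ssl trust-point ASA_ID_CERT outside
webvpn
 enable outside
 ! --- Task 3: client image (filename is a placeholder) ---
 anyconnect image disk0:/anyconnect-win-<version>-k9.pkg 1
 ! Allows the portal to push the AnyConnect installer (Phase 2)
 anyconnect enable
 tunnel-group-list enable
! --- Task 5: client address assignment (constructed pool) ---
ip local pool ANYCONNECT_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
! --- Task 2 / Task 6: tunnel protocol and name-resolution servers ---
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 192.168.1.10
 default-domain value example.com
 address-pools value ANYCONNECT_POOL
! --- Task 4: authentication method (local user database) ---
username vpnuser password <password> privilege 0
! Connection profile tying the pieces together
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_POOL
 authentication-server-group LOCAL
 default-group-policy ANYCONNECT_GP
tunnel-group ANYCONNECT_TG webvpn-attributes
 group-alias AnyConnect enable
! --- Task 7: NAT exemption (identity NAT so VPN traffic is not translated) ---
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network ANYCONNECT_POOL_NET
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static ANYCONNECT_POOL_NET ANYCONNECT_POOL_NET no-proxy-arp route-lookup
! --- Phase 3: verify the connected session (exec mode) ---
show vpn-sessiondb anyconnect
```

The verification command is the CLI counterpart of the ASDM "Detailed Information on Current VPN Session" view; the NAT exemption is the check most often missed when tunnel clients can reach the ASA but not inside hosts.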