Chapter 15: SSL VPNs with Cisco ASA
The key points covered in this chapter are as follows:
• Market trends drive the need for effective remote-access security and present challenges to the IT organization.
• The SSL protocol uses the cryptology concepts presented in this chapter.
• Cisco SSL VPN solutions include clientless and full client tunnel modes of operation.
• Cisco SSL VPN clientless mode can be configured on Cisco ASA using Cisco ASDM.
• Cisco SSL VPN full client tunnel mode can be configured on Cisco ASA using Cisco ASDM and the Cisco AnyConnect VPN Client.
47 pages | Shared by: vutrong32
Chapter 15. SSL VPNs with Cisco ASA
This chapter prepares you to meet these objectives:
• Describe the use cases and operational requirements of Cisco SSL VPNs
• Describe the protocol framework for SSL and TLS
• Describe a configuration that is based on SSL VPN deployment options and other design considerations
• Describe the steps to configure Cisco VPN clientless mode on Cisco ASA and demonstrate the configuration on Cisco ASDM
• Describe the steps to configure Cisco full-tunnel mode on Cisco ASA and demonstrate the configuration on Cisco ASDM using the Cisco AnyConnect VPN Client

Contents

SSL VPNs in Borderless Networks
Remote-access and mobility services have gone through drastic changes in the past few years. Three market transitions are driving the network architectures of the future:
• Mobility
• Video
• IT consumerization

Cisco SSL VPN
The Cisco SSL VPN technology provides remote-access connectivity from almost any Internet-enabled location, using a web browser and its native SSL/TLS encryption. Cisco SSL VPN provides the flexibility to support secure access for all users, regardless of the endpoint host from which they connect. If application access requirements are modest, SSL VPN does not require a software client to be preinstalled on the endpoint; this lets companies extend their secure enterprise networks to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location. Cisco SSL VPN currently delivers three modes of access: clientless, thin client, and full client.

Clientless SSL VPN Versus IPsec VPN

SSL and TLS Protocol Framework
SSL and TLS provide confidentiality, integrity, and authentication services to the applications that use them. SSL/TLS sits above TCP and below the application protocol, so it protects everything the application sends: not only HTTP (HTTPS) but also FTP (FTPS), POP3 (POP3S), LDAP (LDAPS), and others; in EAP-TLS it carries the authentication exchange for wireless networks. SSL 2.0 and SSL 3.0 are obsolete and should be disabled on the VPN gateway; current deployments should negotiate TLS 1.2 or later.

SSL/TLS Encapsulation

SSL and TLS

SSL Cryptography

SSL Tunnel Establishment

SSL Tunnel Establishment Example

Example of an HTTPS Session
• Steps A to I illustrate the exchange between the Blue Bank server and VeriSign (the server enrolling for its certificate with the CA).
• Steps 1 to 11 illustrate the exchange between the HTTPS client and the Blue Bank server.

Cisco SSL VPN Deployment Options and Considerations

Scenario for the following three types of SSL access
• Clientless
• Thin client
• SSL VPN client

Two Main SSL Deployment Modes

Cisco SSL VPN Client: Full Network Access
The following are among the many features of the Cisco AnyConnect VPN client:
• Optimal gateway selection
• Mobility-friendly
• Broad operating system support
• Wide range of deployment and connection options
• Ease of client administration
• Preconnection posture assessment (Premium license required)
• Client firewall policy

SSL VPN on Cisco ASA in Clientless Mode
Configuring clientless SSL VPN with the ASDM wizard involves six tasks:
Task 1. Launch the Clientless SSL VPN Wizard from ASDM.
Task 2. Configure the SSL VPN interface.
Task 3. Configure user authentication.
Task 4. Configure user group policy.
Task 5. Configure a bookmark list.
Task 6. Verify the Clientless SSL VPN Wizard configuration.

Clientless Configuration Scenario

Clientless SSL VPN Configuration Topology

Task 1: Launch the Clientless SSL VPN Wizard from ASDM
In ASDM, choose Wizards > VPN Wizards > Clientless SSL VPN Wizard.

Task 2: Configure the SSL VPN Interface

Task 3: Configure User Authentication

Task 4: Configure User Group Policy

Task 5: Configure a Bookmark List
Creating a Bookmark List

Task 6: Verify the Clientless SSL VPN Wizard Configuration
Log In to the VPN Portal: Clientless SSL VPN
Resources Accessible in the Portal

SSL VPN on ASA Using the Cisco AnyConnect VPN Client
There are three major phases to configuring SSL VPN full-tunnel mode with Cisco ASDM so that remote clients connect using Cisco AnyConnect:
Phase 1. Configure Cisco ASA for Cisco AnyConnect.
Phase 2. Configure the Cisco AnyConnect VPN Client.
Phase 3. Verify VPN connectivity with Cisco AnyConnect.

Major Phases

Cisco AnyConnect Configuration Scenario

Phase 1: Configure Cisco ASA for Cisco AnyConnect
Eight tasks are required to configure the Cisco ASA for AnyConnect; each is outlined in this section:
1. Configure the connection profile.
2. Configure VPN protocols and the device certificate.
3. Configure the client image.
4. Configure the authentication methods.
5. Configure client address management.
6. Configure the network name resolution (DNS) servers.
7. Configure the network address translation (NAT) exemption.
8. Review the AnyConnect client deployment summary.

Task 1: Connection Profile Identification
Task 2: VPN Protocols and Device Certificate
Task 3: Client Image
Selecting the Client Image
Task 4: Authentication Methods
Task 5: Client Address Assignment
Task 6: Network Name Resolution Servers
Task 7: Network Address Translation Exemption
Task 8: AnyConnect Client Deployment Summary

Phase 2: Configure the Cisco AnyConnect VPN Client
Connecting to the Portal to Request an AnyConnect Installation Download
Cisco AnyConnect Installed from a Clientless VPN Session

Phase 3: Verify VPN Connectivity with the Cisco AnyConnect VPN Client
Detailed Information on the Current VPN Session

Summary

References
For additional information, refer to this resource:
CCNP Security VPN 642-648 Official Cert Guide, Second Edition (Cisco Press)
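Added example, not taken from the slides or from Cisco documentation: the ASA CLI equivalent of what the ASDM Clientless SSL VPN Wizard (Tasks 1 to 6) and the AnyConnect VPN Wizard (Phase 1, Tasks 1 to 8) write to the running configuration, followed by the show commands used for Phase 3 verification. The interface name, object, pool, policy and tunnel-group names, addresses, the bookmark-list name, the AnyConnect image filename and the local user are assumed placeholders; the ssl server-version line is a hardening step the wizards do not set and is included as the caveat a reviewer would want.

```cisco
! ===== Shared (wizard Task 2 / AnyConnect Task 2): SSL VPN on the outside
! interface, device certificate trustpoint, minimum TLS version.
! ASA_SSL_CERT, "outside" and the image filename are assumed placeholders.
ssl trust-point ASA_SSL_CERT outside
ssl server-version tlsv1.2        ! not a wizard default: refuses SSLv3/TLS 1.0/1.1
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-webdeploy-k9.pkg 1   ! AnyConnect Task 3
 anyconnect enable
 tunnel-group-list enable         ! lets users pick the connection profile (group-alias)

! ===== Authentication (clientless Task 3 / AnyConnect Task 4): local user.
! Placeholder credentials; production deployments point
! authentication-server-group at AAA (RADIUS/LDAP) instead of LOCAL.
username vpnuser password ChangeMe-Before-Use
username vpnuser attributes
 service-type remote-access

! ===== Clientless mode (Tasks 4 and 5): group policy limited to the portal,
! bookmark list attached to it. INTRANET_BOOKMARKS must already exist; the
! wizard builds it in ASDM, or it is loaded with "import webvpn url-list".
group-policy GP_CLIENTLESS internal
group-policy GP_CLIENTLESS attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value INTRANET_BOOKMARKS
tunnel-group TG_CLIENTLESS type remote-access
tunnel-group TG_CLIENTLESS general-attributes
 authentication-server-group LOCAL
 default-group-policy GP_CLIENTLESS
tunnel-group TG_CLIENTLESS webvpn-attributes
 group-alias Clientless enable

! ===== AnyConnect full-tunnel mode (Phase 1, Tasks 1, 5, 6, 7).
! Address pool and DNS server are assumed values.
ip local pool ANYCONNECT_POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
object network INSIDE_NET
 subnet 10.1.0.0 255.255.0.0
object network ANYCONNECT_NET
 subnet 10.99.0.0 255.255.255.0
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client    ! full client only; add ssl-clientless to allow the portal too
 dns-server value 10.1.1.53        ! Task 6: name resolution servers
 default-domain value corp.example.com
 address-pools value ANYCONNECT_POOL
tunnel-group TG_ANYCONNECT type remote-access   ! Task 1: connection profile
tunnel-group TG_ANYCONNECT general-attributes
 authentication-server-group LOCAL
 address-pool ANYCONNECT_POOL      ! Task 5: client address assignment
 default-group-policy GP_ANYCONNECT
tunnel-group TG_ANYCONNECT webvpn-attributes
 group-alias AnyConnect enable

! Task 7: NAT exemption. Identity twice NAT so inside-to-VPN traffic is not
! translated by the outbound dynamic PAT rule; without it, returning packets
! never reach the tunnel.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static ANYCONNECT_NET ANYCONNECT_NET no-proxy-arp route-lookup

! ===== Phase 3 verification: active sessions per mode, and installed images.
show vpn-sessiondb webvpn
show vpn-sessiondb anyconnect
show webvpn anyconnect
```

Confirm the result with a browser: the portal must present the ASA_SSL_CERT certificate (not the self-signed default), a scan such as an openssl s_client attempt with -ssl3 or -tls1 must be refused, and show vpn-sessiondb anyconnect should list the assigned pool address for a connected client.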
Files attached to this document:
- chapter_15_ssl_vpns_with_cisco_asa_4662.pptx