Friday, August 1, 2014

ASA_VPN Clientless SSL VPN with Certificate.

Topology (firewall is pre-configured)




For the public services, web and FTP servers are already in service. This computer is on the outside network (192.168.1.151/24). However, this outside user can't access the inside network (192.168.0.2/24 (remote.mgk.com): Web, FTP, VNC, RDP and SSH).



For outside users, I'm going to use clientless SSL VPN to connect internet users to the inside network of the MGK company.


First, add a group: set the group name, banner, ACLs (only allow web and FTP to the inside network) and bookmarks.


ACLs: if you haven't set up a DNS server, you will have to allow the IP addresses you want to reach instead of names.
At the end of the ACL there is an implicit deny any, so anything not explicitly permitted is blocked.
At the end of the ACL configuration, you should select the ACL name under More Options -> Web ACL.

I have made a mistake here. I should have configured "remote.mgk.com/*" instead of "mgk.com" for "ftp://" and "http://".
The domain name of the inside network server for web and FTP is "inserver1.mgk.com".

Bookmarks: this is what outside users can access on the inside server.
FTP: ftp://inserver1.mgk.com
WEB: http://inserver1.mgk.com
If you don't have a DNS server, you should use IP addresses instead of domain names.
When you are done, don't forget to select the bookmark list you have configured under Portal.


Group configuration:
 
Second, add a connection profile: set the name, aliases, authentication (local) and DNS (if you don't have one, leave it). Don't forget to select the group policy (Clientless_Group).

Connection profile
Group URL: outside users can access the VPN with this URL: https://remote.mgk.com
OK -> Apply

Certificate: for clientless VPN users, the ASA will use a specific certificate obtained from the Certificate Authority server on the inside network.


This is the certificate that the ASA has for clientless SSL VPN.
If you don't install a certificate, the ASA will generate a self-signed certificate instead, and browsers will warn users about it.

Last, add users: we are going to use the local database. Set the user name, group policy and connection profile.

 Group policy and Connection profile
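The same three ASDM steps (group policy, connection profile, local user) plus the CA-issued certificate expressed as ASA CLI, as an added example that is not from the original post. Clientless_Group, remote.mgk.com and inserver1.mgk.com come from the post; the names WEB_ACL, Bookmarks, MGK-CA, Clientless_Profile, vpnuser1, remote-key and the DNS server placeholder are assumptions. The bookmark list itself is an XML object built in ASDM (or loaded with "import webvpn url-list"), so only its name is referenced here.

```cisco
! Enable the clientless SSL VPN portal on the outside interface
webvpn
 enable outside

! DNS is only needed if bookmarks and ACL entries use host names
! (placeholder address: the post does not give the inside DNS server)
dns domain-lookup inside
dns server-group DefaultDNS
 name-server <INSIDE-DNS-IP>

! Webtype ACL: only the web and FTP server on the inside network is reachable
! through the portal; everything not listed is dropped by the implicit deny.
! The host in each entry must match the host used in the bookmark URL.
access-list WEB_ACL webtype permit url http://inserver1.mgk.com/*
access-list WEB_ACL webtype permit url ftp://inserver1.mgk.com/*

! Group policy: banner, clientless only, webtype ACL and bookmark list
group-policy Clientless_Group internal
group-policy Clientless_Group attributes
 banner value Authorized MGK users only
 vpn-tunnel-protocol ssl-clientless
 webvpn
  filter value WEB_ACL
  url-list value Bookmarks

! Identity certificate issued by the inside CA (assumed trustpoint name MGK-CA).
! Key pair assumed to exist: crypto key generate rsa label remote-key modulus 2048
crypto ca trustpoint MGK-CA
 enrollment terminal
 subject-name CN=remote.mgk.com
 fqdn remote.mgk.com
 keypair remote-key
! Then, at the exec prompt:
!   crypto ca authenticate MGK-CA          (paste the root CA certificate)
!   crypto ca enroll MGK-CA                (produces the CSR for the inside CA)
!   crypto ca import MGK-CA certificate    (paste the issued certificate)
! Bind the CA-issued certificate to the SSL listener instead of the self-signed one
ssl trust-point MGK-CA outside

! Connection profile: local authentication, alias and group URL
tunnel-group Clientless_Profile type remote-access
tunnel-group Clientless_Profile general-attributes
 authentication-server-group LOCAL
 default-group-policy Clientless_Group
tunnel-group Clientless_Profile webvpn-attributes
 group-alias Clientless enable
 group-url https://remote.mgk.com enable

! Local user, locked to this group policy and connection profile
username vpnuser1 password <set-a-strong-password-here>
username vpnuser1 attributes
 vpn-group-policy Clientless_Group
 group-lock value Clientless_Profile
 service-type remote-access
```

After applying, "show crypto ca certificates" confirms the trustpoint holds the CA-issued identity certificate, and "show vpn-sessiondb webvpn" lists the clientless sessions once a user logs in. Binding the CA-issued certificate with "ssl trust-point" is the step that removes the browser warning the self-signed certificate would otherwise produce; leaving the self-signed certificate in place trains users to click through warnings, which is what a certificate check is meant to prevent.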

Configuration

Result

First, before testing the clientless SSL VPN, we have to install the root CA certificate on the client computer.

This is the certificate from the mgk.com CA server that I have installed on the outside network computer.

Test:
1. Login: because I have installed the CA certificate (mgk-ROOT-CA), there is no alarm.
   Go to https://remote.mgk.com


Login
First web page.

click "Inserver1 for Web"

Click the home button and click "Inserver1 for FTP"

Type the password.
I can successfully connect to the Web and FTP sites on the inside network.
