Topology (Firewall is pre-configured)
For the public services, web and FTP servers are running. The test computer is on the outside network (192.168.1.151/24). However, this outside user cannot reach the inside network (192.168.0.2/24 (remote.mgk.com): Web, FTP, VNC, RDP and SSH).
For outside users, I'm going to use a clientless SSL VPN to connect Internet users to the inside network of MGK company.
First, add a Group Policy: set the group name, banner, ACLs (allow only web and FTP on the inside network) and bookmarks.
ACLs: if you don't have a DNS server, you will have to use the IP addresses you want to allow instead of names.
At the end of the ACL there is an implicit deny any, so anything not listed (VNC, RDP, SSH, other hosts) is blocked through the portal.
At the end of the ACL configuration, select the ACL name under More Options -> Web ACL.
I have made a mistake here. I should have configured "remote.mgk.com/*" instead of "mgk.com" for "ftp://" and "http://".
The domain name of the inside web and FTP server is 'inserver1.mgk.com'.
FTP: ftp://inserver1.mgk.com
WEB: http://inserver1.mgk.com
If you don't have a DNS server, use IP addresses instead of domain names in the bookmarks.
When you are done, don't forget to select the bookmark list you configured under Portal.
Group configuration:
Second, add a connection profile: set the name, aliases, authentication (local) and DNS (if you don't have a DNS server, leave it blank). Don't forget to select the group policy (Clientless_Group).
Connection Profile
Group URL: outside users reach the VPN portal at this URL: https://remote.mgk.com
OK->apply
Certificate: for clientless VPN users, the ASA presents a specific certificate obtained from the Certificate Authority server on the inside network.
This is the certificate that the ASA has for the clientless SSL VPN.
If you don't install a certificate, the ASA generates a self-signed one. Browsers then warn on every connection and users cannot tell the real portal from a spoofed one, so use a CA-issued certificate and install the root CA on the client machines.
Last, add users: we are going to use the local database. Set the user name, group policy and connection profile.
Group policy and Connection profile
Configuration
Result
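The same configuration, written out as ASA CLI rather than ASDM clicks, as an added example (this is not the author's running configuration). Clientless_Group, remote.mgk.com, inserver1.mgk.com and the local-database authentication come from the steps above; the ACL name Clientless_WebACL, the bookmark list MGK_Bookmarks, the trustpoint MGK_CA, the profile Clientless_Profile, the alias MGK_Remote, the user remoteuser, the interface names inside/outside and the DNS server address 192.168.0.10 are assumed names for illustration.

```cisco
! --- Webtype ACL: only the inside web and FTP server is reachable via the portal.
! Names require the ASA to resolve them (DNS below); without an inside DNS
! server, put the IP address in the URL instead of the host name.
access-list Clientless_WebACL webtype permit url http://inserver1.mgk.com/*
access-list Clientless_WebACL webtype permit url ftp://inserver1.mgk.com/*
! The implicit deny at the end is silent; an explicit logged deny makes
! blocked attempts (VNC/RDP/SSH hosts, other servers) visible in syslog.
access-list Clientless_WebACL webtype deny url any log

! --- DNS the ASA itself uses to resolve inserver1.mgk.com (address assumed).
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.0.10

! --- Group policy: clientless only, banner, bookmark list, web ACL.
! MGK_Bookmarks is the bookmark list built in ASDM (Portal > Bookmarks);
! on the CLI it is loaded with "import webvpn url-list MGK_Bookmarks <url>".
group-policy Clientless_Group internal
group-policy Clientless_Group attributes
 banner value Authorized MGK users only
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value MGK_Bookmarks
  filter value Clientless_WebACL

! --- Identity certificate from the inside CA, bound to the outside interface.
crypto ca trustpoint MGK_CA
 enrollment terminal
 subject-name CN=remote.mgk.com,O=MGK
 fqdn remote.mgk.com
crypto ca authenticate MGK_CA
crypto ca enroll MGK_CA
crypto ca import MGK_CA certificate
ssl trust-point MGK_CA outside

! --- Connection profile (tunnel group): local authentication and group URL.
tunnel-group Clientless_Profile type remote-access
tunnel-group Clientless_Profile general-attributes
 authentication-server-group LOCAL
 default-group-policy Clientless_Group
tunnel-group Clientless_Profile webvpn-attributes
 group-alias MGK_Remote enable
 group-url https://remote.mgk.com enable

! --- Enable the portal on the outside interface.
webvpn
 enable outside
 tunnel-group-list enable

! --- Local user, locked to this profile and limited to VPN login.
! service-type remote-access keeps the account out of ASDM/SSH administration.
username remoteuser password <strong-password>
username remoteuser attributes
 vpn-group-policy Clientless_Group
 group-lock value Clientless_Profile
 service-type remote-access

! --- Verification after a test login (exec mode).
! show vpn-sessiondb webvpn
! show access-list Clientless_WebACL
```

The explicit `deny url any log` and `service-type remote-access` lines are the two additions a reviewer would ask for: the first turns the otherwise silent implicit deny into log evidence of what outside users tried to reach, and the second stops a VPN-only account from also being usable for management logins when the local database backs both.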
Before testing the clientless SSL VPN, we have to install the root CA certificate on the outside computer; otherwise the browser will warn that the ASA's certificate is untrusted.
This is the certificate from the mgk.com CA server that I installed on the outside network computer.
Test:
1. Login: because the CA certificate (mgk-ROOT-CA) is installed, there is no certificate warning.
go to https://remote.mgk.com
login
First web page.
Click "Inserver1 for Web".
Click the Home button and click "Inserver1 for FTP".
Type the password.
I can successfully connect to the Web and FTP sites on the inside network.