Upload: lekhuong

Post on 11-May-2018


© 2012 Cisco and/or its affiliates. All rights reserved. BRKCRT-8163 Cisco Public

CCNP Security: Securing Networks with

ASA VPNs BRKCRT-8163

Rob Settle, CCIE #23633 (Security, Routing & Switching)


Life as a security admin…

✗ Firewalls

✗ IPS

✗ Web Proxy

✗ Mail Relays

✗ 802.1x User


Rejoice… VPNs are enablers!

✗ Firewalls

✗ IPS

✗ Web Proxy

✗ Mail Relays

✗ 802.1x

✓ Site-to-Site VPN

✓ Remote Access VPN User


Agenda

Overview of CCNP Security VPN v2.0 Exam

VPN v2.0 Topics

‒ ASA VPN Architecture and Fundamentals

‒ VPN Fundamentals

‒ IPSec Site to Site

‒ IPSec Remote Access

‒ AnyConnect VPN

‒ Clientless SSL VPN

‒ High Availability

Q&A

Overview of the CCNP Security

Disclaimer / Warning

This session will strictly adhere to Cisco's rules of confidentiality

We may not be able to address specific questions

If you have taken the exam please refrain from asking questions from the exam—this is a protection from disqualification

We will be available after the session to direct you to resources to assist with specific questions or to provide clarification


CCNP Security Requirements

All four CCNP Security exams required

Some legacy CCSP exams qualify for CCNP Security credit. See FAQ:

https://learningnetwork.cisco.com/docs/DOC-10424

Exams

‒ SECURE v1.0 – 642-637

‒ IPS v7.0 – 642-617

‒ FIREWALL v2.0 – 642-618

‒ VPN v2.0 – 642-648


642-648 VPN v2.0 Exam

Approximately 90 minute exam

60-70 questions

Register with Pearson Vue

‒ http://www.vue.com/cisco

Exam cost is $200.00 US


Preparing for the VPN v2.0 Exam

Recommended reading

‒ CCNP Security VPN 642-647 Official Cert Guide

‒ CCNP Security VPN 642-648 Official Cert Guide (July 2012)

‒ Cisco ASA 8.4 Configuration Guide

Recommended training via Cisco Learning Partners

‒ Deploying Cisco ASA VPN Solutions

Cisco learning network

www.cisco.com/go/learnnetspace

Practical experience

‒ Real equipment

‒ ASDM in demo mode


Session Notes

Session and exam are based on ASA 8.4 and ASDM 6.4

This session covers most topics but cannot cover each topic in depth

Proper study and preparation is essential

Cisco ASA Architecture and VPN Fundamentals

ASA Architecture

ASA VPN Overview

ASA Design Considerations

AAA and PKI Refreshers

VPN Configuration Basics


Virtual Private Networks (VPNs)

Virtual Private Networks (VPNs) are a way to establish private connections over another network

VPN Capabilities

‒ Confidentiality – Prevent others from reading data traffic

‒ Integrity – Ensure data traffic has not been modified

‒ Authentication – Prove identity of remote peer and packets

‒ Anti-replay – Prevent replay of encrypted traffic

[Figure: Site to Site VPN – LAN A and LAN B connected across the Internet by two Cisco ASAs]

ASA Virtual Private Network Options

[Figure: ASA VPN option tree – Site-to-Site VPN: IPSec IKEv1, IPSec IKEv2. Remote Access VPN: Clientless SSL VPN (web browser); Client Based: SSL VPN (AnyConnect), IPSec IKEv1 (Cisco VPN Client), IPSec IKEv2 (AnyConnect)]

ASA Virtual Private Networks (VPNs)

Site-to-Site VPN

‒ Connects two separate networks using two VPN gateway devices such as an ASA

‒ Utilizes IPsec

Remote Access VPN

‒ Connects single user to a remote network via gateway such as an ASA

‒ Utilizes IPsec or Secure Sockets Layer (SSL)

[Figure: Site to Site VPN – LAN A and LAN B connected across the Internet by two Cisco ASAs]

Remote Access VPN

Client-based VPN

‒ Remote access using an installed VPN client like AnyConnect

‒ Permits "full tunnel" access

Clientless VPN

‒ Remote access through a web browser that leverages the browser's SSL encryption for protection

‒ Permits limited access but no footprint required

[Figure: Remote Access VPN – Clientless WebVPN and AnyConnect Client connect across the Internet to a Cisco ASA in front of the LAN]

Choosing Remote Access VPN Method

IPsec VPN

‒ Traditional IPsec access

‒ Cisco VPN Client

AnyConnect VPN

‒ Recommended next generation remote access – Windows 7 supported

‒ SSL VPN or IPSec

‒ Hostscan and other advanced features

Clientless SSL VPN (WebVPN)

‒ Recommended for thin, flexible access from any computer – no software required

‒ Permits network access via HTTP/S, plug-ins, and port forwarding

‒ Cisco Secure Desktop


Choosing an ASA for Site-to-Site VPN

Model considerations

‒ VPN throughput

‒ Number of VPN peers

No licenses required for IPSec

‒ ASA 5505 Security Plus license increases session max

‒ 3DES/AES license

Model                  ASA 5505    ASA 5510    ASA 5520    ASA 5540    ASA 5550    ASA 5585-X
VPN Throughput (Mbps)  100         170         225         325         425         Up to 5,000
VPN Sessions           10/25 *     250         750         5,000       5,000       Up to 10,000

* ASA 5505: base / Security Plus license

Model                  ASA 5512-X  ASA 5515-X  ASA 5525-X  ASA 5545-X  ASA 5555-X
VPN Throughput (Mbps)  200         250         300         400         700
VPN Sessions           250         250         750         2,500       5,000

Choosing an ASA for Remote Access VPN

Model considerations

‒ VPN throughput

‒ Number of Remote Access User Sessions (combined)

Model                  ASA 5505    ASA 5510    ASA 5520    ASA 5540    ASA 5550    ASA 5585-X
VPN Throughput (Mbps)  100         170         225         325         425         Up to 5,000
IPsec VPN Sessions     25          250         750         5,000       5,000       Up to 10,000
SSL VPN Sessions       25          250         750         2,500       5,000       Up to 10,000

Model                  ASA 5512-X  ASA 5515-X  ASA 5525-X  ASA 5545-X  ASA 5555-X
VPN Throughput (Mbps)  200         250         300         400         700
IPsec VPN Sessions     250         250         750         2,500       5,000
SSL VPN Sessions       250         250         750         2,500       5,000

Remote Access VPN Licensing

Other VPN – IPSec IKEv1

AnyConnect Essentials

‒ AnyConnect client provides full tunnel connectivity

‒ Windows, Mac, Linux, iOS, and Android

AnyConnect Premium

‒ Adds Clientless (Web VPN) and Hostscan features

‒ Adds additional AnyConnect client features

http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license.html

Three RA approaches

Remote Access Licensing

License                         Type
Other VPN – Basic IPSec IKEv1   No license required
AnyConnect Essentials           Platform license
  OR
AnyConnect Premium              Per-user license (Premium Shared or Flex variants)
AnyConnect Mobile               Platform license
Advanced Endpoint Assessment    Platform license

ASA License Keys

Two types – Permanent and Time-Based

One Permanent license

Time-Based licenses can be stacked

Some licensed features use higher value but some combine

Understand the rules:

http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license.html

VPN Configuration

VPN Configuration Components

[Figure: VPN configuration components – Users DB, Group Policies and Connection Profiles feeding the IPSec, SSL VPN and Web VPN services]

VPN Group Policy

Internal (ASA) or External (RADIUS)

Sample of various settings:

‒ WINS, DNS, DHCP, web proxy settings

‒ VPN access hours, idle timeout, network filter, permitted VPN protocols

‒ Split tunneling

Default Group Policy is called DfltGrpPolicy. Can be modified but NOT deleted.

Settings are inherited:

‒ User ==> Connection Profile's Group Policy ==> Default Group Policy


External Group Policy

Stored on a RADIUS server as a special user account

RADIUS user includes Vendor-Specific Attributes (VSAs) for Group Policy

settings

Group Policy configuration includes the RADIUS username and password


VPN Group Policy


VPN Connection Profile

Formerly called Tunnel Group. Command line still uses tunnel-group terminology.

Core VPN Service Attributes

‒ VPN Type (IPsec Site-to-Site, IPsec Remote Access, SSL VPN, Clientless)

‒ Authentication, authorization, and accounting servers

‒ Default group policy

‒ Client address assignment method

‒ VPN type specific attributes for IPsec and SSL VPN


VPN Connection Profile

Default Connection Profiles. They can be modified but NOT deleted.

‒ DefaultRAGroup – Remote Access connections

‒ DefaultWEBVPNGroup – Clientless SSL VPN connections

‒ DefaultL2LGroup – IPsec site-to-site connections

Settings are inherited:

‒ CustomTunnelGroup ==> DefaultRAGroup

VPN Connection Profile


VPN Configuration Methods

Command line

ASDM with Connection Profiles and Group Policies

ASDM VPN Wizard

AAA and PKI Refreshers

AAA Refresher

Authentication, Authorization, and Accounting (AAA)

‒ Authentication: Proving the identity of the user

‒ Authorization: Granting permissions to the user

‒ Accounting: Logging the actions of the user

AAA servers are used to perform one or more of the AAA functions

‒ Supported AAA servers include RADIUS, TACACS+, RSA/SDI, NT, Kerberos, LDAP, HTTP Forms, and LOCAL database

‒ Server example – Cisco ACS for RADIUS or TACACS+


Public Key Infrastructure (PKI) Refresher

Pre-Shared Key (PSK) deployments do not scale (symmetric keys)

PKI scales better with improved security and management

Uses Digital Certificates and public key cryptography

Asymmetric Cryptography

‒ Encryption with the public key is decrypted with the private

‒ Encryption with the private key is decrypted with the public

[Figure: "Hello World" encrypted with the private key into ciphertext, then decrypted back to "Hello World" with the public key]

Public Key Infrastructure (PKI) Refresher

Each device has a public key, private key, and certificate signed by the Certificate Authority

Certificates are issued:

‒ Manually

‒ Certificate Signing Requests (CSR)

‒ Simple Certificate Enrollment Protocol (SCEP)

[Figure: certificate issuance, steps 1–5 – user private/public key generation; Certificate Signing Request (CSR) carrying the user public key sent to the CA server; CA signs the certificate with the CA private key; user certificate issued for DN=joe.user containing the user public key]

PKI Refresher

Validation steps

‒ Check validity of the certificate based on date/time and certificate attributes

‒ Check the certificate using the stored Certificate Authority certificate

‒ Ensure certificate has not been revoked (optional)

    Check the Certificate Revocation List (CRL)

    Online Certificate Status Protocol (OCSP)
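The three validation steps above, and the private-key/public-key relationship from the earlier asymmetric-cryptography slide, as an added worked example (this is not Cisco code and not part of the original deck). The CA, the certificate, the CRL and the key sizes are all constructed for illustration: RSA is implemented with two 30-bit primes and no padding purely so the block runs offline with the standard library, which is far too weak for real use; a real ASA relies on its crypto library and X.509 encoding.

```python
import hashlib

# --- Toy RSA, illustration only (30-bit primes, no padding). It exists to show
#     "sign with the private key, verify with the public key" and nothing more. ---

def _egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = _egcd(b, a % b)
    return g, y, x - (a // b) * y

def make_keypair(p, q, e=65537):
    """Return (public_key, private_key) as (n, e) / (n, d) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, d, _ = _egcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime with phi(n)")
    return (n, e), (n, d % phi)

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(_digest(data, n), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)

# --- Certificates as plain dicts; the CA signs the "to-be-signed" fields. ---

def _tbs(cert) -> bytes:
    n, e = cert["public_key"]
    fields = (cert["serial"], cert["subject"], n, e, cert["not_before"], cert["not_after"])
    return "|".join(str(v) for v in fields).encode()

def issue_certificate(ca_private_key, subject, subject_public_key, serial,
                      not_before, not_after):
    cert = {"serial": serial, "subject": subject, "public_key": subject_public_key,
            "not_before": not_before, "not_after": not_after}
    cert["signature"] = sign(ca_private_key, _tbs(cert))  # the CA signs with its private key
    return cert

def validate_certificate(cert, ca_public_key, now, crl=None):
    """Peer-side checks in the order the slide lists them. Returns (ok, reason)."""
    # 1. validity window: this is why the debugging slides insist on synchronized clocks
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "outside validity period"
    # 2. signature checked against the stored CA certificate's public key
    if not verify(ca_public_key, _tbs(cert), cert["signature"]):
        return False, "signature does not verify against stored CA certificate"
    # 3. (optional) revocation; a CRL is modelled here as a set of revoked serials
    if crl is not None and cert["serial"] in crl:
        return False, "revoked"
    return True, "valid"

def proves_possession(cert, private_key, nonce: bytes) -> bool:
    """A peer proves it holds the private key by signing a challenge nonce that the
    other side verifies with the public key carried in the certificate."""
    return verify(cert["public_key"], nonce, sign(private_key, nonce))

# Constructed demo data: epoch seconds, two keypairs from well-known ~30-bit primes.
CA_PUBLIC, CA_PRIVATE = make_keypair(1000000007, 998244353)
USER_PUBLIC, USER_PRIVATE = make_keypair(1000000009, 999999937)
JOE_CERT = issue_certificate(CA_PRIVATE, "joe.user", USER_PUBLIC, serial=5,
                             not_before=1_700_000_000, not_after=1_731_536_000)

if __name__ == "__main__":
    print(validate_certificate(JOE_CERT, CA_PUBLIC, now=1_715_000_000))
    print(validate_certificate(JOE_CERT, CA_PUBLIC, now=1_715_000_000, crl={5}))
    print(proves_possession(JOE_CERT, USER_PRIVATE, b"challenge-nonce"))
```

The order matters for the failure reason a peer reports: a certificate presented outside its validity window is rejected before any signature work, which is why a skewed clock on either side surfaces as a "certificate invalid" style failure rather than an authentication one.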


PKI Refresher

Enrollment options

‒ Manually enroll ASA and endpoints by creating certificates and loading them

‒ ASA can also utilize SCEP to enroll directly with the CA

‒ VPN clients can enroll online with the ASA using Simple Certificate Enrollment Protocol (SCEP) proxy

ASA Configuration Guide -- Certificates

‒ http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html

IPSec and SSL Encryption Fundamentals

IPsec Connection Overview

1. Interesting Traffic

2. Phase 1 (ISAKMP)

3. Phase 1.5 (ISAKMP, remote access)

4. Phase 2 (IPSec)

5. Data Transfer

6. IPSec Tunnel Termination

[Figure: Branch Site Host A behind Cisco Security Appliance A, Central Office Host B behind Cisco Security Appliance B]

IPsec Connection Overview

1. Match Interesting Traffic

‒ Access Control List (ACL) defines matching source/destination addresses to

protect

‒ Both sides have mirrored ACLs

‒ Internet Key Exchange (IKE) kicks off when a packet matches the ACL

[Figure: ASA 1 and ASA 2, each with its crypto ACL]

IPsec Connection Overview

2. Phase 1 – ISAKMP

‒ Main Mode or Aggressive Mode exchange

‒ ISAKMP policies matched

‒ Diffie-Hellman exchange – Creates shared key

‒ Identities exchanged and authenticated

‒ ISAKMP Security Association (SA) created (bi-directional)

‒ Negotiate Phase 2 parameters

[Figure: ASA 1 and ASA 2 exchanging IKE over UDP 500]

IPsec Connection Overview

3. Phase 1.5 – Xauth and mode config

‒ Additional user authentication

‒ Client configuration – IP Address, DNS Server, etc.

[Figure: ASA 1 and ASA 2, IKE over UDP 500 (Phase 1.5 applies to remote-access clients)]

IPsec Connection Overview

4. Phase 2 – IPSec Security Associations (SA)

‒ SA is a unidirectional data channel

‒ Negotiated encryption and hashing

‒ Re-keyed after time or byte limit

5. Data transfer over IPSec SAs

[Figure: IKE over UDP 500, then IPSec SAs carrying tunneled traffic with ESP or AH between ASA 1 and ASA 2]

IPsec Connection Overview

6. Tunnel termination

‒ Lack of interesting traffic

‒ Peer quits responding

‒ Admin termination

‒ Re-keyed after time or byte limit

[Figure: the IKE and IPSec SAs between ASA 1 and ASA 2 torn down]

IKEv1 Details

Main Mode

‒ Three 2-way exchanges (6 messages) for:

ISAKMP policy

Diffie-Hellman exchange

Verifying the IPSec peer's identity

‒ Protects identities by exchanging them in secure tunnel

[Figure: Main Mode – Negotiate ISAKMP Policy, Diffie-Hellman Exchange, Identity and Authentication as three 2-way exchanges]

IKEv1 Details

Aggressive Mode

‒ Performs the 3 exchanges in a single exchange

‒ Faster than Main Mode due to fewer messages (3 total)

‒ Exposes identities

‒ 3 total exchanges

‒ Required in some cases! Dynamic peers with Pre-Shared Key (Easy VPN)

[Figure: Aggressive Mode – ISAKMP Policy, DH Exchange, Identity and Auth in a single exchange]

IKEv2

Internet Key Exchange version 2 – RFC 4306

Introduced in ASA 8.4 and AnyConnect 3.0

Benefits

‒ Denial of Service prevention using cookies

‒ Fewer negotiation messages

‒ Built-in Dead Peer Detection

‒ Built-in Configuration Payload and User Authentication (using EAP)

‒ Allows unidirectional authentication

‒ Built-in NAT Traversal

‒ Better rekeying and collision handling


IPSec Details

Phase 2 – Quick Mode

‒ Exchange protected by Phase 1 IKE Security Association (SA)

‒ Negotiates IPSec SA parameters

‒ Creates IPSec SAs

‒ Periodically renegotiates the IPSec SAs

‒ (optional) Performs Diffie-Hellman exchange for Perfect Forward Secrecy (PFS)

[Figure: Site to Site VPN – LAN A and LAN B connected across the Internet by two Cisco ASAs]

Phase 1 Configuration – Diffie-Hellman

Group         Key Length          Purpose
1             768-bit             Considered weak and no longer recommended.
2 (default)   1024-bit            Minimum strength required by VPN client.
5             1536-bit            Used to support larger key sizes of AES.
7             163-bit elliptic    Weak algorithm meant for mobile devices. Deprecated.


SSL and TLS

TLS is the evolution of SSL (developed by Netscape Communications)

Server (and optionally client) are authenticated via X.509 certificates

Cryptographic algorithms and shared secrets are negotiated

SSL VPNs use TLS encryption to protect tunneled IP traffic

Standard browsers and AnyConnect use TLS for SSL VPNs

[Figure: Remote Access VPN across the Internet to a Cisco ASA in front of the LAN]

VPN Ports and Protocols

Protocol                               Port                Purpose
Internet Key Exchange (IKE / ISAKMP)   UDP 500             IPSec Phase 1 key negotiation
Encapsulating Security Payload (ESP)   IP Protocol 50      IPSec Phase 2 encrypted payload
Authentication Header (AH)             IP Protocol 51      IPSec Phase 2 authenticated payload
NAT Traversal (NAT-T)                  UDP 4500            Phase 1 and 2 UDP encapsulation when NAT is present
IPSec over TCP / IPSec over UDP        TCP and UDP 10000   Used to bypass 3rd party network issues with IKE, ESP, and AH by encapsulating IPSec in UDP or TCP packets
SSL VPN                                TCP and UDP 443     Secure Sockets Layer (SSL) and Transport Layer Security (TLS) VPNs. DTLS uses UDP.


Debugging Basics

Enable logging

Issue relevant debug commands

Utilize ASDM Log Viewer, CLI, or syslog

ASDM Real-Time Log Viewer

ASDM VPN Monitoring

Debugging VPN Connections

Debugging commands

‒ debug crypto [ ikev1 | ikev2 ] (Phase 1 debugs)

‒ debug crypto ipsec (Phase 2 debugs)

‒ debug [ webvpn | aaa | radius | dap ]

Common IPSec VPN problems

‒ http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

IPSec debug guide

‒ http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

IPSec Site-to-Site VPNs

IPSec Site-to-Site VPNs

Site to Site VPN overview

Site to Site VPN configuration

Site to Site debugging


Site to Site VPNs

Site-to-site VPNs are used to connect two sites together

They are often used to connect branch offices to the main office

Used instead of private WAN connections

[Figure: Site to Site VPN – LAN A and LAN B connected across the Internet by two Cisco ASAs]

Site-to-Site IPsec Connection Creation

Key configuration choices:

‒ Peer IP Address

‒ Authentication type (Pre-Shared Key or certificate)

‒ IKE Policy (Phase 1)

‒ IPsec Policy (Phase 2)

‒ Interesting traffic ACL – Local and Remote networks


IPSec Wizard Configuration


Site-to-Site IPsec Configuration

1. Enable IKEv1 or IKEv2 on interface

2. Allow IPSec traffic into ASA (sysopt command or outside ACL)

3. Create Connection Profile

‒ Specify parameters such as peer address, protected networks, IKE parameters, and IPSec parameters

IPSec Manual Configuration

[Figure: ASDM manual IPsec configuration – Group Policy, IPSec Config and Connection Profile panes]

Site-to-Site IPsec IKEv2

ASA supports fallback to IKEv1 for easy migration

Similar to a standard IPSec IKEv1 configuration

‒ Enable IKEv2 on the interface

‒ Configure and use IKEv2 Policies

‒ Configure and use IKEv2 Tunnel Group settings


Debugging Site-to-Site Connections

Ensure Phase 1 (ISAKMP) Policies match

Ensure Phase 2 (IPSec) Transforms match

Ensure crypto Access Control Lists match

Ensure Pre-Shared Keys Match or Certificates are valid

‒ Ensure clocks are synchronized if using certificates

Ensure IPSec traffic can reach the ASA (sysopt command or ACL)

Debugging commands

‒ debug crypto [ ikev1 | ikev2 ] (Phase 1 debugs)

‒ debug crypto ipsec (Phase 2 debugs)
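The checklist above (matching Phase 1 policies, matching Phase 2 transforms, mirrored crypto ACLs, matching pre-shared keys, and IPsec permitted into the ASA) as an added pre-flight check that compares both peers' intended configuration before the tunnel is brought up. This is an added example, not Cisco code: each side is a plain dict whose keys (ike_policies, transform_sets, crypto_acl, peer, outside_ip, psk, permit_vpn) and all address values are this example's own constructed naming, not ASA syntax. The Phase 1 rule that lifetimes need not be equal (the shorter one is used) follows the ASA configuration guide's description of ISAKMP policy matching.

```python
def ike_policy_matches(a, b):
    """IKEv1 Phase 1 match rule: encryption, hash, authentication and DH group must be
    identical; lifetimes may differ (the shorter one is used), so they are not compared."""
    return all(a[k] == b[k] for k in ("encryption", "hash", "authentication", "group"))

def acl_is_mirrored(acl_a, acl_b):
    """Each (local, remote) entry on one side must appear as (remote, local) on the other."""
    return set(acl_a) == {(remote, local) for local, remote in acl_b}

def preflight(side_a, side_b):
    """Walk the debugging checklist; returns a list of findings, empty when all pass."""
    findings = []
    if not any(ike_policy_matches(p, q)
               for p in side_a["ike_policies"] for q in side_b["ike_policies"]):
        findings.append("Phase 1: no ISAKMP policy is common to both peers")
    if not set(side_a["transform_sets"]) & set(side_b["transform_sets"]):
        findings.append("Phase 2: no common IPsec transform set")
    if not acl_is_mirrored(side_a["crypto_acl"], side_b["crypto_acl"]):
        findings.append("Crypto ACLs are not mirrored")
    if side_a["peer"] != side_b["outside_ip"] or side_b["peer"] != side_a["outside_ip"]:
        findings.append("Peer address does not match the other side's outside interface")
    uses_psk = any(p["authentication"] == "pre-share" for p in side_a["ike_policies"])
    if uses_psk and side_a["psk"] != side_b["psk"]:
        findings.append("Pre-shared keys differ")
    for name, side in (("A", side_a), ("B", side_b)):
        if not side["permit_vpn"]:
            findings.append(f"Side {name}: IPsec traffic not permitted into the ASA "
                            "(sysopt connection permit-vpn or outside ACL)")
    return findings

# Constructed configurations (documentation address ranges, made-up key).
SITE_A = {
    "outside_ip": "203.0.113.1", "peer": "198.51.100.1", "psk": "constructed-psk",
    "permit_vpn": True,
    "ike_policies": [{"encryption": "aes-256", "hash": "sha", "authentication": "pre-share",
                      "group": 5, "lifetime": 86400}],
    "transform_sets": [("esp-aes-256", "esp-sha-hmac")],
    "crypto_acl": [("10.1.0.0/16", "10.2.0.0/16")],   # (local network, remote network)
}
SITE_B = {
    "outside_ip": "198.51.100.1", "peer": "203.0.113.1", "psk": "constructed-psk",
    "permit_vpn": True,
    # Several policies on B: only one needs to match A's, and the shorter lifetime wins.
    "ike_policies": [{"encryption": "aes-256", "hash": "sha", "authentication": "pre-share",
                      "group": 5, "lifetime": 28800},
                     {"encryption": "3des", "hash": "md5", "authentication": "pre-share",
                      "group": 2, "lifetime": 86400}],
    "transform_sets": [("esp-aes-256", "esp-sha-hmac"), ("esp-3des", "esp-md5-hmac")],
    "crypto_acl": [("10.2.0.0/16", "10.1.0.0/16")],
}

if __name__ == "__main__":
    print(preflight(SITE_A, SITE_B))        # []
    broken_b = dict(SITE_B, crypto_acl=[("10.2.0.0/16", "10.3.0.0/16")], psk="typo")
    print(preflight(SITE_A, broken_b))      # mirrored-ACL and PSK findings
```

Each finding corresponds to one item of the checklist, so a non-empty result tells you which debug to run next (debug crypto ikev1/ikev2 for the Phase 1, peer and PSK findings; debug crypto ipsec for the transform and ACL findings).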

IPSec Remote Access VPN

IPSec Remote Access VPN

Easy VPN Basics

Easy VPN Certificate Authentication example

Deploying Easy VPN Hardware Clients

Easy VPN Debugging


Easy VPN Remote Access VPN

Traditional IPsec VPN utilizing client software on the endpoint

Minimal client configuration for simplified deployment

Also works with hardware clients such as an ASA or Cisco router

Traffic can be tunneled over UDP or TCP for easier firewall and NAT traversal

Numerous authentication options. PSK, username/password, certificates, and combinations.

[Figure: Remote Access VPN – Clientless WebVPN and AnyConnect Client connect across the Internet to a Cisco ASA in front of the LAN]

IPSec Remote Access Configuration

1. Enable IKEv1 or IKEv2 on interface

2. Allow IPSec traffic into ASA (sysopt command or outside ACL)

3. Create Connection Profile with IPSec enabled

‒ Configure group authentication

‒ Configure user authentication

‒ Configure IPSec parameters

4. Customize group policy or create a custom group policy

‒ Configure user network settings

5. Configure Cisco VPN Client or Cisco AnyConnect


Certificate Authentication for Easy VPN

Full EZVPN certificate configuration example:

‒ http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

Deploying an Easy VPN Hardware Client

Utilizes hardware such as Cisco ASA or Cisco ISR in two modes:

‒ Client mode performs Port Address Translation (PAT) for hosts behind client

‒ Network Extension Mode (NEM) connects the client network to the head-end

[Figure: Easy VPN topology – Branch A and Branch B (Cisco ASA and Cisco ISR hardware clients) and Teleworkers A and B connect across the Internet to a central Cisco ASA in front of the LAN]

Easy VPN Hardware Authentication

Authentication options for Phase 1.5 Xauth:

‒ Default authentication: Interactive CLI authentication

‒ No authentication (beyond group authentication during Phase 1)

‒ Secure Unit Authentication (SUA): Single user behind Client authenticates once

‒ Individual User Authentication (IUA): Each user behind Client must authenticate

HTTP redirection intercepts web traffic to permit interactive SUA or IUA authentication

Deploying an Easy VPN Server

Uses a Dynamic Crypto Map

‒ Only IPSec Transform set defined

‒ Peers are unknown due to Remote Access clients with dynamic addresses

Easy VPN attributes are stored in the Group Policy and User attributes

Sample Group Policy settings

‒ Enable/disable NEM: nem

‒ Secure Unit Authentication: secure-unit-authentication

‒ Split Tunnel ACL: split-tunnel-network-list

‒ Split Tunnel Policy: split-tunnel-policy [ excludespecified | tunnelall | tunnelspecified ]

‒ VPN Filter: vpn-filter
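The three split-tunnel-policy values and the vpn-filter above decide, per packet, whether a client's traffic enters the tunnel at all and, once inside, whether the head-end lets it through. The following is an added example that evaluates both settings for a constructed group policy; it is not Cisco code. The split-tunnel semantics follow the slide; the vpn-filter is modelled as a simple first-match ACL with an implicit deny, and the direction conventions of the real ASA vpn-filter are not reproduced. The policy contents and addresses are made up.

```python
import ipaddress

def in_network_list(address, network_list):
    """True when the address falls inside any network of the list (CIDR strings)."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(net) for net in network_list)

def is_tunneled(split_tunnel_policy, network_list, destination):
    """split-tunnel-policy semantics: tunnelall sends everything through the VPN;
    tunnelspecified tunnels only the networks in split-tunnel-network-list;
    excludespecified tunnels everything except those networks."""
    if split_tunnel_policy == "tunnelall":
        return True
    listed = in_network_list(destination, network_list)
    if split_tunnel_policy == "tunnelspecified":
        return listed
    if split_tunnel_policy == "excludespecified":
        return not listed
    raise ValueError(f"unknown split-tunnel-policy {split_tunnel_policy!r}")

def vpn_filter_permits(aces, flow):
    """First-match ACL with an implicit deny, applied to traffic inside the tunnel.
    flow = (protocol, source address, destination address, destination port)."""
    proto, src, dst, dport = flow
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"] != "any" and not in_network_list(src, [ace["src"]]):
            continue
        if ace["dst"] != "any" and not in_network_list(dst, [ace["dst"]]):
            continue
        if ace.get("dport") not in (None, dport):
            continue
        return ace["action"] == "permit"
    return False   # implicit deny at the end of the list

def disposition(group_policy, flow):
    """Combine both settings: traffic that bypasses the tunnel never meets the vpn-filter,
    so with excludespecified the excluded networks are entirely outside the ASA's control."""
    _, _, dst, _ = flow
    if not is_tunneled(group_policy["split-tunnel-policy"],
                       group_policy["split-tunnel-network-list"], dst):
        return "bypasses tunnel (not filtered)"
    if vpn_filter_permits(group_policy["vpn-filter"], flow):
        return "tunneled, permitted"
    return "tunneled, dropped by vpn-filter"

# Constructed group policy: only the corporate 10/8 space is tunneled, and inside the
# tunnel clients may reach one web subnet on 443 and one DNS server on 53.
SALES_POLICY = {
    "split-tunnel-policy": "tunnelspecified",
    "split-tunnel-network-list": ["10.0.0.0/8"],
    "vpn-filter": [
        {"action": "permit", "proto": "tcp", "src": "any", "dst": "10.10.20.0/24", "dport": 443},
        {"action": "permit", "proto": "udp", "src": "any", "dst": "10.10.0.53/32", "dport": 53},
    ],
}

if __name__ == "__main__":
    for flow in [("tcp", "192.0.2.10", "10.10.20.5", 443),
                 ("tcp", "192.0.2.10", "10.10.20.5", 22),
                 ("tcp", "192.0.2.10", "198.51.100.7", 443)]:
        print(flow, "->", disposition(SALES_POLICY, flow))
```

Running the three flows shows the practical point of the combination: the SSH attempt to the web subnet is tunneled and then dropped by the filter, while the Internet-bound connection never enters the tunnel, so no head-end control applies to it.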


AnyConnect IKEv2 Remote Access

IKEv2 permits use of AnyConnect instead of Cisco VPN Client

Uses WebVPN attributes (not IPSec attributes) in Connection Profile

Allows Client Services features which run over SSL

‒ If services are disabled, provides basic IPSec IKEv2 tunnel

‒ Services: AnyConnect update, AnyConnect profile update, Hostscan, etc.


IPSec Certificate Authentication

Utilizes certificate for authentication instead of PSK

Certificates can be revoked to disable a client if stolen/compromised

Can be enabled with AAA to provide 2-factor authentication


IPSec Certificate Authentication Configuration

Configure a trustpoint (CA certificate) and ASA certificate

Configure Certificate for IKE Authentication in the Connection Profile

Configure clients to use a Client Certificate instead of PSK


Debugging Remote Access Connections

Ensure Phase 1 (IKE / ISAKMP) policies match

Ensure Phase 2 (IPSec) Transforms match

Ensure address pools are valid and not exhausted

Ensure Pre-Shared Keys Match or Certificates are valid

‒ Ensure clocks are synchronized if using certificates

Ensure AAA servers are reachable and functional

Utilize ASDM Monitoring VPN functionality

Ensure connections are mapping to correct group policy and connection profile

Debugging commands

‒ debug crypto [ ikev1 | ikev2 ] (Phase 1 and 1.5 debugs)

‒ debug crypto ipsec (Phase 2 debugs)

‒ debug aaa

‒ debug radius

AnyConnect SSL VPN

AnyConnect SSL VPN

AnyConnect Overview

AnyConnect Configuration

AnyConnect Profiles

AnyConnect Advanced Deployment


AnyConnect Secure Mobility Client

Complete client solution for secure connectivity

‒ VPN, 3G/4G, WiFi hotspot, trusted WiFi, 802.1x, MACSEC

Components

‒ IPSec IKEv2 VPN

‒ SSL VPN

‒ Posture Assessment (HostScan)

‒ Web Security (ScanSafe)

‒ Telemetry (Ironport integration)

‒ Network Access Manager (Wireless, 802.1x, MACSEC)

Understanding the components


AnyConnect Remote Access Overview

Provides full tunnel access similar to IPsec remote access

AnyConnect Profiles allow client settings pushed from head-end

Provides extra security with Cisco Secure Desktop functionality

Requires the use of AnyConnect client

Client can be pre-loaded or downloaded from the ASA using WebVPN


AnyConnect Remote Access Overview

Actual protocol is Transport Layer Security (TLS v1.0) or Datagram Transport Layer Security (DTLS)

TLS uses TCP 443, DTLS uses UDP 443

DTLS functions over UDP to provide better performance for real-time applications (voice) that are sensitive to packet delays and jitter

‒ Uses TLS first to negotiate and establish DTLS connections

‒ Uses DTLS to transmit datagrams

SSL VPN Protocol


AnyConnect Configuration

Key design and configuration choices:

‒ Client deployment: pre-deploy and/or web deployment

‒ VPN Protocol: TLS or IPSec IKEv2

‒ Authentication type: password, one-time-password, certificate, or two methods

‒ Split tunneling policy

‒ Cisco Secure Desktop requirements

‒ AnyConnect Profile options


AnyConnect Profiles

Profiles are XML files stored on the ASA flash and pushed to clients

Profile settings configure the client to simplify user interaction

Profiles are edited via ASDM

Sample profile settings

‒ ASA VPN hostname or IP address

‒ VPN Server Selection

‒ Backup Server list

‒ Certificate selection

‒ Enable Start Before Logon for Windows users

‒ Auto Reconnect

‒ Auto Update

‒ Trusted Network Detection

Load uploaded profiles for users with Group Policies

AnyConnect Profile Configuration


AnyConnect Certificate Authentication

Certificate authentication can enable simplified authentication, 2-factor authentication, and on-demand VPN (mobile)

Configuration

1. Select ASA Device Certificate from Connection Profile screen


AnyConnect Certificate Authentication

2. Enable Certificate or Both authentication methods in Connection Profile

3. Configure clients with valid certificates or enable SCEP Proxy


AnyConnect Double Authentication

Allows the use of two AAA servers

1. Configure first AAA server as normal

2. Configure Secondary Authentication Server Group


Simple Certificate Enrollment Protocol (SCEP)

SCEP Proxy allows clients to self provision certificates

The ASA proxies requests from clients to CA

[Figure: SCEP proxy – the AnyConnect Client authenticates to the Cisco ASA across the Internet and sends a SCEP request; the ASA proxies the SCEP request to the CA Server on the LAN and relays the issued certificate back to the client]

Advanced Cisco AnyConnect Solutions

Cisco Secure Desktop

Advanced endpoint analysis, security, and remediation

Downloaded and executed when AnyConnect or Clientless session is initiated

Works on Windows, Mac, and Linux (varying capabilities)

Results of host analysis can be used with Dynamic Access Policies

Capabilities

‒ Host scan – Checks for OS, patch levels, registry entries, processes, and files

‒ Endpoint assessment – Checks and remediates Anti-Virus, Anti-Spyware, and Personal Firewall

‒ Vault – Secure desktop session

‒ Cache cleaner – Securely delete web browsing data remnants

‒ Keystroke logger detection

‒ Onscreen keyboard – Mitigate keystroke logger threat


Cisco Secure Desktop Setup

CSD ASDM installation

1. On CSD Setup page, upload CSD image

2. Click 'Enable Secure Desktop'

Enable features needed like pre-login policy, onscreen keyboard, etc.


Pre-login Policy Decision Tree

Onscreen Keyboard Configuration

Keystroke Logger Configuration

Dynamic Access Policies (DAP)

Create powerful rules that enable dynamic access

DAP selection criteria are combined with logical expressions

‒ AAA attributes from LDAP or RADIUS

‒ Endpoint attributes from Endpoint Assessment and Host Scan


Dynamic Access Policies Configuration

If the criteria are met, the following access and authorization policies can be applied:

‒ Permit, Quarantine, or Terminate connection and display message to user

‒ Apply a Network ACL

‒ Apply a Web ACL (clientless)

‒ Enable/disable file browsing, file server entry, HTTP proxy, and URL entry (clientless)

‒ Enable/disable/auto-start port forwarding lists (clientless)

‒ Enable bookmark lists (clientless)

‒ Permit or deny access methods such as AnyConnect and/or Clientless
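As an added illustration (not Cisco's code and not the ASA's actual implementation), the following Python model shows how DAP records are selected and aggregated: each record's AAA and endpoint criteria are combined with an all/any logical expression, every matching record contributes, the most restrictive action (terminate over quarantine over continue) wins, and network ACLs are applied in priority order. The record names, attribute names (memberOf, av_running, os) and the sessions are constructed for the example; when no record matches, the default access policy applies.

```python
"""Simplified model of how the ASA selects and aggregates Dynamic Access
Policy (DAP) records. Added illustration only, not Cisco's implementation;
record names, attribute names and the session data below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# When several DAP records match, the most restrictive action wins.
ACTION_RANK = {"continue": 0, "quarantine": 1, "terminate": 2}


@dataclass
class DapRecord:
    name: str
    priority: int                          # higher priority: its network ACL is applied first
    aaa_criteria: Dict[str, object]        # AAA attribute -> required value (LDAP/RADIUS)
    endpoint_criteria: Dict[str, object]   # endpoint attribute -> required value (Host Scan)
    match_all: bool = True                 # True = all criteria must hold, False = any one suffices
    action: str = "continue"               # continue | quarantine | terminate
    network_acl: Optional[str] = None
    message: str = ""

    def matches(self, aaa: dict, endpoint: dict) -> bool:
        checks = [aaa.get(k) == v for k, v in self.aaa_criteria.items()]
        checks += [endpoint.get(k) == v for k, v in self.endpoint_criteria.items()]
        if not checks:
            return True                    # a record with no criteria matches every session
        return all(checks) if self.match_all else any(checks)


def evaluate(records: List[DapRecord], aaa: dict, endpoint: dict) -> dict:
    """Aggregate every matching record into the policy applied to the session."""
    matched = sorted((r for r in records if r.matches(aaa, endpoint)),
                     key=lambda r: r.priority, reverse=True)
    if not matched:
        # No record matched: the default access policy (DfltAccessPolicy) applies.
        return {"action": "continue", "acls": [], "messages": [], "matched": []}
    action = max((r.action for r in matched), key=lambda a: ACTION_RANK[a])
    return {
        "action": action,
        "acls": [r.network_acl for r in matched if r.network_acl],
        "messages": [r.message for r in matched if r.message],
        "matched": [r.name for r in matched],
    }


# Constructed DAP records for the example.
RECORDS = [
    DapRecord("Corp-Managed", 20, {"memberOf": "Employees"}, {"av_running": True},
              network_acl="ACL-Full"),
    DapRecord("Contractors", 20, {"memberOf": "Contractors"}, {},
              network_acl="ACL-Web"),
    DapRecord("No-AV", 30, {}, {"av_running": False}, action="quarantine",
              network_acl="ACL-Remediation",
              message="Antivirus not detected; access limited to remediation servers."),
    DapRecord("Blocked-OS", 10, {}, {"os": "Windows XP"}, action="terminate",
              message="This operating system is no longer permitted."),
]


def demo() -> List[dict]:
    """Evaluate four constructed sessions against RECORDS."""
    sessions = [
        ({"memberOf": "Employees"},   {"av_running": True,  "os": "Windows 7"}),
        ({"memberOf": "Employees"},   {"av_running": False, "os": "Windows 7"}),
        ({"memberOf": "Employees"},   {"av_running": False, "os": "Windows XP"}),
        ({"memberOf": "Contractors"}, {"av_running": True,  "os": "Windows 7"}),
    ]
    return [evaluate(RECORDS, aaa, ep) for aaa, ep in sessions]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third session is the one to study: it matches both a quarantine record and a terminate record, and the session is terminated even though the quarantine record has the higher priority, because priority only orders the ACLs, it never relaxes the action.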


Selection Hierarchy for VPN Attributes

The attributes of a VPN session are resolved from these sources, highest precedence first; a value set by a higher source overrides the same attribute set lower down, and an attribute a source leaves unset is inherited from the next one:

‒ Dynamic Access Policy

‒ User Attributes

‒ User Group Policy

‒ Connection Profile Group Policy

‒ Default Group Policy
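The following Python model is an added illustration of that selection hierarchy (not Cisco's code): it walks the sources from highest to lowest precedence and reports, for every attribute, which source supplied the effective value. The policy names, attribute names and values are constructed, and the DAP entry is simplified to override vpn-filter directly. The point for a defender is the last assertion in the usage notes: a restrictive vpn-filter placed only on the default group policy is silently replaced by whatever the connection profile's or the user's group policy sets.

```python
"""Resolution of VPN session attributes through the ASA policy hierarchy.
Added illustration only, not Cisco's implementation; policy names and
attribute values are constructed for the example."""
from typing import Any, Dict, Optional, Tuple

# Sources from highest to lowest precedence. The first source that sets an
# attribute wins; a source that leaves it unset (absent) defers to the next,
# which is how group-policy inheritance works on the ASA.
PRECEDENCE = [
    "dap",
    "user_attributes",
    "user_group_policy",
    "connection_profile_group_policy",
    "default_group_policy",
]

Policies = Dict[str, Dict[str, Any]]


def resolve(attribute: str, policies: Policies) -> Tuple[Optional[Any], Optional[str]]:
    """Return (value, source) for one attribute, or (None, None) if nobody sets it."""
    for source in PRECEDENCE:
        if attribute in policies.get(source, {}):
            return policies[source][attribute], source
    return None, None


def effective_policy(policies: Policies) -> Dict[str, Tuple[Any, str]]:
    """Resolve every attribute that any source mentions."""
    names = set()
    for attrs in policies.values():
        names.update(attrs)
    return {name: resolve(name, policies) for name in sorted(names)}


# Constructed policies. The default group policy holds the restrictive
# baseline; note how much of it is overridden for this user.
POLICIES: Policies = {
    "default_group_policy": {
        "vpn-filter": "ACL-DefaultDeny",
        "vpn-idle-timeout": 30,
        "vpn-tunnel-protocol": "ssl-client ssl-clientless",
        "vpn-simultaneous-logins": 3,
    },
    "connection_profile_group_policy": {      # GP-Employees on the connection profile
        "vpn-filter": "ACL-Employees",
        "vpn-tunnel-protocol": "ssl-client",
    },
    "user_group_policy": {                    # GP-Admins, attached to the user record
        "vpn-filter": "ACL-Admins",
        "vpn-idle-timeout": 60,
    },
    "user_attributes": {                      # set directly on the username
        "vpn-simultaneous-logins": 1,
    },
    "dap": {                                  # DAP record that matched this session;
        "vpn-filter": "ACL-Remediation",      # simplified here to override vpn-filter
    },
}


def without_dap(policies: Policies) -> Policies:
    """The same session when no DAP record matched."""
    return {k: v for k, v in policies.items() if k != "dap"}


if __name__ == "__main__":
    for name, (value, source) in effective_policy(POLICIES).items():
        print(f"{name:24} = {value!s:28} from {source}")
```

Run stand-alone it prints each effective attribute with its winning source; `effective_policy(without_dap(POLICIES))` shows the same session falling back to the user group policy's ACL when no DAP record matches.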

Troubleshooting AnyConnect Client


Debugging AnyConnect SSL VPN

Utilize ASDM Monitoring VPN functionality

Ensure connections are mapping to the correct group policy and connection profile

Utilize AnyConnect client logging and DART

Debugging commands

‒ show webvpn ?

‒ debug webvpn ?

‒ debug aaa

‒ debug radius

Clientless SSL VPN

Clientless SSL VPN

Clientless VPN Overview

Clientless Capabilities

‒ Application access

‒ Smart Tunnels

‒ Plug-ins

Troubleshooting Clientless SSL VPNs

Advanced Authentication and Single Sign-On in a Clientless SSL VPN

Customizing the Portal


Clientless SSL VPN Overview

Provides network access through a standard web browser; no client software is installed

Secure access through multiple methods

‒ Internal websites – delivering internal websites over HTTPS

‒ Windows file shares – web-based file browsing capabilities

‒ Plug-ins – Java applets for telnet, SSH, RDP, VNC, and Citrix (ICA)

‒ Smart Tunnels – Automatic tunneling of application traffic through the SSL VPN

‒ Port Forwarding – Opening local ports to be forwarded over the SSL VPN

Provides extra security with Cisco Secure Desktop functionality


Clientless SSL VPN Configuration

Key design and configuration choices:

‒ Which access methods to permit (web, file browsing, plug-ins, etc.)

‒ Bookmarks for users

‒ Different web portals for different groups

‒ Authentication type: password, one-time-password, certificate, or two methods

‒ Cisco Secure Desktop requirements


Clientless ASDM Configuration

1. Upload Plug-ins and CSD to flash if needed

2. Configure AAA servers for required user authentication methods

3. Install an SSL certificate on the ASA for secure remote connections

4. Create Group Policy

• Define most of the Clientless options

5. Create Connection Profile

• User authentication type

• Associate Group Policy

• Create Connection Aliases and Group URLs for users to access this Clientless SSL VPN

6. Enable SSL VPN on the appropriate interface


Clientless SSL VPN Bookmarks

Methods for assigning bookmarks

‒ Group policy

‒ User attributes

‒ LDAP or RADIUS attributes

‒ Dynamic Access Policy (DAP) result

URL Variables for Single Sign On

‒ CSCO_WEBVPN_USERNAME — User login name

‒ CSCO_WEBVPN_PASSWORD — Obtained from user login password

‒ CSCO_WEBVPN_INTERNAL_PASSWORD — Obtained from the internal password field; this field can be used as the domain for single sign-on operations

‒ CSCO_WEBVPN_CONNECTION_PROFILE — User login group drop-down

‒ CSCO_WEBVPN_MACRO1 — Set via Radius or LDAP vendor specific attribute

‒ CSCO_WEBVPN_MACRO2 — Set via Radius or LDAP vendor specific attribute
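The following Python example is an added illustration (not the ASA's own substitution code) of how these macros are expanded into a bookmark at login, together with an audit a practitioner would want before enabling single sign-on bookmarks: a credential macro in a URL query string is sent in the request line and ends up in web-server and proxy access logs and browser history, and a credential macro in a plain-HTTP bookmark crosses the internal network unencrypted. The bookmarks and session values are constructed; that substituted values are percent-encoded is an assumption of the model.

```python
"""Expansion of CSCO_WEBVPN_* macros in clientless bookmark URLs, plus an
audit for bookmarks that would expose a credential. Added illustration only,
not the ASA's own substitution code; the bookmarks and session values are
constructed, and percent-encoding of substituted values is an assumption."""
import re
from urllib.parse import quote, urlsplit

MACRO_RE = re.compile(
    r"CSCO_WEBVPN_(USERNAME|PASSWORD|INTERNAL_PASSWORD|CONNECTION_PROFILE|MACRO1|MACRO2)"
)
SECRET_MACROS = {"PASSWORD", "INTERNAL_PASSWORD"}


def expand(template: str, session: dict) -> str:
    """Replace each macro with the matching session value (percent-encoded)."""
    return MACRO_RE.sub(lambda m: quote(str(session.get(m.group(1), "")), safe=""), template)


def audit(bookmark: dict) -> list:
    """Flag credential macros placed where they can be logged or sniffed.

    bookmark = {"name": str, "url": str, "method": "GET"|"POST", "post_params": {...}}
    """
    findings = []
    url = bookmark["url"]
    # 1. A secret macro in the query string is part of the request line and
    #    lands in proxy and web-server access logs and browser history.
    for m in MACRO_RE.finditer(urlsplit(url).query):
        if m.group(1) in SECRET_MACROS:
            findings.append(f"{bookmark['name']}: {m.group(0)} in URL query string; "
                            "move it to a POST form parameter")
    # 2. A secret macro in a plain-HTTP URL or POST body travels unencrypted
    #    between the ASA and the internal server.
    if urlsplit(url).scheme == "http":
        bodies = [url] + list(bookmark.get("post_params", {}).values())
        if any(m.group(1) in SECRET_MACROS for text in bodies for m in MACRO_RE.finditer(text)):
            findings.append(f"{bookmark['name']}: credential macro sent over plain HTTP")
    return findings


# Constructed bookmarks for the example.
BOOKMARKS = [
    {"name": "Legacy-HR", "method": "GET",
     "url": "https://hr.corp.example/login?user=CSCO_WEBVPN_USERNAME&pw=CSCO_WEBVPN_PASSWORD"},
    {"name": "Wiki", "method": "POST", "url": "https://wiki.corp.example/login",
     "post_params": {"username": "CSCO_WEBVPN_USERNAME", "password": "CSCO_WEBVPN_PASSWORD",
                     "domain": "CSCO_WEBVPN_INTERNAL_PASSWORD"}},
    {"name": "Old-Portal", "method": "POST", "url": "http://portal.corp.example/login",
     "post_params": {"u": "CSCO_WEBVPN_USERNAME", "p": "CSCO_WEBVPN_PASSWORD"}},
]

# Constructed session context as it would exist after the portal login.
SESSION = {"USERNAME": "jdoe", "PASSWORD": "S3cr&t!", "INTERNAL_PASSWORD": "CORP",
           "CONNECTION_PROFILE": "Employees", "MACRO1": "", "MACRO2": ""}


def audit_all(bookmarks=BOOKMARKS) -> dict:
    """Audit every bookmark; an empty list means no finding."""
    return {b["name"]: audit(b) for b in bookmarks}


if __name__ == "__main__":
    print(expand(BOOKMARKS[0]["url"], SESSION))
    for name, findings in audit_all().items():
        print(name, findings or "ok")
```

Of the three constructed bookmarks only "Wiki" passes: it posts the credential in a form body over HTTPS, which is the shape to prefer when a bookmark must carry CSCO_WEBVPN_PASSWORD at all.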


Bookmark Settings


Clientless Smart Tunnels

Allows a TCP-based application to tunnel through the clientless VPN

Benefits

‒ Better performance than plug-ins

‒ Simplifies user experience compared to forwarding local ports

‒ Does not require administrative privileges, unlike port forwarding

Available for Windows (using Internet Explorer) and Mac

Configuring Smart Tunnels in Group Policy


Deploying Advanced Application Access for Clientless SSL VPN

Configuring Smart Tunnels


Clientless Plug-ins

Java applets that enable secure application connectivity through the SSL VPN browser session and enable new URL and bookmark types

‒ Citrix Client (ica://), RDP (rdp://, rdp2://), Shell (telnet://, ssh://), VNC (vnc://)

‒ Do not require administrator privileges on the endpoint


Clientless Plug-ins Configuration

1. Load the plug-ins via ASDM

2. Customize bookmarks with Plug-Ins URLs


Clientless Port Forwarding

Port forwarding supports TCP applications over the SSL VPN

Works by opening local ports and forwarding the connection as defined by the port forward configuration

DNS is intercepted to force applications to connect to the local ports

Requires administrative rights on the endpoint to function

Works on Windows, Mac, and Linux
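The Python example below is an added illustration of the two mechanisms just described (not Cisco's applet): a listener on a local port that relays each accepted connection to the configured remote host and port, and the hosts-file entries that redirect the application's DNS lookup to that local listener, which is the step that needs administrative rights. It relays straight to the target over TCP, where the real applet relays into the SSL VPN session; the forwarding list, host names and loopback addresses are constructed. The `demo()` function stands up a throwaway echo server as the "remote" service and sends one message through the forwarder.

```python
"""A local TCP port forwarder of the kind the clientless port-forwarding
applet sets up, plus the hosts-file entries that make an application's DNS
lookup land on the local listener. Added illustration only, not Cisco's
applet; it relays straight to the target over TCP where the real applet
relays into the SSL VPN session. The forwarding list is constructed."""
import socket
import threading
from typing import List, Tuple

# Constructed port-forwarding list: remote host/port and the local port to open.
FORWARD_LIST = [
    {"name": "Mail", "remote_host": "mail.corp.example", "remote_port": 25, "local_port": 2525},
    {"name": "Jabber", "remote_host": "im.corp.example", "remote_port": 5222, "local_port": 5222},
]


def hosts_file_lines(forward_list) -> List[str]:
    """Loopback aliases that redirect each remote name to the local listener.
    Each name gets its own 127.0.0.x address (assumed numbering) so that two
    entries sharing a local port stay distinguishable. Editing the hosts file
    is why port forwarding needs administrative rights on the endpoint."""
    return [f"127.0.0.{i} {e['remote_host']}" for i, e in enumerate(forward_list, start=2)]


def _relay(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source closes, then half-close the other side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForwarder:
    """Listen on 127.0.0.1:local_port and relay each accepted connection to remote."""

    def __init__(self, remote: Tuple[str, int], local_port: int = 0):
        self.remote = remote
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", local_port))   # port 0 = let the OS choose
        self.listener.listen(5)
        self.local_port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:                              # listener closed
                return
            upstream = socket.create_connection(self.remote, timeout=5)
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_relay, args=(upstream, client), daemon=True).start()

    def close(self) -> None:
        self.listener.close()


def demo(message: bytes = b"EHLO laptop.example\r\n") -> bytes:
    """Echo server as the stand-in remote service, forwarder in front of it;
    the 'application' connects to the local port and receives the echo."""
    target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    target.bind(("127.0.0.1", 0))
    target.listen(1)

    def echo_once():
        conn, _ = target.accept()
        with conn:
            conn.sendall(conn.recv(4096))

    threading.Thread(target=echo_once, daemon=True).start()
    fwd = LocalForwarder(target.getsockname())
    try:
        with socket.create_connection(("127.0.0.1", fwd.local_port), timeout=5) as app:
            app.sendall(message)
            app.shutdown(socket.SHUT_WR)
            reply = b""
            while len(reply) < len(message):
                chunk = app.recv(4096)
                if not chunk:
                    break
                reply += chunk
    finally:
        fwd.close()
        target.close()
    return reply


if __name__ == "__main__":
    print("\n".join(hosts_file_lines(FORWARD_LIST)))
    print(demo())
```

Compare this with the smart tunnel bullets above: a smart tunnel hooks the application's socket calls instead of opening listeners and rewriting name resolution, which is why it needs no administrative rights and no hosts-file change.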


Port Forwarding Configuration

1. Configure Port Forwarding List

2. Specify Port Forwarding List in Group Policy



Customizing the Clientless SSL VPN User Interface and Portal


Customizing the SSL Login Page

Page can be branded


WebACL Example


Debugging Clientless SSL VPN

Utilize ASDM Monitoring VPN functionality

Ensure connections are mapping to the correct group policy and connection profile

Debugging commands

‒ show webvpn ?

‒ debug webvpn ?

‒ debug aaa

‒ debug radius

‒ debug dap

Cisco ASA VPN High Availability

High Availability Options

Redundant head-end peering

‒ Configure two head-ends with two IPsec tunnels

‒ Utilize two interfaces with two ISPs for additional redundancy

‒ Static route tracking is used to switch between ISPs

Diagram: remote-access VPN with redundant head-ends (an AnyConnect client across the Internet to two Cisco ASAs in the company network), and ISP high availability (a Cisco ASA with uplinks to ISP 1 and a second ISP in front of the company network).

High Availability Options

Active / Standby chassis redundancy

‒ The ASA must be in single-context, routed mode to support VPNs

‒ Configure both Failover link and Stateful link to preserve VPN sessions

Diagram: Active/Standby pair (Cisco ASA - Active and Cisco ASA - Standby joined by the failover link) between the Internet and the company network.

High Availability Options

External Load Balancer

‒ Utilize a stateful load balancer to distribute VPN sessions among ASAs

VPN Load Balancing feature

‒ Virtual load balancing built into ASA

‒ No external load balancer required

‒ Works with IPsec (remote access), SSL VPN tunnels, and SSL VPN clientless

‒ Use a single Unified Client Certificate or multiple certificates

Diagram: VPN load balancing, a virtual load balancing cluster of several Cisco ASAs between the Internet and the company network.

Summary

Overview of CCNP Security VPN v2.0 Exam

VPN v2.0 Topics

‒ ASA VPN Architecture and Fundamentals

‒ VPN Fundamentals

‒ IPSec Site to Site

‒ IPSec Remote Access

‒ AnyConnect VPN

‒ Clientless SSL VPN

‒ High Availability

Q&A


Final Thoughts

Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042

Come see demos of many key solutions and products in the main Cisco booth 2924

Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!

Follow Cisco Live! using social media:

‒ Facebook: https://www.facebook.com/ciscoliveus

‒ Twitter: https://twitter.com/#!/CiscoLive

‒ LinkedIn Group: http://linkd.in/CiscoLI


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.

Questions?
