Setting up clientless VPN for the ASA 5505
It will probably work the same on an ASA 5510, 5520, etc., but no guarantees.
Before we get started you need the following:
Internal network in this example: 10.110.0.0/16
Outside network IP address: 192.168.10.250 (in normal usage the ASA would have a public IP, but I am currently in a test lab where the ASA sits behind another gateway.)
1. Log in to the ASDM software and start the wizard named “Clientless SSL VPN Wizard”.
Picture 1 Starting Clientless VPN Wizard SSL
2. Click Next.
Picture 2 SSL VPN Wizard
3. Fill in the connection profile name. In this example I will use: 2is_sslvpn_prof
4. I do not have a valid certificate at the moment, but you can add one here.
5. Leave everything at the default. Click Next.
Picture 3 SSL VPN Interface
6. At the moment I don’t have an AAA server group, so I will use the local user database.
Click Authenticate using the local user database and add users. For the test I have added the user test. This is of course not recommended for production use!
7. Click Next to continue.
Picture 4 User authentication
8. Create a new group policy. In this example I use: 2is_ssl_vpn_grppol.
Click Next to continue.
Picture 5 Group Policy
9. I have decided to edit the bookmarks later, so I click Next. You don’t have to wait, though; you can add them here.
Picture 6 Clientless Connections Only
10. Click OK.
Picture 7 No bookmark defined
11. Click Finish to complete the setup.
Picture 8 Summary
The ASA will execute the following commands. (This is also a way to set it up: I normally prefer the CLI over the GUI, but this is the first time I am configuring clientless VPN, so I started with the GUI.)
webvpn
 enable outside
username test password ********* encrypted privilege 0
username test attributes
 vpn-group-policy 2is_ssl_vpn_grppol
exit
group-policy 2is_ssl_vpn_grppol internal
group-policy 2is_ssl_vpn_grppol attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none
 exit
exit
tunnel-group 2is_sslvpn_prof type remote-access
tunnel-group 2is_sslvpn_prof general-attributes
 default-group-policy 2is_ssl_vpn_grppol
The clientless VPN is now ready. I have tested it remotely.
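As an added example that is not part of the original article, here is a small Python check that parses the wizard output above (indented the way show running-config prints it) and reports the points this article raises about it: the local-database user, the group policy that still has url-list none, and the missing ssl trust-point on the outside interface, which is what causes the browser certificate warning when you first open the portal. The embedded configuration is a constructed copy of the wizard output; the review rules are my own, not Cisco's.

```python
from typing import List, Tuple
# Wizard-generated CLI from the article, indented as 'show running-config' prints it
# (constructed sample; the asterisks stand in for the password hash).
WIZARD_CONFIG = """\
webvpn
 enable outside
username test password ********* encrypted privilege 0
username test attributes
 vpn-group-policy 2is_ssl_vpn_grppol
exit
group-policy 2is_ssl_vpn_grppol internal
group-policy 2is_ssl_vpn_grppol attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none
 exit
exit
tunnel-group 2is_sslvpn_prof type remote-access
tunnel-group 2is_sslvpn_prof general-attributes
 default-group-policy 2is_ssl_vpn_grppol
"""


def parse_asa(config: str) -> List[Tuple[Tuple[str, ...], str]]:
    """Flatten the config into (enclosing sub-mode commands, command) pairs using indentation."""
    stack, entries = [], []  # stack holds (depth, command) for the currently open sub-modes
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "exit":  # nesting is recovered from indentation, so 'exit' adds nothing
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= depth:  # a line at the same or a shallower depth closes the sub-mode
            stack.pop()
        entries.append((tuple(cmd for _, cmd in stack), line))
        stack.append((depth, line))
    return entries


def review(config: str) -> List[str]:
    """Report the points the article raises about the wizard output."""
    entries = parse_asa(config)
    top = [cmd for ctx, cmd in entries if not ctx]  # global configuration commands
    findings = [f"local-db user '{c.split()[1]}': fine for a lab, not for production (use an AAA server group)"
                for c in top if c.startswith("username ") and " password " in c]
    for ctx, cmd in entries:  # 'url-list none' under 'group-policy X attributes' / 'webvpn'
        if cmd == "url-list none" and ctx and ctx[0].startswith("group-policy "):
            findings.append(f"{ctx[0].split()[1]}: no bookmark list assigned yet (url-list none)")
    if not any(c.startswith("ssl trust-point ") and c.endswith(" outside") for c in top):
        findings.append("no 'ssl trust-point <name> outside': browsers will show the certificate warning")
    return findings
```

Once a bookmark list is assigned (url-list value <list>) and a CA-issued certificate is bound with ssl trust-point, only the local-database note remains.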
12. I have DDNS enabled, but if you use the public IP address, open a browser and go to: https://Public_IP_ADDRESS/
13. Click Continue to this website (not recommended). This warning appears because no valid certificate is installed; it is fixed by adding a certificate issued by a public root CA that browsers trust (for example from sslcertificaten.nl).
Picture 9 Certificate error
14. Fill in the credentials from the local user database and click Login.
Picture 10 Login
Picture 11 Final
At this point there are no bookmarks.
15. To fill the page with bookmarks, go to Configuration, Remote Access VPN, Clientless VPN Access, Portal and click Bookmarks.
Picture 12 Bookmarks
16. Click Add.
17. Give the bookmark list a name. In this example: 2is_book
Picture 13 bookmark list
18. Click Add to create a new bookmark.
19. Fill in the bookmark title.
20. Fill in the URL. In this example: http://1.1.1.1/
Picture 14 MBW
21. Click OK.
22. Add more bookmarks until the list is complete and click OK. After the bookmarks are added you must assign the bookmark list to a group policy. In this example: 2is_ssl_vpn_grppol
23. Click Assign, select the policy and click OK.
Picture 15 assign bookmark list
24. Click OK.
25. Log in to the remote web page to see the new bookmark.
Picture 16 Bookmarks visible!
26. It is also possible to add more protocols to the portal page, for example RDP/SSH. By default only a few protocols are allowed:
Picture 17 Default supported protocols
I am writing a separate article on adding more protocols to the portal page.