Configuring Clientless VPN for ASA 5505 part 1

Setting up clientless vpn for ASA 5505

It probably works the same on an ASA 5510, 5520, etc. However, no guarantees.

Before we get started you need the following:

The internal network in this example is 10.110.0.0/16.

The outside IP address is 192.168.10.250 (in normal usage the ASA would have a public IP, but I am currently in a test lab where the ASA sits behind another gateway).

1. Log in to the ASDM software and start the wizard named "Clientless SSL VPN Wizard".

Picture 1 Starting Clientless VPN Wizard SSL

2. Click Next

Picture 2 SSL VPN Wizard

3. Fill in the connection profile name. In this example I use: 2is_sslvpn_prof

4. I do not have a valid certificate at the moment, but you can add one here.

5. Leave everything at the default. Click Next.

Picture 3 SSL VPN Interface

6. At this moment I don't have an AAA server group and will use the local user database.

Click "Authenticate using the local user database" and add users. For the test I have added the user test. This is of course not recommended for production use!

7. Click Next to continue.

Picture 4 User authentication

8. Create a new group policy. In this example I use: 2is_ssl_vpn_grppol

Click Next to continue.

Picture 5 Group Policy

9. I have decided to edit the bookmarks later. Click Next. However, you don't have to wait; you can add them here accordingly.

Picture 6 Clientless Connections Only

10. Click OK.

Picture 7 No bookmark defined

11. Click Finish to complete the setup.

Picture 8 Summary

The ASA will execute the following commands. (This is also a way to set it up, from the CLI. I personally always prefer the CLI over the GUI, but since this is the first time I am configuring clientless VPN, I did it in the GUI first.)

      webvpn
        enable outside
      username test password ********* encrypted privilege 0
      username test attributes
        vpn-group-policy 2is_ssl_vpn_grppol
      exit
      group-policy 2is_ssl_vpn_grppol internal
      group-policy 2is_ssl_vpn_grppol attributes
        vpn-tunnel-protocol ssl-clientless
        webvpn
          url-list none
      exit
      exit
      tunnel-group 2is_sslvpn_prof type remote-access
      tunnel-group 2is_sslvpn_prof general-attributes
        default-group-policy 2is_ssl_vpn_grppol

The clientless VPN is now ready. I have tested it remotely.

12. I have DDNS enabled, but if you have the public IP address, open a browser and go to: https://Public_IP_ADDRESS/

13. Click "Continue to this website (not recommended)". This error can be fixed by adding a valid certificate to the website, trusted by a public root CA (for example sslcertificaten.nl).

Picture 9 Certificate error

14. Fill in the credentials from the local user database and click Login.

Picture 10 Login

Picture 11 Final

There are at this point no bookmarks.

15. To fill the page with bookmarks, follow this path: Configuration, Remote Access VPN, Clientless VPN Access, Portal, and click Bookmarks.

Picture 12 Bookmarks

16. Click Add.

17. Give the bookmark list a name. In this example: 2is_book

Picture 13 bookmark list

18. Click Add to make a new bookmark.

19. Fill in the bookmark title.

20. Fill in the URL. In this example: http://1.1.1.1/

Picture 14 MBW

21. Click OK.

22. Add more bookmarks until the list is complete and click OK. After the bookmarks are added you must assign the bookmark list to a policy. In this example: 2is_ssl_vpn_grppol

23. Click Assign, mark the policy and click OK.

Picture 15 assign bookmark list

24. Click OK.

25. Log in to the remote web page to see the new bookmark.

Picture 16 Bookmarks visible!

26. It is also possible to add more protocols to the portal page, for example RDP/SSH. By default only a few protocols are allowed:

Picture 17 Default supported protocols

I am writing a new article on how to add more protocols to the portal page.
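As an added example that is not part of the original article, here is the same bookmark-list assignment done from the CLI instead of ASDM, together with the certificate and local-user points the article mentions but does not show as commands. The TFTP server 10.110.0.5, the file name 2is_book.xml and the trustpoint name SSLVPN-TP are assumed values; the group policy, tunnel group, bookmark list and user names are the ones used above.

```cisco
! Added example, not the article's own ASDM output.
! Assumed: the bookmark list was written as 2is_book.xml on TFTP server
! 10.110.0.5, and a CA-signed trustpoint named SSLVPN-TP already exists.

! 1. Load the bookmark list into flash (the CLI counterpart of the
!    ASDM "Add bookmark list" dialog).
import webvpn url-list 2is_book tftp://10.110.0.5/2is_book.xml

! 2. Assign the list to the group policy. This replaces the
!    "url-list none" line the wizard generated, so portal users
!    actually see the bookmarks. Simultaneous logins and idle timeout
!    are tightened at the same time.
group-policy 2is_ssl_vpn_grppol attributes
  vpn-tunnel-protocol ssl-clientless
  vpn-simultaneous-logins 1
  vpn-idle-timeout 30
  webvpn
    url-list value 2is_book
  exit
exit

! 3. Present the CA-signed certificate on the outside interface, so the
!    "Continue to this website (not recommended)" warning disappears.
ssl trust-point SSLVPN-TP outside

! 4. Keep the local test account VPN-only. If LOCAL is also used for
!    ASDM/SSH authentication, service-type remote-access stops this
!    account from being used for management logins.
username test attributes
  vpn-group-policy 2is_ssl_vpn_grppol
  service-type remote-access
exit

! 5. Verify the policy and watch who is logged in to the portal.
show running-config group-policy 2is_ssl_vpn_grppol
show vpn-sessiondb webvpn
```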

 
