Encrypted Connection Protocols:
• SSL tunnel uses the SSL protocol with RC4 or AES to encrypt data
• IPSec tunnel uses the IPSec protocol with DES, 3DES or AES to encrypt data
Encrypted Client options supported by the ASA:
• AnyConnect VPN Client is an SSL-based VPN client that is installed on a desktop and can tunnel any traffic (aka SVC)
• WEB VPN (aka Clientless VPN) uses the browser as the client with the ASA acting as a proxy. It can tunnel HTTP and HTTPS traffic and a limited number of other supported protocols such as CIFS, OWA, RDP, VNC, SSH and Telnet via plugins
• Cisco VPN Client is an IPSec client that can tunnel any traffic except for multicast.
ASA VPN Configuration
The AnyConnect configuration document at the URL below is an excellent starting place for any ASA VPN configuration.
http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808efbd2.shtml
Configure
Step 1. Configure a Self-Issued Certificate
Step 2. Upload and Identify the SSL VPN Client Image
Step 3. Enable AnyConnect Access
Step 4. Create a New Group Policy
Step 5. Configure Access List Bypass for VPN Connections
Step 6. Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections
Step 7. Configure NAT Exemption for AnyConnect
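The seven steps above, carried through as one ASA CLI configuration. This is an added example, not configuration from the page or from the Cisco document it links; it uses the names the page gives (connection profile SSLClientProfile, group policy GroupPolicy1, alias SSLClient) and assumes interfaces named inside and outside, an inside network of 10.1.1.0/24, a client pool of 192.168.100.0/24, a hypothetical FQDN, trustpoint and keypair label, and a placeholder for the AnyConnect package filename. The svc keywords and the nat 0 form match the 8.0/8.1 releases the page's documentation links target; later releases rename svc to anyconnect and change the NAT syntax.

```cisco
! --- Step 1: self-issued certificate presented by the SSL VPN (hypothetical names) ---
crypto key generate rsa label sslvpn-key modulus 2048
crypto ca trustpoint SelfSigned-TP
 enrollment self
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
 keypair sslvpn-key
crypto ca enroll SelfSigned-TP noconfirm
ssl trust-point SelfSigned-TP outside
!
! --- Steps 2 and 3: identify the client image and enable AnyConnect (SVC) on outside ---
webvpn
 enable outside
 svc image disk0:/ANYCONNECT-PACKAGE-PLACEHOLDER.pkg 1
 svc enable
 tunnel-group-list enable
!
! --- Step 4: address pool and the group policy the page calls GroupPolicy1 ---
ip local pool SSLClientPool 192.168.100.10-192.168.100.100 mask 255.255.255.0
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol svc
 dns-server value 10.1.1.10
 webvpn
  svc keep-installer installed
!
! --- Step 5: decrypted VPN traffic bypasses the outside interface access list ---
sysopt connection permit-vpn
!
! --- Step 6: connection profile (tunnel group) SSLClientProfile with alias SSLClient ---
! Authentication defaults to LOCAL; create users with "username <name> password <password>"
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 address-pool SSLClientPool
 default-group-policy GroupPolicy1
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLClient enable
!
! --- Step 7: NAT exemption (pre-8.3 syntax) between the inside network and the pool ---
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

Step 5 is the one to weigh carefully: once sysopt connection permit-vpn is set, the interface access list no longer filters traffic arriving from the tunnel, so restrict what VPN users can reach with a vpn-filter access list applied in the group policy rather than relying on the outside ACL. Because the alias is published in the login drop-down, tunnel-group-list enable is what makes SSLClient visible to users.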
VPN Connection Flow Summary
At client connection time, Group Policy settings take precedence over Connection Profile settings. If the Connection Profile has a setting and the Group Policy is set to "inherit", then the Connection Profile setting is used.
AnyConnect Client Connection
• Connection Profile (called tunnel group at CLI) = SSLClientProfile
• Uses Group Policy = GroupPolicy1
• Alias = SSLClient
IPSec Client Connection
• Connection Profile (called tunnel group at CLI) = IPSecVPN
• Uses Group Policy = IPSecClient
• IPSec Client settings: Groupname = IPSecVPN, pre-shared
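The IPSec client side of the flow above as a matching ASA CLI configuration. This is an added example, not configuration from the page; it uses the page's names (tunnel group IPSecVPN, group policy IPSecClient) and assumes an outside interface, a client pool of 192.168.101.0/24, hypothetical policy and map names, and a placeholder for the pre-shared key. The tunnel group name is what the Cisco VPN Client sends as its group name, and the pre-shared key under ipsec-attributes is the group password. AES is chosen from the DES, 3DES and AES options the page lists.

```cisco
! --- IKE phase 1: pre-shared-key authentication, AES-256 (hypothetical policy number) ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Clients behind home NAT devices need NAT traversal (UDP 4500)
crypto isakmp nat-traversal 20
!
! --- IKE phase 2: transform set and a dynamic crypto map for remote-access peers ---
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! --- Address pool and the group policy the page calls IPSecClient ---
ip local pool IPSecPool 192.168.101.10-192.168.101.100 mask 255.255.255.0
group-policy IPSecClient internal
group-policy IPSecClient attributes
 vpn-tunnel-protocol IPSec
!
! --- Tunnel group IPSecVPN: the group name the Cisco VPN Client is configured with ---
tunnel-group IPSecVPN type remote-access
tunnel-group IPSecVPN general-attributes
 address-pool IPSecPool
 default-group-policy IPSecClient
tunnel-group IPSecVPN ipsec-attributes
 pre-shared-key PRE-SHARED-KEY-PLACEHOLDER
```

The dynamic map sits at the highest sequence number (65535) so any static LAN-to-LAN crypto map entries on the same interface are matched first. The pre-shared key only authenticates the group; per-user credentials are still collected through the tunnel group's authentication server (LOCAL by default), so the group key should never be the sole secret protecting access.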
• Link directly to Citrix applications from the portal
• Plugin supports all Citrix Java client parameters/features
• ASA optimizes performance by downloading components as needed
• Verify your Citrix EULA grants rights and permissions to deploy the client
Clientless WebVPN Native Citrix Support (No Plugin)
ASA automatically intercepts web traffic with content type ICA from Web Presentation Server and modifies return ICA file to client to ensure ASA proxies session.
Java or ActiveX ICA Client is also pushed down to client if not running standalone client on endpoint.
Smart Tunnels are application-level port forwarding
It is a connection between a Winsock 2, TCP-based application and the private site, using a clientless (browser-based) SSL VPN session.
You can specify client applications which you want to grant Smart Tunnel access including Telnet, SSH, RDP, VNC, Passive FTP, Outlook Express, Lotus Notes, Sametime, Citrix Program Neighborhood client, and Outlook via POP/SMTP/IMAP.
SSL VPN loads a stub into each process spawned by an authorized application, and intercepts socket calls to redirect via ASA.
This can be used where other methods such as AnyConnect or Port Forwarding cannot be used.
A browser with ActiveX, Java or JavaScript support is required, on 32-bit OSs only, such as Windows XP and 2000.
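Granting Smart Tunnel access to a set of applications, as described above, looks like this at the ASA CLI. This is an added example, not configuration from the page; the list name RemoteAdminApps and the application entries are assumptions, and it reuses the GroupPolicy1 name from the page's AnyConnect example as the policy receiving the list.

```cisco
! --- Define which client executables may use the smart tunnel (hypothetical list) ---
! Syntax: smart-tunnel list <list-name> <entry-name> <executable> [<sha1-hash>]
webvpn
 smart-tunnel list RemoteAdminApps ssh-client putty.exe
 smart-tunnel list RemoteAdminApps rdp-client mstsc.exe
 smart-tunnel list RemoteAdminApps telnet-client telnet.exe
!
! --- Attach the list to the group policy used by the clientless session ---
group-policy GroupPolicy1 attributes
 webvpn
  smart-tunnel enable RemoteAdminApps
```

Because the stub described above is loaded into any process whose executable name matches an entry, the optional hash argument (the SHA-1 of the binary) is the control that stops a renamed program from inheriting the tunnel; without it, the list is a filename filter only. Keep the list to the applications the page enumerates that users actually need.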
Secure Session (aka Secure Desktop or Vault) Overview
Encrypts data and files associated with or downloaded during remote session into a secure desktop partition
Provides tasktray icon to signify a safe environment for remote user to work in.
Upon session termination, uses U.S. Department of Defense (DoD) sanitation algorithm to remove the partition.
Typically used during clientless SSL VPN sessions; attempts to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain after a remote user logs out, the session times out, or an abrupt termination occurs.
Runs over Microsoft Windows Vista, Windows XP, and Windows 2000.
If the Prelogin policy is configured to install Secure Session but the remote OS does not support Secure Session, then a Cache Cleaner install is attempted instead.
DAP Policy Flow (SSL VPN User)
1. Initial SSL Connection
2. Pre-Login Scan: Basic Host Scan, Extended Host Scan, Custom Checks
3. Pre-login Policy (Location) Assigned
4. User login
5. Connection Profile Selected: • DefaultWEBVPNGroup • Conn/Group URL (auto) • Group Drop-Down List • Certificate-based (auto)
6. User/Group Policy Selected (User Policy, Group Policy)
7. DAP inputs: • Pre-Login Policy • Scan Results • OS Details • User Attributes • Group Attributes • Connection Type
8. Resultant Policy
Resultant Policy is a collection of multiple data points and attributes, not necessarily collected in order, that are compiled based on policy inheritance and prioritization hierarchy.
ASA VPN Load Balancing
Load balancing is supported on remote sessions initiated with the following:
• Cisco AnyConnect VPN Client (Release 2.0 and later)
• Cisco VPN Client (Release 3.0 and later)
• Cisco VPN 3002 Hardware Client (Release 3.5 or later)
• Cisco PIX 501/506E when acting as an Easy VPN client
Load balancing works with both IPSec clients and WebVPN sessions. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but they cannot participate in load balancing.
You can configure the number of IPSec and WebVPN sessions to allow, up to the maximum allowed by your configuration and license. With Release 7.1(1), IPSec and WebVPN sessions count or weigh equally in determining the load that each device in the cluster carries.
If using certificates you must enable redirection using a fully-qualified domain name in vpn load-balancing mode. Use the command "redirect-fqdn enable" in global configuration mode. This is disabled by default.
http://www.cisco.com/en/US/partner/docs/security/asa/asa81/config/guide/vpnsysop.html
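A load-balancing cluster member configured with the FQDN redirection described above. This is an added example, not configuration from the page or the linked guide; the cluster virtual address, port, priority and interface names are assumptions, and the shared secret is a placeholder. The same stanza, with the same cluster address, port and key, is entered on every ASA in the cluster; only priority would normally differ.

```cisco
! --- Enter on each cluster member (hypothetical addresses; placeholder key) ---
vpn load-balancing
 ! Higher priority wins the master election when members come up together
 priority 10
 ! Interface facing the clients and interface used for cluster traffic
 interface lbpublic outside
 interface lbprivate inside
 ! Virtual address the clients connect to; it must be on the lbpublic subnet
 cluster ip address 203.0.113.10
 cluster port 9023
 ! Shared secret that authenticates cluster messages, then encrypt them with it
 cluster key CLUSTER-SECRET-PLACEHOLDER
 cluster encryption
 ! Redirect clients to the member's FQDN instead of its IP so the certificate name matches
 redirect-fqdn enable
 participate
```

redirect-fqdn enable only helps if the name resolution behind it is in place: the master resolves the selected member's public address to a name, so each member needs forward and reverse DNS records for its outside address, the ASA needs dns domain-lookup enabled with a reachable name server, and that name must be the subject or SAN of the member's certificate. Without cluster encryption the key still authenticates members but the redirect messages travel in the clear on the lbprivate interface.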
Additional End Point Assessment License includes:
• Cisco Secure Desktop: for running secure applications on an insecure device
• End Point Assessment (NAC Lite): to verify the posture of the device, enabling the ASA to assign the client to a specific group with specific access rights
• Mobile VPN Client Support (ASA-MOBILE-VPN)
• Phone Proxy: encrypted call setup and firewalling
Wide Range of Management Solutions
Provide scalable, cost-optimized options for businesses

Cisco Monitoring and Response Solution (CS-MARS)
• Family of high-performance appliances designed to provide automated analysis of security event information to help identify, manage, and counter attacks
• Supports getting events from a wide range of Cisco and 3rd-party solutions, and also analyzes NetFlow for additional intelligence
• Offers event correlation, visualization, rules engine, and reporting

Cisco Security Manager (CS-Manager)
• Scalable management solution for a wide range of Cisco security solutions including routers, switches, blades, and appliances
• Delivers centralized management of firewall, VPN, IPS/IDS, networking, and other services via a flexible user interface
• Supports device grouping for simplified policy maintenance
• Provides role-based admin access and workflow capabilities
• Available on Windows (Linux version coming)

Integrated Remote Management Capabilities Within ASA
• Configuration: Auto Update, SSH, Telnet, XML/HTTPS, and ASDM
• Real-time monitoring: Syslog, SNMP, HTTPS, and ASDM
• Software updates: Auto Update, SCP, HTTP, HTTPS, and TFTP