Clientless SSL VPN (webvpn) configuration on Cisco ASA

Clientless VPN is useful when remote users need a secure connection to the corporate office but do not have administrative rights on their PC. WebVPN provides remote-access connectivity from almost any Internet-enabled location using a web browser and its native SSL/TLS encryption. It is best to use ASDM to configure WebVPN, because it offers many more features and customizations that are not available from the CLI, but a basic WebVPN can be configured easily from the command line.

In the present scenario, we have to configure WebVPN for the Sales and Engineering departments of a company. Engineering users must be given access to the web server as well as the FTP server, while Sales users may only access the web server.


ASA#
webvpn
 enable OUTSIDE
!
tunnel-group WEBVPN_CONN type remote-access
!
group-policy SALES_GRP_POLICY internal
group-policy SALES_GRP_POLICY attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none
  filter value SALES_WEB_ACL
  url-entry enable
!
group-policy ENGR_GRP_POLICY internal
group-policy ENGR_GRP_POLICY attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none
  filter value ENGR_WEB_ACL
  url-entry enable
!
username sales password sales
username sales attributes
 vpn-group-policy SALES_GRP_POLICY
 service-type remote-access
!
username engr password engr
username engr attributes
 vpn-group-policy ENGR_GRP_POLICY
 service-type remote-access
!
access-list ENGR_WEB_ACL webtype permit url http://192.168.100.10/*
access-list ENGR_WEB_ACL webtype permit url ftp://192.168.100.10/*
access-list SALES_WEB_ACL webtype permit url http://192.168.100.10/*
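To check which URLs each user can reach through the portal before testing on the box, here is a small added example (not from the original post) that parses the access-relevant lines of the configuration above and evaluates a URL the way a webtype ACL does: top-down, first match wins, implicit deny when nothing matches. The excerpt of the config is constructed from the post; the example assumes every group-policy binds a filter, as both policies above do.

```python
import re
# Constructed excerpt of the post's config: only the lines that decide access.
ASA_CONFIG = """\
group-policy SALES_GRP_POLICY attributes
 webvpn
  filter value SALES_WEB_ACL
group-policy ENGR_GRP_POLICY attributes
 webvpn
  filter value ENGR_WEB_ACL
username sales attributes
 vpn-group-policy SALES_GRP_POLICY
username engr attributes
 vpn-group-policy ENGR_GRP_POLICY
access-list ENGR_WEB_ACL webtype permit url http://192.168.100.10/*
access-list ENGR_WEB_ACL webtype permit url ftp://192.168.100.10/*
access-list SALES_WEB_ACL webtype permit url http://192.168.100.10/*
"""

def parse_asa(config):
    """Map user -> group-policy, group-policy -> filter ACL, ACL -> [(action, url pattern)]."""
    users, filters, acls, ctx = {}, {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "access-list" and words[2] == "webtype":
            acls.setdefault(words[1], []).append((words[3], words[5]))
        elif words[0] in ("username", "group-policy") and "attributes" in words:
            ctx = (words[0], words[1])          # enter the attributes sub-mode
        elif not line.startswith(" "):
            ctx = None                          # any other top-level command
        elif ctx and ctx[0] == "username" and words[0] == "vpn-group-policy":
            users[ctx[1]] = words[1]
        elif ctx and ctx[0] == "group-policy" and words[:2] == ["filter", "value"]:
            filters[ctx[1]] = words[2]
    return users, filters, acls

def url_matches(pattern, url):
    """Webtype ACL '*' wildcard; everything else in the pattern is literal."""
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, url, re.IGNORECASE) is not None

def url_permitted(user, url, cfg):
    """Walk the user's webtype ACL top-down; no match falls to the implicit deny."""
    users, filters, acls = cfg
    acl = filters.get(users.get(user))        # unknown user -> no ACL -> deny
    for action, pattern in acls.get(acl, []):
        if url_matches(pattern, url):
            return action == "permit"
    return False
CFG = parse_asa(ASA_CONFIG)
```

Note that the http:// pattern does not cover https:// to the same host, so an HTTPS bookmark would also fall to the implicit deny unless a separate entry permits it.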


In the following screenshots, we can see that the engineering user is able to browse both http:// and ftp://, while the sales user is denied when accessing the ftp:// site.

[Screenshot] FTP site allowed for the Engineering department.

[Screenshot] FTP site denied for the Sales department.
