Das Blinken Lichten

In order to not get the annoying “Invalid certificate” errors in Internet Explorer we need to purchase and install a third party certificate for the ASA. Then we can associate the WebVPN with the certificate so we don’t get the warnings.  Of course, you can do this through the ASDM, but what fun is that?  CLI all the way, here we go.

Notes
-Insert your relevant information between <>
-Console prompts are show in green
-Text in blue are variable names I made up, feel free to change them
-Note sections are in italics and embedded directly within the code below
-During the install/setup the CLI asks several questions.  I note when they will appear by inserting a line beginning with ‘Question Prompt –‘ in between the lines of code.  I also put the response you should enter after the line in bold.

Verify that your clock is set correctly
To do this, issue the ‘show clock’ command at the CLI.  If it isn’t configured correctly, define a NTP server (Which you should have done during initial config) and ensure your time zone is set correctly.  I usually use us.pool.ntp.org as an NTP server.  You can resolve it to an IP to get rid of the DNS lookup.

Generate the CSR
ASA(config)# crypto key generate rsa label <Your domain name> modulus 2048
Notes: I use the domain name that I am going to use for the label name, it just makes it easier if everything is the same (FQDN, System FQDN, Label, etc….).  An example would be ‘SSLVPN.test.com’.  Additionally I use a 2048 bit modulus because GoDaddy (The third party CA I am using) will no longer accept the 1024 bit modulus.
ASA(config)# crypto ca trustpoint <Your domain name>
ASA(config-ca-trustpoint)# subject-name CN=<Your domain name>, OU=<Organization Unit>, O=<Organization Name>, C=<Country (US)>, St=<Your State>, L=<Your City>
ASA(config-ca-trustpoint)# keypair <Your domain name>
ASA(config-ca-trustpoint)# fqdn <Your domain name>
ASA(config-ca-trustpoint)# enrollment terminal
ASA(config-ca-trustpoint)# exit
ASA(config)# crypto ca enroll <Your domain name>
Question Prompt – Include the device serial number in the subject name? [yes/no]: NO
Question Prompt – Display Certificate Request to terminal? [yes/no]: YES
Notes: After answering YES the CLI will output the CSR.  You need to copy the CSR so you can submit it to your Certificate Authority (GoDaddy in this case)
Redisplay enrollment request? [yes/no]: NO

Submit your CSR to your Certificate Authority
Again, I used GoDaddy because it seemed to be the cheapest.  The certificate was less then $30 for the year.  You purchase a certificate credit and then when you are ready to submit your CSR you go into their Certificate Management Portal under your login and submit the CSR.  After submitting the request it took about 5 minutes for my certificate to be generated.  You download the certificate file in Zip format.  In the Zip file you should have two certificates.  One is the certificate for the FQDN which you purchased and the other is the certificate for the CA.  This is where it gets a little tricky. First you need to authenticate the CA by importing their certificate.  Then you need to import your actual certificate.  I’m not going to get into the details of how certificates work but if you don’t know how, you should find out.  Google ‘Public Key encryption’.  Alright, so my Zip file had two certificates in it.

gd_bundle.crt – The certificate for the CA
<Domain name>.crt – The certificate for my domain

You’ll need to export both of the certificates to Base-64 encoded X.509.  To do this in Windows double click the certificate.  A certificate window with three tabs should appear as shown below.

Click on the second tab ‘Details’ and select the ‘Copy to File…” button

This will open the Certificate Export Wizard.  Press NEXT

On the next screen select ‘Base-64 encoded X.509 (.CER)’ and press NEXT

On the following screen select a location to output the file to and press NEXT

Press FINISH on the summary screen.  You should get a pop up window indicating that export was successful.

Now browse to where you chose to store the certificate, right click on it, select ‘Open With’, and choose WordPad.  When you open it in WordPad you should get something similar to what is shown below. 

Perform this certificate Export for your certificate as well as the CA’s certificate.   During the rest of the walk through I will refer to these exports as “CA Certificate”(The CA’s certificate) and “CA Certificate Response”(The certificate for your domain).

Install the certificates on the ASA
ASA(config)# crypto ca authenticate <Your domain name>
Notes: You will now receive the prompt shown below.
”Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself”
Copy the CA Certificate and paste it into the CLI window.  Then make sure you are on a new line, type to the word quit, and press enter.
Question Prompt – Do you accept this certificate? [yes/no]: yes
Notes: After you accept the certificate you should get a message indicating that the certificate import was successful
ASA(config)# exit
ASA(config)# crypto ca import <Your domain name> certificate
Notes: You will now receive the prompt shown below.
”Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself”
Copy the CA Certificate Response and paste it into the CLI window.  Then make sure you are on a new line, type to the word quit, and press enter. After you press enter you should get a message indicating that the certificate import was successful

Tell WebVPN to use your new certificate
ASA(config)# ssl trust-point <Your domain name> outside

Verify
You can use the command ‘show crypto ca certificates’ to verify that your certificates imported successfully.  Of course the other way to test would be to just connect to the outside IP on SSL and see if you still get that annoying warning.

SSL VPN is the new buzz phrase among VPN solutions.  Cisco decided to stop supporting their standard IPSec client in 64 bit OS’s.  While some won’t agree with me, I believe this to be a pretty clear indication that Cisco wants us to start using SSL for our client VPN solutions.  IPSec will continue to rule the world of L2L(LAN to LAN) VPN’s for the time being. 

The configuration is actually pretty straightforward.  I’ll walk through the commands below and then follow up with some comments.  I’m going to assume here that you are using a different subnet for your VPN network and your local network.  I’m also assuming you will be using Local authentication.  We may configure Radius in a later post.

Notes
-Insert your relevant information between <>
-Console prompts are show in green
-Text in blue are variable names I made up, feel free to change them

Define or add a No Nat ACL
ASA(config)# access-list nonat extended permit ip <local access range> <subnet> <vpn access range> <subnet>

Apply the No Nat ACL
ASA(config)# nat (inside) 0 access-list nonat

Define your Split Tunnel ACL
ASA(config)# access-list splitVPN standard permit <local access range> <local access subnet>

Define the Group Policy for the WebVPN
ASA(config)# group-policy GP_SSLVPN internal 
ASA(config)# group-policy GP_SSLVPN attributes 
ASA(config-group-policy)# vpn-tunnel-protocol svc webvpn
ASA(config-group-policy)# webvpn 
ASA(config-group-webvpn)# split-tunnel-policy tunnelspecified
ASA(config-group-webvpn)# split-tunnel-network-list value splitVPN
ASA(config-group-webvpn)# split-dns value <dns domain (Ex: interubernet.com>
ASA(config-group-webvpn)# dns-server value <ip address>

Define a DHCP pool for the clients to use
ASA(config)# ip local pool SSL_Pool <VPN Range> mask <Range Mask>

Define a local user to use for the VPN
ASA(config)# username <username> password <password> privilege 0
ASA(config)# username <username> attributes 
ASA(config-username)# vpn-group-policy GP_SSLVPN

Enable WebVPN
ASA(config)# webvpn 
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# svc image disk0:/<anyconnect image file name> 1
ASA(config-webvpn)# svc image disk0:/<2nd anyconnect image file name (for Mac or Linux)> 2
ASA(config-webvpn)# svc enable

Define the tunnel group
ASA(config)# Tunnel-group TG_SSLVPN type remote-access
ASA(config)# Tunnel-group TG_SSLVPN general-attributes
ASA(config-tunnel-general)# default-group-policy GP_SSLVPN
ASA(config-tunnel-general)# address-pool SSL_Pool

Link the tunnel group to WebVPN
ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable
ASA(config-webvpn)# exit
ASA(config)# tunnel-group TG_SSLVPN webvpn-attributes 
ASA(config-tunnel-webvpn)# group-alias AnyConnect enable

Wrap it up by saving the config
ASA(config)# write

After you have finished entering the above commands you should have the base AnyConnect solution configured.  If you browse to the secure (https://) external address of your ASA you should get the login page for the WebVPN Portal.  Keep in mind that we haven’t configured a certificate for the ASA yet, so anyone browsing to your portal page will get an error indicating that the certificate is invalid.  The ASA will use a self generated certificate any time it doesn’t have a third party one defined.  The VPN solution will work fine without a certificate but clicking on all of the error messages can be annoying.  In one of our next posts we will install a certificate from a third part CA so we don’t get the annoying security warnings.

AnyConnect and WebVPN are perhaps the best features of the ASA appliances in my mind.  Before we dive into the Anyconnect and WebVPN “How to” I thought it might be best to give a brief description of what each feature is and how they work together.  There seems to be some confusion between the two in regards to what they actually are as well as how they are licensed.

WebVPN – WebVPN gives users secure access to the ASA SSL portal.  For those of you who have already connected to an Anyconnect VPN session you know that you first need to log into a web portal.  Once logged in, you can launch the Anyconnect Application which downloads the thin client and connects you to the corporate VPN.   In addition to Anyconnect, there are several other applications that can be installed in the portal.  For instance, there is a RDP (MS’s Remote Desktop) and SSH/Telnet application which means that you can access remote resource on your company’s local network without connecting to Anyconnect first.  We’ll walk through how to configure those at a later point.  Basically, you need a license to connect to the WebVPN portal and then an additional SSL VPN license to use Anyconnect.  Base model ASA’s came with 2 of each.  I will note here that this isn’t nearly as confusing since I upgraded to 8.2 code.  In previous code releases a show version displayed two separate license counts, one for WebVPN and one for SSL VPN. Regardless of how you were connected and what features you were using the license counts appeared to always show the same number.  In 8.2 there is no longer a license count for WebVPN, which clears up some of the confusion.  Bottom Line,  WebVPN is the portal you login into through SSL

AnyConnect – Anyconnect is the actual application you can access from within the web portal that allows true VPN connectivity back to your company’s network.  However you only need to access it through the web portal once if you intend on using the same machine.  Once you connect through the portal the Anyconnect client is downloaded and installed on the machine you are working on.  Then if all you want to do is connect to the VPN you can simply open the Anyconnect application, which by default is installed in the Cisco program group under All Programs.  Anyconnect is the next generation of VPN clients.  Cisco has stopped support for its standard IPSec client VPN app in 64 bit OS’s.  To me, this is a pretty clear indication that Cisco wants us to use Anyconnect going forward for client VPN connections.  There are a lot of new options like SD (Secure Desktop) and pre-login checks which allow you to check the host system for a variety of variables prior to allowing connections.  For instance, you can setup a flow to deny access to Mac-based machines or check to make sure that the client has a particular Anti-Virus application and version.   Lots of neat stuff here and more to come.

Summary – WebVPN is the web portal that can host a variety of applications including Anyconnect.  Anyconnect is the SSL based VPN client from Cisco.