Cisco CCNP Security 300-730 SVPN – Remote Access VPN Part 2

2. SSL Remote Clientless VPN

Hello guys. Welcome to a new video and in this video we are going to configure a clientless SSL VPN connection between this router over here and this ASA. Or to say better from this browser we are going to access this website which is behind this ASA and for that we need to connect into this ASA a browser so it allows to get into this website. So with that being said, let’s go ahead and start configuring. And I have not configured any IP addresses so I’m going to do this a little bit faster than before. So this one is the management. This one is one over here. So let’s go ahead and add IP addresses. 1st, 121-6812. This one’s going to be for the browser. This one’s going to read the router over here. We’re going to do 21 two and 21 for the management.

Over here is going to have one and one two for the ASM. The inside website is going to have 170 216 and that one for this firewall. Let’s go ahead and move it down here so we have more space. Make this over here. TADA. Okay, so it’s good. Let’s go ahead and go into this router first. And this router let’s do a config g. Give it a hostname of r one interface one IP address 192-1811 go two gigabyte IP address 21 one two. Now shut down. We can go ahead and save it. Good. Actually let’s also do the config t. Let’s do an IP route to a default route and this one is going to go to the Isa. So 29 one to one. Let’s go ahead and save it. Now let’s go ahead and open the Isa. Enable no password conflict, say no skills name ASA interface management which is going to be where the ACM is going to be connected. IP address of 100 and 124.

Let’s give her a name. If management now shut down interface gigi one IP address 21 one. I should be able now to being 21 two. Let’s see. Did I do a I didn’t do no shut down, did I? No, I did not. Okay, so let’s go ahead and go to router one. From router one I should be able to ping the ASA which is 21 one. I should be able to, but I am not. Let’s go ahead and go to the ASA. Show IP interface brief. They’re both up. Show interface IP brief over here. One is up which is this one. Rainbow one should be zero zero one. They’re both up. Ping 21 one able to pin the ASA config t. Let’s zoo a route. I know I config. Let’s do a config t interface gigabyte slash one name is outside.

That’s why and that’s why I was unable to ping conflicting. Now we are going to do interface gigabit zero IP address. Once we went to 16 101. Let’s give it a name. If inside that’s going to be the inside, no shut down. Or you can get her with DMZ, whatever you want to do, but I want to do that. Then we’re going to do an Http server enable http management actually I want any IP address to connect to it. We have the management, interface management, access management and save it. So now let’s go ahead and go into this website which is right here. Let’s give it an if config interface zero 172, 16, one two.

I forgot to put that mask route at default gateway 170 216, one. Now we should be able to ping 170, 216 one to one. Good. So we have connectivity between the website and the ASA. Now let’s go ahead and open this browser and let’s give it this IP address. It’s going to be basically the same because it is using a Linux ifconfig interface 192-1812 netmask 24 route at default gate weight 192 that one’s eight that one ping 192 that one eight that one to one. Good. So we have connectivity over here between the browser and this R one. Also we should be able to open the terminal, see if we’re able to pin 21 two. Good, I’ll be able to pin that one to one. No because the ASA doesn’t know how to get back to us. So let’s go into the ASA. Let’s add a route outside and there we go. Now we are able to ping so we’re able to get to the ASA. So that’s good. After that is done, let’s go ahead and open the ASDM and let’s configure the IP address of the ASDM and then we are going to connect to the ASA. If confconfig interface zero one two net mask 252-5250 route at default gateway one one. Now should be able to ping one to one. Good. So we are with Japanese. Now let’s go and connect via the Asem. Always trust we did not configure a username so we don’t need to enter the username because we didn’t configure anything. So you can just log in with our username and password because I did not configure one. Right. So here we go. We are in the ASM. So now we are going to configure clientless SSL VPN. We are going to configuration and you’ll configure a client as a cell VPN whenever the end user does not have admin access, but it has access to a browser and to the internet. Okay so remote access VBN.

We are going to go into clientless. We are going to first do a connection profile. We are going to allow to the outside, apply it, save it, let’s go and create a new one, new connection profile. I want to say this client list profile authentication is going to be local. We are going to manage it and we need to that’s why we’re going to leave it like this. So the client list profile or the profile whenever you create a group profile, that’s for the prelogging policy. So before you log in, those are the policies that are apply. The group policy is the post login policy. So after you log in, what are you going to have access to? So for this one we’re going to call it clientless group. There we go. Out the web banner that we want to put, you can put welcome to Clientless SSL VPN. So whenever you log in, you’re going to get this banner and all we want to do is enable clientless SSL VPN. We can go into the portal, we are going to add a bookmark and that bookmark is going to give us access into that website. So we’re going to call a book let’s go ahead and add it. URL would get our post method.

We’re going to call a website 172, the 16th, 170, 216, one, two sign it. Let’s go to general. Everything is good over here. Press OK, so we have the client’s group policy that the client’s profile is going to add or it’s going to receive. Let’s go ahead and I’m sure about that. Let’s enable it, apply it, save it. Now we need to go into group policies. And that group policy, we need to assign a user to it. And the user that we created was annual. Apply it, save it. Now we should be able to connect to the client. So VPN, the way you do that, we are going to use the browser. So let’s go and open that browser up and we are going to go to Https, which is the IP address of that ASA. Here we go. It is in the connection that’s not secure because the ASA is using a self signed certificate and it doesn’t trust it. So we are just going to add that exception and there we go. We are going to log into using Nwau passover, cisco. And there you go. Welcome to Connell’s S O VPN. But we’re not not done yet. Remember we added the bookmark. Let’s see if we are able to get into this website right here. So let’s go to bring it up, click on it and there we go.

3. Implement SSLVPN on routers

About it and we are going to configure this MD server right here as the server that’s going to have that VPN configured. So we are going to configure from this router how to configure all the IP addresses and they’re able to ping with each other. Okay. And I’m also going to create a little website at the end so we are able to access it from the SSL VPN, from the client list. SSL VPN. Okay, so I have a Windows device and the iOS server. Let’s go ahead and start configuring. Let’s go ahead and just go ahead and excel here. And the first thing that I want to do actually I have to go to config team and let’s start configuring. So the first thing that I want to do is I want to create a look back interface and I want to give an IP address on exit. And then we are going to configure a virtual interface or virtual template one. And we are going to do an IP or number and we’re going to mention loopac one or loop back zero. And that means that I’m going to borrow loopacres. So if we do show IP interface breathe, you see that the virtual template took the IP address of loop back at zero right here. Okay, so that’s good. Excellent. After we do that, we want to enable authentication.

We want to enable a and the way they do this by doing AAA new model and then you want to do an authentication login. And I want to call this SSL underscore VPN and we’re going to be using the local account. And the local account has a username of my name Oscar and password is going to be Cisco. And this is what I’m going to be using to log in into that SSL website that I’m going to be connecting. I also want to do an IP Http server. I want to turn it on and I also want to do IP Http secure server. And this is to turn on Https and this is to turn on Http. Okay, after that is done, we need to do an IP. I want to do an IP domain name. There we go. IP domain name ccdt. com. The host name is already there so that’s good. Now what I want to do is I want to generate a key, an RSA key and I’m going to call it SSL VPN key pair. And the modulus for this is going to be 24, 24 eight. What did I miss? Let’s see crypto key generates okay, modulus. I forgot to do label that’s. Why? So if we go back to over here, we want to label it this. There we go.

That’s going to create a 248 size bit size bit 2048. There we go. It is done. I think if we do a do show crypto key RSA, let’s do that later so we can see that crypto key. But let’s go ahead and move on. And the next step that we want to do is we want to specify a trust point. And this trust point is going to be called SSL Trust point. And this is a trust point that you want to the PKI that you want to trust, right? And I’m going to give it a subject name if you want to see. To make it official, let’s just do Fdnfa and then we’re going to do SSLVPN Ccdt. com to make it look unofficial. And the RSA key pair, we need to attach the key pair that we just created, which is this one. Sslvpnkeeper done. And then we have to enroll that trust point that we just created. But actually we need to go back to the PKI and we need to do a question mark. Let’s do enrollment. And it needs to be a self signed one exit. And then after that you need to do a crypto PKI enroll. And I want to enroll the one that I just created, which is SSL trust point paste. And you want to do it’s.

Going to ask you, do you want to continue generating a new self sign key? You can say yes, no, generate self sign key. Yes, because I want to self sign. I want to sign it myself since I don’t have a server to do it, the router is going to sign it itself. Okay, so after that is done, we need to create the web VPN and it is the gateway web VPN. And I’m going to call this SSL VPN underscore Gateway. And this gateway is going to have the IP address because the gateway is where this Windows device is going to connect. So it’s going to connect to 21. So I need to give it an IP address of 21, right? And the port that I want to be using is four four three, because that’s for Https and then http redirect 80. So if they go to port 80, it’s going to send it to four four three. All right. And then we do SSL trust points. And we need to paste that trust point that we created. And then to turn it on, we got to say in service, that’s how you turn on that web VPN gateway exits. So after we are done with that, we need to go ahead and create the web VPN context.

So let’s go ahead and do what VPN context. And we’re going to call this SSL VPN underscore context. And inside right here, the first thing that we need to do is we need to add that AAA authentication that we created, which was a list, and we call this SSL underscore VPN, I believe. Let’s go ahead and verify that that was the correct one, otherwise it won’t be able to log in. There we go. SSLVPN, SSLVPN good, that’s the correct one. And then we need to add the gateway that we just created and we call that gateway SSL. VPN underscore Gateway enter. And then if you want to specify the maximum users that you want to connect to your web VPN context, I want to do 100. Now we need to attach that virtual template that we created and then we turn it on in service. And now you’re going to see that the virtual access too is up and running. So that’s good. After that you want to do a login message.

You can do welcome to Ccdgt. com enter. That’s going to be the login message that’s going to appear whenever we log in to that VPN website. And then we do the URL list. And I want to call this and this is going to be the URL that I want to add because I want to add this website right here. I just want to put over here website. That’s fine. The heading of it. Let’s just also call a website all in Capital so you can differentiate between the URL list and the heading. Okay. And then after that what we need to do is let’s see, we need to do a we need to add this website right here and we’re going to be calling this web server. And this web server is going to have a URL value of Http. And I want to put the IP address of this website right here which is 1921-6812. And let’s go ahead and exit out of here. And we need to do it from here still now. So web server. Did I miss something over here? Let’s go and go back into this website heading. Let me go ahead and take a look at my configuration and see how I did it previously. Give me 1 second guys. Okay, so that’s what it is. I forgot that.

What we need to do is give me 1 second. I need to do the URL text first, that’s what it is. So when we do the URL text, let me go ahead and we need to actually go back into login message URL list. And then after the list we added the heading and then we need a URL text. And over here is when we add the web server. So from web server then you do a URL value and you want to do http 192, eight, that one, two, enter. There we go. And then we want to create the default. Let’s go ahead and exit out of here. And you want to do a default group policy. And actually before we do that we want to do a policy group and we are going to be calling this SSL VPN default policy and put over here what we want to do is we want to add the URL list of this one right here. Make sure that I’m doing this right. Paste it. Okay good. So the URL list, client list, VPN default. And then after that we need to apply that default. Go ahead and exit and we do default group policy and we need to attach this SSL VPN default group policy that we just created. Good. So that is all done.

So now if I go to my Windows device which is right here, up and running, let’s go ahead and go into 21, it’s going to say that it’s not secure. Let’s go ahead and continue to that web page. There we go. Let’s go ahead and log in with my username that I created which was Ascor and password Cisco. There we go. As you can see now you can see that the website that we created, right, so you can see that the heading right here is website and down over here it says web server. And the web server was this URL text value that we added. So if you click right here that takes you into this http zero. I don’t know why it is doing it like that, but it’s saying that it’s not secure. Let’s go ahead and continue to the web page. When able to connect, this server may not exist or access to it may not be allowed. So what we want to do, let’s just go ahead and put this down and let’s go ahead and edit this website because I have not edited that yet and I just want to do first an if configur because it is a Linux device interface, zero net mask. And then we’re going to do a route add default, default gateway, actually default GW 192181, which is the default gateway. Done.

And then let’s see if we’re able to pin my D four gateway, make sure that it’s working. Good. So after that is done, what I want to do is I want to go ahead and do a CD VAR and I want to do two www Http. There’s no directory list, so it’s not Http, it’s HTML. And then here I want to do a nano index HTML and I want to edit this right here. I want to edit the title to be or to say welcome to Gcd. com. I want to do the same for the header welcome to Ccdt. com. Yes, save it. So now let’s go ahead and go back to my Windows device. Let’s go ahead and actually just we are going to log out and log back in. So if we go into 21 to go into the SSL website, go ahead and refresh. Yes.

So let’s go ahead and log in my username and password and then let’s go ahead to this website. Click on go into the website anyways. And there we go. As you can see it says welcome to Ccdt. com. And here is the website that I used to go in, the one that we just created, the one that we just edited. And you can see that we are using the MD server to go into this website. And if you don’t believe me, let’s go ahead and do an annual index HTML and let’s put welcome to Ccdt. com. I told you. CTRL x. Yes. Enter. Let’s see if we can reload this website. There we go. Welcome to Ccdt. com. I told you so. As you can see, we were able to configure SSL VPN connection between my Windows device, which is right here, and this Maryland server. And we were connected to this website via the SSL clientless VPN connection between this router and this Windows device. So this is it for this video, guys. I hope you guys enjoyed this video on this clientless SSL VPN.

• Category: Uncategorized