Chapter 10: Designing and Building SSL Remote Access VPNs (WebVPN)

Cisco Press

Page 7 of 8

The webvpn global configuration command is used to enter WebVPN configuration mode.

Next is the ssl encryption [3des-sha1] [des-sha1] [rc4-md5] command. This command specifies the encryption and hashing algorithms that the router will accept from the client as constituents of cipher suites.

So, when a client proposes a number of cipher suites in its ClientHello message, the router accepts one of those that uses the algorithms you specified with the ssl encryption command. The accepted cipher suite is, as previously described, sent to the client in the ServerHello message—see the section, "Establishing an SSL Connection Between a Remote Access VPN User and an SSL VPN Gateway Using an RSA Handshake" earlier in this chapter for more information on the proposal and acceptance of cipher suites.
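The narrowing of the client's proposal that the two paragraphs above describe can be modeled in a few lines. The following Python is an added example, not code from the book or from Cisco IOS: it maps a small, constructed set of IANA cipher suite names to the encryption/hash pair each uses, filters a ClientHello proposal against the keywords given to the ssl encryption command, and flags configured keywords whose algorithms a reviewer would not accept today. This page does not say whether the router applies its own or the client's preference order when several suites match; the example assumes the client's order.

```python
# Added example: models how a gateway configured with
# 'ssl encryption [3des-sha1] [des-sha1] [rc4-md5]' narrows a ClientHello
# proposal. Constructed tables; not Cisco IOS code.

# IANA cipher suite names -> (encryption algorithm, hash algorithm).
# Constructed subset for illustration; a real ClientHello carries many more.
CIPHER_SUITE_ALGS = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": ("3des", "sha1"),
    "TLS_RSA_WITH_DES_CBC_SHA": ("des", "sha1"),
    "TLS_RSA_WITH_RC4_128_MD5": ("rc4", "md5"),
    "TLS_RSA_WITH_AES_128_CBC_SHA": ("aes128", "sha1"),
    "TLS_RSA_WITH_NULL_MD5": ("null", "md5"),
}

# Keywords accepted by the 'ssl encryption' command -> the pair each permits.
SSL_ENCRYPTION_KEYWORDS = {
    "3des-sha1": ("3des", "sha1"),
    "des-sha1": ("des", "sha1"),
    "rc4-md5": ("rc4", "md5"),
}

# Keywords a configuration review would flag: single DES has a 56-bit key,
# and RC4 is prohibited for TLS by RFC 7465.
WEAK_KEYWORDS = {"des-sha1", "rc4-md5"}


def select_cipher_suite(configured_keywords, client_hello_suites):
    """Return the first proposed suite whose (encryption, hash) pair is
    permitted by the configured keywords, or None when nothing matches
    (the handshake then fails).

    Assumption: the client's proposal order decides among several matches;
    the page does not state which side's preference order the router uses.
    """
    permitted = set()
    for keyword in configured_keywords:
        if keyword not in SSL_ENCRYPTION_KEYWORDS:
            raise ValueError(f"unknown ssl encryption keyword: {keyword}")
        permitted.add(SSL_ENCRYPTION_KEYWORDS[keyword])
    for suite in client_hello_suites:
        # Unknown suite names map to None, which is never in 'permitted'.
        if CIPHER_SUITE_ALGS.get(suite) in permitted:
            return suite
    return None


def audit_ssl_encryption(configured_keywords):
    """Return the configured keywords (in order) that rely on a weak algorithm."""
    return [k for k in configured_keywords if k in WEAK_KEYWORDS]


if __name__ == "__main__":
    # Constructed ClientHello proposal, strongest first as a browser would send it.
    proposal = [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_MD5",
    ]
    configured = ["3des-sha1", "rc4-md5"]
    print("ServerHello selects:", select_cipher_suite(configured, proposal))
    print("Weak keywords configured:", audit_ssl_encryption(configured))
```

Note that AES is proposed first but is not selected, because none of the ssl encryption keywords on this page permit it; the gateway, not the client, bounds what can be negotiated, which is why the keyword list deserves the same review as any other crypto setting.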

The ssl trustpoint trustpoint-name command specifies the PKI trustpoint, which in turn configures the parameters (including the certificates, CRL configuration, and so on) that are used for authentication during the SSL RSA handshake. Make sure that the trustpoint name configured using the ssl trustpoint command corresponds to that specified using the crypto pki trustpoint name command in Step 3.

Step 6: Customize Login and Home Pages (Optional)

As a final, optional, configuration step, it is also possible to customize the appearance of the WebVPN login and home pages using your own text and colors. Example 10-5 includes the commands that can be used to customize the text in login and home pages.

Example 10-5 Commands Used to Customize the Login and Home Pages

 title ""
 login-message ""
 url-list "URL.List"
   heading ""

The effect of the commands shown in Example 10-5 is best illustrated by examining Figures 10-51 and 10-52.

Figure 10-51 Customizing Text in the WebVPN Login Page

Figure 10-52 Customizing Text in the WebVPN Home Page

A quick comparison between Example 10-5 and Figure 10-51 shows that the title title-string command can be used to specify the HTML title string in the top right corner of the WebVPN login screen.

The login-message message-string command is used to specify the text in the login box in the upper center of the login screen.

In Figure 10-52, you can see that the heading heading-string command is used to configure the text heading in the upper left of the home page.

Finally, the text specified in the url-list list-name command is placed on the left of the home page and within the floating toolbar (shown in the lower right in Figure 10-52). URLs that a user can access are listed below this text.

Colors in the login and home pages can also be modified using the following commands:

  • title-color color—Configures the color of the title bars of the login and home pages.

    The color parameter can be specified as comma-separated red, blue, green values; as an HTML color value, beginning with a hash character (#); or as the name of an HTML color, with no spaces.

    For more information on HTML color values, do a search using your favorite Internet search engine—a huge number of sites describe these values.

  • text-color [black | white]—This command is used to specify the color of the text in the title bars.

  • secondary-color color—Use this command to specify the color of the secondary title bars of the login and home pages. The color parameter is specified in the same way as with the title-color command.

  • secondary-text-color [black | white]—This specifies the color of the text in the secondary bars.

One final command that you can use to customize the appearance of the login and home pages is logo [file filename | none]. As you can probably guess, this command can be used to specify the logo image that is used (in place of the default Cisco logo in Figures 10-51 and 10-52). The image specified must be a JPG, GIF, or PNG file of a size less than 100k. The filename parameter is used to specify both the location and name of the image file.

Step 7: Specify URLs

The url-text text url-value url command is used to configure the URLs that remote access users can access. The text parameter specifies the text that users can click to access the specified URL—the URL itself is specified with the url parameter. The text specified using this command displays under the text configured using the url-list command discussed in the previous section.

Example 10-6 shows some examples of the use of the url-text command.

Example 10-6 Specifying URLs Using the url-text Command

 url-list "URL.List"
  url-text "URL.TEXT" url-value ""
  url-text "URL.TEXT2" url-value ""
  url-text "URL.TEXT3" url-value ""

Step 8: Configure Port Forwarding

It is also possible to configure port forwarding on a Cisco IOS router. To configure this feature, use the port-forward {list list-name} {local-port port-number} {remote-server server-name-or-ip-address} {remote-port port-number} command, as shown in Example 10-7.

Example 10-7 Configuring Port Forwarding

 port-forward list terminal-services local-port 3389 remote-server
  remote-port 3389

If you compare the port-forward command shown in Example 10-7 to the example of TCP port forwarding described in the section "Enabling TCP Applications over Clientless SSL Remote Access VPNs" earlier in this chapter, you will see that the command syntax is fairly self-explanatory:

  • The list-name parameter configures a name that identifies a TCP application and is displayed in the Application Access window on the client.

  • The local-port parameter specifies the TCP port of traffic on the client that is redirected over SSL to the Cisco IOS router.

  • The server-name-or-ip-address parameter specifies the DNS name or IP address of the TCP application server.

  • The remote-port parameter specifies the TCP port of the application on the application server.

Example 10-7 shows the configuration of port forwarding for a Windows Terminal Server ( using the default TCP port 3389.
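To make the local-port / remote-server / remote-port mechanics concrete, here is an added Python example; it is not Cisco code and not how the Cisco port-forwarding client is implemented. It is a plain TCP relay that listens on a local port and copies bytes to and from the configured server, which is the role the port-forwarding component plays on the user's PC. The leg between the client and the router that the product carries inside the SSL session is omitted, and the "application server" is a constructed echo service on the loopback interface rather than a Terminal Server.

```python
import socket
import threading

# Added example: a plain TCP relay playing the role of the port-forwarding
# client described for the 'port-forward' command. Not Cisco code; the
# gateway/SSL leg is omitted and the application server is a constructed
# loopback echo service.


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(remote_server, remote_port, local_port=0):
    """Listen on 127.0.0.1:local_port (0 = pick a free port) and relay each
    accepted connection to (remote_server, remote_port).
    Returns the listening socket and the bound local port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))   # loopback only, like the product
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:          # listener closed: stop serving
                return
            try:
                upstream = socket.create_connection((remote_server, remote_port), timeout=5)
                upstream.settimeout(None)   # connect timeout only; idle sessions stay up
            except OSError:
                client.close()       # server unreachable: refuse this client
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the application server: echoes what it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo_roundtrip(payload):
    """Send payload through the forwarder to the echo server; return the reply."""
    echo_sock, echo_port = start_echo_server()
    # Equivalent of: port-forward ... local-port <auto> remote-server 127.0.0.1 remote-port <echo_port>
    fwd_sock, fwd_port = start_forwarder("127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as client:
            client.sendall(payload)
            received = b""
            while len(received) < len(payload):
                chunk = client.recv(4096)
                if not chunk:
                    break
                received += chunk
        return received
    finally:
        fwd_sock.close()
        echo_sock.close()


if __name__ == "__main__":
    print(demo_roundtrip(b"application bytes over the relay"))
```

The relay binds to the loopback address only, so other hosts on the LAN cannot use the user's PC as a hop to the application server; the product's client behaves the same way, and a listener bound to all interfaces would be the first thing to look for when reviewing any home-grown equivalent.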

Deploying SSL VPNs (WebVPN) on the ASA 5500

You should be getting the hang of this by now—you know all about SSL remote access VPNs including underlying operation, basic SSL parameters, customizing login and home pages, specifying URLs, port forwarding, e-mail proxy, and file access. So, this section is not going to bore you by reexamining these concepts in too much detail.

Configuring SSL VPNs (WebVPN) on the ASA is a very similar process to enabling SSL VPNs on the Cisco VPN 3000 concentrator or Cisco IOS router:

Step 1 Configure the HTTP server.

Step 2 Enable WebVPN on the outside interface.

Step 3 Configure the WebVPN group policy and attributes.

Step 4 Configure remote access user authentication.

Step 5 Specify URLs.

Step 6 Configure file access and browsing.

Step 7 Configure port forwarding.

Step 8 Specify an SSL trustpoint, SSL version, and SSL encryption algorithm (optional).

Step 9 Customize login and home pages (optional).

These steps are examined in the sections that follow.

Step 1: Configure the HTTP Server

The first step in configuring WebVPN is to enable the HTTP server on the ASA and optionally configure HTTP redirect using the http server enable and http redirect interface [port] commands in global configuration mode (see Example 10-8).

Example 10-8 Enabling the HTTP Server

http server enable
http redirect Outside0/1 80

The http redirect command in Example 10-8 allows users that connect to the ASA on TCP port 80 (HTTP) on outside interface Outside0/1 to be redirected to port 443 (HTTPS).

Step 2: Enable WebVPN on the Outside Interface

Having enabled the HTTP server, the next step is to enable WebVPN on the outside interface using the enable outside-interface-name command in the WebVPN mode (see Example 10-9).

Example 10-9 Enabling WebVPN on the Outside Interface

enable Outside0/1

In Example 10-9, the webvpn global configuration mode command is used to enter WebVPN mode.

The enable interface-name command then enables WebVPN on interface Outside0/1.

Step 3: Configure the WebVPN User Group Policy and Attributes

As described in Chapter 9, the ASA uses a similar policy-inheritance mechanism to the Cisco VPN 3000 concentrator—there is a user policy, a user group policy, and a default group policy. The user policy inherits settings from the group policy, which in turn inherits settings from the default policy.

The user group policy for WebVPN is configured as shown in Example 10-10.

Example 10-10 Configuration of Group Policy for WebVPN

group-policy webvpn.grp.policy internal
group-policy webvpn.grp.policy attributes
vpn-tunnel-protocol webvpn
  <attributes configured here>

The group-policy name internal global configuration mode command is used to configure an internal user group policy with (in this case) the name webvpn.grp.policy.

The group-policy name attributes command then begins the configuration of attributes associated with the user group named webvpn.grp.policy.

The vpn-tunnel-protocol webvpn command specifies that this user group is restricted to WebVPN only (and does not include IPsec).

User group attributes relating to WebVPN are then configured under the webvpn command (more on this later).

Step 4: Configure Remote Access User Authentication

To authenticate remote access users during login, you can use either the local username/password database or an AAA server.

Example 10-11 shows the configuration of a local username/password database.

Example 10-11 Configuration of a Local Username/Password Database

username pete password ueQDRVFmwEjd4hRT encrypted
username dave password IkTiDoEuVyjoxmBU encrypted
username john password hN7LzeyYjw12FSIU encrypted
username mark password 7EwWZdAmpPRnJfI1 encrypted

In Example 10-11, a local username and password database (consisting, in this case, of four users) is configured using the username username password password global configuration mode command. The ASA encrypts passwords by default, and so the encrypted keyword is added in the configuration file.

As previously described, a local username and password database is not scalable, and so is only suitable for small-scale deployments. For larger-scale deployments, users can be authenticated using RADIUS, TACACS+, NT domain, Kerberos, and SDI.

If you want to use an authentication server for user authentication, you can use the aaa-server server-tag protocol server-protocol and aaa-server server-tag [(interface-name)] host server-ip [key] [timeout seconds] commands.

The aaa-server protocol command is used to specify group AAA parameters and protocols associated with servers, and the aaa-server host command is used to configure parameters associated with a particular server (such as IP address and key).

Step 5: Specify URL Lists

The next step is to specify the URLs that remote access users can access via links on their home page. As shown in Example 10-12, you can accomplish this by configuring a URL list.

Example 10-12 Specifying URLs Using the url-list Command

url-list URL.List "URL.TEXT"
url-list URL.List "URL.TEXT2"
url-list URL.List "URL.TEXT3"

The url-list list-name displayname url command configures the URLs that users can access. The list-name parameter groups URLs together, and the displayname parameter configures the names that are displayed and that users can click to access the specified URLs.

Having configured the URL list, you should now link to the list under the user group (WebVPN) attributes using the url-list {value name | none} command (see Example 10-13).

Example 10-13 Linking to the URL List Under the User Group

group-policy webvpn.grp.policy attributes
 functions url-entry (line 1)
 url-list value URL.List (line 2)

The url-list {value name | none} command in highlighted line 2 links to the URL list configured in Example 10-12 (URL.List in this example).

If you want remote access users to also be able to manually enter URLs that they want to access via WebVPN (in addition to URLs accessible via the URL list), you can configure the functions url-entry command shown in highlighted line 1.
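Two of the mistakes this chapter warns about are dangling names: an ssl trustpoint that does not match any crypto pki trustpoint (the IOS configuration earlier in this page), and a url-list value or group-policy ... attributes line that names a list or policy that was never defined (Examples 10-10 through 10-13). The following Python is an added cross-reference checker, not Cisco code: it scans a configuration for each reference/definition pair and reports the references that have no definition. The two sample configurations are constructed for the example, and the URL and names in them are placeholders.

```python
import re

# Added example: a cross-reference checker for the dangling-name mistakes this
# chapter warns about. Not Cisco code; sample configurations are constructed.

# (reference command, definition command, regex capturing the referenced name,
#  regex capturing the defined name). Every reference needs a definition.
RULES = [
    ("ssl trustpoint", "crypto pki trustpoint",
     re.compile(r"^\s*ssl trustpoint (\S+)\s*$"),
     re.compile(r"^\s*crypto pki trustpoint (\S+)\s*$")),
    # ASA form: url-list list-name "displayname" url  (the reference form is
    # 'url-list value list-name', which the definition regex does not match)
    ("url-list value", "url-list definition",
     re.compile(r"^\s*url-list value (\S+)\s*$"),
     re.compile(r'^\s*url-list (\S+) "[^"]*" \S+\s*$')),
    ("group-policy attributes", "group-policy internal",
     re.compile(r"^\s*group-policy (\S+) attributes\s*$"),
     re.compile(r"^\s*group-policy (\S+) internal\s*$")),
]


def check_references(config_text):
    """Return one message per reference that has no matching definition."""
    lines = config_text.splitlines()
    problems = []
    for ref_cmd, def_cmd, ref_re, def_re in RULES:
        defined = set()
        for line in lines:
            m = def_re.match(line)
            if m:
                defined.add(m.group(1))
        for line in lines:
            m = ref_re.match(line)
            if m and m.group(1) not in defined:
                problems.append(f"{ref_cmd} '{m.group(1)}' has no matching {def_cmd}")
    return problems


# Constructed IOS snippet: the trustpoint names differ by one character.
IOS_SAMPLE = """\
crypto pki trustpoint webvpn-tp
 enrollment terminal
!
webvpn
 ssl trustpoint webvpn_tp
 ssl encryption 3des-sha1
"""

# Constructed ASA snippet: the URL list links correctly, but the last line
# repeats the misspelling that appears in this page's own prose.
ASA_SAMPLE = """\
url-list URL.List "Intranet" http://intranet.example.invalid
group-policy webvpn.grp.policy internal
group-policy webvpn.grp.policy attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions url-entry
  url-list value URL.List
group-policy wevpn.grp.policy attributes
"""

if __name__ == "__main__":
    for label, sample in (("IOS", IOS_SAMPLE), ("ASA", ASA_SAMPLE)):
        print(label, check_references(sample) or "no dangling references")
```

A checker like this is cheap to run from a change-control pipeline before a configuration is pushed, which is where a mismatched trustpoint name (handshake fails for every user) or an undefined URL list (empty home page) is far less expensive to catch than after deployment.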

After the URL list is configured, you can then optionally configure an HTTP or HTTPS proxy server in WebVPN mode, as demonstrated in Example 10-14.

Example 10-14 Configuring an HTTP/HTTPS Proxy Server

 http-proxy 80
 https-proxy 443

The webvpn global configuration mode command is used to enter WebVPN mode.

The http-proxy ip-address [port] and https-proxy ip-address [port] commands are then used to configure the IP addresses of HTTP and HTTPS proxy servers (, in this case). Note that the default ports for HTTP and HTTPS are specified in this example (ports 80 and 443, respectively).

Step 6: Configure File Access, Entry, and Browsing

As shown in Example 10-15, to enable file access and file sharing, it is necessary to first configure one or more WINS servers/NetBIOS name servers (NBNS) using the nbns-server {ip-address-or-hostname} [master] [timeout timeout] [retry retries] command, and then to enable file access, entry, and browsing as appropriate using the functions command.

Example 10-15 Configuring File Access, Entry, and Browsing

nbns-server master timeout 2 retry 2
nbns-server timeout 2 retry 2
group-policy webvpn.grp.policy attributes
 functions file-access file-entry file-browsing