Clientless SSL VPN (WebVPN) on ASA

Configuration Example with ASDM

Document ID: 70475

Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Configure
Network Diagram
Procedure
Configuration
Clientless SSL VPN (WEBVPN) Macro Substitutions
Verify
Troubleshoot
Procedures Used to Troubleshoot
Commands Used to Troubleshoot
Problem − Unable to Connect More Than Three WEB VPN Users to PIX/ASA
Problem − WEB VPN Clients Cannot Hit Bookmarks and is Grayed Out
Problem − Citrix Connection Through WEBVPN
Related Information
Introduction
Clientless SSL VPN (WebVPN) allows for limited but valuable secure access to the corporate network from
any location. Users can achieve secure browser−based access to corporate resources at anytime. This
document provides a straightforward configuration for the Cisco Adaptive Security Appliance (ASA) 5500
series to allow Clientless SSL VPN access to internal network resources.

The SSL VPN technology can be utilized in three ways: Clientless SSL VPN, Thin−Client SSL VPN (Port
Forwarding), and SSL VPN Client (SVC Tunnel Mode). Each has its own advantages and unique access to
resources.

1. Clientless SSL VPN

A remote client needs only an SSL−enabled web browser to access http− or https−enabled web servers on the
corporate LAN. Access is also available to browse for Windows files with the Common Internet File System
(CIFS). A good example of http access is the Outlook Web Access (OWA) client.

2. Thin−Client SSL VPN (Port Forwarding)

A remote client must download a small, Java−based applet for secure access of TCP applications that use
static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and
Telnet. The user needs local administrative privileges because changes are made to files on the local machine.
This method of SSL VPN does not work with applications that use dynamic port assignments, for example,
several FTP applications.
Refer to Thin−Client SSL VPN (WebVPN) on ASA using ASDM Configuration Example in order to learn
more about the Thin−Client SSL VPN.

3. SSL VPN Client (SVC−Tunnel Mode)

The SSL VPN Client downloads a small client to the remote workstation and allows full, secure access to the
resources on the internal corporate network. The SVC can be downloaded permanently to the remote station,
or it can be removed after the secure session ends.

Clientless SSL VPN can be configured on the Cisco VPN Concentrator 3000 and specific Cisco IOS® routers
with Version 12.4(6)T and higher. Clientless SSL VPN access can also be configured on the Cisco ASA at the
Command Line Interface (CLI) or with the Adaptive Security Device Manager (ASDM). The ASDM usage
makes configurations more straightforward.

Clientless SSL VPN and ASDM must not be enabled on the same ASA interface. It is possible for the two
technologies to coexist on the same interface if changes are made to the port numbers. It is highly
recommended that ASDM is enabled on the inside interface, so WebVPN can be enabled on the outside
interface.

Refer to SSL VPN Client (SVC) on ASA Using ASDM Configuration Example in order to know more details
about the SSL VPN Client.

Clientless SSL VPN enables secure access to these resources on the corporate LAN:

• OWA/Exchange
• HTTP and HTTPS to internal web servers
• Windows file access and browsing
• Citrix Servers with the Citrix thin client

The Cisco ASA adopts the role of a secure proxy for client computers which can then access pre−selected
resources on the corporate LAN.

This document demonstrates a simple configuration with ASDM to enable the use of Clientless SSL VPN on
the Cisco ASA. No client configuration is necessary if the client already has an SSL−enabled web browser.
Most web browsers already have the capability to invoke SSL/TLS sessions. The resultant Cisco ASA
command lines are also shown in this document.

Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:

• Client−SSL enabled browser, for example, Internet Explorer, Netscape, and Mozilla
• ASA with Version 7.1 or higher
• TCP port 443, which must not be blocked along the path from the client to the ASA

Components Used
The information in this document is based on these software and hardware versions:

• Cisco ASA Software Version 7.2(1)

• Cisco ASDM 5.2(1)
 Note: Refer to Allowing HTTPS Access for ASDM in order to allow the ASA to be configured by the
ASDM.
• Cisco ASA 5510 series

The information in this document was created from the devices in a specific lab environment. All the devices
used in this document began with a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure
At this stage, you can issue the https://inside _IP Address from a web browser to access the ASDM
application. Once ASDM has loaded, begin the configuration for WebVPN.

This section contains the information needed to configure the features described within this document.

Note: Use the Command Lookup Tool ( registered customers only) to obtain more information about the
commands used in this section.

Network Diagram
This document uses this network setup:

Procedure
Configure the WebVPN on the ASA with four major steps:

• Enable the WebVPN on an ASA interface.

• Create a list of servers and/or URLs for WebVPN access.
• Create a group policy for WebVPN users.
• Apply the new group policy to a Tunnel Group.

1. In ASDM, choose Configuration > VPN > WebVPN > WebVPN Access.

Choose the interface to terminate WebVPN users > Enable > Apply.

2. Choose Servers and URLs > Add.

 Enter a name for the list of servers accessible by WebVPN. Click the Add button. The Add Server or
URL dialogue box displays. Enter the name of each server. This is the name that the client sees.
Choose the URL drop−down menu for each server and choose the appropriate protocol. Add servers
to your list from the Add Server or URL dialogue box and click OK.

Click Apply > Save.

3. Expand General in the left menu of ASDM. Choose Group Policy > Add.
♦ Choose Add Internal Group Policy. Uncheck the Tunneling Protocols: Inherit check box.
Check the WebVPN check box.
♦ Choose the WebVPN tab. Uncheck the Inherit check box. Choose from the list of features.
Click OK > Apply.
4. Choose the Tunnel Group in the left column. Click the Edit button.
Click the Group Policy drop−down menu. Choose the policy that was created in Step 3.
It is important to note that if new Group Policies and Tunnel Groups are not created, the defaults are
GroupPolicy 1 and DefaultWEBVPNGroup. Click the WebVPN tab.
Choose NetBIOS Servers. Click the Add button. Fill in the IP address of the WINS/NBNS server.
Click OK > OK. Follow the prompts Apply > Save > Yes to write the configuration.
Configuration
This configuration reflects the changes ASDM made to enable WebVPN:

Ciscoasa
ciscoasa#show running−config
Building configuration...

ASA Version 7.2(1)

hostname ciscoasa
domain−name cisco.com
enable password 9jNfZuG3TC5tCVH0 encrypted
names
dns−guard
interface Ethernet0/0
nameif outside
security−level 0
ip address 172.22.1.160 255.255.255.0
interface Ethernet0/1
nameif inside
security−level 100
ip address 10.2.2.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ1
security−level 50
no ip address
interface Management0/0
description For Mgt only
shutdown
nameif Mgt
security−level 0
ip address 10.10.10.1 255.255.255.0
management−only
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server−group DefaultDNS
domain−name cisco.com
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu Mgt 1500
icmp permit any outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.2.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.22.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half−closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp−pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip−invite 0:03:00 sip−disconnect 0:02:00
timeout uauth 0:05:00 absolute
!

!−−− group policy configurations

!

group−policy GroupPolicy1 internal

group−policy GroupPolicy1 attributes
vpn−tunnel−protocol IPSec l2tp−ipsec webvpn
webvpn
functions url−entry file−access file−entry file−browsing mapi port−forward filter
http−proxy auto−download citrix
username cisco password 53QNetqK.Kqqfshe encrypted
!

!−−− asdm configurations

!

http server enable

http 10.2.2.0 255.255.255.0 inside
!
no snmp−server location
no snmp−server contact
snmp−server enable traps snmp authentication linkup linkdown coldstart
!

!−−− tunnel group configurations

!

tunnel−group DefaultWEBVPNGroup general−attributes

default−group−policy GroupPolicy1
tunnel−group DefaultWEBVPNGroup webvpn−attributes
nbns−server 10.2.2.2 master timeout 2 retry 2
!
telnet timeout 5
ssh 172.22.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class−map inspection_default
match default−inspection−traffic
!
policy−map type inspect dns preset_dns_map
parameters
message−length maximum 512
policy−map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service−policy global_policy global
!

!−−− webvpn configurations

!

webvpn
enable outside
url−list ServerList "WSHAWLAP" cifs://10.2.2.2 1
url−list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
url−list ServerList "FOCUS_SRV_2" http://10.2.2.4 3
!
prompt hostname context
!
end

Clientless SSL VPN (WEBVPN) Macro Substitutions

Clientless SSL VPN macro substitutions let you configure users for access to personalized resources that
contain the user ID and password or other input parameters. Examples of such resources include bookmark
entries, URL lists, and file shares.

Note: For security reasons, password substitutions are disabled for file−access URLs (cifs://).

Note: Also for security reasons, use caution when you introduce password substitutions for web links,
especially for non−SSL instances.

These macro substitutions are supported:

1. CSCO_WEBVPN_USERNAME − SSL VPN user login ID

2. CSCO_WEBVPN_PASSWORD − SSL VPN user login password
3. CSCO_WEBVPN_INTERNAL_PASSWORD − SSL VPN user internal resource password
 4. CSCO_WEBVPN_CONNECTION_PROFILE − SSL VPN user login group drop−down, a group
alias within the connection profile
5. CSCO_WEBVPN_MACRO1 − Set through RADIUS/LDAP vendor−specific attribute
6. CSCO_WEBVPN_MACRO2 − Set through RADIUS/LDAP vendor−specific attribute

In order to know more about macro substitutions, refer to Clientless SSL VPN Macro Substitutions.

Verify
Use this section to confirm that your configuration works properly.

Establish a connection to your ASA device from an outside client to test this:

https://ASA_outside_IP_Address

The client receives a Cisco WebVPN page that allows access to the corporate LAN in a secure fashion. The
client is allowed only the access that is listed in the newly created group policy.

Authentication:A simple login and password was created on the ASA for this lab proof of concept. If a single
and seamless sign−on to a domain for the WebVPN users is preferred, refer to this URL:

ASA with WebVPN and Single Sign−on using ASDM and NTLMv1 Configuration Example

Troubleshoot
This section provides information you can use to troubleshoot your configuration.

Note: Do not interrupt the Copy File to Server command or navigate to a different screen while the copy
process is in progress. If the operation is interrupted, it can cause an incomplete file to be saved on the server.

Note: Users can upload and download the new files with the WEBVPN client, but the user is not allowed to
overwrite the files in CIFS on WEB VPN with the Copy File to Server command. When the user attempts to
replace a file on the server, the user receives this message: "Unable to add the file."

Procedures Used to Troubleshoot

Follow these instructions to troubleshoot your configuration.

1. In ASDM, choose Monitoring > Logging > Real−time Log Viewer > View. When a client connects
to the ASA, note the establishment and termination of SSL and TLS sessions in the real−time logs.
2. In ASDM, choose Monitoring > VPN > VPN Statistics > Sessions. Look for the new WebVPN
session. Be sure to choose the WebVPN filter and click Filter. If a problem occurs, temporarily
bypass the ASA device to ensure that clients can access the desired network resources. Review the
configuration steps listed in this document.
Commands Used to Troubleshoot
The Output Interpreter Tool ( registered customers only) (OIT) supports certain show commands. Use the OIT to
view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before the use of debug commands.

• show webvpn ?There are many show commands associated with WebVPN. In order to see the use
of show commands in detail, refer to the command reference section of the Cisco Security Appliance.
• debug webvpn ?The use of debug commands can adversely impact the ASA. In order to see the use
of debug commands in more detail, refer to the command reference section of the Cisco Security
Appliance.

Problem − Unable to Connect More Than Three WEB VPN Users to

PIX/ASA
Problem :

Only three WEB VPN clients can connect to ASA/PIX; the connection for the fourth client fails.

Solution :

In most cases, this issue is related to a simultaneous login setting within the group policy.

Use this illustration to configure the desired number of simultaneous logins. In this example, the desired value
was 20.

ciscoasa(config)# group−policy Bryan attributes

ciscoasa(config−group−policy)# vpn−simultaneous−logins 20

Problem − WEB VPN Clients Cannot Hit Bookmarks and is Grayed Out
Problem :

If these bookmarks were configured for users to sign in to the clientless VPN, but, on the home screen under
"Web Applications" they show up as grayed out, how can I enable these HTTP links so that the users are able
to click them and go into the particular URL?

Solution :

You should first make sure that the ASA can resolve the websites through DNS. Try to ping the websites by
name. If the ASA cannot resolve the name, the link is grayed out. If the DNS servers are internal to your
network, configure the DNS domain−lookup private interface.

Problem − Citrix Connection Through WEBVPN

Problem

The error message "the ica client received a corrupt ica file." occurs for Citrix over WEBVPN.

Solution
If you use the secure gateway mode for Citrix connection through WebVPN, the ICA file can corrupt.
Because the ASA is not compatible with this mode of operation, create a new ICA file in the Direct Mode
(non−secure mode).

Related Information
• Technical Support & Documentation − Cisco Systems
• Cisco ASA 5500 Series Adaptive Security Appliances
• ASA with WebVPN and Single Sign−on using ASDM and NTLMv1 Configuration Example

Contacts & Feedback | Help | Site Map

© 2009 − 2010 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks of
Cisco Systems, Inc.

Updated: Jun 17, 2008 Document ID: 70475