04-03-2018 03:00 PM - edited 03-12-2019 05:10 AM
Hello All,
I am planning to deploy an SSL VPN solution.
VPN Gateway: ASA 9.8.1 image installed on FTD 4150 as a logical device with a standard ASA license.
Client: Windows 10 native VPN client. The protocol used for the VPN connection is SSTP.
I really appreciate if someone can help me in writing the configuration.
Authentication requirements are:
Authentication: certificate based (user certificate and device certificate). Authentication servers are Active Directory servers using Kerberos.
Basically there are two types of VPN users:
Internal users, who use corp wifi for initiating the VPN connection. They need to be verified by the source IP address (corp wifi subnet). If the source IP falls under the corp wifi subnet, the only authentication to be done is device authentication: the ASA should check with AD using Kerberos and verify that the device is in the required VPN devices group. Once the device is verified and authentication is successful, the VPN connection will be established.
External users:
Users accessing the VPN from the internet. The authentication process will be:
1) The source IP address should be identified as any Internet IP address and the user considered an external VPN user.
2) The user will be checked against the AD group for external VPN users to confirm that they are valid with access to the VPN.
3) The device will be checked against the AD group for internal devices to confirm that it is a valid device with access to the VPN.
For either internal or external users, the source IP needs to be checked before passing user/device details to the AD groups using Kerberos for authentication. How do we achieve this?
External users' three checks: 1) source IP check, 2) user should be in the VPN AD group, 3) device should be in the AD device group.
Questions:
1) How to restrict VPN client access based on the source IP of the connection? An ACL on the outside interface? But I still need to allow VPN access to the external users as well, whose source will be any address on the Internet.
2) I believe two connection profiles (tunnel-groups) are required in this, one for internal users and one for external users. Can someone write a sample configuration, please?
Let me know if you need any further details.
04-03-2018 08:53 PM
04-04-2018 01:46 AM
04-04-2018 06:37 AM
04-04-2018 03:04 PM
Thanks Rahul,
You said the inner protocols are different. Any idea what the inner protocols are? Is there a way to restrict the Windows 10 native client to use TLS 1.2 to connect to the VPN?
04-06-2018 03:28 AM - edited 04-06-2018 03:29 AM
Hi Rahul and Mohammed,
As per the below:
https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html#id_65223
IKEv2 support was added to the ASA in release 8.4. For IKEv2 remote access, the ASA only supported Cisco AnyConnect 3.0+ clients and no other third-party IKEv2 clients. From ASA release 9.3.2 and onward, we added interoperability with standards-based, third-party, IKEv2 remote access clients (in addition to AnyConnect). Authentication support includes preshared keys, certificates, and user authentication via the Extensible Authentication Protocol (EAP).
Does that third-party support cover STTP clients? Please correct me if I am wrong.
04-06-2018 03:37 AM
In addition to the above message:
If I configure vpn-tunnel-protocol as ssl-client and allow VPN connections on 443 from the SSTP client (i.e. the Windows 10 native VPN client using SSTP), does this work?
04-06-2018 05:34 AM
04-09-2018 01:59 AM
04-09-2018 10:33 AM
1) How to restrict VPN client access based on the source IP of the connection? ACL on outside interface? but I still need to allow VPN access to the external users as well? source will be any address on the Internet.
You would have to create a control-plane ACL on the outside allowing the public IP addresses that need to be able to connect. If this is for users on the internet, this does not make sense if they move from network to network.
2) I believe, two connection profiles(tunnel-group) required in this , one of internal users and one for external users, can someone write sample configuration, pls?
Config example for SSLVPN using Anyconnect is below, just replicate the Wizard setup for the 2 groups:
04-11-2018 05:46 AM
04-11-2018 08:33 AM
Makes a little more sense now. If you want both internal and external users to connect, then control plane ACL is not the right way. Control plane ACL just defines what ip addresses can connect to the ASA ip addresses.
You cannot define authentication mechanisms based on the ip addresses that the users come in from. Auth mechanisms are defined per tunnel-group. You have to have them go to different tunnel-groups, each with its own AAA server for authentication. Create a separate group-url for each like below:
ciscoasa(config)# tunnel-group Trusted-Employees type remote-access
ciscoasa(config)# tunnel-group Trusted-Employees general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group (inside) LDAP-AD1
ciscoasa(config-tunnel-general)# default-group-policy Employees
ciscoasa(config)# tunnel-group Trusted-Employees webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-url https://asa-vpn1.companyA.com/Employees enable

ciscoasa(config)# tunnel-group UnTrusted-Employees type remote-access
ciscoasa(config)# tunnel-group UnTrusted-Employees general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group LOCAL
ciscoasa(config-tunnel-general)# default-group-policy Vendors
ciscoasa(config)# tunnel-group UnTrusted-Employees webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-url https://asa-vpn1.companyA.com/Vendors enable
Have them go to those separate URLs so that they each have their own group to log in to. If you have two different AAA servers, a user cannot go to the other URL and log in.
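The following is an added example, not configuration from the original thread or from Cisco. It fills in the three pieces the answer above describes in prose: the control-plane ACL syntax (for the internal-only case, since the answer notes it cannot admit Internet users too), two tunnel-groups selected by group-url with separate AAA server groups, and certificate plus AAA authentication with an AD group-membership check done via an LDAP attribute map. It assumes AnyConnect SSL clients, which is what the posted config targets. The AD address 10.1.1.5, corp wifi subnet 10.20.0.0/16, outside address 203.0.113.10, domain companyA.com, bind account and group names VPN-Internal / VPN-External are all assumed placeholders.

```text
! Added example (not from the original thread). All addresses, DNs and group
! names are assumptions; replace them with your own.

! 1. Control-plane ACL: filters traffic addressed TO the ASA outside interface.
!    Only corp-wifi sources may reach TCP/443. Because of the implicit deny,
!    every other to-the-box service on that interface (SSH, IKE UDP/500,4500)
!    must be permitted here as well, or it stops working. As the answer above
!    says, this cannot coexist with Internet users on the same interface.
access-list CP-VPN extended permit tcp 10.20.0.0 255.255.0.0 host 203.0.113.10 eq 443
access-group CP-VPN in interface outside control-plane

! 2. Group policies. NOACCESS is the default for both tunnel-groups: a user
!    who authenticates but is not in the expected AD group gets 0 logins.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy Employees internal
group-policy Employees attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 3

! 3. AD group check: each tunnel-group gets its own aaa-server group pointing
!    at the same domain controller, but with a different attribute map, so
!    only the matching AD group is promoted from NOACCESS to Employees.
ldap attribute-map MAP-INTERNAL
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Internal,OU=Groups,DC=companyA,DC=com" Employees
ldap attribute-map MAP-EXTERNAL
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-External,OU=Groups,DC=companyA,DC=com" Employees

aaa-server LDAP-AD-INT protocol ldap
aaa-server LDAP-AD-INT (inside) host 10.1.1.5
 ldap-base-dn DC=companyA,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=companyA,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map MAP-INTERNAL

aaa-server LDAP-AD-EXT protocol ldap
aaa-server LDAP-AD-EXT (inside) host 10.1.1.5
 ldap-base-dn DC=companyA,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=companyA,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map MAP-EXTERNAL

! 4. Trustpoint for the CA that issued the user/device certificates.
!    Import the CA certificate afterwards with "crypto ca authenticate CORP-CA".
crypto ca trustpoint CORP-CA
 enrollment terminal

webvpn
 enable outside
 anyconnect enable

! 5. Two tunnel-groups, each reached by its own group-url. "authentication aaa
!    certificate" requires BOTH a valid client certificate chained to CORP-CA
!    and a successful AAA login; "authentication certificate" alone would
!    accept the certificate without consulting AD at all.
tunnel-group Trusted-Employees type remote-access
tunnel-group Trusted-Employees general-attributes
 authentication-server-group LDAP-AD-INT
 default-group-policy NOACCESS
tunnel-group Trusted-Employees webvpn-attributes
 authentication aaa certificate
 group-url https://asa-vpn1.companyA.com/Employees enable

tunnel-group UnTrusted-Employees type remote-access
tunnel-group UnTrusted-Employees general-attributes
 authentication-server-group LDAP-AD-EXT
 default-group-policy NOACCESS
tunnel-group UnTrusted-Employees webvpn-attributes
 authentication aaa certificate
 group-url https://asa-vpn1.companyA.com/Vendors enable
```

The NOACCESS default is the check a practitioner wants here: with it, a valid AD account that is not in the mapped group authenticates successfully but is refused a session, which is visible in the ASA logs as a simultaneous-logins failure rather than as an open tunnel. Verify the mapping with "test aaa-server authentication LDAP-AD-EXT host 10.1.1.5 username <user>" and "debug ldap 255", which prints the memberOf values returned by AD and the resulting Group-Policy.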