VPN Configuration query

Chts
Level 1

Hello All,

I am planning to deploy an SSL VPN solution.

VPN Gateway: Installing the ASA 9.8.1 image on an FTD 4150 as a logical device with a standard ASA license.
Client: Windows 10 native VPN client. The protocol used for the VPN connection is SSTP.

I would really appreciate it if someone could help me write the configuration.

The authentication requirements are:

Authentication: Certificate based (user certificate and device certificate). The authentication servers are Active Directory servers using Kerberos.

Basically there are two types of VPN users:

Internal users, who use the corporate Wi-Fi to initiate the VPN connection. They need to be verified by the source IP address (corporate Wi-Fi subnet). If the source IP falls under the corporate Wi-Fi subnet, the only authentication to be done is device authentication: the ASA should check with AD using Kerberos and verify that the device is in the required VPN devices group. Once the device is verified and authentication is successful, the VPN connection will be established.

External users:
Users accessing the VPN from the Internet. The authentication process will be:

1) The source IP address should be identified as any Internet IP address and considered an external VPN user.
2) The user will be checked against the AD group for external VPN users to confirm that they are valid with access to the VPN.
3) The device will be checked against the AD group for internal devices to confirm that it is a valid device with access to the VPN.

For either internal or external users, the source IP needs to be checked before passing the user/device details to the AD groups using Kerberos for authentication. How do we achieve this?

External users have three checks: 1) source IP check, 2) the user should be in the VPN AD group, 3) the device should be in the AD device group.
Questions:

1) How to restrict VPN client access based on the source IP of the connection? An ACL on the outside interface? But I still need to allow VPN access to the external users as well; the source will be any address on the Internet.

2) I believe two connection profiles (tunnel-groups) are required here, one for internal users and one for external users. Can someone write a sample configuration, please?

Let me know if you need any further details.

11 Replies

Let's start with the fact that the ASA can't terminate SSTP as far as I know.
It can only pass it through, since it's on port 443. Why don't you use the
built-in IKEv2 client, since you are using W10?

Hi Mohammed,
Thanks for the reply. I believe all ASA 9.3 and above versions support SSTP VPN connections, but I haven't tested this yet. The SSTP protocol is a client (company) requirement due to some security reasons. The VPN users' PCs will be hardcoded to use the SSTP protocol to connect to the VPN.

Mohammed is correct. Although SSTP uses SSL as the tunneling protocol, the inner protocols are different. The only SSL-based client officially supported is AnyConnect. ASA 9.3 onwards supports standards-based IKEv2 clients.

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html#id_65223

Thanks Rahul,
You said the inner protocols are different; any idea what the inner protocols are? Is there a way to restrict the Win 10 native client to use TLS 1.2 to connect to the VPN?

Hi Rahul and Mohammed,

As per the below,

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html#id_65223

IKEv2 Remote Access Clients

IKEv2 support was added to the ASA in release 8.4. For IKEv2 remote access, the ASA only supported Cisco AnyConnect 3.0+ clients and no other third-party IKEv2 clients. From ASA release 9.3.2 and onward, we added interoperability with standards-based, third-party, IKEv2 remote access clients (in addition to AnyConnect). Authentication support includes preshared keys, certificates, and user authentication via the Extensible Authentication Protocol (EAP).

Does that third-party support cover SSTP clients? Please correct me if I am wrong.

In addition to the above message,

if I configure vpn-tunnel-protocol as ssl-client and allow VPN connections on 443 from an SSTP client (i.e. the Win 10 native VPN client using SSTP), does this work?

 

"Third-party IKEv2 clients" is what is supported: clients like strongSwan or the Mac/Windows native clients. This does not include SSTP protocol clients.

SSL-client is only meant for AnyConnect. I tested this in my lab, and the ASA does not respond back to an SSTP connection after the initial SSL setup.

Thank you, Rahul. Thanks for testing in the lab as well; I will discuss this with the client.
Could you or anyone please answer my questions and provide a sample configuration?

1) How to restrict VPN client access based on the source IP of the connection? An ACL on the outside interface? But I still need to allow VPN access to the external users as well; the source will be any address on the Internet.

You would have to create a control-plane ACL on the outside allowing the public IP addresses that need to be able to connect. If this is for users on the Internet, this does not make sense, since they move from network to network.

2) I believe two connection profiles (tunnel-groups) are required here, one for internal users and one for external users. Can someone write a sample configuration, please?

A config example for SSL VPN using AnyConnect is below; just replicate the wizard setup for the 2 groups:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html
Thank you, Rahul,

Basically, I need to do two checks:

1) If the user is initiating the VPN connection from the internal Wi-Fi subnet, the user's device should be verified by AD device group membership for authentication.

2) If the user is initiating the VPN connection from the Internet, the user's device and the user should be verified against the AD device membership group and the AD VPN users membership group.

This is my requirement, so before passing to authentication I need to verify the source IP address of the client's VPN connection; based on that, authentication will be done.

If I write a control-plane ACL with the source IP addresses as the internal Wi-Fi subnet and stick it to the outside interface, only those (internal) connections will be accepted, and any other source IP address connections (for instance external users with Internet addresses) will be blocked. But I need to allow these connections as well and identify them as external users, so authentication will be passed to AD for user and device group membership verification.

How do I achieve this? The configuration below is OK for internal users:

no sysopt connection permit-vpn
access-list vpn_internal_users extended permit tcp internal_wifi_subnet mask host VPN_gateway eq 443
access-group vpn_internal_users in interface outside control-plane

So only internal_wifi_subnet connections will be accepted. How do I allow the external users' connections? Would attaching a vpn-filter (with an any any ACL) within the group-policy of the external users help?

Makes a little more sense now. If you want both internal and external users to connect, then a control-plane ACL is not the right way. A control-plane ACL just defines what IP addresses can connect to the ASA's IP addresses.

You cannot define authentication mechanisms based on the IP addresses that the users come in from. Auth mechanisms are defined per tunnel-group. You have to have them go to different tunnel-groups, each with its own AAA server for authentication. Create a separate group-url for each, like below:
ciscoasa(config)#tunnel-group Trusted-Employees type remote-access
ciscoasa(config)#tunnel-group Trusted-Employees general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group (inside) LDAP-AD1
ciscoasa(config-tunnel-general)#default-group-policy Employees
ciscoasa(config)#tunnel-group Trusted-Employees webvpn-attributes
ciscoasa(config-tunnel-webvpn)#group-url https://asa-vpn1.companyA.com/Employees enable

ciscoasa(config)#tunnel-group UnTrusted-Employees type remote-access
ciscoasa(config)#tunnel-group UnTrusted-Employees general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group LOCAL
ciscoasa(config-tunnel-general)#default-group-policy Vendors
ciscoasa(config)#tunnel-group UnTrusted-Employees webvpn-attributes
ciscoasa(config-tunnel-webvpn)#group-url https://asa-vpn1.companyA.com/Vendors enable

Have them go to those separate URLs so that they each have their own group to log in to. If you have 2 different AAA servers, a user cannot go to the other URL and log in.
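As an added example that is not from the thread, from Cisco, or from either poster, here is a fuller ASA configuration built along the lines of Rahul's answer: two AnyConnect connection profiles selected by group-url, one LDAP server group pointed at AD, and an LDAP attribute map that turns AD group membership into the ASA group policy a session receives. The trusted profile authenticates by certificate only and then runs an authorization lookup against AD; the untrusted profile requires the certificate plus an AD username and password. LDAP is used rather than Kerberos because an ASA Kerberos server group only authenticates and returns no group membership, whereas the LDAP memberOf attribute can be mapped. Every hostname, address, DN, group name and policy name below is a placeholder, the `group-lock` and `NOACCESS` pattern is my choice rather than anything the thread specifies, and the example assumes `webvpn` is already enabled on the outside interface with an AnyConnect image as in the Cisco document linked above. It also assumes device certificates carry the AD account name in the CN, which is how the trusted profile derives the name for its AD lookup; that assumption must match how the certificates are actually issued.

```cisco
! Added example, not from the thread: two AnyConnect profiles, one AD LDAP
! server group, and an attribute map from AD group membership to group policy.
! All names, addresses and DNs are placeholders chosen for this example.

! Deny-by-default policy: a session that matches no mapped AD group lands
! here and is refused, because zero simultaneous logins are allowed.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy for devices on the corporate Wi-Fi, pinned to the trusted profile
! so the same AD mapping cannot be reused through the external URL.
group-policy Internal-Devices internal
group-policy Internal-Devices attributes
 vpn-tunnel-protocol ssl-client
 group-lock value Trusted-Employees

! Policy for external users, pinned to the untrusted profile.
group-policy External-Users internal
group-policy External-Users attributes
 vpn-tunnel-protocol ssl-client
 group-lock value UnTrusted-Employees

! memberOf values from AD select the group policy; any account outside
! these groups keeps the tunnel-group default of NOACCESS.
ldap attribute-map AD-VPN-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Devices,OU=Groups,DC=example,DC=com" Internal-Devices
 map-value memberOf "CN=VPN-External-Users,OU=Groups,DC=example,DC=com" External-Users

! One LDAP server group reachable on the inside interface (the thread's
! LDAP-AD1); the attribute map is attached to the host entry.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.10.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password PLACEHOLDER-PASSWORD
 server-type microsoft
 ldap-attribute-map AD-VPN-MAP

! Trusted profile: certificate authentication only, followed by an LDAP
! authorization lookup that uses the certificate CN as the account name
! (assumption: device certificates carry the AD account name in the CN).
tunnel-group Trusted-Employees type remote-access
tunnel-group Trusted-Employees general-attributes
 default-group-policy NOACCESS
 authorization-server-group AD-LDAP
 authorization-required
 username-from-certificate CN
tunnel-group Trusted-Employees webvpn-attributes
 authentication certificate
 group-url https://asa-vpn1.example.com/Employees enable

! Untrusted profile: certificate plus AD username and password, gated by
! the same attribute map on the external-users group.
tunnel-group UnTrusted-Employees type remote-access
tunnel-group UnTrusted-Employees general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
tunnel-group UnTrusted-Employees webvpn-attributes
 authentication aaa certificate
 group-url https://asa-vpn1.example.com/External enable
```

Note what this does and does not check. The ASA never inspects the client's source address to decide which profile applies; the profile is chosen by the URL the AnyConnect client is pointed at, and each profile then demands its own proof (certificate only, or certificate plus AD credentials). The NOACCESS default plus `group-lock` is the part that enforces the AD group requirement: an account that authenticates but is not in a mapped group receives a policy with zero allowed logins, and an account mapped to a policy locked to the other profile is refused on this one. If the original poster also wants connections to the trusted URL limited to the corporate Wi-Fi range, that would be a separate control-plane ACL on the outside interface scoped to that URL's listener, as discussed earlier in the thread, and it would not be applied to the external profile.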