
Saturday, December 12, 2015

VPN Pieces and Parts

Concepts and techniques


1. Tweaking the AnyConnect client profile
The default transport in the profile is SSL; IPsec (IKEv2) can be selected instead.
Preferences (Part 1) and Preferences (Part 2) hold the remaining customization options: trusted DNS servers, which settings are user-controllable, proxy settings, and the Automatic VPN Policy (trusted network detection, i.e. connect automatically on untrusted networks and disconnect on trusted ones).

2. Customizing the Clientless SSL portal

Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Bookmarks
Plug-ins
Customization
The customization page can add an on-screen keyboard to the logon page. It is off by default.

3. What failover fails to do for clientless
In a failover pair the configuration is replicated to the standby unit, but clientless SSL VPN session state is not. After a failover, clientless users have to log in to the portal again.

4. AAA server options
Configuration -> Remote Access VPN -> AAA/Local Users -> AAA Server Groups
Apart from RADIUS and TACACS+, the ASA can use NT Domain, SDI (RSA SecurID), Kerberos, LDAP and HTTP Form server groups.
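The CLI equivalent of the ASDM page above, added here as an example (it is not from the original post). It creates an LDAP server group against an Active Directory host over LDAPS and binds it to a remote-access tunnel group; the group names, host address, DNs and password are assumed placeholders.

```cisco
! Added example, not from the original page. Names, addresses and DNs are placeholders.
! Server group: protocol, and what to do when every server in the group is down.
aaa-server CORP-LDAP protocol ldap
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
! One host in the group. Bind over SSL on 636 so the bind DN password and user
! credentials do not cross the inside network in the clear.
aaa-server CORP-LDAP (inside) host 10.1.1.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password Ch4ngeMe!
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
! Tunnel group (connection profile) that authenticates users against the group.
tunnel-group SALES-RA type remote-access
tunnel-group SALES-RA general-attributes
 authentication-server-group CORP-LDAP
 default-group-policy SALES-GP
```

Use a dedicated, low-privilege bind account for ldap-login-dn; it only needs read access to the users it looks up. `test aaa-server authentication CORP-LDAP host 10.1.1.5 username jdoe password ...` from the CLI checks the bind and the lookup before any VPN user depends on it.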

5. Single sign-on options

If a user signs on to server A, then server B, then server C, authenticating each time is tedious. With single sign-on the user authenticates once, and the ASA passes those credentials on to the other servers so there is no further authentication prompt.

Clientless SSL VPN Access -> Group Policies -> More Options -> Single Sign-on -> Authentication Type (Basic, NTLM and FTP). This is auto sign-on, configured per group policy: the ASA replays the user's portal logon credentials to the listed servers.

Another option is a dedicated single sign-on server:
Clientless SSL VPN Access -> Advanced -> Single Sign-on Servers -> Authentication Type -> SiteMinder

The third option is smart tunnel auto sign-on:
Clientless SSL VPN Access -> Portal -> Smart Tunnels -> Add server

The server list then appears under Group Policies -> Portal -> Smart Tunnel Application, Auto Sign-on Server. Select the server created above.
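The three single sign-on options above, as ASA CLI instead of ASDM clicks. This is an added example, not configuration from the original post; the group policy, list names, hosts, URLs and secret are assumed placeholders, and command availability depends on the ASA version.

```cisco
! Added example, not from the original page. Names, hosts and the secret are placeholders.
! Option 1: auto sign-on in the group policy. The ASA replays the user's portal
! logon credentials to matching URIs with the given auth type. Keep the URI
! masks narrow: every host they match receives the user's password.
group-policy SALES-GP attributes
 webvpn
  auto-signon allow uri https://intranet.example.com/* auth-type ntlm
  auto-signon allow uri https://files.example.com/* auth-type basic

! Option 2: a dedicated SSO server (CA SiteMinder), then referenced from the group policy.
webvpn
 sso-server SM-SSO type siteminder
  web-agent-url http://sm.example.com/webvpn.asp
  policy-server-secret Ch4ngeMe!
  request-timeout 5
  max-retry-attempts 3
group-policy SALES-GP attributes
 webvpn
  sso-server value SM-SSO

! Option 3: smart tunnel with auto sign-on. The list names the client
! application; the auto-signon list names the servers that get the credentials.
webvpn
 smart-tunnel list RDP-APPS RemoteDesktop mstsc.exe platform windows
 smart-tunnel auto-signon INTRANET-SSO host intranet.example.com
group-policy SALES-GP attributes
 webvpn
  smart-tunnel enable RDP-APPS
  smart-tunnel auto-signon enable INTRANET-SSO domain EXAMPLE
```

Whichever option is used, the credential being forwarded is the one the user typed at the portal, so the group policy should only forward it to servers on https:// URIs or inside the smart tunnel; a plain http:// auto-signon URI sends the password in the clear from the ASA to the server.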

6. Local CA

Instead of buying an identity certificate for every user from an external PKI CA, the ASA can run its own local CA and issue user identity certificates itself. Only the ASA's own identity certificate, the one browsers have to trust when they connect, needs to come from the external PKI CA; the users' certificates come from the ASA. This saves a lot of money.

Configuration -> Remote Access VPN -> Certificate Management -> Local CA -> CA Server
Create certificate authority server
Three things that make a device refuse a certificate:
- it is outside its validity period
- it is not signed by a CA server that the browser trusts
- it has been revoked

The CRL can be fetched over HTTP, LDAP or SCEP.
The other way to check revocation is OCSP, which asks a responder about one certificate at a time instead of downloading the whole list. (SCEP itself is an enrollment protocol; on the ASA it only appears as one of the CRL retrieval methods.)

To add a user:
Configuration -> Remote Access VPN -> Certificate Management -> Local CA -> Manage User Database -> Add
Username (e.g. sales-user)
E-mail ID
Subject (DN)
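The local CA setup, the user enrollment, and the revocation checks described above as ASA CLI. This is an added example, not the original post's configuration; the issuer name, hostnames, URLs, DN and e-mail address are assumed placeholders.

```cisco
! Added example, not from the original page. Names, URLs, DN and e-mail are placeholders.
! Local CA: the ASA issues user identity certificates itself.
crypto ca server
 issuer-name CN=asa-local-ca,O=Example
 keysize 2048
 lifetime ca-certificate 1095
 lifetime certificate 365
 lifetime crl 6
 cdp-url http://asa.example.com/+CSCOCA+/asa_ca.crl
 smtp from-address ca-admin@example.com
 no shutdown

! Manage User Database -> Add, then allow enrollment. The user gets a one-time
! password by e-mail and enrolls through the local CA web page.
crypto ca server user-db add sales-user dn CN=sales-user,O=Example email sales-user@example.com
crypto ca server user-db allow sales-user email-otp

! Revoke a certificate later by its serial number; the CRL is regenerated.
! crypto ca server revoke <serial>

! Revocation checking on a trustpoint that authenticates peer certificates.
! Validity period and trusted-signer checks always happen; revocation-check
! controls the third check, and its default is "none", so set it explicitly.
! Order matters: here OCSP is tried first, then the CRL.
crypto ca trustpoint CORP-PKI
 enrollment terminal
 revocation-check ocsp crl
 ocsp url http://ocsp.example.com
 crl configure
  policy both
  url 1 http://pki.example.com/corp.crl
  protocol http
```

After `no shutdown`, `show crypto ca server` shows the CA certificate and its fingerprint, and `show crypto ca server user-db` lists who has enrolled. Keep `lifetime crl` short if the CDP is reachable: a device that caches a six-hour CRL will keep accepting a certificate for up to six hours after it is revoked.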

7. Licensing
The proper license is needed to get all functionality; for example, the Botnet Traffic Filter only works with the botnet license.

License types
Permanent
Temporary
-evaluation licenses
-time-based feature licenses, like the botnet license


8. IPv6 support
Yes, it is supported. A remote-access user who wants to connect to the ASA over IPv6 has to use AnyConnect; the legacy Cisco VPN Client does not support IPv6. For site-to-site tunnels, both peers must use the same IP version for the tunnel endpoints, either v4 or v6.

