Sunday, October 9, 2016

Clientless Secure Sockets Layer (SSL) VPN on a Cisco Router

To give clientless remote-access users access to corporate applications, the security appliance (ISR) acts as a proxy. It converts web and even some non-web applications so that they can be protected by SSL. The Cisco ISR offers the following techniques to provide resource and application access:

* URL and Common Internet File System (CIFS) file access: When the client browser establishes the SSL session and the user is authenticated, the gateway can present a page with resource bookmarks. These allow the user to access pre-configured web pages or file shares. The user can also enter an address of a resource and access it that way if it is within the user's permission.

* Port forwarding: Provides access to TCP-based applications by mapping application-specific ports on the remote computer to application-specific ports on the internal servers. Port forwarding requires that a Java applet be downloaded to the client. This applet listens on ports on the client machine and forwards the connection to the gateway.

Deployment Tasks

The basic deployment tasks for creating a Cisco IOS Software SSL VPN, with either a client-based or a clientless solution, are as follows:

Task 1: Configure the ISR with basic SSL VPN gateway features to include provisioning a certificate to enable SSL/TLS server authentication.

Task 2: Configure basic user authentication by adding user accounts with passwords and creating an access policy for all remote users.

Task 3: (Optional) Configure full tunneling VPN access to internal resources if the connection requires access that is like being connected to the internal network directly.

Task 4: (Optional) Deploy the Cisco AnyConnect VPN client if full tunneling is required.

Task 5: (Optional) Configure clientless VPN access to internal resources if the connection only requires browser-based access.


In this scenario, I've used my 1841 router with Advanced Security IOS as the SSL VPN gateway since this device has enough space on its flash memory to load the Cisco AnyConnect file.

R1#show flash
-#- --length-- -----date/time------ path
1         1821 Nov 19 2007 23:57:00 +00:00 sdmconfig-18xx.cfg
2       861696 Nov 19 2007 23:57:20 +00:00 es.tar
3      1164288 Nov 19 2007 23:57:46 +00:00 common.tar
4         1038 Nov 19 2007 23:58:10 +00:00 home.shtml
5       113152 Nov 19 2007 23:58:30 +00:00 home.tar
6     21846564 Jan 26 2013 10:03:34 +00:00 c1841-advsecurityk9-mz.124-9.T.bin

R1#copy tftp://172.16.1.50/anyconnect-win-2.5.1025-k9.pkg flash
Destination filename [anyconnect-win-2.5.1025-k9.pkg]?
Accessing tftp://172.16.1.50/anyconnect-win-2.5.1025-k9.pkg...
Loading anyconnect-win-2.5.1025-k9.pkg from 172.16.1.50 (via FastEthernet0/1): !!!!!!!!!!!!!!!!!!
[OK - 4436544 bytes]

4436544 bytes copied in 19.988 secs (221960 bytes/sec)

R1#show flash
-#- --length-- -----date/time------ path
1         1821 Nov 19 2007 23:57:00 +00:00 sdmconfig-18xx.cfg
2       861696 Nov 19 2007 23:57:20 +00:00 es.tar
3      1164288 Nov 19 2007 23:57:46 +00:00 common.tar
4         1038 Nov 19 2007 23:58:10 +00:00 home.shtml
5       113152 Nov 19 2007 23:58:30 +00:00 home.tar
6     21846564 Jan 26 2013 10:03:34 +00:00 c1841-advsecurityk9-mz.124-9.T.bin
7      4436544 Jan 27 2013 02:00:54 +00:00 anyconnect-win-2.5.1025-k9.pkg

4718592 bytes available (27197440 bytes used)

R1#configure terminal
R1(config)#aaa ?
  new-model  Enable NEW access control commands and functions.(Disables OLD
             commands.)

R1(config)#aaa new-model
R1(config)#aaa ?
  accounting      Accounting configurations parameters.
  attribute       AAA attribute definitions
  authentication  Authentication configurations parameters.
  authorization   Authorization configurations parameters.
  cache           AAA cache definitions
  configuration   Authorization configuration parameters.
  dnis            Associate certain AAA parameters to a specific DNIS number
  group           AAA group definitions
  local           AAA Local method options
  max-sessions    Adjust initial hash size for estimated max sessions
  nas             NAS specific configuration
  new-model       Enable NEW access control commands and functions.(Disables
                  OLD commands.)
  pod             POD processing
  route           Static route downloading
  session-id      AAA Session ID
  session-mib     AAA session MIB options
  traceback       Traceback recording
  user            AAA user definitions

R1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  username-prompt  Text to use when prompting for a username

R1(config)#aaa authentication login ?
  WORD     Named authentication list.
  default  The default authentication list.

R1(config)#aaa authentication login SSL_VPN_AUTHENTICATION ?
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V
                 Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

R1(config)#aaa authentication login SSL_VPN_AUTHENTICATION local
R1(config)#username vpnuser password cisco123
R1(config)#ip http ?
  access-class                   Restrict http server access by access-class
  active-session-modules         Set up active http server session modules
  authentication                 Set http server authentication method
  client                         Set http client parameters
  help-path                      HTML help root URL
  max-connections                Set maximum number of concurrent http server
                                 connections
  path                           Set base path for HTML
  port                           Set http port
  secure-active-session-modules  Set up active http secure server session
                                 modules
  secure-ciphersuite             Set http secure server ciphersuite
  secure-client-auth             Set http secure server with client
                                 authentication
  secure-port                    Set http secure server port number for
                                 listening
  secure-server                  Enable HTTP secure server
  secure-trustpoint              Set http secure server certificate trustpoint
  server                         Enable http server
  session-module-list            Set up a http(s) server session module list
  timeout-policy                 Set http server time-out policy parameters

R1(config)#ip http server
R1(config)#ip http secure-server
Jan 27 02:52:22.947: %PKI-6-AUTOSAVE: Running configuration saved to NVRAM
R1(config)#ip local ?
  policy  Enable policy routing
  pool    IP Local address pool lists

R1(config)#ip local pool ?
  WORD     Create named local address pool
  default  Create default local address pool

R1(config)#ip local pool SSL_VPN_POOL ?
  A.B.C.D     First IP address of range
  cache-size  Number of free entries to search
  group       Create ip local pool group
  <cr>

R1(config)#ip local pool SSL_VPN_POOL 192.168.1.10 ?
  A.B.C.D     Last IP address of range
  cache-size  Number of free entries to search
  group       Create ip local pool group
  <cr>

R1(config)#ip local pool SSL_VPN_POOL 192.168.1.10 192.168.1.150

R1(config)#webvpn ?
  context  Specify webvpn context
  gateway  Virtual Gateway configuration
  install  Install package command

R1(config)#webvpn install ?
  csd  Install a Secure Desktop package
  svc  Install a SSLVPN Client package
  <cr>

R1(config)#webvpn install svc ?
  WORD  Filename of installing package

R1(config)#webvpn install svc anyconnect-win-2.5.1025-k9.pkg
SSLVPN Package SSL-VPN-Client : installed successfully

SSL_VPN_GW(config)#webvpn gateway ?
  WORD  Name of virtual gateway

R1(config)#webvpn gateway SSL_VPN_GW
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config-webvpn-gateway)#
Jan 27 02:44:43.279: %SSH-5-ENABLED: SSH 1.99 has been enabled
Jan 27 02:44:44.827: %PKI-4-NOAUTOSAVE: Configuration was modified.  Issue "write memory" to save new certificate
R1(config-webvpn-gateway)#do write memory
Building configuration...
[OK]
R1(config-webvpn-gateway)#?
SSLVPN Gateway Submode commands:
  exit           Exit from gateway configuration mode
  hostname       Hostname used in URL & Cookie mangling
  http-redirect  enable HTTP redirect feature
  inservice      Enable webvpn gateway
  ip             Virtual Gateway IP config
  no             Negate or set default values of a command
  ssl            SSL configurations for front end client connections

R1(config-webvpn-gateway)#ip ?
  address  Virtual Gateway IPaddr

R1(config-webvpn-gateway)#ip address ?
  A.B.C.D  Gateway IP address

R1(config-webvpn-gateway)#ip address 172.16.1.254 ?
  port       port configuration
  secondary  configure gateway as secondary IP
  <cr>

R1(config-webvpn-gateway)#ip address 172.16.1.254 port ?
  443           Default secure port
  <1025-65535>  Port number

R1(config-webvpn-gateway)#ip address 172.16.1.254 port 443
R1(config-webvpn-gateway)#http-redirect ?
  port  port number to redirect
  <cr>

R1(config-webvpn-gateway)#http-redirect port ?
  80            Default redirect port
  <1025-65535>  Port number

R1(config-webvpn-gateway)#http-redirect port 80
R1(config-webvpn-gateway)#ssl ?
  encryption  SSL transforms
  trustpoint  SSL trustpoint

R1(config-webvpn-gateway)#ssl encryption ?
  3des-sha1  3DES and SHA1
  aes-sha1   AES and SHA1
  rc4-md5    RC4 and MD5

R1(config-webvpn-gateway)#ssl encryption 3des-sha1 ?
  aes-sha1  AES and SHA1
  rc4-md5   RC4 and MD5
  <cr>

R1(config-webvpn-gateway)#ssl encryption 3des-sha1 aes-sha1
R1(config-webvpn-gateway)#inservice
R1(config-webvpn-gateway)#exit
R1(config)#do show webvpn gateway

Gateway Name                       Admin  Operation
------------                       -----  ---------
SSL_VPN_GW                         up     up


R1(config)#webvpn context ?
  WORD  Name of webvpn context

R1(config)#webvpn context SSL_VPN_CONTEXT
R1(config-webvpn-context)#?
SSLVPN Submode commands:
  aaa                   AAA config for context
  csd                   Cisco Secure Desktop config
  default-group-policy  Default group policy
  exit                  Exit from SSLVPN mode
  gateway               Associate gateway to context
  inservice             Bring context to inservice
  login-message         Login messsage to be displayed
  logo                  Logo file to be displayed
  max-users             Maximum users for this context
  nbns-list             NBNS list configuration submode
  no                    Negate or set default values of a command
  policy                Policy configuration
  port-forward          Port-forward list config submode
  secondary-color       Secondary color for the browser
  secondary-text-color  Secondary text color for the browser
  ssl                   SSL configurations for backend server connections
  text-color            Text color for the browser
  title                 Title to be displayed on the browser
  title-color           Title color for the browser
  url-list              URL list configuration submode
  vrf-name              VRF associated to context

R1(config-webvpn-context)#gateway SSL_VPN_GW
R1(config-webvpn-context)#policy ?
  group  Group Policy configuration

R1(config-webvpn-context)#policy group ?
  WORD  Group Policy name

R1(config-webvpn-context)#policy group SSL_VPN_POLICY
R1(config-webvpn-group)#?
SSLVPN Group Policy Configuration Commands:
  banner        Specify the banner to be used
  citrix        Citrix configuration
  exit          Exit from group-policy configuration mode
  filter        Network ACL
  functions     Configuring VPN features
  hide-url-bar  Disable URL bar on portal page
  nbns-list     NBNS list
  no            Negate a command or set its defaults
  port-forward  Port-forward list
  svc           Tunnel specific configuration
  timeout       WebVPN timeout values
  url-list      URL list

R1(config-webvpn-group)#banner ?
  WORD  Banner string

R1(config-webvpn-group)#banner "Welcome to SSL VPN Lab"
R1(config-webvpn-group)#functions ?
  file-access   Enable File Access
  file-browse   Allow File Browsing
  file-entry    Allow File Entry
  svc-enabled   Enabled to run tunnel-mode
  svc-required  Required to run tunnel-mode

R1(config-webvpn-group)#functions svc-enabled
R1(config-webvpn-group)#svc ?
  address-pool           Assign addresses from the pool to remote users
  default-domain         Specify the default domain
  dns-server             DNS Server
  dpd-interval           WebVPN dpd interval
  homepage               Specify the homepage to be used
  keep-client-installed  Keep tunnel client installed after termination
  msie-proxy             Microsoft Internet Explorer browser proxy settings
  rekey                  SSLVPN Client rekey command
  split                  Split Tunnel configuration commands
  wins-server            WINS Server

R1(config-webvpn-group)#svc keep-client-installed
R1(config-webvpn-group)#svc address-pool ?
  WORD  Address pool name

R1(config-webvpn-group)#svc address-pool SSL_VPN_POOL
R1(config-webvpn-group)#exit
R1(config-webvpn-context)#default-group-policy ?
  WORD  default group policy name

R1(config-webvpn-context)#default-group-policy SSL_VPN_POLICY
R1(config-webvpn-context)#aaa ?
  accounting      accounting parameters
  authentication  authetication parameters

R1(config-webvpn-context)#aaa authentication ?
  domain  domain to be used for authentication
  list    authetication list

R1(config-webvpn-context)#aaa authentication list ?
  WORD  list name

R1(config-webvpn-context)#aaa authentication list SSL_VPN_AUTHENTICATION
R1(config-webvpn-context)#inservice
Jan 27 03:12:21.843: %SSLVPN-5-UPDOWN: sslvpn context : SSL_VPN_CONTEXT changed state to UP
R1(config-webvpn-context)#do show webvpn context

Codes: AS - Admin Status, OS - Operation Status
       VHost - Virtual Host

Context Name        Gateway  Domain/VHost      VRF      AS    OS
------------        -------  ------------      -------  ----  --------
SSL_VPN_CONTEXT     SSL_VPN_ -                 -        up    up


For some reason the SSL VPN connection initially didn't work, so I ran some debugs on R1 and found the error. My Google search led me to conclude that the error is due to an incompatible cipher algorithm. I changed it to another type and it loaded successfully afterwards.

R1#debug ssl openssl errors
<output truncated>
Jan 27 06:40:00.854: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:00.858: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:02.846: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:02.850: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:02.970: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:02.970: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:02.978: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:02.978: SSLVPN: Entering APPL with Context: 0x64703D58,
          Data buffer(buffer: 0x649035D8, data: 0xE75BD078, len: 1,
          offset: 0, domain: 0)
Jan 27 06:40:02.978: SSLVPN: Fragmented App data - buffered
Jan 27 06:40:02.978: SSLVPN: Entering APPL with Context: 0x64703D58,
          Data buffer(buffer: 0x649035B8, data: 0xE7204718, len: 483,
          offset: 0, domain: 0)
Jan 27 06:40:02.978: SSLVPN: Appl. processing Failed : 2    
Jan 27 06:40:02.978: SSLVPN: server side not ready to send.


SSL_VPN_GW#show run | sec webvpn
webvpn gateway SSL_VPN_GW
 ip address 172.16.1.254 port 443
 http-redirect port 80
 ssl encryption 3des-sha1 aes-sha1 
 ssl trustpoint TP-self-signed-514137430
 inservice
 !
webvpn install svc flash:/webvpn/svc.pkg
 !
webvpn context SSL_VPN_CONTEXT
 ssl authenticate verify all
 !
 !
 policy group SSL_VPN_POLICY
   functions svc-enabled
   banner "Welcom to SSL VPN Lab"
   svc address-pool "SSL_VPN_POOL"
   svc keep-client-installed
 default-group-policy SSL_VPN_POLICY
 aaa authentication list SSL_VPN_AUTHENTICATION
 gateway SSL_VPN_GW
 inservice

SSL_VPN_GW#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SSL_VPN_GW(config)#webvpn gateway SSL_VPN_GW
SSL_VPN_GW(config-webvpn-gateway)#no ssl encryption 3des-sha1 aes-sha1
SSL_VPN_GW(config-webvpn-gateway)#ssl encryption ?
  3des-sha1  3DES and SHA1
  aes-sha1   AES and SHA1
  rc4-md5    RC4 and MD5

SSL_VPN_GW(config-webvpn-gateway)#ssl encryption rc4-md5
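
The gateway stanza printed by show run | sec webvpn can be checked offline for weak transport settings. The Python script below is an added example, not code from the original post; parse_gateways, audit and the AFTER_CHANGE sample are names assumed here. It flags the weak keywords from the ssl encryption ? list (RC4 with MD5, and 3DES) and the self-signed trustpoint, leaving aes-sha1 as the only unflagged choice of the three.

```python
import re

# Reasons the cipher keywords listed by "ssl encryption ?" are weak today.
# aes-sha1 is the only one of the three without an entry.
WEAK_CIPHERS = {
    "rc4-md5": "RC4 is prohibited in TLS (RFC 7465); MD5 is a broken hash",
    "3des-sha1": "3DES uses 64-bit blocks (Sweet32 birthday attack)",
}

# Gateway stanza as printed by "show run | sec webvpn" on the page.
PAGE_GATEWAY = """\
webvpn gateway SSL_VPN_GW
 ip address 172.16.1.254 port 443
 http-redirect port 80
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint TP-self-signed-514137430
 inservice
 !
"""

# Constructed sample: the same stanza after the page's change to rc4-md5.
AFTER_CHANGE = PAGE_GATEWAY.replace("3des-sha1 aes-sha1", "rc4-md5")

def parse_gateways(config):
    """Map each 'webvpn gateway NAME' stanza to its indented sub-commands."""
    gateways, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):            # unindented line opens a stanza
            m = re.fullmatch(r"webvpn gateway (\S+)", line)
            current = m.group(1) if m else None
            if current:
                gateways[current] = []
        elif current:
            gateways[current].append(line)
    return gateways

def audit(config):
    """Return (gateway, item, reason) for every weak setting found."""
    findings = []
    for name, lines in parse_gateways(config).items():
        for line in lines:
            words = line.split()
            if words[:2] == ["ssl", "encryption"]:
                for cipher in words[2:]:
                    if cipher in WEAK_CIPHERS:
                        findings.append((name, cipher, WEAK_CIPHERS[cipher]))
            elif words[:2] == ["ssl", "trustpoint"] and "self-signed" in line.lower():
                findings.append((name, words[-1],
                                 "self-signed: clients cannot validate it unless pinned"))
    return findings

if __name__ == "__main__":
    for cfg in (PAGE_GATEWAY, AFTER_CHANGE):
        for finding in audit(cfg):
            print(*finding, sep=" | ")
```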


SSL_VPN_GW#show webvpn session context all
WebVPN context name: SSL_VPN_CONTEXT
Client_Login_Name  Client_IP_Address  No_of_Connections  Created  Last_Used
vpnuser            172.16.1.50                2         00:01:50  00:01:08

SSL_VPN_GW#show webvpn session user vpnuser context all
WebVPN user name = vpnuser ; IP address = 172.16.1.50 ; context = SSL_VPN_CONTEXT
    No of connections: 1
    Created 00:03:03, Last-used 00:02:21
    Client Port: 20512
    User Policy Parameters
      Group name = SSL_VPN_POLICY
    Group Policy Parameters
      banner = "Welcom to SSL VPN Lab"
      idle timeout = 2100 sec
      session timeout = 43200 sec
      functions = svc-enabled
      citrix disabled
      address pool name = "SSL_VPN_POOL"
      default domain = "lab.com"
      dpd client timeout = 300 sec
      dpd gateway timeout = 300 sec
      keep sslvpn client installed = enabled
      rekey interval = 3600 sec
      rekey method =
      lease duration = 43200 sec