CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.15 – Digital Certificates [Cisco Secure Firewall ASA] – Cisco

Описание

​Существует несколько способов организации SSL VPN.Мы рассмотрим универсальный метод, который обеспечивает полный доступ к внутренним корпоративным ресурсам. Удаленный клиент при подключении через браузер непосредственно к cisco, скачивает специальное клиентское приложение Cisco AnyConnect Client на свой компьютер.

​Будем рассматривать настройку SSL VPN параллельно 2-мя способами через графический интерфейс Cisco ASDM и через консоль CLI.Используемое оборудование Cisco ASA-5505 (Security Appliance Software Version 9.1(6)6)​

Introduction

This document provides a sample configuration on Cisco Adaptive Security Appliance (ASA) for AnyConnect VPN remote access for Windows with the Common Access Card (CAC) for authentication.

The scope of this document is to cover the configuration of Cisco ASA with Adaptive Security Device Manager (ASDM), Cisco AnyConnect VPN Client and Microsoft Active Directory (AD)/Lightweight Directory Access Protocol (LDAP).

The configuration in this guide uses Microsoft AD/LDAP server. This document also covers advanced features such as OCSP, LDAP attribute maps and Dynamic Access Polices (DAP).

Active directory services interface editor

• In the Active Directory server, choose Start > Run.

• Type adsiedit.msc. This starts the editor.

• Right click on an object and click Properties.

This tool shows all attributes for specific objects. See Figure D2.

Figure D2: ADSI Edit

Archiving the local ca server certificate and keypair

To archive the local CA server certificate and keypair, enter the following command:

Asa configuration

1. In ASDM, choose Remote Access VPN> AAA Setup > LDAP Attribute Map.

2. Click Add.

3. In the Add LDAP Attribute Map window, complete these steps. See Figure A3.

   Figure A3: Adding LDAP Attribute Map

   

   1. Enter a name in the Name textbox.

   2. In the Map Name Tab, type msNPAllowDialin in the Customer Name text box.

   3. In the Map Name Tab, choose Tunneling-Protocols in the drop-down option in the Cisco Name.

   4. Click Add.

   5. Choose the Map Value tab.

   6. Click Add.

   7. In the Add Attribute LDAP Map Value window, type TRUE in the Customer Name text box and type 20 in the Cisco Value text box.

   8. Click Add.

   9. Type FALSE in the Customer Name text box and type 1 in the Cisco Value text box. See Figure A4.

      

   10. Click Ok.

   11. Click Ok.

   12. Click APPLY.

   13. Configuration should look like Figure A5.

       Figure A5: LDAP Attribute Map configuration

       

4. Choose Remote Access VPN> AAA Setup > AAA Server Groups. See Figure A6.

   Figure A6: AAA Server Groups

   

5. Click on the server group that you want to edit. In the Servers in the Selected Group section, choose the server IP address or hostname, and then click Edit.

6. In Edit AAA Server window, in the LDAP Attribute Map text box, choose the LDAP attribute map created in the drop-down menu. See Figure A7

   Figure A7: Adding LDAP Attribute Map

   

7. Click Ok.

Note: Turn on LDAP debugging while you test in order to verify if LDAP binding and attribute mapping work properly. See Appendix C for troubleshooting commands.

Cisco anyconnect client configuration

This section covers the configuration of the Cisco AnyConnect VPN client.

Assumptions – Cisco AnyConnect VPN Client and middleware application is already installed in the host PC. ActivCard Gold and ActivClient were tested.

Note: This guide uses the group-url method for initial AC client install only. Once the AC client is installed, you launch the AC application just like the IPsec client.

Note: The DoD certificate chain needs to be installed on the local machine. Check with the PKI POC in order to obtain the certificates/batch file.

Cli book 1: cisco asa series general operations cli configuration guide, 9.15 – digital certificates [cisco secure firewall asa]

Client services and certificate

You must enable client services and certificates on the correct interface, which is the outside interface in this case. Here is an example configuration:

crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint OUTSIDE
ssl trust-point OUTSIDE outside

Note: The same trustpoint is also assigned for Secure Sockets Layer (SSL), which is intended and required.

Components used

The information in this document is based on these software and hardware versions:

• Cisco 5500 Series Adaptive Security Appliance (ASA) that runs the software version 8.0(x) and later

• Cisco Adaptive Security Device Manager (ASDM) version 6.x for ASA 8.x

• Cisco AnyConnect VPN Client for Windows

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure ca to use ocsp

1. Choose Remote Access VPN> Certificate Management > CA Certificates.

2. Highlight an OCSP in order to choose a CA to configure to use OCSP.

3. Click Edit.

4. Ensure that Check certificate for revocation is checked.

5. In the Revocation Methods section, add OCSP. See Figure 24.

   OCSP Revocation Check

   

6. Ensure Consider Certificate valid…cannot be retrieved is unchecked if you want to follow strict OCSP checking.

Note: Configure/Edit all the CA server that uses OCSP for revocation.

Configure ocsp

The configuration of an OCSP can vary and depends upon the OCSP responder vendor. Read the manual of the vender for more information.

Configure ocsp rules

Note: Verify that a Certificate Group Matching Policy is created and the OCSP responder is configured before you complete these steps.

Note: In some OCSP implementations, a DNS A and PTR record can be needed for the ASA. This check is done in order to verify that the ASA is from a .mil site.

1. Choose Remote Access VPN> Certificate Management > CA Certificates 2.

2. Highlight an OCSP in order to choose a CA to configure to use OCSP.

3. Choose Edit.

4. Click the OCSP Rule tab.

5. Click Add .

6. In the Add OCSP Rule window, complete these steps. See Figure 25.

   Figure 25: Adding OCSP Rules

   

   1. In the Certificate Map option, choose DefaultCertificateMap or a map created previously.

   2. In the Certificate option, choose OCSP responder.

   3. In the index option, enter 10.

   4. In the URL option, enter the IP address or the hostname of the OCSP responder. If you use the hostname, make sure DNS server is configured on ASA.

   5. Click Ok.

   6. Click Apply.

Configuring digital certificates

This section describes how to configure local CA certificates. Make sure that you follow the sequence of tasks listed to correctly configure this type of digital certificate. This section includes the following topics:

Configuring key pairs

To generate key pairs, perform the following steps:

Configuring proxy support for scep requests

To configure the ASA to authenticate remote access endpoints using third-party CAs, perform the following steps:

Configuring the ca certificate lifetime

To configure the local CA server certificate lifetime, perform the following commands:

Configuring the crl lifetime

To configure the CRL lifetime, perform the following commands:

Configuring the issuer name

To configure the certificate issuer name, perform the following commands:

Configuring the local ca server

To configure the local CA server, perform the following commands:

Configuring the server keysize

To configure the server keysize, perform the following commands:

Configuring trustpoints

To configure a trustpoint, perform the following steps:

Create an ip address pool

This is optional if you use another method such as DHCP.

1. Choose Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools.

2. Click Add.

3. In the Add IP Pool window, enter the name of the IP pool, starting and ending IP address and choose a subnet mask. See Figure 13.

   Figure 13: Adding IP Pool

   

4. Choose Ok.

5. Choose Remote Access VPN > Network (Client) Access > Address Assignment > Assignment Policy.

6. Select the appropriate IP address assignment method. This guide uses the internal address pools. See Figure 14.

   Figure 14: IP Address Assignment method

   

7. Click Apply.

Create tunnel group and group policy

Group Policy

Note: If you do not want to create a new policy, you can use the default built in-group policy.

Crypto map configuration

Here is a crypto map example configuration:

crypto dynamic-map DYN 1 set pfs group1
crypto dynamic-map DYN 1 set ikev2 ipsec-proposal secure
crypto dynamic-map DYN 1 set reverse-route
crypto map STATIC 65535 ipsec-isakmp dynamic DYN
crypto map STATIC interface outside

Customizing the local ca server

To configure a customized local CA server, perform the following commands:

Debugging the local ca server

To debug the newly configured local CA server, perform the following commands:

Deleting the local ca server

To delete an existing local CA server (either enabled or disabled), enter one of the following commands:

Disabling the local ca server

To disable the local CA server, perform the following commands:

Enable anyconnect profile

You must enable the AnyConnect profile on the ASA. Here is an example configuration:

webvpn
 enable outside
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1 regex "Windows NT"
anyconnect profiles Anyconnect disk0:/anyconnect.xml
 anyconnect enable
tunnel-group-list enable

Example 1: allowed connection with correct attribute mapping

This example shows the output of debug ldap and debug aaa common during a successful connection with the scenario 2 shown in Appendix A.

Example 2: allowed connection with mis-configured cisco attribute mapping

This example shows the output of debug ldap and debug aaa common during an allowed connection with the scenario 2 shown in Appendix A.

Example 2: denied connection with dap

Thia example shows the output of debug dap errors and debug dap trace during an unsuccessful connection with the scenario 3 shown in Appendix A.

Examples

The following example enables the local CA server:

hostname (config)# crypto ca server

Exporting a trustpoint configuration

To export a trustpoint configuration, enter the following command:

Ikev2 policies

Here is an IKEv2 policy example configuration:

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400

Importing a trustpoint configuration

To import a trustpoint configuration, enter the following command:

Install root ca certificates

Complete these steps:

1. Choose Remote Access VPN > Certificate Management > CA Certificate > Add.

2. Choose Install from File and browse to the certificate.

3. Choose Install Certificate.

   Figure 4: Installing Root Certificate

   

4. This window should appear. See Figure 5.

   Figure 5

   

   Note: Repeat steps 1 through 3 for every certificate that you want to install. DoD PKI requires a certificate for each of these: Root CA 2, Class 3 Root, CA## Intermediate, ASA ID and OCSP Server. The OCSP certificate is not needed if you do not use OCSP.

   Figure 6: Installing Root Certificate

   

Ipsec proposals

Here is an IPsec proposal example configuration:

crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256-SHA
protocol esp encryption aes-256
protocol esp integrity sha-1

Key pairs

Key pairs are RSA keys, which have the following characteristics:

Maintaining the local ca certificate database

To maintain the local CA certificate database, make sure that you save the certificate database file, LOCAL-CA-SERVER.cdb, with the write memory command each time that a change to the database occurs. The local CA certificate database includes the following files:

New connection

1. The AC window appears. See Figure 34.

   Figure 34: New VPN Connection

   

2. Choose the appropriate host if AC does not automatically try the connection.

3. Enter your PIN when prompted. See Figure 35.

   Figure 35: Enter PIN

   

Obtaining certificates automatically with scep

To obtain certificates automatically using SCEP, perform the following steps:

Obtaining certificates manually

To obtain certificates manually, perform the following steps:

Removing key pairs

To remove key pairs, perform the following steps:

Scenario 1: active directory enforcement using remote access permission dial-in – allow/deny access

This example maps the AD attribute msNPAllowDailin to Cisco’s attribute cVPN3000-Tunneling- Protocol.

• The AD attribute value: TRUE = Allow; FALSE = Deny

• Cisco attribute value: 1 = FALSE, 4 (IPSec) or 20 (4 IPSEC 16 WebVPN) = TRUE,

For ALLOW condition, you map:

For DENY dial-in condition, you map:

Scenario 2 : active directory enforcement using group membership to allow/deny access

This example uses the LDAP attribute memberOf to map to the Tunneling Protocol attribute in order to establish a group membership as a condition. For this policy to work, you must have these conditions:

Note: Be aware that the ASA can only read the first string of the memeberOf attribute in this release. Make sure that the new group created is on the top of the list. The other option is to put a special character in front of the name as AD looks at special characters first. In order to work around this caveat,use DAP in 8.x software to look at multiple groups.

Scenario 3: dynamic access policies for multiple memberof attributes

This example uses DAP to look at multiple memberOf attributes in order to allow access based off of Active Directory group membership. Prior to 8.x, the ASA only read the first memberOf attribute. With 8.x and later, the ASA can look at all the memberOf attributes.

Setting up enrollment parameters

To set up enrollment parameters, perform the following commands:

Start cisco anyconnect vpn client – windows

From the host PC, chooseStart > All Programs > Cisco > AnyConnect VPN Client.

Note: See Appendix E for Optional AnyConnect Client Profile Configuration.

Start remote access

Choose the group and host to which you want to connect.

Since certificates are used, choose Connect in order to to establish the VPN. See Figure 36.

Figure 36: Connecting

Storing crls

To establish a specific location for the automatically generated CRL of the local CA, perform the following site-to-site task in either single or multiiple context mode:

Supported ca servers

The ASA supports the following CA servers:

Cisco IOS CS, ASA Local CA, and third-party X.509 compliant CA vendors including, but not limited to:

The local ca

The local CA performs the following tasks:

Troubleshooting aaa and ldap

• debug ldap 255—Displays LDAP exchanges

• debug aaa common 10—Displays AAA exchanges

Troubleshooting certificate authority / ocsp

• debug crypto ca 3

• In the config mode—logging class ca console(or buffer) debugging

These examples show a successful certificate validation with the OCSP responder and a failed certificate group matching policy.

Figure C3 shows the debug output that has a validated certificate and a working certificate group matching Policy.

Figure C4 shows the debug output of a mis-configured certificate group matching policy.

Troubleshooting dap

• debug dap errors—Displays DAP errors

• debug dap trace—Displays DAP function trace

Tunnel group interface and image settings

Note: If you do not want to create a new group, you can use the default built-in group.

Настройка c помощью asdm

​
Запускаем Cisco ASDM, откроется основной экран
​

​
Здесь выбираем «Wizard»—«SSL VPN Wizard».
​
В открывшемся окне выбираем пункт «Cisco SSL VPN Client (AnyConnect VPN Client)» и нажимаем «Next»:
​

Здесь вводим имя нашего профайла, проверяем, что стоит имя нашего внешнего интерфейса (в данном случае Inet). Если на cisco настроено несколько vpn подключений, то также указываем имя алиаса. Запоминаем доступы к SSL VPN Service и ASDM.Затем нажимаем «Next»:

Ставим аутентификацию с использованием локальной базы и создаем нового пользователя (задаем имя и пароль, нажимаем «Add»). Затем нажимаем «Next»:
​

Здесь указываем имя отдельной групповой политики для SSL клиентов и нажимаем «Next»:

Здесь сначала создаем пул ip адресов, из которого будут выдаваться ip адреса для SSL VPN клиентов.Задаем название pool-а, начальный и конечный адреса и маску подсети. Нажимаем «OK».

​
На этой же странице загружаем образ клиента Cisco AnyConnect под Windows.
Для того чтобы его загрузить во flash cisco ASA, необходимо нажать в соответствующем пункте «Browse», в следующем появившемся окошке «Upload»,
затем в следующем окошке «Browse local files» и указать нужный файл из списка. Далее нажимаем по порядку «Select»—«Upload File»—«OK»
(после нажатий будут всплывать информационные окошки об успешном выполнении). В итоге, получиться вот такое окно:
​

Нажимаем «Next»:

​
Это окно напоминает, что адреса, которые используются в пуле не должны попадать под политики NAT, если он настроен на cisco.
Нажимаем «OK». Здесь показаны все наши настройки, которые будут сконфигурированы. Нажимаем «Finish».
​
Более точные настройки (не через Wizard) можно посмотреть в разделе Configuration – Remote Access VPN
​

​
Нам необходимо добавить образы клиента под Mac и Linux, для этого заходим в раздел Network (Client) Access – AnyConnect Client Settings,
Здесь мы увидим уже загруженный образ клиента под Windows, нажимаем кнопку с зеленым плюсиком Add, и по аналогии как в Wizard добавляем образы под Linux и Mac.
После чего нажимаем кнопку “Aplly” внизу страницы.

По умолчанию весь трафик клиента попадает в туннель, так как эта настройка наследуется из политики по умолчанию.Для того чтобы указать какой трафик должен попадать в туннель, необходимо создать ACL, который будет его описывать и изменить политику туннелирования.

Сначала создадим access-list, под который будет попадать трафик 192.168.2.0/24.Для этого заходим в раздел Configuration – Firewall – Advanced – Standart ACL, нажимаем кнопку с зеленым плюсиком Add, в выпадающем списке выбираем Add ACL.В появившемся окне вводим номер ACL и нажимаем OK.

​
Теперь нужно добавить содержимое для этого листа, это будет одна строка, встаем на наш аксесс лист 117, нажимаем кнопку с зеленым плюсиком Add, в выпадающем списке выбираем Add ACL.
Появится окно для ввода содержимого, Action оставляем Permit, в строку address вводим 192.168.2.0/24. Нажимаем ОК и Aplly внизу страницы.
Аксесс-лист готов.
​

Теперь настраиваем split tunneling. Для этого нужно зайти в настройки самой групповой политики. Идем Configuration – Remote Access VPN – Network (Client) Access – Group Policies.В открывшемся окне в списке политик находим нашу SSL_VPN_Group. Встаем на нее, нажимаем кнопку Edit.

Откроется окно настроек групповой политики. Слева разворачиваем вкладку Advanced, выбираем Split Tunneling.Напротив записи Policy убираем галку Inherit, и в выпадающем списке выбираем Tunnel Network List Bellow.Напротив записи Network List убираем галку Inherit, и в выпадающем списке выбираем аксесс-лист 117. Нажимаем ОК и Aplly внизу страницы.

Если имеется локальный DNS сервер также нужно прописать его в групповой политике.
Идем туда же в настройки групповой политики. Слева выбираем Servers. Напротив строки DNS servers убираем галку Inherit и вписываем адрес локального DNS сервера. Нажимаем ОК и Aplly внизу страницы.
​

​

Настройка с помощью cli

​Теперь посмотрим какие настройки появились у нас в CLI.​Акксесс-лист для опции Split Tunneling.​

access-list 117 standard permit 192.168.2.0 255.255.255.0

Пул для ip адресов​

Appendix d – verify ldap objects in ms

In Microsoft server 2003 CD, there are additional tools that can be installed in order to view the LDAP structure as well as the LDAP objects/attributes. In order to install these tools, go to the Support directory in the CD and then Tools. Install SUPTOOLS.MSI.

Appendix e

An AnyConnect profile can be created and added to a workstation. The profile can reference various values such as ASA hosts or certificate matching parameters such as distinguished name or issuer. The profile is stored as an .xml file and can be edited with Notepad. The file can be added to each client manually or pushed from the ASA through a group policy. The file is stored in: