We will be working on the following topology.
First of all we gather the requirements for our Clientless VPN; the requirements portion is inspired by the Keith CBT video.
Type of VPN:- Clientless VPN
Random machines on the Internet
They all support global PKI (SSL)
Not managed by company
Banner message: No
Custom Bookmark: Yes
WebType ACL: No
Allow portal URL browsing: yes
Use LOCAL AAA
Custom URL:- https://22.214.171.124/finance
Connections supported:- SSL ClientLess only
Connection profile linked to finance group:
New user in new Finance group -“finance-user”
Require use of specific connection profile
Goal:- Our goal is to use the Clientless VPN from an outside Windows XP box (126.96.36.199) to connect to the inside web server (188.8.131.52) and the Backtrack machine (184.108.40.206). We will configure this setup using ASDM.
We will first do it with the built-in wizards of ASDM. Click on Wizards>VPN Wizards>Clientless SSL VPN Wizard. The screen will look like this.
The screen gives us an overview of SSL Clientless VPN. Click on Next.
In the next screen it asks for the Connection Profile name and other parameters; configure them as follows (these were also listed at the start). Check the box “Display Group Alias List at the login page” and click on Next.
On this screen we can use our AD or ACS database as the AAA method; for now we will use the Local database of the ASA. Fill in the user details and password and then click on Add. The screen will look like the one below; then click on Next.
On the next page we define our Group Policy for finance users. Create a name for the group like “finance-group” and then click on Next.
This page asks for a Bookmark. Click on Manage to create a new bookmark, or use an existing one from the dropdown.
In the small screen we can configure our bookmark: click on Add and specify the bookmark list name, then on the right side click on the Add button. A new screen pops up where we configure the parameters of the web server as follows.
Then click on OK on every screen and click on Next. Click on the Finish button. In the next screen we can preview the CLI commands to be sent to the ASA.
Click on the Send button.
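For reference, this is the ASA CLI equivalent of the requirements gathered at the start, written as an added example rather than copied from the wizard's preview on the original post. It assumes ASA 8.x syntax; the bookmark list name "finance-bookmarks" is hypothetical (ASDM stores the list it creates as an XML file in flash and references it by name), and the password is a placeholder.

```text
! Added example: ASA CLI equivalent of the wizard's requirements above.
! Assumptions: ASA 8.x syntax; the bookmark list name "finance-bookmarks" is
! hypothetical (ASDM creates and stores the list in flash); the password is
! a placeholder, not a real value.

! Enable the clientless SSL VPN portal on the outside interface and show the
! connection-profile (group alias) drop-down on the login page.
webvpn
 enable outside
 tunnel-group-list enable

! Group policy for finance users: clientless SSL only, with the bookmark list.
group-policy finance-group internal
group-policy finance-group attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value finance-bookmarks

! Local (LOCAL AAA) user, tied to the group policy and locked to the
! "finance" connection profile ("Require use of specific connection profile").
username finance-user password <PASSWORD-PLACEHOLDER>
username finance-user attributes
 vpn-group-policy finance-group
 group-lock value finance
 service-type remote-access

! Connection profile (tunnel group) "finance" with its alias and custom URL.
tunnel-group finance type remote-access
tunnel-group finance general-attributes
 default-group-policy finance-group
tunnel-group finance webvpn-attributes
 group-alias finance enable
 group-url https://22.214.171.124/finance enable
```

After sending the configuration, `show running-config webvpn` and `show running-config tunnel-group finance` confirm what ASDM pushed, and once a user has logged in through the portal `show vpn-sessiondb webvpn` lists the active clientless session with the group policy and connection profile it landed in, which is the quickest way to verify that `group-lock` actually kept the finance user inside the finance profile.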
Test the scenario. Now log in to the Windows XP machine residing outside the ASA's outside interface. Open Internet Explorer and type either https://220.127.116.11/ to see the dropdown menu or “https://18.104.22.168/finance”, and accept the security warning. The warning appears because the ASA is presenting its default self-signed certificate; in production, install an identity certificate from a CA the clients trust so users are not taught to click through it.
We will see the drop-down menu; select “finance” and enter the username and password mentioned earlier.
After login you will see the bookmarks mentioned earlier in the post.
Now click on the web server link shown as a bookmark. It redirects to the inside web server, built on Windows Server 2003.
We have successfully installed and tested the Clientless VPN. Clicking on the Home button redirects us to the portal home page.