ASDM Book 3: Cisco ASA Series VPN ASDM Configuration


ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide, 7.16

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this emarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

2021 Cisco Systems, Inc. All rights reserved.

CONTENTS

PREFACE  About This Guide
    Document Objectives
    Related Documentation
    Document Conventions
    Communications, Services, and Additional Information

PART I  Site-to-Site and Client VPN

CHAPTER 1  VPN Wizards
    VPN Overview
    IPsec Site-to-Site VPN Wizard
    AnyConnect VPN Wizard
    Clientless SSL VPN Wizard
    IPsec IKEv1 Remote Access Wizard
    IPsec IKEv2 Remote Access Wizard

CHAPTER 2  IKE
    Configure IKE
        Enable IKE
        IKE Parameters for Site-to-Site VPN
            About IKEv2 Multi-Peer Crypto Map
            Guidelines for IKEv2 Multi-Peer
        IKE Policies
            Add or Edit an IKEv1 Policy
            Add or Edit an IKEv2 Policy
    Configure IPsec
        Crypto Maps
            Create or Edit an IPsec Rule Tunnel Policy (Crypto Map) - Basic Tab
            Create or Edit IPsec Rule Tunnel Policy (Crypto Map) - Advanced Tab
            Create or Edit IPsec Rule Traffic Selection Tab
        IPsec Pre-Fragmentation Policies
        Configure IKEv2 Fragmentation Options
        IPsec Proposals (Transform Sets)

CHAPTER 3  High Availability Options
    High Availability Options
        VPN and Clustering on the FXOS Chassis
        VPN Load Balancing
        Failover
    VPN Load Balancing
        About VPN Load Balancing
            VPN Load-Balancing Algorithm
            VPN Load-Balancing Group Configurations
            Frequently Asked Questions About VPN Load Balancing
        Licensing for VPN Load Balancing
        Prerequisites for VPN Load Balancing
        Guidelines and Limitations for VPN Load Balancing
        Configuring VPN Load Balancing
            Configure VPN Load Balancing with the High Availability and Scalability Wizard
            Configure VPN Load Balancing (Without the Wizard)

CHAPTER 4  General VPN Setup
    System Options
    Configure Maximum VPN Sessions
    Configure DTLS
    Configure DNS Server Groups
    Configure the Pool of Cryptographic Cores
    Client Addressing for SSL VPN Connections
    Group Policies
        External Group Policies
            Password Management with AAA Servers
        Internal Group Policies
            Internal Group Policy, General Attributes
            Configure Internal Group Policy, Server Attributes
            Internal Group Policy, Browser Proxy
            AnyConnect Client Internal Group Policies
                Internal Group Policy, Advanced, AnyConnect Client
                Configure Split-Tunneling for AnyConnect Traffic
                Configure Dynamic Split Tunneling
                Configure Dynamic Split Exclude Tunneling
                Configure Dynamic Split Include Tunneling
                Configure the Management VPN Tunnel
                Configure Linux to Support Excluded Subnets
                Internal Group Policy, AnyConnect Client Attributes
                Internal Group Policy, AnyConnect Login Settings
                Using Client Firewall to Enable Local Device Support for VPN
                Internal Group Policy, AnyConnect Client Key Regeneration
                Internal Group Policy, AnyConnect Client, Dead Peer Detection
                Internal Group Policy, AnyConnect Customization of Clientless Portal
                Configure AnyConnect Client Custom Attributes in an Internal Group Policy
            IPsec (IKEv1) Client Internal Group Policies
                Internal Group Policy, General Attributes for IPsec (IKEv1) Client
                About Access Rules for IPsec (IKEv1) Client in an Internal Group Policy
                Internal Group Policy, Client Firewall for IPsec (IKEv1) Client
                Internal Group Policy, Hardware Client Attributes for IPsec (IKEv1)
            Clientless SSL VPN Internal Group Policies
                Internal Group Policy, Clientless SSL VPN General Attributes
                Internal Group Policy, Clientless SSL VPN Access Portal
                Configure Internal Group Policy, Portal Customization for a Clientless SSL VPN
                Internal Group Policy, Login Settings for a Clientless SSL VPN
                Internal Group Policy, Single Signon and Auto Signon Servers for Clientless SSL VPN Access
            Site-to-Site Internal Group Policies
        Configure VPN Policy Attributes for a Local User
    Connection Profiles
        AnyConnect Connection Profile, Main Pane
            Specify a Device Certificate
            Connection Profiles, Port Settings
            AnyConnect Connection Profile, Basic Attributes
            Connection Profile, Advanced Attributes
            AnyConnect Connection Profile, General Attributes
            Connection Profile, Client Addressing
            Connection Profile, Client Addressing, Add or Edit
            Connection Profile, Address Pools
            Connection Profile, Advanced, Add or Edit IP Pool
            AnyConnect Connection Profile, Authentication Attributes
            Connection Profile, Secondary Authentication Attributes
            AnyConnect Connection Profile, Authorization Attributes
            AnyConnect Connection Profile, Authorization, Add Script Content to Select Username
            Clientless SSL VPN Connection Profile, Assign Authorization Server Group to Interface
            Connection Profiles, Accounting
            Connection Profile, Group Alias and Group URL
        Connection Profiles, Clientless SSL VPN
            Clientless SSL VPN Connection Profile, Basic Attributes
            Clientless SSL VPN Connection Profile, General Attributes
            Clientless SSL VPN Connection Profile, Authentication
            Clientless SSL VPN Connection Profile, Authentication, Add a Server Group
            Clientless SSL VPN Connection Profile, Secondary Authentication
            Clientless SSL VPN Connection Profile, Authorization
            Clientless SSL VPN Connection Profile, NetBIOS Servers
            Clientless SSL VPN Connection Profile, Clientless SSL VPN
        IKEv1 Connection Profiles
            IPsec Remote Access Connection Profile, Basic Tab
            Add/Edit Remote Access Connections, Advanced, General
            IKEv1 Client Addressing
            IKEv1 Connection Profile, Authentication
            IKEv1 Connection Profile, Authorization
            IKEv1 Connection Profile, Accounting
            IKEv1 Connection Profile, IPsec
            IKEv1 Connection Profile, IPsec, IKE Authentication
            IKEv1 Connection Profile, IPsec, Client Software Update
            IKEv1 Connection Profile, PPP
        IKEv2 Connection Profiles
            IPsec IKEv2 Connection Profile, Basic Tab
            IPsec Remote Access Connection Profile, Advanced, IPsec Tab
        Mapping Certificates to IPsec or SSL VPN Connection Profiles
            Certificate to Connection Profile Maps, Policy
            Certificate to Connection Profile Maps Rules
            Certificate to Connection Profile Maps, add Certificate Matching Rule Criterion
            Add/Edit Certificate Matching Rule Criterion
        Site-to-Site Connection Profiles
            Site-to-Site Connection Profile, Add, or Edit
            Site-to-Site Tunnel Groups
            Site-to-Site Connection Profile, Crypto Map Entry
            Managing CA Certificates
            Site-to-Site Connection Profile, Install Certificate
    AnyConnect VPN Client Image
    Configure AnyConnect VPN Client Connections
        Configure AnyConnect Client Profiles
        Exempt AnyConnect Traffic from Network Address Translation
    AnyConnect HostScan
        Prerequisites for HostScan
        Licensing for AnyConnect HostScan
        HostScan Packaging
        Install or Upgrade HostScan
        Uninstall HostScan
        Assign AnyConnect Feature Modules to Group Policies
        HostScan Related Documentation
    AnyConnect Secure Mobility Solution
        Add or Edit MUS Access Control
    AnyConnect Customization and Localization
        AnyConnect Customization and Localization, Resources
        AnyConnect Customization and Localization, Binary and Script
        AnyConnect Customization and Localization, GUI Text and Messages
        AnyConnect Customization and Localization, Customized Installer Transforms
        AnyConnect Customization and Localization, Localized Installer Transforms
    AnyConnect Custom Attributes
    IPsec VPN Client Software
    Zone Labs Integrity Server
    ISE Policy Enforcement
        Configure ISE Change of Authorization

CHAPTER 5  IP Addresses for VPNs
    Configure an IP Address Assignment Policy
        Configure IP Address Assignment Options
        View Address Assignment Methods
    Configure Local IP Address Pools
        Configure Local IPv4 Address Pools
        Configure Local IPv6 Address Pools
        Assign Internal Address Pools to Group Policies
    Configure DHCP Addressing
    Assign IP Addresses to Local Users

CHAPTER 6  Dynamic Access Policies
    About Dynamic Access Policies
        DAP Support of Remote Access Protocols and Posture Assessment Tools
        Remote Access Connection Sequence with DAPs
    Licensing for Dynamic Access Policies
    Configure Dynamic Access Policies
        Add or Edit a Dynamic Access Policy
        Test Dynamic Access Policies
    Configure AAA Attribute Selection Criteria in a DAP
        Retrieve Active Directory Groups
        AAA Attribute Definitions
    Configure Endpoint Attribute Selection Criteria in a DAP
        Add an Anti-Malware Endpoint Attribute to a DAP
        Add an Application Attribute to a DAP
        Add AnyConnect Endpoint Attributes to a DAP
        Add a File Endpoint Attribute to a DAP
        Add a Device Endpoint Attribute to a DAP
        Add a NAC Endpoint Attribute to a DAP
        Add an Operating System Endpoint Attribute to a DAP
        Add a Personal Firewall Endpoint Attribute to a DAP
        Add a Policy Endpoint Attribute to a DAP
        Add a Process Endpoint Attribute to a DAP
        Add a Registry Endpoint Attribute to a DAP
        Add Multiple Certificate Authentication Attributes to DAP
        DAP and Antimalware and Personal Firewall Programs
        Endpoint Attribute Definitions
    Create Additional DAP Selection Criteria in DAP Using LUA
        Syntax for Creating LUA EVAL Expressions
        LUA Procedures for HostScan 4.6 and Later
        LUA Script for 'ANY' Antimalware (endpoint.am) with Last Update
        LUA Script for 'ANY' Personal Firewall
        Additional LUA Functions
        Examples of DAP EVAL Expressions
    Configure DAP Access and Authorization Policy Attributes
    Perform a DAP Trace
    Examples of DAPs
        Use DAP to Define Network Resources
        Use DAP to Apply a WebVPN ACL
        Enforce CSD Checks and Apply Policies via DAP

CHAPTER 7  Email Proxy
    Configure Email Proxy
        Requirements for Email Proxy
        Set AAA Server Groups
        Identify Interfaces for Email Proxy
        Configure Authentication for Email Proxy
        Identify Proxy Servers
        Configure Delimiters

CHAPTER 8  Monitor VPN
    Monitor VPN Connection Graphs
    Monitor VPN Statistics

CHAPTER 9  SSL Settings
    SSL Settings

CHAPTER 10  Easy VPN
    About Easy VPN
    Configure Easy VPN Remote
    Configure Easy VPN Server
    Feature History for Easy VPN

CHAPTER 11  Virtual Tunnel Interface
    About Virtual Tunnel Interfaces
    Guidelines for Virtual Tunnel Interfaces
    Create a VTI Tunnel
        Add an IPsec Proposal (Transform Sets)
        Add an IPsec Profile
        Add a VTI Interface

CHAPTER 12  Configure an External AAA Server for VPN
    About External AAA Servers
        Understanding Policy Enforcement of Authorization Attributes
    Guidelines For Using External AAA Servers
    Configure Multiple Certificate Authentication
    Active Directory/LDAP VPN Remote Access Authorization Examples
        Policy Enforcement of User-Based Attributes
        Place LDAP Users in a Specific Group Policy
        Enforce Static IP Address Assignment for AnyConnect Tunnels
        Enforce Dial-in Allow or Deny Access
        Enforce Logon Hours and Time-of-Day Rules

PART II  Clientless SSL VPN

CHAPTER 13  Clientless SSL VPN Overview
    Introduction to Clientless SSL VPN
    Prerequisites for Clientless SSL VPN
    Guidelines and Limitations for Clientless SSL VPN
    Licensing for Clientless SSL VPN

CHAPTER 14  Basic Clientless SSL VPN Configuration
    Rewrite Each URL
    Configure Clientless SSL VPN Access
    Trusted Certificate Pools
        Enable HTTP Server Verification
        Import a Certificate Bundle
        Export the Trustpool
        Remove Certificates
        Edit the Policy of the Trusted Certificate Pool
        Update the Trustpool
        Remove a Certificate Bundle
        Edit the Policy of the Trusted Certificate Pool
    Java Code Signer
    Configure Browser Access to Plug-ins
        Prerequisites with Plug-Ins
        Restrictions with Plug-Ins
        Prepare the Security Appliance for a Plug-in
        Install Plug-ins Redistributed by Cisco
        Provide Access to a Citrix XenApp Server
        Create and Install the Citrix Plug-in
    Configure Port Forwarding
        Prerequisites for Port Forwarding
        Restrictions for Port Forwarding
        Configure DNS for Port Forwarding
        Add/Edit a Port Forwarding Entry
        Assign a Port Forwarding List
        Enable and Switch off Port Forwarding
    Configure File Access
        CIFS File Access Requirement and Limitation
        Add Support for File Access
    Ensure Clock Accuracy for SharePoint Access
    Virtual Desktop Infrastructure (VDI)
        Limitations to VDI
        Citrix Mobile Support
        Limitations of Citrix
        About Citrix Mobile Receiver User Logon
        Configure the ASA to Proxy a Citrix Server
        Configure a VDI Server or VDI Proxy Server
        Assign a VDI Server to a Group Policy
    Configure Browser Access to Client-Server Plug-ins
        About Installing Browser Plug-ins
        Requirements for Installing Browser Plug-ins
        Set Up RDP Plug-in
        Prepare the Security Appliance for a Plug-in

CHAPTER 15  Advanced Clientless SSL VPN Configuration
    Microsoft Kerberos Constrained Delegation Solution
        How KCD Works
        Authentication Flow with KCD
        Create a Kerberos Server Group for Constrained Delegation
        Configure Kerberos Constrained Delegation (KCD)
        Monitoring Kerberos Constrained Delegation
    Configure the Use of External Proxy Servers
    Use HTTPS for Clientless SSL VPN Sessions
    Configure Application Profile Customization Framework
        Manage APCF Profiles
        Upload APCF Packages
        Manage APCF Packets
        APCF Syntax
    Configure Session Settings
    Encoding
        View or Specify Character Encoding
    Configure Content Caching
    Content Rewrite
        Create Rewrite Rules
        Configuration Example for Content Rewrite Rules
    Use Email over Clientless SSL VPN
        Configure Web email: MS Outlook Web App
    Configure Bookmarks
        Add a Bookmark for a URL with a GET or Post Method
        Add a URL for a Predefined Application Template
        Add a Bookmark for an Auto Sign-On Application
        Import and Export a Bookmark List
        Import and Export GUI Customization Objects (Web Contents)
        Add and Edit POST Parameters
        Customize External Ports

CHAPTER 16  Policy Groups
    Smart Tunnel Access
        About Smart Tunnels
        Prerequisites for Smart Tunnels
        Guidelines for Smart Tunnels
        Configure a Smart Tunnel (Lotus Example)
        Simplify Configuration of Applications to Tunnel
        Add Applications to Be Eligible for Smart Tunnel Access
        About Smart Tunnel Lists
        Create a Smart Tunnel Auto Sign-On Server List
        Add Servers to a Smart Tunnel Auto Sign-On Server List
        Enable and Switch Off Smart Tunnel Access
        Configure Smart Tunnel Log Off
        Configure Smart Tunnel Log Off when Its Parent Process Terminates
        Configure Smart Tunnel Log Off with a Notification Icon
    Clientless SSL VPN Capture Tool
    Configure Portal Access Rules
    Optimize Clientless SSL VPN Performance
        Configure Content Transformation
        Use Proxy Bypass

CHAPTER 17  Clientless SSL VPN Remote Users
    Clientless SSL VPN Remote Users
        Usernames and Passwords
        Communicate Security Tips
        Configure Remote Systems to Use Clientless SSL VPN Features
    Capture Clientless SSL VPN Data
        Create a Capture File
        Use a Browser to Display Capture Data

CHAPTER 18  Clientless SSL VPN Users
    Manage Passwords
    Use Single Sign-On with Clientless SSL VPN
        SSO Using SAML 2.0
        About SSO and SAML 2.0
        Guidelines and Limitations for SAML 2.0
        Configure a SAML 2.0 Identity Provider (IdP)
        Configure ASA as a SAML 2.0 Service Provider (SP)
    Use Auto Sign-On
    Username and Password Requirements
    Communicate Security Tips
    Configure Remote Systems to Use Clientless SSL VPN Features
        About Clientless SSL VPN
        Prerequisites for Clientless SSL VPN
        Use the Clientless SSL VPN Floating Toolbar
        Browse the Web
        Browse the Network (File Management)
        Use the Remote File Explorer
        Use Port Forwarding
        Use email Via Port Forwarding
        Use email Via Web Access
        Use email Via email Proxy
        Use Smart Tunnel

CHAPTER 19  Clientless SSL VPN with Mobile Devices
    Use Clientless SSL VPN with Mobile Devices
    Restrictions of Clientless SSL VPN with Mobile

CHAPTER 20  Customizing Clientless SSL VPN
    Customize the Clientless SSL VPN User Experience
    Customize the Logon Page with the Customization Editor
    Replace the Logon Page With Your Own Fully Customized Page
        Create the Custom Login Screen File
        Import the File and Images
        Configure the Security Appliance to Use the Cus
