
This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.

Cisco VPN - Virtual Private Network

A series of articles that starts with a general description of VPN technology and breaks down each type of VPN. Furthermore, various VPN configurations on Cisco devices are addressed, primarily on Cisco ASA.

VPN 1 - IPsec VPN and Cisco

The opening installment of a series that focuses on VPN technology. Here you will find a brief description of VPNs and their types. Next, IPsec-based VPNs are described in more detail, primarily the Remote Access VPN type. The entire description is general, but the future focus is on deployment on Cisco devices, primarily Cisco ASA. At the end, the parameters supported by the Cisco VPN Client and by the integrated clients on Google Android and on Windows XP/Vista/7 are mentioned.
10.04.2011 | Samuraj - Petr Bouška | networks

VPN 2 - Introduction to Cisco ASA and VPN Options

After the first theoretical part, we'll take a look, really only lightly, at the Cisco ASA security appliance, which we'll use to configure various VPNs in later parts. We will also mention a few important points that we will use next time when configuring IPsec Remote Access VPNs. For the Cisco ASA, we will only look at the features that relate to VPN. ASA here currently means the ASA 5500 series (I'm working with the ASA 5510), but VPNs can also be run on most routers.

VPN 3 - Configuring IPsec Remote Access VPN on Cisco ASA

We have completed a theoretical description of the whole IPsec Remote Access VPN issue as well as a basic introduction (let's say initial configuration) of Cisco ASA. Today we will focus on the practical configuration of the aforementioned extended type of VPN for user access to the corporate environment. In the first part of the article, we will describe the individual building blocks that we will configure on the Cisco ASA and their interrelationships. The second part then points to the individual items in ASDM that we need to configure.

VPN 4 - Configuring Cisco Clientless SSL VPN on Cisco ASA

SSL VPNs are now considered a modern type of VPN connection. They have a number of advantages, especially over the traditional IPsec protocol. With Cisco, however, we need to find out licensing information first, as AnyConnect licenses are quite expensive. Clientless SSL VPN is a special type of VPN where we don't need a client (a web browser will do). It doesn't have quite the same capabilities as a standard VPN, but it can be suitable for many situations. The basic functionality provides secure access to our internal web and file servers. We'll take a look at that today. There are also various plugins that can be used, for example, to allow access via SSH or RDP. And more advanced features are coming, such as Smart Tunnel.

VPN 5 - Clientless SSL VPN and advanced features

Last time we covered the basic features of Clientless SSL VPN on Cisco ASA. This allows us to access some corporate resources from the Internet from a computer where we don't need administrator rights and just need a web browser and Java or ActiveX. Now we'll look at the advanced features that add more access (Port Forwarding and Smart Tunnels) and security (Cisco Secure Desktop). The description of each feature is brief and does not cover all options.

VPN 6 - Configure SSL Remote Access VPN on Cisco ASA

Cisco no longer supports traditional IPsec VPN for remote user (and VPN Client) connections. Instead, it uses the new AnyConnect client and (modern) SSL VPN or IPsec IKEv2. In this article, we will look at the principle of SSL VPN as presented by Cisco and show how to configure it using ASDM.

VPN 7 - SSL VPN and Host Scan

This article is a follow-up to the last article, where we created SSL VPNs. Now we'll look at ways to increase the security of the connection, or rather to determine under what conditions a user can connect. A user who is allowed to log in to the VPN is connected after correct authentication. We will describe the options for checking various parameters of the connecting device and allowing, restricting or completely denying the connection accordingly. We will use the Host Scan component of Cisco Secure Desktop and Dynamic Access Policies.

VPN 8 - Two-factor authentication with certificate

Cisco ASA offers a number of possible ways to authenticate a client connecting to a VPN. The most common is to authenticate the user with a name and password against various sources (locally, LDAP, RADIUS). We can also use two-factor authentication (Double Authentication), where the user is authenticated against two different sources. We can also do certificate authentication and combine it into multi-factor authentication. In this article, we will first look at a bit of theory and in the second half we will look at authentication with a certificate as well as a name and password.