Está en la página 1de 8

Cisco SSL VPN with Load Balancing

Overview In this configuration, we will use two Cisco ASAs to provide SSL VPN access and support high availability with VPN Load Balancing. SSL users will be configured for Split Tunneling. This will encapsulate corporate traffic and leave noncorporate traffic to traverse the Internet normally. Cisco Secure ACS will house all accounts and provide authentication through RADIUS and TACACS+. SSL users will be authenticated via RADIUS. ASA device administration will be controlled through TACACS+

Public

Private

216.1.1.2 https://216.1.1.1
VPN LB IP 216.1.1.1

192.168.10.2

ASA1
Corp LAN

Internet

3845 AC

SSL VPN User

216.1.1.3

ASA2

192.168.10.3

192.168.10.100

AnyConnect VPN AnyConnect provides remote users with secure VPN connections to the ASA using Secure Socket Layer (SSL) protocol and the Datagram TLS (DTLS) protocol. SSL Authentication to AnyConnect is done via a Web Browser which can automatically download the VPN client. The AnyConnect client can be installed on Windows, Linux (Multiple Distros) and MAC OS X. ASA VPN Load Balancing Up to 10 ASAs can be configured to support load balancing and redundancy for VPN sessions. This is implemented by grouping two or more ASAs with the same private and public subnets into a virtual cluster. All ASAs in the virtual cluster carry session loads. Load balancing directs session traffic to the least loaded device in the cluster, thus distributing the load among all devices. It makes efficient use of system resources and provides increased performance and high availability. If a machine in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster IP address. The virtual cluster master then directs these connections to another active device in the cluster. Should the virtual cluster master itself fail, another device in the cluster immediately and automatically takes over as the new virtual session master. Even if several devices in the cluster fail, users can continue to connect to the cluster as long as any one device in the cluster is up and available.

Prepare ASA Flash Files


Download the latest ASA 8.X image, ASDM image, and AnyConnect Client Files. Upload these to the flash on both ASAs. ASA01# sh flash --#-- --length-- -----date/time------ path 117 15610084 Jun 20 2012 10:10:38 asdm-643.bin 118 24938496 Jun 20 2012 10:14:06 asa841-k8.bin 122 5387450 Jun 20 2012 10:16:48 anyconnect-dart-win-2.5.3041-k9.pkg 123 6285465 Jun 20 2012 10:17:26 anyconnect-macosx-i386-2.5.3041-k9.pkg
Morgan Stepp CCIE #12603 | morganstepp@yahoo

Page 1 of 8

Configure ASA AnyConnect SSL VPN


interface GigabitEthernet0/0 description SSL VPN Public Interface nameif Outside security-level 0 ip address 216.1.1.2 255.255.255.0 ! interface GigabitEthernet0/1 description LAN Private Interface nameif Inside security-level 100 ip address 192.168.10.2 255.255.255.0 ! access-list SSL-ACL1 line 1 remark Corporate LAN Subnet access-list SSL-ACL1 line 2 standard permit 192.168.10.0 255.255.255.0 ! This ACL is used to specify which subnets are encrypted (tunneled). All other traffic will traverse the SSL users local Internet connection. ! ip local pool SSL-POOL1 10.10.50.0-10.10.50.254 mask 255.255.255.0 ! Address Pool assigned to SSL VPN users. All Corporate LAN routers will need a route for this subnet pointing to the ASA. ! access-list NO-NAT permit ip 10.10.50.0 192.168.10.0 access-list NO-NAT permit ip 192.168.10.0 10.10.50.0 ! nat (Inside) 0 access-list NO-NAT ! Do not NAT SSL VPN clients at 10.10.50.0 to internal network 192.168.10.0 ! webvpn enable Outside ! Enable WebVPN on the Outside interface anyconnect-essentials ! Enable AnyConnect anyconnect image disk0:/anyconnect-dart-win-2.5.3041-k9.pkg 1 anyconnect image disk0:/anyconnect-macosx-i386-2.5.3041-k9.pkg 2 ! Provide SSL VPN Client images for Windows and MAC. Latest clients can be downloaded from Cisco. anyconnect enable ! Enable AnyConnect Client tunnel-group-list enable ! Enable the display of the tunnel-group list on the WebVPN Login page. This allows users to select and login to their desired Group. ! ! group-policy SSL-POLICY1 internal ! Create an internal group policy "SSL-POLICY1" group-policy SSL-POLICY1 attributes vpn-tunnel-protocol ssl-client ! Specify SSL as a permitted VPN tunneling protocol split-tunnel-policy tunnelspecified split-tunnel-network-list value SSL-ACL1 ! Encrypt (tunnel) the traffic specified in the split tunnel ACL only webvpn anyconnect keep-installer installed
Morgan Stepp CCIE #12603 | morganstepp@yahoo

Page 2 of 8

! Stop the SSL VPN Client from attempting to install every time users connect anyconnect ssl rekey time 30 ! Specify the number of minutes until the rekey takes place anyconnect ssl rekey method ssl anyconnect ask none default anyconnect homepage value http://www.cisco.com ! Launch Web Page for SSL Users. Can be internal Intranet or Public. In this example, we will auto launch Ciscos homepage post SSL Authentication. ! ! tunnel-group SSL-TUNNEL1 type remote-access tunnel-group SSL-TUNNEL1 general-attributes address-pool SSL-POOL1 ! Associate the VPN Client address pool authentication-server-group RADIUS LOCAL ! Authenticate users to a Radius servers such as Cisco ACS. You can also do local authentication. default-group-policy SSL-POLICY1 ! Associate the group policy "SSL-POLICY1" tunnel-group SSL-TUNNEL1 webvpn-attributes group-alias SSL-GROUP1 enable ! Configure the group alias as "SSL-GROUP1". This will display on the SSL VPN WebPage

Configure ASA VPN Load Balancing


crypto ikev1 enable Inside crypto ikev1 enable Outside ! Enable IKEv1 on the VPN Load Balancing Interfaces ! crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 ! ! Enable VPN Load Balancing vpn load-balancing priority 10 interface lbpublic Outside interface lbprivate Inside cluster key cisco cluster ip address 216.1.1.1 cluster encryption participate

Configure ACS for RADIUS and TACACS+


Configure ACS to support RADIUS and TACACS+ for the ASA. RADIUS will be used for SSL VPN User Authentication. TACACS+ will be used for device authentication and administration. Enter the device Hostname and IP Address along with the shared secret for RADIUS and TACACS+ Authentication. Create End Users and assign a password.

Morgan Stepp CCIE #12603 | morganstepp@yahoo

Page 3 of 8

Configure ASA for RADIUS and TACACS+


no aaa authentication ssh console LOCAL no aaa authentication http console LOCAL no aaa authentication enable console LOCAL ! Remove local Authentication Method Lists aaa authentication ssh console TACACS+ LOCAL aaa authentication http console TACACS+ LOCAL aaa authentication enable console TACACS+ LOCAL ! Configure Device Authentication to use TACACS+. If TACACS+ is unavailable, use LOCAL username database ! aaa-server TACACS+ (Inside) host 192.168.10.100
Morgan Stepp CCIE #12603 | morganstepp@yahoo

Page 4 of 8

key cisco ! Configure TACACS+ Host and Shared Secret ! aaa-server RADIUS protocol radius aaa-server RADIUS (Inside) host 192.168.10.100 key cisco ! Configure RADIUS Host and Shared Secret ! tunnel-group SSL-TUNNEL1 general-attributes authentication-server-group RADIUS LOCAL ! Authenticate users to a Radius servers such as Cisco ACS. You can also do local authentication. Note: Before logging out of this device, verify your Authentication is working. ASA01# test aaa-server authentication TACACS+ host 192.168.10.100 username morgan.stepp password cisco INFO: Attempting Authentication test to IP address <192.168.10.100> (timeout: 12 seconds) INFO: Authentication Successful

Establish AnyConnect SSL VPN


Enter the IP address of the ASA's WebVPN interface in your web browser. This always requires HTTPS. You can also have the client reserve a public DNS entry for this IP, example - vpn.cisco.com resolves to 216.1.1.1. After successful login, the AnyConnect Client you specified automatically installs on the users system. The Tunnel-Group Alias SSLGROUP1 is displayed below.

The SSL VPN verifies connection establishment

Morgan Stepp CCIE #12603 | morganstepp@yahoo

Page 5 of 8

The SSL VPN Home Page launches Post VPN connection

The AnyConnect Client automatically minimizes in the System Tray

Verify Configuration
View AnyConnect Sessions

ASA01# show vpn-sessiondb anyconnect Session Type: AnyConnect Username : morgan.stepp Index : 16 Assigned IP : 10.50.0.5 Public IP : 1.1.1.1 Protocol : Clientless SSL-Tunnel DTLS-Tunnel License : AnyConnect Essentials Encryption : RC4 AES128 Hashing : SHA1 Bytes Tx : 541923 Bytes Rx : 341600 Group Policy : SSL-POLICY1 Tunnel Group : SSL-TUNNEL1 Login Time : 10:07:41 EDT Wed Jun 22 2011
Morgan Stepp CCIE #12603 | morganstepp@yahoo

Page 6 of 8

Duration : 1h:43m:31s Inactivity : 0h:00m:00s NAC Result : Unknown VLAN Mapping : N/A

VLAN

: none

View RADIUS Authenticated SSL VPN Sessions

Verify Load Balancing Configuration


ASA01# show vpn load-balancing -------------------------------------------------------------------------Status Role Failover Encryption Cluster IP Peers -------------------------------------------------------------------------Enabled Master n/a Enabled 216.1.1.1 1 Peers: -------------------------------------------------------------------------Public IP Role Pri Model Load-Balancing Version -------------------------------------------------------------------------216.1.1.2* Master 10 ASA-5540 3 216.1.1.3 Backup 9 ASA-5540 3 Total License Load: -------------------------------------------------------------------------Public IP AnyConnect Premium/Essentials Other VPN ------------------------------- --------------------Limit Used Load Limit Used Load -------------------------------------------------------------------------216.1.1.2* 2500 1 0% 5000 0 0% 216.1.1.3 2500 0 0% 5000 0 0%

Verify Load Balancing Password


ASA01#sh run vpn load vpn load-balancing
Morgan Stepp CCIE #12603 | morganstepp@yahoo

Page 7 of 8

priority 10 interface lbpublic Outside interface lbprivate Inside cluster key ***** ! Password Encrypted cluster ip address 216.1.1.1 cluster encryption participate

ASA01# more system:running-config | b vpn load vpn load-balancing priority 10 interface lbpublic Outside interface lbprivate Inside cluster key cisco ! Password Un-encrypted cluster ip address 216.1.1.1 cluster encryption participate

Morgan Stepp CCIE #12603 | morganstepp@yahoo

Page 8 of 8