Deployment Scenarios of WebVPN
The Cisco WebVPN solution is useful in deployments where remote and home users need limited application support without installing a separate VPN client. The WebVPN solution can be deployed in many ways; however, the sections that follow cover two design scenarios for ease of understanding:
- WebVPN with external authentication
- WebVPN with e-mail proxies
Note
The design scenarios discussed in this section should be used solely to reinforce learning. They should be used for reference purposes only.
WebVPN with External Authentication
SecureMe has recently learned about the WebVPN functionality in Cisco ASA and wants to deploy it for a group of mobile contractors in London who do not have access to Cisco VPN Client. These contractors use a web server for browsing, a terminal server, and a Windows file server to save and retrieve their documents.
Figure 16-24 shows SecureMe's network topology for WebVPN.
Figure 16-24. SecureMe's WebVPN topology in London
The security requirements for SecureMe's London office are as follows:
- Allow access to a web server with an IP address of 192.168.30.150
- Deny access to the internal web server at wwwin.securemeinc.com
- Allow access to a file server with an IP address of 192.168.30.151
- Allow access to a terminal server with an IP address of 192.168.30.160
- Use an SDI server as the external database for user lookup
Example 16-90 shows the relevant configuration of the London ASA.
Example 16-90. Relevant WebVPN Configuration for the London ASA
London# show running-config
: Saved
:
ASA Version 7.0(1)
!
! ip address on the outside interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.0
!
! ip address on the inside interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
hostname London
domain-name securemeinc.com
!
! DNS lookup for hostname
dns domain-lookup inside
dns name-server 192.168.30.200
!
! WebVPN ACL to deny users access to wwwin.securemeinc.com using HTTP
access-list HTTP webtype deny url http://wwwin.securemeinc.com
access-list HTTP webtype permit url any
!
! Default gateway
route outside 0.0.0.0 0.0.0.0 209.165.201.2 1
!
! URL mangling. A link to an internal web server at 192.168.30.150 is displayed
url-list HTTP_Link "Internal" http://192.168.30.150
!
! Port forwarding for Terminal Services using local port 1100
port-forward TerminalServer 1100 192.168.30.160 3389
!
! SDI configuration for user authentication
aaa-server SDI_Server protocol sdi
aaa-server SDI_Server host 192.168.30.10
!
! Configuration of an internal user group called SecureMeWebGrp configured for WebVPN
group-policy SecureMeWebGrp internal
group-policy SecureMeWebGrp attributes
 vpn-tunnel-protocol webvpn
 webvpn
  ! The allowed list of functions
  functions url-entry file-access file-entry file-browsing port-forward filter
  ! WebVPN ACL is applied under the group WebVPN menu
  filter value HTTP
  ! URL mangling list is applied under the group WebVPN menu
  url-list value HTTP_Link
  ! Port forwarding list is applied under the group WebVPN menu
  port-forward value TerminalServer
!
! Configuration of ASDM for appliance management
http server enable
http 0.0.0.0 0.0.0.0 inside
!
! WebVPN global configuration
webvpn
 enable outside
 logo none
 ! WebVPN users will be authenticated against an SDI server
 authentication-server-group SDI_Server
 ! WebVPN user group policy is applied
 default-group-policy SecureMeWebGrp
 ! Configuration of WINS server located at 192.168.30.190
 nbns-server 192.168.30.190 master timeout 2 retry 2
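As an added example (not from the book or from Cisco), the following script reads the lines of Example 16-90 that implement SecureMe's requirements and audits them: it evaluates the webtype ACL first-match, confirms the ACL, port forward and SDI settings are actually applied, and, because the deny entry names only the http:// form of the intranet URL, reports that the https:// form still falls through to "permit url any". The prefix matching of url patterns (with "*" as a wildcard) is an assumption made for the illustration, not a statement of the ASA's exact matching rules.

```python
import fnmatch
import re

# Constructed excerpt of the London running-config (lines taken from Example 16-90).
LONDON_CONFIG = """\
access-list HTTP webtype deny url http://wwwin.securemeinc.com
access-list HTTP webtype permit url any
port-forward TerminalServer 1100 192.168.30.160 3389
group-policy SecureMeWebGrp attributes
 webvpn
  filter value HTTP
  port-forward value TerminalServer
webvpn
 enable outside
 authentication-server-group SDI_Server
"""
ACL_RX = re.compile(r"^access-list (\S+) webtype (permit|deny) url (\S+)$")
PF_RX = re.compile(r"^port-forward (\S+) (\d+) (\S+) (\d+)$")

def parse_webtype_acl(config, name):
    """Return the named webtype ACL as an ordered list of (action, url_pattern)."""
    matches = (ACL_RX.match(line.strip()) for line in config.splitlines())
    return [(m.group(2), m.group(3)) for m in matches if m and m.group(1) == name]

def url_allowed(acl, url):
    """First matching entry decides; a URL that no entry matches is denied.
    Assumption (illustration only): 'any' matches everything, and a url pattern
    matches case-insensitively as a prefix, with '*' allowed as a wildcard."""
    for action, pattern in acl:
        if pattern == "any" or fnmatch.fnmatchcase(url.lower(), pattern.lower() + "*"):
            return action == "permit"
    return False

def audit_london(config):
    """Check each stated requirement against what the config actually says."""
    acl = parse_webtype_acl(config, "HTTP")
    lines = {line.strip() for line in config.splitlines()}
    forwards = {m.group(1): (int(m.group(2)), m.group(3), int(m.group(4)))
                for m in map(PF_RX.match, lines) if m}
    return {
        "intranet_http_denied": not url_allowed(acl, "http://wwwin.securemeinc.com/"),
        # The deny entry names only the http:// URL, so the https:// form falls
        # through to 'permit url any' and this check reports False.
        "intranet_https_denied": not url_allowed(acl, "https://wwwin.securemeinc.com/"),
        "web_server_permitted": url_allowed(acl, "http://192.168.30.150/"),
        "acl_applied_to_group": "filter value HTTP" in lines,
        "rdp_forwarded": forwards.get("TerminalServer") == (1100, "192.168.30.160", 3389),
        "sdi_authentication": "authentication-server-group SDI_Server" in lines,
    }
```

Calling audit_london(LONDON_CONFIG) returns one boolean per requirement; a False value for intranet_https_denied is the review finding to raise before the design goes live.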
WebVPN with E-Mail Proxies
SecureMe is looking to deploy the WebVPN e-mail proxy functionality for its remote users who need to check their corporate e-mail. These users generally use either POP3 or IMAP4, depending on their e-mail client configuration. Figure 16-25 shows SecureMe's network topology for e-mail proxy.
Figure 16-25. SecureMe's E-Mail Proxy WebVPN Topology
The security requirements for SecureMe's Sydney office are as follows:
- Allow POP3 and IMAP4 access to the e-mail server with a hostname of email-server.securemeinc.com. Use port 1000 for secure POP3 and 1010 for secure IMAP4. The users specify the pipe (|) as the username delimiter and the at (@) symbol as the server delimiter.
- Use a RADIUS server as the external user database.
- Use a DNS server to resolve the e-mail server name
Example 16-91 shows the complete configuration of the Sydney ASA.
Example 16-91. Sydney ASA Configuration to Implement E-Mail Proxies
Sydney# show running-config
: Saved
:
ASA Version 7.0(1)
!
! ip address on the outside interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.202.135 255.255.255.224
!
! ip address on the inside interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.80.1 255.255.255.0
!
hostname Sydney
domain-name securemeinc.com
!
! DNS lookup for hostname
dns domain-lookup inside
dns name-server 192.168.80.90
!
! Default gateway
route outside 0.0.0.0 0.0.0.0 209.165.202.136 1
!
! RADIUS configuration for user authentication
aaa-server Radius_Server protocol radius
aaa-server Radius_Server host 192.168.80.100
 key cisco123
!
! Configuration of an internal user group called SecureMeWebGrp configured for WebVPN
group-policy SecureMeWebGrp internal
group-policy SecureMeWebGrp attributes
 vpn-tunnel-protocol webvpn
 webvpn
!
! Configuration of ASDM for appliance management
http server enable
http 0.0.0.0 0.0.0.0 inside
!
! WebVPN global parameters
webvpn
 enable outside
 logo none
 authentication-server-group Radius_Server
 default-group-policy SecureMeWebGrp
!
! IMAP4 configuration
imap4s
 enable outside
 port 1010
 server email-server
 name-separator |
 server-separator @
 default-group-policy SecureMeWebGrp
 authentication-server-group Radius_Server
 authentication aaa
!
! POP3 configuration
pop3s
 enable outside
 port 1000
 server email-server
 name-separator |
 server-separator @
 default-group-policy SecureMeWebGrp
 authentication-server-group Radius_Server
 authentication aaa