Cisco CCNP Security 300-730 SVPN – Remote Access VPN Part 5

January 26, 2023

6. Clientless SSL VPN Deep Dive

My topology, and as you can see right here, my topology, everything is working. I’m able to ping all the interfaces, the IP address on all the interfaces, as you can see right here. So let’s go ahead and start with this configuration. So I have my ASDM over here and I configured it to be connected to the management interface on the ASA, so we are going to fire up this ASDM over here that I have open; it is this one right here. So let’s go ahead and connect to the ASDM and we are going to connect to the IP address. That should bring up the ASDM. There you go, say yes, always trust this publisher, allow it. And now we need to log in with that username and password that I configured. Here we go, that shouldn’t take long. There we go. So we are inside the ASDM now, so let’s go ahead, and the only thing we are going to be configuring is: we are going to go into Configuration from the ASDM and then we are going to go into Remote Access VPN, and from over here we are going to configure the clientless SSL VPN. You could do it from the wizard, which is a lot easier, right here: Clientless SSL VPN, it takes you step by step, but we’re not going to be doing that. We are going to do it manually.

Okay? So the first thing that we need to do is we need to go ahead and configure a group policy. And this group policy we are going to call remote group policy one, and the banner we are not going to inherit. Because if we inherit this, it is going to use the default group policy that is enabled by default, that the ASDM comes with by default. But we don’t want to inherit. We say welcome to remote group one, and then if you go to options, you have options over here so you are able to pick the tunneling protocol that you want. We are not going to inherit, because if we inherit, like I said, it’s going to take it from the default group policy, and all we need to do is we want to check the clientless SSL VPN. We’re not going to do any SSL VPN client. We’re not going to do IPsec with IKEv1 or IPsec IKEv2. So all we’re going to be doing is clientless SSL VPN. So that’s all I want: all the users that are going to be connected to this group policy only have access to the clientless SSL VPN. You can do other stuff like web ACLs, you can do the access hours, simultaneous logins, you can restrict access to VLANs and a lot of other stuff, but we’re not going to do any of that. Let’s go ahead and go to the portal. Actually, let’s not do that. We are going to manually do that, and then we are going to add more options. And these other options we are not going to go over right now.

So let’s go ahead and click OK and Apply, so you can save it after you do that. The next step is to create the connection profile, and as you can see there are two connection profiles that come by default. The DefaultRAGroup is for the Cisco AnyConnect VPN and the DefaultWEBVPNGroup is for the SSL clientless VPN connection. So we are going to create a new one and we are going to call this remote profile one. The alias we are going to leave like that for now. DNS servers, you can just do 8.8.8.8 for now. And the group policy: right now what we need to do is we need to go ahead and attach the group policy that we just created, which is remote group policy one. Okay, and you want to enable the SSL VPN protocol on it, and we are going to be using an AAA server group. It’s going to be the local one. We’re not going to do a certificate or any of that. We are going to use the local. Now if we go ahead, domain name is an invalid DNS name. Let’s just do ccdt.com. There we go. It’s going to get rid of that error. For General, we’re not going to touch that, authentication.

We’re not going to touch any of that. What we want to configure is the clientless SSL VPN, and from here we are going to create a group URL. So for this right here, what is going to happen is, since we are going to connect to https 21 (it doesn’t like my keyboard), 21, let’s just call it group one, and this one is going to add, it is basically just adding a group URL. So whenever, if you are connecting to group one, you just want to go to 21 slash group one and that’s going to take you to that 21, right? And if you have a group two, which we’re going to configure later, you can go ahead and do another URL for that group and just give them that URL for that group, which we are going to do later. There we go. It is enabled. Oh, that is good. And we are going to customize the login and the logo. So it’s going to do that, and Apply it so we can save it. And now since we have this selected, we need to enable it on the outside network, which is 21. Go ahead and apply it. Okay, so now let’s go ahead and go into Advanced, it’s not Advanced, we want to go into the Portal, and over here we want to create some bookmarks. So let’s go ahead and create bookmark one, and the GET/POST method, select that, and what we want to pick right here is going to be a website. It’s just going to be the title of it, and it’s going to take us to this website, and it is 109, 216812. Go ahead and click OK, so we have the bookmarks created. That’s good.

After that we want to go ahead and do some customization. We want to add our own custom portal. So let’s go ahead and add a new one. And it does take a little bit. So let’s just not do that for now. Let’s just go ahead and click Cancel. Let’s go ahead and save our configuration. And now let’s go ahead and go back to the connection profiles. Connection profiles. No, because we did not do the customization. So what we need to do is we need to go into, let’s go into the group policies and let’s go ahead and edit the one that we created. And from over here let’s go ahead and go to the Portal. And we don’t want to inherit, we want to pick the one that we created, bookmarks one; go in and add it, apply it, save it. And now after we do that, what we need to do is we need to create a user that is going to be able to connect to that clientless SSL VPN, and let’s go ahead and go to local users. I already have one that I created from the ASA, but we are going to add a new one, and this one is going to be just called group one. Password Cisco. Confirm password Cisco.

And we don’t want them to have access to ASDM, SSH, Telnet and console. So we are going to say no ASDM, SSH, Telnet or console; we want it to be able to remotely log in to that portal. Click OK and Apply it and save it. So now we should be able to connect from this Firefox browser into this ASA. So let’s go ahead and try that and see if we are able to do that. So we are going to bring up that, we’re going to go into 21. Actually, let’s just put https group one. You’re going to go into Advanced, add an exception, confirm it, and there we go. So now the username that we configured I believe was group one and the password was Cisco. Login failed. Let’s try it again. It was group, Cisco. And there you go. As you can see, here’s my banner that I configured from the group policies, Welcome to group one. Continue. As you can see right here, we have access. Now we are inside the ASA, we are in the SSL VPN Service, and we have this website right here that we can go ahead and click, and it should take us to that WordPress website. As you can see, it already says TurnKey Linux, just another WordPress site. So it is working. And if you want to go ahead and modify your portal, you can go ahead and do that. And the way to do that is that we need to go into Customization.

And since we have this default customization attached to the connection profile, if you go into the connection profile and you go into Advanced, Clientless SSL VPN, we’re using that default customization. So let’s go ahead and cancel. And let’s go ahead and do Customization. Let’s go over here and let’s go into the login page. You can change the title if you want to. Let’s go ahead and put SSL VPN Group One. Okay, on the title panel, you can go ahead and say group one. You can change the font; let’s just change it to pink. The login form, you can edit the title: log in group one. Please enter username and password, as you see, group one. So we can differentiate. And as you can see, you can add more stuff to it. The portal, inside of the portal, we can go ahead and configure that: SSL VPN Group One. We can change the color to pink, and you can change a lot more stuff. As you can see right here, the logout page, the title of the logout, group one, you can add that too. And let’s go ahead and save that. And as you can see, apply it. And now let’s go ahead and go into the browser. As you can see, it took me, it was able to take me into that website over here that I gave it access to. So now let’s go ahead and go back and let’s just go ahead and log out. And as you can see right here, it already says SSL VPN Service Group one because we modified that, and it says please enter your username and password, group one. So that’s good. Let’s go ahead and log in. Was it group one, password Cisco? Just group, Cisco. There we go. And you can see that we changed the title of, whenever. No, that’s it for the banner. We did not configure that. We did not change that, but we changed the color, as you can see right here. And the website is still right here, which is the bookmarks. We did not edit any of that.

And if you click on Log out, you can see right here, log out, group one. So that’s good. So as you can see right now, everything that we configured was configured. And also if you want to customize your own one, you can go ahead and do that as well. Let’s just go ahead and call it group one. The logon page, group one. Let’s just leave everything as default. Group one. Group one. Group one. And what I want to do is I want to change the font to red. Let’s go ahead into the panel and change this to red as well. And go ahead and click OK. And apply it. Now let’s go ahead and go into the browser again. Let’s go and refresh it. And as you can see right here, it was not applied, and why was it not applied? It was not applied because the connection profile is still using the default customization. So we need to change it to group one. So let’s go into connection profiles.

Let’s go into remote profile one and we are going to go into Advanced, Advanced, Clientless. And over here we are going to change it to group one, apply it and save it. Good. Now let’s go ahead and go into the browser, refresh. And now you can see that it is red because we are now using, we are now using the customization that we created for group one. And also if you want to create two different groups and all that, and just have the same user have access to two groups, we can go ahead and do that. So first let’s go ahead and create another group. This one is going to be for the customization group two, the titles. We are going to change everything to group two so we can differentiate: title panel group two. And let’s go ahead and change the color. I want it to be orange. Login form group two, also right here, change it to group two. Okay, let’s see what else we have over here. Group two, let’s go ahead and select that and we are going to select the orange. Anything else? Logout page; it froze a little bit. Let’s just give it a second. There we go. Logout page group two. So that is good. Let’s go ahead and add that. There we go. It doesn’t have any connection profiles for now because we need to go ahead and create a connection profile. So let’s go ahead and, if you want to, apply it; let’s verify that it is there yet. Group two is still there. Connection profiles. Let’s go ahead and create a new connection profile. And this one is, why did I call the other one remote profile one? Let’s go ahead and call this one remote profile two. Good. And let’s go ahead and create and give it an alias, which is going to be group two. And this group two right here, it is going to, this is why we are going to select either group two or group one. We have to modify that, and we also need to configure a group policy for this.

Let’s go ahead and go into Advanced, Clientless, and for this one we are not going to use the default. We are going to use group two. Okay, we are going to add an https one, group two. Good. Let’s go ahead and click OK, apply it. Let’s go ahead, and the bookmarks, we can go ahead and create another bookmark too. Bookmarks two, go ahead and add it. Okay, this is going to be website group two and it’s going to go to one nine two, that one’s eight, that one two, to this website right here. Click OK. So now let’s go ahead and configure that. We need to configure that group policy. Let’s go ahead and create a new group policy and we call that, let’s go ahead and cancel. We called that remote group policy one. Let’s go ahead and name this remote group policy two. Remote group policy two. We’re going to say welcome to group two, and you have more options. We don’t want to inherit. We just want to use the clientless. For the portal we’re not going to inherit. We are going to use bookmark two. More options, we don’t have to do anything in there either. Go ahead and click OK and apply it. And now what we need to do is we need to go into, let’s go ahead and go into the connection profiles, remote profile two, and let’s go ahead and add that group policy to the connection profile. There we go. See if I have anything else. No, it looks good.

The alias is group two. So now we also need to go ahead and create an alias for group one. Group one. And now let’s go ahead and enable those two. And after we enable those two, what we want to do is we want to say allow user to select connection profile on login, and that’s going to be for both of them. So that’s good. Let’s go ahead and leave it like that. Let’s go ahead and apply it. Save it. Let’s go ahead and go into the browser. All right, so we’re going to refresh the browser. Let’s go ahead and do this one right here. And as you can see, now it is a different login page. So you can see it is letting you select the group. Let’s go ahead and go into group one and see what color we get. Group, Cisco, welcome to group one. That’s good. You can see that everything is red. And in group one we can see we have that website in there. So that’s good. So now let’s go ahead and log out, and it tells you you’re logging out of group one. Let’s go ahead and log on again. But now we are going to select group two and let’s see what happens when you select group two. The same username and password. And there we go, it tells you right there, welcome to group two. So we have successfully configured, and look at the bookmark, it says website group two. There you go.

So we have successfully configured two connection profiles. We also did two group policies, and we enabled allowing the user to select that connection profile on the login page. So that’s how you do that. And also if you want to see how different they are, if you want to go to group policy, and we are going to configure group policy remote group policy two. And what we’re going to say is that whenever they are going to use that, more options, I don’t want to choose clientless SSL VPN. I only want it to use SSL VPN client. All right, let’s go and click OK. And that is for group two. Let’s see if it’s going to let me on now. Let’s go ahead and go over here. Refresh. Let’s go log out. Let’s go ahead and go back. Sorry for that. Here we go. And let’s select group two, which one, which is the one that we added? And let’s go ahead and do group, the username and password, Cisco. There we go. So as you can see right here, it does not let you on because AnyConnect is not enabled on the VPN server. So we cannot log into group two, but we are able to log into group one. So let’s go and do group, Cisco. So it lets you on on group one, but it doesn’t let you on group two because if you go into remote group policy two, more options, it only lets you on the SSL VPN client.

So if you go into clientless SSL VPN, select that, apply it, and let’s go ahead and save it. And now let’s go and go into the browser. Let’s go and log out. Log back in. And it should let me now into my portal. Cisco, there you go. So that’s how you’re able to configure the connection profile, the group policies, the bookmarks. You can customize the portal. So we did all that good stuff. We were also able to let the users select either if they want to log in into group one or group two by adding the aliases and by enabling those users, like we said, for the connection profile too, we allow that user to select the connection profile on the login page, either group two or group one. So this is it for this video, guys. I hope you guys enjoyed this video. I hope you guys understood everything I was configuring. And if you guys have any questions, just go ahead and leave the questions on this video below.
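For reference, here is the ASA CLI equivalent of what the video builds through ASDM, added as an example that is not from the video or from Cisco's documentation. It assumes object names without spaces (RemoteGroupPolicy1, RemoteProfile1 and so on), a placeholder ASA-OUTSIDE-IP for the outside address, and that the bookmark lists BOOKMARKS1/BOOKMARKS2 and the portal customizations group1/group2 were already created in ASDM and are only referenced here by name.

```text
! Added example (not from the video): ASA CLI equivalent of the ASDM steps above.
! Assumed names: RemoteGroupPolicy1/2, RemoteProfile1/2, BOOKMARKS1/2, ASA-OUTSIDE-IP.
webvpn
 enable outside
! "Allow user to select connection profile on login" = the alias drop-down
 tunnel-group-list enable
!
group-policy RemoteGroupPolicy1 internal
group-policy RemoteGroupPolicy1 attributes
 banner value Welcome to group one
! Not inherited: clientless only, so no AnyConnect, IKEv1 or IKEv2 for these users
 vpn-tunnel-protocol ssl-clientless
 dns-server value 8.8.8.8
 default-domain value ccdt.com
 webvpn
  url-list value BOOKMARKS1
!
group-policy RemoteGroupPolicy2 internal
group-policy RemoteGroupPolicy2 attributes
 banner value Welcome to group two
! If this allowed only ssl-client, the portal login would fail, as shown in the video
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value BOOKMARKS2
!
tunnel-group RemoteProfile1 type remote-access
tunnel-group RemoteProfile1 general-attributes
 authentication-server-group LOCAL
 default-group-policy RemoteGroupPolicy1
tunnel-group RemoteProfile1 webvpn-attributes
! The customization must be attached here; creating it alone leaves the default in use
 customization group1
 group-alias group1 enable
 group-url https://ASA-OUTSIDE-IP/group1 enable
!
tunnel-group RemoteProfile2 type remote-access
tunnel-group RemoteProfile2 general-attributes
 authentication-server-group LOCAL
 default-group-policy RemoteGroupPolicy2
tunnel-group RemoteProfile2 webvpn-attributes
 customization group2
 group-alias group2 enable
 group-url https://ASA-OUTSIDE-IP/group2 enable
!
! Portal-only account, the "No ASDM, SSH, Telnet or Console" option in ASDM
! (lab password taken from the video)
username group1 password Cisco
username group1 attributes
 service-type remote-access
```

The `service-type remote-access` line is the one that keeps a VPN-only user off the management planes, and `vpn-tunnel-protocol` is what produced the "AnyConnect is not enabled" refusal in the video when the group policy no longer listed `ssl-clientless`.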
