ASA 5500 Series

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

Table 1. Cisco ASA 5505 Adaptive Security Appliance Platform Capabilities and Capacities

Firewall Throughput: Up to 150 Mbps
Maximum Firewall and IPS Throughput: Up to 75 Mbps with AIP SSC-5
VPN Throughput: Up to 100 Mbps
Concurrent Sessions: 10,000/25,000*
IPsec VPN Peers: 10; 25*
Premium AnyConnect VPN Peer License Levels**: 2, 10, or 25
Interfaces: 8-port Fast Ethernet switch with dynamic port grouping (including 2 PoE ports)
Virtual Interfaces (VLANs): 3 (no trunking support)/20 (with trunking support)*
High Availability: Not supported; stateless Active/Standby and redundant ISP support*

* Upgrade available with Cisco ASA 5505 Security Plus license

** Separately licensed feature; includes two with the base system

Performance numbers tested and validated with Cisco ASA Software Release 7.2.

Cisco ASA 5510 Adaptive Security Appliance

The Cisco ASA 5510 Adaptive Security Appliance delivers advanced security and networking services for small and medium-sized businesses and enterprise remote/branch offices in an easy-to-deploy, cost-effective appliance. These services can be easily managed and monitored by the integrated Cisco ASDM application, thus reducing the overall deployment and operations costs associated with providing this high level of security. The Cisco ASA 5510 Adaptive Security Appliance provides high-performance firewall and VPN services and five integrated 10/100 Fast Ethernet interfaces. It optionally provides high-performance intrusion prevention and worm mitigation services through the AIP SSM, or comprehensive malware protection services through the CSC SSM. This unique combination of services on a single platform makes the Cisco ASA 5510 an excellent choice for businesses requiring a cost-effective, extensible, DMZ-enabled security solution.

As business needs grow, customers can install a Security Plus license, upgrading two of the Cisco ASA 5510 Adaptive Security Appliance interfaces to Gigabit Ethernet and enabling integration into switched network environments through VLAN support. This upgrade license maximizes business continuity by enabling Active/Active and Active/Standby high-availability services. Using the optional security context capabilities of the Cisco ASA 5510 Adaptive Security Appliance, businesses can deploy up to five virtual firewalls within an appliance to enable compartmentalized control of security policies on a departmental level. This virtualization strengthens security and reduces overall management and support costs while consolidating multiple security devices into a single appliance.

Businesses can extend their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Up to 250 AnyConnect and/or clientless VPN peers can be supported on each Cisco ASA 5510 by installing an Essential or a Premium AnyConnect VPN license; up to 250 IPsec VPN peers are supported on the base platform.

VPN capacity and resiliency can also be increased by taking advantage of the Cisco ASA 5510's integrated VPN clustering and load-balancing capabilities (available with a Security Plus license). The Cisco ASA 5510 supports up to 10 appliances in a cluster, offering a maximum of 2500 AnyConnect and/or clientless VPN peers or 2500 IPsec VPN peers per cluster. For business continuity and event planning, the Cisco ASA 5510 can also benefit from the Cisco VPN FLEX licenses, which enable administrators to react to or plan for short-term bursts of concurrent Premium VPN remote-access users, for up to a 2-month period.

Table 2 lists features of the Cisco ASA 5510.

Table 2. Cisco ASA 5510 Adaptive Security Appliance Platform Capabilities and Capacities

Firewall Throughput: Up to 300 Mbps
Maximum Firewall and IPS Throughput: Up to 150 Mbps with AIP SSM-10; up to 300 Mbps with AIP SSM-20
VPN Throughput: Up to 170 Mbps
Concurrent Sessions: 50,000; 130,000*
IPsec VPN Peers: 250
Premium AnyConnect VPN Peer License Levels**: 2, 10, 25, 50, 100, or 250
Security Contexts: Up to 5***
Interfaces*: 5 Fast Ethernet ports; 2 Gigabit Ethernet + 3 Fast Ethernet*
Virtual Interfaces (VLANs): 50; 100*
Scalability*: VPN clustering and load balancing
High Availability: Not supported; Active/Active****, Active/Standby*

* Upgrade available with Cisco ASA 5510 Security Plus license

** Separately licensed feature; includes two with the base system

*** Separately licensed feature; includes two with the Cisco ASA 5510 Security Plus license

**** Available for the firewall feature set

Performance numbers tested and validated with Cisco ASA Software Release 7.2.

Cisco ASA 5520 Adaptive Security Appliance

The Cisco ASA 5520 Adaptive Security Appliance delivers security services with Active/Active high availability and Gigabit Ethernet connectivity for medium-sized enterprise networks in a modular, high-performance appliance. With four Gigabit Ethernet interfaces and support for up to 100 VLANs, businesses can easily deploy the Cisco ASA 5520 into multiple zones within their network. The Cisco ASA 5520 Adaptive Security Appliance scales with businesses as their network security requirements grow, delivering solid investment protection.

Businesses can extend their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Up to 750 AnyConnect and/or clientless VPN peers can be supported on each Cisco ASA 5520 by installing an Essential or a Premium AnyConnect VPN license; 750 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can be increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520 supports up to 10 appliances in a cluster, offering a maximum of 7500 AnyConnect and/or clientless VPN peers or 7500 IPsec VPN peers per cluster. For business continuity and event planning, the Cisco ASA 5520 can also benefit from the Cisco VPN FLEX licenses, which enable administrators to react to or plan for short-term bursts of concurrent Premium VPN remote-access users, for up to a 2-month period.

The advanced application-layer security and content security defenses provided by the Cisco ASA 5520 can be extended by deploying the high-performance intrusion prevention and worm mitigation capabilities of the AIP SSM, or the comprehensive malware protection of the CSC SSM. Using the optional security context capabilities of the Cisco ASA 5520 Adaptive Security Appliance, businesses can deploy up to 20 virtual firewalls within an appliance to enable compartmentalized control of security policies on a departmental level. This virtualization strengthens security and reduces overall management and support costs while consolidating multiple security devices into a single appliance.

Table 3 lists features of the Cisco ASA 5520.

Table 3. Cisco ASA 5520 Adaptive Security Appliance Platform Capabilities and Capacities

Firewall Throughput: Up to 450 Mbps
Maximum Firewall and IPS Throughput: Up to 225 Mbps with AIP SSM-10; up to 375 Mbps with AIP SSM-20; up to 450 Mbps with AIP SSM-40
VPN Throughput: Up to 225 Mbps
Concurrent Sessions: 280,000
IPsec VPN Peers: 750
Premium AnyConnect VPN Peer License Levels*: 2, 10, 25, 50, 100, 250, 500, or 750
Security Contexts*: Up to 20
Interfaces: 4 Gigabit Ethernet ports and 1 Fast Ethernet port
Virtual Interfaces (VLANs): 150
Scalability: VPN clustering and load balancing
High Availability: Active/Active**, Active/Standby

* Separately licensed feature; includes two with base system

** Available for the firewall feature set

Performance numbers tested and validated with Cisco ASA Software Release 7.2.

Cisco ASA 5540 Adaptive Security Appliance

The Cisco ASA 5540 Adaptive Security Appliance delivers high-performance, high-density security services with Active/Active high availability and Gigabit Ethernet connectivity for medium-sized and large enterprise and service-provider networks, in a reliable, modular appliance. With four Gigabit Ethernet interfaces and support for up to 100 VLANs, businesses can use the Cisco ASA 5540 to segment their network into numerous zones for improved security. The Cisco ASA 5540 Adaptive Security Appliance scales with businesses as their network security requirements grow, delivering exceptional investment protection and services scalability. The advanced network and application-layer security services and content security defenses provided by the Cisco ASA 5540 Adaptive Security Appliance can be extended by deploying the AIP SSM for high-performance intrusion prevention and worm mitigation.

Businesses can scale their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Up to 2500 AnyConnect and/or clientless VPN peers can be supported on each Cisco ASA 5540 by installing an Essential or a Premium AnyConnect VPN license; 5000 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can also be increased by taking advantage of the integrated VPN clustering and load-balancing capabilities of the Cisco ASA 5540. The Cisco ASA 5540 supports up to 10 appliances in a cluster, supporting a maximum of 25,000 AnyConnect and/or clientless VPN peers or 50,000 IPsec VPN peers per cluster. For business continuity and event planning, the ASA 5540 can also benefit from the Cisco VPN FLEX licenses, which enable administrators to react to or plan for short-term bursts of concurrent Premium VPN remote-access users, for up to a 2-month period.

Using the optional security context capabilities of the Cisco ASA 5540 Adaptive Security Appliance, businesses can deploy up to 50 virtual firewalls within an appliance to enable compartmentalized control of security policies on a per-department or per-customer basis, and deliver reduced overall management and support costs.

Table 4 lists features of the Cisco ASA 5540.

Table 4. Cisco ASA 5540 Adaptive Security Appliance Platform Capabilities and Capacities

Firewall Throughput: Up to 650 Mbps
Maximum Firewall and IPS Throughput: Up to 500 Mbps with AIP SSM-20; up to 650 Mbps with AIP SSM-40
VPN Throughput: Up to 325 Mbps
Concurrent Sessions: 400,000
IPsec VPN Peers: 5000
Premium AnyConnect VPN Peer License Levels*: 2, 10, 25, 50, 100, 250, 500, 750, 1000, and 2500
Security Contexts: Up to 50*
Interfaces: 4 Gigabit Ethernet ports and 1 Fast Ethernet port
Virtual Interfaces (VLANs): 200
Scalability: VPN clustering and load balancing
High Availability: Active/Active**, Active/Standby

* Separately licensed feature; includes two with base system

** Available for the firewall feature set

Performance numbers tested and validated with Cisco ASA Software Release 7.2.

ASA SSL VPN

WEB VPN IN ASA

Introduction

Clientless SSL VPN (WebVPN) allows for limited but valuable secure access to the corporate network from any location. Users can achieve secure browser-based access to corporate resources at any time. This document provides a straightforward configuration for the Cisco Adaptive Security Appliance (ASA) 5500 series to allow Clientless SSL VPN access to internal network resources.

The SSL VPN technology can be utilized in three ways: Clientless SSL VPN, Thin-Client SSL VPN (Port Forwarding), and SSL VPN Client (SVC Tunnel Mode). Each has its own advantages and unique access to resources.

  1. Clientless SSL VPN
    A remote client needs only an SSL-enabled web browser to access HTTP- or HTTPS-enabled web servers on the corporate LAN. Access is also available to browse for Windows files with the Common Internet File System (CIFS). A good example of HTTP access is the Outlook Web Access (OWA) client.
  2. Thin-Client SSL VPN (Port Forwarding)
    A remote client must download a small, Java-based applet for secure access to TCP applications that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are made to files on the local machine. This method of SSL VPN does not work with applications that use dynamic port assignments, for example, several FTP applications.
    Refer to Thin-Client SSL VPN (WebVPN) on ASA using ASDM Configuration Example in order to learn more about the Thin-Client SSL VPN.
  3. SSL VPN Client (SVC-Tunnel Mode)
    The SSL VPN Client downloads a small client to the remote workstation and allows full, secure access to the resources on the internal corporate network. The SVC can be downloaded permanently to the remote station, or it can be removed after the secure session ends.
    Refer to SSL VPN Client (SVC) on ASA Using ASDM Configuration Example in order to know more details about the SSL VPN Client.

Clientless SSL VPN can be configured on the Cisco VPN Concentrator 3000 and specific Cisco IOS® routers with Version 12.4(6)T and higher. Clientless SSL VPN access can also be configured on the Cisco ASA at the Command Line Interface (CLI) or with the Adaptive Security Device Manager (ASDM). Using ASDM makes the configuration more straightforward.

Clientless SSL VPN and ASDM must not be enabled on the same ASA interface, because both listen on TCP port 443 by default. The two can coexist on the same interface only if one of them is moved to a different port. It is highly recommended that ASDM is enabled on the inside interface, so that WebVPN can be enabled on the outside interface.
Clientless SSL VPN enables secure access to these resources on the corporate LAN:

  • OWA/Exchange
  • HTTP and HTTPS to internal web servers
  • Windows file access and browsing
  • Citrix Servers with the Citrix thin client

The Cisco ASA adopts the role of a secure proxy for client computers which can then access pre-selected resources on the corporate LAN.
This document demonstrates a simple configuration with ASDM to enable the use of Clientless SSL VPN on the Cisco ASA. No client configuration is necessary if the client already has an SSL-enabled web browser. Most web browsers already have the capability to invoke SSL/TLS sessions. The resultant Cisco ASA command lines are also shown in this document.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • Client-SSL enabled browser, for example, Internet Explorer, Netscape, and Mozilla
  • ASA with Version 7.1 or higher
  • TCP port 443, which must not be blocked along the path from the client to the ASA

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco ASA Software Version 7.2(1)
  • Cisco ASDM 5.2(1)
    Note: Refer to Allowing HTTPS Access for ASDM in order to allow the ASA to be configured by the ASDM.
  • Cisco ASA 5510 series

The information in this document was created from the devices in a specific lab environment. All the devices used in this document began with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

At this stage, you can open https://<inside_IP_address> in a web browser to access the ASDM application. Once ASDM has loaded, begin the configuration for WebVPN.
This section contains the information needed to configure the features described within this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information about the commands used in this section.

Network Diagram

This document uses this network setup: [network diagram image]

Procedure

Configure the WebVPN on the ASA with four major steps:

  • Enable the WebVPN on an ASA interface.
  • Create a list of servers and/or URLs for WebVPN access.
  • Create a group policy for WebVPN users.
  • Apply the new group policy to a Tunnel Group.

  1. In ASDM, choose Configuration > VPN > WebVPN > WebVPN Access. Choose the interface on which WebVPN users terminate, check Enable, and click Apply.
  2. Choose Servers and URLs > Add. Enter a name for the list of servers accessible by WebVPN. Click the Add button; the Add Server or URL dialog box displays. Enter the name of each server (this is the name that the client sees). Choose the URL drop-down menu for each server and choose the appropriate protocol. Add servers to your list from the Add Server or URL dialog box and click OK. Click Apply > Save.
  3. Expand General in the left menu of ASDM. Choose Group Policy > Add.
  4. Choose the Tunnel Group in the left column. Click the Edit button. Click the Group Policy drop-down menu and choose the policy that was created in Step 3. Note that if new Group Policies and Tunnel Groups are not created, the defaults are GroupPolicy1 and DefaultWEBVPNGroup. Click the WebVPN tab. Choose NetBIOS Servers. Click the Add button. Fill in the IP address of the WINS/NBNS server. Click OK > OK. Follow the prompts Apply > Save > Yes to write the configuration.

Configuration

This configuration reflects the changes ASDM made to enable WebVPN:


ciscoasa

ciscoasa#show running-config
Building configuration...

ASA Version 7.2(1)
hostname ciscoasa
domain-name cisco.com
enable password 9jNfZuG3TC5tCVH0 encrypted
names
dns-guard
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.22.1.160 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ1
 security-level 50
 no ip address
interface Management0/0
 description For Mgt only
 shutdown
 nameif Mgt
 security-level 0
 ip address 10.10.10.1 255.255.255.0
 management-only
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name cisco.com
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu Mgt 1500
icmp permit any outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.2.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.22.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
!
!--- group policy configurations
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
username cisco password 53QNetqK.Kqqfshe encrypted
!
!--- asdm configurations
!
http server enable
http 10.2.2.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
!--- tunnel group configurations
!
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GroupPolicy1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 10.2.2.2 master timeout 2 retry 2
!
telnet timeout 5
ssh 172.22.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
!
!--- webvpn configurations
!
webvpn
 enable outside
 url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
 url-list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
 url-list ServerList "FOCUS_SRV_2" http://10.2.2.4 3
!
prompt hostname context
!
end

Clientless SSL VPN (WEBVPN) Macro Substitutions

Clientless SSL VPN macro substitutions let you configure users for access to personalized resources that contain the user ID and password or other input parameters. Examples of such resources include bookmark entries, URL lists, and file shares.
Note: For security reasons, password substitutions are disabled for file-access URLs (cifs://).
Note: Also for security reasons, use caution when you introduce password substitutions for web links, especially for non-SSL instances.
These macro substitutions are supported:


  1. CSCO_WEBVPN_USERNAME - SSL VPN user login ID
  2. CSCO_WEBVPN_PASSWORD - SSL VPN user login password
  3. CSCO_WEBVPN_INTERNAL_PASSWORD - SSL VPN user internal resource password
  4. CSCO_WEBVPN_CONNECTION_PROFILE - SSL VPN user login group drop-down, a group alias within the connection profile
  5. CSCO_WEBVPN_MACRO1 - Set through RADIUS/LDAP vendor-specific attribute
  6. CSCO_WEBVPN_MACRO2 - Set through RADIUS/LDAP vendor-specific attribute

In order to know more about macro substitutions, refer to Clientless SSL VPN Macro Substitutions.
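As an added example (not part of the Cisco document or its tooling), the following Python script audits a running-config like the one shown in the Configuration section against two rules this document states: WebVPN and ASDM must not listen on the same interface and port, and password macro substitutions are disabled for cifs:// bookmarks and need caution in non-SSL web links. The config excerpt is constructed from the document's running-config plus three invented bookmarks that use macros, and bare CSCO_WEBVPN_* tokens inside the URL are the assumed macro syntax.

```python
"""Audit an ASA running-config against two rules from this document:
WebVPN and ASDM must not share an interface (and port), and password macros
are disabled in cifs:// bookmarks and risky in non-SSL web bookmarks.
Added example, not Cisco tooling. The config excerpt is constructed from the
document's running-config plus three bookmark entries that use macros;
bare CSCO_WEBVPN_* tokens inside the URL are the assumed macro syntax."""
import re

SUPPORTED_MACROS = {
    "CSCO_WEBVPN_USERNAME", "CSCO_WEBVPN_PASSWORD",
    "CSCO_WEBVPN_INTERNAL_PASSWORD", "CSCO_WEBVPN_CONNECTION_PROFILE",
    "CSCO_WEBVPN_MACRO1", "CSCO_WEBVPN_MACRO2",
}
PASSWORD_MACROS = {"CSCO_WEBVPN_PASSWORD", "CSCO_WEBVPN_INTERNAL_PASSWORD"}
DEFAULT_PORT = 443  # ASDM (https) and WebVPN both listen on 443 unless changed

# Constructed excerpt (interfaces, ASDM access, webvpn stanza); the SHARE,
# INTRANET and OWA bookmarks are invented to exercise the macro rules.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.22.1.160 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
http server enable
http 10.2.2.0 255.255.255.0 inside
webvpn
 enable outside
 url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
 url-list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
 url-list ServerList "FOCUS_SRV_2" http://10.2.2.4 3
 url-list ServerList "SHARE" cifs://CSCO_WEBVPN_USERNAME:CSCO_WEBVPN_PASSWORD@10.2.2.2/home 4
 url-list ServerList "INTRANET" http://10.2.2.6/login?u=CSCO_WEBVPN_USERNAME&p=CSCO_WEBVPN_PASSWORD 5
 url-list ServerList "OWA" https://10.2.2.5/owa/?u=CSCO_WEBVPN_USERNAME&p=CSCO_WEBVPN_PASSWORD 6
"""


def parse_config(text):
    """Pull out the ASDM listener, the WebVPN listener and the bookmarks."""
    cfg = {"http_ifaces": set(), "webvpn_ifaces": set(), "bookmarks": [],
           "asdm_port": DEFAULT_PORT, "webvpn_port": DEFAULT_PORT}
    in_webvpn = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):                 # top-level command
            in_webvpn = (line == "webvpn")
            m = re.match(r"http server enable(?: (\d+))?$", line)
            if m:
                if m.group(1):
                    cfg["asdm_port"] = int(m.group(1))
                continue
            m = re.match(r"http \S+ \S+ (\S+)$", line)  # http <net> <mask> <if>
            if m:
                cfg["http_ifaces"].add(m.group(1))
            continue
        if not in_webvpn:
            continue
        sub = line.strip()                           # webvpn sub-command
        if m := re.match(r"enable (\S+)$", sub):
            cfg["webvpn_ifaces"].add(m.group(1))
        elif m := re.match(r"port (\d+)$", sub):
            cfg["webvpn_port"] = int(m.group(1))
        elif m := re.match(r'url-list \S+ "([^"]*)" (\S+) \d+$', sub):
            cfg["bookmarks"].append({"name": m.group(1), "url": m.group(2)})
    return cfg


def check_bookmark(name, url):
    """Apply the macro-substitution rules to one bookmark URL."""
    findings = []
    scheme = url.split("://", 1)[0].lower()
    macros = set(re.findall(r"CSCO_WEBVPN_[A-Z0-9_]+", url))
    for macro in sorted(macros - SUPPORTED_MACROS):
        findings.append(("unknown-macro", f"{name}: {macro} is not a supported macro"))
    if macros & PASSWORD_MACROS:
        if scheme == "cifs":
            findings.append(("cifs-password",
                             f"{name}: password substitution is disabled for cifs:// URLs"))
        elif scheme != "https":
            findings.append(("cleartext-password",
                             f"{name}: password macro in a non-SSL {scheme}:// link"))
    return findings


def audit(text):
    """Return (check, detail) findings; an empty list means both rules hold."""
    cfg = parse_config(text)
    findings = []
    if cfg["asdm_port"] == cfg["webvpn_port"]:
        for iface in sorted(cfg["webvpn_ifaces"] & cfg["http_ifaces"]):
            findings.append(("shared-interface",
                             f"ASDM and WebVPN both listen on {iface}:{cfg['asdm_port']}; "
                             "enable ASDM on inside only or change one port"))
    for bm in cfg["bookmarks"]:
        findings.extend(check_bookmark(bm["name"], bm["url"]))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"[{check}] {detail}")
```

Running it against the sample flags the SHARE and INTRANET bookmarks only; the document's own layout (ASDM on inside, WebVPN on outside) passes the interface check.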


Verify

Use this section to confirm that your configuration works properly.
Establish a connection to your ASA device from an outside client to test this:
https://ASA_outside_IP_Address
The client receives a Cisco WebVPN page that allows access to the corporate LAN in a secure fashion. The client is allowed only the access that is listed in the newly created group policy.
Authentication: A simple login and password were created on the ASA for this lab proof of concept. If a single and seamless sign-on to a domain for the WebVPN users is preferred, refer to this URL:
ASA with WebVPN and Single Sign-on using ASDM and NTLMv1 Configuration Example


Troubleshoot

This section provides information you can use to troubleshoot your configuration.
Note: Do not interrupt the Copy File to Server command or navigate to a different screen while the copy process is in progress. If the operation is interrupted, it can cause an incomplete file to be saved on the server.
Note: Users can upload and download the new files with the WEBVPN client, but the user is not allowed to overwrite the files in CIFS on WEB VPN with the Copy File to Server command. When the user attempts to replace a file on the server, the user receives this message: "Unable to add the file."


Procedures Used to Troubleshoot

Follow these instructions to troubleshoot your configuration.


  1. In ASDM, choose Monitoring > Logging > Real-time Log Viewer > View. When a client connects to the ASA, note the establishment and termination of SSL and TLS sessions in the real-time logs.
  2. In ASDM, choose Monitoring > VPN > VPN Statistics > Sessions. Look for the new WebVPN session. Be sure to choose the WebVPN filter and click Filter. If a problem occurs, temporarily bypass the ASA device to ensure that clients can access the desired network resources. Review the configuration steps listed in this document.

Commands Used to Troubleshoot

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
Note: Refer to Important Information on Debug Commands before the use of debug commands.


  • show webvpn ?—There are many show commands associated with WebVPN. In order to see the use of show commands in detail, refer to the command reference section of the Cisco Security Appliance.
  • debug webvpn ?—The use of debug commands can adversely impact the ASA. In order to see the use of debug commands in more detail, refer to the command reference section of the Cisco Security Appliance.

Problem - Unable to Connect More Than Three WEB VPN Users to PIX/ASA

Problem:
Only three WEB VPN clients can connect to the ASA/PIX; the connection for the fourth client fails.

Solution:
In most cases, this issue is related to the simultaneous login setting within the group policy. Use this illustration to configure the desired number of simultaneous logins. In this example, the desired value is 20.

ciscoasa(config)# group-policy Bryan attributes
ciscoasa(config-group-policy)# vpn-simultaneous-logins 20
