Remote Access VPN-SSL VPN

SSL VPN Principle
SSL VPN is a technology that provides flexible, low-cost remote access over the Internet by using the SSL encryption already built into web browsers. An SSL VPN does not require special client software to be pre-installed: any computer that can reach the Internet can establish an SSL VPN session, giving network access anytime, anywhere.

SSL VPNs primarily provide secure access to web-based applications.
SSL VPNs operate at the session layer of OSI.
Cisco refers to SSL VPNs as Web VPNs.

1. Client modes of SSL VPN
The client modes are shown in the figure below. Taking an ASA security appliance as the VPN gateway as an example, the two components that implement an SSL VPN are the SSL VPN server and the SSL VPN client.

[screenshot]

SSL VPN can be deployed using the following three access methods.
1) Clientless mode
Clientless mode does not mean there is no client at all; it uses the computer's web browser for remote access without installing additional software.
Clientless mode provides secure access to web resources and web-based content. It can also provide remote file sharing through the Common Internet File System (CIFS): the portal web page lists the file server connections, enabling remote users to browse the listed domains, servers, directories, folders, files, etc. The disadvantage of clientless mode is that it only protects web traffic.

2) Thin client mode (also known as port forwarding mode)
Thin client mode provides remote access to TCP-based services, such as Post Office Protocol (POP3), Simple Mail Transfer Protocol (SMTP), remote login (SSH), etc. After the SSL VPN session is established, the SSL VPN appliance dynamically downloads a Java or ActiveX program to the user's desktop, which allows some non-web applications to be carried through the SSL VPN. Thin client mode extends the encryption capabilities of the web browser.

3) Thick client mode (also known as tunnel mode or full tunnel client mode)
Thick client mode supports a large number of applications by downloading SSL VPN client (SVC) software, providing full network layer (layer 3) access to all applications. When thick client mode is used, the client software is generally downloaded and installed on the user's computer dynamically after the client establishes an SSL VPN session to the central site.
Because the client must be installed on the user's computer, users must have administrator rights on their computers. Without administrator privileges the client cannot be installed, and only clientless or thin client mode can be used.

2. Authentication, encryption and content control of SSL VPN
SSL VPN usually supports two authentication methods: digital certificates, and user name and password. The user connects over HTTPS; after the certificate is obtained, the user enters the user name and password in the web browser and begins accessing the content resources.
SSL VPN encrypts data traffic using SSL, which was developed by Netscape. The latest version of SSL is SSLv3, which supports RC4, DES and 3DES. Later, the IETF established a draft standard, Transport Layer Security (TLS), based on SSL; RFC 2246 defines TLS 1.0.
For clientless or thin client SSL VPN, different applications can be exposed to different users to control user access. A user of the SSL VPN initially connects to a web page and logs in with a user name and password; the page then lists the corresponding links, and the user accesses the corresponding servers through that list.

3. Usage environment of SSL VPN
Whether the user accesses the application through a web browser
Whether the user may access from a non-private computer (Internet cafes, libraries, etc.)
Whether the administrator has limited management rights over the user's computer and cannot control which software the user installs

[screenshot]

In addition, consider whether non-web applications need to be supported; if so, check the manufacturer's list of supported non-web programs. This matters mainly because the client cannot be installed on a non-private computer on which the user may lack administrator rights.

Thick client configuration case:
1. Topology

[screenshot: topology]

2. Experimental steps:
1) Replace the flash of ASA1, then start the topology.
Use the following FLASH file to replace the FLASH in the target location (c:\users\administrator\appdata\local\temp\ASA1).
(Friends who need the files can contact me.)

2) Configure the IP addresses of all devices and the routes of ASA1 (no routes need to be configured on the ISP).
Configure the IP address of SW1:

[screenshot]

Configure the addresses and routes for ASA1:

[screenshot]

Configure the ISP's address:

[screenshot]

Intranet host: 192.168.1.100
External network host: 202.2.2.100
Internet host: 202.3.3.100

The IP addresses are configured in each operating system. The Internet host 202.3.3.100 runs CentOS 6.5, the intranet host runs Windows Server 2008 R2, and the Internet client runs Windows XP. Screenshots of the IP configuration are not needed; configure it yourself.

3) Install the web and FTP services on PC1, and enable Remote Desktop.

[screenshots]

Configure the Internet site:

[screenshots]

4) Configure SSL VPN on ASA1.

[screenshots]

5) On PC2, visit http://202.1.1.1, download and install the client, and test access to Remote Desktop, FTP, and the web site.

[screenshots]

A successful-connection prompt pops up in the lower right corner of the desktop.

Double-click the icon in the lower right corner to display the following information.

[screenshot]

At this point the client installation is successful.

6) On the client, test access to the internal website, FTP, and Remote Desktop.

[screenshots]

At this point, however, the Internet website 202.3.3.100 cannot be accessed, because split tunneling and split DNS have not yet been configured.

[screenshot]

7) Configure split tunneling and split DNS.

[screenshots]

The first line of the command above ends with 255.255.255.0 any.

After disconnecting, connect to the VPN again, as shown below:

[screenshot]

View the split-tunnel details:

[screenshot]

Browse 202.3.3.100 again:

[screenshot]

Also access the internal website:

[screenshot]

Check that the DNS server obtained is 192.168.1.100 (this implements split DNS, so domain names can be used to reach both intranet and extranet websites).

[screenshot]

Configure another tunnel group, vpn_group1, and then set the user benet to belong to vpn_group.

[screenshot]

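The following ASA CLI is an added example, not the configuration in the page's screenshots, showing how steps 4 and 7 fit together on the command line: the full-tunnel SVC client enabled on the outside interface, a group policy whose split tunnel carries only 192.168.1.0/24 and whose split DNS points at 192.168.1.100, the user benet, and the tunnel group vpn_group1. The interface names, address pool, client package file name, domain name, group-policy name and password are assumptions; the syntax is that of ASA 8.0-8.2 (on 8.3+ NAT exemption is written differently, and on 9.x the svc keywords become anyconnect). It also limits the portal to TLS instead of the SSLv3 mentioned in the encryption section above, since SSLv3 is obsolete.

```cisco
! Added example (not the page's own config). Assumed: interfaces "inside"/"outside",
! client pool 192.168.10.0/24, package name, domain intranet.example, password.

! Only accept TLS on the portal; SSLv3 is obsolete and should not be offered.
ssl server-version tlsv1-only
ssl encryption aes256-sha1 aes128-sha1

! Address pool handed to connected clients (constructed range).
ip local pool SSLVPN_POOL 192.168.10.1-192.168.10.50 mask 255.255.255.0

! Split-tunnel ACL: only the intranet subnet goes through the tunnel; everything
! else (e.g. 202.3.3.100) leaves through the client's own Internet connection.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

! Do not NAT traffic between the intranet and the VPN client pool (8.2 syntax).
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Step 4: enable the SSL VPN portal and the SVC full-tunnel client on the outside interface.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 svc enable
 tunnel-group-list enable

! Step 7: group policy with split tunneling and split DNS.
group-policy VPN_POLICY internal
group-policy VPN_POLICY attributes
 vpn-tunnel-protocol svc webvpn
 dns-server value 192.168.1.100
 default-domain value intranet.example
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 split-dns value intranet.example
 webvpn
  svc keep-installer installed
  svc ask none default svc

! Local user; group-lock pins the account to its own tunnel group.
username benet password PLACEHOLDER
username benet attributes
 vpn-group-policy VPN_POLICY
 group-lock value vpn_group1

! Tunnel group selectable from the portal drop-down list.
tunnel-group vpn_group1 type remote-access
tunnel-group vpn_group1 general-attributes
 address-pool SSLVPN_POOL
 default-group-policy VPN_POLICY
tunnel-group vpn_group1 webvpn-attributes
 group-alias vpn_group1 enable
```

After a client reconnects, `show vpn-sessiondb svc` on the ASA lists the session, and the client's Route Details (the split-tunnel view shown above) should contain only 192.168.1.0/24 while 202.3.3.100 is reached directly.
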
8) Control the user's access rights through the web interface.
First, write an XML file named url_list1.xml with the following content:
(Note that the screenshot below is incomplete. Use the more command to view the url_list1.xml template; the file is in disk0:/csco_config/97/bookmarks and is named Template.)

[screenshot]

Then place the file in the root directory of the FTP server at 192.168.1.100 on the intranet (user name yangdawei, password 123-abc), and import url_list1.xml into the ASA firewall's URL list from that FTP server.

[screenshot]

The hidden last part of the command above is: @192.168.1.100/url_list1.xml.

View the existing URL lists:

[screenshot]

Delete a URL list:
revert webvpn url-list url-list-name

Apply the URL list:

[screenshot]

Command to disable the address input field:

[screenshot]

Verify access:

[screenshots]

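As an added example for step 8 (again not the page's screenshots), the commands below import the bookmark file from the lab FTP server the page names, attach the list to the group policy, and disable free-form URL entry so that portal users reach only the published links. The URL-list name url_list1 and the group-policy name VPN_POLICY are assumptions; the FTP address and credentials are the ones the page gives, and the revert command is the page's own.

```cisco
! Added example (not the page's own config). Assumed: list name url_list1,
! group policy VPN_POLICY. FTP host/credentials are the page's lab values.

! Pull url_list1.xml from the intranet FTP server into the ASA's stored URL lists.
import webvpn url-list url_list1 ftp://yangdawei:123-abc@192.168.1.100/url_list1.xml

! Confirm the list was stored.
show import webvpn url-list

! Publish the list on the portal and remove the ways a user could type
! arbitrary destinations: URL entry, file-share entry and file browsing.
group-policy VPN_POLICY attributes
 webvpn
  url-list value url_list1
  url-entry disable
  file-entry disable
  file-browsing disable

! Remove the list again when it is no longer needed (page's own command):
! revert webvpn url-list url_list1
```

The import URL carries the FTP password in clear text and is kept in the command history, so a throwaway lab account such as the one the page uses is appropriate. Disabling URL entry restricts the portal, not the full-tunnel client: a user in thick client mode still reaches whatever the split-tunnel ACL permits.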

Origin http://43.154.161.224:23101/article/api/json?id=326324499&siteId=291194637