Sunday, August 27, 2006

CISCO ASA SVC WebVPN

SSL VPN Client

The SSL VPN Client (SVC) is a VPN tunneling technology that gives remote users the benefits of an IPsec VPN client without requiring network administrators to install and configure IPsec VPN clients on the remote computers. The SVC uses the SSL implementation already present on the remote computer, together with the WebVPN login and authentication of the security appliance.

When the user connects to the security appliance, passes login and authentication, and the security appliance identifies the user as requiring the SVC, the security appliance downloads the SVC to the remote computer. If the security appliance identifies the user as merely having the option to use the SVC, it downloads the SVC while presenting a link on the user's screen to skip the SVC installation (the user then falls back to clientless WebVPN).

After downloading, the SVC installs and configures itself. When the connection terminates, the SVC either remains on the remote computer or uninstalls itself, depending on the configuration (see "Enabling permanent SVC installation" below).

Installing the SVC Software

Installing the SVC consists of copying one or more SVC images to the security appliance and assigning an order to the images.

Step 1 – Copy the SVC image to the security appliance with the copy command in privileged EXEC mode.

Step 2 – Assign an order to the SVC images with the svc image command in webvpn configuration mode. The order determines which image the appliance offers first; put the image for the most common client platform at order 1.

svc image filename order


Enabling SVC

After installing the SVC, enable it with the following steps (they span webvpn, global, group-policy and tunnel-group configuration modes):

Step 1 – Enable WebVPN on an interface in webvpn configuration mode

(config) webvpn
(config-webvpn) enable outside

Step 2 – From webvpn configuration mode, enter the svc enable command

(config-webvpn) svc enable

Step 3 – Configure a method of address assignment (DHCP, user-assigned addressing, and/or a local IP pool). A local pool is created in global configuration mode, not webvpn mode:

(config) ip local pool vpn_users 192.168.1.100-192.168.1.200 mask 255.255.255.0

Step 4 – Assign the address pool to a tunnel group

(config) tunnel-group remote_users general-attributes
(config-tunnel-general) address-pool vpn_users

Step 5 – Assign a default group policy to the tunnel group with the default-group-policy command

(config-tunnel-general) default-group-policy sales

Step 6 – Create and enable a group alias that is displayed in the group list on the WebVPN login page, using the group-alias command

(config) tunnel-group remote_users webvpn-attributes
(config-tunnel-webvpn) group-alias sales_department enable

Step 7 – Enable the display of the tunnel-group list on the WebVPN login page from webvpn configuration mode

(config) webvpn
(config-webvpn) tunnel-group-list enable


Step 8 – Identify WebVPN as a permitted VPN tunneling protocol for the group or user with the vpn-tunnel-protocol command. This is a group-policy attribute (or username attribute), so it is entered in group-policy configuration mode, not in the webvpn sub-mode:

(config) group-policy sales attributes
(config-group-policy) vpn-tunnel-protocol webvpn


Step 9 – Enable or require the SVC for a specific group or user with the svc command from either group-policy webvpn mode or username webvpn mode. "enable" offers the SVC but lets the user skip it and fall back to clientless WebVPN; "required" refuses the connection unless the SVC is used.

svc {none | enable | required}
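The complete configuration for Steps 1 through 9 in one place, as an added example that is not part of the original page or of Cisco's documentation. It assumes a TFTP server at 192.168.1.10 and the image file name sslclient-win-1.1.0.154.pkg, reuses the names vpn_users, sales and remote_users from the steps above, and adds the two prerequisite lines the steps do not show (creating the group policy and the tunnel group). Lines beginning with ! are comments.

```cisco
! Added example, not the original page's configuration.
! Assumed: TFTP server 192.168.1.10, image sslclient-win-1.1.0.154.pkg.
!
! Step 1 (privileged EXEC): copy the SVC image to flash
# copy tftp://192.168.1.10/sslclient-win-1.1.0.154.pkg disk0:
!
! Step 2 and Steps 1-2 of "Enabling SVC" plus Step 7 (webvpn configuration mode)
(config) webvpn
(config-webvpn) svc image disk0:/sslclient-win-1.1.0.154.pkg 1
(config-webvpn) enable outside
(config-webvpn) svc enable
(config-webvpn) tunnel-group-list enable
(config-webvpn) exit
!
! Step 3: address pool (global configuration mode)
(config) ip local pool vpn_users 192.168.1.100-192.168.1.200 mask 255.255.255.0
!
! Steps 8-9: group policy. The "internal" line creates the policy (prerequisite).
! vpn-tunnel-protocol is a group-policy attribute, not a webvpn sub-mode command.
! "svc required" refuses clientless fallback; use "svc enable" to allow it.
(config) group-policy sales internal
(config) group-policy sales attributes
(config-group-policy) vpn-tunnel-protocol webvpn
(config-group-policy) webvpn
(config-group-webvpn) svc required
(config-group-webvpn) exit
(config-group-policy) exit
!
! Steps 4-6: tunnel group. The "type webvpn" line creates it (prerequisite).
(config) tunnel-group remote_users type webvpn
(config) tunnel-group remote_users general-attributes
(config-tunnel-general) address-pool vpn_users
(config-tunnel-general) default-group-policy sales
(config-tunnel-general) exit
(config) tunnel-group remote_users webvpn-attributes
(config-tunnel-webvpn) group-alias sales_department enable
(config-tunnel-webvpn) exit
!
! Check the result, then test from a browser against the outside interface
(config) show running-config webvpn
(config) show running-config group-policy sales
(config) show running-config tunnel-group remote_users
```

Two points worth checking before turning this on: tunnel-group-list enable publishes the group aliases to anyone who reaches the login page, so only enable it when users genuinely need to pick a group, and keep alias names free of internal detail; and choose svc required rather than svc enable for groups that must never land in clientless mode, since the skip link described above is offered whenever the SVC is merely enabled.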



Enabling permanent SVC installation

Enabling permanent SVC installation disables the automatic uninstall feature of the SVC. The SVC remains installed on the remote computer for subsequent SVC connections, reducing the connection time for the remote user.

To enable permanent SVC installation for a specific group or user, use the svc keep-installer command from group-policy webvpn mode or username webvpn mode:

svc keep-installer {installed | none}

"installed" keeps the SVC permanently installed on the remote computer; "none" removes the SVC from the remote computer after the active SVC connection terminates. By default permanent installation is disabled and the SVC uninstalls at the end of every SVC session. Keep in mind that a permanently installed client stays on the machine (including unmanaged or shared ones) after the user disconnects.


Viewing SVC Sessions

You can view information about active SVC sessions with the following command:

show vpn-sessiondb svc



Logging Off SVC Sessions

To log off all SVC sessions, use the vpn-sessiondb logoff svc command.

You can log off individual SVC sessions using either the name option or the index option (the index is shown in the output of show vpn-sessiondb svc):

vpn-sessiondb logoff name name
vpn-sessiondb logoff index index