00:00:01 - VPN Related Odds and Ends regarding the ASA--
00:00:04 - let's begin. 00:00:05 - In this series, we've had a lot
of fun going through 00:00:08 - the topics, describing them, configuring
00:00:11 - them, verifying them. 00:00:11 - It's been a blast.
00:00:13 - Now, I have a laundry list of all the
00:00:14 - things I wanted to cover. 00:00:16 - And as I looked back on what we've
covered, we've done a 00:00:17 - fantastic job.
00:00:19 - And there's a few items I thought to myself, self, this
00:00:22 - topic doesn't deserve an entire Nugget, but still, I
00:00:25 - want to chat about it with you. 00:00:26 - So how do we do that?
00:00:27 - Well, I'm going to do it right here on the
00:00:29 - Odds and Ends section. 00:00:30 - It's like the kitchen sink of all
these little ideas or 00:00:33 - concepts or add-ons that I wanted
to make sure we 00:00:35 - covered with you.
00:00:36 - So the first thing I want to do is take a look at the
00:00:38 - AnyConnect Client Profile. 00:00:40 - Now, you'll remember, we used that
to push down a backup 00:00:43 - server list to this AnyConnect
client. 00:00:45 - And we could also push down a backup
list to the VPN 00:00:48 - software client.
00:00:49 - We did both of those in our previous Nugget.
00:00:52 - But what else can we do in that client profile?
00:00:54 - There's a few additional bells and whistles I'd like to talk
00:00:56 - about with you right now. 00:00:58 - The best way to take a look at
some of the additional 00:01:01 - functions of the client profile
for the AnyConnect is 00:01:04 - to create a new one.
00:01:05 - So under Configuration, Remote Access VPN, Network (Client)
00:01:08 - Access, and AnyConnect Client Profile, we'll
00:01:11 - simply click on Add. 00:01:12 - And we'll say New.
00:01:14 - We're going to create a new AnyConnect client profile.
00:01:17 - There's the actual file name. 00:01:18 - It will be stored on Flash.
00:01:19 - And we'll assign it to group three. 00:01:21 - That means if we apply this, anybody
connected with or 00:01:23 - associated with group three is
going to get this XML profile 00:01:27 - downloaded, and their AnyConnect
client is going to 00:01:30 - abide by it.
00:01:31 - So we'll click on OK. 00:01:32 - We'll go to edit it.
00:01:33 - Let's take a look at the Details. 00:01:35 - In the Details, we've already seen
the backup 00:01:37 - servers, which is great.
00:01:38 - We did that for our fault tolerance 00:01:40 - in a previous Nugget.
00:01:41 - But we also have a second option for
00:01:42 - doing the same thing. 00:01:44 - Under the server list, if we had
a server, we can specify 00:01:47 - the primary server.
00:01:48 - And-- check this out-- we can also specify a backup server
00:01:51 - list here if we want to. 00:01:53 - This would also be the place where
we tell the AnyConnect 00:01:55 - client, hey, we want you to use IPsec
as opposed to SSL. 00:01:59 - The default behavior is SSL VPN
AnyConnect client. 00:02:03 - But if you want to use the IPsec
and the ASA's configured 00:02:07 - to support it, you can do it.
00:02:08 - It's going to be using IKE version two with the
00:02:10 - AnyConnect for remote access if you set that up.
00:02:13 - So I wanted to make you aware of that.
00:02:14 - Going back up to Preferences, a couple of options I want to
00:02:17 - point out-- 00:02:17 - Start Before Logon.
00:02:18 - That's pretty cool-- 00:02:19 - SBL.
00:02:20 - All it means is this. 00:02:21 - Dear Mr. Windows Machine, when
you boot up and the AnyConnect 00:02:25 - software starts, I want you to go
ahead and not allow that user 00:02:29 - to log on locally to the Windows
box until the VPN is 00:02:33 - up and running.
00:02:34 - So what happens is the VPN client starts, it launches a
00:02:37 - connection, and the user has to 00:02:39 - authenticate through the VPN.
00:02:41 - And once that's in place with the tunnel up, then and only
00:02:44 - then will the user be able to log on locally
00:02:46 - to the Windows box. 00:02:47 - You've got to be pretty serious
if you mean that. 00:02:50 - Why?
00:02:51 - Because if the VPN doesn't work, the user is now locked
00:02:53 - out of their own system. 00:02:55 - So just be aware of what that does.
00:02:57 - User Controllable over here simply says does the user,
00:03:00 - when they click on that little gear icon on their AnyConnect
00:03:03 - and they change their parameters, do you want the
00:03:06 - user to be able to control that, yes or no?
00:03:08 - So if you don't want the user to be able to control it and
00:03:10 - you want to force it, you can do those two combinations.
00:03:13 - And that would force the VPN to be up and active, and a VPN
00:03:17 - tunnel up before the user could log in.
00:03:20 - This is a pre-connect message. 00:03:21 - That's not too exciting.
00:03:23 - What certificate store to use-- 00:03:24 - certificate store is where the
actual digital certificates 00:03:28 - are stored.
00:03:28 - It's kind of a play on words there. 00:03:30 - Auto Connect on Start, which means
it starts the VPN 00:03:35 - automatically--
00:03:36 - Minimize on Connect, that's just graphical.
00:03:38 - And then we have Local LAN Access. 00:03:39 - What does that do?
00:03:40 - Local LAN Access says if we have a tunnel everything
00:03:43 - policy and we want that user to be able to access resources
00:03:47 - on their local area network, meaning on their same subnet,
00:03:51 - Local LAN Access will give them that ability.
00:03:54 - Now, maybe we don't want that. 00:03:55 - Maybe when the tunnel's up, we
want 100% of all the traffic 00:03:58 - to be tunneled. We could say, nope,
I 00:04:00 - don't want Local LAN Access.
00:04:01 - I don't want it user controllable. 00:04:02 - And then if we don't have a split
tunneling policy, that 00:04:05 - user will not be able to access
anything on his own 00:04:08 - local subnet out in Des Moines,
Iowa, or wherever he 00:04:10 - happens to be.
00:04:12 - Auto Reconnect is on by default. 00:04:13 - That's important.
00:04:15 - That's especially important if you have a backup server list.
00:04:18 - So if you're connected and something happens, dead peer
00:04:20 - detection kicks in. 00:04:22 - It doesn't get a response.
00:04:23 - It says, oh, that connection's dead.
00:04:24 - It can go ahead and try to reconnect. 00:04:26 - And that reconnect will trigger
going to a second 00:04:29 - server if the first one is not
available. 00:04:31 - So Auto Reconnect is great.
00:04:32 - Auto Update is also very good. 00:04:34 - If you put a new image for AnyConnect
on the ASA, it will 00:04:38 - go ahead and automatically update
clients who are abiding 00:04:41 - by this client profile.
00:04:42 - That is also on by default. 00:04:44 - And then we have some other details
regarding PIN numbers 00:04:47 - for SmartCards and what protocols
are supported-- 00:04:50 - IP version 4, 6, 4 then 6 or 6
then 4. 00:04:54 - And if you don't want it to be
user controllable, you can 00:04:56 - take those off.
00:04:57 - If we go to Preferences, part two, this is also kind of
00:05:00 - interesting. 00:05:01 - We have this option right here
called Automatic VPN Policy. 00:05:05 - Now, what this is--
00:05:07 - the intent of it is to allow the AnyConnect client, if it
00:05:11 - detects that it's on a corporate network, one of your
00:05:14 - networks, that it can go ahead and not have to bring up the
00:05:17 - VPN tunnel. 00:05:18 - So the VPN client's running.
00:05:20 - And if you're on the corporate network, it says, oh, you're
00:05:22 - on the corporate network. 00:05:23 - You're safe.
00:05:23 - You're on a trusted network. 00:05:24 - You don't need the tunnel.
00:05:26 - If you're on a non-corporate network-- for example, you're
00:05:29 - at Starbucks, you're at your home office, somewhere else--
00:05:32 - it can detect, hey, I'm not on my trusted networks.
00:05:35 - I'd better build the tunnel. 00:05:37 - That's what the Automatic VPN Policy
is all about. 00:05:40 - So if we say disconnect, all it
says is that hey, if you're 00:05:42 - on the trusted network, you can
go ahead and disconnect 00:05:45 - any VPN tunnels.
00:05:46 - You don't need them. 00:05:47 - You can also say I want to pause
it. 00:05:49 - I want to do nothing.
00:05:50 - But if you want to say disconnect when you're on
00:05:53 - trusted networks, that will happen for them.
00:05:56 - The next part is what if you're on
00:05:57 - an untrusted network? 00:05:58 - Go ahead and connect.
00:06:00 - And these are the two options that, if you're going to use
00:06:03 - this feature, you'd probably have. 00:06:05 - Now, the problem is how does your
machine know if it's on 00:06:08 - the trusted networks or not?
00:06:09 - So the Trusted Network Policy-- 00:06:11 - TND.
00:06:12 - How does it know? 00:06:13 - And the answer is you have DNS
servers. 00:06:16 - And you have DNS names.
00:06:18 - So if I say, for example, *cbtnuggets.com, if I've been
00:06:25 - assigned cbtnuggets.com, very likely through DHCP, my
00:06:29 - machine is going to say, oh, cbtnuggets.com? 00:06:31 - That's a trusted DNS domain.
00:06:33 - I must be on a trusted network. 00:06:35 - Tah-dah.
00:06:36 - That's how it figures it out. 00:06:37 - Now, could that be spoofed or whatever?
00:06:38 - Could that be tricked? 00:06:39 - Yes.
00:06:40 - But that's how it figures it out. 00:06:41 - We also have trusted DNS servers.
00:06:43 - So we can specify maybe 23.1.2.3. 00:06:47 - And we can have a comma and you
can put another one in. 00:06:49 - You could also have multiple DNS
trusted domains, as well. 00:06:52 - And that's also how it can figure
out if it's 00:06:54 - on a trusted network.
00:06:56 - So how do clients get DNS domains, and how do they get DNS
00:07:00 - server information? 00:07:02 - Most likely, through DHCP--
00:07:04 - so if the DHCP is handing out the domain and the DNS server
00:07:08 - information, and it matches in the profile here, then the
00:07:12 - client can assume, oh, I'm on a trusted network and I don't
00:07:15 - need, based on this policy, a VPN tunnel up at the moment.
00:07:19 - So are a lot of people using this? 00:07:21 - No, they're not.
00:07:23 - But just be aware that it's important that if you're at
00:07:26 - Starbucks or if you're at some other location, there's no
00:07:29 - guarantee that you're even talking to an authorized
00:07:32 - access point. 00:07:33 - It could be a rogue access point.
00:07:34 - So once you have connectivity through the internet, building
00:07:38 - the VPN tunnel, then you can guarantee that all your
00:07:41 - traffic leaving your interface, especially if you
00:07:43 - have a no split tunnel policy, all traffic leaving your
00:07:47 - interface is going to be encrypted and sent up to the
00:07:49 - head end device. 00:07:50 - So anybody eavesdropping or stealing
data between you and 00:07:53 - the head end is going to get cipher
text for the payload, 00:07:56 - which is a great idea.
00:07:57 - So that's what the trusted network policy is all about--
00:08:01 - by specifying what you want to do if you're on
00:08:03 - a non-trusted network. 00:08:05 - And how it can tell whether or
not it's on a trusted network. 00:08:09 - Backup servers we already took
a look at. 00:08:11 - The server list with the ability
to do backup servers-- 00:08:13 - we took a look at that as well.
00:08:15 - One other thing I wanted to point out-- on this server
00:08:17 - list right here, if we click on Add, we have the option for
00:08:19 - the server, the backups, as we did before.
00:08:22 - Here's the IPsec or the SSL option. 00:08:24 - But over here, we also have the ability
to train the 00:08:27 - AnyConnect client on where a CA
server is that we could use 00:08:30 - a simple certificate enrollment
protocol with in 00:08:33 - the event that we needed to subscribe
or get a digital 00:08:36 - certificate on an AnyConnect client.
00:08:40 - We were taking a look at the AnyConnect client profile.
00:08:43 - What about the clientless SSL portal? 00:08:45 - Now, because they don't have a
software client running, what 00:08:48 - can we do to them or for them to
spice up their life? 00:08:51 - The answer is we can change colors,
we can change logos, 00:08:54 - and we can even provide an on screen
keyboard. 00:08:58 - To kick things up a notch for our
clientless SSL VPNs, we 00:09:02 - can go to the Portal Details at
this location right here. 00:09:05 - And we can take a look at bookmarks,
which we've already 00:09:07 - created and assigned.
00:09:09 - Bookmarks make it really easy or convenient for remote
00:09:12 - access users, who are using clientless, to get access to
00:09:15 - the resource. 00:09:15 - They click and it goes.
00:09:17 - We also have the plug-ins providing additional
00:09:19 - functionality, such as remote desktop and VNC for remote
00:09:23 - desktop access, SSH/Telnet for remote CLI access, all with no
00:09:29 - additional administrative rights needed for our
00:09:31 - clientless SSL VPN user out there on the internet.
00:09:35 - Now, let's take a look at the customization now.
00:09:38 - There are lots of cool options that we can do for our
00:09:40 - clientless SSL VPN users. 00:09:42 - We can change the color scheme.
00:09:44 - If we want to go all feng shui, we can reorganize logos
00:09:47 - and make it look different. 00:09:48 - And that's all well and good.
00:09:50 - But for basic functionality, what does a user really want?
00:09:53 - They want to connect and they want to be able to log on.
00:09:55 - Down here, we have our on screen keyboard option.
00:09:58 - By default, it's off. 00:09:59 - But if you have users that have
a tablet device or they 00:10:03 - have a touch screen on their computer,
you can say, I want 00:10:05 - to show-- for the login page, I
want to bring up an on 00:10:09 - screen keyboard so they can tap
the keys of that keyboard 00:10:12 - to enter in their credentials.
00:10:14 - If we want to have a pop up keyboard for every time
00:10:17 - they're required to authenticate, regardless of
00:10:19 - where they're going, this option here simply does that.
00:10:22 - So it's off by default, on for the initial login page, on for
00:10:26 - all authentication pages. 00:10:27 - Again, this is under Configuration,
Remote Access 00:10:29 - VPN, Clientless SSL VPN Access,
Portal, and 00:10:33 - Customization.
00:10:35 - While we were looking at the clientless SSL details of the
00:10:37 - portal, one of the things we looked at was the plug-ins
00:10:40 - that are there. 00:10:41 - And that leads us to our next topic
here. 00:10:43 - And that is what failover--
00:10:44 - stateful active/standby failover-- 00:10:47 - what it fails to do for clientless.
00:10:50 - Now, we already know that if we have a user who's connected
00:10:53 - to an ASA in a failover pair, that if he's connected
00:10:56 - to the active device and that fails for some
00:10:58 - reason, he's done. 00:10:59 - He needs to reconnect.
00:11:01 - And if he reconnects to the same IP address, hopefully
00:11:03 - that standby unit has now gone active and
00:11:05 - he's off to the races. 00:11:07 - But what doesn't happen is this.
00:11:08 - Let's say this is ASA 1 and this is ASA 3 and these guys
00:11:13 - are a failover pair. 00:11:14 - What doesn't happen is a replication
between these two 00:11:18 - ASAs, configuration-wise, of the
plug-ins. 00:11:21 - That means if I add a new plug-in
to ASA 1, ASA 3 is not 00:11:26 - going to have that plug-in.
00:11:27 - That plug-in, that software, that JAR file, is not going to
00:11:30 - just show up magically by default. 00:11:32 - So we need to make sure the plug-ins
are both on Flash and 00:11:36 - both devices for them to be used.
00:11:39 - In a previous Nugget, we took a look at using AAA.
00:11:41 - And we had an ACS server. 00:11:43 - And we had RADIUS.
00:11:44 - It was great. 00:11:44 - The user would authenticate.
00:11:46 - He would supply his username and password to the ASA.
00:11:49 - The ASA would submit those to the ACS via
00:11:52 - RADIUS and get a response. 00:11:53 - So we can do authentication and/or
authorization and/or 00:11:57 - accounting over to the ACS server.
00:11:59 - Fantastic. 00:12:00 - We used RADIUS.
00:12:01 - However, I want to point out that with AAA, RADIUS is not
00:12:05 - our only option. 00:12:06 - And TACACS+ is not our only option.
00:12:08 - There's a whole other world of possibilities that come in
00:12:12 - very, very helpful in a production environment.
00:12:15 - I'd like to take just a moment and share some of those
00:12:17 - options for AAA access with you right now.
00:12:20 - The best way to see our additional options for AAA is
00:12:23 - to create a new AAA server group. 00:12:26 - So I'm going to click on Add here.
00:12:27 - We'll call this test for a test group.
00:12:30 - And here's our protocols. 00:12:31 - We have RADIUS.
00:12:32 - We have TACACS+. 00:12:32 - But we have NT, if you have Legacy
NT 00:12:35 - systems, the NT domains--
00:12:36 - SDI, Kerberos, which we've used in a more current
00:12:39 - implementation of a Windows domain, Lightweight Directory
00:12:42 - Access Protocol, and HTTP Form, which can be used as
00:12:45 - part of a single sign on process. 00:12:47 - So if we take a look at, for example,
LDAP, we 00:12:50 - can click on OK.
00:12:51 - We now have a test group. 00:12:52 - The protocol is LDAP.
00:12:54 - But we don't have any servers. 00:12:55 - So we'll specify the details for
the LDAP server by 00:12:58 - highlighting this LDAP group, clicking
on Add, 00:13:02 - and we'll add a server--
00:13:03 - which interface he's located off of, what his IP address
00:13:06 - is, the time out, the protocol to use.
00:13:09 - And we're also going to specify how to logon, because
00:13:12 - the LDAP server isn't just going to say, yeah, I'll
00:13:14 - confirm anything you want to. 00:13:15 - Let me know.
00:13:16 - So we put the username and password required to log on to
00:13:19 - that device. 00:13:20 - Now, the other problem is this.
00:13:22 - In LDAP, we might have parameters for it coming back
00:13:24 - that don't match exactly Cisco attributes.
00:13:27 - So how do we associate an LDAP attribute of X with a Cisco
00:13:31 - attribute of Y? 00:13:32 - We're going to go ahead and use
an LDAP attribute map, 00:13:35 - which we can create.
00:13:36 - Now, at the moment, I don't have any created, but you
00:13:38 - could go to the LDAP attribute map and say, OK.
00:13:40 - The name of this LDAP attribute equates to this,
00:13:44 - after we've done Cisco of, user, as an example--
00:13:47 - to go ahead and correlate the two together.
00:13:49 - So that's how we can specify an LDAP server.
00:13:51 - I'm going to click on OK here. 00:13:53 - We'll click on Apply.
00:13:54 - But now, you can see that we could have multiple different
00:13:58 - AAA resources. 00:13:59 - So for authentication or authorization,
we could do 00:14:02 - that authentication and authorization
against our 00:14:05 - RADIUS using ACS, against an LDAP
server or some other type 00:14:09 - of remote server.
00:14:10 - And we could also pull down parameters. 00:14:12 - So instead of that LDAP server,
if we specified an IP 00:14:15 - address for a user with the LDAP
map-- we could say, this 00:14:18 - field called IP address maps to
the IP address we want the 00:14:22 - user to have--
00:14:23 - it would be able to correctly associate the two details, the
00:14:27 - IP address parameter for the Cisco side with whatever the
00:14:29 - parameter name is on the LDAP database, and
00:14:32 - pull down that detail. 00:14:33 - The end result is we can give you
authentication and 00:14:36 - authorization with external servers,
such 00:14:39 - as RADIUS and LDAP.
00:14:41 - Our next option is the single sign on and how we can
00:14:44 - facilitate that. 00:14:45 - A single sign on makes a lot of
sense. 00:14:47 - For example, if a user connects
through the VPN and 00:14:50 - then they go to server A and they
got to server B and they 00:14:52 - go to server C and every single
server is asking them 00:14:54 - again and again and again for their
00:14:56 - credentials, that's a pain. 00:14:58 - It's not very usable.
00:14:59 - Single sign on is the concept of the user connecting once.
00:15:03 - And then as they connect to other devices in that same
00:15:06 - network, they aren't prompted again and again and again for
00:15:09 - their username or password. 00:15:11 - To implement single sign on, let's
take a look at what we 00:15:13 - can do for the clientless options
for single sign on. 00:15:17 - So we go under Clientless SSL VPN.
00:15:19 - We go to Group Policies. 00:15:20 - But let's go to the sales group
and edit it. 00:15:22 - And under the More Options, we
have the 00:15:25 - single sign on option.
00:15:27 - So we can inherit whatever the default policy is going to be.
00:15:29 - Or we could say we want to specify servers that we want
00:15:33 - to do single sign on for. 00:15:34 - So we'll click on Add.
00:15:35 - And we'll say that this address of 10.0.0.5--
00:15:39 - that specific server, all 32 bits of it in all its glory--
00:15:43 - we want to go ahead and do basic HTTP, NTLM, which is a
00:15:48 - fancy way of saying NT LAN Manager, or CIFS--
00:15:52 - that's what that equates to-- or FTP.
00:15:55 - So what this is going to do is it's going to use the username
00:15:57 - and password of the user who's connected currently through
00:16:01 - the SSL clientless VPN. 00:16:03 - And the ASA will provide that username
and 00:16:06 - password to this server.
00:16:09 - So if I open up through the VPN portal--
00:16:12 - 10.0.0.5-- 00:16:13 - using a CIFS URL, or if I go to
HTTP or FTP, it will also 00:16:19 - include-- the ASA will-- on my
behalf, my 00:16:21 - username and password.
00:16:22 - Hence, single sign on functionality-- 00:16:24 - so we'll click on OK.
00:16:26 - And now that is in place for that sales group.
00:16:29 - So anybody who's a member of sales group coming in through
00:16:31 - clientless SSL to that one device will have single sign
00:16:34 - on functionality as their username and password are
00:16:36 - passed through. 00:16:37 - That's option number one.
00:16:38 - Another option is to use a dedicated single sign on
00:16:42 - server that we have on our inside network, as an example.
00:16:46 - To do that, we go under Advanced. 00:16:48 - And we have this option for Single
Sign On 00:16:51 - Servers right here.
00:16:52 - And we simply click on Add. 00:16:54 - And there's only two options here.
00:16:55 - We have the SAML POST, and we have SiteMinder.
00:16:59 - And then you specify the server name--
00:17:00 - call him Bubba-- 00:17:02 - and the address you can reach him
at and the protocol you 00:17:05 - want to use.
00:17:06 - Let's use 10.0.0.99. 00:17:09 - And then the key-- we'll say it's
going to be 00:17:11 - Cisco, as an example.
00:17:13 - And the single sign on the server can facilitate a single
00:17:16 - sign on functionality for clients who are connected
00:17:19 - through the clientless SSL VPN. 00:17:23 - Another option for single sign
on is with smart tunnels. 00:17:26 - As you'll recall, the smart tunnel
for the clientless SSL 00:17:29 - VPN is where it recognizes an application
that's on the 00:17:32 - local machine.
00:17:33 - And based on that application being present or running, the
00:17:36 - tunnel is built. 00:17:37 - We can also build in the single
sign on functionality 00:17:40 - in conjunction with that.
00:17:42 - With this option, under smart tunnels, we can specify auto
00:17:46 - sign on servers to be used in conjunction 00:17:48 - with those smart tunnels.
00:17:50 - So we click on Add. 00:17:51 - So up here, we have the smart tunnel
00:17:53 - application we created earlier. 00:17:54 - Down here, we have the smart tunnel
auto 00:17:56 - sign on server list.
00:17:57 - Let's add a server there. 00:17:58 - Let's say it's list-1.
00:18:01 - And we'll say we're going to add one server at 10.0.0.88,
00:18:06 - as an example. 00:18:07 - So with that server in place, we'll
click on Apply. 00:18:10 - The way that that gets used is,
if we go back to the 00:18:13 - actual group policy, and for example,
the sales group, and 00:18:17 - we go to the portal, check this
out. 00:18:19 - Here we have our smart tunnel.
00:18:20 - So we can say, I want to go ahead and do a smart tunnel
00:18:23 - application. 00:18:24 - And I want to go to RDP local.
00:18:26 - And I also want to use an auto sign on server in
00:18:28 - conjunction with that. 00:18:29 - We'll use list-1 as our list and
our sign on servers. 00:18:33 - And this is yet another option
that we have to facilitate a 00:18:36 - single sign on on behalf of our
clients. 00:18:40 - The local CA has nothing to do
with local California. 00:18:43 - Although there's nothing wrong
with California, local CA 00:18:47 - talks about the local certificate
authority 00:18:49 - functionality that we can install
right 00:18:51 - here on this ASA.
00:18:52 - Let's say we had a moderate number of users and we wanted
00:18:56 - to use digital certificates for 00:18:58 - authenticating those users.
00:18:59 - So we've got Bob. 00:19:01 - We've got Lois.
00:19:02 - We've got Susan. 00:19:04 - And they all need identity certificates,
but we don't 00:19:07 - want to use PKI for it.
00:19:08 - We could use a local CA on the ASA itself to be the CA that
00:19:13 - hands out Bob his identity certificate 00:19:15 - and Lois and Susan.
00:19:17 - And then we could probably have a real certificate on our
00:19:20 - box, because when these users connect initially and they
00:19:23 - want to authenticate this machine, we want to make sure
00:19:25 - that it's the real machine. 00:19:26 - So the ASA gets its own identity
certificate from a 00:19:30 - PKI player like VeriSign or Go
Daddy whoever. 00:19:33 - The ASA turns around and acts as
a CA server to hand out 00:19:36 - certificates.
00:19:37 - And then if we want to, we can do certificate-based 00:19:40 - authentication of our VPN clients,
because everybody has 00:19:43 - certificates.
00:19:44 - And what is this really doing? 00:19:45 - It's saving us a few dollars.
00:19:47 - That's all it's doing. 00:19:48 - So instead of going to PKI for
Bob's identity certificate, 00:19:52 - we're getting it directly from
the ASA. 00:19:54 - It's fairly easy to set up.
00:19:56 - Let me walk you through that process. 00:19:58 - To configure our ASA to be a certificate
authority for the 00:20:01 - benefit of its own VPN clients
who are going to be coming in, 00:20:06 - we would go under Certificate Management.
00:20:08 - And here, we have our CA certificates and our identity
00:20:10 - certificates. 00:20:11 - But now, we're going to go down
to the 00:20:13 - local certificate authority.
00:20:15 - And we're going to click the box that says make
00:20:17 - this guy a CA server. 00:20:19 - And that's how easy it is.
00:20:21 - You can also specify the details for the issuer name,
00:20:24 - the key sizes, the lifetime. 00:20:25 - If we go down here to More Options,
we have certificate 00:20:28 - revocation lists, distribution
points, and so forth. 00:20:31 - Let's take a moment and talk about
what could cause a 00:20:34 - certificate not to be believed.
00:20:36 - There's three basic things that would cause a device to
00:20:39 - not believe a certificate it received. 00:20:41 - Number one--
00:20:42 - validity. 00:20:45 - If I have a certificate and it
says it's valid from yesterday 00:20:48 - till tomorrow, it's valid.
00:20:50 - However, if I get a certificate and it says it's
00:20:53 - valid from tomorrow till the day after tomorrow, I'm going
00:20:56 - say that certificate is not valid yet.
00:20:58 - So the time frame on a certificate has to be checked.
00:21:00 - So that's one. 00:21:02 - Secondly, is it signed?
00:21:04 - What does that mean, Keith? 00:21:05 - It means is it signed by a CA server
that my browser trusts? 00:21:09 - And if it's not, I'm not going
to trust the certificate. 00:21:12 - I'm going to pop up that error
warning. 00:21:13 - So the certificate needs to be
signed by 00:21:15 - a CA server that's trusted.
00:21:17 - And third, it needs to be not revoked, because what happens?
00:21:24 - Let's say you and I are in a company and we have user
00:21:27 - certificates. 00:21:28 - We've both been issued user certificates.
00:21:29 - And then you and I both decide that we are going to move to a
00:21:33 - different department. 00:21:34 - So we were in one department.
00:21:35 - Now, we're going to a different department.
00:21:37 - And our certificates that we had are no longer
00:21:39 - supposed to be good. 00:21:40 - Well, how do we let the world know
about that? 00:21:42 - We report those serial numbers
for our two certificates which 00:21:46 - are no longer supposed to be valid.
00:21:48 - They're reported back up to the CA so if anybody asks the
00:21:52 - CA server about revocation lists or certificates that are
00:21:55 - no longer valid, the CA server can tell it.
00:21:58 - So how do people ask for a CRL? 00:22:01 - Well, certificate revocation list
is a long list of all the 00:22:05 - certificates that have been revoked
by that CA. 00:22:09 - So we could ask for a CRL and we
could ask for it via HTTP. 00:22:12 - Or we could ask for it via LDAP.
00:22:15 - Both those methods could be used to request the CRL, the
00:22:19 - certificate revocation list. 00:22:21 - There's also some functionality
of using SCEP, 00:22:24 - the simple certificate enrollment
protocol, to check 00:22:27 - and validate whether a certificate
is valid. 00:22:29 - And there's one other option, too.
00:22:30 - It's called OCSP-- 00:22:34 - online certificate status protocol,
OCSP. 00:22:39 - And that way, instead of saying,
please give me the 00:22:42 - entire list of all revoked certificates,
we could simply 00:22:45 - send the serial number for the
certificate we want to check 00:22:48 - and then get a message back to
confirm whether or not that 00:22:50 - certificate we just received is
on the naught list, as I 00:22:53 - like to call it-- on the certificate
revocation list. 00:22:56 - So those are some options for verifying
if a certificate is 00:22:58 - valid or not.
00:22:59 - So here on the ASA, if we wanted to be a CA server, we
00:23:03 - can specify all the details that we want to.
00:23:05 - We should put a pass phrase to protect this.
00:23:08 - Let's use cisco123-- 00:23:10 - not the best pass phrase, but for
testing, it'll work fine. 00:23:13 - And also, let's go ahead and specify
an SMTP server. 00:23:16 - So if we wanted to put in a server,
we could go ahead and 00:23:19 - add one, like, for example, 10.2.3.4.
00:23:23 - Hopefully, that's a real SMTP server. 00:23:25 - We'll click OK.
00:23:27 - And the reason we want to do that is because it's going to
00:23:30 - actually send out messages. 00:23:31 - When we say, hey, I'd like to bring
up a new client. 00:23:34 - This can actually email, using
the SMTP server we specified, 00:23:38 - the certificate enrollment invitation.
00:23:41 - So if I had 15 clients that I wanted to have certificates,
00:23:45 - this email would go out to all 15 of them.
00:23:47 - They would click on a link, which would facilitate them
00:23:50 - having their identity certificate installed from
00:23:53 - this device. 00:23:54 - Well, let's click on Apply.
00:23:55 - And there's the details of what's about to happen.
00:23:58 - We'll click on Send. 00:23:59 - And that's great.
00:24:00 - So now, we've got our CA server up
00:24:02 - and running and active. 00:24:03 - Now, how do we manage our users?
00:24:06 - So now, we're looking at adding users.
00:24:08 - These are users that we want to hand out certificates to
00:24:11 - for authentication. 00:24:12 - So let's click on Add.
00:24:14 - And let's say we're going to create a user called
00:24:16 - sales-user. 00:24:18 - That's who the certificate is going
to go to. 00:24:20 - And let's say they're at sales1@cbtnuggets.com.
00:24:27 - for the subject, let's go ahead and do the select.
00:24:29 - So we'll say this is going to be common name.
00:24:32 - It's going to be sales1. 00:24:34 - Maybe that's his name.
00:24:37 - And for the company name, it's going to be CBT Nuggets.
00:24:40 - Now, again, you can add all you want there.
00:24:42 - So these are all going to be in the user's identity
00:24:45 - certificates. 00:24:46 - So what we're doing here is we're
not passing out machine 00:24:49 - certificates.
00:24:49 - These are going to be certificates for users.
00:24:52 - So we can authenticate users based on digital certificates.
00:24:55 - We'll click on OK. 00:24:57 - So what's happening is this ASA--
00:24:59 - it's pretty amazing. 00:25:00 - The ASA is going to send email
to this email address using 00:25:03 - the SMTP server we specified--
00:25:05 - hopefully, he's sitting there ready to go--
00:25:07 - and is sending an invitation to that user to join in and to
00:25:11 - get a user identity certificate. 00:25:14 - Why?
00:25:14 - Because then we can use that identity certificate for the
00:25:17 - authentication of that user. 00:25:19 - There's going to be an OTP--
00:25:20 - a one time password-- 00:25:22 - that the user is going to have
to submit. 00:25:24 - And that's how when somebody does
connect to the ASA and 00:25:26 - says, yeah, I'd like to get that
certificate you told me 00:25:28 - about, the ASA is going to say,
OK, great. 00:25:30 - What's your one time password?
00:25:32 - Based on that one time password, the ASA will say,
00:25:34 - oh, I know exactly who this is. 00:25:36 - You've clicked on this link.
00:25:37 - You've supply the right one time password.
00:25:39 - Here is the actual identity certificate 00:25:41 - for the user to use.
00:25:43 - After we have sent out the invitations and after people
00:25:45 - have taken advantage of that-- they've signed up and they've
00:25:47 - got their identity certificate-- 00:25:49 - we can see those certificates right
here. 00:25:51 - So if we go back to Manage and
we say View or Regenerate a 00:25:54 - one time password, this is the
password 00:25:57 - that's going to be sent.
00:25:58 - So if I regenerate that, change it, and click OK, I
00:26:02 - would then want to go ahead and re-email it again.
00:26:05 - So the one time password emailed to the user.
00:26:08 - And they're going to need that to go ahead and complete the
00:26:10 - enrollment process with this CA. 00:26:13 - Understanding the licensing is
an important thing on the ASA,
00:26:16 - primarily because if we don't have the proper license in
00:26:19 - place, we won't get the proper functionality.
00:26:21 - For example, it's very difficult to do botnet
00:26:24 - filtering without a botnet license.
00:26:26 - It's very difficult to get a couple VPN users concurrently
00:26:29 - connected if we have the basic license that doesn't have the
00:26:32 - additional VPN support.
00:26:34 - So let's take a look at the types of licenses that we
00:26:36 - might have.
00:26:37 - We have some permanent licenses.
00:26:39 - And we have some that are temporary in nature.
00:26:42 - Now, there are two cases for temporary.
00:26:45 - We might have an evaluation license.
00:26:47 - And then we also might have a time-based one.
00:26:51 - An example of that for evaluation would be something
00:26:53 - like we ordered the ASA.
00:26:55 - We didn't order the right licenses.
00:26:57 - We need to go ahead and get a temporary license or an eval
00:27:00 - license on just so we can make do until we get all the
00:27:03 - paperwork straightened out, maybe a two-week or a four-
00:27:06 - week or a six-week license for some functionality that's
00:27:09 - needed by a critical business.
00:27:10 - Or it is for somebody to evaluate a product, so we give
00:27:13 - them a temporary license.
00:27:14 - A time-based license may be like the botnet, which is good
00:27:18 - for a year.
00:27:19 - So you buy a botnet license.
00:27:20 - It's good for a year.
00:27:22 - And then before that year is out, hopefully you renew it
00:27:25 - and you reapply the new key to restore that.
00:27:27 - So I'd take a look at how these licenses interact.
00:27:31 - Just for a moment, let's go for the botnet as an example.
00:27:34 - Let's say we have the botnet installed-- not a botnet,
00:27:38 - malicious code, but the botnet license.
00:27:40 - And it's a 12-month license.
00:27:44 - And then it gets down to two months left.
00:27:47 - So 10 months have gone by.
00:27:48 - We have two months left.
00:27:49 - We don't want to wait until our license expires and we
00:27:52 - don't have the functionality.
00:27:53 - We could buy another 12-month license.
00:27:57 - And now, we have botnet for a total of 14 months.
00:28:01 - So the key here is for a specific feature like botnet,
00:28:05 - the time is stackable.
00:28:07 - You don't get two times the botnet support.
00:28:09 - You just have the botnet feature and you have, for now,
00:28:11 - a total of 14 months.
00:28:13 - So that's how that part works.
00:28:14 - But let's take a look at VPN support.
00:28:17 - Let's say we have a temporary license, and it's four weeks
00:28:21 - for 1,000 VPN connections.
00:28:24 - So for whatever reason, we got a temporary license.
00:28:26 - It was for four weeks.
00:28:28 - It's going to time out.
00:28:29 - And it's for 1,000 VPNs.
00:28:31 - If we got another license--
00:28:33 - another four-week license--
00:28:35 - for 1,000 VPNs, what would we have?
00:28:39 - We would have eight weeks to support 1,000 VPNs.
00:28:43 - It doesn't mean we get 2,000.
00:28:45 - The temporary licenses are going to say, OK.
00:28:47 - You have 1,000, and it's good for eight weeks.
00:28:50 - And that's because they're the same feature.
00:28:51 - Now, the problem is if we had one license that said 500 VPN
00:28:55 - users for four weeks, and this guy said 800-- we don't have a
00:28:58 - license like that-- but 800 VPN users for more weeks, you
00:29:03 - can't do two features that are not exactly the same.
00:29:06 - So this one's 500.
00:29:07 - That one's 800.
00:29:09 - You'd have to choose the one you want and use that key.
00:29:12 - So in this case--
00:29:13 - in this hypothetical example--
00:29:15 - you could choose 800 or 500 [INAUDIBLE].
00:29:17 - We're talking about temporary licenses.
00:29:19 - Now, if you have real licenses that you purchased, let's take
00:29:23 - a look at some options where you get the full
00:29:25 - *** for the buck.
00:29:26 - One of those would be clusters.
00:29:30 - If you have a cluster and you have three devices in your
00:29:33 - cluster for VPN support, and all three of them have 1,000
00:29:38 - users each, you're going to get a total of 3,000 VPN users
00:29:43 - who could all connect.
00:29:44 - The same holds true with the current version of ASA 8.4 if
00:29:48 - we have failover.
00:29:50 - So here's our failover pair.
00:29:51 - Here's our primary.
00:29:53 - There's our secondary.
00:29:54 - This guy has a license for 1,000.
00:29:56 - This guy has a license for 1,000.
00:29:58 - Overall, we're going to have 2,000 people.
00:30:02 - That wasn't always the case.
00:30:03 - But that is now, so that's a good thing.
00:30:06 - So you have licenses on both.
00:30:07 - You get to use the whole set of licenses.
00:30:10 - So the thing to remember with licenses--
00:30:12 - primarily with these temporary licenses--
00:30:14 - is if you have different licenses--
00:30:17 - for example, maybe you have 250 versus 500 and they're
00:30:21 - both temporary--
00:30:22 - you get to choose one of them.
00:30:23 - You don't get both.
00:30:25 - So if we had an ASA that had a premium license--
00:30:31 - it had botnet--
00:30:34 - and then we added this one, we'd have a result of the ASA
00:30:37 - premium with botnet plus 500 users for the duration of
00:30:40 - whatever that time is.
00:30:41 - If we wanted to use 250 instead, great.
00:30:44 - You can apply this temporary license to this current
00:30:46 - license, and that would give you the ASA premium plus
00:30:49 - botnet plus 250 until that timed out.
00:30:52 - And botnet, by the way, is always timed out.
00:30:54 - The reason we could add the license for botnet and for the
00:30:57 - VPN is because they're different services.
00:30:59 - The real rub is when we have temporary licenses for
00:31:03 - different quantities of the same feature--
00:31:05 - for example, 250 versus 500 SSL VPN connections.
00:31:10 - That's when the temporary licenses just don't mix
00:31:13 - together well.
00:31:14 - IPv6 is a wonderful protocol.
00:31:17 - In the context of the VPN course with ASAs, all they
00:31:21 - are asking us to do is describe the support for it.
00:31:24 - And let's just put our big thumb up and
00:31:25 - say, yes, it is supported.
00:31:28 - Some things you should know, however, besides just the fact
00:31:30 - that it's supported.
00:31:32 - If Bob right here wants to use IPv6 to build a VPN tunnel to
00:31:38 - the ASA, he has got to use the AnyConnect client.
00:31:43 - The legacy IPsec VPN software client--
00:31:47 - the one with the gold block icon--
00:31:49 - that doesn't support IPv6.
00:31:51 - So for remote access, we're going to use
00:31:53 - AnyConnect for IPv6.
00:31:55 - For the site to site, it's really quite simple once we
00:31:58 - think about it.
00:31:59 - What do we need to have this work?
00:32:00 - Well, we need to have a peering
00:32:01 - between these two devices.
00:32:03 - They could peer with IPv4 or they could peer with IPv6.
00:32:07 - That's OK.
00:32:08 - But check this out.
00:32:09 - On the inside of the network, they would both need to be the
00:32:11 - same, meaning both sites would need to be version 4 on the
00:32:15 - inside or they would both need to be version 6 on the inside.
00:32:18 - But we couldn't go from version 4 on site one to
00:32:22 - version 6 on site two, because they're two
00:32:25 - incompatible protocols.
00:32:26 - We need to use the same.
00:32:27 - So as long as the two peers can peer with each other, and
00:32:31 - the inside networks of the two sites are running the same
00:32:34 - exact protocol, we could do IPsec site to site tunnels all
00:32:38 - day long, which includes IPv6.
00:32:41 - I absolutely appreciate you joining me.
00:32:43 - I hope this has been informative for you.
00:32:45 - And I'd like to thank you for viewing.