Deploying Cisco ASA VPN Solutions (VPN) v2.0 Global Knowledge European Remote Labs Instructor Guide
1. Contents

1. Contents ... 2
2. Introduction ... 3
3. Remote Labs Topology, Connections and Setup ... 4
4. Initial Lab Configuration Set-up ... 5
5. Lab Clear Down Procedure ... 6
6. Lab Exercises ... 8
7. Support Information ... 14
   Web Support Portal ... 19
   E-Mail ... 19
   Telephone ... 19
   Other Contact Methods ... 19

Copyright Global Knowledge Page 2
2. Introduction

This guide has been developed to complement the existing Cisco, CAG and Lab Guides relating to the Deploying Cisco ASA VPN Solutions v2.0 course. As such, this document should ONLY be read and utilised in conjunction with those Cisco guides.

The Global Knowledge VPN v2.0 Remote Lab has been built to mirror, as closely as possible, the Cisco lab configuration. You may therefore assume that any detail not contained in this Remote Lab Instructor Guide remains as documented in the Cisco manuals.

Instructions and login/connection details for access to the Global Knowledge Remote Lab solution will be provided via an Access E-Mail. This will contain links to any required documentation, along with details of the contact methods for obtaining further information and Support services.
3. Remote Labs Topology, Connections and Setup

[Figure 3-1: VPN v2.0 Instructor Web Page]

Core Devices
The RBB router is common to all pods and provides the Internet Backbone connection. There are 2 Core Switches deployed for the 8 pod, 8 delegate racks, but only 1 Core Switch for the 4 pod, 4 delegate racks. Core Switch 2 is not required for the smaller racks (as noted on the Instructor Web Page diagram).

Lab IP Addressing
The Pod Addressing scheme follows the Cisco Lab Guide, with each Pod using an identical addressing scheme. The RBB and Core Switch(es) are configured with VLANs and VRF routing to allow for this.
4. Initial Lab Configuration Set-up

Load the Base configurations for all devices from the Device Management tool on the Instructor Web Access page. All PCs will have been reset to default prior to the lab being made available for use.

It is recommended that, for the ASAs, you first run Erase Device and then Load Base Config: occasionally a previous class may not have cleared down correctly, and the Erase ensures there is no configuration corruption.

Note: The initial configuration for the Pod ASA Firewalls will ensure that the correct starting IOS and ASDM files are loaded. This initial configuration is also sufficient to test basic connectivity (see Lab 2-1, Task 1 in the Lab Exercises section below).

The Core RBB Router is used as the NTP Master Clock for the ASAs. Ensure that the Router clock is set to the current time/date.

PC Logins
The Pod Client and Server logins for all pods are:
  Username: administrator
  Password: cisco

Core Device Logins
Core Router logins are:
  VTY password: cisco
  Enable password: cisco123
For several labs, the students are required to login to the Core RBB router:
  Username: student
  Password: cisco
Core Switch logins are:
  Enable password: globalk
IMPORTANT NOTE: Loading Lab Start Configurations

The course lab exercises are written such that each lab builds on the configuration completed in the previous lab exercise. However, there may be circumstances where a lab has not been completed fully and successfully. To assist in these circumstances, Lab Start Configurations have been provided, via the Device Management tool, for each lab. There are 2 important points to remember when using these Lab Start Configs, however:

1. A number of lab exercises demand the uploading of additional software to the ASA Flash memory. Loading a Lab Start Configuration will not install these files. The Instructor/Student(s) should identify whether these files are in place and, where necessary, identify and perform, from previous lab exercises, the lab steps required to upload/construct these files.

2. The Student ASDM sessions to the ASAs should be closed down prior to loading the Lab Start Configs for the next lab. Failure to do this could result in cached config data from the ASDM sessions overwriting the new Lab Start Config and causing lab errors.
5. Lab Clear Down Procedure

Load the Base configurations for all devices from the Device Management tool on the Instructor Web Access page. PC clear down will be performed by the Remote Lab Support team.

Notify Remote Lab Support that you have finished using the equipment by replying to the End of Course Confirmation e-mail, which will have been sent to you during the class.

Please do NOT reply to the End of Course Confirmation e-mail for ANY OTHER purpose. This may cause confusion: it may be taken that you have completed your class, and your rack may be disconnected or cleared as a result.

If, for any reason, you have not received the above e-mail, please send an e-mail to the Support e-mail address (Section 2 above), confirming the Course and Rack used, and that you have completed the class and finished using the equipment.
6. Lab Exercises

Lab 2-1: Configuring Basic Clientless VPN Access on the Cisco ASA Adaptive Security Appliance

Setup
Setup is completed as part of the Initial Lab Setup (as detailed in Section 4, Initial Lab Configuration Set-up, on Page 5 of this guide). Base Configs for all devices should have been loaded.

Task 1
All OK. (Note: the ASA has no enable password set; just press Enter at the Password: prompt.)
Answer (N)o to the question "Would you like to enable anonymous error reporting to help improve the product?"

Task 2
All OK

Task 3
Step 4: Change the default Trustpoint name from 1 to 0.
  Enrolment URL: 10.0.1.11/certsrv/mscep/mscep.dll
  Accept the Warning Message regarding the Trustpoint0 configuration. Allow the screen to refresh, then click Cancel and verify that the Identity Certificate has been loaded. You may need to click Refresh to display the certificate.

Task 4
All OK

Task 5
All OK. Do NOT attempt to login at this stage; full login access will be set up and tested in the following lab task.

Task 6
Step 5: Then click OK.
Step 9: Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks and add ...
Step 11: Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies and edit the BASIC-CLIENTLESS-POLICY. Configure a banner.
Step 19: You may need to change the Filter By setting to view the SSL VPN connection.
Lab 2-2: Configuring Advanced Application Access for Clientless SSL VPNs

Setup
No setup required. Lab configs used are as at completion of the previous lab (Lab 2-1). However, if necessary, load the Lab 2-2 configs onto the appropriate ASA devices.

Task 1
All OK (this task is a repeat of the previous lab verification).

Task 2
Step 5: Note: VNC is NOT enabled on the w2k8s host.
Step 15: The username is administrator with the password cisco.
Step 16: Click the image of a house in the top-right corner of the WebVPN session to return to the clientless portal.
  Alternatively: the lab guide images show the RDP session running in the original portal window. To achieve this, click the web page messages and allow the ActiveX add-on to run.
Step 18: VNC is NOT enabled on the w2k8s server; however, Telnet and SSH are configured and can be tested:
  Telnet login is: administrator / cisco
  SSH login is: admin / cisco
  Students might also want to configure Bookmarks for Telnet and/or SSH.
Step 19: HTTP access does not work if enabled via the Filter on URL option.

Task 3
Step 12: Start the native RDP session from the Windows PC Start menu: click in the Search Programs and Files box and enter mstsc /h:600 /w:800. Starting mstsc from a Command Prompt does not work correctly with the Smart Tunnel Auto-Start (although this method is fine if the Smart Tunnel is started manually). Log in with username administrator and password cisco.
Lab 2-3: Customizing the SSL VPN Portal on the Cisco ASA Adaptive Security Appliance

Setup
No setup required. Lab configs used are as at completion of the previous lab (Lab 2-2). However, if necessary, load the Lab 2-3 configs onto the appropriate ASA devices.

Task 1
All OK

Task 2
All OK
Lab 3-1: Configuring Basic Cisco AnyConnect Client Full-Tunnel SSL VPNs Using Local Password Authentication

Setup
No setup required. Lab configs used are as at completion of the previous lab (Lab 2-3). However, if necessary, load the Lab 3-1 configs onto the appropriate ASA devices.

Task 1
Step 6: Upload the AnyConnect file to ASA Flash > disk0:

Task 2
All OK

Additional Steps (required for Task 3, next):
By default, the Cisco AnyConnect Secure Mobility Client does not permit Remote Access RDP sessions. Because this is a remote lab, attempting to launch the AnyConnect client via the remote lab Client PC will result in an error message: "VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established." Perform the following additional steps to permit Remote Access RDP sessions:
Step 22: Choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile. Click ADD and create a profile called "profile".
Step 23: Select BASIC-FT-GROUP-POLICY for the Group Policy and leave all other settings at default. Click OK.
Step 24: Edit the newly created profile. In the Preferences (Part 1) screen, under Windows VPN Establishment, choose AllowRemoteUsers.
Step 25: Click OK, then Apply. The profile will be included as part of the AnyConnect Client download to the PC.

Task 3
Step 1: Navigate to the Cisco ASA at https://vpn.domain.com

Task 4
Ignore Step 5.
Step 6: Go to the C:\VPN\AnyConnect Deploy 3.0.1047 folder.
Lab 3-2: Deploying the Cisco AnyConnect Client with Centralized Management

Setup
No setup required. Lab configs used are as at completion of the previous lab (Lab 3-1).

Task 1
Step 3: Choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software
Step 4: Upload the software package to ASA Flash > disk0:

Task 2
Step 2: Delete the profile.xml file (this is the file that was downloaded from the ASA to the PC during Lab 3-1, Task 2).
Step 5: Delete the profile named "profile" that you created earlier in Lab 3-1, Task 2. Choose Delete Profile and XML File and click Apply. Then proceed to add the new profile as described.
Step 7: Additionally, change the Windows VPN Establishment option to Allow Remote Users.

Task 3
All OK
Lab 3-3: Configuring Basic Cisco AnyConnect Full Tunnel SSL VPNs Using Local CA and SCEP Proxy

Setup
No setup required. Lab configs used are as at completion of the previous lab (Lab 3-2).

Task 1
All OK

Task 2
All OK

Task 3
Step 3: Choose Configuration > Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps

Task 4
All OK

Task 5
Step 1: certmgr.msc
Step 2: Ignore Step 2; the account is already Administrator.
Step 5: Delete the local CA Server. Go to Configuration > Certificate Management > Local Certificate Authority > CA Server. Open the More Options field, then select Delete Certificate Authority Server and Apply.
Step 14: Accept the Warning Message.
Step 19: To get this to work correctly, it may be necessary to delete the AnyConnect profile file first. If so, on the Client PC, go to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile and delete the MY-CLIENT-PROFILE.xml file.
Lab 4-1: Deploying Basic Remote Access IPSec VPN with IKEv2

Setup
No setup required. Lab configs used are as at completion of the previous lab (Lab 3-3).

Task 1
All OK

Task 2
All OK
Lab 5-1: Deploying a Basic Cisco ASA Security Appliance IPSec IKEv1 Site-to-Site VPN

Setup
No setup required. Lab configs used are as at completion of the previous lab (Lab 4-1).

Task 1
All OK

Task 2
Step 3: Login credentials for the RBB router are:
  Username: <Leave Blank>
  Password: cisco123

Task 3
Step 3: Next, choose Configuration > Site-to-Site VPN > Advanced > Tunnel Groups
Step 17: Clicking OK is NOT required.

Task 4
Step 7: Verify that the authentication mode IS rsacertificate.
Lab 6-1: Deploying Cisco Secure Desktop in Cisco SSL VPNs

Setup
No setup required. Lab configs used are as at completion of the previous lab (Lab 5-1).

Task 1
Step 4: The Flash File System Path will be: disk0:/csd_3.6.181-k9.pkg
Step 7: Choose Configuration > Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps

Task 2
Step 5: Click the Login Denied label, NOT the Plus (+) sign.
Step 14: Install the required ActiveX (accept all prompts to install the ActiveX module).

Task 3
Step 5: Add a Process Scan: Endpoint ID: 10, Process Name: mstsc.exe.
Step 8: Endpoint Attribute Type = Disabled. Result should show: enabled! = ok
Step 14: Install the required ActiveX (accept all prompts to install the ActiveX module).
Lab 6-2: Configuring a Load-Balancing SSL VPN Cluster

Setup
Load the Lab 6-2 Config onto the even-numbered Pod ASAs (ASA 2) and the Core Switches, from the Device Management tool. (Note: Odd-numbered pod ASAs (ASA 1) will RETAIN their config from the previous labs.)
Odd and Even numbered Pods will be paired up for this lab:
  Pod 1 ASA becomes ASA 1 and pairs with Pod 2 ASA, which becomes ASA 2
  Pod 3 ASA becomes ASA 1 and pairs with Pod 4 ASA, which becomes ASA 2
  Pod 5 ASA becomes ASA 1 and pairs with Pod 6 ASA, which becomes ASA 2
  Pod 7 ASA becomes ASA 1 and pairs with Pod 8 ASA, which becomes ASA 2
Please NOTE that there is NO new Web diagram for access. Students will pair up and use the odd-numbered pod page to launch the PCs for test access. However, access to the second ASA (ASA 2) will still be via the even-numbered pod web page diagram.

Task 1
Pre-Configuration: The Cisco ASA is not designed to operate efficiently as a Default Gateway. However, in this lab topology it is being used as such. There are a number of functions within the ASA IOS that can cause odd behavior when it is used as a Default Gateway. One such function is Proxy ARP. In this lab, where 2 ASAs are connected via a common network, the Proxy ARP function causes an unwanted situation where only one of the ASA MAC addresses is reported to the Server PC (the reported ASA is running Proxy ARP on behalf of the other ASA). The result is that it is only possible to access the Server PC via one of the VPN connections. To allow both connections to access the Server, the default Proxy ARP settings need to be modified. On both ASA devices, open a console session and issue the following command:
  sysopt noproxyarp inside
Step 2: Open Internet Explorer and navigate to https://vpn.domain.com.
Step 4: Open Firefox and navigate to https://vpn-backup.domain.com.

Task 2
Step 14: Click Yes in response to the Load Balancing Apply Confirmation message.

Task 3
Step 9: Check the "Send FQDN to client instead of an IP Address when redirecting" box.
Step 10: Click Yes in response to the Load Balancing Apply Confirmation message.
Step 12: Open Internet Explorer and navigate to https://cluster.domain.com. You may be redirected to either ASA.
Step 13: Therefore, access the CLI of the ASA you are connected to and enter the show vpn load-balancing command.

Task 4
Step 12: Using Firefox, again open a VPN session to https://cluster.domain.com. This time you should be redirected to the vpn-backup.domain.com ASA, as the existing session is already connected to the vpn.domain.com ASA. Confirm that load-balancing is taking place by issuing the show vpn load-balancing command on the CLIs of both ASAs. You should see one session on each ASA, with 50% load.
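For instructors who prefer to check or repair the Lab 6-2 cluster from the console rather than ASDM, the following is an added CLI equivalent of the Task 1 Proxy ARP change and the Task 2/Task 3 load-balancing settings; it is not part of the Cisco lab guide or the Lab Start Configs. The cluster virtual IP (192.0.2.100), the DNS server address and the outside/inside interface names are assumed placeholders, while the FQDNs are the ones used in the lab.

```cisco
! Added example (not from the Cisco lab guide or the Lab Start Configs).
! Enter on BOTH cluster members (ASA 1 and ASA 2).
! Placeholders: 192.0.2.100 (cluster virtual IP), 10.0.1.11 (DNS server,
! assumed), interface names outside/inside (assumed). FQDNs are the lab's own.

! Task 1 pre-configuration: stop this ASA answering ARP on behalf of its peer,
! so the Server PC learns each ASA's own MAC address.
sysopt noproxyarp inside

! "Send FQDN to client" (Task 3, Step 9) redirects to vpn.domain.com /
! vpn-backup.domain.com instead of an IP, so the ASA must be able to
! reverse-resolve its peer's address; DNS lookup is therefore required.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.1.11

! Load-balancing cluster (Task 2 / Task 3). Both members use the same
! virtual cluster IP and port; equal priority gives the even split seen in Task 4.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 192.0.2.100
 cluster port 9023
 priority 5
 redirect-fqdn enable
 participate

! Verification (Task 3 Step 13 / Task 4 Step 12): run on both members and
! confirm one session per ASA at 50% load.
show vpn load-balancing
```

If a student's second session lands on the same ASA as the first, check that both members show Status: enabled in the verification output before re-checking the Proxy ARP setting.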
7. Support Information

Web Support Portal
The Web Support Portal provides the following:
  Direct logging of Support Calls into the Support Call database
  Direct Real-time monitoring of your logged Support Call progress
  Recall of previously logged Support Calls (max. 30 days)
  Knowledge Base: Self-Help FAQs on Common Support Questions and Calls, Course information and Guides, Hints and Tips
  Bulletin Board: Current Lab Status, New Course Information, New Document Releases
  Access to User and Setup Guides, Classroom Kit Lists and other information (access to some data will require valid Event credentials)
For login information and details of how to use our Web-based Support Portal, please access the User Guide at the following URL: http://rlsupport.globalknowledge.net/docs/portal-userguide.pdf
To access the Web Support Portal, go to: http://rlsupport.globalknowledge.net

E-Mail
The Support Team E-Mail address is: rls@globalknowledge.net

Telephone
Support Direct Telephone Line: +44 (0)118 989 7735

Other Contact Methods
We do not normally encourage contact methods (e.g. Skype, MSN etc.) other than the above, as these other methods often do not easily provide a means to record and track support information. Such information is important to us, as it allows us to continually monitor and improve our support service to you.