SSL VPN With Load Balancing
Overview

In this configuration, we will use two Cisco ASAs to provide SSL VPN access and support high availability with VPN Load Balancing. SSL users will be configured for Split Tunneling, which encapsulates corporate traffic and leaves non-corporate traffic to traverse the Internet normally. Cisco Secure ACS will house all accounts and provide authentication through RADIUS and TACACS+. SSL users will be authenticated via RADIUS. ASA device administration will be controlled through TACACS+.
[Network diagram: Public side (Internet): ASA1 216.1.1.2 and ASA2 216.1.1.3, VPN LB IP 216.1.1.1 (clients connect to https://216.1.1.1). Private side: ASA1 192.168.10.2, ASA2 192.168.10.3, 3845 AC, Corp LAN, 192.168.10.100 (the AAA host used in the configuration below).]
AnyConnect VPN

AnyConnect provides remote users with secure VPN connections to the ASA using the Secure Sockets Layer (SSL) protocol and the Datagram TLS (DTLS) protocol. SSL authentication to AnyConnect is done via a web browser, which can automatically download the VPN client. The AnyConnect client can be installed on Windows, Linux (multiple distros) and Mac OS X.

ASA VPN Load Balancing

Up to 10 ASAs can be configured to support load balancing and redundancy for VPN sessions. This is implemented by grouping two or more ASAs with the same private and public subnets into a virtual cluster. All ASAs in the virtual cluster carry session loads. Load balancing directs session traffic to the least loaded device in the cluster, thus distributing the load among all devices. It makes efficient use of system resources and provides increased performance and high availability.

If a machine in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster IP address. The virtual cluster master then directs these connections to another active device in the cluster. Should the virtual cluster master itself fail, another device in the cluster immediately and automatically takes over as the new virtual session master. Even if several devices in the cluster fail, users can continue to connect to the cluster as long as any one device in the cluster is up and available.
Page 1 of 8
 ! Stop the SSL VPN Client from attempting to install every time users connect
 anyconnect ssl rekey time 30
 ! Specify the number of minutes until the rekey takes place
 anyconnect ssl rekey method ssl
 anyconnect ask none default anyconnect
 homepage value http://www.cisco.com
 ! Launch Web Page for SSL Users. Can be internal Intranet or Public. In this example, we will auto launch Cisco's homepage post SSL Authentication.
!
!
tunnel-group SSL-TUNNEL1 type remote-access
tunnel-group SSL-TUNNEL1 general-attributes
 address-pool SSL-POOL1
 ! Associate the VPN Client address pool
 authentication-server-group RADIUS LOCAL
 ! Authenticate users to a RADIUS server such as Cisco ACS. You can also do local authentication.
 default-group-policy SSL-POLICY1
 ! Associate the group policy "SSL-POLICY1"
tunnel-group SSL-TUNNEL1 webvpn-attributes
 group-alias SSL-GROUP1 enable
 ! Configure the group alias as "SSL-GROUP1". This will display on the SSL VPN WebPage.
 key cisco
 ! Configure TACACS+ Host and Shared Secret
!
aaa-server RADIUS protocol radius
aaa-server RADIUS (Inside) host 192.168.10.100
 key cisco
 ! Configure RADIUS Host and Shared Secret
!
tunnel-group SSL-TUNNEL1 general-attributes
 authentication-server-group RADIUS LOCAL
 ! Authenticate users to a RADIUS server such as Cisco ACS. You can also do local authentication.

Note: Before logging out of this device, verify your authentication is working.

ASA01# test aaa-server authentication TACACS+ host 192.168.10.100 username morgan.stepp password cisco
INFO: Attempting Authentication test to IP address <192.168.10.100> (timeout: 12 seconds)
INFO: Authentication Successful
Verify Configuration
View AnyConnect Sessions
ASA01# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : morgan.stepp           Index        : 16
Assigned IP  : 10.50.0.5              Public IP    : 1.1.1.1
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 541923                 Bytes Rx     : 341600
Group Policy : SSL-POLICY1            Tunnel Group : SSL-TUNNEL1
Login Time   : 10:07:41 EDT Wed Jun 22 2011
Duration     : 1h:43m:31s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Morgan Stepp CCIE #12603 | morganstepp@yahoo
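The session listing above is what an operator reads by eye; a SOC will want to check it automatically, in particular the Encryption and Hashing columns, which for this session show RC4 and SHA1. The following Python is an added example (not from the page, and not Cisco tooling) that parses the two-column `show vpn-sessiondb anyconnect` layout into one dictionary per session and reports sessions that negotiated a weak algorithm. The sample text is constructed from the page's own session; the field names, the weak-algorithm sets and the function names are this example's assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the session printed on the page, reflowed into the
# two-column layout the ASA uses; every value is the page's own.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : morgan.stepp           Index        : 16
Assigned IP  : 10.50.0.5              Public IP    : 1.1.1.1
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 541923                 Bytes Rx     : 341600
Group Policy : SSL-POLICY1            Tunnel Group : SSL-TUNNEL1
Login Time   : 10:07:41 EDT Wed Jun 22 2011
Duration     : 1h:43m:31s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
"""

# One "Label : value" pair. A second pair on the same line is separated from
# the first by two or more spaces, so single spaces inside a value
# ("RC4 AES128", the login timestamp) do not terminate it.
PAIR_RE = re.compile(
    r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|\s*$)"
)

# Algorithms this example treats as weak (assumed policy, not an ASA setting).
WEAK_ENCRYPTION = {"RC4", "DES", "3DES"}
WEAK_HASHING = {"MD5", "SHA1"}


def parse_sessions(output: str) -> List[Dict[str, str]]:
    """Return one dict per session; a new session begins at each 'Username' label."""
    sessions: List[Dict[str, str]] = []
    for line in output.splitlines():
        for label, value in PAIR_RE.findall(line):
            label = label.strip()
            if label == "Username":
                sessions.append({})
            if sessions:  # pairs before the first Username (the header) are dropped
                sessions[-1][label] = value.strip()
    return sessions


def weak_crypto_findings(sessions: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(username, finding) for each weak algorithm a session negotiated."""
    findings: List[Tuple[str, str]] = []
    for s in sessions:
        user = s.get("Username", "?")
        for alg in s.get("Encryption", "").split():
            if alg.upper() in WEAK_ENCRYPTION:
                findings.append((user, f"weak encryption {alg}"))
        for alg in s.get("Hashing", "").split():
            if alg.upper() in WEAK_HASHING:
                findings.append((user, f"weak hashing {alg}"))
    return findings


if __name__ == "__main__":
    for user, finding in weak_crypto_findings(parse_sessions(SAMPLE_OUTPUT)):
        print(f"{user}: {finding}")
```

Feed the function the captured output of the command (for example, collected over SSH on a schedule) rather than the constructed sample; any session that only negotiates RC4 or SHA1 is a candidate for tightening the ASA's SSL cipher configuration.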
 priority 10
 interface lbpublic Outside
 interface lbprivate Inside
 cluster key *****
 ! Password Encrypted
 cluster ip address 216.1.1.1
 cluster encryption
 participate
ASA01# more system:running-config | b vpn load
vpn load-balancing
 priority 10
 interface lbpublic Outside
 interface lbprivate Inside
 cluster key cisco
 ! Password Un-encrypted
 cluster ip address 216.1.1.1
 cluster encryption
 participate
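The two listings above make the practical point: `show running-config` masks the cluster key, while `more system:running-config` prints it in clear, so a dump taken with the second command is the one to audit (and the one to protect when it is exported or pasted into a ticket). The same applies to the `key` under each `aaa-server` host in the AAA section earlier. As an added example that is not part of the page, the Python below reads such a dump, collects the `aaa-server` keys and the load-balancing `cluster key`, and reports default values, short values and one secret reused across services. The sample configuration is constructed from the page's lines (the two `aaa-server TACACS+` header lines are assumed, since only their key line appears on the page); the default-secret list and the 16-character threshold are this example's policy choices, not ASA defaults.

```python
import re
from typing import Dict, List

# Constructed sample assembled from the page's configuration lines as
# "more system:running-config" prints them (keys in clear text). The two
# "aaa-server TACACS+" header lines are assumed; only their key line is on the page.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (Inside) host 192.168.10.100
 key cisco
aaa-server RADIUS protocol radius
aaa-server RADIUS (Inside) host 192.168.10.100
 key cisco
vpn load-balancing
 priority 10
 interface lbpublic Outside
 interface lbprivate Inside
 cluster key cisco
 cluster ip address 216.1.1.1
 cluster encryption
 participate
"""

# Sub-commands that carry a shared secret: "key" under an aaa-server host and
# "cluster key" under vpn load-balancing.
SECRET_RE = re.compile(r"^\s*(cluster key|key)\s+(\S+)\s*$")

# Policy choices for this example, not ASA defaults.
DEFAULT_SECRETS = {"cisco", "cisco123", "password", "secret"}
MIN_SECRET_LEN = 16


def extract_secrets(config: str) -> Dict[str, str]:
    """Map each secret-bearing section (the unindented command above the key) to its key."""
    secrets: Dict[str, str] = {}
    section = ""
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and "!" annotations
        if not line[0].isspace():
            section = line.strip()  # a new top-level command starts a section
            continue
        m = SECRET_RE.match(line)
        if m:
            secrets[section] = m.group(2)
    return secrets


def audit_secrets(secrets: Dict[str, str]) -> List[str]:
    """Findings for masked, default, short and reused shared secrets."""
    findings: List[str] = []
    users_of: Dict[str, List[str]] = {}
    for section, key in secrets.items():
        if set(key) == {"*"}:
            # "show running-config" view: the value is hidden, so nothing can be judged
            findings.append(f"{section}: key is masked in this view; audit the "
                            "'more system:running-config' output instead")
            continue
        if key.lower() in DEFAULT_SECRETS:
            findings.append(f"{section}: default/guessable shared secret")
        elif len(key) < MIN_SECRET_LEN:
            findings.append(f"{section}: shared secret shorter than {MIN_SECRET_LEN} characters")
        users_of.setdefault(key, []).append(section)
    for key, sections in users_of.items():
        if len(sections) > 1:
            findings.append("one shared secret reused by: " + "; ".join(sections))
    return findings


if __name__ == "__main__":
    for finding in audit_secrets(extract_secrets(SAMPLE_CONFIG)):
        print(finding)
```

Reuse matters here because the RADIUS and TACACS+ keys protect different things (user authentication versus device administration) and the cluster key protects the load-balancing exchange between the ASAs; one shared value means one disclosure exposes all three.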