9999SSL VPN Lab.docx

9999SSL VPN Lab.docx

《9999SSL VPN Lab.docx》由会员分享，可在线阅读，更多相关《9999SSL VPN Lab.docx（11页珍藏版）》请在冰豆网上搜索。

9999SSLVPNLab

Module6Lab:

SSLVPN

PANadministratorshavetheabilitytoconfigurethefirewalltoprovideclient-to-siteVPNaccessbyconfiguringtheSSLVPNportal.Thiswillprovideameansforanendusertoauthenticatetoawebpage,automaticallydownloadaclientandprovideanetworkconnectionviaIPSecorSSL.Administratorswillthenbeabletoconfigurepolicyforindividualusersastheywouldforanormalfirewallpolicy.

Inthislab,youwillconfigureanSSLVPN,andhaveanotherstudenttestyourconfiguration.Inparticular,theotherstudentwillbecomeanodeonyourlocal192.168.x.0network,andbeabletopingyourstudentPC,andFTPtoyourFTPserveronyourstudentPC.

Part1:

ConfiguringthePANFirewall

1.GototheDevicetab->SSL-VPNClient.ClickRefreshatthebottomofthescreen.MakesurethereisanappropriateversionofSSL-VPNclientloadedonthefirewall.Thisclientwillbedownloadedtotheuser’smachinewhenusersfirstlogintotheSSLVPNPortal.

2.Afterthescreenrefreshes,makesurethatyouhavetheappropriateversioninstalledandactivated.Forexample:

version1.1.0istheappropriateversionforPANOS3.1.0:

Theremaybenewerversionsthan1.1.0,butonlyinstallaversionneweriftheinstructortellsyouto.

3.Next,youwillgenerateaself-signedcertificateusedbytheSSLVPNportal.GotoDevicetab->Certificates.UnderSSLVPN/SSLInboundInspectionCertificate,deleteanycertificatesfoundthere,asthatwasfromapreviousclass.

4.NowclickGenerateaselfsignedcertificate.

5.EnteraNameforthecertificate,CommonName,PassPhrase,CountryCode,State,Locality,Organization,DepartmentandEmailAddressesintheappropriatefields.

AfterclickingOk,thecertificatewillbegeneratedandinstalled.

6.ForSSLVPNs,userscanbeauthenticatedinvariousways,includingalocaluserdatabase,LDAP,orviaaRADIUSserver.Youwillnowcreateusersinyourlocaldatabase.GototheDevicetab->LocalUserDatabase->UsersandclickNew.Createausernameandpasswordbyenteringthemintheappropriatefields.ClickOKwhenfinished.Youcancreatemultipleusernamesifyoudesire.

7.AnAuthenticationProfileisnecessaryinordertotieauthenticationtoaSSLVPNPortal.Thisprofilespecifieswhocanlogin,andhowtheywillbeauthenticated.GotoDevicetab->AuthenticationProfileandclickNew,andenterparametersasbelow:

ClickOktoclosetheAuthenticationProfilescreen.

8.Configureatunnelinterfacetoindicatetothefirewallwheretheuserswillterminateto.YoucanusethedefaulttunnelinterfaceforthefirstSSLVPNPortalyouconfigure.GototheNetworktab->Interfacesandclicktunnel.

9.Setthevirtualrouterandzonewhereyouwouldlikethetunnelinterfacetoterminate.

Inthislab,youareputtingthetunnelinterfaceinthetrust-L3zonesothatyoudon’thavetocreateapolicytoallowtheVPNusersaccesstointernalresources.

Bestpractice:

placethetunnelinterfaceinaseparateRemoteAccesszone.Bydoingthis,youcantheninspecttrafficfromSSLclientsforthreats,andcontrolwhichapplicationstheSSLclientscansendintothecorporatenetwork.Ifyouplacethetunnelinterfaceinanuntrustedzone,makesuretocreateapolicyfromuntrusttotrustthatallowstraffictoflow.

10.DeterminewhichpublicinterfacewillbeusedastheSSLVPNexternalIP.GotoNetworkstab->Interfaces,andmakesurethatinterfacedoesNOThavehttpsenabledinitsmanagementprofile.（Ifthepublicinterfacedidhavehttpsenabled,thenanySSLrequeststothepublicIPwouldbringupafirewallloginpage,nottheSSLVPNloginpage.）

11.YouwillnowcreateanewSSLVPNPortal.Thisassociatesthecertificate,authenticationpage,authenticationprofile,tunnelinterface,externalIPaddressandtheclientintooneSSLVPNinstance.GototheNetworktab->SSL-VPNandclickNew.

12.Onthefirsttab,entertheinformationasfollows:

∙Portalname:

anynameyouchoose

∙Tunnelinterface:

tunnel

∙Authenticationprofile:

allow_local_users

∙Servercertificate:

VPNxx

∙EnableIPSecencapsulation（bynotselectingthisuserswillalwaysuseSSL）

∙EnableredirectHTTPtraffictoHTTPSloginpage（bynotselectingthisusersmustuseHTTPStogetaloginscreen）

∙GatewayAddressInterface:

ethernet1/1（thisiswhereuserswillpointtheirbrowsers）

∙GatewayIPAddress:

172.16.1.xx/24

Hereisanexampleconfiguration:

13.SelecttheClientConfigurationtabandenterinformationasfollows:

∙PrimaryDNS:

10.30.11.50

∙IPPoolfortheclients:

192.168.x.20-192.168.x.30.（TheseIPrangeswillbeenteredintothefirewall’sroutingtable（VR1）—anytraffictargetedtotheseIPs,willbesentoverthetunnelinterface.Becarefulthattheseroutesdonotconflictwithotherroutesonthefirewall.）

∙SplitTunneling-AccessRoute:

Enterthenetworksthatneedtobesentoverthetunnel.Theserouteswillgointotheclient’sroutingtable.Youwanttohavetheclientmachinesendeverythingoverthetunnel,thereforeenter0.0.0.0/0.

ClickOktoclosetheNewSSL-VPNConfigurationscreen.

14.Commityourchanges.

15.Fromthefirewall’sCLI,runthiscommand:

showroutingroute.Makesuretheroutesyouseethereareasyouexpect.YouwillseethatpacketsdestinedfortheIPpoolwillbesentoverthetunnelinterfacebacktotheclients.

Part2:

Establishingatunnelfromtheclient

Inthispart,youwillneedtoworkwithanotherstudenttohavethemtestaccessviayourSSLVPN.

16.Asktheotherstudenttopingyour“public”IPaddressof172.16.1.xx.Thisshouldwork.Ifthisdoesn’twork,troubleshootthegeneralnetworkingissuebeforecontinuing.

17.AlsohavethemtrytopingyourinternalinterfaceIPof192.168.x.1—thisshouldnotwork,astheremotePCisnotconnectedviaanVPNyet.

18.AsktheotherstudenttolaunchtheNetConnectapplicationfromtheirdesktopandconnecttoyourpublicIPof172.16.1.xx.Ifusinghttp,thestudentwillberedirectedtohttps.Therewillbeacertificateerror-thatisfine,theycanproceedwithloadingthepage.Aloginscreenwillappear.

19.EntertheusercredentialsfoundintheRADIUSserver.ClickLogin.

Ifloginisunsuccessful,lookforerrorsinthefirewallssystemlog（Monitortab->System）

20.Ifloginissuccessful,thescreenbelowwillappear.

ClickStarttobeginthedownloadandinstallationprocess.

21.AfteracceptingsomeJAVAandCertificatewarningstheclientshouldautomaticallylaunch.Youshouldseebytesreceivedandsentintheclient.

22.

TherewillbeaniconintheSystemTray,andapop-upwillappearsayingNetConnectisconnected.Thetinyorangelockontheiconalsoindicatesthetunnelisestablished.

23.RightclickontheNetConnecticon,andselectInformation.

24.SelectNetworkConfiguration,andscrolldowntolocatethePANVirtualEthernetAdapter.Noticeitsconfigurationiswhatyouconfigured.

25.Nowthatthetunnelisestablished,theotherstudentshouldpingoverthetunneltoanIPaddressthatisinyourinternalnetwork,forexample,thefirewall’sinternalinterface.Itshouldbesuccessful.Ifitisnotsuccessful,checktheroutingtableontheclientmachine.Makesurethereisaroutethatsendstrafficoverthetunnelinterface.Performatraceroutetoaserverinthecorporatenetwork,totrytodeterminewheretheissueis.

26.Onyourcomputer,startupthe3cdaemonFTPserver.AsktheotherstudenttoFTPtoyourserver.Itshouldbesuccessful.

27.Onthefirewall,gotoMonitor->Logs->Traffictoseetrafficcominginfromtheotherstudent’sPC.

28.Onthefirewall,gotoMonitor->Logs->SystemtoviewSSLVPNrelatedmessages.YoucanentersubtypeeqsslvpnintheFilterfieldtoshowonlySSLVPNrelatedmessages.

29.YoucanseeuserswhohaveestablishedsessionsunderNetworktab->SSLVPN->MoreUsersInfo