9999SSL VPN Lab.docx
Module 6 Lab: SSL VPN

PAN administrators have the ability to configure the firewall to provide client-to-site VPN access by configuring the SSL VPN portal. This will provide a means for an end user to authenticate to a web page, automatically download a client and provide a network connection via IPSec or SSL. Administrators will then be able to configure policy for individual users as they would for a normal firewall policy.

In this lab, you will configure an SSL VPN, and have another student test your configuration. In particular, the other student will become a node on your local 192.168.x.0 network, and be able to ping your student PC, and FTP to your FTP server on your student PC.

Part 1: Configuring the PAN Firewall

1. Go to the Device tab -> SSL-VPN Client. Click Refresh at the bottom of the screen. Make sure there is an appropriate version of the SSL-VPN client loaded on the firewall. This client will be downloaded to the user's machine when users first log in to the SSL VPN Portal.

2. After the screen refreshes, make sure that you have the appropriate version installed and activated. For example, version 1.1.0 is the appropriate version for PANOS 3.1.0:
There may be newer versions than 1.1.0, but only install a newer version if the instructor tells you to.

3. Next, you will generate a self-signed certificate used by the SSL VPN portal. Go to Device tab -> Certificates. Under SSL VPN / SSL Inbound Inspection Certificate, delete any certificates found there, as they were left over from a previous class.

4. Now click Generate a self signed certificate.

5. Enter a Name for the certificate, Common Name, Pass Phrase, Country Code, State, Locality, Organization, Department and Email Addresses in the appropriate fields.
After clicking Ok, the certificate will be generated and installed.

6. For SSL VPNs, users can be authenticated in various ways, including a local user database, LDAP, or via a RADIUS server. You will now create users in your local database. Go to the Device tab -> Local User Database -> Users and click New. Create a username and password by entering them in the appropriate fields. Click OK when finished. You can create multiple usernames if you desire.

7. An Authentication Profile is necessary in order to tie authentication to an SSL VPN Portal. This profile specifies who can log in, and how they will be authenticated. Go to Device tab -> Authentication Profile and click New, and enter parameters as below:
Click Ok to close the Authentication Profile screen.

8. Configure a tunnel interface to indicate to the firewall where the users will terminate. You can use the default tunnel interface for the first SSL VPN Portal you configure. Go to the Network tab -> Interfaces and click tunnel.

9. Set the virtual router and zone where you would like the tunnel interface to terminate.
In this lab, you are putting the tunnel interface in the trust-L3 zone so that you don't have to create a policy to allow the VPN users access to internal resources.
Best practice: place the tunnel interface in a separate Remote Access zone. By doing this, you can then inspect traffic from SSL clients for threats, and control which applications the SSL clients can send into the corporate network. If you place the tunnel interface in an untrusted zone, make sure to create a policy from untrust to trust that allows traffic to flow.

10. Determine which public interface will be used as the SSL VPN external IP. Go to the Network tab -> Interfaces, and make sure that interface does NOT have https enabled in its management profile. (If the public interface did have https enabled, then any SSL requests to the public IP would bring up a firewall login page, not the SSL VPN login page.)

11. You will now create a new SSL VPN Portal. This associates the certificate, authentication page, authentication profile, tunnel interface, external IP address and the client into one SSL VPN instance. Go to the Network tab -> SSL-VPN and click New.

12. On the first tab, enter the information as follows:
∙ Portal name: any name you choose
∙ Tunnel interface: tunnel
∙ Authentication profile: allow_local_users
∙ Server certificate: VPNxx
∙ Enable IPSec encapsulation (by not selecting this, users will always use SSL)
∙ Enable redirect HTTP traffic to HTTPS login page (by not selecting this, users must use HTTPS to get a login screen)
∙ Gateway Address Interface: ethernet1/1 (this is where users will point their browsers)
∙ Gateway IP Address: 172.16.1.xx/24
Here is an example configuration:

13. Select the Client Configuration tab and enter information as follows:
∙ Primary DNS: 10.30.11.50
∙ IP Pool for the clients: 192.168.x.20-192.168.x.30. (These IP ranges will be entered into the firewall's routing table (VR1): any traffic targeted to these IPs will be sent over the tunnel interface. Be careful that these routes do not conflict with other routes on the firewall.)
∙ Split Tunneling - Access Route: Enter the networks that need to be sent over the tunnel. These routes will go into the client's routing table. You want to have the client machine send everything over the tunnel, therefore enter 0.0.0.0/0.
Click Ok to close the New SSL-VPN Configuration screen.

14. Commit your changes.

15. From the firewall's CLI, run this command: show routing route. Make sure the routes you see there are as you expect. You will see that packets destined for the IP pool will be sent over the tunnel interface back to the clients.
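Step 13 warns that the pool routes must not conflict with other routes, and step 15 asks you to confirm the pool is reached over the tunnel. The check below is an added example, not part of the lab or of PAN-OS: it parses a constructed, shortened sample shaped like show routing route output (the column layout and the addresses are assumptions) and reports any pool address whose longest-prefix match leaves via an interface other than the tunnel.

```python
import ipaddress

# Constructed sample shaped like PAN-OS "show routing route" output for VR1 (not
# captured from a real firewall; lab pool 192.168.x.20-.30 with x=10, shortened).
# Address .23 is deliberately shadowed by a stale static host route out ethernet1/2.
SAMPLE_ROUTE_OUTPUT = """\
destination          nexthop         metric flags   age   interface
0.0.0.0/0            172.16.1.1      10     A S           ethernet1/1
172.16.1.0/24        172.16.1.10     0      A C           ethernet1/1
192.168.10.0/24      192.168.10.1    0      A C           ethernet1/2
192.168.10.20/32     0.0.0.0         10     A H           tunnel
192.168.10.21/32     0.0.0.0         10     A H           tunnel
192.168.10.22/32     0.0.0.0         10     A H           tunnel
192.168.10.23/32     192.168.10.254  10     A S           ethernet1/2
"""

def parse_routes(output):
    """Route lines -> dicts; header and banner lines are skipped."""
    routes = []
    for line in output.splitlines():
        f = line.split()
        if len(f) < 5 or "/" not in f[0]:
            continue
        try:
            dest = ipaddress.ip_network(f[0], strict=False)
        except ValueError:
            continue
        routes.append({"dest": dest, "nexthop": f[1], "metric": int(f[2]),
                       "flags": f[3:-1], "iface": f[-1]})  # age column is blank here
    return routes

def best_route(routes, addr):
    """Longest-prefix match among active ("A") routes; lower metric breaks ties."""
    addr = ipaddress.ip_address(addr)
    hits = [r for r in routes if "A" in r["flags"] and addr in r["dest"]]
    return max(hits, key=lambda r: (r["dest"].prefixlen, -r["metric"])) if hits else None

def check_pool(routes, first, last, tunnel_iface="tunnel"):
    """Pool addresses not routed via the tunnel -> the route that won (None = no route)."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    problems = {}
    for n in range(lo, hi + 1):
        r = best_route(routes, ipaddress.ip_address(n))
        if r is None or r["iface"] != tunnel_iface:
            problems[str(ipaddress.ip_address(n))] = r and f"{r['dest']} via {r['iface']}"
    return problems

if __name__ == "__main__":
    bad = check_pool(parse_routes(SAMPLE_ROUTE_OUTPUT), "192.168.10.20", "192.168.10.23")
    print(bad or "every pool address routes via the tunnel")
```

Paste the real CLI output in place of the sample and set the pool bounds from step 13; an empty result means every pool address is reached over the tunnel.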
Part 2: Establishing a tunnel from the client

In this part, you will need to work with another student to have them test access via your SSL VPN.

16. Ask the other student to ping your "public" IP address of 172.16.1.xx. This should work. If this doesn't work, troubleshoot the general networking issue before continuing.

17. Also have them try to ping your internal interface IP of 192.168.x.1; this should not work, as the remote PC is not connected via a VPN yet.

18. Ask the other student to launch the NetConnect application from their desktop and connect to your public IP of 172.16.1.xx. If using http, the student will be redirected to https. There will be a certificate error; that is fine, they can proceed with loading the page. A login screen will appear.

19. Enter the user credentials found in the RADIUS server. Click Login.
If login is unsuccessful, look for errors in the firewall's system log (Monitor tab -> System).

20. If login is successful, the screen below will appear.
Click Start to begin the download and installation process.

21. After accepting some JAVA and Certificate warnings the client should automatically launch. You should see bytes received and sent in the client.

22. There will be an icon in the System Tray, and a pop-up will appear saying NetConnect is connected. The tiny orange lock on the icon also indicates the tunnel is established.

23. Right click on the NetConnect icon, and select Information.

24. Select Network Configuration, and scroll down to locate the PAN Virtual Ethernet Adapter. Notice its configuration is what you configured.

25. Now that the tunnel is established, the other student should ping over the tunnel to an IP address that is in your internal network, for example, the firewall's internal interface. It should be successful. If it is not successful, check the routing table on the client machine. Make sure there is a route that sends traffic over the tunnel interface. Perform a traceroute to a server in the corporate network, to try to determine where the issue is.

26. On your computer, start up the 3cdaemon FTP server. Ask the other student to FTP to your server. It should be successful.

27. On the firewall, go to Monitor -> Logs -> Traffic to see traffic coming in from the other student's PC.

28. On the firewall, go to Monitor -> Logs -> System to view SSL VPN related messages. You can enter subtype eq sslvpn in the Filter field to show only SSL VPN related messages.

29. You can see users who have established sessions under Network tab -> SSL VPN -> More Users Info.