LTLnetworker | IT networks, security, Cisco

Smart tunnels on Cisco ASA

Posted by ltlnetworker on January 17, 2014


Sometimes we have to provide secure remote access for users over whose computers we have no control at all. These computers have neither AnyConnect nor the Cisco VPN client, and the users may not have administrator rights, so browser-based AnyConnect installation is not an option either. For such users we can set up a WebVPN portal on the Cisco ASA with the clientless SSL VPN feature.

Clientless SSL VPN provides a web portal with various services such as internal websites, CIFS links, Outlook Web Access etc., all accessed via the browser. The ASA serves HTTPS to the client and proxies the internal server's content. Because the SSL core rewriter (content rewriter) works as an application-layer proxy, not every website is guaranteed to work properly. For example, as of 9.1(3) the ASA software does not support the Microsoft SharePoint 2013 portal, and some tricky content is not displayed.

The SSL VPN code also contains a smart tunnel feature. It is downloaded as an ActiveX control (but see the gotchas below) and lets the client send all TCP traffic of a specific non-browser application on the client computer natively into the SSL VPN tunnel. For example, the firewall administrator adds notes.exe (or even *.exe) to the smart tunnel list, and the Lotus Notes application then sends all its TCP traffic into the tunnel (towards the internal mail server). In other words, an application that is separate from the browser is forced to couple its traffic to the browser session. Note that smart tunnel carries TCP only; UDP traffic of the application is not tunneled.

Apart from named applications, the smart tunnel feature can also be activated for a web-based application (called a bookmark in ASDM). If an application does not render well through the SSL VPN rewriter, you can modify the bookmark for that application to enable smart tunnel for that bookmark.

[image: st01]

Consequently, if the user clicks on such a bookmark, all TCP traffic of the web browser is tunneled into the SSL VPN. In the case of a smart-tunneled web application the URL is simply the original internal URL. The client is forced to tunnel the HTTP or HTTPS request through the SSL VPN tunnel, and the ASA merely forwards and de/encapsulates the client-server traffic without rewriting it. (That is why the SharePoint 2013 portal works with this method.) A side effect is that any other browser request is also sent to our firewall if the user browses other websites in other windows or tabs. (Remember, smart tunnel forces the application to send all its TCP traffic into the tunnel.) By default such traffic is allowed by the ASA, so you will see extra redirected outbound internet traffic from remote users:

Jan 13 2014 20:47:09 ddd-asa5520 : %ASA-6-716003: Group <GP_uuu_clientless> User <DDD\PeterVPN> IP <a.b.c.d> WebVPN access GRANTED: smart-tunnel://sp2013/
Jan 13 2014 20:47:09 omg-asa5520 : %ASA-6-716003: Group <GP_uuu_clientless> User <DDD\PeterVPN> IP <a.b.c.d> WebVPN access GRANTED: smart-tunnel://urs.microsoft.com/
Jan 13 2014 20:48:15 omg-asa5520 : %ASA-6-716003: Group <GP_uuu_clientless> User <DDD\PeterVPN> IP <a.b.c.d> WebVPN access GRANTED: smart-tunnel://www.adobe.com/

You may want to restrict this type of traffic with a webtype ACL. However, there are some problems with that. First, if you enforce such rules on the firewall, the clients will not be able to open other websites at all while their WebVPN session is active, because the browser still sends every request into the tunnel and the ASA rejects the denied ones instead of letting them go out directly. Second, webtype ACLs are buggy: sometimes the ACL denies servers despite a permit statement. It is more sensible to teach the client which hosts or networks belong to the SSL VPN. The concept is similar to split tunneling for VPN clients and is called tunnel policy. We can define hostnames and IP addresses, and the application will send only requests to those destinations into the tunnel; everything else goes out directly. (In practice both the hostnames and the corresponding IP addresses or ranges must be added to the list.)

[image: st03]

[image: st03b]
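As an added example (not part of the original post and not Cisco's code), the following Python script checks %ASA-6-716003 smart-tunnel log lines of the kind shown above against a tunnelspecified tunnel policy: it parses the smart-tunnel network entries from an ASA configuration fragment and reports which of the logged destinations would have gone directly to the internet instead of through the tunnel, and which would have stayed inside it. The configuration fragment (the NET_INTERNAL list name, the 10.1.0.0/16 range and the *.corp.example host mask), the two extra syslog lines (an internal IP and mail.corp.example) and the use of a single ASA hostname are constructed assumptions; the command forms follow the smart-tunnel network and smart-tunnel tunnel-policy commands of ASA 9.1, and wildcard matching of host masks is modelled with fnmatch.

```python
"""Check Cisco ASA smart-tunnel access logs against a tunnel policy.

Added example, not from the original post: shows which logged destinations
a 'tunnelspecified' policy keeps in the SSL VPN tunnel and which go direct.
"""
import ipaddress
import re
from fnmatch import fnmatch

# Constructed ASA configuration fragment (assumption: list name, range and
# host masks are made up; command forms follow ASA 9.1 smart-tunnel syntax).
ASA_CONFIG = """
webvpn
 smart-tunnel network NET_INTERNAL ip 10.1.0.0 255.255.0.0
 smart-tunnel network NET_INTERNAL host sp2013
 smart-tunnel network NET_INTERNAL host *.corp.example
group-policy GP_uuu_clientless attributes
 webvpn
  smart-tunnel tunnel-policy tunnelspecified NET_INTERNAL
"""

# Constructed syslog lines in the %ASA-6-716003 format quoted in the post;
# the last two entries (an internal IP and mail.corp.example) are made up.
SYSLOG = r"""
Jan 13 2014 20:47:09 ddd-asa5520 : %ASA-6-716003: Group <GP_uuu_clientless> User <DDD\PeterVPN> IP <a.b.c.d> WebVPN access GRANTED: smart-tunnel://sp2013/
Jan 13 2014 20:47:09 ddd-asa5520 : %ASA-6-716003: Group <GP_uuu_clientless> User <DDD\PeterVPN> IP <a.b.c.d> WebVPN access GRANTED: smart-tunnel://urs.microsoft.com/
Jan 13 2014 20:48:15 ddd-asa5520 : %ASA-6-716003: Group <GP_uuu_clientless> User <DDD\PeterVPN> IP <a.b.c.d> WebVPN access GRANTED: smart-tunnel://www.adobe.com/
Jan 13 2014 20:49:02 ddd-asa5520 : %ASA-6-716003: Group <GP_uuu_clientless> User <DDD\PeterVPN> IP <a.b.c.d> WebVPN access GRANTED: smart-tunnel://10.1.20.5/
Jan 13 2014 20:49:30 ddd-asa5520 : %ASA-6-716003: Group <GP_uuu_clientless> User <DDD\PeterVPN> IP <a.b.c.d> WebVPN access GRANTED: smart-tunnel://mail.corp.example/
"""

NETWORK_RE = re.compile(
    r"^\s*smart-tunnel network (\S+) (ip|host) (\S+)(?: (\S+))?\s*$")
POLICY_RE = re.compile(
    r"^\s*smart-tunnel tunnel-policy (tunnelspecified|excludespecified|tunnelall)"
    r"(?: (\S+))?\s*$")
LOG_RE = re.compile(
    r"%ASA-6-716003: Group <([^>]*)> User <([^>]*)> IP <([^>]*)> "
    r"WebVPN access GRANTED: smart-tunnel://([^/]+)/")


def parse_tunnel_networks(config):
    """Map each smart-tunnel network name to its IP ranges and host masks."""
    lists = {}
    for line in config.splitlines():
        m = NETWORK_RE.match(line)
        if not m:
            continue
        name, kind, value, mask = m.groups()
        entry = lists.setdefault(name, {"ip": [], "host": []})
        if kind == "ip":
            net = ipaddress.IPv4Network(f"{value}/{mask or '255.255.255.255'}",
                                        strict=False)
            entry["ip"].append(net)
        else:
            entry["host"].append(value.lower())
    return lists


def parse_tunnel_policy(config):
    """Return (mode, network-name); without a policy the ASA tunnels all."""
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            return m.group(1), m.group(2)
    return "tunnelall", None


def in_network_list(dest, entry):
    """True if dest (hostname or dotted IPv4) is covered by the network list.

    A literal address is matched only against 'ip' entries and a name only
    against 'host' masks, which is why both forms have to be configured.
    """
    try:
        addr = ipaddress.IPv4Address(dest)
    except ValueError:
        return any(fnmatch(dest.lower(), mask) for mask in entry["host"])
    return any(addr in net for net in entry["ip"])


def classify(config, syslog):
    """Return [(user, destination, tunneled)] for every 716003 line."""
    mode, name = parse_tunnel_policy(config)
    entry = parse_tunnel_networks(config).get(name, {"ip": [], "host": []})
    out = []
    for line in syslog.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        _group, user, _src, dest = m.groups()
        dest = dest.split(":")[0]          # drop an explicit port, if any
        listed = in_network_list(dest, entry)
        if mode == "tunnelall":
            tunneled = True
        elif mode == "tunnelspecified":
            tunneled = listed
        else:                              # excludespecified
            tunneled = not listed
        out.append((user, dest, tunneled))
    return out


def direct_destinations(config, syslog):
    """Destinations the policy would send directly, bypassing the ASA."""
    return [d for _u, d, t in classify(config, syslog) if not t]


if __name__ == "__main__":
    for user, dest, tunneled in classify(ASA_CONFIG, SYSLOG):
        print(f"{user:16} {dest:24} {'tunnel' if tunneled else 'direct'}")
```

Run it against your own `show running-config webvpn` output and a day of 716003 syslog to see what a tunnel policy would take off the ASA; the in_network_list docstring is the reason the post insists on listing both names and addresses.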

As mentioned above, for a smart-tunneled web application the URL in the client browser is simply the original internal URL. This is a major difference from the plain WebVPN portal, where every traditional web-based application appears under the same kind of constructed URL containing the ASA's name or IP address. Such a URL shows that the client's HTTPS request is served by the ASA and the content is embedded into the WebVPN portal; the floating toolbar icons never disappear, to remind you of this. An example of an internally served page without smart tunnel:

[image: st02]

DNS resolving

The question arises: how does DNS resolution work for a smart-tunneled application if UDP DNS requests cannot be sent to the ASA (smart tunnel carries TCP only)? If we enable smart tunnel for some exe application, it is hard to debug the resolving behaviour of that specific application. Note: ping.exe and nslookup.exe are usually not on the smart tunnel list on the ASA, so we cannot check the resolution manually. Hostname-based URLs and other applications still work, so the applications are somehow deceived and send their packets to some special addresses; perhaps the ActiveX control intercepts their name-resolution system calls. I discovered this when I tested with *.exe (i.e. enabled smart tunnel for all applications, including ping.exe). For both existing and nonexistent hostnames a pseudo-IP address is assigned on the fly:

C:\>ping srv-spi
Pinging srv-spi [3.0.0.0] with 32 bytes of data:
C:\>ping rtrt
Pinging rtrt [3.0.0.31] with 32 bytes of data:
C:\>ping nusuchserver
Pinging nusuchserver [3.0.0.32] with 32 bytes of data:
C:\>ping nosuchserver
Pinging nosuchserver [3.0.0.33] with 32 bytes of data:
C:\>ping sp2013
Pinging sp2013 [3.0.0.24] with 32 bytes of data:

The ASA certainly knows the real IP addresses of all requested hostnames, as it queries the internal DNS servers listed in its configuration. Most likely the ASA maintains an internal table of hostnames, real IP addresses and pseudo-addresses and performs an implicit NAT on the packets. It is hard to analyze the mechanism, as the packets are encrypted inside the SSL tunnel and not visible to a packet capture tool.

The ActiveX installation problem

Unfortunately, the Cisco SSL VPN Relay Loader ActiveX control cannot always be installed on clients without admin rights. I got the error message:

An error occurred while copying file csvrloader32.ocx. Cannot copy file to destination directory.

I found the following method to enable non-admin IE users to use the Cisco SSL VPN Relay Loader ActiveX control:

1. Log in to the SSL VPN portal.
2. Download the cab file: https://asa-sslvpn-portal/+CSCOL+/csvrloader32.cab
3. Extract csvrloader32.ocx from it.
4. Log on to the client computer as admin, copy the control into System32 and register it:

C:\install\csvrloader32>copy csvrloader32.ocx C:\Windows\System32
C:\install\csvrloader32>cd C:\Windows\System32
C:\Windows\System32>regsvr32 csvrloader32.ocx

   [popup window reports success]
C:\Windows\System32>

5. Log on as the non-admin user.
6. Use the SSL VPN site.

I don’t have the ActiveX yellow bar any more.

Proxy

The documentation says about smart tunnels that a proxy between the client and the ASA is supported, but only a manual proxy setting is supported in the browser, and the internal site must be placed in the proxy exception list. My tests: the smart tunnel-enabled web application works well with a manual proxy setting regardless of the exception list. 'Automatically detect settings' indeed does not work.

Licensing

Clientless SSL VPN requires an AnyConnect Premium license. (A license for 2 concurrent sessions is included in the ASA Base License.)

Software versions

ASA 9.1(3)        asa913-k8.bin
ASDM 7.1(4)    asdm-714.bin
Internet Explorer 10


One Response to “Smart tunnels on Cisco ASA”

  1. Flavio said

    I’m stuck at the DNS resolving concern on the smart tunnel feature:
    sending all the browser's traffic to the smart tunnel makes everything work, but charges the remote ASA with potentially the entire client's surfing traffic; using the "split tunneling" feature allows sending only the intended traffic but takes away from the browser the ability to resolve private FQDNs, as it would use its pre-configured DNS server... so nothing works anymore!
    Nice post.
