In this post I’m going to setup a Clientless SSL VPN via the ASDM GUI and then connect to it via the TinyCore Linux PC all from GNS3.
I’m using the topology above. The nodes I’m using will be the ASA with the ASDM connected via the cloud from my local PC, if you want to know how to set the ASA up with access via the ASDM check out one of my other posts: How-To: ASA in GNS3 with ASDM
I’ll also be using R4 and the Remote Worker PC which is running a TinyCore Linux to test the Clientless SSL VPN.
GNS3 Configuration The ASAv image file is added to GNS3 as a QEMU VM Template, this is where I ran into my first issue, evidently for best performance I need to download GNS3 VM, it is recommended to run this within VMware Workstation rather than VirtualBox. Download the Cisco ASAv hda image file (asav952.qcow2) from the Cisco website. Cisco Adaptive Security Virtual Appliance (ASAv) Getting Started Guide, 9.14 17/Sep/2020; Cisco Adaptive Security Virtual Appliance (ASAv) Getting Started Guide, 9.13 11/Sep/2020; Cisco Adaptive Security Virtual Appliance (ASAv) Getting Started Guide, 9.12 03/Mar/2021 Updated; Cisco Adaptive Security Virtual Appliance (ASAv) Getting Started Guide, 9.10 11/Sep/2020.
- Below is the ASAv image I am using and also the version of GNS3. Note if you want to run an ASAv image you must run it in GNS3VM and not in the GNS3 local. ASA image: asav952-204.qcow2 (VIRL image) GNS3VM Version: 2.0.0b3 on Windows. The GNS3 team have a great video showing you how to import the ASAv image into GNS3.
- By Mustapha Maroc. On Sep 28, 2018 at 15:43 UTC. Needs Answer General Networking. Next: Wireless link between buildings.
Configure the Clientless SSL VPN on the ASAv via the ASDM GUI
When you log into the ASDM GUI you’ll get the main screen above. Click on Wizards > VPN Wizards > Clientless SSL VPN Wizard…
The Clientless SSL VPN Wizard window will pop up, click on Next. You’ll get the following window.
Here you need to give your Clientless SSL VPN a Connection Profile Name I’ve named this one SSL_Remote_Access and I’ve also selected the Interface that the SSL VPN will connect in on which is the Outside Interface (Internet). I don’t have my own digital certificate so I’m leaving the Certificate set to None, because of this the ASA will provide a self signed certificate. I’ve also given the Connection an Alias of SSL. Click on Next
The next step is to configure User Authentication you’ll have the choice to use an AAA server (which I dont have) or the Local User DB which I’ve selected. Select Authenticate using the local user database and add a new user, here I’m adding Homer once added click on Next
The next step is to setup a group policy or select an existing policy. Here I’ve setup a new policy called Remote_Users, this policy will inherit the DfltGrpPolicy attributes which I can change later if I need to. Click on Next
In the next step you can configure a list of bookmarks that the Remote users will be able to click on to access resources on the Corp LAN. Click on Manage > Add
Here you give the bookmark a name like EMAIL. Click on Add
You need to configure the IP address of the EMAIL server. I don’t have an email server in my lab but the bookmark will appear once I connect to the Clientless SSL VPN (hopefully).
That is it, you’ll get a summary page click on Finish to send the config to the ASA.
With the ASA configured the next step is to configure R4 in my topology. I’ll have to give Gi0/1 an IP address (18.104.22.168/24) and also a default route to send all traffic to the ASA using the command “ip route 0.0.0.0 0.0.0.0 22.214.171.124” as shown below.
Next configure the TinyCore Linux PC with an IP address in the same range as Gi0/1 I’ll use 126.96.36.199 and set the default gateway to 188.8.131.52.
To configure an IP address on the Linux PC click on Control Panel > Network
Set the IP address and the Gateway and click on Apply
It is always good practice to test the connectivity, open a Terminal Window in the Linux PC and ping the Gateway at 184.108.40.206.
Gns3 Asav Appliance
Now using the built-in Firefox browser on the Linux PC it is time to test the Clientless SSL VPN and see if we can connect to the Corp LAN. In the address bar enter the URL configured earlier which is: https://220.127.116.11/SSL
Looks good because this is a self signed certificate from the ASA the Firefox brower gives you a warning not to trust the site. Click on I Understand the Risks to continue. Once you accept the risk you will get the following login page.
Gns3 Asav Asdm
Enter in the username and password in my case Homer.
Success !! I have logged in and as you can see the EMAIL bookmark I configured during the Clientless SSL VPN setup is there.
I hope you found this useful, get labbing and try it out for yourself.
Gns3 Asav Server
Feedback always welcomed.