Packet Tracer ASA Clientless VPN Lab

The purpose of this lab is to provide a more advanced understanding of Cisco’s ASA 5505 Adaptive Security Appliance. The Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. In this lab we will use Packet Tracer 6.1 to learn how to configure the ASA as a basic firewall with the addition of clientless VPN access. This knowledge is essential to passing the CCNA Security exam and will be used daily in your position as a Cisco network engineer.

Clientless VPN:

Clientless SSL VPN (WebVPN) allows for limited but valuable secure access to the corporate network from any location. Users can achieve secure browser-based access to corporate resources at any time. This document provides a straightforward configuration for the Cisco Adaptive Security Appliance (ASA) 5500 series to allow Clientless SSL VPN access to internal network resources.

The SSL VPN technology can be utilized in three ways: Clientless SSL VPN, Thin-Client SSL VPN (Port Forwarding), and SSL VPN Client (SVC Tunnel Mode). Each has its own advantages and unique access to resources. In our lab we will be focusing on the clientless SSL VPN.

Clientless SSL VPN

A remote client needs only an SSL-enabled web browser to access http- or https-enabled web servers on the corporate LAN. Access is also available to browse for Windows files with the Common Internet File System (CIFS). A good example of http access is the Outlook Web Access (OWA) client.

Thin-Client SSL VPN (Port Forwarding)

A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are made to files on the local machine. This method of SSL VPN does not work with applications that use dynamic port assignments, for example, several FTP applications.

Refer to Thin-Client SSL VPN (WebVPN) on ASA using ASDM Configuration Example in order to learn more about the Thin-Client SSL VPN.

SSL VPN Client (SVC-Tunnel Mode)

The SSL VPN Client downloads a small client to the remote workstation and allows full, secure access to the resources on the internal corporate network. The SVC can be downloaded permanently to the remote station, or it can be removed after the secure session ends.

Clientless SSL VPN can be configured on the Cisco VPN Concentrator 3000 and specific Cisco IOS® routers with Version 12.4(6)T and higher. Clientless SSL VPN access can also be configured on the Cisco ASA at the Command Line Interface (CLI) or with the Adaptive Security Device Manager (ASDM). Using ASDM makes the configuration more straightforward.

Clientless SSL VPN and ASDM must not be enabled on the same ASA interface. It is possible for the two technologies to coexist on the same interface if changes are made to the port numbers. It is highly recommended that ASDM is enabled on the inside interface, so WebVPN can be enabled on the outside interface.
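The rule above can be checked against a saved running-config. The following is an added example, not part of the lab or of Cisco's tooling: it assumes the ASA CLI forms `http server enable [port]`, `http <network> <mask> <interface>`, and a global `webvpn` block containing `enable <interface>` and optionally `port <n>`; the function name and the three sample configurations are constructed for illustration.

```python
import re

DEFAULT_PORT = 443  # ASDM's HTTPS server and WebVPN both default to TCP 443

def find_conflicts(config):
    """Return sorted (interface, port) pairs where ASDM and WebVPN collide."""
    asdm_on, asdm_port, asdm_ifs = False, DEFAULT_PORT, set()
    vpn_port, vpn_ifs, in_webvpn = DEFAULT_PORT, set(), False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # top-level command
            in_webvpn = line == "webvpn"
            m = re.fullmatch(r"http server enable(?: (\d+))?", line)
            if m:
                asdm_on, asdm_port = True, int(m.group(1) or DEFAULT_PORT)
            elif (m := re.fullmatch(r"http \S+ \S+ (\S+)", line)):
                asdm_ifs.add(m.group(1))
        elif in_webvpn:  # sub-command of the global webvpn block
            if (m := re.fullmatch(r"enable (\S+)", line)):
                vpn_ifs.add(m.group(1))
            elif (m := re.fullmatch(r"port (\d+)", line)):
                vpn_port = int(m.group(1))
    if not asdm_on or asdm_port != vpn_port:
        return []
    return sorted((name, vpn_port) for name in asdm_ifs & vpn_ifs)

# Constructed sample configurations (not taken from the lab file).
CONFLICT = """\
http server enable
http 192.168.1.0 255.255.255.0 outside
webvpn
 enable outside
"""
RECOMMENDED = """\
http server enable
http 192.168.1.0 255.255.255.0 inside
webvpn
 enable outside
"""
PORT_CHANGED = """\
http server enable 8443
http 203.0.113.10 255.255.255.255 outside
webvpn
 enable outside
"""

if __name__ == "__main__":
    for name, cfg in [("conflict", CONFLICT), ("recommended", RECOMMENDED), ("port changed", PORT_CHANGED)]:
        print(name, find_conflicts(cfg))
```

The indented `webvpn` sub-mode under `group-policy ... attributes` is ignored on purpose, since only the global `webvpn` block enables the service on an interface.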

Learning Objectives:

  • Configure group-policy.
  • Configure local user database.
  • Configure user attributes.
  • Configure webvpn.
  • Configure bookmarks.
  • Configure tunnel-group.

  Clientless-VPN (194.3 KiB)

  Packet Tracer 6.2 (54.9 MiB)


3 Responses to “Packet Tracer ASA Clientless VPN Lab”

  1. Pavel Jiracek says:

    The ASA is a great addition to Packet Tracer.
    However, this lab doesn’t seem to work for me. I have configured the ASA as instructed and running-config looks good. I have L3 connectivity between the Remote-PC and the ASA but won’t get the login prompt in the PC’s browser.
    I’ve done a similar lab with a real ASA, no problem.
    Any tips?

  2. Pavel Jiracek says:

    OK, I’ve redone the lab and it works now. Running-config is the same as before, so something went wrong the first time.
    Thanks for the nice lab.

  3. Mike says:

    If you configure the same ASA for both Site to Site and Clientless, you will be required to NAT internet traffic and to exclude Site to site Traffic from being NATed. Please assist me on how to configure internet traffic to be NATed and exclude Site to Site traffic from NAT.
