MicroNugget: How to Use ASA VPN Connection Profiles

The ASA VPN connection profiles. The Adaptive Security Appliance can be a VPN gateway for hundreds or thousands of remote access clients, but one of the challenges is, when those connections for VPN services come in, how does that ASA know exactly how to authenticate a given incoming request? The answer to that question is in the magic of the connection profile. In this MicroNugget we'll take a look at, first of all, what they do, how they operate, and how the ASA decides on which connection profile to use to authenticate an incoming request. Let's jump in.

In this MicroNugget we're gonna take a look at what exactly is a connection profile in the world of the ASA with remote access VPNs, and we'll take a look at how it's selected. First things first: why is it important? Let's take a real-world scenario where we have a user on the internet who needs access to his corporate server. How is he going to get it? We're not going to send a request in plaintext, like HTTP or something like that, over the Internet, because it's not secure. So to secure it we're gonna use some type of encryption, and three popular options for building remote access VPNs are: the clientless SSL VPN, which doesn't require any administrative rights whatsoever on this box, all it takes is a browser that supports SSL; we can have the full AnyConnect tunneled client, which does require software to be installed; or the traditional IPSec flavor of remote access, either done with a VPN software client, or AnyConnect can pull that one off as well.

So we're gonna have a connection coming in. Now the question is, when a connection is coming in, how does the ASA know how to go about authenticating Bob? Because we don't know it's him yet, until he puts in his username and password. And the answer is, we're going to use a connection profile. The connection profile is linked or associated with incoming requests for a VPN tunnel, and the ASA refers to that connection profile to learn: OK, I should authenticate this user based on my internal local database, or I should authenticate this user against the AAA server. And if it's one of our full clients, the connection profile could also specify the pool of IP addresses to use to assign to that user during his trip on our network through the VPN. So that's what the connection profile does for a living.

Now the tricky part is, how does the ASA know which connection profile to use? Let's say there's five or six connection profiles. How does the ASA know which one to use before Bob even puts in his username and password? Well, the answer is simple: the ASA is going to rely on one of three options: a URL, an alias, or a certificate. Let's illustrate each one of those.

A URL: we tell Bob, hey Bob, when you connect (we're gonna pretend this is a global address for a moment), when you connect, connect to http://192.168.1.171/sales. And if we give him that URL, we can actually link that specific URL to a specific connection profile, so that when Bob hits that URL the ASA says, oh, he's knocking on this door at that specific URL, he's gonna be associated with connection profile 1 or connection profile 2. So that's one way.

Another option is we could use an alias. What do you mean, Keith, an alias? Well, an alias is something that represents something else. So for example, we could have Bob go to the IP address of http:// to the server itself and give him a drop-down list, and from that drop-down list we could say here's connection profile 1, 2, 3 and 4, and then Bob could simply select the correct quote-unquote group to select his correct connection profile, if he knows it or if he's been trained to select a specific one. So that's our second option: a drop-down list that the user chooses from.

And the third option is to use information from a digital certificate. If Bob had a digital certificate, an identity certificate, installed on his computer when he makes the connection request, the ASA, if trained to do so, could look at that digital certificate and look at the contents of it, and it could say, oh, if the organizational unit equals sales, I will go ahead and use connection profile number one. So we could associate it based on information in Bob's identity certificate that's on his machine or associated with his user. So those are the three options.

Now what happens if we do find a connection profile? We use that connection profile. We say, oh great, based on that I know how to authenticate the user, and I know what pool of addresses to give them if he's a full tunnel client. If it didn't match a connection profile, there are some defaults: the default for web VPN is this default connection profile, and the default for IPSec remote access is this connection profile. We cannot delete those; however, we can modify the default behavior of those connection profiles.

To demonstrate this, let's take a look at a user at this machine right here, who's gonna connect and be given a list of options from the drop-down list as far as which connection profile to choose. I happen to have a current ASA set up. We've connected to the global address and we are gonna select the sales connection alias; that's an alias for the connection profile. We'll go ahead and log on with the username of sales user and the correct password, and there we have a web banner that's been set up for that group. We'll click on Continue, and now we're connected with the clientless VPN portal that can now give us access into the network. If we wanted to go further into the network, say we're going to go to .5, for example, we could from here type in 10.0.0.5, and that should open up the browser connection through this portal to that machine.

So in this MicroNugget we've determined what a connection profile is all about: it's the initial mechanism that the ASA uses to identify how to authenticate a user, which AAA server, local database, etc. to use, and where appropriate, which pool of addresses to use. We've also identified the options of how the ASA can know, even before the user authenticates, what connection profile they're going to use: either by specifying a URL that's linked to a connection profile, an alias that the user gets to choose from a drop-down list, or use an identity certificate and extract information from that to associate the connection with a specific connection profile. I hope this has been informative for you, and I'd like to thank you for viewing.
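The three selection methods and the default fallback described in this MicroNugget, written out as an ASA configuration sketch. This is an added example, not configuration shown in the video. The profile name SALES, the alias text, the pool name and range, the map name and the `outside` interface are assumptions, and the URL is the video's address written with https because the clientless portal is served over SSL.

```cisco
! Constructed example. SALES, SALES-POOL, SALES-CERT-MAP, the alias text,
! the pool range and the interface name "outside" are assumptions.
!
! Address pool handed to full-tunnel clients that land in this profile
ip local pool SALES-POOL 10.0.0.100-10.0.0.150 mask 255.255.255.0
!
! The connection profile (tunnel-group): how to authenticate the user and
! which pool to assign. LOCAL is the ASA's internal user database; an AAA
! server group name would go in its place to authenticate against AAA.
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 authentication-server-group LOCAL
 address-pool SALES-POOL
!
! Options 1 and 2: a URL and an alias tied to this profile
tunnel-group SALES webvpn-attributes
 group-url https://192.168.1.171/sales enable
 group-alias Sales-Connection enable
!
! Option 3: certificate rule, subject OU equals "sales"
crypto ca certificate map SALES-CERT-MAP 10
 subject-name attr ou eq sales
!
! SSL VPN: enable the portal, show the alias drop-down on the login page,
! and send certificates matching the rule to the SALES profile
webvpn
 enable outside
 tunnel-group-list enable
 certificate-group-map SALES-CERT-MAP 10 SALES
!
! IPsec remote access: apply the same certificate rule
tunnel-group-map enable rules
tunnel-group-map SALES-CERT-MAP 10 SALES
!
! No match: the built-in default profiles apply. They cannot be deleted,
! but their behavior can be modified like any other profile.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LOCAL
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LOCAL
```

The alias drop-down is presented before login, so every enabled `group-alias` is visible to anyone who can reach the portal. `show vpn-sessiondb webvpn` reports which tunnel group a clientless session landed in.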
