SSL VPN delivers the following three modes of access:
Clientless--Clientless mode provides secure access to private web resources and web content. This mode is useful for accessing content found in web browsers, databases, and online tools that employ a web interface.
Thin-client (port-forwarding Java applet)--Thin-client mode extends the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet, and SSH.
Full tunnel client--Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured, and easy-to-support SSL VPN tunneling client that provides network-layer access to virtually any application.
Before you can configure the SSL VPN Smart Tunnels Support feature, the virtual gateway must be configured and enabled. This gateway configuration specifies the IP address, port number, and trustpoint for the SSL VPN. Enabling the virtual gateway enables the SSL VPN service.
An SSL VPN virtual context must be configured to associate the virtual SSL VPN gateway with the configured features.
- WebVPN Gateway
The WebVPN Gateway is used to terminate the SSL connection from the user. The basic configuration requires an IP address on the same subnet as one of the public network interfaces; this can be the same address used on the public network interface, or another address in the same subnet. Alternatively, you can define a loopback interface and use an address in that subnet, as long as the address is reachable from the public network.
The other mandatory component is the crypto PKI trustpoint used. This can be a Certificate Authority (CA) signed certificate, or a self-signed certificate.
Optionally, you may provide a hostname that is associated with the gateway, since there may be multiple WebVPN gateways. It is also a common practice to register the addresses and hostnames with a DNS authority.
- WebVPN context
The WebVPN context is where the SSL VPN is terminated, and the user's VPN session is established. The context also contains all of the policies that can be applied to a user, including authentication, authorization, and accounting (AAA), virtual routing and forwarding instances (VRFs), and group policies. This is where the user authentication takes place, and group policies are applied to the user session. Furthermore, the context can define the way the SSL VPN Web portal will appear to the user by specifying the colors and the images. The context is basically a container for user sessions.
The WebVPN context uses a WebVPN gateway as the SSL session termination endpoint IP address. Multiple contexts can share one WebVPN gateway by using the domain keyword and specifying a label.
Scenario:
- SSL VPN gateway
webvpn gateway SSL_GW
 ip address 172.20.1.2 port 443
 ssl trustpoint TP-self-signed-4294967295
 logging enable
 inservice
where TP-self-signed-4294967295 is the trustpoint that the IOS router generates automatically after the webvpn gateway command is entered:
crypto pki trustpoint TP-self-signed-4294967295
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4294967295
 revocation-check none
 rsakeypair TP-self-signed-4294967295
crypto pki certificate chain TP-self-signed-4294967295
 certificate self-signed 01
- SSL VPN context
webvpn context WEBVPN
 title "clientless web vpn example"
 title-color blue
 ssl authenticate verify all
 !
 url-list "URLs"
   url-text "Google" url-value "http://www.google.com"
 !
 time-range "EVERYDAY"
  periodic weekdays 0:00 to 20:00
 !
 acl "WebAccess"
   permit url "http://*.com" syslog
 !
 !
 policy group SSL_POLICY
   url-list "URLs"
   acl "WebAccess"
   banner "test banner"
 default-group-policy SSL_POLICY
 aaa authentication list WEBVPN
 gateway SSL_GW
 inservice
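A small audit of the gateway and context configuration shown above, added here as an example (it is not part of the original post). It assumes the two blocks are handed over as plain strings, and it flags the self-signed trustpoint and the wildcard URL permit as items an operator should review before going into service:

```python
import re

# Constructed sample input: the gateway and context blocks this page shows (cert body omitted).
GATEWAY_CONFIG = """\
webvpn gateway SSL_GW
 ip address 172.20.1.2 port 443
 ssl trustpoint TP-self-signed-4294967295
 logging enable
 inservice
"""
CONTEXT_CONFIG = """\
webvpn context WEBVPN
 ssl authenticate verify all
 acl "WebAccess"
   permit url "http://*.com" syslog
 policy group SSL_POLICY
   url-list "URLs"
   acl "WebAccess"
 default-group-policy SSL_POLICY
 aaa authentication list WEBVPN
 gateway SSL_GW
 inservice
"""

def _cmd(pattern, cfg):
    # Match one command at the start of a line, tolerating IOS indentation.
    return re.search(r"^[ \t]*" + pattern, cfg, re.M)

def audit_webvpn(gateway_cfg, context_cfg):
    """Return (severity, finding) tuples for a webvpn gateway/context pair."""
    findings = []
    gw = _cmd(r"webvpn gateway (\S+)", gateway_cfg)
    tp = _cmd(r"ssl trustpoint (\S+)", gateway_cfg)
    if tp is None:
        findings.append(("high", "gateway has no ssl trustpoint"))
    elif tp.group(1).lower().startswith("tp-self-signed"):
        findings.append(("medium", "gateway uses self-signed trustpoint " + tp.group(1) + "; users cannot tell the portal from an impostor"))
    if not _cmd(r"logging enable", gateway_cfg):
        findings.append(("low", "gateway logging not enabled; session events are lost"))
    if not _cmd(r"aaa authentication list \S+", context_cfg):
        findings.append(("high", "context has no AAA authentication list"))
    ref = _cmd(r"gateway (\S+)", context_cfg)
    if gw and (ref is None or ref.group(1) != gw.group(1)):
        findings.append(("high", "context does not reference gateway " + gw.group(1)))
    for m in re.finditer(r'^[ \t]*permit url "([^"]+)"', context_cfg, re.M):
        if "*" in m.group(1):
            findings.append(("medium", "ACL wildcard permit " + m.group(1) + " admits every host matching the pattern"))
    return findings
```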
Verification:
VPNConcentrator# show webvpn gateway SSL_GW
 Admin Status: up
 Operation Status: up
 Error and Event Logging: Enabled
 IP: 172.20.1.2, port: 443
 SSL Trustpoint: TP-self-signed-4294967295
 FVRF Name not configured

VPNConcentrator# show webvpn context WEBVPN
 Admin Status: up
 Operation Status: up
 Error and Event Logging: Disabled
 CSD Status: Disabled
 Certificate authentication type: All attributes (like CRL) are verified
 AAA Authentication List: WEBVPN
 AAA Authentication Domain not configured
 Default Group Policy: SSL_POLICY
 Associated WebVPN Gateway: SSL_GW
 Domain Name and Virtual Host not configured
 Maximum Users Allowed: 1000 (default)
 NAT Address not configured
 VRF Name not configured

VPNConcentrator# show webvpn policy group SSL_POLICY context all
 WEBVPN: group policy = SSL_POLICY ; context = WEBVPN
 banner = "test banner"
 url list name = "MYURL"
 idle timeout = 2100 sec
 session timeout = Disabled
 citrix disabled
 dpd client timeout = 300 sec
 dpd gateway timeout = 300 sec
 keep sslvpn client installed = disabled
 rekey interval = 3600 sec
 rekey method =
 lease duration = 43200 sec

VPNConcentrator# show webvpn session context all
 WebVPN context name: WEBVPN
 Client_Login_Name  Client_IP_Address  No_of_Connections  Created   Last_Used
 test               172.20.1.6         1                  00:40:20  00:33:35
 test               172.20.1.6         1                  00:14:43  00:00:38
 test               10.1.1.2           1                  00:08:50  00:04:20