Implementing Cisco IOS SSL VPN

Based on Figure 18-2, the following configuration examples provide basic deployment guidelines for implementing the Cisco IOS SSL VPN solution on the Cisco Integrated Services Routers (ISR) series.

Example 18-1 shows a generic SSL VPN gateway configuration that includes some of the common features available.

Example 18-1. Configuring Cisco IOS SSL VPN

Code View: hostname SSL-Gateway ! aaa new-model aaa authentication login default local group radius ! crypto pki trustpoint Gateway enrollment selfsigned ip-address 192.168.1.1 revocation-check crl rsakeypair keys 1024 1024 ! crypto pki certificate chain Gateway certificate self-signed 02 ! interface Loopback0 ip address 10.10.10.1 255.255.255.0 ! interface GigabitEthernet0/1 ip address 192.168.1.1 255.255.255.0 ! ip local pool svc-pool 10.10.10.100 10.10.10.110 ! webvpn gateway ssl-vpn ip address 192.168.1.1 port 443 ssl trustpoint Gateway inservice ! ! The following line is required for SSLVPN Client. webvpn install svc flash:/webvpn/svc.pkg ! ! The following line is required for Cisco Secure Desktop. webvpn install csd flash:/webvpn/sdesktop.pkg ! webvpn context ssl-vpn ssl authenticate verify all ! policy group default ! The following line enables SSLVPN Client. functions svc-enabled ! The following line enables clientless Citrix. citrix enabled default-group-policy default ! The following line maps this context to the virtual gateway and defines the domain to use. gateway ssl-vpn domain sslvpn ! The following line enables Cisco Secure Desktop. csd enable inservice ! <..>

The following show and debug commands can be used to verify functionality on a Cisco router (SSL VPN gateway).

• show webvpn sessions

• show webvpn statistics

• show tcp brief all

• debug webvpn