Based on Figure 18-2, the following configuration examples provide basic deployment guidelines for implementing the Cisco IOS SSL VPN solution on the Cisco Integrated Services Routers (ISR) series.
Note
The Cisco SSL VPN (WebVPN) feature was introduced in Cisco IOS Software Release 12.3(14)T supporting SSL Version 3.
Example 18-1 shows a generic SSL VPN gateway configuration that includes some of the common features available.
Caution
There is a slight variation in command syntax between Cisco IOS version 12.3T and 12.4T when you are configuring an SSL VPN. Example 18-1 is captured from a Cisco IOS version 12.4T-based router.
hostname SSL-Gateway
!
aaa new-model
aaa authentication login default local group radius
!
crypto pki trustpoint Gateway
 enrollment selfsigned
 ip-address 192.168.1.1
 revocation-check crl
 rsakeypair keys 1024 1024
!
crypto pki certificate chain Gateway
 certificate self-signed 02
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
ip local pool svc-pool 10.10.10.100 10.10.10.110
!
webvpn gateway ssl-vpn
 ip address 192.168.1.1 port 443
 ssl trustpoint Gateway
 inservice
!
! The following line is required for SSLVPN Client.
webvpn install svc flash:/webvpn/svc.pkg
!
! The following line is required for Cisco Secure Desktop.
webvpn install csd flash:/webvpn/sdesktop.pkg
!
webvpn context ssl-vpn
 ssl authenticate verify all
 !
 policy group default
 ! The following line enables SSLVPN Client.
   functions svc-enabled
 ! The following line enables clientless Citrix.
   citrix enabled
 default-group-policy default
 ! The following line maps this context to the virtual gateway and defines the domain to use.
 gateway ssl-vpn domain sslvpn
 ! The following line enables Cisco Secure Desktop.
 csd enable
 inservice
!
<..>
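A reviewer of a configuration like Example 18-1 usually wants to confirm a few things before the gateway goes live: the gateway references a defined PKI trustpoint and is in service, the context enforces ssl authenticate verify all, is mapped to an existing gateway and is in service, and the trustpoint's RSA key is of adequate size. The following Python script is an added example, not code from the book or from Cisco. It parses a running-config text into top-level blocks and runs those checks offline against a constructed, condensed copy of the example; the thresholds (a 2048-bit RSA minimum, flagging self-signed enrollment because clients cannot validate such a certificate against a CA) and the function names are this example's own assumptions.

```python
"""Offline audit of the webvpn parts of a Cisco IOS configuration (added example)."""
from typing import Dict, List, Tuple

Block = Tuple[str, List[str]]  # (top-level command, stripped indented body lines)

MIN_RSA_BITS = 2048  # assumption: this example's minimum, not a Cisco default

# Constructed sample, condensed from Example 18-1 (constructed for this example).
SAMPLE_CONFIG = """\
hostname SSL-Gateway
!
crypto pki trustpoint Gateway
 enrollment selfsigned
 ip-address 192.168.1.1
 revocation-check crl
 rsakeypair keys 1024 1024
!
ip local pool svc-pool 10.10.10.100 10.10.10.110
!
webvpn gateway ssl-vpn
 ip address 192.168.1.1 port 443
 ssl trustpoint Gateway
 inservice
!
webvpn context ssl-vpn
 ssl authenticate verify all
 policy group default
   functions svc-enabled
   citrix enabled
 default-group-policy default
 gateway ssl-vpn domain sslvpn
 csd enable
 inservice
!
"""


def parse_blocks(config: str) -> List[Block]:
    """Split an IOS config into (command, body) blocks.

    A non-indented line other than the '!' separator starts a block; the
    indented lines after it form its body. Nested sub-modes such as
    'policy group default' inside a context stay in the enclosing body.
    """
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:  # an indented line before any block is ignored
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _named(blocks: List[Block], prefix: str) -> Dict[str, List[str]]:
    """Map the name that follows `prefix` (e.g. 'webvpn gateway ') to its body."""
    return {header[len(prefix):].split()[0]: body
            for header, body in blocks if header.startswith(prefix)}


def audit_webvpn(config: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    trustpoints = _named(blocks, "crypto pki trustpoint ")
    gateways = _named(blocks, "webvpn gateway ")
    contexts = _named(blocks, "webvpn context ")
    findings: List[str] = []

    for name, body in trustpoints.items():
        for line in body:
            parts = line.split()
            # 'rsakeypair <label> <modulus> [<modulus>]': check the modulus size
            if parts[0] == "rsakeypair" and len(parts) >= 3 and parts[2].isdigit():
                if int(parts[2]) < MIN_RSA_BITS:
                    findings.append(f"trustpoint {name}: RSA modulus {parts[2]} < {MIN_RSA_BITS}")
            if line == "enrollment selfsigned":
                findings.append(f"trustpoint {name}: self-signed certificate, "
                                "clients cannot validate it against a CA")

    for name, body in gateways.items():
        tp = next((l.split()[2] for l in body if l.startswith("ssl trustpoint ")), None)
        if tp is None:
            findings.append(f"gateway {name}: no 'ssl trustpoint' configured")
        elif tp not in trustpoints:
            findings.append(f"gateway {name}: trustpoint {tp} is not defined")
        if "inservice" not in body:
            findings.append(f"gateway {name}: not inservice")

    for name, body in contexts.items():
        if "ssl authenticate verify all" not in body:
            findings.append(f"context {name}: missing 'ssl authenticate verify all'")
        gw = next((l.split()[1] for l in body if l.startswith("gateway ")), None)
        if gw is None:
            findings.append(f"context {name}: not mapped to a gateway")
        elif gw not in gateways:
            findings.append(f"context {name}: gateway {gw} is not defined")
        if "inservice" not in body:
            findings.append(f"context {name}: not inservice")
    return findings


if __name__ == "__main__":
    # Against the sample this reports the 1024-bit key and the self-signed enrollment.
    for finding in audit_webvpn(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of show running-config (saved to a file) rather than a hand-typed excerpt; the block parser relies only on IOS's one-space indentation, so the checks can be extended by adding further lookups in the relevant block body.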
Tip
Refer to the following Cisco technical documentation for further details on configuring Cisco IOS SSL VPN and various other parameters:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/g_sslvpn.htm
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00805eeaea.html#wp1356909
The following show and debug commands can be used to verify functionality on a Cisco router (SSL VPN gateway).
show webvpn sessions
show webvpn statistics
show tcp brief all
debug webvpn