Cisco IOS SSL VPN Example

Feb 20, 2012 2:00 AM

Introduction

This document gives an overview of SSL VPN and then walks through a Cisco IOS SSL VPN (WebVPN) example: a clientless portal with a URL link to an internal router plus thin-client port forwarding for HTTPS and SSH.

SSL VPN Overview:

What is SSL VPN?

SSL VPN (Secure Sockets Layer Virtual Private Network) lets users reach restricted network resources remotely over an encrypted and authenticated session. In full-tunnel mode all of the client's traffic to the protected network is encrypted, so the user appears to be on the local network regardless of geographic location. Because the session is carried over HTTPS (TCP/443), it passes through most firewalls and NAT devices that block IPsec, which is why SSL VPN is more compatible with varied client platforms and remote networks and generally gives a more reliable connection.

Who Can Use SSL VPN?

SSL VPN allows access to administrative systems, critical infrastructure, and sensitive information maintained by system administrators. SSL VPN access can be granted to University system administrators as well as vendors and other external collaborators, provided that the user has a valid NetID and password and is in an LDAP (Lightweight Directory Access Protocol) group with SSL VPN access.

OPTIONS

There are two SSL VPN options (Note: Enabled features will be determined by user need and the nature of applications and resources that need to be accessed):

Web Proxy — Users access all available resources through a web-based interface. Resources appear as bookmarks on the SSL VPN start page, and access is granted as though the user had an internal IP address, because the gateway makes the connections on the user's behalf. Through this interface, users can access web-based applications, use file sharing, remote desktop/Citrix (Windows only), and Telnet/SSH. Any computer with a web browser can use the Web Proxy, since the user works entirely inside the web interface and no client software is installed. In IOS terms this is clientless mode, extended with thin-client port forwarding for non-web protocols.

Network Connect — Users download a local VPN client that tunnels IP traffic over SSL, so they do not need to work through the web interface and get network-layer access to the permitted subnets. The Network Connect client is assigned a unique IP address from a role-specific pool of addresses, rather than the IP address that is used by Web Proxy connections. In IOS terms this is full-tunnel mode, using the SSL VPN Client (SVC) pushed from the gateway.

The example is based on the diagram below

1. Network Diagram

diagram.bmp

Example:

For this example, the router needs to provide a user on the 192.168.137.x network secure access to R1 through an SSL web portal. HTTP access to R1 is provided through a URL link; HTTPS and SSH access to R1 are provided by port forwarding. In the real world, this type of access could give a network administrator emergency access from any computer.

The first step is to set up the authentication method for the user. The IOS SSL VPN authenticates logins against the default AAA login method list unless a different list is named under the webvpn context with "aaa authentication list". For this example, we will use local authentication with the commands below. Note that "username cisco password cisco" stores the password in reversible (type 0) form and is a lab-only credential; on a real gateway use "username <name> secret <password>" so IOS stores a hash, and choose a strong password, since the portal is reachable from anywhere.

aaa new-model
aaa authentication login default local
username cisco password cisco

The next step is to setup the IP and port information for connectivity to the SSL VPN. The IOS SSL VPN allows the IP to be based on the interface IP of the router or a virtual IP address. Additionally, the port can be the standard 443/tcp or it can be another manually assigned port. For this example, we will use the fa1/0 interface of the router and port 8000/tcp. This is shown below.

webvpn gateway SSL1
 hostname SSL1
 ip address 192.168.137.100 port 8000
 ssl trustpoint TP-self-signed-4294967295
 inservice

Notice the "ssl trustpoint" line in the configuration. If no trustpoint has been configured, the self-signed trustpoint is generated automatically when the "inservice" command is entered to activate the gateway. A self-signed certificate is fine for a lab, but browsers will warn on it and users have no way to tell the real gateway from an impostor presenting its own self-signed certificate, so a production gateway should use a certificate issued by a trusted CA and reference it with "ssl trustpoint <name>".

The next step is to create the "webvpn context", which is the container for the VPN parameters. Within the "webvpn context" container, a number of parameters are defined and applied. For example:

  1. A URL can be defined
  2. The URL can be applied to a policy group
  3. The policy group can then be applied to the context

This is all within the "webvpn context" container. An example is shown below

webvpn context SSL
 url-list "R1"
   heading "R1"
   url-text "R1-http" url-value "http://192.168.1.2"
 policy group default
   url-list "R1"
 default-group-policy default

This shows the URL list, R1, being defined and then applied to the policy group, default. The policy group, default, is then applied to the context with the "default-group-policy" command.

In a similar manner, the IOS SSL VPN can support port forwarding. This is shown below.

webvpn context SSL
 port-forward "R1"
   local-port 5000 remote-server "192.168.1.2" remote-port 443 description "R1 HTTPS"
   local-port 5001 remote-server "192.168.1.2" remote-port 22 description "R1 SSH"
 policy group default
   port-forward "R1" auto-download
 default-group-policy default

This portion shows how ports are forwarded. The thin client listens on the user's loopback address. When a user points a web browser at https://127.0.0.1:5000, the connection is carried inside the SSL session to the gateway, which opens a TCP connection to 192.168.1.2 on port 443. Similarly, when a user opens an SSH client to 127.0.0.1 on port 5001, the session is tunneled to 192.168.1.2 on port 22. Because the browser validates R1's certificate against the address it connected to (127.0.0.1), expect a certificate name warning on the HTTPS forward. In the "port-forward" command, notice the "auto-download" parameter. This causes the port-forwarding thin client to launch automatically at login, instead of requiring the user to click the "thin client" start button shown below. The thin client is a Java applet, so the user's browser needs a Java runtime.
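To make the thin-client model concrete, here is an added Python example (not code from this page or from Cisco) that parses the two local-port lines above into forwarding rules and runs a local listener bound to 127.0.0.1 that relays each accepted connection to the mapped remote endpoint. It assumes a plain TCP relay in place of the SSL session to the gateway, and substitutes a loopback echo server for R1 so that it runs offline; an OS-chosen local port (0) stands in for the rule's 5001 because that port may already be in use on the machine running it.

```python
"""Model of the thin-client port forwarding configured above (added example,
not Cisco code). Each local-port ... remote-server ... remote-port line becomes
a listener on 127.0.0.1; an application that connects to 127.0.0.1:<local-port>
is relayed to <remote-server>:<remote-port>. Assumption: the relay is plain TCP
here, where the real thin client carries the stream inside the SSL session to
the webvpn gateway, which then opens the TCP connection to the remote server."""
from __future__ import annotations

import re
import socket
import threading

# Constructed copy of the page's port-forward lines.
PORT_FORWARD_CONFIG = '''
port-forward "R1"
 local-port 5000 remote-server "192.168.1.2" remote-port 443 description "R1 HTTPS"
 local-port 5001 remote-server "192.168.1.2" remote-port 22 description "R1 SSH"
'''
_RULE = re.compile(r'^\s*local-port (\d+) remote-server "?([^"\s]+)"? remote-port (\d+)')


def parse_port_forwards(config: str) -> list[tuple[int, str, int]]:
    """(local_port, remote_host, remote_port) for every local-port line."""
    return [(int(m[1]), m[2], int(m[3]))
            for m in map(_RULE.match, config.splitlines()) if m]


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until src hits EOF, then pass the EOF on to dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForwarder:
    """One listener per rule. It is bound to 127.0.0.1 on purpose: a listener on
    0.0.0.0 would let any host on the user's LAN ride the authenticated tunnel."""

    def __init__(self, local_port: int, remote_host: str, remote_port: int):
        self.remote = (remote_host, remote_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", local_port))  # port 0 = let the OS pick
        self.listener.listen(5)
        self.local_port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client: socket.socket) -> None:
        """Open the remote side for this client and pump bytes both ways."""
        try:
            upstream = socket.create_connection(self.remote, timeout=5)
        except OSError:
            client.close()
            return
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        _pump(client, upstream)

    def close(self) -> None:
        self.listener.close()


def start_echo_server() -> tuple[socket.socket, int]:
    """Loopback stand-in for R1 so the example runs offline; echoes bytes back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def round_trip(local_port: int, payload: bytes) -> bytes:
    """What an application sees when it talks to 127.0.0.1:<local_port>."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))


def demo() -> bytes:
    """Stand up the R1 stand-in, forward a local port to it, send an SSH-style probe."""
    srv, echo_port = start_echo_server()
    # The page's SSH rule is (5001, "192.168.1.2", 22); here 0 replaces 5001
    # and the loopback echo server replaces R1.
    fwd = LocalForwarder(0, "127.0.0.1", echo_port)
    try:
        return round_trip(fwd.local_port, b"SSH-2.0-probe\r\n")
    finally:
        fwd.close()
        srv.close()


if __name__ == "__main__":
    print(parse_port_forwards(PORT_FORWARD_CONFIG))
    print(demo())
```

The bind address is the thing to check in any thin client: the listener must be on 127.0.0.1 only, otherwise other hosts on the user's LAN can reach R1 through the authenticated tunnel without ever logging in to the portal.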

diagram2.bmp

The screenshots below show the GUI experience based on the configuration above.

1. The user accesses the web portal at https://192.168.137.100:8000

diagram3.bmp

2. The user logs in and is presented with the web portal

diagram4.bmp

3. At the same time as step 2, the port forwarding window appears with the settings for port forwarding

diagram5.bmp

Below is the full relevant configuration for the example above.

aaa new-model
!
!
aaa authentication login default local
username cisco password 0 cisco
no ip http server
no ip http secure-server
webvpn gateway SSL1
 hostname SSL1
 ip address 192.168.137.100 port 8000
 ssl trustpoint TP-self-signed-4294967295
 inservice
!
webvpn context SSL
 ssl authenticate verify all
 !
 url-list "R1"
   heading "R1"
   url-text "R1-http" url-value "http://192.168.1.2"
 !
 !
 port-forward "R1"
   local-port 5000 remote-server "192.168.1.2" remote-port 443 description "R1 HTTPS"
   local-port 5001 remote-server "192.168.1.2" remote-port 22 description "R1 SSH"
 !
 policy group default
   url-list "R1"
   port-forward "R1" auto-download
   banner "Welcome to the IOS SSL Lab"
 default-group-policy default
 gateway SSL1
 inservice
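As an added check (Python written for this page, not Cisco code), the script below parses the configuration above into its indentation hierarchy and flags the settings a reviewer would want changed before exposing the portal: the reversible username password, the self-signed trustpoint, the missing dedicated AAA list and max-users limit, and the policy group with no idle or session timeout. The hardened copy it builds uses hypothetical values and assumes a CA-enrolled trustpoint named SSLVPN-CA exists elsewhere in the configuration.

```python
"""Audit the WebVPN configuration above for the settings a reviewer would
flag (added example, not Cisco code): a reversible type 0/7 user password, a
self-signed gateway certificate, a context with no dedicated AAA list or
max-users limit, and a policy group with no idle/session timeout. The
hardened copy assumes a CA-enrolled trustpoint named SSLVPN-CA (not shown)."""
import re
from dataclasses import dataclass, field

# Trimmed copy of the page's configuration ('!' separators and the unrelated
# ip http lines dropped), indented the way show running-config prints it.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default local
username cisco password 0 cisco
webvpn gateway SSL1
 hostname SSL1
 ip address 192.168.137.100 port 8000
 ssl trustpoint TP-self-signed-4294967295
 inservice
webvpn context SSL
 ssl authenticate verify all
 url-list "R1"
   heading "R1"
   url-text "R1-http" url-value "http://192.168.1.2"
 port-forward "R1"
   local-port 5000 remote-server "192.168.1.2" remote-port 443 description "R1 HTTPS"
   local-port 5001 remote-server "192.168.1.2" remote-port 22 description "R1 SSH"
 policy group default
   url-list "R1"
   port-forward "R1" auto-download
   banner "Welcome to the IOS SSL Lab"
 default-group-policy default
 gateway SSL1
 inservice
"""

# The same configuration with every finding corrected (hypothetical values).
HARDENED_CONFIG = (
    WEAK_CONFIG
    .replace("aaa authentication login default local\n",
             "aaa authentication login default local\n"
             "aaa authentication login SSLVPN local\n")
    .replace("username cisco password 0 cisco", "username cisco secret 0 Lab-0nly-Example!")
    .replace(" ssl trustpoint TP-self-signed-4294967295", " ssl trustpoint SSLVPN-CA")
    .replace(" ssl authenticate verify all\n",
             " ssl authenticate verify all\n aaa authentication list SSLVPN\n max-users 10\n")
    .replace('   banner "Welcome to the IOS SSL Lab"\n',
             '   banner "Welcome to the IOS SSL Lab"\n   timeout idle 600\n   timeout session 3600\n')
)


@dataclass
class Node:
    text: str
    children: list = field(default_factory=list)


def parse_ios(config: str) -> Node:
    """Build a tree from IOS indentation ('!' lines are ignored)."""
    root = Node("")
    stack = [(-1, root)]  # (indent, node) of the open blocks
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack[-1][0] >= indent:
            stack.pop()
        node = Node(raw.strip())
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root


def _has(nodes, prefix: str) -> bool:
    return any(n.text.startswith(prefix) for n in nodes)


def audit_webvpn(config: str) -> list:
    """Return one finding string per weak setting; empty list means clean."""
    findings = []
    for node in parse_ios(config).children:
        m = re.match(r"username (\S+) password (?:[07] )?\S+$", node.text)
        if m:  # type 0 is plaintext, type 7 is trivially reversible
            findings.append(f"user {m.group(1)}: reversible password, use 'secret'")
        if node.text.startswith("webvpn gateway "):
            gw = node.text.split()[2]
            if _has(node.children, "ssl trustpoint TP-self-signed"):
                findings.append(f"gateway {gw}: self-signed certificate")
        if node.text.startswith("webvpn context "):
            ctx = node.text.split()[2]
            if not _has(node.children, "aaa authentication list "):
                findings.append(f"context {ctx}: uses default AAA login list")
            if not _has(node.children, "max-users "):
                findings.append(f"context {ctx}: no max-users limit")
            for pg in (c for c in node.children if c.text.startswith("policy group ")):
                name = pg.text.split()[2]
                for kw in ("timeout idle ", "timeout session "):
                    if not _has(pg.children, kw):
                        findings.append(f"context {ctx} policy group {name}: no {kw.strip()}")
    return findings
```

Running audit_webvpn(WEAK_CONFIG) yields six findings; the same function on HARDENED_CONFIG yields none. The parser keys purely on indentation, which is how show running-config expresses nesting, so the same approach extends to other IOS features without per-command knowledge.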

Verify

Use the IOS show webvpn commands to confirm that the configuration works: "show webvpn gateway SSL1" and "show webvpn context SSL" report whether the gateway and context are in service, "show webvpn session context all" lists the users currently logged in, and "show webvpn policy group default context SSL" shows the URL list and port forwards applied to the group.
