SSL VPN (Secure Sockets Layer Virtual Private Network) allows users to remotely access restricted network resources via a secure and authenticated pathway by encrypting all network traffic and giving the appearance that the user is on the local network, regardless of geographic location. This protocol achieves a higher level of compatibility with client platforms and configurations for remote networks and firewalls, providing a more reliable connection.
Who Can Use SSL VPN?
SSL VPN allows access to administrative systems, critical infrastructure, and sensitive information maintained by system administrators. SSL VPN access can be granted to University system administrators as well as vendors and other external collaborators, provided that the user has a valid NetID and password and is in an LDAP (Lightweight Directory Access Protocol) group with SSL VPN access.
There are two SSL VPN options (Note: Enabled features will be determined by user need and the nature of applications and resources that need to be accessed):
Web Proxy — Users access all available resources through a web-based interface. Resources appear as bookmarks on the SSL VPN start page and secure access is granted as though the user is using an internal IP address. Through this interface, users can access web-based applications, use file sharing, remote desktop/Citrix (Windows Only), and Telnet/SSH. Any computer with a web browser should allow you to access SSL VPN Web Proxy, and because you are working in a web interface.
Network Connect — Users download a local VPN client that uses the SSL protocol and do not need to work through the web interface, providing additional connectivity if necessary. The Network Connect client is assigned a unique IP address from a role-specific pool of addresses, rather than the IP address that is used by Web Proxy connections.
The example is based on the diagram below.
For this example, the router needs to provide a user on the 192.168.137.x network secure access to R1 through an SSL web portal. HTTP access to R1 is provided through a URL link; HTTPS and SSH access to R1 is provided by port forwarding. In a real-world deployment, this type of access could give a network administrator emergency access from any computer.
The first step is to set up the authentication method for the user. The IOS SSL VPN uses the default AAA login method unless configured otherwise. For this example, we will use local authentication with the commands below:
aaa authentication login default local
username cisco password cisco
The next step is to set up the IP address and port on which the SSL VPN listens. The IOS SSL VPN allows the IP to be the address of a router interface or a virtual IP address. Additionally, the port can be the standard 443/tcp or another manually assigned port. For this example, we will use the IP address of the router's fa1/0 interface and port 8000/tcp, as shown below:
webvpn gateway SSL1
 ip address 192.168.137.100 port 8000
 ssl trustpoint TP-self-signed-4294967295
 inservice
Notice the "ssl trustpoint" line in the configuration. It is created automatically when the "inservice" command is entered to activate the gateway.
The next step is to create the "webvpn context". As stated earlier, this is the container for the VPN parameters. Within the "webvpn context" container, a number of parameters are defined and applied. For example:
A URL can be defined
The URL can be applied to a policy group
The policy group can then be applied to the context
All of this is configured within the "webvpn context" container. An example is shown below.
This portion shows how to forward ports. When a user uses a web browser to access https://127.0.0.1:5000, the connection is redirected to https://192.168.1.2 through the SSL connection. Similarly, when a user uses an SSH client to access 127.0.0.1 on port 5001, the connection is redirected to 192.168.1.2 on port 22. In the "port-forward" command, notice the "auto-download" parameter. This causes the port-forwarding thin client to launch automatically, instead of requiring the user to click the "thin client" start button shown below.
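The context described in the three steps above, together with the two port forwards just discussed, as an added illustration of the IOS WebVPN syntax (not the page's own configuration): the addresses and ports are those the text gives, while the list names, policy-group name, heading and link labels are assumed.

```cisco
! Added example: a webvpn context tying the URL link and the two
! port-forward entries from the text to the SSL1 gateway configured above.
! List names, policy-group name, heading and link labels are assumed.
webvpn context SSL1
 ! Bookmark shown on the portal start page: plain HTTP to R1 over the SSL session
 url-list "R1-LINKS"
   heading "R1 Access"
   url-text "R1 HTTP" url-value "http://192.168.1.2"
 ! Thin-client port forwarding: local loopback port -> R1 service
 port-forward "R1-PORTS"
   local-port 5000 remote-server "192.168.1.2" remote-port 443 description "R1 HTTPS"
   local-port 5001 remote-server "192.168.1.2" remote-port 22 description "R1 SSH"
 ! The policy group applies both lists; auto-download launches the thin client
 ! as soon as the user logs in instead of waiting for a click on the start button
 policy group R1-ADMIN
   url-list "R1-LINKS"
   port-forward "R1-PORTS" auto-download
 default-group-policy R1-ADMIN
 gateway SSL1
 inservice
```

Because the policy group is applied as the context default, every account that passes the default AAA login list receives both the link and the port forwards, so the local user list should contain only the administrators who need this access.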
The screenshots below show the GUI experience based on the configuration above.