Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
257
Views
0
Helpful
0
Comments

Router: IOS SSLVPN with Virtual-Template and VRF Example

hdashnau
Cisco Employee
Cisco Employee

on ‎03-24-2011 08:24 AM

Reference document for adding a Virtual-Template Interface (VTI) and an IVRF to SSLVPN on an IOS router. This example was based off of 15.1(3)T code and assumes there is a working SSLVPN config in place prior to the addition of Virtual Templates and IVRF.


Define the IVRF

     ip vrf forwarding

     vrf definition vrf1

      rd 1:2

      route-target export 1:2

      route-target import 1:2


Apply the VRF to the "inside" interface.

Note: After you add the VRF command, make sure you reapply the IP address to the interface

     interface GigabitEthernet0/1

      description inside interface

      vrf forwarding vrf1

      ip address 192.168.1.1 255.255.255.0


Create the Virtual-Template and apply the VRF to this interface

     interface Virtual-Template1

      description Virtual-Template Interface attached to IVRF vrf1

      vrf forwarding vrf1

      ip unnumbered GigabitEthernet0/1


Add the Virtual Template to the webvpn context.

Note: You should take the context out of service before applying the Virtual-Template and it is not necessary to add the VRF to the webvpn context in 15.x code

     webvpn context context_1

      no inservice

      virtual-template 1

      inservice


Add a route in the VRF for the internal next hop.

Note: It is not necessary to add a route for the AnyConnect ip pool. It will get added when AnyConnect connects

     ip route vrf Tenant001 192.168.1.0 255.255.255.0 192.168.200.2

This is the AnyConnect ip pool as reference

     ip local pool anyconnect_pool 172.16.1.1 172.16.1.254




Connect AnyConnect and verify reachability. There should be a route in the VRF for the AnyConnect address when connected that points to the Virtual-Access interface that was spawned from the Virtual-Template. The vrf and virtual template should show as attached to the context

"show ip route vrf vrf1" output:
S        172.16.1.1 [0/0] via 0.0.0.0, Virtual-Access2

"sh webvpn context context_1" output:
Admin Status: up
Operation Status: up
Error and Event Logging: Disabled
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List not configured
AAA Authorization List not configured
AAA Accounting List not configured
AAA Authentication Domain not configured
Authentication mode: AAA authentication
Default Group Policy not configured
Associated WebVPN Gateway: gateway_1
Domain Name and Virtual Host not configured
Maximum Users Allowed: 1500 (default)
NAT Address not configured
VRF Name: vrf1
Virtual Template: 1
Virtual Access  : 2

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents