Hi there and welcome back to this series on the Cisco Configuration Professional tool. In this article, we will be configuring our 9th lab where we will deal with clientless SSL VPN (or WebVPN). Remember that SSL VPN can be configured in one of three modes: clientless, thin-client and full-client. Even though the Cisco ASA is the normal device we will use to terminate VPN connections such as this, the Cisco router is also capable.
Our network diagram is shown below:
The configuration tasks for Lab #9 are as follows:
- * Configure RTR2’s Loopback1 interface to accept clientless SSL VPN connections. Use the local database for authentication.
- * Create a username of sslvpn with a password of sslvpn to access the configured SSL VPN service.
- * Test your SSL VPN service by connecting a host on RTR3’s Fa0/1 interface using a subnet of 188.8.131.52/30.
SSL VPN takes the requirement off users of having to establish a VPN connection through a pre-installed VPN client. With SSL VPN, users can access the SSL VPN gateway through their normal web browser and depending on the type of SSL VPN configured, they can access the organisation’s resources directly from their browser or by downloading the SSL VPN client.
As usual, CCP offers us wizards to configure or edit SSL VPN. To begin with our first task, I will select RTR2 as the community member to configure and then navigate to Configure > Security > VPN > SSL VPN > SSL VPN Manager.
Notice that the prerequisite for configuring SSL VPN is that AAA must be enabled. This is because of the user authentication to the VPN gateway. I can follow the blue link to enable AAA or I can click on Launch the selected task and I will still be required to enable AAA as shown below:
Let’s first enable AAA so I will click OK to complete this prerequisite task.
Notice what CCP does: if it were just to enable AAA, we may be locked out of our router (except the console) because by default, when AAA is enabled on a router, the router will automatically apply local authentication on all lines except the console. This means that if you don’t have a username/password configured in the local database, you will be locked out via telnet or SSH. In our case, though, this does not apply because CCP already discovered our router using a username and password. In any case, the configuration to be sent to the router is as shown below:
aaa new-model aaa authorization exec default local aaa authentication login default local line vty 0 4 login authentication default authorization exec default exit
Once our commands have been delivered, we get the informational dialog box shown above informing us that AAA has been successfully enabled and when we click on the OK button, the SSL VPN Wizard start screen is displayed as shown below:
On the next screen, we can specify the IP address through which users can access the SSL VPN portal page. We will also specify a name for this SSL VPN connection. Notice that I am using the router’s self-generated certificate for this SSL VPN.
From above, you can see that the URL to access the SSL VPN will be https://184.108.40.206/ which is the default URL i.e. https://<interface_ip_addr>/. We could have specified another URL in the URL field e.g. https://220.127.116.11/WEBVPN.
On the next screen, we see why it was necessary to enable AAA. We have the option of using an external AAA server or the router’s local database or both. In this article, we will stick with the local database.
When the Locally on this router option is selected, CCP allows us to add/edit usernames and passwords.
Task #2 requires us to create a new username of sslvpn so I will click on the Add button which brings up the Add an Account dialog box as shown below:
Note: We could have created this username separately in CCP instead of through the SSL VPN wizard.
When we are done creating the new user, CCP presents us with the next screen where we can configure the intranet websites. For this article, we would not be configuring any URL links, so I will just move on.
The next screen presented deals with enabling full-client SSL VPN. For this lab, this is not a requirement so I will uncheck the Enable Full Tunnel option.
CCP comes with predefined themes which control the color, texts and logos displayed on the SSL VPN portal page. The SSL VPN wizard does not allow us to create a theme but we can edit the theme when done under the Edit SSL VPN tab.
Clicking Next brings us to the summary page of the SSL VPN wizard. Notice that CCP advices me to enable DNS on my router but since I would not be doing any name resolution, I will leave DNS unconfigured.
The command to be delivered to the router is as follows:
aaa authentication login ciscocp_vpn_xauth_ml_1 local webvpn gateway gateway_1 ip address 18.104.22.168 port 443 http-redirect port 80 inservice ssl trustpoint TP-self-signed-4279256517 exit webvpn context WEBVPN aaa authentication list ciscocp_vpn_xauth_ml_1 gateway gateway_1 inservice max-users 1000 secondary-color white title-color #CCCC66 text-color black policy group policy_1 exit default-group-policy policy_1 exit ! IP address / user account command username sslvpn privilege 1 secret 0 ******
After our configuration has been successfully delivered, the Edit SSL VPN tab will be displayed as shown below
Let us now test our SSL VPN to see if we can access it. I will connect a virtual machine to interface Fa0/1 of RTR3 using 22.214.171.124/30 subnet. The default gateway of that virtual machine will be RTR3. Also, I will advertise this new network into EIGRP. The configuration on RTR3 is as follows:
interface Fa0/1 ip address 126.96.36.199 255.255.255.252 no shut router eigrp 10 network 188.8.131.52 0.0.0.3
As shown below, the virtual machine can also ping the default gateway.
Great! Now, I will open a web page to https://184.108.40.206. As shown below, I am presented with a Security Alert dialog box because of the untrusted certificate presented by the SSL VPN server. Since I trust that certificate, I will click on Yes to proceed.
If everything goes well, I should then be presented with the SSL VPN login screen as shown below:
I will authenticate using the sslvpn user we created and upon successful authentication, I should be placed in the SSL VPN portal.
Notice that this portal does not present us with much. However, we can still use the URL field in the top left corner to access resources. For example, I will type http://220.127.116.11/ in that field. Notice that a new window is opened and I am presented with the login screen for the HTTP server at 18.104.22.168.
After successful login, you can see that I have access to 22.214.171.124 via HTTP.
This brings us to the end of Lab #9 where we have configured Clientless SSL VPN. As we saw, a user only needs an SSL-enabled browser to connect to the VPN thus removing the need to have a pre-installed VPN client. However, we noticed that the user did not have access to any resource after a successful connection. In the next article, we will provide access to these resources and also deal with customization.
I hope you have found this article helpful and I look forward to the next article in the series.
Clientless SSL VPN (WebVPN) on Cisco IOS with SDM Configuration Example: http://www.cisco.com/c/en/us/support/docs/security/ssl-vpn-client/70663-webvpn.html