© 2007 Cisco Systems, Inc. All rights reserved. SNRS v

Secured Connectivity: Configuring Cisco IOS SSL VPN (WebVPN)

Cisco IOS SSL VPN (WebVPN)
[Diagram labels: Corporate Office, Branch Office, SSL VPN Tunnel, IPsec Tunnel, Corporate Resources]

Remote-Access Modes
- Clientless
- Thin-client
- Tunnel mode

Access Mode Summary

Clientless Mode
- Browser-based
- Microsoft Windows or Linux
- Web-enabled applications, file sharing (CIFS), Microsoft OWA
- Gateway performs address or protocol conversion and content parsing and rewriting

Thin-Client Mode
- TCP port forwarding
- Uses a Java applet
- Extends application support: Telnet, SSH, Meeting Maker, Sametime Connect
- Static port-based applications

Tunnel Mode
- Works like clientless IPsec VPN
- Tunnel client loaded through Java or ActiveX
- Supports all IP-based applications
- Scalable
- Local administrative permissions required for installation

Clientless Mode Access
Clients with: Microsoft Windows 2000 or XP, Linux
[Diagram labels: Certificate, Corporate Office, Workplace Resources]

Thin-Client Mode Access
Clients with: Microsoft Windows 2000 or XP, Linux
[Diagram labels: Java Applet, Certificate, Corporate Office, Workplace Resources]

Application Access (Port-Forwarding) Screen
[Screenshot of the port-forwarding application access window]

Tunnel Mode Access
Clients with: Microsoft Windows 2000 or XP, Linux
[Diagram labels: SSL VPN Client, Certificate, Corporate Office, Workplace Resources]

Cisco IOS SSL VPN Client: Full Network Access
Leverages the depth of Cisco encryption client experience to deliver a lightweight, stable, and easy-to-support SSL VPN tunneling client.

Feature -> Benefit
- IPsec-like application access through web-pushed client -> Application-agnostic full network access
- No-touch central site configuration -> Low operating cost
- Compatible with Cisco softphone for VoIP support -> Multimedia data and voice desktops for greatest user productivity
- Client may be either removed at end of session or left permanently installed -> No trace of client after session provides better security
- Less than 250-KB download -> Fast client download time
- No reboot required after installation -> Improved productivity; better user satisfaction
Configuring WebVPN

WebVPN prerequisites:
- Configure AAA
  – Local or ACS authentication
- Configure DNS
  – Router hostname and domain name
  – Map host to IP address in router host table
- Configure certificates and trustpoints
  – CA or self-signed

WebVPN configuration:
- Configure a WebVPN gateway
- Configure a WebVPN context
  – Configure a URL list for clientless access
  – Configure Microsoft file shares for clientless access
  – Configure application port forwarding
- Configure a WebVPN policy group

AAA Configuration: Local Authentication

router(config)# aaa new-model
router(config)# username cisco password 0|6 cisco123
router(config)# aaa authentication login default local

AAA Configuration: External Authentication (Cisco Secure ACS)

router(config)# aaa group server radius VPN-ACS
router(config-sg-radius)# server
router(config-sg-radius)# exit
router(config)# aaa authentication login default group VPN-ACS

DNS Configuration
[Diagram labels: Cisco Secure ACS, DNS Server]

router(config)# hostname SSL
router(config)# ip domain name cisco.com
router(config)# ip name-server
OR
router(config)# ip host home.cisco.com

Certificate and Trustpoint Configuration

Prepare for CA support:
- Set the router time and date
- Verify the DNS parameters
- Generate an RSA key pair
- Declare a CA
- Authenticate the CA
- Request your own certificate

WebVPN Concepts

There are three main concepts within Cisco WebVPN: the WebVPN gateway, the WebVPN context, and the policy group.

WebVPN gateway: the configuration for the gateway itself, such as which IP address and port to listen on and whether a trustpoint is defined and associated with it.

WebVPN context: a container that holds the session parameters, such as the URL lists, the port-forwarding lists, installation of the Cisco SVC or Cisco Secure Desktop, and which kind of authentication to use. Context configuration items:
- AAA authentication list
- AAA authentication domain
- Enable or disable CSD
- Default policy group
- Associated gateway

Policy group: the configuration for the clients. Here you actually apply the lists and settings that you defined in the context.
Gateway Configuration Commands

router(config)# webvpn gateway SNRS-GW
router(config-webvpn-gateway)# hostname GW-1
router(config-webvpn-gateway)# http-redirect
router(config-webvpn-gateway)# ip address port 443
router(config-webvpn-gateway)# ssl encryption rc4-md5
router(config-webvpn-gateway)# ssl trustpoint SNRS-CA
router(config-webvpn-gateway)# inservice

Context Configuration Commands

router(config)# webvpn context SSLVPN
router(config-webvpn-context)# aaa authentication list VPN-ACS
router(config-webvpn-context)# default-group-policy SSL-Policy
router(config-webvpn-context)# gateway SNRS-GW
router(config-webvpn-context)# login-message "Please enter your credentials"
router(config-webvpn-context)# title "SNRS WebVPN Page"
router(config-webvpn-context)# title-color darkseagreen
router(config-webvpn-context)# logo file flash:/cisco.gif
router(config-webvpn-context)# max-users 300
router(config-webvpn-context)# secondary-color darkgreen
router(config-webvpn-context)# secondary-text-color white

URL Lists

router(config)# webvpn context SSLVPN
router(config-webvpn-context)# url-list "Internal"
router(config-webvpn-url)# heading "Quicklinks"
router(config-webvpn-url)# url-text "Pod Homepage" url-value home.cisco.com
router(config-webvpn-url)# url-text OWA url-value .mydomain.com

Group Policy Configuration Commands

router(config)# webvpn context SSLVPN
router(config-webvpn-context)# policy group SSL-policy
router(config-webvpn-group)# banner "Login Successful"
router(config-webvpn-group)# nbns-list NBNS-SERVERS
router(config-webvpn-group)# timeout idle 1800
router(config-webvpn-group)# timeout session
router(config-webvpn-group)# url-list Internal
router(config-webvpn-group)# port-forward Portlist

Port-Forwarding Configuration Commands

router(config)# webvpn context SSLVPN
router(config-webvpn-context)# port-forward Portlist
router(config-webvpn-port-fwd)# local-port remote-server mail.corporate.com remote-port 25 description SMTP
router(config-webvpn-port-fwd)# local-port remote-server mail.corporate.com remote-port 110 description POP3
router(config-webvpn-port-fwd)# local-port remote-server mail.corporate.com remote-port 143 description IMAP
router(config-webvpn-port-fwd)# exit
router(config-webvpn-context)# policy group SSL-policy
router(config-webvpn-group)# port-forward Portlist

Configuring Microsoft File Shares

- Network browse (listing of domains)
- Domain browse (listing of servers)
- Server browse (listing of shares)
- Listing files in a share
- Downloading files
- Modifying files
- Creating new directories
- Creating new files
- Deleting files

Configuring CIFS

router(config)# webvpn context SSLVPN
router(config-webvpn-context)# nbns-list NBNS-SERVERS
router(config-webvpn-nbnslist)# nbns-server master
router(config-webvpn-nbnslist)# nbns-server timeout 10 retries 5

Configuring CIFS (Cont.)

router(config)# webvpn context SSLVPN
router(config-webvpn-context)# policy group SSL-policy
router(config-webvpn-group)# nbns-list NBNS-SERVERS
router(config-webvpn-group)# functions file-access
router(config-webvpn-group)# functions file-browse
router(config-webvpn-group)# functions file-entry
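The gateway, context, URL-list, policy-group, port-forward and NBNS steps above only work together if every name one block references is defined in another. The following Python check is an added example, not Cisco code or part of the course: it walks a running-config excerpt in the layout IOS prints (one-space indent for block members, two for policy-group members), flags a gateway with no trustpoint or a legacy cipher, a default-group-policy that matches no policy group, and list references a group makes that the context never defines. Names are compared exactly as typed, and the sample config is constructed from the slide commands.

```python
WEAK = {"rc4-md5", "3des-sha1"}  # legacy 'ssl encryption' keywords (RC4/MD5 and 3DES are deprecated)
LISTS = ("url-list", "nbns-list", "port-forward")
SAMPLE_CONFIG = """webvpn gateway SNRS-GW
 ssl encryption rc4-md5
 ssl trustpoint SNRS-CA
webvpn context SSLVPN
 url-list "Internal"
 nbns-list NBNS-SERVERS
 port-forward Portlist
 policy group SSL-policy
  url-list Internal
  nbns-list NBNS-SERVERS
  port-forward Portlist
 default-group-policy SSL-Policy
 gateway SNRS-GW
"""  # constructed excerpt modelled on the slide commands, not taken from a real device


def check_webvpn(config):
    """Return findings for dangling references and weak gateway settings; [] means clean."""
    gateways, contexts, findings, block, group = {}, {}, [], None, None
    for raw in filter(str.strip, config.splitlines()):  # skip blank lines
        words, indent = raw.split(), len(raw) - len(raw.lstrip())
        if indent == 0:  # 'webvpn gateway NAME' or 'webvpn context NAME' opens a block
            block = {"kind": words[1], "defs": set(), "groups": {}, "refs": {}}
            (gateways if words[1] == "gateway" else contexts)[words[2]] = block
            group = None
        elif block["kind"] == "gateway":  # e.g. 'ssl trustpoint SNRS-CA' -> refs['ssl trustpoint']
            block["refs"][" ".join(words[:2])] = words[2:]
        elif indent == 1:  # context-level statement
            group = None
            if words[0] in LISTS:  # a list the context defines
                block["defs"].add((words[0], words[1].strip('"')))
            elif words[:2] == ["policy", "group"]:
                group = block["groups"].setdefault(words[2], set())
            elif words[0] in ("default-group-policy", "gateway"):
                block["refs"][words[0]] = words[1]
        elif group is not None and words[0] in LISTS:  # a list the policy group references
            group.add((words[0], words[1].strip('"')))
    for name, gw in gateways.items():
        if "ssl trustpoint" not in gw["refs"]:
            findings.append(f"gateway {name}: no ssl trustpoint bound")
        if set(gw["refs"].get("ssl encryption", [])) & WEAK:
            findings.append(f"gateway {name}: legacy cipher suite in {gw['refs']['ssl encryption']}")
    for name, ctx in contexts.items():
        if ctx["refs"].get("default-group-policy") not in ctx["groups"]:
            findings.append(f"context {name}: default-group-policy {ctx['refs'].get('default-group-policy')!r} matches no policy group")
        for grp, used in ctx["groups"].items():
            for kind, lname in sorted(used - ctx["defs"]):
                findings.append(f"context {name} group {grp}: {kind} {lname!r} is not defined")
    return findings
```

Run against the sample it reports the rc4-md5 cipher and the SSL-Policy/SSL-policy mismatch that the slides themselves carry; fix both and it returns an empty list.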
Verifying SSL VPN Operation

User login: use a browser to verify the portal page and authentication.

Commands:
show webvpn gateway name
show webvpn context name
show webvpn install
show webvpn nbns
show webvpn policy
show webvpn session
show webvpn stats

Screenshots of the user-side flow:
- SSL/TLS Certificate
- SSL VPN Login Page
- SSL VPN Login Successful
- SSL VPN Portal Page and Floating Toolbar
- SSL VPN Logout Dialog
- SSL VPN Logout

show Commands

show webvpn gateway
show webvpn context
show webvpn install
show webvpn nbns
show webvpn policy
show webvpn session
show webvpn stats
show webvpn gateway Command

router# show webvpn gateway
Gateway Name        Admin  Operation
SNRS-GW             up     up

router# show webvpn gateway SNRS-GW
Admin Status: up
Operation Status: up
IP: , port: 443
SSL Trustpoint: TP-self-signed

show webvpn context Command

router# show webvpn context
Codes: AS - Admin Status, OS - Operation Status
       VHost - Virtual Host

Context Name     Gateway   Domain/VHost   VRF   AS     OS
Default_context  n/a       n/a            n/a   down   down
SSLVPN           SNRS-GW   one            -     up     up

show webvpn context Command (Cont.)

router# show webvpn context SSLVPN
Admin Status: up
Operation Status: up
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List not configured
AAA Authentication Domain not configured
Default Group Policy: SSL-Policy
Associated WebVPN Gateway: SNRS-GW
Domain Name:
Maximum Users Allowed: (default)
NAT Address not configured
VRF Name not configured

show webvpn policy group Command

router# show webvpn policy group csdpolicy context all
WEBVPN: group policy = SSL-policy ; context = SSLVPN
  url list name = Internal
  idle timeout = 2100 sec
  session timeout = sec
  port forward name = Portlist
  nbns list name = NBNS-Servers
  functions = file-access file-browse file-entry svc-enabled
  citrix enabled
  address pool name = webvpn-pool
  dpd client timeout = 300 sec
  dpd gateway timeout = 300 sec
  keep sslvpn client installed = disabled
  rekey interval = 3600 sec
  rekey method =
  lease duration = sec
  split include =
  split include =
  DNS primary server =

show webvpn session context Command

router# show webvpn session context sslvpn
WebVPN context name: SSLVPN
Client_Login_Name  Client_IP_Address  No_of_Connections  Created  Last_Used
user                                                     :47:16   00:01:26
user                                                     :48:36   00:01:56

show webvpn session user Command

router# show webvpn session user user1 context all
WebVPN user name = user1 ; IP address = ; context = SSLVPN
  No of connections: 0
  Created 00:00:19, Last-used 00:00:18
  CSD enabled
  CSD Session Policy
    CSD Web Browsing Allowed
    CSD Port Forwarding Allowed
    CSD Full Tunneling Disabled
    CSD FILE Access Allowed
  User Policy Parameters
    Group name = ONE
  Group Policy Parameters
    url list name = "Cisco"
    idle timeout = 2100 sec
    session timeout = sec
    port forward name = " "
    tunnel mode = disabled
    citrix disabled
    dpd client timeout = 300 sec
    dpd gateway timeout = 300 sec
    keep stc installed = disabled
    rekey interval = 3600 sec
    rekey method = ssl
    lease duration = 3600 sec

Troubleshooting SSL VPN

Command                     Description
debug webvpn                Enables WebVPN basic session monitoring
debug webvpn aaa            Displays AAA debug messages
debug webvpn cifs           Displays CIFS debug messages
debug webvpn citrix         Displays Citrix debug messages
debug webvpn cookie         Displays cookie debug messages
debug webvpn dns            Displays DNS messages
debug webvpn http           Displays HTTP messages
debug webvpn port-forward   Displays port-forwarding debug messages
debug webvpn webservice     Displays web service debug messages

clear Commands

router# clear webvpn session user user1
router# clear webvpn session context all
router# clear webvpn nbns
router# clear webvpn stats
Summary

The WebVPN feature in Cisco IOS Software provides support for remote-user access to enterprise networks from anywhere on the Internet.

In clientless mode, the remote user accesses the internal or corporate network using a web browser. In thin-client mode, the remote user downloads a Java applet. In tunnel mode, remote users use an SSL tunnel to move data at the network (IP) layer.

There are several components that must be configured when setting up a Cisco IOS SSL VPN. AAA must be configured for WebVPN authentication.

Summary (Cont.)

Before configuring WebVPN, an administrator must configure DNS-related commands. WebVPN is based on HTTPS, which requires a PKI trustpoint to be configured.

Configuring a basic WebVPN portal includes configuring:
– Gateway
– Context
– URL lists
– Group policies

There are several show commands available to verify WebVPN functionality, and debug commands used to troubleshoot WebVPN.