SSL VPN on IOS for some reason is a pain in the butt to configure. I think the ASA config is much easier and faster. I guess once you've done it a few times they both are pretty easy. I did a basic config using clientless mode with some port forwards and local authentication. In this scenario I simply wanted to connect to R4 for Telnet and SSH access.
I'll put out some thin and thick client configs later. For the clientless mode SSL config there are basically 3 things to remember.
1. Configure authentication
aaa new-model
aaa authentication login default local
username bobjones password bobjones
2. Configure the webvpn gateway.
webvpn gateway WebVPN_Gateway
hostname WebVPN_Gateway
ip address 192.168.40.2 port 443
http-redirect port 80
inservice
! Enables the Gateway. You will also notice that the RSA Key is automatically generated. If you want one that is exportable, you will need to create it yourself.
3. Configure the webvpn context. This provides the webvpn configuration
webvpn context WEBVPN_CONTEXT
!
port-forward "R4-Access"
local-port 2222 remote-server "192.168.4.4" remote-port 22 description "SSH to R4"
local-port 2323 remote-server "192.168.4.4" remote-port 23 description "Telnet to R4"
!
title "Welcome to wr-mem SSL VPN"
color Blue
secondary-color Green
text-color Gray
secondary-text-color Gold
policy group webvpn_policy
port-forward "R4-Access" auto-download
default-group-policy webvpn_policy
gateway WebVPN_Gateway domain wr-mem
! You must tie the context to a gateway. The domain parameter will allow you to differentiate this context from another. https://xxx.xxx.xxx.xxx/wr-mem
inservice
! Enables the context and also creates the PKI trustpoint along with the certificate.
exit
exit
Once you get it all in, it's pretty simple to modify or muddle your way through to make changes. I'll put out some more advanced configs later.
The whole deal:
interface FastEthernet1/1
ip address 192.168.4.2 255.255.255.0
duplex auto
speed auto
no shut
!
interface FastEthernet1/0
ip address 192.168.40.2 255.255.255.0
duplex auto
speed auto
no shut
!
aaa new-model
aaa authentication login default local
username bobjones password bobjones
!
webvpn gateway WebVPN_Gateway
hostname WebVPN_Gateway
ip address 192.168.40.2 port 443
http-redirect port 80
inservice
! Enables the Gateway. You will also notice that the RSA Key is automatically generated. If you want one that is exportable, you will need to create it yourself.
webvpn context WEBVPN_CONTEXT
!
port-forward "R4-Access"
local-port 2222 remote-server "192.168.4.4" remote-port 22 description "SSH to R4"
local-port 2323 remote-server "192.168.4.4" remote-port 23 description "Telnet to R4"
!
title "Welcome to wr-mem SSL VPN"
color Blue
secondary-color Green
text-color Gray
secondary-text-color Gold
policy group webvpn_policy
port-forward "R4-Access" auto-download
default-group-policy webvpn_policy
gateway WebVPN_Gateway domain wr-mem
! You must tie the context to a gateway. The domain parameter will allow you to differentiate this context from another. https://xxx.xxx.xxx.xxx/wr-mem
inservice
! Enables the context and also creates the PKI trustpoint along with the certificate.
exit
exit
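As an added example (my own code, not from the post), here is a small Python audit that reads a flat IOS config like the one above and checks the three things the post says to remember: an AAA login method, a gateway that is inservice, and a context that is tied to that gateway and is itself inservice. It also flags two things a reviewer would raise on this exact config: the "username ... password" line (reversible, use "secret" instead) and the Telnet port forward, which SSL only protects as far as the gateway. The sample config is constructed from the post's own lines.

```python
import re

# Constructed sample reproducing the post's flat clientless WebVPN config.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
username bobjones password bobjones
webvpn gateway WebVPN_Gateway
inservice
webvpn context WEBVPN_CONTEXT
port-forward "R4-Access"
local-port 2222 remote-server "192.168.4.4" remote-port 22 description "SSH to R4"
local-port 2323 remote-server "192.168.4.4" remote-port 23 description "Telnet to R4"
policy group webvpn_policy
port-forward "R4-Access" auto-download
default-group-policy webvpn_policy
gateway WebVPN_Gateway domain wr-mem
inservice
"""
FWD_RE = re.compile(r'local-port (\d+) remote-server "([^"]+)" remote-port (\d+)')

def audit_webvpn(config):
    """Parse a flat IOS WebVPN config; return (gateways, contexts, findings)."""
    gateways, contexts, findings, aaa_login = {}, {}, [], False
    section = {}  # the gateway or context block currently being read
    for line in (l.strip() for l in config.splitlines()):
        if not line or line.startswith("!"): continue
        if line.startswith("aaa authentication login"):
            aaa_login = True
        elif re.match(r"username \S+ password ", line):  # type 0/7, not 'secret'
            findings.append(f"user {line.split()[1]} uses reversible 'password'; use 'secret'")
        elif line.startswith("webvpn gateway "):
            section = gateways[line.split()[2]] = {"inservice": False}
        elif line.startswith("webvpn context "):
            section = contexts[line.split()[2]] = {"gateway": None, "inservice": False, "forwards": []}
        elif line == "inservice":
            section["inservice"] = True
        elif line.startswith("gateway ") and "forwards" in section:
            section["gateway"] = line.split()[1]  # ties the context to its gateway
        elif (m := FWD_RE.match(line)) and "forwards" in section:
            section["forwards"].append((int(m[1]), m[2], int(m[3])))
            if m[3] == "23":
                findings.append(f"forward {m[1]}->{m[2]}:23 is cleartext telnet past the gateway")
    if not aaa_login:
        findings.append("no 'aaa authentication login' method: portal logins cannot succeed")
    findings += [f"gateway {n} is not inservice" for n, g in gateways.items() if not g["inservice"]]
    findings += [f"context {n} is not inservice" for n, c in contexts.items() if not c["inservice"]]
    findings += [f"context {n} is not tied to a configured gateway" for n, c in contexts.items() if c["gateway"] not in gateways]
    return gateways, contexts, findings
```

Run audit_webvpn(SAMPLE_CONFIG) and print the third element to see the two findings; feed it a config missing the "gateway ... domain" line and the context is reported as not tied to a gateway.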
How does the user then receive the auto-download app (e.g. the telnet app)?
I can bring up the portal with a list of URLs, but if I want to telnet to another host, where do I do this from the portal?
A snip of my config is here…
port-forward "remoteapps"
local-port 60001 remote-server "192.168.2.1" remote-port 23 description "Telnet Cisco827"
!
policy group NSTEST_GROUP
url-list "saleslist"
url-list "mktlist"
url-list "misclist"
port-forward "remoteapps" auto-download
Thanks.
Andy