Configuring Cisco SSL VPN via SDM (Clientless SSL VPN / WebVPN on Cisco IOS with SDM Configuration Example)
Introduction
Clientless SSL VPN (WebVPN) allows a user to securely access resources on the corporate LAN from anywhere with an SSL-enabled Web browser. The user first authenticates with a WebVPN gateway which then allows the user access to pre-configured network resources. WebVPN gateways can be configured on Cisco IOS® routers, Cisco Adaptive Security Appliances (ASA), Cisco VPN 3000 Concentrators, and the Cisco WebVPN Services Module for the Catalyst 6500 and 7600 Routers.
Secure Socket Layer (SSL) Virtual Private Network (VPN) technology can be configured on Cisco devices in three main modes: Clientless SSL VPN (WebVPN), Thin-Client SSL VPN (Port Forwarding), and SSL VPN Client (SVC) mode. This document demonstrates the configuration of the WebVPN on Cisco IOS routers.
Note:
Do not change either the IP domain name or the hostname of the router, as this will trigger a regeneration of the self-signed certificate and will override the configured trustpoint. Regeneration of the self-signed certificate causes connection issues if the router has been configured for WebVPN. WebVPN ties the SSL trustpoint name to the WebVPN gateway configuration. Therefore, if a new self-signed certificate is issued, the new trustpoint name does not match the WebVPN configuration and users are unable to connect.
Note:
If you run the ip http secure-server command on a WebVPN router that uses a persistent self-signed certificate, a new RSA key is generated and the certificate becomes invalid. A new trustpoint is created, which breaks SSL WebVPN. If the router that uses the persistent self-signed certificate reboots after you run the ip http secure-server command, the same issue occurs.
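Both notes describe the same failure mode: the WebVPN gateway names its SSL trustpoint explicitly, and a regenerated self-signed certificate lands in a trustpoint with a new name that the gateway block never learns about. The following is an added check, not part of the original Cisco document, that parses a saved running-config and reports every WebVPN gateway whose ssl trustpoint no longer exists in the config. The two configs embedded are constructed samples; the hostname ausnml-3825-02 and the gateway address 192.168.0.37 are assumed values used only for illustration.

```python
import re

# Constructed sample: the gateway references a trustpoint that exists.
GOOD_CONFIG = """\
hostname ausnml-3825-01
!
crypto pki trustpoint ausnml-3825-01_Certificate
 enrollment selfsigned
!
webvpn gateway gateway_1
 ip address 192.168.0.37 port 443
 ssl trustpoint ausnml-3825-01_Certificate
 inservice
!
"""

# Constructed sample: after a hostname change (ausnml-3825-02 is an assumed
# new name) IOS generated a fresh self-signed trustpoint, but the gateway
# still names the old one, which is the condition the notes warn about.
BROKEN_CONFIG = """\
hostname ausnml-3825-02
!
crypto pki trustpoint ausnml-3825-02_Certificate
 enrollment selfsigned
!
webvpn gateway gateway_1
 ip address 192.168.0.37 port 443
 ssl trustpoint ausnml-3825-01_Certificate
 inservice
!
"""

TRUSTPOINT_RE = re.compile(r"^crypto pki trustpoint (\S+)\s*$")
GATEWAY_RE = re.compile(r"^webvpn gateway (\S+)\s*$")
SSL_TRUSTPOINT_RE = re.compile(r"^\s+ssl trustpoint (\S+)\s*$")


def parse_config(config_text):
    """Return (set of trustpoint names, {gateway name: trustpoint name or None}).

    IOS prints sub-commands indented by one space; any line at column 0
    ends the current block, so only indented lines are attributed to the
    gateway that precedes them.
    """
    trustpoints = set()
    gateways = {}
    current = None
    for line in config_text.splitlines():
        if not line.startswith(" "):
            current = None
        m = TRUSTPOINT_RE.match(line)
        if m:
            trustpoints.add(m.group(1))
            continue
        m = GATEWAY_RE.match(line)
        if m:
            current = m.group(1)
            gateways[current] = None  # no explicit ssl trustpoint seen yet
            continue
        if current is not None:
            m = SSL_TRUSTPOINT_RE.match(line)
            if m:
                gateways[current] = m.group(1)
    return trustpoints, gateways


def dangling_gateways(config_text):
    """Names of WebVPN gateways whose ssl trustpoint no longer exists."""
    trustpoints, gateways = parse_config(config_text)
    return sorted(
        name for name, tp in gateways.items()
        if tp is not None and tp not in trustpoints
    )


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, dangling_gateways(cfg))
```

Run it against the output of show running-config before and after any change to the hostname, domain name or ip http secure-server; a non-empty list means the gateway must be pointed at the new trustpoint (or the old trustpoint restored) before users can connect again. A gateway with no explicit ssl trustpoint line is skipped, because the check can only compare names the config actually states.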
Refer to Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM in order to learn more about the thin-client SSL VPN.
Refer to SSL VPN Client (SVC) on IOS with SDM Configuration Example in order to learn more about the SSL VPN Client.
SSL VPN runs on these Cisco Router platforms:
Cisco 870, 1811, 1841, 2801, 2811, 2821 and 2851 series routers
Cisco 3725, 3745, 3825, 3845, 7200 and 7301 series routers
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
An advanced image of Cisco IOS Software Release 12.4(6)T or later
One of the Cisco router platforms listed in the Introduction
Components Used
The information in this document is based on these software and hardware versions:
Cisco 3825 router
Advanced Enterprise software image - Cisco IOS Software Release 12.4(9)T
Cisco Router and Security Device Manager (SDM) - version 2.3.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. The IP addresses used in this example are taken from RFC 1918 addresses which are private and not legal to use on the Internet.
Network Diagram
This document uses this network setup:
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Preconfiguration Tasks
Before you begin, complete these tasks:
Configure a hostname and domain name.
Configure the router for SDM. Cisco ships some routers with a preinstalled copy of SDM.
If the Cisco SDM is not already loaded on your router, you can obtain a free copy of the software from Software Download (registered customers only). You must have a CCO account with a service contract. For detailed information on the installation and configuration of SDM, refer to Cisco Router and Security Device Manager.
Configure the correct date, time, and time zone for your router.
Configure WebVPN on Cisco IOS
You can have more than one WebVPN gateway associated with a device. Each WebVPN gateway is linked to only one IP address on the router. You can create more than one WebVPN context for a particular WebVPN gateway. To identify individual contexts, provide each context with a unique name. One policy group can be associated with only one WebVPN context. The policy group describes which resources are available in a particular WebVPN context.
Complete these steps in order to configure WebVPN on Cisco IOS:
Configure the WebVPN Gateway
Configure the Resources Allowed for the Policy Group
Configure the WebVPN Policy Group and Select the Resources
Configure the WebVPN Context
Configure the User Database and Authentication Method
Step 1. Configure the WebVPN Gateway
Complete these steps in order to configure the WebVPN Gateway:
Within the SDM application, click Configure, and then click VPN.
Expand WebVPN, and choose WebVPN Gateways.
Click Add.
The Add WebVPN Gateway dialog box appears.
Enter values in the Gateway Name and IP Address fields, and then check the Enable Gateway check box.
Check the Redirect HTTP Traffic check box, and then click OK.
Click Save, and then click Yes to accept the changes.
Step 2. Configure the Resources Allowed for the Policy Group
In order to make it easier to add resources to a policy group, you can configure the resources before you create the policy group.
Complete these steps in order to configure the resources allowed for the policy group:
Click Configure, and then click VPN.
Choose WebVPN, and then click the Edit WebVPN tab.
Note:
WebVPN allows you to configure access for HTTP, HTTPS, Windows file browsing through the Common Internet File System (CIFS) protocol, and Citrix.
Click Add.
The Add WebVPN Context dialog box appears.
Expand WebVPN Context, and choose URL Lists.
Click Add.
The Add URL List dialog box appears.
Enter values in the URL List Name and Heading fields.
Click Add, and choose Website.
This list contains all the HTTP and HTTPS Web servers that you want to be available for this WebVPN connection.
In order to add access for Outlook Web Access (OWA), click Add, choose E-mail, and then click OK after you have filled in all the desired fields.
In order to allow Windows file browsing through CIFS, you can designate a NetBIOS Name Service (NBNS) server and configure the appropriate shares in the Windows domain.
From the WebVPN Context list, choose NetBIOS Name Server Lists.
Click Add.
The Add NBNS Server List dialog box appears.
Enter a name for the list, and click Add.
The NBNS Server dialog box appears.
If applicable, check the Make This the Master Server check box.
Click OK, and then click OK.
Step 3. Configure the WebVPN Policy Group and Select the Resources
Complete these steps in order to configure the WebVPN policy group and select the resources:
Click Configure, and then click VPN.
Expand WebVPN, and choose WebVPN Context.
Choose Group Policies, and click Add.
The Add Group Policy dialog box appears.
Enter a name for the new policy, and check the Make this the default group policy for context check box.
Click the Clientless tab located at the top of the dialog box.
Check the Select check box for the desired URL List.
If your customers use Citrix clients that need access to Citrix servers, check the Enable Citrix check box.
Check the Enable CIFS, Read, and Write check boxes.
Click the NBNS Server List drop-down arrow, and choose the NBNS server list that you created for Windows file browsing in Step 2.
Click OK.
Step 4. Configure the WebVPN Context
In order to link the WebVPN gateway, group policy, and resources together, you must configure the WebVPN context. In order to configure the WebVPN context, complete these steps:
Choose WebVPN Context, and enter a name for the context.
Click the Associated Gateway drop-down arrow, and choose an associated gateway.
If you intend to create more than one context, enter a unique name in the Domain field to identify this context. If you leave the Domain field blank, users must access the WebVPN with https://IPAddress. If you enter a domain name (for example, Sales), users must connect with https://IPAddress/Sales.
Check the Enable Context check box.
In the Maximum Number of Users field, enter the maximum number of users allowed by the device license.
Click the Default Group policy drop-down arrow, and select the group policy to associate with this context.
Click OK, and then click OK.
Step 5. Configure the User Database and Authentication Method
You can configure Clientless SSL VPN (WebVPN) sessions to authenticate with RADIUS, the Cisco AAA Server, or a local database. This example uses a local database.
Complete these steps in order to configure the user database and authentication method:
Click Configuration, and then click Additional Tasks.
Expand Router Access, and choose User Accounts/View.
Click the Add button.
The Add an Account dialog box appears.
Enter a user account and a password.
Click OK, and then click OK.
Click Save, and then click Yes to accept the changes.
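For readers who want to verify what the five SDM steps produce, or to reproduce them without SDM, the equivalent Cisco IOS WebVPN configuration follows as an added example; it is not output from the original document, and it only covers the webvpn and username sections (the rest of the generated configuration appears under Results). The gateway address 192.168.0.37, the intranet and OWA server addresses, the NBNS server 10.1.1.1, the names gateway_1, webvpn, ausnml, NBNS_Servers and policy_1, the domain Sales, the max-users value and the user account are all assumed values chosen for illustration. The trustpoint name and the AAA list sdm_vpn_xauth_ml_1 are the ones shown in the Results section.

```cisco
! --- Step 1: one WebVPN gateway bound to one router IP (address assumed).
! --- The ssl trustpoint must name the router's existing self-signed
! --- trustpoint; renaming the host or domain regenerates it (see the notes).
webvpn gateway gateway_1
 ip address 192.168.0.37 port 443
 http-redirect port 80
 ssl trustpoint ausnml-3825-01_Certificate
 inservice
!
webvpn context webvpn
 ssl authenticate verify all
 !
 ! --- Step 2: resources. URL entries and the OWA path are assumed values;
 ! --- SDM's "E-mail" entry for OWA is expressed here as a url-text entry.
 url-list "ausnml"
   heading "Corporate Links"
   url-text "Intranet" url-value "http://10.1.1.10"
   url-text "OWA" url-value "https://10.1.1.20/exchange"
 !
 ! --- NBNS server used for CIFS share browsing (address assumed).
 nbns-list "NBNS_Servers"
   nbns-server 10.1.1.1 master
 !
 ! --- Step 3: group policy selecting the resources; the three
 ! --- functions lines correspond to the Enable CIFS, Read and Write boxes.
 policy group policy_1
   url-list "ausnml"
   nbns-list "NBNS_Servers"
   functions file-access
   functions file-browse
   functions file-entry
   citrix enabled
 !
 ! --- Step 4: context wiring. With "domain Sales" users connect to
 ! --- https://192.168.0.37/Sales; max-users is bounded by the device license.
 default-group-policy policy_1
 aaa authentication list sdm_vpn_xauth_ml_1
 gateway gateway_1 domain Sales
 max-users 2
 inservice
!
! --- Step 5: local user database (account name and password are placeholders).
username sslvpnuser secret <password>
```

Two points worth checking after applying this: show webvpn gateway and show webvpn context should both report the state as up, and the trustpoint named under the gateway should match show crypto pki trustpoints exactly, since a mismatch is the outage described in the notes above.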
Results
The SDM creates these command-line configurations:
ausnml-3825-01
Building configuration...
Current configuration : 4190 bytes
!
!
! Last configuration change at 17:22:23 UTC Wed Jul 26 2006 by ausnml
!
! NVRAM config last updated at 17:22:31 UTC Wed Jul 26 2006 by ausnml
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ausnml-3825-01
!
boot-start-marker
boot system flash c3825-adventerprisek9-mz.124-9.T.bin
boot-end-marker
!
no logging buffered
enable secret 5 $1$KbIu$5o8qKYAVpWvyv9rYbrJLi/
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip cef
!
ip domain name
!
voice-card 0
 no dspfarm
!
!
!--- Self-Signed Certificate Information
crypto pki trustpoint ausnml-3825-01_Certificate
 enrollment selfsigned