
Configuring Cisco SSL VPN with SDM

Introduction

Clientless SSL VPN (WebVPN) allows a user to securely access resources on the corporate LAN from anywhere with an SSL-enabled Web browser. The user first authenticates with a WebVPN gateway, which then allows the user access to pre-configured network resources. WebVPN gateways can be configured on Cisco IOS routers, Cisco Adaptive Security Appliances (ASA), Cisco VPN 3000 Concentrators, and the Cisco WebVPN Services Module for the Catalyst 6500 and 7600 Routers.

Secure Socket Layer (SSL) Virtual Private Network (VPN) technology can be configured on Cisco devices in three main modes: Clientless SSL VPN (WebVPN), Thin-Client SSL VPN (Port Forwarding), and SSL VPN Client (SVC) mode. This document demonstrates the configuration of the WebVPN on Cisco IOS routers.

Note: Do not change either the IP domain name or the host name of the router, as this will trigger a regeneration of the self-signed certificate and will override the configured trustpoint. Regeneration of the self-signed certificate causes connection issues if the router has been configured for WebVPN. WebVPN ties the SSL trustpoint name to the WebVPN gateway configuration. Therefore, if a new self-signed certificate is issued, the new trustpoint name does not match the WebVPN configuration and users are unable to connect.

Note: If you run the ip https-secure server command on a WebVPN router that uses a persistent self-signed certificate, a new RSA key is generated and the certificate becomes invalid. A new trustpoint is created, which breaks SSL WebVPN. If the router that uses the persistent self-signed certificate reboots after you run the ip https-secure server command, the same issue occurs.

Refer to Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM in order to learn more about the thin-client SSL VPN. Refer to SSL VPN Client (SVC) on IOS with SDM Configuration Example in order to learn more about the SSL VPN Client.

SSL VPN runs on these Cisco Router platforms:

- Cisco 870, 1811, 1841, 2801, 2811, 2821 and 2851 series routers
- Cisco 3725, 3745, 3825, 3845, 7200 and 7301 series routers

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

- An advanced image of Cisco IOS Software Release 12.4(6)T or later
- One of the Cisco router platforms listed in the Introduction

Components Used

The information in this document is based on these software and hardware versions:

- Cisco 3825 router
- Advanced Enterprise software image - Cisco IOS Software Release 12.4(9)T
- Cisco Router and Security Device Manager (SDM) - version 2.3.1

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. The IP addresses used in this example are taken from RFC 1918 addresses, which are private and not legal to use on the Internet.

Network Diagram

This document uses this network setup:

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Preconfiguration Tasks

Before you begin, complete these tasks:

1. Configure a host name and domain name.
2. Configure the router for SDM. Cisco ships some routers with a preinstalled copy of SDM. If the Cisco SDM is not already loaded on your router, you can obtain a free copy of the software from Software Download (registered customers only). You must have a CCO account with a service contract. For detailed information on the installation and configuration of SDM, refer to Cisco Router and Security Device Manager.
3. Configure the correct date, time, and time zone for your router.

Configure WebVPN on Cisco IOS

You can have more than one WebVPN gateway associated with a device. Each WebVPN gateway is linked to only one IP address on the router. You can create more than one WebVPN context for a particular WebVPN gateway. To identify individual contexts, provide each context with a unique name. One policy group can be associated with only one WebVPN context. The policy group describes which resources are available in a particular WebVPN context.

Complete these steps in order to configure WebVPN on Cisco IOS:

1. Configure the WebVPN Gateway
2. Configure the Resources Allowed for the Policy Group
3. Configure the WebVPN Policy Group and Select the Resources
4. Configure the WebVPN Context
5. Configure the User Database and Authentication Method

Step 1. Configure the WebVPN Gateway

Complete these steps in order to configure the WebVPN Gateway:

1. Within the SDM application, click Configure, and then click VPN.
2. Expand WebVPN, and choose WebVPN Gateways.
3. Click Add. The Add WebVPN Gateway dialog box appears.
4. Enter values in the Gateway Name and IP Address fields, and then check the Enable Gateway check box.
5. Check the Redirect HTTP Traffic check box, and then click OK.
6. Click Save, and then click Yes to accept the changes.

Step 2. Configure the Resources Allowed for the Policy Group

In order to make it easier to add resources to a policy group, you can configure the resources before you create the policy group.

Complete these steps in order to configure the resources allowed for the policy group:

1. Click Configure, and then click VPN.
2. Choose WebVPN, and then click the Edit WebVPN tab.
   Note: WebVPN allows you to configure access for HTTP, HTTPS, Windows file browsing through the Common Internet File System (CIFS) protocol, and Citrix.
3. Click Add. The Add WebVPN Context dialog box appears.
4. Expand WebVPN Context, and choose URL Lists.
5. Click Add. The Add URL List dialog box appears.
6. Enter values in the URL List Name and Heading fields.
7. Click Add, and choose Website. This list contains all the HTTP and HTTPS Web servers that you want to be available for this WebVPN connection.
8. In order to add access for Outlook Web Access (OWA), click Add, choose E-mail, and then click OK after you have filled in all the desired fields.
9. In order to allow Windows file browsing through CIFS, you can designate a NetBIOS Name Service (NBNS) server and configure the appropriate shares in the Windows domain. From the WebVPN Context list, choose NetBIOS Name Server Lists.
10. Click Add. The Add NBNS Server List dialog box appears.
11. Enter a name for the list, and click Add. The NBNS Server dialog box appears.
12. If applicable, check the Make This the Master Server check box.
13. Click OK, and then click OK.

Step 3. Configure the WebVPN Policy Group and Select the Resources

Complete these steps in order to configure the WebVPN policy group and select the resources:

1. Click Configure, and then click VPN.
2. Expand WebVPN, and choose WebVPN Context.
3. Choose Group Policies, and click Add. The Add Group Policy dialog box appears.
4. Enter a name for the new policy, and check the Make this the default group policy for context check box.
5. Click the Clientless tab located at the top of the dialog box.
6. Check the Select check box for the desired URL List.
7. If your customers use Citrix clients that need access to Citrix servers, check the Enable Citrix check box.
8. Check the Enable CIFS, Read, and Write check boxes.
9. Click the NBNS Server List drop-down arrow, and choose the NBNS server list that you created for Windows file browsing in Step 2.
10. Click OK.

Step 4. Configure the WebVPN Context

In order to link the WebVPN gateway, group policy, and resources together, you must configure the WebVPN context. In order to configure the WebVPN context, complete these steps:

1. Choose WebVPN Context, and enter a name for the context.
2. Click the Associated Gateway drop-down arrow, and choose an associated gateway.
3. If you intend to create more than one context, enter a unique name in the Domain field to identify this context. If you leave the Domain field blank, users must access the WebVPN with https://IPAddress. If you enter a domain name (for example, Sales), users must connect with https://IPAddress/Sales.
4. Check the Enable Context check box.
5. In the Maximum Number of Users field, enter the maximum number of users allowed by the device license.
6. Click the Default Group policy drop-down arrow, and select the group policy to associate with this context.
7. Click OK, and then click OK.

Step 5. Configure the User Database and Authentication Method

You can configure Clientless SSL VPN (WebVPN) sessions to authenticate with RADIUS, the Cisco AAA Server, or a local database. This example uses a local database.

Complete these steps in order to configure the user database and authentication method:

1. Click Configuration, and then click Additional Tasks.
2. Expand Router Access, and choose User Accounts/View.
3. Click the Add button. The Add an Account dialog box appears.
4. Enter a user account and a password.
5. Click OK, and then click OK.
6. Click Save, and then click Yes to accept the changes.

Results

The ASDM creates these command-line configurations:

ausnml-3825-01

Building configuration.
Current configuration : 4190 bytes
! Last configuration change at 17:22:23 UTC Wed Jul 26 2006 by ausnml
! NVRAM config last updated at 17:22:31 UTC Wed Jul 26 2006 by ausnml
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ausnml-3825-01
!
boot-start-marker
boot system flash c3825-adventerprisek9-mz.124-9.T.bin
boot-end-marker
!
no logging buffered
enable secret 5 $1$KbIu$5o8qKYAVpWvyv9rYbrJLi/
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip cef
!
ip domain name
!
voice-card 0
 no dspfarm
!
!- Self-Signed Certificate Information
crypto pki trustpoint ausnml-3825-01_Certificate
 enrollment selfs
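
The trustpoint note in the Introduction and the gateway, context and policy-group links described under "Configure WebVPN on Cisco IOS" can be checked offline against a saved running configuration. The script below is an added example, not part of the original document or of any Cisco tool. The sample configuration is constructed, and the `webvpn gateway`, `webvpn context`, `ssl trustpoint`, `policy group` and `default-group-policy` stanzas are assumed IOS CLI syntax, since the page's configuration excerpt ends before those sections.

```python
import re

# Constructed sample (not from the original page): the gateway still names a
# trustpoint that is no longer defined, and the context's default policy is missing.
SAMPLE = """\
crypto pki trustpoint TP-self-signed-0000000001
 enrollment selfsigned
!
webvpn gateway gateway_1
 ip address 192.168.0.37 port 443
 ssl trustpoint ausnml-3825-01_Certificate
 inservice
!
webvpn context Sales
 gateway gateway_1 domain Sales
 policy group policy_1
   url-list "intranet"
 default-group-policy policy_2
"""

TOP = re.compile(r"(crypto pki trustpoint|webvpn gateway|webvpn context) (\S+)")
SUB = re.compile(r"\s+(ssl trustpoint|gateway|policy group|default-group-policy) (\S+)")

def audit_webvpn(config):
    """Return dangling trustpoint, gateway and policy references as strings."""
    defined = {"crypto pki trustpoint": {}, "webvpn gateway": {}, "webvpn context": {}}
    block = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue  # blank lines and "!" separators carry no settings
        if not raw[0].isspace():  # a top-level command closes the previous block
            m = TOP.match(raw)
            block = defined[m.group(1)].setdefault(m.group(2), {}) if m else None
        elif block is not None and (m := SUB.match(raw)):
            block.setdefault(m.group(1), []).append(m.group(2))
    trustpoints, gateways, contexts = defined.values()
    findings = []
    for name, gw in gateways.items():
        for tp in gw.get("ssl trustpoint", []):
            if tp not in trustpoints:
                findings.append(f"gateway {name}: trustpoint {tp} is not defined")
    for name, ctx in contexts.items():
        for gw in ctx.get("gateway", []):
            if gw not in gateways:
                findings.append(f"context {name}: gateway {gw} is not defined")
        for pol in ctx.get("default-group-policy", []):
            if pol not in ctx.get("policy group", []):
                findings.append(f"context {name}: default policy {pol} is not defined")
    return findings
```

Running `audit_webvpn` on a configuration saved before and after a host name or domain name change shows whether the gateway's trustpoint reference survived the change.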
