通过sdm配置cisco ssl vpn.docx

通过sdm配置cisco ssl vpn.docx

《通过sdm配置cisco ssl vpn.docx》由会员分享，可在线阅读，更多相关《通过sdm配置cisco ssl vpn.docx（34页珍藏版）》请在冰豆网上搜索。

通过sdm配置ciscosslvpn

Introduction

ClientlessSSLVPN（WebVPN）allowsausertosecurelyaccessresourcesonthecorporateLANfromanywherewithanSSL-enabledWebbrowser.TheuserfirstauthenticateswithaWebVPNgatewaywhichthenallowstheuseraccesstopre-configurednetworkresources.WebVPNgatewayscanbeconfiguredonCiscoIOS®routers,CiscoAdaptiveSecurityAppliances（ASA）,CiscoVPN3000Concentrators,andtheCiscoWebVPNServicesModulefortheCatalyst6500and7600Routers.

SecureSocketLayer（SSL）VirtualPrivateNetwork（VPN）technologycanbeconfiguredonCiscodevicesinthreemainmodes:

ClientlessSSLVPN（WebVPN）,Thin-ClientSSLVPN（PortForwarding）,andSSLVPNClient（SVC）mode.ThisdocumentdemonstratestheconfigurationoftheWebVPNonCiscoIOSrouters.

Note:

 DonottochangeeithertheIPdomainnameorthehostnameoftherouterasthiswilltriggeraregenerationoftheself-signedcertificateandwilloverridetheconfiguredtrustpoint.Regenerationoftheself-signedcertificatecausesconnectionissuesiftherouterhasbeenconfiguredforWebVPN.WebVPNtiestheSSLtrustpointnametotheWebVPNgatewayconfiguration.Therefore,ifanewself-signedcertificateisissued,thenewtrustpointnamedoesnotmatchtheWebVPNconfigurationandusersareunabletoconnect.

Note:

 Ifyouruntheiphttps-secureservercommandonaWebVPNrouterthatusesapersistentself-signedcertificate,anewRSAkeyisgeneratedandthecertificatebecomesinvalid.Anewtrustpointiscreated,whichbreaksSSLWebVPN.Iftherouterthatusesthepersistentself-signedcertificaterebootsafteryouruntheiphttps-secureservercommand,thesameissueoccurs.

RefertoThin-ClientSSLVPN（WebVPN）IOSConfigurationExamplewithSDMinordertolearnmoreaboutthethin-clientSSLVPN.

RefertoSSLVPNClient（SVC）onIOSwithSDMConfigurationExampleinordertolearnmoreabouttheSSLVPNClient.

SSLVPNrunsontheseCiscoRouterplatforms:

Cisco870,1811,1841,2801,2811,2821and2851seriesrouters

Cisco3725,3745,3825,3845,7200and7301seriesrouters

Prerequisites

Requirements

Ensurethatyoumeettheserequirementsbeforeyouattemptthisconfiguration:

AnadvancedimageofCiscoIOSSoftwareRelease12.4（6）Torlater

OneoftheCiscorouterplatformslistedintheIntroduction

ComponentsUsed

Theinformationinthisdocumentisbasedonthesesoftwareandhardwareversions:

Cisco3825router

AdvancedEnterprisesoftwareimage-CiscoIOSSoftwareRelease12.4（9）T

CiscoRouterandSecurityDeviceManager（SDM）-version2.3.1

Theinformationinthisdocumentwascreatedfromthedevicesinaspecificlabenvironment.Allofthedevicesusedinthisdocumentstartedwithacleared（default）configuration.Ifyournetworkislive,makesurethatyouunderstandthepotentialimpactofanycommand.TheIPaddressesusedinthisexamplearetakenfromRFC1918addresseswhichareprivateandnotlegaltouseontheInternet.

NetworkDiagram

Thisdocumentusesthisnetworksetup:

Conventions

RefertotheCiscoTechnicalTipsConventionsformoreinformationondocumentconventions.

PreconfigurationTasks

Beforeyoubegin,completethesetasks:

Configureahostnameanddomainname.

ConfiguretherouterforSDM.CiscoshipssomerouterswithapreinstalledcopyofSDM.

IftheCiscoSDMisnotalreadyloadedonyourrouter,youcanobtainafreecopyofthesoftwarefromSoftwareDownload（registeredcustomersonly）.YoumusthaveaCCOaccountwithaservicecontract.FordetailedinformationontheinstallationandconfigurationofSDM,refertoCiscoRouterandSecurityDeviceManager.

Configurethecorrectdate,time,andtimezoneforyourrouter.

ConfigureWebVPNonCiscoIOS

YoucanhavemorethanoneWebVPNgatewayassociatedwithadevice.EachWebVPNgatewayislinkedtoonlyoneIPaddressontherouter.YoucancreatemorethanoneWebVPNcontextforaparticularWebVPNgateway.Toidentifyindividualcontexts,provideeachcontextwithauniquename.OnepolicygroupcanbeassociatedwithonlyoneWebVPNcontext.ThepolicygroupdescribeswhichresourcesareavailableinaparticularWebVPNcontext.

CompletethesestepsinordertoconfigureWebVPNonCiscoIOS:

ConfiguretheWebVPNGateway

ConfiguretheResourcesAllowedforthePolicyGroup

ConfiguretheWebVPNPolicyGroupandSelecttheResources

ConfiguretheWebVPNContext

ConfiguretheUserDatabaseandAuthenticationMethod

Step1.ConfiguretheWebVPNGateway

CompletethesestepsinordertoconfiguretheWebVPNGateway:

WithintheSDMapplication,clickConfigure,andthenclickVPN.

ExpandWebVPN,andchooseWebVPNGateways.

ClickAdd.

TheAddWebVPNGatewaydialogboxappears.

EntervaluesintheGatewayNameandIPAddressfields,andthenchecktheEnableGatewaycheckbox.

ChecktheRedirectHTTPTrafficcheckbox,andthenclickOK.

ClickSave,andthenclickYestoacceptthechanges.

Step2.ConfiguretheResourcesAllowedforthePolicyGroup

Inordertomakeiteasiertoaddresourcestoapolicygroup,youcanconfiguretheresourcesbeforeyoucreatethepolicygroup.

Completethesestepsinordertoconfiguretheresourcesallowedforthepolicygroup:

ClickConfigure,andthenclickVPN.

ChooseWebVPN,andthenclicktheEditWebVPNtab.

Note:

 WebVPNallowsyoutoconfigureaccessforHTTP,HTTPS,WindowsfilebrowsingthroughtheCommonInternetFileSystem（CIFS）protocol,andCitrix.

ClickAdd.

TheAddWebVPNContextdialogboxappears.

ExpandWebVPNContext,andchooseURLLists.

ClickAdd.

TheAddURLListdialogboxappears.

EntervaluesintheURLListNameandHeadingfields.

ClickAdd,andchooseWebsite.

ThislistcontainsalltheHTTPandHTTPSWebserversthatyouwanttobeavailableforthisWebVPNconnection.

InordertoaddaccessforOutlookWebAccess（OWA）,clickAdd,chooseE-mail,andthenclickOKafteryouhavefilledinallthedesiredfields.

InordertoallowWindowsfilebrowsingthroughCIFS,youcandesignateanNetBIOSNameService（NBNS）serverandconfiguretheappropriatesharesintheWindowsdomaininorder.

FromtheWebVPNContextlist,chooseNetBIOSNameServerLists.

ClickAdd.

TheAddNBNSServerListdialogboxappears.

Enteranameforthelist,andclickAdd.

TheNBNSServerdialogboxappears.

Ifapplicable,checktheMakeThistheMasterServercheckbox.

ClickOK,andthenclickOK.

Step3.ConfiguretheWebVPNPolicyGroupandSelecttheResources

CompletethesestepsinordertoconfiguretheWebVPNpolicygroupandselecttheresources:

ClickConfigure,andthenclickVPN.

ExpandWebVPN,andchooseWebVPNContext.

ChooseGroupPolicies,andclickAdd.

TheAddGroupPolicydialogboxappears.

Enteranameforthenewpolicy,andchecktheMakethisthedefaultgrouppolicyforcontextcheckbox.

ClicktheClientlesstablocatedatthetopofthedialogbox.

ChecktheSelectcheckboxforthedesiredURLList.

IfyourcustomersuseCitrixclientsthatneedaccesstoCitrixservers,checktheEnableCitrixcheckbox.

ChecktheEnableCIFS,Read,andWritecheckboxes.

ClicktheNBNSServerListdrop-downarrow,andchoosetheNBNSserverlistthatyoucreatedforWindowsfilebrowsinginStep2.

ClickOK.

Step4.ConfiguretheWebVPNContext

InordertolinktheWebVPNgateway,grouppolicy,andresourcestogether,youmustconfiguretheWebVPNcontext.InordertoconfiguretheWebVPNcontext,completethesesteps:

ChooseWebVPNContext,andenteranameforthecontext.

ClicktheAssociatedGatewaydrop-downarrow,andchooseanassociatedgateway.

Ifyouintendtocreatemorethanonecontext,enterauniquenameintheDomainfieldtoidentifythiscontext.IfyouleavetheDomainfieldblank,usersmustaccesstheWebVPNwithhttps:

//IPAddress.Ifyouenteradomainname（forexample,Sales）,usersmustconnectwithhttps:

//IPAddress/Sales.

ChecktheEnableContextcheckbox.

IntheMaximumNumberofUsersfield,enterthemaximumnumberofusersallowedbythedevicelicense.

ClicktheDefaultGrouppolicydrop-downarrow,andselectthegrouppolicytoassociatewiththiscontext.

ClickOK,andthenclickOK.

Step5.ConfiguretheUserDatabaseandAuthenticationMethod

YoucanconfigureClientlessSSLVPN（WebVPN）sessionstoauthenticatewithRadius,theCiscoAAAServer,oralocaldatabase.Thisexampleusesalocaldatabase.

Completethesestepsinordertoconfiguretheuserdatabaseandauthenticationmethod:

ClickConfiguration,andthenclickAdditionalTasks.

ExpandRouterAccess,andchooseUserAccounts/View.

ClicktheAddbutton.

TheAddanAccountdialogboxappears.

Enterauseraccountandapassword.

ClickOK,andthenclickOK.

ClickSave,andthenclickYestoacceptthechanges.

Results

TheASDMcreatesthesecommand-lineconfigurations:

ausnml-3825-01

Buildingconfiguration...

Currentconfiguration:

4190bytes

!

!

Lastconfigurationchangeat17:

22:

23UTCWedJul262006byausnml

!

NVRAMconfiglastupdatedat17:

22:

31UTCWedJul262006byausnml

!

version12.4

servicetimestampsdebugdatetimemsec

servicetimestampslogdatetimemsec

servicepassword-encryption

!

hostnameausnml-3825-01

!

boot-start-marker

bootsystemflashc3825-adventerprisek9-mz.124-9.T.bin

boot-end-marker

!

nologgingbuffered

enablesecret5$1$KbIu$5o8qKYAVpWvyv9rYbrJLi/

!

aaanew-model

!

aaaauthenticationlogindefaultlocal

aaaauthenticationloginsdm_vpn_xauth_ml_1local

aaaauthorizationexecdefaultlocal

!

aaasession-idcommon

!

resourcepolicy

!

ipcef

!

ipdomainname

!

voice-card0

nodspfarm

!

!

---Self-SignedCertificateInformation

cryptopkitrustpointausnml-3825-01_Certificate

enrollmentselfs