Configuring Clientless SSL VPN (WebVPN) on Cisco IOS Routers
A Tekcert member recently posted a question in the forums regarding IOS Clientless SSL VPN, a.k.a WebVPN. This prompted me to test the functionality in a lab environment and post my findings. To make it easier to find, I decided to make it a full-blown blog post. So, here we go...
The first step I took was to get a router with 12.4T code running on a LAN with a desktop connected to it. The following configuration is broken into chunks to help break down the process.
Configure basic settings on the router, including hostname, domain, usernames, etc. (not all of this is required for WebVPN to work, but it is what I had on my router so you're getting it all):
service timestamps debug datetime msec service timestamps log datetime msec service password-encryption hostname R1 boot-start-marker boot-end-marker enable secret 5 $1$AAgP$EGtD.sBs/zDbFhMkfBUSR. aaa new-model aaa session-id common ip source-route ip cef username tekcert privilege 15 password cisco interface GigabitEthernet2/0 ip address 192.168.146.2 255.255.255.0 negotiation auto ip domain-name tekcert.com ip http server ip http authentication local ip http secure-server
A key point to make here is that enabling http secure-server (https) forces the router to create a self-signed certificate if it hasn't already done so. If you have a Certificate Authority (CA) server or have purchased a cert from one of the dozens of providers on the net, you can upload the cert to the router and use that instead of a self-signed cert. Since this is a lab, I went ahead and used the self-signed cert.
Now comes the specific WebVPN configuration:
webvpn gateway TekcertSSLVPNGW1 hostname R1 ip address 192.168.146.2 port 443 http-redirect port 80 ssl trustpoint TP-self-signed-cert inservice ! webvpn context Context1 ssl authenticate verify all ! url-list "InternalWebServers" heading "TekcertSSLVPNGW1" url-text "Tekcert Blogs" url-value "http://tekcert.com" url-text "Tekcert Forums" url-value "http://tekcert.com/forum" ! nbns-list NBNSServers nbns-server 192.168.146.1 ! policy group policy_1 url-list "InternalWebServers" nbns-list "NBNSServers" functions file-access functions file-browse functions file-entry hide-url-bar citrix enabled default-group-policy policy_1 gateway TekcertSSLVPNGW1 max-users 2 inservice
Once this is configured, you can test it by opening a browser and going to the IP address configured in the gateway. The following two pictures show the pre-login page and the post-login page.
You can also check webvpn status with a few commands. Here are some examples:
R1#show webvpn gateway Gateway Name Admin Operation ------------ ----- --------- TekcertSSLVPNGW1 up up R1# R1#show webvpn session context all WebVPN context name: Context1 Client_Login_Name Client_IP_Address No_of_Connections Created Last_Used tekcert 192.168.146.1 2 00:17:17 00:17:10 R1# R1#show webvpn stat User session statistics: Active user sessions : 1 AAA pending reqs : 0 Peak user sessions : 1 Peak time : 01:21:15 Active user TCP conns : 1 Terminated user sessions : 1 Session alloc failures : 0 Authentication failures : 0 VPN session timeout : 0 VPN idle timeout : 0 User cleared VPN sessions: 0 Exceeded ctx user limit : 0 Exceeded total user limit: 0 Client process rcvd pkts : 84 Server process rcvd pkts : 0 Client process sent pkts : 736 Server process sent pkts : 0 Client CEF received pkts : 96 Server CEF received pkts : 0 Client CEF rcv punt pkts : 0 Server CEF rcv punt pkts : 0 Client CEF sent pkts : 0 Server CEF sent pkts : 0 Client CEF sent punt pkts: 0 Server CEF sent punt pkts: 0 SSLVPN appl bufs inuse : 0 SSLVPN eng bufs inuse : 0 Active server TCP conns : 0
For additional information on configuring SSL VPNs, check out this doc at Cisco.com.
If you have any questions, feel free to ask by posting a comment below or posting it in the forums. Hope this helps!