Configuration Example, Security
Configure IOS SSL VPN on IOS router
Yesterday I blogged about configuring a VPN client on an IOS router and today I blogged about importing PKCS12 certificates for WebVPN purposes. This follow up blog is about configuring the WebVPN functionality together with the AnyConnect client and port forwarding on an IOS router. I use the same setup as with the VPN client and also configured split-tunneling for the AnyConnect connection.
The Cisco IOS SSL VPN feature supports multiple options, like:
- Clientless: usage of a web portal;
- Thin client: usage of a web portal with port forwarding feature;
- Full client: usage of the Cisco AnyConnect client;
This example shows you how to configure all options listed above. The fist step involves configuring the authentication method with an AAA method.
aaa new-model
aaa authentication login sslvpn local
username rene privilege 15 secret 5 $1$FkgJ$u3uU0rstyeaBXswW0EIX55
The authentication method is called sslvpn and uses the local database on the router for authenticating users. Next you have to configure the basic IP and port information for connecting to the SSL VPN feature of the router. I use the public IP address of the router and configured the WebVPN on port TCP/4400. I use the SSL trustpoint from my previous blog post.
webvpn gateway gateway_1
ip address 83.137.194.62 port 4400
ssl trustpoint trustpoint_www
inservice
To use the full client feature, you have to upload an AnyConnect client to the routers flash. You can upload multiple AnyConnect clients for different operating systems. I just upload a client for Windows.
webvpn install svc flash:/webvpn/svc.pkg sequence 1
Next you have to configure a “webvpn context”. Within the webvpn context you define multiple VPN parameters. The webvpn context contains configuration parameters to access an URL through the web portal, define the port forwarding features or apply a policy group to the webvpn context. Below you see an example configuration of a webvpn context.
webvpn context home
title “Booches Portal”
ssl authenticate verify all
!
url-list “WebServers”
heading “WebServers”
url-text “Inside webserver” url-value “http://192.168.1.10”
!
login-message “Booches”
!
port-forward “Port Forwarding”
local-port 444 remote-server “192.168.1.150” remote-port 5001 description “NAS TCP/5001 (Management)”
local-port 443 remote-server “192.168.1.150” remote-port 443 description “NAS TCP/443 (Photo,File System)”
local-port 222 remote-server “192.168.1.200” remote-port 22 description “Ubuntu TCP/22 (Management)”
!
policy group policy1
url-list “WebServers”
port-forward “Port Forwarding”
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
hide-url-bar
svc address-pool “sslvpn”
svc keep-client-installed
svc split include 192.168.1.0 255.255.255.0
You can configure multiple webvpn contexts with different authentication methods, url-list or port forwarding parameters. Next you see some screenshots from the WebVPN. To access the WebVPN feature the user has to browse to https://83.137.194.62:4400/home, because I configured gateway gateway_1 domain home (full config at the end). The web portal login page is displayed below.
After logging in you will get to the web portal menu, where you can choose between the multiple client options.
The Bookmarks section list the URL list to access internal websites. The Tunnel Connection (SVC) option starts the Cisco AnyConnect client. If the AnyConnect client isn’t yet installed on the remote client, it will be pushed by the router. The Thin Client Application starts the port forwarding feature.
All the relevant configuration from the example above can be found below.
aaa new-model
aaa authentication login sslvpn local
username rene privilege 15 secret 5 $1$FkgJ$u3uU0rstyeaBXswW0EIX55
!
ip local pool sslvpn 10.10.1.1 10.10.1.254
!
webvpn gateway gateway_1
ip address 83.137.194.62 port 4400
ssl trustpoint trustpoint_www
inservice
!
webvpn install svc flash:/webvpn/svc.pkg sequence 1
!
webvpn context home
title “Booches Portal”
ssl authenticate verify all
!
url-list “WebServers”
heading “WebServers”
url-text “Inside webserver” url-value “http://192.168.1.10”
!
login-message “Booches”
!
port-forward “Port Forwarding”
local-port 444 remote-server “192.168.1.150” remote-port 5001 description “NAS TCP/5001 (Management)”
local-port 443 remote-server “192.168.1.150” remote-port 443 description “NAS TCP/443 (Photo,File System)”
local-port 222 remote-server “192.168.1.200” remote-port 22 description “Ubuntu TCP/22 (Management)”
!
policy group policy1
url-list “WebServers”
port-forward “Port Forwarding”
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
hide-url-bar
svc address-pool “sslvpn”
svc keep-client-installed
svc split include 192.168.1.0 255.255.255.0
default-group-policy policy1
aaa authentication list sslvpn
gateway gateway_1 domain home
max-users 2
inservice
I like for SMB solutions the IOS SSL VPN feature, because it is powerful and works over SSL, but it is also flexible and can almost publish every service.
René Jorissen
Latest posts by René Jorissen (see all)
- MacOS Big Sur and SSLKEYFILELOG - November 23, 2021
- ClearPass, Azure AD, SSO and Object ID - August 12, 2021
- ClearPass – custom MPSK - July 20, 2021
Nice article, but that wouldn’t appear to make use of my router ip address, any ideas?
Hello, is there a way to have a Cisco IOS router be the Anyconnect client so I can make the router connects and the host in the router’s LAN are on the vpn?
Hey Nick,
This is not an option. You can use the router as Easy VPN client. This is another way of VPN configuration. The router would be a remote access client, which connects to a Easy VPN server. The Easy VPN server could be another Cisco router or a Cisco ASA firewall. There is tons of information about the configuration of Easy VPN on the internet. I hope this works for you.
René
Hello, I found cisco router on this web site http://hardware.nl/cisco and i bought it but now i have one unsolved task: the SSL VPN client can’t connect to the router. Is anybody can help me?