
Configuration Tasks
1. Enable and configure AAA.
2. Generate an RSA keypair and configure a trustpoint.
3. Configure the SSL VPN IP pool.
4. Set up the SSL VPN gateway.
5. Upload and install the AnyConnect VPN software (SVC) on the router.
6. Set up the SSL VPN context and configure the group policy.
1. Configuring AAA for SSL VPN authentication
Enable AAA on the router for client authentication. VPN users must be authenticated against either the local user database or an authentication server such as RADIUS or TACACS+; this example uses the local database. Be aware that 'aaa new-model' takes effect immediately and also governs console and VTY logins (with no 'default' login list defined, the lines fall back to the local database), so create at least one local user before you enable it or you can lock yourself out of the router.
CORPORATE(config)#aaa new-model
CORPORATE(config)#aaa authentication login SSL_AUTHEN local
Create the usernames and passwords in the local database:
CORPORATE(config)#username administrator privilege 15 password mypassword
CORPORATE(config)#username tony password cisco123
Outside a lab, prefer 'username ... secret' over 'username ... password': 'password' stores the string in the clear, or as the trivially reversible type 7 encoding if 'service password-encryption' is on, whereas 'secret' stores a salted hash (the LAB configuration at the end of this page uses 'secret').
2. Generating the RSA keypair and configuring the trustpoint
Create an RSA keypair with the 'crypto key generate rsa' command. Before that, make sure the router has a hostname and a domain name configured. The label lets the trustpoint reference this specific keypair, and the key is generated as non-exportable, so the private key cannot be copied off the router.
CORPORATE(config)#crypto key generate rsa general-keys label RSA-KEY mod 4096
The name for the keys will be: RSA-KEY
% The key modulus size is 4096 bits
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 71 seconds)
Configuring the trustpoint: Next, declare the trustpoint the router will use for its SSL VPN certificate. Enter the following in global configuration mode.
CORPORATE(config)#crypto pki trustpoint MY-TRUSTPOINT
CORPORATE(ca-trustpoint)#enrollment selfsigned
CORPORATE(ca-trustpoint)#subject-name CN=my-certificate
CORPORATE(ca-trustpoint)#rsakeypair RSA-KEY
CORPORATE(ca-trustpoint)#exit
Enrolling the certificate: The next step is to enroll, that is, generate, the self-signed certificate for the trustpoint. If a certificate already exists for it, you can keep it or overwrite it by answering yes. Two caveats: answering yes to the serial-number prompt embeds the chassis serial number in the certificate subject, where every client that connects can read it, so answer no unless you need it; and because the certificate is self-signed, AnyConnect will warn that the server is untrusted, so users need the certificate fingerprint from 'show crypto pki certificates verbose' to verify it, or you should enroll with a CA the clients already trust.
CORPORATE(config)#crypto pki enroll MY-TRUSTPOINT
% Include the router serial number in the subject name? [yes/no]: y
% Include an IP address in the subject name? [no]: n
Generate Self Signed Router Certificate? [yes/no]: y
Router Self Signed Certificate successfully created
3. Configuring the SSL VPN IP address pool
Define the pool of addresses that will be assigned to connected AnyConnect clients:
CORPORATE(config)#ip local pool SSL-POOL 172.17.0.114 172.17.0.122
4. Setting up the SSL VPN gateway
The WebVPN gateway terminates the SSL/TLS connection from the user. The basic configuration requires an IP address on the same subnet as one of the public-facing interfaces; this can be the address of that interface itself or another address in its subnet. Alternatively, you can define a loopback interface and use an address in its subnet, as long as that address is reachable from the public network.
CORPORATE(config)#webvpn gateway SSLVPNGW
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR
LICENSE KEY PROVIDED FOR ANY CISCO PRODUCT FEATURE OR USING SUCH
PRODUCT FEATURE CONSTITUTES YOUR FULL ACCEPTANCE OF THE FOLLOWING
TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO BE BOUND
BY ALL THE TERMS SET FORTH HEREIN.
......................................................................................................................................
...................................................................
Activation of the software command line interface will be evidence of
your acceptance of this agreement.
ACCEPT? [yes/no]: yes
CORPORATE(config-webvpn-gateway)#ip address 172.17.0.5 port 443
CORPORATE(config-webvpn-gateway)#ssl trustpoint MY-TRUSTPOINT
CORPORATE(config-webvpn-gateway)#inservice
CORPORATE(config-webvpn-gateway)#exit
5. Uploading and installing the AnyConnect VPN software (SVC) on the router
Now upload the Cisco AnyConnect client package to the router's flash memory, for example from a TFTP server. This example uploads 'anyconnect-win-3.1.00495-k9.pkg'. Note that 'copy' is an EXEC command: run it from privileged EXEC, or prefix it with 'do' from configuration mode. TFTP provides neither authentication nor integrity, and this package is executed by every connecting client, so after the copy compare its hash with the value published on the Cisco download page, for example with 'verify /md5 flash:anyconnect-win-3.1.00495-k9.pkg'.
CORPORATE(config)#copy tftp flash:
Address or name of remote host []? 172.17.0.84
Source filename []? anyconnect-win-3.1.00495-k9.pkg
Destination filename [anyconnect-win-3.1.00495-k9.pkg]?
Accessing tftp://172.17.0.84/anyconnect-win-3.1.00495-k9.pkg...
Loading anyconnect-win-3.1.00495-k9.pkg from 172.17.0.84 (via GigabitEthernet0/0): !!!!!!!!!!!!!!!!!!!!!
[OK - 29806775 bytes]
29806775 bytes copied in 50.70 secs (587858 bytes/sec)
Verify the upload with 'show flash:' (an EXEC command; from configuration mode use 'do show flash:').
Installing the SVC (AnyConnect) package: register the package with the SSL VPN feature by entering the following command in global configuration mode. The router serves this package to clients that do not yet have AnyConnect installed.
CORPORATE(config)#webvpn install svc flash://anyconnect-win-3.1.00495-k9.pkg
SSLVPN Package SSL-VPN-Client (seq:1): installed successfully
6. Setting up the SSL VPN context and configuring the group policy
The WebVPN context is where the SSL VPN is terminated and the user's VPN session is established. The context also contains all of the policies that can be applied to a user, including authentication, authorization, and accounting (AAA), virtual routing and forwarding instances (VRFs), and group policies. This is where user authentication takes place and group policies are applied to the user session.
Furthermore, the context can define the way the SSL VPN Web portal will appear to the user by specifying the colors and the images. The context is basically a container for user sessions. The WebVPN context uses a WebVPN gateway for the SSL session termination endpoint IP address. Multiple contexts can use one WebVPN gateway by using the domain keyword, and specifying a label.
Enter the commands below to set up a context named 'VPN1' and a group policy called 'MYPOLICY'. Note that MYPOLICY enables the full tunnel client ('functions svc-enabled') without a 'filter tunnel' ACL, so every authenticated user can reach any destination the router routes; outside a lab, attach an ACL with 'filter tunnel' to restrict what VPN users may reach.
CORPORATE(config)#webvpn context VPN1
CORPORATE(config-webvpn-context)#ssl authenticate verify all
CORPORATE(config-webvpn-context)#url-list "WebServers"
CORPORATE(config-webvpn-url)#heading "Intranet Websites"
CORPORATE(config-webvpn-url)#url-text "FTPServer" url-value "ftp://172.17.0.39"
CORPORATE(config-webvpn-url)#url-text "AbcServer" url-value "http://172.17.0.40"
CORPORATE(config-webvpn-url)#exit
CORPORATE(config-webvpn-context)#policy group MYPOLICY
CORPORATE(config-webvpn-group)#banner "Welcome to Tony's SSL VPN Services"
CORPORATE(config-webvpn-group)#functions svc-enabled
CORPORATE(config-webvpn-group)#url-list "WebServers"
CORPORATE(config-webvpn-group)#svc address-pool "SSL-POOL" netmask 255.255.0.0
CORPORATE(config-webvpn-group)#svc keep-client-installed
CORPORATE(config-webvpn-group)#svc dns-server primary 172.17.0.48
CORPORATE(config-webvpn-group)#exit
CORPORATE(config-webvpn-context)#default-group-policy MYPOLICY
CORPORATE(config-webvpn-context)#aaa authentication list SSL_AUTHEN
CORPORATE(config-webvpn-context)#gateway SSLVPNGW
CORPORATE(config-webvpn-context)#max-users 20
CORPORATE(config-webvpn-context)#inservice
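The six steps above, in running-config form, as an added Python check that is not part of the original page: it parses the stanzas and flags the points a reviewer would raise against this configuration: reversible 'password' strings, a self-signed gateway trustpoint, an SVC policy group without a 'filter tunnel' ACL, and an address pool that lies inside a connected interface's subnet. The interface stanza in the sample is an assumption (the page never shows which interface carries 172.17.0.5); the remaining lines are the page's own commands, abridged.

```python
import ipaddress
import re

# Constructed sample: steps 1-6 of this page as `show running-config` would print them (abridged).
# The interface stanza is an assumption; the page never shows which interface carries 172.17.0.5.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login SSL_AUTHEN local
username administrator privilege 15 password mypassword
username tony password cisco123
crypto pki trustpoint MY-TRUSTPOINT
 enrollment selfsigned
 subject-name CN=my-certificate
 rsakeypair RSA-KEY
!
interface GigabitEthernet0/0
 ip address 172.17.0.5 255.255.0.0
!
ip local pool SSL-POOL 172.17.0.114 172.17.0.122
!
webvpn gateway SSLVPNGW
 ip address 172.17.0.5 port 443
 ssl trustpoint MY-TRUSTPOINT
 inservice
!
webvpn context VPN1
 ssl authenticate verify all
 policy group MYPOLICY
  functions svc-enabled
  svc address-pool "SSL-POOL" netmask 255.255.0.0
 default-group-policy MYPOLICY
 aaa authentication list SSL_AUTHEN
 gateway SSLVPNGW
 inservice
!
"""


def parse_sections(config):
    """Group a running-config into (top-level command, [(indent, subcommand), ...]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append((indent, raw.strip()))
    return sections


def audit_context(name, body):
    """Flag policy groups that hand out the full client with no tunnel ACL."""
    out = []
    if "ssl authenticate verify all" not in [t for _, t in body]:
        out.append(f"context {name}: missing 'ssl authenticate verify all'")
    groups, current = {}, None
    for indent, text in body:
        if indent == 1 and text.startswith("policy group "):
            current = text.split()[2]
            groups[current] = []
        elif indent > 1 and current is not None:
            groups[current].append(text)
        else:
            current = None                      # back at context level
    for gname, lines in groups.items():
        if any(l.startswith("functions svc") for l in lines) and not any(l.startswith("filter tunnel") for l in lines):
            out.append(f"context {name} group {gname}: SVC enabled with no 'filter tunnel' ACL; every authenticated user reaches everything the router routes")
    return out


def audit(config):
    """Return the findings for the SSL VPN-relevant parts of an IOS configuration."""
    findings, interfaces, pools, selfsigned, gateways = [], [], {}, set(), {}
    for header, body in parse_sections(config):
        words, texts = header.split(), [t for _, t in body]
        if words[0] == "username" and "password" in words:
            findings.append(f"user {words[1]}: 'username ... password' is stored reversibly; use 'username ... secret'")
        elif header.startswith("enable password"):
            findings.append("'enable password' is stored reversibly; use 'enable secret'")
        elif header.startswith("ip local pool "):
            pools[words[3]] = (ipaddress.ip_address(words[4]), ipaddress.ip_address(words[5]))
        elif words[0] == "interface":
            for t in texts:
                m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", t)
                if m:
                    interfaces.append((words[1], ipaddress.ip_interface(f"{m[1]}/{m[2]}").network))
        elif header.startswith("crypto pki trustpoint ") and "enrollment selfsigned" in texts:
            selfsigned.add(words[3])
        elif header.startswith("webvpn gateway "):
            for t in texts:
                if t.startswith("ssl trustpoint "):
                    gateways[words[2]] = t.split()[2]
        elif header.startswith("webvpn context "):
            findings += audit_context(words[2], body)
    for gw, tp in gateways.items():
        if tp in selfsigned:
            findings.append(f"gateway {gw}: trustpoint {tp} is self-signed; users cannot tell it from a spoofed gateway unless they check the fingerprint")
    for name, (lo, hi) in pools.items():
        for ifname, net in interfaces:
            if lo in net or hi in net:
                findings.append(f"pool {name} ({lo}-{hi}) lies inside the {ifname} subnet {net}; make sure DHCP and static hosts never hand out those addresses")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the check reports five findings: the two 'password' users, the self-signed trustpoint behind SSLVPNGW, the missing 'filter tunnel' in MYPOLICY, and SSL-POOL sitting inside 172.17.0.0/16. The last one is a warning rather than an error (the page deliberately carves the pool out of the LAN), but it is exactly the check that would have caught the LAB configuration further down, whose pool includes the peer router's own address.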
LAB
Running configuration of the SSL VPN router used in the lab. Note that the pool below (10.1.1.2 to 10.1.1.100) lies inside the FastEthernet0/1 subnet and includes 10.1.1.2, the address of the RM router and the next hop of the default route; a pool must never contain addresses that are already in use.
enable password cisco123
!
aaa new-model
!
aaa authentication login sslvpn local
aaa authentication login SSL_AUTHEN local
!
crypto pki trustpoint MY-TRUSTPOINT
enrollment selfsigned
serial-number
subject-name CN=my-certificate
revocation-check crl
rsakeypair RSA-KEY
!
!
crypto pki certificate chain MY-TRUSTPOINT
certificate self-signed 03
30820258 308201C1 A0030201 02020103 300D0609 2A864886 F70D0101 04050030
40311730 15060355 0403130E 6D792D63 65727469 66696361 74653125 300F0609
2A864886 F70D0109 02160252 31301206 03550405 130B4654 58303934 3557304D
59301E17 0D313430 31313531 32303833 375A170D 32303031 30313030 30303030
5A304031 17301506 03550403 130E6D79 2D636572 74696669 63617465 3125300F
06092A86 4886F70D 01090216 02523130 12060355 0405130B 46545830 39343557
304D5930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BDB8C925 EFDE1843 8FCFC475 DC2C0521 4BE44C36 0491B2BB D1498761 6DDCB9C5
91EB10B7 EA9555C5 3B0C5DE1 AA96DF34 CCD4DAB8 18D56700 42D2FC00 FDDDED9B
FC4B9D44 945D88E9 9F661C1B F2D7CA59 D455E058 B1B14152 7D528D8E 557E9777
05F5B479 98D8BEC2 7A82EB49 F189B6AB AB66B205 0B101AFD 78A68185 A7A11AC9
02030100 01A36230 60300F06 03551D13 0101FF04 05300301 01FF300D 0603551D
11040630 04820252 31301F06 03551D23 04183016 8014F081 B81CFAEE F85CD65B
AF53F04A B8E4ED8C 6E9E301D 0603551D 0E041604 14F081B8 1CFAEEF8 5CD65BAF
53F04AB8 E4ED8C6E 9E300D06 092A8648 86F70D01 01040500 03818100 6733E2D1
FEF30A2B C91FAD1C E3718B68 94BE9CFB CDC3E0D2 687D3EE6 529C03EA 89C1E610
A4F7EC1D 95A78471 B1DABD1B 618582AA 36E505FB 4084232F 240469B1 A93B5F60
5E7E9779 69CD04F6 4E3F35A4 0D400FEE BA1E9B47 84FC6410 FAC4BBE1 8C0F2922
16AAD8AA A2E6463C D99EB330 E5F3A7B8 CED367C7 A7BEA7B5 3A9F2952
quit
!
!
username [ID] privilege 15 secret 5 $1$ikr3$P8AUYUsczjfJNC1i4M6Q/1
!
interface FastEthernet0/0
ip address 192.168.3.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
ip local pool SSL-POOL 10.1.1.2 10.1.1.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
webvpn gateway SSLVPNGW
ip address 10.1.1.1 port 443
ssl trustpoint MY-TRUSTPOINT
inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context VPN1
ssl authenticate verify all
!
url-list "WebServers"
heading "Intranet Websites"
url-text "FTPServer" url-value "tftp://192.168.3.3"
url-text "AbcServer" url-value "http://192.168.3.4"
!
!
policy group MYPOLICY
url-list "WebServers"
functions svc-enabled
banner "Welcome to Mangab's SSL VPN Services"
svc address-pool "SSL-POOL"
svc keep-client-installed
default-group-policy MYPOLICY
aaa authentication list SSL_AUTHEN
gateway SSLVPNGW
max-users 20
inservice
!
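The hex block under 'crypto pki certificate chain MY-TRUSTPOINT' in the LAB configuration is the router's self-signed certificate in DER form, so it can be inspected offline. The following Python script is an added example, not code from the page: it rebuilds the DER bytes from the IOS dump, walks the ASN.1 with the standard library only, and reports the fields a VPN administrator should check before trusting the gateway (signature algorithm, key size, validity, subject, and the SHA-256 fingerprint an AnyConnect user can compare against the untrusted-server warning), then flags MD5/SHA-1 signatures and RSA keys under 2048 bits. The input is the page's own certificate; the OID and policy tables are the script's.

```python
import hashlib
import re

# Hex dump copied from the LAB config above (IOS prints the DER certificate as 4-byte hex words).
IOS_CERT_HEX = """
30820258 308201C1 A0030201 02020103 300D0609 2A864886 F70D0101 04050030
40311730 15060355 0403130E 6D792D63 65727469 66696361 74653125 300F0609
2A864886 F70D0109 02160252 31301206 03550405 130B4654 58303934 3557304D
59301E17 0D313430 31313531 32303833 375A170D 32303031 30313030 30303030
5A304031 17301506 03550403 130E6D79 2D636572 74696669 63617465 3125300F
06092A86 4886F70D 01090216 02523130 12060355 0405130B 46545830 39343557
304D5930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BDB8C925 EFDE1843 8FCFC475 DC2C0521 4BE44C36 0491B2BB D1498761 6DDCB9C5
91EB10B7 EA9555C5 3B0C5DE1 AA96DF34 CCD4DAB8 18D56700 42D2FC00 FDDDED9B
FC4B9D44 945D88E9 9F661C1B F2D7CA59 D455E058 B1B14152 7D528D8E 557E9777
05F5B479 98D8BEC2 7A82EB49 F189B6AB AB66B205 0B101AFD 78A68185 A7A11AC9
02030100 01A36230 60300F06 03551D13 0101FF04 05300301 01FF300D 0603551D
11040630 04820252 31301F06 03551D23 04183016 8014F081 B81CFAEE F85CD65B
AF53F04A B8E4ED8C 6E9E301D 0603551D 0E041604 14F081B8 1CFAEEF8 5CD65BAF
53F04AB8 E4ED8C6E 9E300D06 092A8648 86F70D01 01040500 03818100 6733E2D1
FEF30A2B C91FAD1C E3718B68 94BE9CFB CDC3E0D2 687D3EE6 529C03EA 89C1E610
A4F7EC1D 95A78471 B1DABD1B 618582AA 36E505FB 4084232F 240469B1 A93B5F60
5E7E9779 69CD04F6 4E3F35A4 0D400FEE BA1E9B47 84FC6410 FAC4BBE1 8C0F2922
16AAD8AA A2E6463C D99EB330 E5F3A7B8 CED367C7 A7BEA7B5 3A9F2952
"""

# Signature OIDs that are no longer acceptable; anything else is reported by its dotted OID.
WEAK_SIG = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
NAME_OIDS = {"2.5.4.3": "CN", "2.5.4.5": "serialNumber", "1.2.840.113549.1.9.2": "unstructuredName"}


def ios_hex_to_der(dump):
    return bytes.fromhex(re.sub(r"\s+", "", dump))      # drop the whitespace IOS inserts


def read_tlv(buf, pos):
    """DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def children(buf, start, end):
    while start < end:                                  # yield the TLVs directly inside buf[start:end]
        tlv = read_tlv(buf, start)
        yield tlv
        start = tlv[2]


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0          # first octet packs the first two arcs
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)                   # base-128, high bit set on all but the last octet
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                                     # UTCTime YYMMDDhhmmssZ; RFC 5280 century pivot at 50
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return f"{s[:4]}-{s[4:6]}-{s[6:8]} {s[8:10]}:{s[10:12]}:{s[12:14]}"


def decode_name(buf, start, end):
    """X.501 Name: SEQUENCE of SET of (OID, value) -> {attribute: string}."""
    attrs = {}
    for _, set_s, set_e in children(buf, start, end):
        for _, seq_s, seq_e in children(buf, set_s, set_e):
            (_, os_, oe), (_, vs, ve) = list(children(buf, seq_s, seq_e))[:2]
            oid = decode_oid(buf[os_:oe])
            attrs[NAME_OIDS.get(oid, oid)] = buf[vs:ve].decode("ascii", "replace")
    return attrs


def inspect_certificate(der):
    _, cs, ce = read_tlv(der, 0)
    tbs = next(children(der, cs, ce))                   # Certificate ::= SEQUENCE {tbs, alg, sig}
    fields = list(children(der, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, alg, _issuer, validity, subject, spki = fields[:6]
    oid = next(children(der, alg[1], alg[2]))
    sig_oid = decode_oid(der[oid[1]:oid[2]])
    not_before, not_after = [decode_time(t, der[s:e]) for t, s, e in children(der, validity[1], validity[2])]
    bits = list(children(der, spki[1], spki[2]))[1]     # SubjectPublicKeyInfo: algorithm, BIT STRING
    _, rsa_s, rsa_e = read_tlv(der, bits[1] + 1)        # skip the unused-bits octet of the BIT STRING
    mod = next(children(der, rsa_s, rsa_e))             # RSAPublicKey ::= SEQUENCE {modulus, exponent}
    return {"serial": int.from_bytes(der[serial[1]:serial[2]], "big"), "signature_oid": sig_oid,
            "signature_algorithm": WEAK_SIG.get(sig_oid, sig_oid),
            "key_bits": int.from_bytes(der[mod[1]:mod[2]], "big").bit_length(),
            "not_before": not_before, "not_after": not_after,
            "subject": decode_name(der, subject[1], subject[2]),
            "sha256_fingerprint": hashlib.sha256(der).hexdigest()}


def assess(info):
    """Policy: no MD5/SHA-1 signatures, no RSA keys under 2048 bits."""
    problems = []
    if info["signature_oid"] in WEAK_SIG:
        problems.append(f"signed with {info['signature_algorithm']}; modern TLS stacks reject it")
    if info["key_bits"] < 2048:
        problems.append(f"RSA key is only {info['key_bits']} bits; use 2048 or more")
    return problems


if __name__ == "__main__":
    info = inspect_certificate(ios_hex_to_der(IOS_CERT_HEX))
    print(info, assess(info), sep="\n")
```

On the LAB certificate the script reports serial 3, subject CN=my-certificate with the chassis serial number FTX0945W0MY and hostname R1 embedded, validity from 2014-01-15 to 2020-01-01, an md5WithRSAEncryption signature and a 1024-bit RSA key. So the lab's RSA-KEY is not the 4096-bit key step 2 generates, and a certificate like this is refused by current clients; regenerate with a 2048-bit or larger key and, where the IOS release supports it, set 'hash sha256' under the trustpoint before re-enrolling. Compare the printed SHA-256 fingerprint with what the client shows in its warning dialog; that comparison is the only thing standing between a self-signed gateway and an impostor on the path.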
RM
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!
no ip http server
no ip http secure-server
ip nat pool IPNAT 10.1.1.2 10.1.1.2 netmask 255.255.255.0
ip nat inside source list 1 pool IPNAT overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
Result
From the remote Windows XP Service Pack 3 client (192.168.1.6), enter the following in the Internet Explorer address bar:
https://10.1.1.1