Cisco IOS SSL VPN Example

NetCraftsmen®
I wanted to show an example of using clientless and thin client features in this blog entry. Before going into the example, I wanted to point out the general methodology for implementing the IOS SSL VPN. The “webvpn context” command is the container that houses the individual parameters for the VPN. The “webvpn gateway” and “policy group” provide the parameters that are added to the “webvpn context”.
The example is based on the diagram below.

For this example, the router needs to provide a user on the 192.168.137.x network secure access to R1 through an SSL web portal. HTTP access to R1 is provided through a URL link. HTTPS and SSH access to R1 is provided by port forwarding. In a real-world deployment, this type of access could give a network administrator emergency access from any computer.

The first step is to set up the authentication method for the user. By default, the IOS SSL VPN authenticates against the default AAA login method list. For this example, we will use local authentication with the commands below.

aaa new-model
aaa authentication login default local
username cisco password cisco

The next step is to set up the IP and port information for connectivity to the SSL VPN. The IOS SSL VPN allows the IP to be based on the interface IP of the router or a virtual IP address. Additionally, the port can be the standard 443/tcp or it can be another manually assigned port. For this example, we will use the fa1/0 interface of the router and port 8000/tcp. This is shown below.

webvpn gateway SSL1
 hostname SSL1
 ip address 192.168.137.100 port 8000
 ssl trustpoint TP-self-signed-4294967295
 inservice

Notice the “ssl trustpoint” in the configuration. This is automatically created when the “inservice” command is added to activate the configuration.

The next step is to create the “webvpn context”. As stated earlier, this is the container for the VPN parameters. Within the “webvpn context” container, there are a number of parameters that are defined and applied. For example:

  1. A URL can be defined
  2. The URL can be applied to a policy group
  3. The policy group can then be applied to the context

This is all within the “webvpn context” container. An example is shown below.

webvpn context SSL
 url-list "R1"
   heading "R1"
   url-text "R1-http" url-value "http://192.168.1.2"
 policy group default
   url-list "R1"
 default-group-policy default

This shows the URL list, R1, being defined and then applied to the policy group, default. The policy group, default, is then applied to the context with the “default-group-policy” command.

In a similar manner, the IOS SSL VPN can support port forwarding. This is shown below.

webvpn context SSL
 port-forward "R1"
   local-port 5000 remote-server "192.168.1.2" remote-port 443 description "R1 HTTPS"
   local-port 5001 remote-server "192.168.1.2" remote-port 22 description "R1 SSH"
 policy group default
   port-forward "R1" auto-download
 default-group-policy default

This portion shows how to forward ports. When a user uses a web browser to access https://127.0.0.1:5000, they are redirected to https://192.168.1.2 through the SSL connection. Similarly, when a user uses an SSH client to access 127.0.0.1 on port 5001, they are redirected to 192.168.1.2 on port 22. In the “port-forward” command, notice the “auto-download” parameter. This causes the port forwarding connectivity to launch automatically, instead of requiring the user to click on the “thin client” start button shown below.

The screenshots below show the GUI experience based on the configuration above.

1. The user accesses the web portal at https://192.168.137.100:8000

2. The user logs in and is presented with the web portal

3. At the same time as step 2, the port forwarding window appears with the settings for port forwarding

Below is the full relevant config for the example above.

aaa new-model
!
!
aaa authentication login default local
username cisco password 0 cisco
no ip http server
no ip http secure-server
webvpn gateway SSL1
 hostname SSL1
 ip address 192.168.137.100 port 8000
 ssl trustpoint TP-self-signed-4294967295
 inservice
!
webvpn context SSL
 ssl authenticate verify all
 !
 url-list "R1"
   heading "R1"
   url-text "R1-http" url-value "http://192.168.1.2"
 !
 !
 port-forward "R1"
   local-port 5000 remote-server "192.168.1.2" remote-port 443 description "R1 HTTPS"
   local-port 5001 remote-server "192.168.1.2" remote-port 22 description "R1 SSH"
 !
 policy group default
   url-list "R1"
   port-forward "R1" auto-download
   banner "Welcome to the IOS SSL Lab"
 default-group-policy default
 gateway SSL1
 inservice
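As an added example (my code, not from the original post or from Cisco), a small Python audit that parses an IOS “webvpn” configuration by its indentation and checks the chain described above: url-lists and port-forward lists must be defined in the context before a policy group references them, and the context must name an existing policy group with “default-group-policy” and an existing gateway. It also flags the two settings a reviewer would question in the config above, the type 0 “password” and the auto-generated self-signed trustpoint; the embedded config is the article’s, re-typed with “show running-config” indentation.

```python
import shlex
# Constructed sample: the article's final config with 'show running-config' indentation.
SAMPLE = """\
username cisco password 0 cisco
webvpn gateway SSL1
 ssl trustpoint TP-self-signed-4294967295
webvpn context SSL
 url-list "R1"
   url-text "R1-http" url-value "http://192.168.1.2"
 port-forward "R1"
 policy group default
   url-list "R1"
   port-forward "R1" auto-download
 default-group-policy default
 gateway SSL1
"""

def parse(lines, indent=0, i=0):
    """Nest pre-filtered config lines into (tokens, children) by IOS indentation."""
    nodes = []
    while i < len(lines):
        depth = len(lines[i]) - len(lines[i].lstrip())
        if depth < indent:
            break  # back out to the enclosing block
        toks, (kids, i) = shlex.split(lines[i]), parse(lines, depth + 1, i + 1)
        nodes.append((toks, kids))
    return nodes, i

def audit(text):
    """Findings: reversible local passwords, self-signed gateway cert, dangling references."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("!")]
    out, gw, ctx = [], {}, {}
    for t, kids in parse(lines)[0]:
        if t[0] == "username" and "password" in t:
            out.append(f"user {t[1]}: reversible password (use 'secret')")
        elif t[:2] == ["webvpn", "gateway"]:
            gw[t[2]] = kids
            out += [f"gateway {t[2]}: self-signed trustpoint {c[2]}" for c, _ in kids
                    if c[:2] == ["ssl", "trustpoint"] and c[2].startswith("TP-self-signed")]
        elif t[:2] == ["webvpn", "context"]:
            ctx[t[2]] = kids
    for name, kids in ctx.items():
        cmds = [k for k, _ in kids]
        # lists defined directly under the context are the only ones a policy group may reference
        lists = {tuple(k[:2]) for k in cmds if k[0] in ("url-list", "port-forward")}
        groups = {k[2]: [r for r, _ in b] for k, b in kids if k[:2] == ["policy", "group"]}
        out += [f"context {name}: group {g} references undefined {r[0]} {r[1]}"
                for g, refs in groups.items() for r in refs
                if r[0] in ("url-list", "port-forward") and tuple(r[:2]) not in lists]
        for key, known in (("default-group-policy", groups), ("gateway", gw)):
            if not any(k[0] == key and k[1] in known for k in cmds):
                out.append(f"context {name}: {key} missing or undefined")
    return out
```

Run audit() over a pasted “show running-config | section webvpn” plus the username lines; an empty result means every reference in the chain resolves.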
