Cisco IOS: Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM

Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM

Network Diagram

This document uses this network setup:

Configure the Thin-Client SSL VPN


Building configuration...

Current configuration : 4343 bytes
! Last configuration change at 15:55:38 UTC Thu Jul 27 2006 by ausnml
! NVRAM config last updated at 21:30:03 UTC Wed Jul 26 2006 by ausnml
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ausnml-3825-01
boot system flash c3825-adventerprisek9-mz.124-9.T.bin
no logging buffered
enable secret 5 $1$KbIu$5o8qKYAVpWvyv9rYbrJLi/
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local 
aaa session-id common
resource policy
ip cef
ip domain name
voice-card 0
 no dspfarm

!--- Self-Signed Certificate Information

crypto pki trustpoint ausnml-3825-01_Certificate
 enrollment selfsigned
 serial-number none
 ip-address none
 revocation-check crl
 rsakeypair ausnml-3825-01_Certificate_RSAKey 1024
crypto pki certificate chain ausnml-3825-01_Certificate
 certificate self-signed 02
  30820240 308201A9 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
!--- cut for brevity

username ausnml privilege 15 password 7 15071F5A5D292421
username fallback privilege 15 password 7 08345818501A0A12
username austin privilege 15 secret 5 $1$3xFv$W0YUsKDx1adDc.cVQF2Ei0
username sales_user1 privilege 5 secret 5 $1$2/SX$ep4fsCpodeyKaRji2mJkX/
username admin0321 privilege 15 secret 5 $1$FxzG$cQUJeUpBWgZ.scSzOt8Ro1
interface GigabitEthernet0/0
 ip address
 duplex auto
 speed auto
 media-type rj45
interface GigabitEthernet0/1
 ip address
 duplex auto
 speed auto
 media-type rj45
ip route
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 100
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 40 0
 privilege level 15
 password 7 071A351A170A1600
 transport input telnet ssh
line vty 5 15
 exec-timeout 40 0
 password 7 001107505D580403
 transport input telnet ssh
scheduler allocate 20000 1000

!--- the WebVPN Gateway 

webvpn gateway gateway_1
 ip address port 443 
 http-redirect port 80
 ssl trustpoint ausnml-3825-01_Certificate

!--- the WebVPN Context

webvpn context webvpn
 title-color #CCCC66
 secondary-color white
 text-color black
 ssl authenticate verify all

!--- resources available to the thin-client

 port-forward "portforward_list_1"
   local-port 3002 remote-server "" remote-port 110 description "Pop3 Email"
   local-port 3001 remote-server "" remote-port 23 description "Router1"
   local-port 3000 remote-server "" remote-port 25 description "Email"
   local-port 3003 remote-server "" remote-port 22 description "Router2 SSH"

!--- the group policy

 policy group policy_1
   port-forward "portforward_list_1" 
 default-group-policy policy_1
 aaa authentication list sdm_vpn_xauth_ml_2
 gateway gateway_1 domain webvpn
 max-users 2


Verify Your Configuration

Use this section to confirm that your configuration works properly.

  1. Use a client computer to access the WebVPN gateway at https://gateway_ip_address. Remember to include the WebVPN domain name if you create unique WebVPN contexts. For example, if you have created a domain called sales, enter https://gateway_ip_address/sales.

  2. Login and accept the certificate offered by the WebVPN gateway. Click Start Application Access.

  3. An Application Access screen displays. You can access an application with the local port number and your local loopback IP address. For example, to Telnet to Router 1, enter telnet 3001. The small Java applet sends this information to the WebVPN gateway, which then ties the two ends of the session together in a secure fashion. Successful connections can cause the Bytes Out and Bytes In columns to increase.


Several show commands are associated with WebVPN. You can execute these commands at the command-line interface (CLI) to show statistics and other information. To see the use of show commands in detail, refer to Verifying WebVPN Configuration.

This entry was posted in Cisco WebVPN. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s