This config assumes you are using the ASA to static NAT and ACL http/https traffic to the router that will be hosting the SSL VPN (WebVPN). The router will need an Advanced IP Services IOS image (I am using c3825-advipservicesk9-mz.124-22.T1.bin).
This configuration will create a persistent self-signed SSL certificate. If your router is configured with a hostname of ROUTER and a default domain of MYDOMAIN.COM, the cert will include an alternate DNS name entry of ROUTER.MYDOMAIN.COM -- add a hosts file line to your system like...
Code:
<Public IP> ROUTER.MYDOMAIN.COM #Company VPN Address
...and you can just browse to "router.mydomain.com" without http:// or https:// (because my config redirects from 80 to 443). Import the cert to the Trusted Root Certification Authorities certificate store (requires admin rights) and no user of the system will be nagged by the untrusted cert.
This is a down-and-dirty working solution and can be made much more elegant with AD/RADIUS authentication and group membership to limit who can authenticate through the WebVPN.
Be careful: the things that will trip you up are the names. You may not be able to use the ASA "access-list outside..." line as-is if your access list for outside traffic coming in is called "outside_to_inside"; or, if your router already has "Loopback0" configured, then you have to use "Loopback1", etc. You will have to find these and change them. I hope that makes sense, as I did not mark those entries with <>.
ASA Configuration (remember, we have to forward both http and https to the router for the redirect to work and make it easy on the user):
Code:
access-list outside extended permit tcp any host <Public IP> eq http
access-list outside extended permit tcp any host <Public IP> eq https
static (inside,outside) <Public IP> <Router SSL Gateway IP - 10.10.20.1> netmask 255.255.255.255
Before you begin configuring the router you will need to get the WebVPN package copied to flash. This can be downloaded from Cisco's website (requires a logon). Review of the code below tells you where to put the package once you get it.
Lines below that contain entries like <Name - something here> indicate something YOU must provide to make this work. To the left of the "-" is the description of what's needed and to the right is an example for you. If you just see <SOMETHING> without a "-" it means I thought it was self-explanatory.
ROUTER Configuration:
Code:
aaa authentication login VPN-XAUTH local
ip local pool SSLVPN-POOL <Start IP - 10.10.10.200> <End IP - 10.10.10.254>
interface Loopback0
description <SSLVPN INTERFACE>
ip address <Subnet IP - 10.10.10.1> <Subnet Mask - 255.255.255.0>
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
webvpn gateway <Name - GW-SSLVPN>
ip address <ASA NAT IP - 10.10.20.1> port 443
!---below, so users do not have to remember https://
http-redirect port 80
inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn context vpn
ssl authenticate verify all
!
!
policy group SSLVPN_POLICY
functions svc-required
svc address-pool "SSLVPN-POOL"
svc default-domain "<your FQDN - mydomain.com>"
svc keep-client-installed
svc split dns "<default-domain from above>"
!---below, access all internal networks (adjust to your needs, of course)
svc split include 10.0.0.0 255.0.0.0
svc split include 172.16.0.0 255.240.0.0
!---192.168.0.0 is a /16; 255.240.0.0 would leave host bits set (it actually covers 192.160.0.0/12)
svc split include 192.168.0.0 255.255.0.0
svc dns-server primary <Primary Internal DNS IP>
svc dns-server secondary <Secondary Internal DNS IP>
svc wins-server primary <Internal WINS IP - if needed>
default-group-policy SSLVPN_POLICY
aaa authentication list VPN-XAUTH
gateway <Name (same as web gateway above) - GW-SSLVPN>
inservice
!
ip http secure-server
ip http server
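As an added example (not from the post, and not Cisco's code), here is a small Python lint that checks a filled-in router fragment for the naming and addressing mistakes this post warns about: the `svc address-pool` name must match an `ip local pool`, the pool must sit inside the Loopback subnet, the `gateway` name inside the context must match the `webvpn gateway`, `default-group-policy` must name a defined `policy group`, and every `svc split include` network must be aligned to its mask. The sample config is constructed from the example values above, with the 192.168.0.0 line deliberately given a misaligned 255.240.0.0 mask so the check has something to find.

```python
import ipaddress

# Constructed sample: the post's router fragment with placeholders filled in.
# The 192.168.0.0 split-include is deliberately wrong (host bits set) for the demo.
SAMPLE_CONFIG = """
ip local pool SSLVPN-POOL 10.10.10.200 10.10.10.254
interface Loopback0
 description SSLVPN INTERFACE
 ip address 10.10.10.1 255.255.255.0
webvpn gateway GW-SSLVPN
 ip address 10.10.20.1 port 443
 http-redirect port 80
 inservice
webvpn context vpn
 ssl authenticate verify all
 policy group SSLVPN_POLICY
  functions svc-required
  svc address-pool "SSLVPN-POOL"
  svc split include 10.0.0.0 255.0.0.0
  svc split include 172.16.0.0 255.240.0.0
  svc split include 192.168.0.0 255.240.0.0
 default-group-policy SSLVPN_POLICY
 gateway GW-SSLVPN
 inservice
"""

# Same fragment with the split-include mask corrected to a /16.
FIXED_CONFIG = SAMPLE_CONFIG.replace("192.168.0.0 255.240.0.0", "192.168.0.0 255.255.0.0")


def lint_webvpn(text):
    """Return a list of human-readable problems found in an IOS WebVPN fragment."""
    pools, loopback_nets = {}, []
    gateways, policy_groups = set(), set()
    pool_refs, split_includes, gateway_refs, default_policies = [], [], [], []
    current_iface = None  # only 'ip address' lines under an interface stanza count

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[:3] == ["ip", "local", "pool"] and len(words) == 6:
            pools[words[3]] = (ipaddress.ip_address(words[4]), ipaddress.ip_address(words[5]))
        elif words[0] == "interface":
            current_iface = words[1]
        elif words[:2] == ["ip", "address"] and current_iface and current_iface.lower().startswith("loopback"):
            loopback_nets.append(ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False))
        elif words[:2] == ["webvpn", "gateway"]:
            gateways.add(words[2])
            current_iface = None  # the gateway's own 'ip address' line is not an interface
        elif words[:2] == ["webvpn", "context"]:
            current_iface = None
        elif words[:2] == ["policy", "group"]:
            policy_groups.add(words[2])
        elif words[:2] == ["svc", "address-pool"]:
            pool_refs.append(words[2].strip('"'))
        elif words[:3] == ["svc", "split", "include"]:
            split_includes.append((words[3], words[4]))
        elif words[0] == "gateway":
            gateway_refs.append(words[1])
        elif words[0] == "default-group-policy":
            default_policies.append(words[1])

    problems = []
    for name in pool_refs:
        if name not in pools:
            problems.append(f"svc address-pool {name!r} has no matching 'ip local pool'")
            continue
        start, end = pools[name]
        if not any(start in net and end in net for net in loopback_nets):
            problems.append(f"pool {name} ({start}-{end}) is not inside any Loopback subnet")
    for net, mask in split_includes:
        try:
            ipaddress.ip_network(f"{net}/{mask}", strict=True)  # strict: host bits must be zero
        except ValueError as err:
            problems.append(f"svc split include {net} {mask}: {err}")
    for name in gateway_refs:
        if name not in gateways:
            problems.append(f"context references gateway {name!r} but no 'webvpn gateway {name}' exists")
    for name in default_policies:
        if name not in policy_groups:
            problems.append(f"default-group-policy {name!r} has no matching 'policy group'")
    return problems


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        found = lint_webvpn(cfg)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Run it against your own filled-in fragment (paste it into `SAMPLE_CONFIG`) before you apply it to the router; a stray name mismatch shows up as a missing-reference line rather than as a VPN that silently never comes up.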
Here is a link to something (here...) I thought might help you, but it is a little different since it is using a REAL SSL certificate instead of a persistent self-signed one like in my example. Look for the dropdown menu to take you to the following sections; page 2 has the good stuff!
As promised, I hope this helps you and I hope even more it helps you understand what I did. I LOVE it when people take the time to not only help (or just point you to a link, leaving you to figure it out), but TEACH. If not, I am sorry I missed the mark.
DigiMahn