Guest

Support

SSL VPN Configuration Guide, Cisco IOS XE Release 3S

  • Viewing Options

  • PDF (1.4 MB)
  • Feedback
SSL VPN

SSL VPN

SSL VPN provides support in the Cisco IOS software for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Socket Layer (SSL)-enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure VPN tunnel. The XE SSL VPN Support feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support through the full-tunnel client support.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for SSL VPN

To securely access resources on a private network behind an SSL VPN gateway, the remote user of an SSL VPN service must have the following:

  • An account (login name and password).
  • Support for full tunnel mode using Cisco AnyConnect Client.
  • Operating system support. For more information, see the “AnyConnect Secure Mobility Client 3.1 Computer OSs Supported” section in the Supported VPN Platforms, Cisco ASA 5500 Series document.
  • Administrative privileges to install Cisco AnyConnect client.

Restrictions for SSL VPN

  • SSL VPN does not support stateful route processor (RP) switchover.
  • Embedded Services Processors (ESP)-to-ESP switchover is not stateful in SSL VPN.

Information About SSL VPN

SSL VPN Overview

Cisco IOS SSL VPN is a router-based solution offering Secure Sockets Layer (SSL) VPN remote-access connectivity integrated with industry-leading security and routing features on a converged data, voice, and wireless platform. The security is transparent to the end user and easy to administer. With Cisco IOS SSL VPN, end users gain access securely from home or any Internet-enabled location such as wireless hotspots. Cisco IOS SSL VPN also enables companies to extend corporate network access to offshore partners and consultants, keeping corporate data protected all the while. Cisco IOS SSL VPN in conjunction with the dynamically downloaded Cisco AnyConnect VPN Client provides remote users with full network access to virtually any corporate application.

SSL VPN delivers the following three modes of SSL VPN access, of which only tunnel mode is supported in Cisco IOS XE software:

  • Clientless—Clientless mode provides secure access to private web resources and will provide access to web content. This mode is useful for accessing most content that you would expect to access in a web browser, such as Internet access, databases, and online tools that employ a web interface.
  • Thin Client (port-forwarding Java applet)—Thin client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access protocol (IMAP), Telnet, and Secure Shell (SSH).
  • Tunnel Mode—Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application.

Licensing

SSL VPN supports the following types of licenses:

  • Permanent licenses—No usage period is associated with these licenses. All permanent licenses are node locked and validated during installation and usage.
  • Evaluation licenses—These are metered licenses that are valid for a limited period. The usage period of a license is based on a system clock. The evaluation licenses are built into the image and are not node locked. The evaluation licenses are used only when there are no permanent, extension or grace period licenses available for a feature. An end-user license agreement (EULA) has to be accepted before using an evaluation license.
  • Extension licenses—Extension licenses are node-locked metered licenses. These licenses are installed using the management interfaces on the device. A EULA has to be accepted as part of installation.
  • Grace-rehost licenses—Grace period licenses are node locked metered licenses. These licenses are installed on the device as part of the rehost operation. A EULA has to be accepted as a part of the rehost operation.

For all the license types, except the evaluation license, a EULA has to be accepted during the license installation. This means that all the license types except the evaluation license are activated after installation. In the case of an evaluation license, a EULA is presented during an SSL VPN policy configuration or an SSL VPN profile configuration.

An SSL VPN session corresponds to a successful login of a user to the SSL VPN service. An SSL VPN session is created when a valid license is installed and the user credentials are successfully validated. On a successful user validation, a request is made to the licensing module to get a seat. An SSL VPN session is created only when the request is successful. If a valid license is not installed, the SSL VPN policy configuration and SSL VPN profile configuration can be successful, but the user cannot log in successfully. When multiple policies and profiles are configured, the total number of sessions are equal to the total sessions allowed by the license. A seat count is released when a session is deleted. A session is deleted because of reasons such as log out by the user, session idle timeout or Dead Peer Detection (DPD) failure.


Note


Rarely a few sessions which do not have active connections may appear to be consuming licenses. This typically denotes that this is a transition state and the session will get expired soon.


The same user can create multiple sessions and for each session a seat count is reserved. The seat reservation does not happen in the following cases:

  • Full-tunnel session creation from a browser session.
  • Full-tunnel session is up and a crypto rekey is done.

When the total active sessions are equal to the maximum license count of the current active license, no more new sessions are allowed.

The reserved seat count or session is released when the following occurs:

  • a user logs out.
  • a DPD failure happens.
  • a session timeout occurs.
  • an idle timeout occurs.
  • a session is cleared administratively using the clear crypto ssl session command.
  • a user is disconnected from the tunnel.
  • a profile is removed even when there are active sessions.

New Cisco IOS SSL VPN licenses that are generated are cumulative. Therefore the old licenses become inactive when a new license is applied. For example, when you are upgrading your license from 10 counts to 20 counts (an increase of 10 counts on the current 10 counts), Cisco provides a single 20 count license. The old license for 10 counts is not required when a permanent license for a higher count is available. However, the old license will exist in an inactive state as there is no reliable method to clear the old license.

Modes of Remote Access in Cisco IOS XE

Tunnel Mode

In a typical clientless remote access scenario, remote users establish an SSL tunnel to move data to and from the internal networks at the application layer (for example, web and e-mail). In tunnel mode, remote users use an SSL tunnel to move data at the network (IP) layer. Therefore, tunnel mode supports most IP-based applications. Tunnel mode supports many popular corporate applications (for example, Microsoft Outlook, Microsoft Exchange, Lotus Notes E-mail, and Telnet).

SSL VPN support provided by full tunnel mode is as follows:

  • Works like “clientless” IPsec VPN
  • Tunnel client loaded through Java or ActiveX
  • Application agnostic—supports all IP-based applications
  • Scalable
  • Local administrative permissions required for installation

Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application. The advantage of SSL VPN comes from its accessibility from almost any Internet-connected system without needing to install additional desktop software. Cisco SSL AnyConnect VPN allows remote users to access enterprise networks on the Internet through an SSL VPN gateway. During the establishment of the SSL VPN with the gateway, the Cisco AnyConnect VPN Client is downloaded and installed on the remote user equipment (laptop, mobile, PDA, etc. ), and the tunnel connection is established when the remote user logs into the SSL VPN gateway. The tunnel connection is determined by the group policy configuration. By default, the Cisco AnyConnect VPN Client is removed from the client PC after the connection is closed. However, you have the option to keep the Cisco AnyConnect VPN Client installed on the client equipment.

Cisco SSL AnyConnect VPN easy access to services within the company’s network and simplifies the VPN configuration on the SSL VPN gateway, reducing the overhead for system administrators.

SSL VPN CLI Constructs

SSL Proposal

SSL proposal specifies the cipher suites that are supported. Each cipher suite defines a key exchange algorithm, a bulk encryption algorithm, a MAC algorithm. One of the cipher suites configured would be chosen from the client's proposal during SSL negotiation. If the intersection between the client proposed suites and configured suites is a null set, the negotiation terminates. Ciphers are currently selected based on the client's priority.

The SSL proposal is used in SSL handshake protocol for negotiating encryption and decryption. The default SSL proposal is used with SSL policy in the absence of any user-defined proposal. The default proposal has ciphers in the order as show below:
protection rsa-aes256-sha1 rsa-aes128-sha1 rsa-3des-ede-sha1 rsa-3des-ede-sha1

SSL Policy

SSL policy defines the cipher suites to be supported and the trust point to be used during SSL negotiation. SSL policy is a container of all the parameters used in the SSL negotiation. The policy selection would be done by matching the session parameters against the parameters configured under the policy. There is no default policy. Every policy is associated with a proposal and a trustpoint.

SSL Profile

The SSL VPN profile defines authentication and accounting lists. Profile selection depends on policy and URL values. Profile may, optionally, be associated with a default authorization policy.

The following rules apply:

  • The policy and URL must be unique for an SSL VPN profile.
  • At least one authorization method must be specified to bring up the session.
  • The three authorization types namely user, group and cached may coexist.
  • There is no default authorization.
  • The order of precedence for authorization is user authorization, cache authorization, and group authorization. If group authorization override is configured the order of precedence is group authorization, user authorization, and cache authorization.

SSL Authorization Policy

The SSL authorization policy is a container of authorization parameters that are pushed to the remote client and are applied either locally on the virtual-access interface or globally on the device. The authorization policy is referred from the SSL VPN profile.

How to Configure SSL VPN

Configuring SSL Proposal

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    crypto ssl proposal proposal-name

    4.    protection

    5.    end

    6.    show crypto ssl proposal [proposal name]


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3crypto ssl proposal proposal-name


    Example:
    Device(config)# crypto ssl proposal proposal1
     

    Defines an SSL proposal name, and enters crypto SSL proposal configuration mode.

     
    Step 4protection


    Example:
    Device(config-crypto-ssl-proposal)# protection rsa-3des-ede-sha1 rsa-aes128-sha1
     

    Specifies one or more cipher suites that are as follows:

    • rsa-3des-ede-sha1
    • rsa-aes128-sha1
    • rsa-aes256-sha1
    • rsa-rc4128-md5
     
    Step 5end


    Example:
    Device(config-crypto-ssl-proposal)# end
     

    Exits SSL proposal configuration mode and returns to privileged EXEC mode.

     
    Step 6show crypto ssl proposal [proposal name]


    Example:
    Device# show crypto ssl proposal
     

    (Optional) Displays the SSL proposal.

     
    What to Do Next

    After configuring the SSL proposal, configure the SSL policy. For more information, see the “Configuring SSL Policy” section.

    Configuring SSL Policy

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    crypto ssl policy policy-name

      4.    ip address local ip-address [vrf vrf-name] [port port-number] [standby redundancy-name]

      5.    ip interface local interface-name [vrf vrf-name] [port port-number] [standby redundancy-name]

      6.    pki trustpoint trustpoint-name sign

      7.    ssl proposal proposal-name

      8.    no shut

      9.    end

      10.    show crypto ssl policy [policy-name]


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3crypto ssl policy policy-name


      Example:
      Device(config)# crypto ssl policy policy1
       

      Defines an SSL policy name and enters SSL policy configuration mode.

       
      Step 4ip address local ip-address [vrf vrf-name] [port port-number] [standby redundancy-name]


      Example:
      Device(config-crypto-ssl-policy)# ip address local 10.0.0.1 port 446
       

      Specifies the local IP address to start the TCP listener.

      Note    Either this command or the ip interface local command is mandatory.
       
      Step 5ip interface local interface-name [vrf vrf-name] [port port-number] [standby redundancy-name]


      Example:
      Device(config-crypto-ssl-policy)# ip interface local FastEthernet redundancy1
       

      Specifies the local interface to start the TCP listener.

      Note    Either this command or the ip address local command is mandatory.
       
      Step 6pki trustpoint trustpoint-name sign


      Example:
      Device(config-crypto-ssl-policy)# pki trustpoint tp1 sign
       

      (Optional) Specifies the trustpoint to be used to send server certificate during an SSL handshake.

      Note    If this command is not specified, a default self-signed trustpoint is used. If there is no default self-signed trustpoint, the system creates a default self-signed certificate.
       
      Step 7ssl proposal proposal-name


      Example:
      Device(config-crypto-ssl-policy)# ssl proposal pr1
       

      (Optional) Specifies the cipher suites to be selected during an SSL handshake.

      Note    If a proposal is not specified, the default proposal is used.
       
      Step 8no shut


      Example:
      Device(config-crypto-ssl-policy)# no shut
       

      Starts the TCP listener based on the configuration.

       
      Step 9end


      Example:
      Device(config-crypto-ssl-policy)# end
       

      Exits SSL policy configuration mode and returns to privileged EXEC mode.

       
      Step 10show crypto ssl policy [policy-name]


      Example:
      Device# show crypto ssl policy
       

      (Optional) Displays the SSL policies.

       
      What to Do Next

      After configuring the SSL policy, configure the SSL profile to match the policy. For more information, see the “Configuring SSL Profile” section.

      Configuring an SSL Profile

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    crypto ssl profile profile-name

        4.    aaa accounting list list-name

        5.    aaa authentication list list-name

        6.    aaa authorization group [override] list aaa-listname aaa-username

        7.    aaa authorization user {cached | list aaa-listname aaa-username}

        8.    match policy policy-name

        9.    match url url-name

        10.    no shut

        11.    end

        12.    show crypto ssl profile [profile-name]


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 crypto ssl profile profile-name


        Example:
        Device(config)# crypto ssl profile profile1
         

        Defines an SSL profile and enters SSL profile configuration mode.

         
        Step 4 aaa accounting list list-name


        Example:
        Device(config-crypto-ssl-profile)# aaa accounting list list1
         

        Specifies authentication, authorization, and accounting (AAA) accounting method list.

         
        Step 5 aaa authentication list list-name


        Example:
        Device(config-crypto-ssl-profile)# aaa authentication list list2
         

        Specifies the AAA authentication method list.

         
        Step 6aaa authorization group [override] list aaa-listname aaa-username


        Example:
        Device(config-crypto-ssl-profile)# aaa authorization group override list list1 user1
         

        Specifies the AAA method list and username for group authorization.

        • group—Specifies group authorization.
        • override—(Optional) Specifies that attributes from group authorization should take precedence while merging attributes. By default, user attributes take precedence.
        • aaa-listname—AAA method list name.
        • aaa-username—Username that must be used in the AAA authorization request. Refers to SSL authorization policy name defined on the device.
         
        Step 7aaa authorization user {cached | list aaa-listname aaa-username}


        Example:
        Device(config-crypto-ssl-profile)# aaa authorization user list list1 user1
         

        Specifies the AAA method list and username for user authorization.

        • user—Specifies user authorization.
        • cached—Specifies that the attributes received during EAP authentication or obtained from the AAA preshared key must be cached.
        • aaa-listname—AAA method list name.
        • aaa-username—Specifies the username that must be used in the AAA authorization request.
         
        Step 8 match policy policy-name


        Example:
        Device(config-crypto-ssl-profile)# match address policy policy1
         

        Uses match statements to select an SSL profile for a peer based on the SSL policy name.

         
        Step 9 match url url-name


        Example:
        Device(config-crypto-ssl-profile)# match url www.abc.com
         

        Uses match statements to select an SSL profile for a peer based on the URL.

         
        Step 10 no shut


        Example:
        Device(config-crypto-ssl-profile)# no shut
         
        Specifies the profile cannot be shut until the policy specified in the match policy command is in use.  
        Step 11 end


        Example:
        Device(config-crypto-ssl-profile)# end
         
        Exits SSL profile configuration mode and returns to privileged EXEC mode.  
        Step 12show crypto ssl profile [profile-name]


        Example:
        Device# show crypto ssl profile
         

        (Optional) Displays the SSL profile.

         

        Configuring the SSL Authorization Policy

        Perform this task to configure the SSL authorization policy.

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    crypto ssl authorization policy policy-name

          4.    banner banner-text

          5.    client profile profile-name

          6.    def-domain domain-name

          7.    dns primary-server [secondary-server]

          8.    dpd-interval {client | server} interval

          9.    homepage homepage-text

          10.    include-local-lan

          11.    keepalive seconds

          12.    module module-name

          13.    msie-proxy exception exception-name

          14.    msie-proxy option {auto | bypass | none}

          15.    msie-proxy server {ip-address | dns-name}

          16.    mtu bytes

          17.    netmask mask

          18.    pool name

          19.    rekey time seconds

          20.    route set access-list acl-name

          21.    smartcard-removal-disconnect

          22.    split-dns string

          23.    timeout {disconnect seconds | idle seconds | session seconds}

          24.    wins primary-server [secondary-server]

          25.    end

          26.    show crypto ssl authorization policy [policy-name]


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.
           
          Step 2 configure terminal


          Example:
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 3 crypto ssl authorization policy policy-name


          Example:
          Device(config)# crypto ssl authorization policy policy1
           

          Specifies the SSL authorization policy and enters SSL authorization policy configuration mode.

           
          Step 4banner banner-text


          Example:
          Device(config-crypto-ssl-auth-policy)# banner This is SSL VPN tunnel. NOTE: DO NOT dial emergency response numbers (e.g. 911,112) from
          software telephony clients. Your exact location and the appropriate emergency response agency may not be easily identified.  
           

          Specifies the banner. The banner is displayed on successful tunnel set up.

           
          Step 5client profile profile-name


          Example:
          Device(config-crypto-ssl-auth-policy)# client profile profile1
           

          Specifies the client profile. The profile must already be specified using the crypto ssl profile command.

           
          Step 6def-domain domain-name


          Example:
          Device(config-crypto-ssl-auth-policy)# def-domain example.com
           

          Specifies the default domain. This parameter specifies the default domain that the client can use.

           
          Step 7 dns primary-server [secondary-server]


          Example:
          Device(config-crypto-ssl-auth-policy)# dns 198.51.100.1 198.51.100.100
           

          Specifies the IP addresses of primary and secondary Domain Name Service (DNS) servers.

          • primary-server—IP address of the primary DNS server.
          • secondary-server—(Optional) IP address of the secondary DNS server.
           
          Step 8 dpd-interval {client | server} interval


          Example:
          Device(config-crypto-ssl-auth-policy)# dpd-interval  client 1000
           

          Configures Dead Peer Detection (DPD).globally for the client or server.

          • client—DPD for the client mode. The default value is 300 (five minutes).
          • server—DPD for the server mode. The default value is 300.
          • interval—Interval, in seconds. The range is from 5 to 3600.
           
          Step 9homepage homepage-text


          Example:
          Device(config-crypto-ssl-auth-policy)# homepage http://www.abc.com
           

          Specifies the SSL VPN home page URL.

           
          Step 10include-local-lan


          Example:
          Device(config-crypto-ssl-auth-policy)# include-local-lan
           

          Permits the remote user to access resources on a local LAN, such as a network printer.

           
          Step 11 keepalive seconds


          Example:
          Device(config-crypto-ssl-auth-policy)# keepalive 500
           

          Enables setting the minimum, maximum, and default values for keepalive, in seconds.

           
          Step 12module module-name


          Example:
          Device(config-crypto-ssl-auth-policy)# module gina
           

          Enables the server gateway to download the appropriate module for VPN to connect to a specific group.

          • dart—Downloads the AnyConnect Diagnostic and Reporting Tool (DART) module.
          • gina—Downloads the Start Before Logon (SBL) module.
           
          Step 13msie-proxy exception exception-name


          Example:
          Device(config-crypto-ssl-auth-policy)# msie-proxy exception 198.51.100.2
           

          The DNS name or the IP address specified in the exception-name argument that must not be sent via the proxy.

           
          Step 14msie-proxy option {auto | bypass | none}


          Example:
          Device(config-crypto-ssl-auth-policy)# msie-proxy option bypass
           

          Specifies the proxy settings for the Microsoft Internet Explorer browser. The proxy settings are required to specify an internal proxy server and to route the browser traffic through the proxy server when connecting to the corporate network.

          • auto—Browser is configured to auto detect proxy server settings.
          • bypass—Local addresses bypass the proxy server.
          • none—Browser is configured to not use the proxy server.
           
          Step 15msie-proxy server {ip-address | dns-name}


          Example:
          Device(config-crypto-ssl-auth-policy)# msie-proxy server 198.51.100.2
           

          The IP address or the DNS name, optionally followed by the port number, of the proxy server.

          Note   

          This command is required if the msie-proxy option bypass command is specified.

           
          Step 16mtu bytes


          Example:
          Device(config-crypto-ssl-auth-policy)# mtu 1000
           

          (Optional) Enables setting the minimum, maximum, and default MTU value.

          Note   

          The value specified in this command overrides the default MTU specified in Cisco AnyConnect Secure client configuration. If not specified, the value specified Cisco AnyConnect Secure client configuration is the MTU value. If the calculated MTU is less than the MTU specified in this command, this command is ignored.

           
          Step 17 netmask mask


          Example:
          Device(config-crypto-ssl-auth-policy)# netmask 255.255.255.0
           

          Specifies the netmask of the subnet from which the IP address is assigned to the client.

          • mask—Subnet mask address.
           
          Step 18 pool name


          Example:
          Device(config-crypto-ssl-auth-policy)# pool abc
           

          Defines a local IP address pool for assigning IP addresses to the remote access client.

          • name—Name of the local IP address pool.
          Note    The local IP address pool must already be defined using the ip local pool command.
           
          Step 19rekey time seconds


          Example:
          Device(config-crypto-ssl-auth-policy)# rekey time 1110
           

          Specifies the rekey interval, in seconds. The default value is 3600.

           
          Step 20 route set access-list acl-name


          Example:
          Device(config-crypto-ssl-auth-policy)# route set access-list acl1
           

          Specifies the traffic that must be secured through tunnels.

          • acl-name—Access list name.
           
          Step 21smartcard-removal-disconnect


          Example:
          Device(config-crypto-ssl-auth-policy)# smartcard-removal-disconnect
           

          Enables smartcard removal disconnect and specifies that the client should terminate the session when the smart card is removed.

           
          Step 22split-dns string


          Example:
          Device(config-crypto-ssl-auth-policy)# split-dns example.com example.net
           

          Allows you to specify up to ten split domain names, which the client should use for private networks.

           
          Step 23timeout {disconnect seconds | idle seconds | session seconds}


          Example:
          Device(config-crypto-ssl-auth-policy)# timeout disconnect 10000
           

          Specifies the timeout, in seconds.

          • disconnect seconds—Specifies the retry duration, in seconds, for Cisco AnyConnect client to reconnect to the server gateway. The default value is 0.
          • idle seconds—Specifies the idle timeout, in seconds. The default value is 1800 (30 minutes).
          • session seconds—Specifies the session timeout, in seconds. The default value is 43200 (12 hours).
           
          Step 24 wins primary-server [secondary-server]


          Example:
          Device(config-crypto-ssl-auth-policy)# wins 203.0.113.1 203.0.113.115
           

          Specifies the internal Windows Internet Naming Service (WINS) server addresses.

          • primary-server—IP address of the primary WINS server.
          • secondary-server—(Optional) IP address of the secondary WINS server.
           
          Step 25 end


          Example:
          Device(config-crypto-ssl-auth-policy)# end
           

          Exits SSL authorization policy configuration mode and returns to privileged EXEC mode.

           
          Step 26 show crypto ssl authorization policy [policy-name]


          Example:
          Device(config-crypto-ssl-auth-policy)# show crypto ssl authorization policy
           

          (Optional) Displays the SSL authorization policy.

           

          Verifying SSL VPN Configurations

          This section describes how to use show commands to verify the SSL VPN configurations:

          SUMMARY STEPS

            1.    enable

            2.    show crypto ssl proposal [name]

            3.    show crypto ssl policy [name]

            4.    show crypto ssl profile [name]

            5.    show crypto ssl authorization policy [name]

            6.    show crypto ssl session {user user-name | profile profile-name}

            7.    show crypto ssl stats [profile profile-name] [tunnel] [detail]

            8.    clear crypto ssl session {profile profile-name| user user-name}


          DETAILED STEPS
            Step 1   enable


            Example:
            Device> enable

            Enables privileged EXEC mode.

            • Enter your password if prompted.
            Step 2   show crypto ssl proposal [name]


            Example:
            Device# show crypto ssl proposal
             
            SSL Proposal: sslprop
                Protection: 3DES-SHA1
            

            Displays the SSL proposal.

            Step 3   show crypto ssl policy [name]


            Example:
            Device# show crypto ssl policy 
             
             SSL Policy: sslpolicy
              Status     : ACTIVE
              Proposal   : sslprop
              IP Address : 10.78.106.23
              Port       : 443
              fvrf       : 0
              Trust Point: TP-self-signed-1183786860
              Redundancy : none

            Displays the SSL policies.

            Step 4   show crypto ssl profile [name]


            Example:
            Device# show crypto ssl profile 
             
            SSL Profile: sslprofile
             Status: ACTIVE
             Match Criteria:
               URL: none
               Policy: 
                sslpolicy
             AAA accounting List      : local
             AAA authentication List  :none
             AAA authorization cached  :true     
             AAA authorization user List   :default
             AAA authorization user name: sslauth
             AAA authorization group List   :none
             AAA authorization group name: none
             Authentication Mode      : user credentials
             Interface                : SSLVPN-VIF1
               Status: ENABLE
            

            Displays the SSL profile.

            Step 5   show crypto ssl authorization policy [name]


            Example:
            Device# show crypto ssl authorization policy 
             
            SSL Auth Policy: sslauth
             V4 Parameter:
               Address Pool: SVC_POOL
               Netmask: 255.255.255.0
               Route ACL : split-include
             Banner                  : none
             Home Page               : none
             Idle timeout            : 300
             Disconnect Timeout      : 0
             Session Timeout         : 43200
             Keepalive Interval      : 0
             DPD Interval            : 300
             Rekey 
               Interval: 0
               Method  : none
             Split DNS               : none
             Default domain          : none
             Proxy Settings
                 Server: none
                 Option: NULL
                 Exception(s): none
             Anyconnect Profile Name : 
             SBL Enabled             : NO
             MAX MTU                 : 1406
             Smart Card
             Removal Disconnect      : NO
            

            Displays the SSL authorization policy.

            Step 6   show crypto ssl session {user user-name | profile profile-name}


            Example:
            Device# show crypto ssl session user LAB
            
            Session Type      : Full Tunnel
            Client User-Agent : AnyConnect Windows 3.0.08057
            
            Username          : LAB                  Num Connection : 1
            Public IP         : 72.163.209.245
            Profile           : sslprofile              Policy Group   : sslauth
            Last-Used         : 00:00:02           Created        : *00:58:44.219 PDT Thu Jul 25 2013
            Session Timeout   : 43200           Idle Timeout   : 300
            DPD GW Timeout    : 300           DPD CL Timeout : 300
            Address Pool      : sslvpn-pool     MTU Size       : 1406
            Rekey Time        : 0                     Rekey Method   :
            Lease Duration    : 43200
            Tunnel IP         : 50.1.1.2             Netmask        : 255.255.255.0
            Rx IP Packets     : 0                     Tx IP Packets  : 125
            CSTP Started      : 00:01:12        Last-Received  : 00:00:02
            CSTP DPD-Req sent : 0             Virtual Access : 0
            Msie-ProxyServer  : None          Msie-PxyPolicy : Disabled
            Msie-Exception    :
            Client Ports      : 34552
            
            Device# show crypto ssl session profile sslprofile
            
            SSL profile name: sslprofile
            Client_Login_Name  Client_IP_Address  No_of_Connections  Created  Last_Used
            LAB                72.163.209.245             1         00:00:33  00:00:00
            Error receiving show session info from remote cores
            
            

            Displays SSL VPN session information.

            Step 7   show crypto ssl stats [profile profile-name] [tunnel] [detail]


            Example:
            Device# show crypto ssl stats tunnel profile prf1
            SSLVPN Profile name : prf1
            Tunnel Statistics:
                Active connections       : 0
                Peak connections         : 0          Peak time                : never
                Connect succeed          : 0          Connect failed           : 0
                Reconnect succeed        : 0          Reconnect failed         : 0
                DPD timeout              : 0
              Client
                in  CSTP frames          : 0          in  CSTP control         : 0
                in  CSTP data            : 0          in  CSTP bytes           : 0
                out CSTP frames          : 0          out CSTP control         : 0
                out CSTP data            : 0          out CSTP bytes           : 0
                cef in  CSTP data frames : 0          cef in  CSTP data bytes  : 0
                cef out CSTP data frames : 0          cef out CSTP data bytes  : 0
              Server
                In  IP pkts              : 0          In  IP bytes             : 0
                Out IP pkts              : 0          Out IP bytes             : 0
            
            Step 8   clear crypto ssl session {profile profile-name| user user-name}


            Example:
            Device# clear crypto ssl session sslprofile

            Clears SSL VPN session.


            Configuration Examples for SSL VPN

            Example: Specifying the AnyConnect Image and Profile

            The following example shows how to specify the Cisco AnyConnect image and profile.

            Device> enable
            Device# configure terminal
            Device(config)# crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-3.1.04072-k9.pkg sequence 1
            Device(config)# crypto vpn anyconnect profile Employee bootflash:/Employee.xml
            Device(config)# end

            Example: Configuring SSL Proposal

            The following example shows how to configure the SSL proposal.

            Device> enable
            Device# configure terminal
            Device(config)# crypto ssl proposal proposal1
            Device(config-crypto-ssl-proposal)# protection rsa-3des-ede-sha1 rsa-aes128-sha1
            Device(config-crypto-ssl-proposal)# end

            Example: Configuring SSL Policy

            The following example shows how to configure an SSL policy.

            Device> enable
            Device# configure terminal
            Device(config)# crypto ssl policy policy1
            Device(config-crypto-ssl-policy)# ip address local 10.0.0.1 port 443
            Device(config-crypto-ssl-policy)# pki trustpoint tp1 sign
            Device(config-crypto-ssl-policy)# ssl proposal proposal1
            Device(config-crypto-ssl-policy)# no shut
            Device(config-crypto-ssl-policy)# end

            Example: Configuring SSL Profile

            The following example shows how to configure an SSL profile.

            Device> enable
            Device# configure terminal
            Device(config)# crypto ssl profile profile1
            Device(config-crypto-ssl-profile)# aaa accounting list list1
            Device(config-crypto-ssl-profile)# aaa authentication list list2
            Device(config-crypto-ssl-profile)# aaa authorization group override list list1 user1
            Device(config-crypto-ssl-profile)# aaa authorization user list list1 user1
            Device(config-crypto-ssl-profile)# match address policy policy1
            Device(config-crypto-ssl-profile)# match url www.abc.com
            Device(config-crypto-ssl-profile)# no shut
            Device(config-crypto-ssl-profile)# end

            Example: Configuring SSL Authorization Policy

            The following example shows how to configure an SSL authorization policy.

            Device> enable
            Device# configure terminal
            Device(config)# crypto ssl authorization policy policy1
            Device(config-crypto-ssl-auth-policy)# banner This is SSL VPN tunnel.
            Device(config-crypto-ssl-auth-policy)# client profile profile1
            Device(config-crypto-ssl-auth-policy)# def-domain cisco
            Device(config-crypto-ssl-auth-policy)# dns 198.51.100.1 198.51.100.100
            Device(config-crypto-ssl-auth-policy)# dpd client 1000
            Device(config-crypto-ssl-auth-policy)# homepage http://www.abc.com
            Device(config-crypto-ssl-auth-policy)# include-local-lan
            Device(config-crypto-ssl-auth-policy)# keepalive 500
            Device(config-crypto-ssl-auth-policy)# module gina
            Device(config-crypto-ssl-auth-policy)# msie-proxy exception 198.51.100.2
            Device(config-crypto-ssl-auth-policy)# msie-proxy option bypass
            Device(config-crypto-ssl-auth-policy)# msie-proxy server 198.51.100.2
            Device(config-crypto-ssl-auth-policy)# mtu 1000
            Device(config-crypto-ssl-auth-policy)# netmask 255.255.255.0
            Device(config-crypto-ssl-auth-policy)# pool abc
            Device(config-crypto-ssl-auth-policy)# rekey interval 1110
            Device(config-crypto-ssl-auth-policy)# route set access-list acl1
            Device(config-crypto-ssl-auth-policy)# smartcard-removal-disconnect
            Device(config-crypto-ssl-auth-policy)# split-dns abc1
            Device(config-crypto-ssl-auth-policy)# timeout disconnect 10000
            Device(config-crypto-ssl-auth-policy)# wins 203.0.113.1 203.0.113.115
            Device(config-crypto-ssl-auth-policy)# end

            Additional References for SSL VPN

            Technical Assistance

            Description

            Link

            The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

            http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

            Feature Information for SSL VPN

            The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

            Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

            Table 1 Feature Information for SSL VPN

            Feature Name

            Release

            Feature Information

            XE SSL VPN Support

            Cisco IOS XE Release 3.12S

            SSL VPN provides support in the Cisco IOS software for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Socket Layer (SSL)-enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure VPN tunnel. The XE SSL VPN Support feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support through the full-tunnel client support.

            In Cisco IOS XE Release 3.12.1S, this feature supported Cisco CSR 1000V Series Cloud Services Router.

            The following commands were introduced by this feature: aaa accounting list, aaa authentication list, aaa authorization, banner, client profile, crypto ssl authorization policy, crypto ssl policy, crypto ssl profile, crypto ssl proposal, def-domain, dns, dpd, homepage, include-local-lan, ip address local, ip interface local, keepalive, match policy, match url, module, msie-proxy, mtu, netmask, pki trustpoint, pool, protection, rekey interval, route set access-list, show crypto ssl authorization policy, show crypto ssl policy, show crypto ssl profile, show crypto ssl proposal, shut, smartcard-removal-disconnect, split-dns, ssl proposal, timeout, wins.