Catalyst 6500 Series WebVPN Services Module Configuration Guide, 1.1 - Initial Configurations [Cisco Catalyst 6500 Series Switches]

Table Of Contents

Initial Configurations

Using the CLI

Initial Catalyst 6500 Series Switch Configuration

Configuring VLANs on the Switch

Configuring a LAN Port for Layer 2 Switching

Adding the WebVPN Services Module to the Corresponding VLAN

Initial WebVPN Services Module Configuration

Configuring Interfaces on the WebVPN Services Module

Configuring the Default Route

Configuring Authentication for Administrators

Verifying the Initial Configuration

Recovering a Lost Password

Initial Configurations

This chapter describes how to initially configure the WebVPN Services Module and contains these sections:

• Using the CLI

• Initial Catalyst 6500 Series Switch Configuration

• Initial WebVPN Services Module Configuration

• Verifying the Initial Configuration

• Recovering a Lost Password

Using the CLI

The software interface for the WebVPN Services Module is the Cisco IOS CLI. To understand the Cisco IOS CLI and Cisco IOS command modes, refer to Chapter 2, "Command-Line Interfaces," in the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide.

Unless your switch is located in a fully trusted environment, we recommend that you configure the WebVPN Services Module through a direct connection to the module's console port or through an encrypted session using Secure Shell (SSH). See the "Configuring Authentication for Administrators" section for information on configuring SSH on the module.

Note The initial WebVPN Services Module configuration must be made through a direct connection to the console port on the module.

Initial Catalyst 6500 Series Switch Configuration

This section describes how to configure the following tasks on the Catalyst 6500 series switch:

• Configuring VLANs on the Switch

• Configuring a LAN Port for Layer 2 Switching

• Adding the WebVPN Services Module to the Corresponding VLAN

Configuring VLANs on the Switch

VLAN IDs must be the same for the switch and the module. Refer to the "Configuring VLANs" chapter in the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide for details.

Note The WebVPN software supports only the normal-range VLANs (2 through 1005). Limit the WebVPN Services Module configuration to the normal-range VLANs.

To configure VLANs on the switch, perform this task:
Command

Purpose
Step 1
Router# configure terminal 
Enters configuration mode, selecting the terminal option.
Step 2
Router(config)# vlan vlan_ID 
Enters VLAN configuration mode and adds a VLAN. The valid range is 2 through 1001.

Note Do not add an external VLAN.
Step 3
Router(config-vlan)# end 
Updates the VLAN database and returns to privileged EXEC mode.
This example shows how to configure VLANs on the switch:
Router> enable
Router# configure terminal
Router(config)# vlan 100
VLAN 100 added:
     Name: VLAN100
Router(config-vlan)# end 
Configuring a LAN Port for Layer 2 Switching

To configure a LAN port for Layer 2 switching, perform this task:
Command

Purpose
Step 1
Router(config)# interface type¹ mod/port 
Selects the LAN port to configure.
Step 2
Router(config-if)# switchport 
Configures the LAN port for Layer 2 switching.

Note You must enter the switchport command once without any keywords to configure the LAN port as a Layer 2 port before you can enter additional switchport commands with keywords.
Step 3
Router(config-if)# switchport mode access 
Puts the LAN port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The LAN port becomes a nontrunk port even if the neighboring LAN port does not agree to the change.
Step 4
Router(config-if)# switchport access vlan 
vlan_ID 
Configures the default VLAN, which is used if the interface stops trunking.
Step 5
Router(config-if)# no shutdown
Activates the interface.
¹type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
This example shows how to configure a LAN port for Layer 2 switching:
Router(config)# interface gigabitethernet 1/1
Router(config-if)# switchport 
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 100
Router(config-if)# no shutdown
Router(config-if)# exit
Adding the WebVPN Services Module to the Corresponding VLAN

To add the WebVPN Services Module to the corresponding VLAN, perform this task:
Command

Purpose
Router (config)# webvpn module mod 
allowed-vlan vlan_ID
Configures the VLANs allowed over the trunk to the WebVPN Services Module.

Note One of the allowed VLANs must be the admin VLAN.
This example shows how to add a WebVPN Services Module that is installed in slot 3 to a specific VLAN:
Router>
Router> enable
Router# configure terminal
Router (config)# webvpn module 3 allowed-vlan 100
Router (config)# end 
Initial WebVPN Services Module Configuration

Note You are required to make the following initial WebVPN Services Module configurations through a direct connection to the WebVPN Services Module console port. After the initial configurations, you can make an SSH or Telnet connection to the module to further configure the module.

The initial WebVPN Services Module configuration consists of the following tasks:

• Configuring Interfaces on the WebVPN Services Module

• Configuring the Default Route

• Configuring Authentication for Administrators

Configuring Interfaces on the WebVPN Services Module

Note The WebVPN0 interface is enabled by default and should not be shut down or otherwise configured.

To configure the WebVPN interface, perform this task:
Command

Purpose
Step 1
webvpn(config)# interfaces webvpnn 
interface-number.subinterface-number 
Selects a subinterface to configure.
Step 2
webvpn(config-subif)# encap dot1q 
vlan_id
Uses 802.1Q to send the Ethernet frames from the subinterface to the assigned vlan-id without any encapsulation.
Step 3
webvpn(config-subif)# ip address 
ip-address ip-address-mask 
Configures an IP address on the subinterface.
Step 4
webvpn(config-subif)# no shutdown
Enables WebVPN access on the subinterface.
This example shows how to configure the WebVPN interface:
webvpn(config)# interface webvpn 0.1
webvpn(config-subif)# encap dot1q 100
webvpn(config-subif)# ip address 10.10.1.10 
webvpn(config-subif)# no shutdown
webvpn(config-subif)# exit
webvpn(config)#
Configuring the Default Route

To configure the default route, perform this task:
Command

Purpose
webvpn(config)# ip route prefix mask 
ip-address
Configures a default route.
This example shows how to configure the default route:
webvpn(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.100
webvpn(config)#
Configuring Authentication for Administrators

To configure authentication, authorization, and accounting (AAA), perform this task:
Command

Purpose
Step 1
webvpn(config)# username username secret {0 
| 5} password
Enables enhanced password security for the specified, unretrievable username.
Step 2
webvpn(config)# enable password password
Specifies a local enable password, if not already specified.
Step 3
webvpn(config)# aaa new-model
Enables authentication, authorization, and accounting (AAA).
Step 4
webvpn(config)# aaa authentication login 
default local
Specifies the module to use the local username database for authentication.
Step 5
webvpn(config)# line vty line-number 
ending-line-number 
Identifies a range of lines for configuration and enters line configuration mode.
Step 6
webvpn(config-line)# transport input [ssh | 
telnet | all]
Configures the protocol used on the line.
This example shows how to configure AAA for the SSH connection to the WebVPN Services Module:
webvpn(config)# username admin secret admin-pass
webvpn(config)# enable password enable-pass
webvpn(config)# aaa new-model
webvpn(config)# aaa authentication login default local
webvpn(config)# line vty 0 4
webvpn(config-line)# transport input ssh
webvpn(config-line)# end
webvpn#
Verifying the Initial Configuration

This example shows how to verify that the VLAN information displayed matches the VLAN configuration:
Router# show webvpn mod 3 state
SSL-VPN module 3 data-port:2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 2-1001
Pruning VLANs Enabled: 2-1001
Vlans allowed on trunk:100
Vlans allowed and active in management domain: 6-8,10-13,17-18,24,30,80,170,172,255
Vlans in spanning tree forwarding state and not pruned: 
   6-8,10-13,17-18,24,30,80,170,172,255
Allowed-vlan : 2-1001
Recovering a Lost Password

Note You must have access to the supervisor engine to perform the WebVPN Services Module password recovery procedures. To recover the enable password on the supervisor engine, refer to the software configuration guide for your software platform.

Note To run the password recovery script, the WebVPN Services Module must be in the application partition (AP).

Caution For security reasons, all private keys are unusable after password recovery.

To recover a lost password on the WebVPN Services Module, perform this task:
Command

Purpose
Step 1
Router> enable
Initiates enable mode.
Step 2
Router# copy tftp: pclc#mod-fs: 
Downloads the script to the specified module.
Step 3
webvpn# copy system:startup-config 
nvram:running-config
Saves the startup configuration into the running configuration.
Step 4
webvpn(config)# enable password password
Specifies a local enable password.
Step 5
webvpn(config)# line vty 
starting-line-number ending-line-number
Identifies a range of lines for configuration and enters line configuration mode.
Step 6
webvpn(config-line)# login
Enables password checking at login.
Step 7
webvpn(config-line)# password password 
Specifies a password on the line.
Step 8
webvpn(config-line)# end
Exits line configuration mode.
Step 9
webvpn# copy system:running-config 
nvram:startup-config
Saves the configuration to the NVRAM.
Step 10
Router# hw-module module mod reset
Resets the module.
The following example shows how to recover a lost password on the WebVPN Services Module installed in slot 4:

•From the supervisor engine, enter the following commands:
Router> enable
Password:
Router# copy tftp: pclc#4-fs: 
Address or name of remote host []? 10.1.1.100
Source filename []? images/c6svc-webvpn-pwr.1-1-1.bin
Destination filename [images/c6svc-webvnp-pwr.1-1-1.bin]? 
Accessing tftp://10.1.1.100/images/c6svc-webvpn-pwr.1-1-1.bin...
Loading images/c6svc-webvnp-pwr.1-1-1.bin from 10.1.1.100(via Vlan999): !
[OK - 435 bytes]
435 bytes copied in 0.092 secs (4728 bytes/sec)
2003 Nov 10 21:53:25 %SYS-3-SUP_ERRMSGFROMPC:MP upgrade/Password Recovery started.
2003 Nov 10 21:53:25 %SYS-3-SUP_ERRMSGFROMPC:Uncompress of the file succeeded.
Continuing upgrade/recovery.
2003 Nov 10 21:53:25 %SYS-3-SUP_ERRMSGFROMPC:This file appears to be a
PasswordRecovery image. Continuing.
2003 Nov 10 21:53:25 %SYS-3-SUP_ERRMSGFROMPC:Extraction of password recovery image
succeeded.
2003 Nov 10 21:53:25 %SYS-3-SUP_ERRMSGFROMPC:Continuing with password recovery.
2003 Nov 10 21:55:03 %SYS-3-SUP_ERRMSGFROMPC:System in password recovery mode.
2003 Nov 10 21:55:03 %SYS-3-SUP_ERRMSGFROMPC:Please recover configuration and reset 
board.
Router#
•From the WebVPN Services Module console port, enter the following commands:
webvpn# copy system:startup-config nvram:running-config
webvpn(config)# enable password cisco
webvpn(config)# line vty 0 4 
webvpn(config-line)# login 
webvpn(config-line)# password cisco
webvpn(config-line)# end
webvpn# copy system:running-config nvram:startup-config
•From the supervisor engine, enter the following commands:
Router# hw-module module 4 reset
•From the WebVPN Services Module console port, import the keys from the backup or regenerate the keys.

See the "Configuring Keys and Certificates" section on page 3-26 for information on generating keys and importing keys.