Are there any Cisco gurus who can help setup SSL VPN?

Deimos ([H]ard|Gawd, joined Aug 10, 2004, 1,165 messages)
I had a go, followed a couple of online guides and tried using SDM, but I can't get the SSL VPN web page to load once it is configured and enabled.

I have a Cisco 2821 router. Existing config: NAT is enabled and port 443 is forwarded to the internal network (mail server, RPC over HTTPS), and I also have a working site-to-site VPN tunnel.

I set up the SSL VPN site to use port 10443 and used a cert signed by my own CA server, since it is trusted implicitly by my domain laptops.

It didn't work, so I wiped the config back to the pre-SSL VPN attempt.
 
How many public IPs do you have? You could have one IP for SSL VPN, one for mail, etc., and then you wouldn't have to change ports to a non-standard 10443.

Who will be connecting; only domain computers? I would think the simplicity of an SSL would lend itself to allowing all computers, even those off the domain, to connect, and then those computers that aren't on the domain would get cert warnings.

From what I remember you upload a client package, say a Mac client or Windows client, and set up a homepage, and it all just worked. Don't remember any steps that I got hung up on other than taking a while to figure out how to customize the login page. There is a web portal function where there is no client download, but we went with the small client download to make it less like a Citrix homepage and more like a split-tunnel VPN.

So how far did you get? Nothing worked at all for you? I'll double check configs at work tomorrow to see if I can give you any more pointers. Are you doing the web portal clientless SSL VPN?
 
I've only set up the SSL VPN on ASA 5500 series firewalls. Didn't even know it was an option on the routers...

Yeah, I'll clarify that the code I was going to check was from an ASA. I've seen the GUI config for the 2800 series routers and it looks similar to the ASA, but I've never set up SSL on a 2800 series router. It looked pretty similar and easy, though.
 
Unfortunately I only have one public IP address. Well, I have 2 of these routers; I could potentially use the one in the branch office, but none of the servers are located there.

I used a guide online which had 2 methods, one with the console (half the commands were outdated) and the other with SDM. I tried the console first and then SDM; the SSL VPN shows as up, but the web interface does not come up.

I'm trying to set it up as clientless; our support agreement with Cisco lapsed and at the moment we can't afford to renew, so I am unable to download a VPN client.

Thanks for your help.
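A minimal IOS clientless WebVPN configuration that matches the setup described in this thread (gateway on port 10443, certificate from the poster's own CA, no client package), added here as an illustration and not taken from the original posts or the guides they mention. The trustpoint, gateway, context, policy and AAA list names, the username and the `PUBLIC_IP` value are placeholders; it assumes the trustpoint already holds the internally issued certificate.

```cisco
! Added example, not the thread's own config. Assumes trustpoint OWN-CA-TP already
! holds the cert signed by the internal CA and PUBLIC_IP is the router's single
! outside address (replace with the real IP; IOS will not accept a symbolic name).
! The existing NAT forward of TCP/443 to the mail server is left as-is: the WebVPN
! gateway listens on 10443 only, so make sure no static NAT entry also claims 10443.
!
! Caution: "aaa new-model" changes console/vty login behaviour; configure the
! line authentication you rely on before enabling it, or you can lock yourself out.
aaa new-model
aaa authentication login SSLVPN-AUTH local
username vpnuser secret PLACEHOLDER-PASSWORD
!
webvpn gateway SSLVPN-GW
 ip address PUBLIC_IP port 10443
 ssl trustpoint OWN-CA-TP
 inservice
!
webvpn context SSLVPN-CTX
 gateway SSLVPN-GW
 aaa authentication list SSLVPN-AUTH
 ! Clientless portal only: no "svc" (SSL VPN Client) package is referenced,
 ! so nothing needs to be downloaded from Cisco.
 url-list "intranet"
  heading "Internal sites"
  url-text "Mail" url-value "https://mail.example.internal"
 policy group SSLVPN-POLICY
  url-list "intranet"
 default-group-policy SSLVPN-POLICY
 inservice
!
! Verification: both the gateway and the context should report an operational
! status before testing https://PUBLIC_IP:10443 from outside.
! show webvpn gateway SSLVPN-GW
! show webvpn context SSLVPN-CTX
! show webvpn session context SSLVPN-CTX
```

If the gateway shows as up but the page never loads, check that the inbound ACL on the outside interface permits TCP/10443 to the router itself, and that the browser is not rejecting the internal-CA certificate silently.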
 