Tuesday, April 20, 2010

Misc 19

WebVPN is Cisco's implementation of a web HTTP/S proxy. It proxies requests from the client over an SSL-secured connection, and is typically used to access intranet sites from the Internet. Clients would typically be presented with a page similar to this:

After they log on, they would be able to access intranet sites through the page. An intranet site accessed through WebVPN would look like this:

Notice the URL of the page.

Typically WebVPN would be applied in a scenario like this:

In this scenario, the client would have to first establish a WebVPN session with the WebVPN router before using the interface to access the Internal Application Server.

Right now we'll use a topology like this. This isn't what you'd typically encounter in a production network, but you would be able to learn the basic configuration of WebVPN with minimal equipment.

In this case, some form of security can be applied to the Gateway router, such as only allowing traffic from the WebVPN Router to go through. Since all traffic through the WebVPN site would appear to come from the WebVPN Router, this would effectively force everyone to use the WebVPN for surfing.

First off, we'll need some form of authentication. This is done through AAA. However, a real RADIUS server is not required for this exercise. We can fall back to the local database for authentication. We'll set up AAA like this:
aaa new-model
aaa authentication login default local

We'll add in some test user accounts:
user cisco pass cisco

Next, we'll need a certificate to support the SSL security associations during connection. To do this, we can either import one from a TFTP server or create a self-signed certificate. To create a self-signed certificate, enter the following commands:
crypto pki trust LOCAL
enroll selfsigned
crypto pki enroll LOCAL

Next, we'll set up some connectivity information:
ip name-server
ip domain name syraxius.ath.cx

Now we're done with the initial configuration. We can now focus on configuring WebVPN itself. To do this, we'll have to first set up the gateway address. This address would be your outside interface address. Set it up as follows:
webvpn enable gateway-addr

Now we'll be able to customize how the WebVPN interface would look. To do this, go into the WebVPN prompt through:

Settings that are typically changed are:
title "Kelvin's WebVPN"
login-message "Please enter the correct credentials!"
title-color white
secondary-color white
text-color black
secondary-text-color black
idle-timeout 180
ssl encryption 3des-sha1
ssl trustpoint LOCAL
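
Before a lab configuration like this one is reused outside the lab, it is worth checking it for the settings that are acceptable only in an exercise: a local user whose password equals the username and is stored with the reversible `password` keyword rather than a hashed `secret`, a 3DES cipher suite, and a self-signed trustpoint that browsers cannot validate. The following is an added example, not part of the original post: a small Python checker run over the commands shown above. The function names, finding codes and the list of weak algorithm fragments are assumptions of this example.

```python
# Constructed sample: the lab commands from this page (abbreviations kept).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
user cisco pass cisco
crypto pki trust LOCAL
enroll selfsigned
idle-timeout 180
ssl encryption 3des-sha1
ssl trustpoint LOCAL
"""

# This checker's own list of weak algorithm name fragments (not an IOS enumeration).
WEAK_ALGS = ("des", "rc4", "md5")

def kw(token, keyword):
    """IOS accepts keyword prefixes, e.g. 'user' for 'username'."""
    return len(token) >= 3 and keyword.startswith(token.lower())

def audit(config):
    """Return (line_number, finding_code) tuples for risky settings."""
    findings, selfsigned, trustpoint = [], set(), None
    for n, line in enumerate(config.splitlines(), 1):
        t = line.split()
        if len(t) < 2:
            continue
        if kw(t[0], "username") and any(kw(x, "password") for x in t[2:-1]):
            findings.append((n, "REVERSIBLE_PASSWORD"))  # not a hashed 'secret'
            if t[-1].lower() == t[1].lower() or len(t[-1]) < 8:
                findings.append((n, "GUESSABLE_PASSWORD"))
        elif len(t) >= 4 and t[:2] == ["crypto", "pki"] and kw(t[2], "trustpoint"):
            trustpoint = t[3]  # remember which trustpoint is being configured
        elif kw(t[0], "enrollment") and kw(t[1], "selfsigned") and trustpoint:
            selfsigned.add(trustpoint)
        elif t[0] == "ssl" and len(t) >= 3 and kw(t[1], "encryption"):
            if any(a in c.lower() for c in t[2:] for a in WEAK_ALGS):
                findings.append((n, "WEAK_CIPHER"))
        elif t[0] == "ssl" and len(t) >= 3 and kw(t[1], "trustpoint"):
            if t[2] in selfsigned:  # gateway presents a self-signed certificate
                findings.append((n, "SELF_SIGNED_CERT"))
    return findings

if __name__ == "__main__":
    for line_no, code in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: {code}")
```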
