Thursday, August 20, 2009

Remote Access VPNs: SSL VPNs

The SSL VPN (also known as WebVPN) is the most flexible kind of remote access VPN connection. All you need is an SSL-enabled browser - Internet Explorer, Mozilla, Safari, etc. I will go right to the configuration.

Network Diagram:

Web Gateway Configuration:

- Configure AAA for authentication:

aaa new-model
aaa authentication login VPN local

- Configure the webvpn gateway and put it inservice:

webvpn gateway GATE
ip address port 443
http-redirect port 80   ! makes the router listen on port 80 and redirect plain HTTP requests to HTTPS
inservice

Immediately after the webvpn gateway command is entered, a self-signed certificate is generated. It can be replaced with a certificate from a configured PKI trustpoint using the ssl trustpoint command.

Next, the webvpn context is created:

webvpn context SSL
secondary-color blue
secondary-text-color white


Next, a URL list is created:

url-list "list1"
heading "Available Pages"
url-text "Home Page" url-value ""

For thin-client connections, a port-forwarding list is created:

port-forward "Ports"
local-port 3065 remote-server "TELNET" remote-port 23 description "telnet"


The pieces are tied together using the policy group command:

policy group SSLVPN
url-list "list1"
port-forward "Ports"
banner "Login Successful"
timeout idle 300
timeout session 3600


Next we set the default group policy and the AAA authentication list, and add the gateway to the context:

default-group-policy SSLVPN
aaa authentication list VPN
gateway GATE
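The pieces above in one place, in the order they are entered, as an added example that is not the post's own configuration. Three things are assumed or filled in here: the AAA list uses the local database, so a local user account is added (the post does not show one); the gateway address, the URL and the telnet host use RFC 5737 documentation addresses and example.com names as placeholders; and the context, like the gateway, gets its own inservice command, without which it accepts no logins.

```cisco
! --- AAA: the login list "VPN" is checked against the local user database ---
aaa new-model
aaa authentication login VPN local
! placeholder user; privilege 0 keeps this account out of the CLI
username vpnuser privilege 0 secret CHANGE_ME

! --- Gateway: the listener for HTTPS ---
webvpn gateway GATE
 ip address 192.0.2.1 port 443          ! placeholder address
 http-redirect port 80                  ! send plain HTTP browsers to HTTPS
 ! ssl trustpoint MY-CA                 ! optional: replace the self-signed cert with an enrolled one
 inservice

! --- Context: the portal content, the policy and the binding to the gateway ---
webvpn context SSL
 secondary-color blue
 secondary-text-color white
 url-list "list1"
   heading "Available Pages"
   url-text "Home Page" url-value "http://intranet.example.com"   ! placeholder
 port-forward "Ports"
   ! the thin client listens on 127.0.0.1:3065 on the user's PC and relays to the telnet host
   local-port 3065 remote-server "192.0.2.10" remote-port 23 description "telnet"   ! placeholder host
 policy group SSLVPN
   url-list "list1"
   port-forward "Ports"
   banner "Login Successful"
   timeout idle 300
   timeout session 3600
 default-group-policy SSLVPN
 aaa authentication list VPN
 gateway GATE
 inservice
```

The timeouts belong in the policy group rather than being left at their defaults: an idle timeout of 300 seconds drops an abandoned browser session, and the session timeout caps the lifetime of the port-forwarding listener on the user's PC, which is a plain TCP socket on localhost while the applet runs.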



I prefer to test as the end user - here are some snapshots.

After successful authentication, we have:

When you click Start, we have:

Finally, let's try to telnet to localhost port 3065.

Just as we want it :-)
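For readers without the screenshots, here is the router-side check that goes with the end-user test above; it is an added example, not part of the original post, and uses the gateway and context names from the post.

```cisco
! Before any user logs in: both objects must report as in service
show webvpn gateway GATE
show webvpn context SSL

! After the user has authenticated and clicked Start in the portal:
! one session should be listed for the context, and the port-forward
! counters should move as soon as "telnet 127.0.0.1 3065" is typed on the PC
show webvpn session context SSL
show webvpn stats
```

If the session shows up but the telnet to localhost fails, the listener on port 3065 is missing on the PC side (the applet did not start), and the problem is in the browser rather than in the router configuration.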

Up Next: Anyconnect :-)




  1. I’ve found your blog today. I think you might be open to new software suggestions and I just want to mention that we have a new FREE small tool for desktop and application sharing:

    SupportSmith TeamUp! Lite

    It allows you to work with any other TeamUp! Lite user sharing a single application or the whole desktop in just three steps:

    1. Select item to share.
    2. Enter peer Domain\Name.
    3. Send invitation to share.


    I wish you could take a look at it.
    Have a nice day!

  2. You could also try RHUB, a remote access appliance. Unlike online hosted solutions, it provides much more security, because it provides the ultimate protection of your own firewall; in addition, access is controlled by means of IP addresses too, which adds extra security. So you don’t even need a VPN.