Cisco SSL VPN Configuration ( easy / simple example )

Currently I'm busy finding out how to optimize a Cisco SSL VPN configuration. First I needed to know how I should configure my router. I knew some former colleagues had made such a configuration for a customer, and I knew that it worked.
So now I'm posting one of my own, which I can use more easily during my work.
! Loopback used for the SSL VPN client traffic
interface Loopback252
 description Cisco SSL VPN Client for WebVPN
 ip address < loopback address / subnet mask >
 ip flow ingress
 ip route-cache same-interface
 ip route-cache policy
!
! Address pool handed out to the SSL VPN (SVC) clients
ip local pool ILP_WVPN_CLIENT < address range for the SSL VPN clients >
!
! Gateway: the external address, port and certificate the clients connect to
webvpn gateway WVG_WEBVPN
 ip address < external router ip address > port 443
 http-redirect port 80
 ssl trustpoint < your certificate trustpoint >
 inservice
!
! SSL VPN client package served to connecting users
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
! The default context stays disabled; only the named context below is in service
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
webvpn context webvpn
 title "Site Title"
 logo file flash:/webvpn/< logo file (.jpg or .gif) >
 color Black
 secondary-color Black
 title-color Black
 ssl authenticate verify all
 !
 url-list "URL_<name>"
 !
 nbns-list "NBL_<name>"
   nbns-server < your dns server > master
   nbns-server < your second dns server > timeout 10 retries 5
 login-message "< sign-in message >"
 !
 ! Policy applied to every user of this context
 policy group PGR_WEBVPN
   url-list "URL_<name>"
   nbns-list "NBL_<name>"
   functions svc-enabled
   banner "< your welcome banner text >"
   hide-url-bar
   svc address-pool "ILP_WVPN_CLIENT"
   svc default-domain "< your domain name >"
   svc keep-client-installed
   svc split dns "< your domain name >"
   svc split include < internal LAN address / subnet mask >
   svc dns-server primary < your dns server >
   svc dns-server secondary < your secondary dns server >
   svc wins-server primary < your wins server >
   svc wins-server secondary < your secondary wins server >
 default-group-policy PGR_WEBVPN
 aaa authentication list WVPN
 gateway WVG_WEBVPN domain webvpn
 logging enable
 inservice
!
ip http server
ip http secure-server
And if you use IPS signatures, you should exclude your VPN traffic from inspection!
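As an added check that is not part of the original post: a small Python script that parses an IOS-style running-config excerpt like the one above and lists the security-relevant settings that are missing or worth a second look. The sample config, the 203.0.113.10 address and the trustpoint name TP_WEBVPN are constructed for the example.

```python
"""Audit a Cisco IOS WebVPN (SSL VPN) config excerpt for the security-relevant settings.
Added example for this post, not Cisco tooling; it relies on the one-space sub-mode
indentation that 'show running-config' produces."""
# Constructed sample modelled on the post (RFC 5737 address, assumed trustpoint name).
SAMPLE = """\
ip http server
webvpn gateway WVG_WEBVPN
 ip address 203.0.113.10 port 443
 ssl trustpoint TP_WEBVPN
 inservice
!
webvpn context webvpn
 ssl authenticate verify all
 policy group PGR_WEBVPN
  svc address-pool "ILP_WVPN_CLIENT"
  svc split include 10.0.0.0 255.255.255.0
 aaa authentication list WVPN
 inservice
"""
def parse(text):
    """Return (enclosing_modes, command) pairs; nesting comes from indentation."""
    stack, entries = [], []
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):  # IOS ignores blank and '!' lines
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        del stack[depth:]  # leave every mode deeper than this command
        entries.append((tuple(stack), cmd))
        stack.append(cmd)
    return entries
def audit(text):
    """Return the ids of the failed checks, in a fixed order."""
    entries = parse(text)
    def present(prefix, under=None):  # is the command present under that mode?
        return any(cmd.startswith(prefix)
                   and (under is None or any(m.startswith(under) for m in modes))
                   for modes, cmd in entries)
    checks = [
        ("gateway-trustpoint", present("ssl trustpoint", "webvpn gateway")),
        ("gateway-inservice", present("inservice", "webvpn gateway")),
        ("context-verify-all", present("ssl authenticate verify all", "webvpn context")),
        ("context-aaa-list", present("aaa authentication list", "webvpn context")),
        ("client-address-pool", present("svc address-pool", "policy group")),
        # Informational: split tunnelling reaches local LAN and VPN at once; plain HTTP is cleartext.
        ("no-split-tunnel", not present("svc split include", "policy group")),
        ("no-plain-http-server", not present("ip http server")),
    ]
    return [cid for cid, ok in checks if not ok]
```

Run `audit()` on your own `show running-config | section webvpn` output; the two informational ids are expected with the post's configuration and only need a conscious decision.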
