The Cisco SSL VPN supports on working on full-tunnel mode. In full-tunnel mode, an SSL tunnel is used to move data to and from the internal networks at the network (IP) layer. When the user logs into the SSLVPN gateway, the SSL VPN client (SVC) is automatically downloaded and installed at the end user’s PC, and the tunnel connection is established. Once the connection is established, the user has full VPN access to the corporate network.1. Preparing for Cisco Web VPN. (the same as part 1)
c7206(config)# int fa0/0c7206(config-if)# ip add 198.1.1.1 255.255.255.0

c7206(config-if)# no shutdown

c7206(config-if)# exit

!

c7206(config)# int fa1/0

c7206(config-if)# ip add 10.10.1.1 255.255.255.0

c7206(config-if)# no shutdown

c7206(config-if)# exit

!

c7206(config)# aaa new-model

c7206(config)# aaa authentication login default local

!define the default aaa authentication list, allow the administrator to login this router, this configuration is foreign to the Web VPN.
!

c7206(config)# aaa authentication login aaa-webvpn local

c7206(config)# username steve6307 password cisco

!define the WebVPN authentication list.
!

c7206(config)# webvpn gateway mygateway

c7206(config-webvpn-gateway)# ip address 198.1.1.1 port 443

c7206(config-webvpn-gateway)# inservice

!define the WebVPN gateway address and port, usually the port is 443.
!

c7206(config)# webvpn context mywebvpn-context1

c7206(config-webvpn-context)# gateway mygateway domain group1

c7206(config-webvpn-context)# aaa authentication list aaa-webvpn

c7206(config-webvpn-context)# inservice

!define a WebVPN context. You must select a gateway and a aaa authentication list for each context. The domain name is very important to the configuration, because the end user will select the context by this domain name in the future.
2. Configure Cisco SSL VPN.
First of all, format the dynamips 7200 router disk0.
c7206# format disk0:Then, copy the SVC(SSL VPN Client) package to the 7200 disk0.
Note: the dynamips works on low efficiency, so I suggest to use FTP to copy the SVC.
c7206(config)# ip ftp username ciscoc7206(config)# ip ftp password cisco

!

c7206# copy ftp disk0:

Address or name of remote host []? 10.10.1.2

Source filename []? sslclient-win-1.1.2.169.pkg

Destination filename [sslclient-win-1.1.2.169.pkg]?

Accessing ftp://10.10.1.2/sslclient-win-1.1.2.169.pkg…

Loading sslclient-win-1.1.2.169.pkg !!

[OK - 415090/4096 bytes]

415090 bytes copied in 22.900 secs (18126 bytes/sec)Install the SVC.
c7206(config)# webvpn install svc disk0:/sslclient-win-1.1.2.169.pkgSSLVPN Package SSL-VPN-Client : installed successfully

c7206(config)# ip local pool ssl-user 192.168.10.1 192.168.10.99!define the SSL VPN user address pool.
!

c7206(config)# int loopback0

c7206(config-if)# ip address 192.168.10.254 255.255.255.0

c7206(config-if)# exit

!In Cisco IOS, if the SSL VPN user pool doesn’t have the save range with your inside network, you should define a loopback interface.
!In my lab, my inside network range is 10.10.1.0/24, and my address pool range is 192.168.10.1~99, so I need to define a loopback interface with the address 192.168.10.254.
!

c7206(config)# webvpn context mywebvpn-context1

c7206(config-webvpn-context)# policy group context1-policy

c7206(config-webvpn-group)# functions svc-enabled

c7206(config-webvpn-group)# svc address-pool ssl-user

c7206(config-webvpn-group)# exit

!define the group policy, allow the user to use the SSL VPN function.
!

c7206(config-webvpn-context)# default-group-policy context1-policy

!assign the policy as the default group policy.
3. Configure the SSL VPN split tunneling. (optional)
c7206(config)# webvpn context mywebvpn-context1c7206(config-webvpn-context)# policy group context1-policy

c7206(config-webvpn-group)# svc split include 10.10.1.0 255.255.255.0

!In the split tunnel list, I configured the inside network range. This means the WebVPN service will notify the SSL VPN Client to modify there local routing table, and then the client can access inside network and Internet at the same time.
4. Feature test.
Login WebVPN , and then I saw the page as follow:

Then the WebVPN started the SVC install program.

After the installation, the SVC started successfully, and then I have unrestricted permission of the inside network accessing.

Now, I can see the SSL VPN Client info.

The Cisco copyright info is as follow, aha, this is so cool!

Flickr : , ccie, cisco certification, cisco exam, cisco simulator, dynagen, dynamips, ssl vpn

Related Posts

• dynamips lab:CCIE topo (0)
• dynamips lab:Cisco L2TP over IPSec With windows client (2)
• dynamips lab:Cisco IPSec EasyVPN & DMVPN on dynamips (1)
• dynamips lab:Cisco ADSL PPPOE on dynamips (1)
• dynamips lab:Cisco ADSL PPPOA on dynamipsI have completed this lab on Dynamips 7200 (3)
• dynamips lab:ccnp lab for dynamips (1)
• dynamips lab:CCIE Security Home Lab with dynamips (0)
• dynamips lab:CCIE Practice LAB Dynamips (0)
• CBT CCIE practice lab (0)
• dynamips basic:ccie##Become a CCIE with Simulator (1)