For this lab you'll need a 12.4T image. I'm using:
c7200-advsecurityk9-mz.124-22.T
We have to configure this in 3 main steps:
- Configure WebVPN gateway (hostname, IP, certificate)
- Configure WebVPN context (URL lists, port forwarding, ACL, NBNS list...)
- Configure WebVPN group policy (Look and feel on the web interface, access to the resources)
To be sure that I'd be tunneled and not routed, I applied an access list on router A. I was very surprised when I logged in to the web server on the win2003 host, for which I had a url-list entry, and just by modifying the URL from: https://192.168.1.1/http/0/server.mydomain.com/
to:
https://192.168.1.1/http/0/10.10.4.70/ , I was able to reach the Monkey Web Server on the DSL Linux box. After that I found out that we can apply an ACL to the policy itself, and I got this syslog message:
*Nov 29 23:27:58.883: %SSLVPN-6-WEBVPN_APP_ACL_NET: The request( source ip: 192.168.1.2, destion ip : 10.10.4.70 ) from user cisco is denied by ACL
and also:
*Nov 30 00:37:03.803: %SSLVPN-6-WEBVPN_APP_ACL_NET: The request( source ip: 192.168.1.2, destion ip : 10.10.4.60 ) from user cisco is permitted by ACL
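The point of those two messages is that the url-list is only a menu: the portal's URL rewriter will proxy to whatever host the user types, and only the ACL on the policy group decides whether the request is allowed. Since the router logs both verdicts with the same mnemonic, the denied ones are worth collecting, because a user who keeps hitting hosts that are not in the url-list is probing behind the portal. Below is an added example (my own Python, not Cisco code and not from the original lab) that parses %SSLVPN-6-WEBVPN_APP_ACL_NET lines and groups the denied destinations per user. The sample log is constructed from the two lines above plus one unrelated message; the regex deliberately accepts the "destion ip" spelling the router actually emits as well as "destination ip".

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two ACL verdict lines from the lab, plus one
# unrelated syslog line to show that non-matching records are skipped.
SAMPLE_LOG = """\
*Nov 29 23:27:58.883: %SSLVPN-6-WEBVPN_APP_ACL_NET: The request( source ip: 192.168.1.2, destion ip : 10.10.4.70 ) from user cisco is denied by ACL
*Nov 30 00:37:03.803: %SSLVPN-6-WEBVPN_APP_ACL_NET: The request( source ip: 192.168.1.2, destion ip : 10.10.4.60 ) from user cisco is permitted by ACL
*Nov 30 00:37:05.100: %SYS-5-CONFIG_I: Configured from console by console
"""

# "dest\w* ip ?:" tolerates both "destion ip :" (as printed by this IOS
# release) and "destination ip:", so a later firmware fix will not break parsing.
ACL_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %SSLVPN-6-WEBVPN_APP_ACL_NET: "
    r"The request\( source ip: (?P<src>[\d.]+), dest\w* ip ?: (?P<dst>[\d.]+) \) "
    r"from user (?P<user>\S+) is (?P<verdict>denied|permitted) by ACL$"
)


@dataclass(frozen=True)
class AclEvent:
    timestamp: str
    user: str
    src_ip: str
    dst_ip: str
    permitted: bool


def parse_line(line: str) -> Optional[AclEvent]:
    """Return an AclEvent for a WEBVPN_APP_ACL_NET line, or None for anything else."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    return AclEvent(m["ts"], m["user"], m["src"], m["dst"], m["verdict"] == "permitted")


def parse_log(text: str) -> list[AclEvent]:
    """Parse a whole syslog buffer, silently skipping unrelated messages."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def denied_by_user(events: list[AclEvent]) -> dict[str, list[str]]:
    """Map each user to the distinct destination IPs the WebVPN ACL denied them,
    in first-seen order. A long list here means the user is reaching past the
    url-list and the ACL is doing the real work."""
    out: dict[str, list[str]] = {}
    for e in events:
        if e.permitted:
            continue
        seen = out.setdefault(e.user, [])
        if e.dst_ip not in seen:
            seen.append(e.dst_ip)
    return out


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in events:
        print(f"{e.timestamp} {e.user} {e.src_ip} -> {e.dst_ip}: "
              f"{'permitted' if e.permitted else 'DENIED'}")
    print("denied destinations per user:", denied_by_user(events))
```

Feeding the router's logging buffer (or a syslog collector export) to parse_log() and watching denied_by_user() is enough to notice that the ACL, not the url-list, is what is actually keeping users off the 10.10.4.x hosts.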
All the syntax:
webvpn gateway VPN-SSL default-group-policy SSL-Policy |
For some reason the port forwarding was recognized as local port 25 instead of 25555, as it is in the config. Also, I didn't test the Windows file shares, because my win2003 box and my laptop were in different workgroups, and I was too lazy to reboot :-)