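The basic Cisco Configuration Professional (CCP) configuration was published previously at the following link:

This post demonstrates how to use CCP to configure SSL VPN on an IOS router.

1. Verify that the SSL-VPN license is installed

You can see another post on how to add a Cisco license to the router.

From the command line:

VPN-1#show license detail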
Index: 1 Feature: NtwkEssSuitek9 Version: 1.0
License Type: EvalRightToUse
License State: Active, Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
Store Index: 2
Store Name: Built-In License Storage
Index: 2 Feature: SSL_VPN Version: 1.0
License Type: Permanent
License State: Active, Not in Use
License Count: 10/0/0 (Active/In-use/Violation)
License Priority: Medium
Store Index: 1
Store Name: Primary License Storage
Index: 3 Feature: datak9 Version: 1.0
License Type: EvalRightToUse
License State: Active, Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
Store Index: 1
Store Name: Built-In License Storage
Index: 4 Feature: ios-ips-update Version: 1.0
License Type: EvalRightToUse
License State: Active, Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
Store Index: 3
Store Name: Built-In License Storage
Index: 5 Feature: ipbasek9 Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Store Index: 0
Store Name: Primary License Storage
Index: 6 Feature: securityk9 Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Store Index: 2
Store Name: Primary License Storage
Index: 7 Feature: securityk9 Version: 1.0
License Type: EvalRightToUse
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
Store Index: 0
Store Name: Built-In License Storage
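
The license check in step 1 can be scripted. The following Python is an added example, not part of the original post: it parses `show license detail` output and confirms that a feature holds a Permanent, Active license, returning the seat count where one is reported. The function names and the trimmed sample text are assumptions made for illustration.

```python
import re

# Constructed sample: three entries trimmed from the `show license detail` output above.
SAMPLE = """\
Index: 2 Feature: SSL_VPN Version: 1.0
License Type: Permanent
License State: Active, Not in Use
License Count: 10/0/0 (Active/In-use/Violation)
Index: 6 Feature: securityk9 Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
Index: 7 Feature: securityk9 Version: 1.0
License Type: EvalRightToUse
License State: Inactive
License Count: Non-Counted
"""

def parse_licenses(text):
    """Split the output into one dict per 'Index:' entry."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Index:\s*(\d+)\s+Feature:\s*(\S+)", line)
        if m:
            cur = {"index": int(m.group(1)), "feature": m.group(2)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, value = line.split(":", 1)
            cur[key.strip()] = value.strip()
    return entries

def check_feature(entries, feature):
    """Return (ok, seats): ok if any entry for the feature is Permanent and Active."""
    for e in entries:
        if e["feature"] != feature:
            continue
        state = e.get("License State", "")
        if e.get("License Type") == "Permanent" and state.split(",")[0] == "Active":
            m = re.match(r"(\d+)/(\d+)/(\d+)", e.get("License Count", ""))
            return True, int(m.group(1)) if m else None
    return False, None

if __name__ == "__main__":
    lic = parse_licenses(SAMPLE)
    for name in ("SSL_VPN", "securityk9"):
        print(name, check_feature(lic, name))
```

A feature that appears only as an evaluation or inactive entry is reported as not licensed, which is the case to catch before running the wizard.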

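2. Launch the SSL-VPN configuration wizard

3. Configuration wizard:
3.1 Configure the IP address and name

3.2 Configure the user authentication method

3.3 Configure the IP address pool

3.4 SSL VPN tunnel interface

3.5 SSL VPN portal page

3.6 Configuration summary

SSL VPN Service Name : Rogers-SSL-1
SSL VPN Policy Name : policy_1
SSL VPN Gateway Name : gateway_1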

Virtual Template IP Address: Un-numbered to GigabitEthernet0/0

User Authentication Method List : Local

Intranet websites: Disabled

Full Tunnel Configuration
SVC Status : Yes
IP Address Pool : 192.168.5.0-x
Split Tunneling : Disabled
Split DNS : Disabled
Install Full Tunnel Client : Disabled

Configuration delivered to the router:


aaa authentication login ciscocp_vpn_xauth_ml_1 local
ip local pool 192.168.5.0-x 192.168.5.50 192.168.5.200
interface Virtual-Template1
exit
default interface Virtual-Template1
interface Virtual-Template1
no shutdown
ip unnumbered GigabitEthernet0/0
exit
webvpn gateway gateway_1
ip address 158.106.98.166 port 443
http-redirect port 80
inservice
ssl trustpoint TP-self-signed-3017776587
exit
webvpn context Rogers-SSL-1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
virtual-template 1
max-users 75
inservice
secondary-color white
title-color #669999
text-color black
policy group policy_1
svc keep-client-installed
functions svc-enabled
svc address-pool 192.168.5.0-x netmask 255.255.255.255
exit
default-group-policy policy_1
exit

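4. Upload the AnyConnect 4.x package
The latest version is 4.3.01095. It can be downloaded from the Cisco website.

The downloaded package can be imported into the router from CCP under Configure > Security > VPN > SSL-VPN > Packages:

Check the package from the command line:

VPN-1#dir flash: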
Directory of usbflash0:/

1 -rw- 75608148 Jun 3 2016 14:13:10 -04:00 c1900-universalk9-mz.SPA.154-3.M3.bin
2 -rw- 3066 Jun 3 2016 14:24:04 -04:00 cpconfig-19xx.cfg
3 -rw- 1160 Jul 24 2016 10:58:00 -04:00 1.lic.txt
4 drw- 0 Jun 3 2016 14:24:34 -04:00 ccpexp
374 -rw- 22737 Jun 3 2016 14:27:22 -04:00 home.html
382 -rw- 1154 Aug 1 2016 10:34:22 -04:00 2.lic
388 drw- 0 Aug 1 2016 14:56:12 -04:00 webvpn
395 -rw- 25162392 Aug 1 2016 15:07:34 -04:00 anyconnect-win-4.3.01095-k9.pkg

251371520 bytes total (113504256 bytes free)

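Note: There was a problem when selecting a local file on my computer as the location of the client software. It always reported "You have entered an invalid Full Tunnel client package. Please specify a valid file". This is obviously a bug in CPE. The workaround is to upload the pkg directly to the router's flash card, then select the file in the router's flash and install it.

Or install it from the command line using the following procedure:

a. Copy the .pkg into the root flash directory:
 #copy ftp: flash:

b. Make sure there is enough space for the installation package. The free space must be at least the actual size of the .pkg file copied in the previous step, because IOS copies the file into the flash:/webvpn directory when the following command is issued.

c. Install the .pkg (run it from configuration mode; although the command does not appear to exist, type it in full to run it)
#webvpn install svc flash:anyconnect-win-3.1.05160-k9.pkg seq 1
(wait a few seconds...)
SSLVPN Package SSL-VPN-Client (seq:1): installed successfully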

R1(config)#webvpn install svc flash:anyconnect-macosx-i386-4.3.02039-k9.pkg seq 2
SSLVPN Package SSL-VPN-Client (seq:2): installed successfully


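5. Verification

Launch the web page from a browser:

After logging in to the SSLVPN service portal, select "Start Application Access":

Another web page opens and tries to load the AnyConnect Secure Mobility Client. It also provides a link to manually install the AnyConnect VPN client that was uploaded to the router in step 4.

The Cisco AnyConnect Secure Mobility Client launches: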

 


By John
