user manual
21-47
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Chapter 21 Cisco IOS SSL VPN
Additional Help Topics
When the client's browser connects to the gateway router, a portal applet is
downloaded to the client PC. This applet contains the server's IP address and static
port number, and the port number that the client PC is to use. The applet does the
following:
• Creates a mapping on the client PC that maps traffic for port 23 on 10.0.0.100
to the PC's loopback IP address 127.0.0.1, port 3001.
• Listens on IP address 127.0.0.1, port 3001.
When the user runs an application that connects to port 23 on 10.0.0.100, the
request is sent to 127.0.0.1 port 3001. The portal applet listening on that port and
IP address gets this request and sends it over the Cisco IOS SSL VPN tunnel to
the gateway. The gateway router forwards it to the server at 10.0.0.100, and sends
return traffic back to the PC.
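The mechanism described above, as an added example that is not part of this guide or of Cisco's applet: a mapping table that answers where traffic for 10.0.0.100:23 really goes on the PC, and a loopback listener that relays each accepted connection to the gateway. The SSL VPN tunnel itself is elided; a plain TCP connection to a constructed stand-in "gateway" (an echo server playing gateway plus server) takes its place so the example runs offline. The class and function names are assumptions made for illustration.

```python
"""Added example (not Cisco code): model of the thin-client port-forwarding applet."""
import socket
import threading
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]


class PortForwardTable:
    """The applet's client-side mapping: real server endpoint -> loopback endpoint."""

    def __init__(self) -> None:
        self._map: Dict[Endpoint, Endpoint] = {}

    def add(self, server: Endpoint, local_port: int) -> Endpoint:
        local = ("127.0.0.1", local_port)
        self._map[server] = local
        return local

    def resolve(self, server: Endpoint) -> Endpoint:
        """Where the application's traffic for `server` is actually sent.
        Unmapped endpoints come back unchanged: nothing is forwarded for them."""
        return self._map.get(server, server)


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForwarder:
    """The applet's listener: accepts on 127.0.0.1:<local_port> and relays each
    connection to `gateway`, which is what forwards it on to the real server."""

    def __init__(self, local_port: int, gateway: Endpoint) -> None:
        self.gateway = gateway
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.bind(("127.0.0.1", local_port))  # loopback only, never 0.0.0.0
        self._listener.listen(5)
        self.local: Endpoint = self._listener.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                client, _ = self._listener.accept()
            except OSError:  # listener closed
                return
            try:
                upstream = socket.create_connection(self.gateway)
            except OSError:
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self) -> None:
        self._listener.close()


def start_stand_in_gateway() -> Tuple[socket.socket, Endpoint]:
    """Constructed stand-in for gateway + 10.0.0.100:23: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def echo(conn: socket.socket) -> None:
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                conn.sendall(data)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()


def round_trip(payload: bytes, local_port: int = 0) -> bytes:
    """Send `payload` the way a client application would (to the loopback mapping
    for 10.0.0.100:23) and return what comes back through the relay.
    local_port=0 picks a free port so this runs even when 3001 is busy."""
    gw_sock, gw_addr = start_stand_in_gateway()
    fwd = LocalForwarder(local_port, gw_addr)
    table = PortForwardTable()
    table.add(("10.0.0.100", 23), fwd.local[1])
    try:
        with socket.create_connection(table.resolve(("10.0.0.100", 23))) as app:
            app.sendall(payload)
            app.shutdown(socket.SHUT_WR)  # tell the relay we are done sending
            chunks: List[bytes] = []
            while True:
                data = app.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd.close()
        gw_sock.close()


if __name__ == "__main__":
    print(round_trip(b"telnet-ish payload\r\n", local_port=3001))
```

The listener binds to 127.0.0.1 deliberately: the applet's forwarding port must not be reachable from other hosts on the client's LAN, or anyone who can reach port 3001 gets a ride over the user's VPN session.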
Learn More About Group Policies
Cisco IOS SSL VPN group policies define the portal and links for the users
included in those policies. When a remote user enters the Cisco IOS SSL VPN
URL they have been given, the router must determine which policy the user is a
member of so that it can display the portal configured for that policy. If only one
Cisco IOS SSL VPN policy is configured on the router, it can authenticate users
locally or using a AAA server, and then display the portal.
However, if more than one policy is configured, the router must rely on a AAA
server to determine which policy to use each time a remote user attempts to log
in. If you have configured more than one Cisco IOS SSL VPN group policy, you
must configure at least one AAA server for the router, and you must configure a
policy on that server for each group of users for which you created a Cisco IOS
SSL VPN policy. The policy names on the AAA server must be the same as the
names of the group policies configured on the router, and they must be configured
with the credentials of the users who are members of the group.
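The selection rule stated above, as an added example that is not part of this guide and not the router's own logic: with a single group policy the router can authenticate locally and show that policy's portal; with several it must ask a AAA server, and the policy name the server returns must match a group policy configured on the router exactly. The policy and user names are taken from this section's own example; the class shapes and the AAA lookup interface are assumptions made for illustration.

```python
"""Added example (not Cisco code): model of SSL VPN portal selection by group policy."""
from typing import Dict, Optional, Set, Tuple


class ConfigError(Exception):
    """Router configuration cannot support the login attempt."""


class AAAServer:
    """Constructed stand-in AAA server: username -> (password, policy name).
    The policy name stored here is what the router compares with its own group
    policy names, so it must be spelled exactly the same."""

    def __init__(self, users: Dict[str, Tuple[str, str]]) -> None:
        self._users = users

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Return the user's policy name on success, None on bad credentials."""
        entry = self._users.get(username)
        if entry is None or entry[0] != password:
            return None
        return entry[1]


class Router:
    def __init__(
        self,
        group_policies: Set[str],
        local_users: Optional[Dict[str, str]] = None,
        aaa: Optional[AAAServer] = None,
    ) -> None:
        self.group_policies = group_policies
        self.local_users = local_users or {}
        self.aaa = aaa

    def select_portal(self, username: str, password: str) -> str:
        """Return the name of the group policy whose portal the user gets."""
        if not self.group_policies:
            raise ConfigError("no Cisco IOS SSL VPN group policy configured")

        if len(self.group_policies) == 1:
            # One policy: authenticate locally or via AAA; only one portal to show.
            (only_policy,) = self.group_policies
            if self.local_users.get(username) == password:
                return only_policy
            if self.aaa is not None and self.aaa.authenticate(username, password):
                return only_policy
            raise PermissionError("authentication failed")

        # Several policies: the router cannot decide by itself; AAA must say.
        if self.aaa is None:
            raise ConfigError(
                "more than one group policy is configured; a AAA server is required"
            )
        policy = self.aaa.authenticate(username, password)
        if policy is None:
            raise PermissionError("authentication failed")
        if policy not in self.group_policies:
            # Typical misconfiguration: 'sales' on the server vs 'Sales' on the router.
            raise ConfigError(
                f"AAA returned policy {policy!r}, which matches no router group policy"
            )
        return policy


def demo() -> Tuple[str, str]:
    """Run the two scenarios from the text; constructed credentials."""
    single = Router({"Sales"}, local_users={"bsmith": "pw"})
    aaa = AAAServer({"bsmith": ("pw", "Field")})
    multi = Router({"Sales", "Field", "Manufacturing"}, aaa=aaa)
    return single.select_portal("bsmith", "pw"), multi.select_portal("bsmith", "pw")


if __name__ == "__main__":
    print(demo())
```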
For example, if a router has been configured with local authentication for Bob
Smith, and only the group policy Sales has been configured, there is only one
portal available to display when Bob Smith attempts to log in. However, if there
are three Cisco IOS SSL VPN group policies configured, Sales, Field, and
Manufacturing, the router cannot, by itself, determine which policy group Bob
Smith is a member of. If a AAA server is configured with the proper information