Step 1
Command: enable
Purpose: Enables privileged EXEC mode.
Step 2
Command: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: crypto ssl authorization policy policy-name
Example: Device(config)# crypto ssl authorization policy policy1
Purpose: Specifies the SSL authorization policy and enters SSL authorization policy configuration mode.
Step 4
Command: banner banner-text
Example: Device(config-crypto-ssl-auth-policy)# banner This is SSL VPN tunnel. NOTE: DO NOT dial emergency response numbers (e.g. 911,112) from software telephony clients. Your exact location and the appropriate emergency response agency may not be easily identified.
Purpose: Specifies the banner. The banner is displayed on successful tunnel setup.
Step 5
Command: client profile profile-name
Example: Device(config-crypto-ssl-auth-policy)# client profile profile1
Purpose: Specifies the client profile. The profile must already be defined using the crypto ssl profile command.
Step 6
Command: def-domain domain-name
Example: Device(config-crypto-ssl-auth-policy)# def-domain example.com
Purpose: Specifies the default domain that the client can use.
Step 7
Command: Do one of the following:
- dns primary-server [secondary-server]
- ipv6 dns primary-server [secondary-server]
Example: Device(config-crypto-ssl-auth-policy)# dns 198.51.100.1 198.51.100.100
Example: Device(config-crypto-ssl-auth-policy)# ipv6 dns 2001:DB8:1::1 2001:DB8:2::2
Purpose: Specifies an IPv4- or IPv6-based address for the primary and secondary Domain Name Service (DNS) servers.
Step 8
Command: dpd-interval {client | server} interval
Example: Device(config-crypto-ssl-auth-policy)# dpd-interval client 1000
Purpose: Configures Dead Peer Detection (DPD) globally for the client or server.
- client: DPD for the client mode. The default value is 300 (five minutes).
- server: DPD for the server mode. The default value is 300.
- interval: Interval, in seconds. The range is from 5 to 3600.
Step 9
Command: homepage homepage-text
Example: Device(config-crypto-ssl-auth-policy)# homepage http://www.abc.com
Purpose: Specifies the SSL VPN home page URL.
Step 10
Command: include-local-lan
Example: Device(config-crypto-ssl-auth-policy)# include-local-lan
Purpose: Permits the remote user to access resources on a local LAN, such as a network printer.
Step 11
Command: ipv6 prefix prefix
Example: Device(config-crypto-ssl-auth-policy)# ipv6 prefix 64
Purpose: Defines the IPv6 prefix for IPv6 addresses.
Step 12
Command: keepalive seconds
Example: Device(config-crypto-ssl-auth-policy)# keepalive 500
Purpose: Enables setting the minimum, maximum, and default values for keepalive, in seconds.
Step 13
Command: module module-name
Example: Device(config-crypto-ssl-auth-policy)# module gina
Purpose: Enables the server gateway to download the appropriate module for VPN to connect to a specific group.
Step 14
Command: msie-proxy exception exception-name
Example: Device(config-crypto-ssl-auth-policy)# msie-proxy exception 198.51.100.2
Purpose: Specifies a DNS name or IP address (the exception-name argument) whose traffic must not be sent via the proxy.
Step 15
Command: msie-proxy option {auto | bypass | none}
Example: Device(config-crypto-ssl-auth-policy)# msie-proxy option bypass
Purpose: Specifies the proxy settings for the Microsoft Internet Explorer browser. The proxy settings are required to specify an internal proxy server and to route the browser traffic through the proxy server when connecting to the corporate network.
- auto: Browser is configured to auto-detect proxy server settings.
- bypass: Local addresses bypass the proxy server.
- none: Browser is configured to not use the proxy server.
Step 16
Command: msie-proxy server {ip-address | dns-name}
Example: Device(config-crypto-ssl-auth-policy)# msie-proxy server 198.51.100.2
Purpose: The IP address or the DNS name, optionally followed by the port number, of the proxy server.
Note: This command is required if the msie-proxy option bypass command is specified.
Step 17
Command: mtu bytes
Example: Device(config-crypto-ssl-auth-policy)# mtu 1000
Purpose: (Optional) Enables setting the minimum, maximum, and default MTU value.
Note: The value specified in this command overrides the default MTU specified in the Cisco AnyConnect Secure client configuration. If this command is not specified, the MTU value from the Cisco AnyConnect Secure client configuration is used. If the calculated MTU is less than the MTU specified in this command, this command is ignored.
Step 18
Command: netmask mask
Example: Device(config-crypto-ssl-auth-policy)# netmask 255.255.255.0
Purpose: Specifies the netmask of the subnet from which the IP address is assigned to the client.
Step 19
Command: Do one of the following:
Example: Device(config-crypto-ssl-auth-policy)# pool abc
Example: Device(config-crypto-ssl-auth-policy)# ipv6 pool ipv6pool
Purpose: Defines a local IPv4 or IPv6 address pool for assigning IP addresses to the remote access client.
Note: The local IP address pool must already be defined using the ip local pool command.
Step 20
Command: rekey time seconds
Example: Device(config-crypto-ssl-auth-policy)# rekey time 1110
Purpose: Specifies the rekey interval, in seconds. The default value is 3600.
Step 21
Command: Do one of the following:
- route set access-list acl-name
- ipv6 route set access-list access-list-name
Example: Device(config-crypto-ssl-auth-policy)# route set access-list acl1
Example: Device(config-crypto-ssl-auth-policy)# ipv6 route set access-list acl1
Purpose: Establishes, via the access list, the IPv4 or IPv6 routes that must be secured through tunnels.
Step 22
Command: smartcard-removal-disconnect
Example: Device(config-crypto-ssl-auth-policy)# smartcard-removal-disconnect
Purpose: Enables smartcard removal disconnect, which specifies that the client should terminate the session when the smart card is removed.
Step 23
Command: split-dns string
Example: Device(config-crypto-ssl-auth-policy)# split-dns example.com example.net
Purpose: Allows you to specify up to ten split domain names, which the client should use for private networks.
Step 24
Command: timeout {disconnect seconds | idle seconds | session seconds}
Example: Device(config-crypto-ssl-auth-policy)# timeout disconnect 10000
Purpose: Specifies the timeout, in seconds.
- disconnect seconds: Specifies the retry duration, in seconds, for the Cisco AnyConnect client to reconnect to the server gateway. The default value is 0.
- idle seconds: Specifies the idle timeout, in seconds. The default value is 1800 (30 minutes).
- session seconds: Specifies the session timeout, in seconds. The default value is 43200 (12 hours).
Step 25
Command: wins primary-server [secondary-server]
Example: Device(config-crypto-ssl-auth-policy)# wins 203.0.113.1 203.0.113.115
Purpose: Specifies the internal Windows Internet Naming Service (WINS) server addresses.
Step 26
Command: end
Example: Device(config-crypto-ssl-auth-policy)# end
Purpose: Exits SSL authorization policy configuration mode and returns to privileged EXEC mode.
Step 27
Command: show crypto ssl authorization policy [policy-name]
Example: Device# show crypto ssl authorization policy
Purpose: (Optional) Displays the SSL authorization policy.
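The steps above carry several constraints that are easy to get wrong when a policy is built by hand: the dpd-interval must fall in 5 to 3600 seconds (Step 8), msie-proxy server is mandatory once msie-proxy option bypass is set (Step 16), split-dns accepts at most ten names (Step 23), and the client profile and the IPv4 pool must already exist (Steps 5 and 19). As an added example, not Cisco code or output, the Python script below assembles the commands from this procedure into one constructed configuration excerpt and lints it against those rules, then does the same for a second constructed policy that breaks them. The crypto ssl profile and ip local pool lines stand in for the prerequisites the steps name; their values, like every address, are constructed from documentation ranges. The parser reads only the lines these checks need and is not a general IOS configuration parser.

```python
# Added example, not Cisco code: lint a crypto ssl authorization policy in a
# running-config excerpt against rules this procedure states (dpd-interval
# 5-3600, msie-proxy server required with option bypass, at most ten
# split-dns names, client profile and ip local pool defined beforehand).
# Both config strings are constructed here using documentation addresses.

SAMPLE_CONFIG = """\
crypto ssl profile profile1
ip local pool abc 10.0.0.1 10.0.0.254
crypto ssl authorization policy policy1
 client profile profile1
 def-domain example.com
 dns 198.51.100.1 198.51.100.100
 ipv6 dns 2001:DB8:1::1 2001:DB8:2::2
 dpd-interval client 1000
 include-local-lan
 msie-proxy exception 198.51.100.2
 msie-proxy option bypass
 msie-proxy server 198.51.100.2
 netmask 255.255.255.0
 pool abc
 ipv6 pool ipv6pool
 rekey time 1110
 route set access-list acl1
 ipv6 route set access-list acl1
 smartcard-removal-disconnect
 split-dns example.com example.net
 timeout disconnect 10000
"""

# Constructed policy that breaks several of the rules above.
BROKEN_CONFIG = "\n".join([
    "crypto ssl authorization policy policy2",
    " client profile missing-profile",
    " dpd-interval client 4000",
    " msie-proxy option bypass",
    " pool nopool",
    " split-dns " + " ".join(f"d{i}.example" for i in range(11)),
])

def parse_config(text):
    """Return (profiles, pools, policies): defined crypto ssl profiles, ip local
    pools, and each policy's tokenised sub-commands (its indented lines)."""
    profiles, pools, policies = set(), set(), {}
    current = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if raw.startswith(" ") and current is not None:
            policies[current].append(tok)  # indented line belongs to the policy
            continue
        current = None
        if tok[:3] == ["crypto", "ssl", "profile"] and len(tok) > 3:
            profiles.add(tok[3])
        elif tok[:3] == ["ip", "local", "pool"] and len(tok) > 3:
            pools.add(tok[3])
        elif tok[:4] == ["crypto", "ssl", "authorization", "policy"] and len(tok) > 4:
            current = tok[4]
            policies[current] = []
    return profiles, pools, policies

def lint_policy(name, cmds, profiles, pools):
    """Return (severity, message) findings for one policy block."""
    findings, option, server = [], None, False
    err = lambda msg: findings.append(("error", f"{name}: {msg}"))
    for tok in cmds:
        kw, args = tok[0], tok[1:]
        if kw == "dpd-interval":  # dpd-interval {client | server} interval
            if len(args) != 2 or args[0] not in ("client", "server") or not args[1].isdigit():
                err("malformed dpd-interval: " + " ".join(tok))
            elif not 5 <= int(args[1]) <= 3600:
                err(f"dpd-interval {args[1]} is outside the 5-3600 range")
        elif kw == "client" and args[:1] == ["profile"]:
            if len(args) < 2 or args[1] not in profiles:
                err("client profile names a crypto ssl profile that is not defined")
        elif kw == "pool":
            if not args or args[0] not in pools:
                err("pool names an ip local pool that is not defined")
        elif kw == "msie-proxy" and args[:1] == ["option"]:
            option = args[1] if len(args) > 1 else None
            if option not in ("auto", "bypass", "none"):
                err("msie-proxy option must be auto, bypass, or none")
        elif kw == "msie-proxy" and args[:1] == ["server"]:
            server = len(args) > 1
        elif kw == "split-dns" and len(args) > 10:
            err(f"split-dns lists {len(args)} names; the maximum is ten")
        elif kw == "include-local-lan":  # not an error, but widens client reachability
            findings.append(("info", f"{name}: include-local-lan permits local LAN access alongside the tunnel"))
    if option == "bypass" and not server:
        err("msie-proxy option bypass requires msie-proxy server")
    return findings

def lint_config(text):
    """Lint every policy in the excerpt and return all findings."""
    profiles, pools, policies = parse_config(text)
    return [f for name, cmds in policies.items()
            for f in lint_policy(name, cmds, profiles, pools)]
```

Calling lint_config on the sample excerpt yields only the informational note about include-local-lan; the broken policy produces five errors (undefined profile, dpd-interval out of range, undefined pool, eleven split-dns names, and bypass without a proxy server). To run it against a device, paste the relevant part of show running-config into the text argument; each additional rule from the procedure is one more elif branch.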