21-47
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Chapter21 Cisco IOS SSL VPN
Additional Help Topics
When the client's browser connects to the gateway router, a portal applet is
downloaded to the client PC. This applet contains the server's IP address and static
port number, and the port number that the client PC is to use. The applet does the
following:
Creates a mapping on the client PC that maps traffic for port 23 on 10.0.0.100
to the PC's loopback IP address 127.0.0.1, port 3001.
Listens on port 3001, IP address 127.0.0.1
When the user runs an application that connects to port 23 on 10.0.0.100, the
request is sent to 127.0.0.1 port 3001. The portal applet listening on that port and
IP address gets this request and sends it over the Cisco IOS SSL VPN tunnel to
the gateway. The gateway router forwards it to the server at 10.0.0.100, and sends
return traffic back to the PC.
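As an added illustration (not code from the guide or from the Cisco applet), the following Python script stands in for the portal applet: it keeps the mapping 10.0.0.100:23 to 127.0.0.1:3001 from the text, listens on loopback, and relays each accepted connection in both directions to a stub "server". The SSL VPN tunnel and gateway are assumed away and replaced by a plain loopback TCP connection, and ephemeral ports stand in for 3001 so the demo runs anywhere.

```python
import socket
import threading

# Constructed mapping, as described on the page: connections the application
# makes to 10.0.0.100:23 are redirected to the applet's loopback listener at
# 127.0.0.1:3001 (these are the page's example values, not live addresses).
PORT_FORWARD_MAP = {("10.0.0.100", 23): ("127.0.0.1", 3001)}


def local_endpoint(server_host, server_port):
    """Return the loopback address/port the applet listens on for a mapped server."""
    return PORT_FORWARD_MAP.get((server_host, server_port))


def _pump(src, dst):
    """Copy bytes one way until src reaches EOF, then signal EOF to dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_applet(listen_sock, tunnel_target):
    """Stand-in for the portal applet: accept on loopback and relay each
    connection over the 'tunnel' (here just TCP to tunnel_target) both ways."""
    while True:
        client, _ = listen_sock.accept()
        upstream = socket.create_connection(tunnel_target)
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def serve_stub_server(listen_sock):
    """Stand-in for the server at 10.0.0.100:23: answer with the request upper-cased."""
    while True:
        conn, _ = listen_sock.accept()
        with conn:
            conn.sendall(conn.recv(4096).upper())


def _listen():
    """Bind a loopback listener on an ephemeral port (real applet would use 3001)."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen()
    return sock


def run_demo(payload=b"hello\n"):
    """Wire client -> applet -> stub server and return what the client gets back."""
    server_sock, applet_sock = _listen(), _listen()
    threading.Thread(target=serve_stub_server, args=(server_sock,), daemon=True).start()
    threading.Thread(target=serve_applet,
                     args=(applet_sock, server_sock.getsockname()), daemon=True).start()
    with socket.create_connection(applet_sock.getsockname()) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)  # we are done sending; wait for the reply
        reply = b""
        while chunk := client.recv(4096):
            reply += chunk
    return reply
```

Note that the application still believes it is talking to 10.0.0.100:23; only the mapping table tells it, as on the page, to connect to the loopback listener instead.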
Learn More About Group Policies
Cisco IOS SSL VPN group policies define the portal and links for the users
included in those policies. When a remote user enters the Cisco IOS SSL VPN
URL they have been given, the router must determine which policy the user is a
member of so that it can display the portal configured for that policy. If only one
Cisco IOS SSL VPN policy is configured on the router, it can authenticate users
locally or using a AAA server, and then display the portal.
However, if more than one policy is configured, the router must rely on a AAA
server to determine which policy to use each time a remote user attempts to log
in. If you have configured more than one Cisco IOS SSL VPN group policy, you
must configure at least one AAA server for the router, and you must configure a
policy on that server for each group of users for which you created a Cisco IOS
SSL VPN policy. The policy names on the AAA server must be the same as the
names of the group policies configured on the router, and they must be configured
with the credentials of the users who are members of the group.
For example, if a router has been configured with local authentication for Bob
Smith, and only the group policy Sales has been configured, there is only one
portal available to display when Bob Smith attempts to log in. However, if there
are three Cisco IOS SSL VPN group policies configured, Sales, Field, and
Manufacturing, the router cannot, by itself, determine which policy group Bob
Smith is a member of. If a AAA server is configured with the proper information