How to use Cisco SDM
Cisco SDM configuration in detail
14.2.4 Installing and configuring Cisco SDM (1)
Cisco SDM lets users deploy Cisco routers quickly and easily, enabling WAN access and network security features.
Cisco customers can lower the total cost of ownership of a Cisco router with Cisco SDM, because the configurations SDM generates have been tested end to end by Cisco engineers and approved by Cisco TAC.
The configuration checks built into Cisco SDM help reduce the chance of configuration errors.
1. Install interface cards and connect the router cables. Before configuring the router with SDM, install all the hardware accessories the router needs, such as the WAN interface cards (WIC), network modules (NM) or advanced integration module (AIM) cards used to connect to the network.
2. Configure the computer and connect it to the router. Before configuring the router with SDM, set up the computer so that it can communicate with SDM.
SDM ships with a default configuration file that assigns an IP address to the router's LAN interface; the computer must therefore be configured on the same subnet as the router's LAN interface.
First determine whether the router is configured as a DHCP server.
Table 14-1 shows a router already configured as a DHCP server. In that case simply configure the computer to obtain an IP address and DNS server address automatically, and connect the computer's Ethernet port to the router's LAN port.
14.2.4 Installing and configuring Cisco SDM (2)
Table 14-2 shows a router that is not configured as a DHCP server. In that case assign the computer a static IP address from the range 10.10.10.2 to 10.10.10.6 with subnet mask 255.255.255.248, leave the Default Gateway and DNS server fields empty, and connect the computer to the appropriate router port.
Table 14-2 Router not configured as a DHCP server
14.2.4 Installing and configuring Cisco SDM (3)
3. Log in to the router. SDM runs under Internet Explorer 5.5 (or later) and Netscape 7.1 on computers running Windows XP, Windows 2000, Windows 2003, Windows Me, Windows NT 4.0 (with Service Pack 4) or Windows 98, and requires the Java plug-in version 1.4.2_05 or later.
Basic operation of Cisco devices explained
Basic operation of Cisco devices. Network devices (switches, routers, firewalls, VPN concentrators, ...) share one property: they are intelligent, they read the control information in a data packet and forward the data accordingly.
A switch reads the MAC address in a data frame and forwards the data within one network segment.
It is more efficient than a hub.
By default it works at layer 2.
It is mainly used to build local area networks.
A router reads the layer-3 information (the IP address) in a packet and forwards data between different network segments.
It is mainly used to connect local area networks to wide area networks.
Internal components of a router: mainboard, CPU, storage, interfaces.
Storage:
- ROM (read-only memory): the basic bootstrap image (1)
- Flash: the operating system, IOS (2)
- RAM: working memory
- NVRAM (non-volatile memory): the configuration file (3)
Boot order and configuration register value:
- normal: 1 → 2 → 3, register 0x2102
- special: 1 → 2, register 0x2142, which skips the configuration file (used for password recovery)
Router interface types:
```
Router>sh ip int brief
Interface        IP-Address  OK? Method Status                Protocol
FastEthernet0/0  unassigned  YES unset  administratively down down
FastEthernet0/1  unassigned  YES unset  administratively down down
Serial0/0        unassigned  YES unset  administratively down down
Serial0/1        unassigned  YES unset  administratively down down
Serial0/2        unassigned  YES unset  administratively down down
Serial1/0        unassigned  YES unset  administratively down down
Serial1/1        unassigned  YES unset  administratively down down
Serial1/2        unassigned  YES unset  administratively down down
Serial1/3        unassigned  YES unset  administratively down down
```
I. LAN interfaces: RJ-45 (Ethernet). 100M: F0/0, F0/1 (Fast Ethernet; modular devices, 2600 series and above). 1000M: G0/0, G0/1. 10G: Ten3/1.
II. WAN interfaces: asynchronous serial (for asynchronous dial-up networks, obsolete); synchronous serial (for DDN and Frame Relay networks, copper, 2M): serial S0, S1, S0/0, S0/1; V.24 supports at most 64K (obsolete); V.35 supports 64k to 2M. POS (Packet over SDH) interfaces: POS 1/0/0, POS 1/0/1, SDH leased line (fibre), 155M. Interface names are slot/module/port. Link speeds run 2M, 4M, 8M, 10M ... 155M ... 622M ... 2.5G ... 10G ... 40G.
Logging in to a device. In network management we want these devices to work as we require, so we send them instructions (commands with parameters). Access paths: the console (command line); over the network: 1. telnet (command line), 2. SDM (web page).
I. Logging in through the console.
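The 0x2142 register value in the list above is the basis of the standard console password-recovery procedure. The following is an added example, not from the original page, showing the sequence on a 2600/2800/ISR-class router; the hostname, the user name netadmin and both passphrases are assumptions. The security point is that anyone with physical console access can do this, so console ports belong in locked racks, and IOS offers `no service password-recovery` for routers whose configuration must never be recoverable this way (on those, the break sequence only offers a factory reset that erases the startup configuration).

```cisco
! Added example: password recovery through the configuration register.
! Step 1: power-cycle the router and send a Break on the console during the
! first ~60 seconds of boot to drop into ROMMON.
rommon 1 > confreg 0x2142      ! boot normally, but ignore NVRAM (startup-config)
rommon 2 > reset

! Step 2: the router boots with no configuration. Decline the setup dialog,
! then load the saved configuration from privileged mode.
Would you like to enter the initial configuration dialog? [yes/no]: no
Router> enable
Router# copy startup-config running-config
! Now set new credentials (values are placeholders).
Router# configure terminal
Router(config)# enable secret New-Enable-Passphrase
Router(config)# username netadmin privilege 15 secret New-User-Passphrase
! Interfaces come back administratively down after the copy; re-enable them.
Router(config)# interface FastEthernet0/0
Router(config-if)# no shutdown
Router(config-if)# exit

! Step 3: restore the normal register so the next boot reads NVRAM again.
Router(config)# config-register 0x2102
Router(config)# end
Router# copy running-config startup-config
! Expect: "Configuration register is 0x2142 (will be 0x2102 at next reload)"
Router# show version | include register
```

If the register is left at 0x2142 the router keeps ignoring its saved configuration at every reload, which is the commonest mistake in this procedure; the final `show version` line is the check.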
Cisco courseware 2: configuring static routes and managing routes with SDM
V. Lab steps
Configure the computer interfaces: configure the network interface settings of PCA through PCD. This example uses the Windows XP network configuration shown in Figure 4-2; configure the IP settings of the four computers in turn from the contents of Table 4.1.
1. Connect the router and the workstations.
2. Configure the router and the workstations (IP addresses and other parameters).
3. Check the routing table on the router.
4. Test connectivity between the workstations.
5. Check the contents of the router's running configuration.
2.4 Lab 2: configuring static routes and default routes
I. Objective: master the configuration of static routes and default routes. II. Task: configure static routes on two routers to simulate the interconnection of remote networks. III. Equipment: two Cisco 2611 routers, two PC workstations with network cards, one console cable, several crossover twisted-pair cables.
2.1.2 Classification of routing protocols
1. Connected routes, static routes and dynamic routes: connected route, static route, dynamic route.
Figure 2-1-7 Connected, static and dynamic routes
2. IGP and EGP
Figure 2-1-8 IGP and EGP
2.3 Managing a Cisco router with SDM
2.3.1 Installing SDM
Software needed to install SDM: the Java JRE (Java runtime environment) installer, which can be downloaded from Sun's web site; this book uses Java 6.0 Update 5, installer file name jre-6u5-windows-i586-p-s.exe. The SDM installer, which can be downloaded from Cisco's web site; this book uses SDM 2.4.1 Chinese edition, installer file name SDM-V241-zh.zip.
Cisco IOS Software Release 12.3T: product description
Questions and answers on Cisco IOS Software Release 12.3T
Q: What types of customers would be interested in deploying Cisco IOS Software Release 12.3T?
A: Cisco recommends Release 12.3T for enterprise, access and service-provider customers who need to:
- improve enterprise productivity through enhanced security, better branch-office voice quality and functionality, and enhanced quality of service (QoS);
- deploy or upgrade IPv6, NetFlow and related management features;
- deploy small remote offices and teleworkers that need secure Internet access and enterprise network connectivity;
- implement new content-delivery features, voice-over-network enhancements, improved security, and effective management and deployment tools.
Q: Where can customers download Release 12.3T?
A: Visit the Software Center to download any release. To download Release 12.3T, log in and go to /kobayashi/library/12.3/index.shtml. That site also provides useful information on the hardware and software compatibility of Cisco IOS software and on the ordering process.
Make sure you have a valid SMARTnet contract or have purchased a feature-license entitlement so that you can access and download releases.
Q: Are there any special memory requirements for deploying Release 12.3T?
A: Before installing 12.3T, consult the Cisco IOS Upgrade Planner for the memory requirements, because they depend on the hardware platform and the feature set of the image chosen: /go/iosplanner
Types of Cisco IOS software releases
Q: What type of release is 12.3T?
A: Release 12.3T is a new-technology (T) release that combines the functionality of mainline Release 12.3 with new features, new hardware support and application-specific releases.
Q: What is the relationship between a mainline release and a new-technology release?
A: A mainline release consolidates all the new-technology releases published since the previous release train.
For example, mainline Release 12.3 consolidates all the features and hardware support of the 12.2T train.
A mainline release receives regular software-defect fixes but no new features or hardware support.
New-technology releases derive from the mainline release and use the same numbering.
For example, Release 12.3T derives from mainline Release 12.3.
Chapter 4: Initializing network devices
Step 8: click the Submit button to save the settings.
4.4 Router initialization
4.4.1 Command-line initialization; 4.4.2 Cisco SDM initialization
4.4.1 Initializing a router from the command line
```
Would you like to enter the initial configuration dialog? [yes/no]: yes
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system
```
Cisco ASDM
4.3 Switch initialization
4.3.1 Command-line initialization; 4.3.2 Web initialization
4.3.1 Initializing a switch from the command line
```
Switch# configure terminal
Switch(config)# hostname name
Switch(config)# enable password password        ! legacy, stored reversibly
Switch(config)# enable secret secret_password    ! hashed; takes precedence over enable password
Switch(config)# line vty 0 15
Switch(config-line)# password password
Switch(config-line)# login                       ! makes the vty lines ask for the password
Switch(config-line)# exit
Switch(config)# interface vlan 1
Switch(config-if)# ip address ip_address subnet_mask
Switch(config-if)# no shutdown
```
Once `enable secret` is set, `enable password` is never consulted and only leaves a weakly protected copy of a password in the configuration; set the secret alone. Without `login` on the vty lines, telnet sessions are accepted without any password prompt.
Configuring the IOS intrusion-prevention feature of a Cisco router with SDM
Task implementation and techniques
6. Network-based IPS and host-based IPS. A network-based IPS (NIPS) places a network sensor on the backbone of a segment to monitor the activity of many hosts. A host-based IPS (HIPS) installs an agent of the management software on every host; the Cisco Security Agent (CSA) defends the host and reports to the management console. A HIPS provides detection and prevention for each host; a HIPS does not require special
...detection (IDS) and intrusion prevention (IPS) are introduced together and the two are distinguished. Finally, intrusion prevention is planned and configured with SDM on a Cisco router or PIX
firewall. Both IDS and IPS can recognise attacks, for example unauthorised access to, or attacks on, network and host resources, and both can log and raise alerts on the attacks they find and send them to a management console. The main differences are these. An IDS works like a protocol analyser or sniffer such as Sniffer Pro: placed at key points in the network, it inspects protocol data, usually out of band (for example using a mirror port on a switch to copy the traffic at a key entry point), and compares the captured data with an attack-signature database to decide whether an attack is taking place. Once an attack is confirmed, the actions an IDS can take are mainly logging, alerting, or sending a message to the management console; a more advanced IDS can cooperate with a firewall to block an attack in progress. An IPS is placed inline, behind the firewall or inserted into the network backbone, to protect traffic into key areas; it normally works inline, so every flow that passes through it can be controlled by it and attacks on the network can be stopped. It compares the traffic passing through it with an attack-signature database, identifies attacks against the network and stops them from continuing, records attacks of that class according to preset rules, and judges and blocks the same attack quickly and accurately when it recurs.
Configuring a Cisco router through the web interface
Commands for enabling web-based configuration. Many Cisco routers and switches on the market today can be configured through a web interface. Although many functions are still only available from the CLI, some web functions are quite useful, for example port traffic monitoring. To manage a Cisco device over the web, the following conditions must be met:
I. The device's IOS must support web management:
```
Router(config)# ip http server          ! if this command is accepted, the IOS supports web management
Router(config)# ip http secure-server   ! if this is accepted too, the IOS also supports HTTPS (encrypted connection)
```
After enabling web management with the commands above, set the credentials used for web logins:
```
Router(config)# ip http authentication local                   ! authenticate against the local user database
Router(config)# username cisco privilege 15 password 0 cisco   ! local user cisco with password cisco, stored in clear text
Router(config)# line vty 0 4
Router(config-line)# login local                               ! telnet and SSH logins also use the local database
```
(When logging in, the first prompt shown is the SSH login; the second one is the telnet login.)
Then give the interface an IP address:
```
Router(config)# interface fastEthernet 0/0
Router(config-if)# ip address x.x.x.x x.x.x.x
Router(config-if)# no shutdown
```
Two cautions. A privilege-15 user named cisco with password cisco, stored with `password 0`, is the first thing an attacker tries; use `secret` and a real passphrase. And `ip http server` alone sends that password across the network in clear text; once `ip http secure-server` works, disable the plain HTTP server and restrict which hosts may reach the management interface.
II. Install Cisco SDM either on the management machine or on the device itself. The device's storage is comparatively small, so installing on the management PC is usually better; it depends on the environment, and if you change management machines often, install it on the device.
Two files have to be downloaded, the JRE and SDM; install the JRE first, then SDM. Note: if the management interface will not open after SDM is installed, the cause may be the following. In the installation directory find the subdirectory Cisco Systems\Cisco SDM_zh\common\common; it contains the file runAPP.shtml, which is the problem. Rename it to runAPP.html. After that, open launchTask.html in the same directory with Notepad, find runAPP.shtml and change it to runAPP.html as well. The management interface then opens successfully. Here is a screenshot of the management interface:
Cisco router setup page
To manage a Cisco device over the web, the following must be in place. I. An IOS that supports web management: if `ip http server` is accepted in global configuration mode the IOS supports web management, and if `ip http secure-server` is accepted it also supports HTTPS. After enabling web management, set the login credentials with `ip http authentication local` (local authentication) and `username cisco privilege 15 password 0 cisco` (local user cisco with password cisco; prefer `secret` and a non-default name and passphrase). With that, the device-side setup is complete; the IP address of the interface must of course be configured as well.
II. Install Cisco SDM on the management machine or on the device itself. The device's storage is comparatively small, so installing on the management PC is usually better; it depends on the environment, and if you change management machines often, install it on the device.
III. After installation, the settings screen shown below opens:
Cisco gateway commands
The default route command on a Cisco router is:
```
ip route 0.0.0.0 0.0.0.0 X.X.X.X
```
0.0.0.0 0.0.0.0 matches every destination, and X.X.X.X is the next-hop IP address.
Further parameters can follow the default route, such as the outgoing interface or an administrative distance; type ? after the command to see them.
The gateway command is `ip default-gateway <IP address>`; it is only used when IP routing is disabled (a Layer 2 switch, or a router with `no ip routing`), otherwise the default route above applies. All of these commands are entered in global configuration mode (after `config t`).
How to give a router an IP address:
```
router(config)# interface fastethernet 0/1
router(config-if)# ip address 192.168.1.100 255.255.255.0
router(config-if)# no shutdown
```
How to give a switch an IP address:
```
switch(config)# interface vlan 1
switch(config-if)# ip address 192.168.1.100 255.255.255.0
switch(config-if)# no shutdown
```
Static route:
```
router(config)# ip route 192.168.1.0 255.255.255.0 192.168.10.1
```
Default route:
```
router(config)# ip route 0.0.0.0 0.0.0.0 192.168.10.1
```
Floating static routes (the trailing 50 is the administrative distance; such a route is installed only while no route to the same prefix with a lower distance exists):
```
router(config)# ip route 192.168.1.0 255.255.255.0 192.168.10.1 50
router(config)# ip route 0.0.0.0 0.0.0.0 192.168.10.1 50
```
Default gateway on a switch, for convenient management:
```
switch(config)# ip default-gateway 192.168.2.254
```
Secondary address:
```
switch(config-if)# ip address 192.168.1.1 255.255.255.0 secondary
```
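The cisco/cisco privilege-15 user over plain HTTP shown in the two sections above, and the `enable password` plus vty `password` pattern in the switch initialisation section earlier on this page, are the minimum that makes the web interface work, not a safe configuration. The following is an added example, not taken from the page, of the same management access hardened: HTTPS only, SSH only, hashed local credentials, and an access list limiting which hosts may reach the management plane. The host name, domain name, the 192.168.100.0/24 management subnet and the user name netadmin are assumptions; every passphrase is a placeholder to be replaced. The weak lines from the page are left in as comments beside their replacements.

```cisco
! Added example, not from the original page: hardened management access.
hostname R1
ip domain-name example.net                   ! assumed; required before key generation
crypto key generate rsa modulus 2048         ! used by SSH and by the HTTPS self-signed certificate
ip ssh version 2
!
! username cisco privilege 15 password 0 cisco   <- weak: default-looking name, reversible storage
username netadmin privilege 15 secret Use-A-Long-Passphrase-Here   ! hashed; placeholder value
enable secret Another-Long-Passphrase                               ! placeholder value
service password-encryption                  ! hides any remaining type-0 strings (type 7 is still reversible)
!
! Only the management subnet may reach the web server and the vty lines.
access-list 10 remark MGMT-HOSTS
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 deny   any log
!
! ip http server                            <- weak: credentials and session travel in clear text
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh                         ! telnet off; the vty lines accept SSH only
 exec-timeout 10 0
line con 0
 login local
 exec-timeout 10 0
!
login block-for 120 attempts 3 within 60     ! quiet period after repeated failed logins
logging buffered 64000
!
! Checks after applying:
! show ip http server status        (HTTP should be disabled, HTTPS enabled)
! show ip ssh                       (version 2)
! show running-config | include password   (no "password 0" lines left)
```

SDM itself only needs the HTTPS server and a privilege-15 local user, so nothing in the GUI workflow changes; the difference is that the same device no longer answers telnet or HTTP and cannot be reached from outside the management subnet.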
Understanding and configuring the Switching Database Manager on Catalyst 3750 series switches
Note: in this section SDM is the Switching Database Manager, the template mechanism that allocates TCAM resources on the Catalyst 3750; it is unrelated to the Router and Security Device Manager discussed elsewhere on this page.
ACLs on the Catalyst 3750
When configuring ACLs on Catalyst 3750 switches, the main problems users face are resource contention and shortage. Because the Catalyst 3750 forces several types of ACL to be processed in hardware rather than software, the switch programs the hardware lookup tables of the TCAM subsystem and various hardware registers. When a packet arrives, the switch can perform a hardware table lookup and then carry out the appropriate action.
Related: Understanding ACLs on Catalyst 6500 series switches.
Merge algorithm
The Cisco IOS software on the Catalyst 3750 uses the Order Dependent Merge (ODM) algorithm. It is enabled by default and cannot be configured.
- When a RACL and a VACL are merged and compiled into the TCAM, the compiler tries to fit both of them into the TCAM.
- If the merge fails, the Catalyst 3750 tries to fit the VACL into the TCAM and simplifies the RACL, which in practice sends all routed packets to the CPU, where they are filtered.
- If the RACL fits into the TCAM but the VACL does not, only the RACL is processed in hardware and the VACL is processed in software. If neither the RACL nor the VACL fits into the TCAM on its own, both are processed in software.
SDM templates and switch stacks
When a 3750 switch is part of a stack, keep the following points about the available SDM templates in mind.
- When a switch is added to a stack, the SDM template on the stack master overwrites the SDM template on the new switch.
- If a 3750-12S running an aggregate template is added as a member to a stack whose master runs a desktop template, the 3750-12S moves to the same desktop template the master runs. If the number of existing TCAM entries exceeds the number available under the master's desktop template, the newly added switch risks losing part of its configuration.
- If the stack master is a 3750-12S running an aggregate template and the member switches are not 3750-12S switches, they cannot support the aggregate template and enter SDM mismatch mode. To verify whether a switch is in SDM mismatch mode ...
Configuring static routes and managing routes with SDM
03 Configuring static routes
Steps to configure a static route
Determine the destination network and the next hop
First determine the destination network to be reached and the IP address of the next hop.
Configure the interface IP addresses
Configure the IP addresses of the router interfaces and make sure each interface is in the correct subnet.
Add the static route
Add the static route entry through the command line or through the SDM (Router and Security Device Manager) interface.
Verify the configuration
Use the appropriate command on the command line, or the corresponding view in SDM, to verify that the static route is configured correctly.
Managing routes with SDM. Cisco SDM (Router and Security Device Manager) is a web-based graphical tool, not a software-defined-networking technology as the acronym is sometimes misread. It runs on the management PC or from the router's flash, builds IOS configuration from wizards and forms, and lets an administrator configure, monitor and manage routing without typing CLI commands. This lowers the skill barrier and reduces configuration errors, at the cost of depending on the router's HTTP(S) server and on a Java-enabled browser.
How to use the SDM tool
Installation and configuration
SDM is installed on the management PC or in the router's flash; the router must run an IOS version, and have the memory, that SDM supports.
User interface
SDM provides a graphical user interface through which the administrator configures and manages the device.
Generated commands
SDM can show the IOS commands it is about to deliver to the router before applying them, so every change can be reviewed first and the same commands can be reused in scripts.
Example 1: on the command line, add a static route with
```
ip route 192.168.10.0 255.255.255.0 10.0.0.2
```
Example 2: in the SDM interface, open the Routing section, add a static route entry, and specify the destination network, subnet mask and next-hop address. Save the configuration and apply the changes.
04 Introduction to the SDM management tool
Outlook
As cloud computing, big data and the Internet of Things develop, networks grow in size and complexity and place higher demands on network management. Future static route configuration may become more intelligent and automated, for example using machine learning and artificial intelligence to identify and optimise routing paths automatically, improving network efficiency and reliability.
Cisco SDM operating manual
SDM Installation. Objective: master installing SDM. Description: when the router is managed with SDM, the connection between the user and the router uses HTTPS and SSH v2, so it is encrypted and secure.
At present most low- and mid-range Cisco routers support SDM, including the 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800 and 7200VXR series.
The SDM program can be installed either on a PC or on the router.
Installing on a PC saves router memory and lets the same copy manage other SDM-capable routers (this lab uses that method), but because Internet Explorer by default forbids web pages from accessing local files, its security settings must be changed.
Installing on the router requires about 4 MB of flash for a basic installation.
Lab topology: see the diagram. Basic configuration:
```
hostname Cipon-R1
ip http server
ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
ip http authentication local
username cipon privilege 15 secret cipon123
line vty 0 4
 login local
 transport input telnet ssh
```
Note that this baseline still leaves the clear-text paths open: `ip http server` alongside `ip http secure-server`, and telnet alongside SSH on the vty lines. Once SDM connects over HTTPS, remove `ip http server` and restrict the vty lines to `transport input ssh`; a 1024-bit RSA key is also below current recommendations, so prefer a 2048-bit modulus.
Lab steps:
1. Install the JVM (Java Virtual Machine); the JVM version depends on what the SDM release requires.
2. Download the SDM installation file from the Cisco web site.
3. Open the SDM-V25.rar file and double-click setup.exe to install: click Next to start the basic installation settings; accept the software licence and click Next; choose the installation directory and click Next; click Finish to complete the installation.
4. After installation, if SDM is installed on the local PC, change Internet Explorer as follows: Tools → Internet Options → Advanced, tick "Allow active content to run in files on My Computer", then restart Internet Explorer.
5.2.3 Using Cisco SDM Express
CCNA Discovery: Working at a Small-to-Medium Business or ISP. Lab 5.2.3 Configuring an ISR with SDM Express. Objectives: use Cisco SDM Express to configure basic router global settings such as the router name, users and login passwords.
Use Cisco SDM Express to configure LAN and Internet connectivity on a Cisco ISR.
Background/Preparation: Cisco Router and Security Device Manager (SDM) is a Java-based web application and device-management tool for routers running Cisco IOS software.
Cisco SDM comes with smart wizards that help users unfamiliar with the command-line interface (CLI) deploy, configure and monitor Cisco routers, simplifying router configuration and security configuration.
Many Cisco routers and Cisco IOS software releases support Cisco SDM.
Many newer Cisco router models ship with SDM preinstalled.
If you are using an 1841 router, SDM (and SDM Express) is preinstalled on the device.
This lab uses a Cisco 1841 router as the example.
Other router models that support SDM can also be used.
If your router supports SDM but the tool is not installed, you can download the latest version of SDM free of charge from: /pcgi-bin/tablebuild.pl/sdm. Follow the link above to view or download the document "Downloading and Installing Cisco Router and Security Device Manager".
That document explains how to install SDM on the router.
It lists in detail the model numbers and IOS versions that support SDM, and the memory required.
Tutorial for the Cisco switch simulation software
Step 2: start the Cisco switch simulation software. After installation, find and start the Cisco switch simulation software from the application menu on your computer.
Step 3: create a virtual network topology. In the main window of the simulator you will see a topology designer.
Use the topology designer to create the virtual network topology you need.
Build the topology by dragging and dropping the various switches, routers and host devices.
Step 4: configure the devices. Once the virtual topology exists, click a device to configure it further.
This includes setting the IP address, subnet mask, gateway, VLANs and so on.
Configure a device by double-clicking it, or by right-clicking it and choosing "Configure".
Step 5: create the connections. While configuring each device, you also need to create the links between devices.
Use the connection tool in the topology designer to create links.
Click the connection tool, drag the mouse to the other device and release it to create the link.
Step 6: run commands. Once the devices are connected, you can run commands through the command-line interface (CLI).
Open the command-line interface of each device and enter commands there.
Use common commands such as ping, tracert and show ip interface to test the connections and configuration between devices.
Step 7: save and load the topology. Step 8: experiment and learn. Now you can start experimenting and learning.
Try different configurations and commands to become familiar with how the switch operates and what it can do.
Use the simulator to model a variety of scenarios, such as VLAN configuration, troubleshooting and topology optimisation.
Summary: the Cisco switch simulation software is a very useful tool that lets users experiment with and learn about network switches in a virtual environment.
By following the steps above to build a virtual topology, configure the devices, create the connections and run commands, users can model a variety of scenarios and, through experiment and study, better understand how a switch works and what it does.
We hope this tutorial helps you make better use of the Cisco switch simulation software.
Configuring NAT on a Cisco router
With the rapid growth of the Internet, the shortage of IP addresses has become a pressing problem.
Several solutions have been proposed to address it.
The following introduces one that is effective in today's networks: Network Address Translation (NAT).
I. Overview of NAT. With NAT (Network Address Translation), a network can use whatever IP addresses it chooses internally, without applying for them.
Inside the network, the computers communicate with each other using the internal IP addresses.
When an internal computer needs to communicate with the external Internet, a NAT-capable device (for example a router) translates the internal IP address into a legitimate (registered) IP address for the communication.
II. Where NAT is used. Case 1: an enterprise does not want outside users to learn the structure of its internal network. NAT separates the internal network from the external Internet, so outside users never see the internal IP addresses behind the NAT device. Hiding addresses is a side effect rather than access control: inbound traffic still has to be filtered, especially for hosts with static translations, which are fully reachable from outside.
Case 2: an enterprise holds only a few legitimate Internet IP addresses but has many internal users.
NAT lets many users share one legitimate IP address to communicate with the external Internet at the same time.
III. Hardware and software requirements for NAT: a router performing NAT needs at least one inside interface and one outside interface.
The users connected to the inside interface use internal IP addresses.
In general either interface can be designated inside or outside as required.
The router's IOS must support NAT (the examples in this article use a Cisco 2811).
IV. NAT terms. Inside local address: the internal IP address assigned to a computer on the inside network.
Inside global address: a legitimate IP address that represents one or more inside local addresses in outbound IP communication.
It is an address that must be applied for before it can be used.
V. Configuring NAT on a Cisco router: the method and commands are essentially the same across the various Cisco router models.
NAT configuration comes in three forms: static address translation, dynamic address translation, and multiplexed dynamic address translation (port address translation, or overload).
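The three forms just named, written out as IOS configuration. This is an added example, not from the original article: the addressing is made up (inside LAN 192.168.1.0/24 on FastEthernet0/0, a public /29 from the RFC 5737 documentation range 203.0.113.0/24 on FastEthernet0/1, ISP gateway 203.0.113.1), and the interface names match a Cisco 2811 as used in the text.

```cisco
! Added example, not from the original page: static, dynamic and overload NAT on IOS.
interface FastEthernet0/0
 description Inside LAN (assumed 192.168.1.0/24)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
interface FastEthernet0/1
 description Outside, towards the ISP (assumed 203.0.113.0/29)
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 no shutdown
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Only inside hosts matched here are ever translated. Do not use "permit any":
! that lets spoofed or transit traffic consume pool addresses and PAT state.
access-list 10 permit 192.168.1.0 0.0.0.255
!
! 1) Static translation: one inside local <-> one inside global address, typically a
!    published server. Everything on 192.168.1.10 is now reachable from outside unless an
!    inbound access list on FastEthernet0/1 limits it to the intended ports.
ip nat inside source static 192.168.1.10 203.0.113.3
!
! 2) Dynamic translation: inside hosts borrow a whole address each from a pool; no port
!    rewriting, so at most two hosts (the pool size) are outside at once.
ip nat pool PUBLIC-POOL 203.0.113.4 203.0.113.5 netmask 255.255.255.248
ip nat inside source list 10 pool PUBLIC-POOL
!
! 3) Overload (PAT, the "multiplexed dynamic" form): all inside hosts share the outside
!    interface address and are told apart by translated source port. Use either the pool
!    mapping above or this one for a given access list, not both.
! ip nat inside source list 10 interface FastEthernet0/1 overload
!
! Shorter idle timeouts limit how long a scanner can keep translation entries alive.
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 300
!
! Verification and cleanup
! show ip nat translations       (inside local / inside global pairs, with ports under PAT)
! show ip nat statistics         (hits, misses, pool exhaustion)
! clear ip nat translation *     (drop all dynamic entries; static ones stay)
```

If pool addresses run out under form 2, new outbound sessions fail rather than fall back to PAT; that is the usual reason small sites use the overload form only.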
Configuring Cisco SSL VPN (WebVPN) through SDM

Introduction
Clientless SSL VPN (WebVPN) allows a user to securely access resources on the corporate LAN from anywhere with an SSL-enabled web browser. The user first authenticates with a WebVPN gateway, which then allows the user access to pre-configured network resources. WebVPN gateways can be configured on Cisco IOS routers, Cisco Adaptive Security Appliances (ASA), Cisco VPN 3000 Concentrators, and the Cisco WebVPN Services Module for the Catalyst 6500 and 7600 routers.

Secure Socket Layer (SSL) Virtual Private Network (VPN) technology can be configured on Cisco devices in three main modes: Clientless SSL VPN (WebVPN), Thin-Client SSL VPN (port forwarding), and SSL VPN Client (SVC) mode. This document demonstrates the configuration of WebVPN on Cisco IOS routers.

Note: Do not change either the IP domain name or the host name of the router, as this triggers a regeneration of the self-signed certificate and overrides the configured trustpoint. Regeneration of the self-signed certificate causes connection issues if the router has been configured for WebVPN. WebVPN ties the SSL trustpoint name to the WebVPN gateway configuration; therefore, if a new self-signed certificate is issued, the new trustpoint name does not match the WebVPN configuration and users are unable to connect.

Note: If you run the ip http secure-server command on a WebVPN router that uses a persistent self-signed certificate, a new RSA key is generated and the certificate becomes invalid. A new trustpoint is created, which breaks SSL WebVPN. The same issue occurs if a router that uses the persistent self-signed certificate reboots after you run the ip http secure-server command.

Refer to Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM in order to learn more about the thin-client SSL VPN. Refer to SSL VPN Client (SVC) on IOS with SDM Configuration Example in order to learn more about the SSL VPN Client.

SSL VPN runs on these Cisco router platforms:
- Cisco 870, 1811, 1841, 2801, 2811, 2821 and 2851 series routers
- Cisco 3725, 3745, 3825, 3845, 7200 and 7301 series routers

Prerequisites
Requirements. Ensure that you meet these requirements before you attempt this configuration:
- An advanced image of Cisco IOS Software Release 12.4(6)T or later
- One of the Cisco router platforms listed in the Introduction

Components used. The information in this document is based on these software and hardware versions:
- Cisco 3825 router
- Advanced Enterprise software image, Cisco IOS Software Release 12.4(9)T
- Cisco Router and Security Device Manager (SDM) version 2.3.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. The IP addresses used in this example are taken from RFC 1918 addresses, which are private and not legal to use on the Internet.

Network diagram. This document uses this network setup: (diagram not reproduced)

Conventions. Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Preconfiguration tasks. Before you begin, complete these tasks:
- Configure a host name and domain name.
- Configure the router for SDM. Cisco ships some routers with a preinstalled copy of SDM. If Cisco SDM is not already loaded on your router, you can obtain a free copy of the software from Software Download (registered customers only). You must have a CCO account with a service contract. For detailed information on the installation and configuration of SDM, refer to Cisco Router and Security Device Manager.
- Configure the correct date, time, and time zone for your router.

Configure WebVPN on Cisco IOS
You can have more than one WebVPN gateway associated with a device. Each WebVPN gateway is linked to only one IP address on the router. You can create more than one WebVPN context for a particular WebVPN gateway. To identify individual contexts, provide each context with a unique name. One policy group can be associated with only one WebVPN context. The policy group describes which resources are available in a particular WebVPN context.

Complete these steps in order to configure WebVPN on Cisco IOS:
1. Configure the WebVPN gateway
2. Configure the resources allowed for the policy group
3. Configure the WebVPN policy group and select the resources
4. Configure the WebVPN context
5. Configure the user database and authentication method

Step 1. Configure the WebVPN gateway
1. Within the SDM application, click Configure, and then click VPN.
2. Expand WebVPN, and choose WebVPN Gateways.
3. Click Add. The Add WebVPN Gateway dialog box appears.
4. Enter values in the Gateway Name and IP Address fields, and then check the Enable Gateway check box.
5. Check the Redirect HTTP Traffic check box, and then click OK.
6. Click Save, and then click Yes to accept the changes.

Step 2. Configure the resources allowed for the policy group
In order to make it easier to add resources to a policy group, you can configure the resources before you create the policy group.
1. Click Configure, and then click VPN.
2. Choose WebVPN, and then click the Edit WebVPN tab.
   Note: WebVPN allows you to configure access for HTTP, HTTPS, Windows file browsing through the Common Internet File System (CIFS) protocol, and Citrix.
3. Click Add. The Add WebVPN Context dialog box appears.
4. Expand WebVPN Context, and choose URL Lists.
5. Click Add. The Add URL List dialog box appears.
6. Enter values in the URL List Name and Heading fields. Click Add, and choose Website. This list contains all the HTTP and HTTPS web servers that you want to be available for this WebVPN connection.
7. In order to add access for Outlook Web Access (OWA), click Add, choose E-mail, and then click OK after you have filled in all the desired fields.
8. In order to allow Windows file browsing through CIFS, you can designate a NetBIOS Name Service (NBNS) server and configure the appropriate shares in the Windows domain. From the WebVPN Context list, choose NetBIOS Name Server Lists.
9. Click Add. The Add NBNS Server List dialog box appears.
10. Enter a name for the list, and click Add. The NBNS Server dialog box appears.
11. If applicable, check the Make This the Master Server check box.
12. Click OK, and then click OK.

Step 3. Configure the WebVPN policy group and select the resources
1. Click Configure, and then click VPN.
2. Expand WebVPN, and choose WebVPN Context.
3. Choose Group Policies, and click Add. The Add Group Policy dialog box appears.
4. Enter a name for the new policy, and check the Make this the default group policy for context check box.
5. Click the Clientless tab located at the top of the dialog box.
6. Check the Select check box for the desired URL list.
7. If your customers use Citrix clients that need access to Citrix servers, check the Enable Citrix check box.
8. Check the Enable CIFS, Read, and Write check boxes.
9. Click the NBNS Server List drop-down arrow, and choose the NBNS server list that you created for Windows file browsing in Step 2.
10. Click OK.

Step 4. Configure the WebVPN context
In order to link the WebVPN gateway, group policy, and resources together, you must configure the WebVPN context.
1. Choose WebVPN Context, and enter a name for the context.
2. Click the Associated Gateway drop-down arrow, and choose an associated gateway.
3. If you intend to create more than one context, enter a unique name in the Domain field to identify this context. If you leave the Domain field blank, users must access the WebVPN with https://IPAddress. If you enter a domain name (for example, Sales), users must connect with https://IPAddress/Sales.
4. Check the Enable Context check box.
5. In the Maximum Number of Users field, enter the maximum number of users allowed by the device license.
6. Click the Default Group policy drop-down arrow, and select the group policy to associate with this context.
7. Click OK, and then click OK.

Step 5. Configure the user database and authentication method
You can configure Clientless SSL VPN (WebVPN) sessions to authenticate with RADIUS, the Cisco AAA Server, or a local database. This example uses a local database.
1. Click Configuration, and then click Additional Tasks.
2. Expand Router Access, and choose User Accounts/View.
3. Click the Add button. The Add an Account dialog box appears.
4. Enter a user account and a password.
5. Click OK, and then click OK.
6. Click Save, and then click Yes to accept the changes.

Results
Use this section to confirm that your configuration works properly.
Procedure. Complete these procedures in order to confirm that your configuration works properly:
1. Test your configuration with a user. Enter https://WebVPN_Gateway_IP_Address into an SSL-enabled web browser, where WebVPN_Gateway_IP_Address is the IP address of the WebVPN service. After you accept the certificate and enter a user name and password, the portal page should appear.
2. Check the SSL VPN session. Within the SDM application, click the Monitor button, and then click VPN Status. Expand WebVPN (All Contexts), expand the appropriate context, and choose Users.
3. Check error messages. Within the SDM application, click the Monitor button, click Logging, and then click the Syslog tab.
4. View the running configuration for the device. Within the SDM application, click the Configure button, and then click Additional Tasks. Expand Configuration Management, and choose Config Editor.
Commands. Several show commands are associated with WebVPN. You can execute these commands at the command-line interface (CLI) to show statistics and other information. For detailed information about show commands, refer to Verifying WebVPN Configuration.
Note: The Output Interpreter Tool (OIT; registered customers only) supports certain show commands. Use the OIT to view an analysis of show command output.

Troubleshoot
Use this section to troubleshoot your configuration.
Note: Do not interrupt the Copy File to Server command or navigate to a different window while the copying is in progress.
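The five SDM steps above generate IOS commands, and it is worth knowing what they are, both to review what the GUI delivered (Config Editor, above) and to reproduce the setup without SDM. The following is an added example written by hand, not the document's own configuration: the gateway address 203.0.113.10 (RFC 5737 documentation space), the context and domain name Sales, the internal host names, the NBNS server 10.1.1.5, the NTP server, the user vpnuser and the trustpoint serial number are all assumptions. The trustpoint name is the one IOS created when HTTPS was first enabled; it is referenced, not regenerated, for the reason given in the notes at the top of this document.

```cisco
! Added example, not from the original document: CLI equivalent of SDM Steps 1-5.
hostname vpn-rtr                            ! fixed before the certificate exists; do not change later
ip domain-name example.net
clock timezone UTC 0
ntp server 10.1.1.20                        ! certificates are date-checked; the clock must be right
!
aaa new-model
aaa authentication login default local      ! Step 5: local user database
username vpnuser secret Choose-A-Real-Passphrase    ! placeholder value
!
! Step 1: the gateway owns the listening address, port and certificate.
webvpn gateway SSL-GW
 ip address 203.0.113.10 port 443
 http-redirect port 80                      ! the "Redirect HTTP Traffic" check box
 ssl trustpoint TP-self-signed-1234567890   ! existing self-signed trustpoint (assumed name)
 inservice
!
! Steps 2-4: resources, policy group, and the context that ties them to the gateway.
webvpn context SALES
 title "Sales portal"
 ! Step 2: URL list shown on the portal page (HTTP/HTTPS targets only)
 url-list "INTRANET"
   heading "Internal sites"
   url-text "Intranet" url-value "http://intranet.example.net"
   url-text "Webmail"  url-value "https://owa.example.net/owa"
 ! Step 2: NBNS list so CIFS browsing can resolve Windows names
 nbns-list "WINS"
   nbns-server 10.1.1.5 master
 ! Step 3: what members of this group may reach
 policy group SALES-POLICY
   url-list "INTRANET"
   nbns-list "WINS"
   functions file-access                    ! "Enable CIFS"
   functions file-browse                    ! "Read"
   functions file-entry                     ! "Write" (omit if users should not upload)
   citrix enabled                           ! only if "Enable Citrix" was checked
 default-group-policy SALES-POLICY
 ! Step 4: bind to the gateway; users connect to https://203.0.113.10/Sales
 gateway SSL-GW domain Sales
 max-users 10
 inservice
!
! Verification (Results section above, from the CLI side)
! show webvpn gateway SSL-GW
! show webvpn context SALES
! show webvpn session context SALES
! show webvpn stats detail context SALES
```

Two things the GUI does not make obvious: `functions file-entry` is what turns file browsing into file upload, so leave it out for groups that only need to read shares, and every host in the URL list becomes reachable through the router's own address, so the list is effectively an allow-list that should stay short.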
Interruption of the operation can cause an incomplete file to be saved on the server.
Note: Users can upload and download new files using the WebVPN client, but a user is not allowed to overwrite files in the Common Internet File System (CIFS) on WebVPN using the Copy File to Server command. The user receives this message when attempting to replace a file on the server:
Unable to add the file
Procedure. Complete these steps in order to troubleshoot your configuration:
1. Ensure clients disable pop-up blockers.
2. Ensure clients have cookies enabled.
3. Ensure clients use Netscape, Internet Explorer, Firefox, or Mozilla web browsers.
Commands. Several debug commands are associated with WebVPN. Refer to Using WebVPN Debug Commands for detailed information about these commands.
Note: The use of debug commands can adversely impact your Cisco device. Before you use debug commands, refer to Important Information on Debug Commands.

Cisco Support Community - Featured Conversations
Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers. Below are some of the most recent and relevant conversations.

Thread: SSL VPN (WebVPN) issues with IOS...
hardarson, 4 replies, 6 months, 1 day ago
Hello everyone... I need your help! I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
Symptoms:
- AnyConnect Client prompts users with the following error: "The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
Debug:
```
Mar 5 13:09:45:
Mar 5 13:09:45: WV-TUNL: Tunnel CSTP Version recv use 1
Mar 5 13:09:45: WV-TUNL: Allocating tunl_info
Mar 5 13:09:45: WV-TUNL: Allocating stc_config
Mar 5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
Mar 5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
Mar 5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
Mar 5 13:09:45: HTTP/1.1 401 Unauthorized
Mar 5 13:09:45:
Mar 5 13:09:45:
Mar 5 13:09:45:
Mar 5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
Mar 5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
Mar 5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
Mar 5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
WV-TUNL: Severity ERROR Type USER_LOGOUT
WV-TUNL: Text: HTTP response contained an HTTP error code.
Mar 5 13:09:45: WV-TUNL: Call user logout function
Mar 5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
```
When the error occurs, the "SVCIP install TCP failed" counter increments:
```
VPN-Router1# show webvpn stats detail context CUSTOMER-VPN
[snip]
Tunnel Statistics:
Active connections : 1
Peak connections : 3            Peak time : 19:09:04
Connect succeed : 9             Connect failed : 5
Reconnect succeed : 0           Reconnect failed : 0
SVCIP install IOS succeed: 14   SVCIP install IOS failed : 0
SVCIP clear IOS succeed : 18    SVCIP clear IOS failed : 0
SVCIP install TCP succeed: 9    SVCIP install TCP failed : 5
DPD timeout : 0
[snip]
```
IOS version details:
```
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
```
The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
Config:
```
webvpn context CUSTOMER-VPN
 title "SSL VPN for Customer"
 ssl authenticate verify all
 !
 login-message "Enter username and passcode"
 !
 policy group CUSTOMER-VPN
   functions svc-required
   svc keep-client-installed
   svc split include 10.1.16.0 255.255.240.0
   svc split include 10.1.2.0 255.255.254.0
 vrf-name CUSTOMER-VPN
 default-group-policy CUSTOMER-VPN
 aaa authentication list AAA-LIST
 aaa authentication auto
 aaa accounting list AAA-LIST
 gateway vpn virtual-host
 logging enable
 inservice
```
The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!

Re: SSL VPN (WebVPN) issues with IOS...
andreas.reimann, 6 months, 2 days ago
We encountered the same issue very sporadically running IOS 12.4(24)T3 (ADV-IP-SERV) on 3825. It matches your configuration quite closely. Did you open a Cisco TAC case already?

Re: SSL VPN (WebVPN) issues with IOS...
hardarson, 6 months, 2 days ago
Hi. Do you allocate the AnyConnect clients' IP addresses via IP pools on your ACS server? If so, you can consider switching to a local IP pool on the router. This seemed to have solved the problem for us. /Atle

Re: SSL VPN (WebVPN) issues with IOS...
andreas.reimann, 6 months, 1 day ago
Yes, we allocate addresses through ACS. Local IP address assignment I consider as a workaround only.

Re: SSL VPN (WebVPN) issues with IOS...
andreas.reimann, 6 months, 1 day ago
Have you seen my post https:///message/2016069#2016069 ? At that point in time we were running with a local pool definition. As the http 401 rc happens very sporadically we are still gathering incident reports internally. Will open a case if you did not yet. cheers, Andy

Thread: Cisco asa 5510 web vpn homepage...
martinezloriente, 2 replies, 4 days, 12 hours ago
hello, we are using ASA with clientless users with a customized portal. Using the post command on bookmarks, we can have "credentials passthru" from the login page (asa is connected to AD domain) using post parameters. There is a group that needs the home page using the company intranet page (using the option homepage URL in the customization or the internal group policy). The problem is that it is working ok but we can't use post commands, the user needs to login again, any idea? Using asdm 6.2(5) with ASA 8.2(2).

Re: Cisco asa 5510 web vpn homepage...
m.schlienger, 5 days, 2 hours ago
I have the same kind of request (except on asa 5505, asa 8.3, asdm 6.3). We have successfully configured Exchange 2007 OWA access with "SSO" thanks to a POST bookmark. But we still have to use a bookmark, while it would be so elegant to have a straight redirection to OWA after logging in. Technically it should not be a problem, it is just a feature that seems not to appear with current versions. Let me know if you found any kind of...

Re: Cisco asa 5510 web vpn homepage...
hebaerte, 4 days, 12 hours ago
You can do this using the POST plugin: /en/US/docs/security/asa/asa83/asdm63/configuration_guide/vpn_web.html#wp1058342
The latest version of the plugin is available here:

Thread: Citrix Plug-in version 12 no good with...
alicato43, 5 replies, 6 months, 1 day ago
I thought I'd give the new version 12 of the Citrix Online Plug-in a try on my home PC, a Windows 7 64-bit machine, but no go. I connect through a Cisco SSL VPN (ASA) to my place of work and try to launch apps from my citrix nfuse site; both Firefox (3.6.2) and IE 8 appear to download the launch file but then nothing happens at all. My first install was an update over an existing install of the 11.2 version of the Online Plug-In. I then removed version 12 and reinstalled it, no change in behavior. No go for me. Uninstalled 12 and reinstalled 11.2, and voila, back in business. Did anyone else experience problems with v. 12 on Windows 7 64-bit? I saw a message on the Thin list of someone else who had issues with that environment but did not provide details.
Looks like a problem with ver 12 of the client, but citrix aren't taking any blame for this and are blaming cisco. What can I do? The new citrix client doesn't use java anymore. See the link for more info /thread.jspa?threadID=261833&tstart=0

Re: Citrix Plug-in version 12 no good...
yleduc, 7 months, 1 week ago
I got the same issue and I have a case open with Cisco about this. It is obvious that somehow the new Citrix client is handling the connection differently, but where. I just sent one of the last posts on the citrix site about the STA stuff to our Citrix Admin to see if he can decipher the information. regards.

Re: Citrix Plug-in version 12 no good...
florian.zahn, 6 months, 3 weeks ago
Hi, we have also the same issue.... We also opened a Cisco case regarding this... Best regards, Florian

Re: Citrix Plug-in version 12 no good...
nwlogical, 6 months, 1 week ago
Has anyone got an update on this issue?

Re: Citrix Plug-in version 12 no good...
yleduc, 6 months, 6 days ago
Hello, at this point there is a bug ID on the problem: CSCtg81514, "Webvpn with Citrix - Xenapp upgrade from 11.2 to..."

Re: Citrix Plug-in version 12 no good...
yleduc, 6 months, 1 day ago
Hello, looks like Cisco found a solution on this issue....

Thread: Clientless SSL VPN and certificates
StanDamen, 1 reply, 4 months, 2 weeks ago
Hi all, at our company we currently use the clientless SSL VPN portal to grant users access to webmail and certain tools from the outside. Is there any way to implement a check into the login process to check for a computer certificate we will place on company laptops/machines? I know that during the login process the access group is checked, as well as the group policy. But I'm not sure if certificate checking is in any way possible. Thanks for your input!

Re: Clientless SSL VPN and certificates
rahgovin, 4 months, 2 weeks ago
Do you mean authenticate using a certificate or just checking if a certificate is present during login? Certificate authentication can be done by selecting the authentication method for clientless as certificate instead of aaa. The client cert has to be installed in the browser store of the PC. For the second option, using endpoint assessment could be used I guess. You can check the following link if it helps:

Thread: Audio With Clientless SSL/Web VPN
ne, 1 reply, 1 month, 4 weeks ago
I've successfully configured my ASA 5505 appliance to support the clientless SSL/Web VPN. The ASA has Version 8.3(2) software release. The clients are able to connect without a problem to internal servers and PCs but the sounds the PC generates are not audible on the remote computer. If I use the client-based VPN and Microsoft's RDP Client, the sounds are audible. I've looked online in both Cisco's web site and a general web search and haven't found any information on the issue. I've also looked through the ASDM configuration (Version 6.3) and haven't found any setting for audio or sound. Is audio (bells, beeps, etc) not supported through the clientless SSL/Web VPN? If it is, how do I enable it?

Re: Audio With Clientless SSL/Web VPN
mlatosie, 1 month, 4 weeks ago
Benny, what sort of application are we talking about? In general we recommend DTLS to be enabled (and in use); you might want to look into disabling compression. Can you check vpn-sessiondb for me to see if DTLS is in use and check if compression is enabled or not.

Thread: Clientless SSL WebVPN
max.pierson, 7 replies, 3 weeks, 4 days ago
Does anyone know how to inject HTTP POST if you choose to bypass the portal page via the Optional Homepage URL? It seems as though you don't have any options to pass credentials unless you use the portal and bookmarks.

Re: Clientless SSL WebVPN
topula, 6 months, 3 weeks ago
One option would be to use the POST plug-in along with a customization page. On the customization portal page you can define a homepage URL which will have the post and macros included. You will then associate this customization to the group policy so that it loads after successful authentication. A sample POST URL may look something like...

Re: Clientless SSL WebVPN
nwlogical, 1 month, 4 weeks ago
Is there another way to do this other than the POST command? It is my understanding that the POST command will not allow you to enable "Use Smart Tunnel for Homepage" since it is not an HTTP(S) protocol.

Re: Clientless SSL WebVPN
topula, 1 month, 4 weeks ago
The ASA 8.4 code release will include enhancements for auto sign-on capabilities using POST with smart tunneling.

Re: Clientless SSL WebVPN
nwlogical, 1 month, 4 weeks ago
Any idea when this will be released?

Re: Clientless SSL WebVPN
nwlogical, 1 month, 3 weeks ago
Another question. If I have the home page set to an http or an https site and smart-tunnel enabled on the site, I get this error if the smart tunnel is not installed on the system: "WebVPN Relay loader is taking a long time to start. Java must be installed and enabled in the browser." I know Java is enabled and I can go to another ASA site that does not have the home page set and smart-tunnel installs fine and works. Why is it not...

Re: Clientless SSL WebVPN
nwlogical, 1 month, 3 weeks ago
Okay, figured this one out. In IE you have to have the setting set in Intranet security to enable "allow previously unused ActiveX controls to run without prompt". In Firefox you need to make sure Java is installed.

Re: Clientless SSL WebVPN
nwlogical, 3 weeks, 4 days ago
Just so I understand: having smart tunnel enabled on the home page by checking the enable button on "Use smart tunnel for Homepage:" is only for Windows systems. This will not work on a Mac since the docs say that you can only fire smart tunnel on a Mac from a bookmark; is this correct, or is there a workaround? If not, is this being looked at to be fixed in the future?

Thread: ASA clientless SSL VPN (WebVPN) and...
baskokken, 4 replies, 2 months, 2 weeks ago
Can anyone tell me if ASA (5505 on 8.04) supports using Ajax web applications through the WebVPN portal? Specifics: I am trying to use the management pages of a Synology NAS running Disk Station 2 software.
This management page uses Ajax.It looks like the ASA cannot handle this.Subscribe ReplyRe: ASA clientless SSL VPN (WebVPN) and...brispin1 year, 8 months agoYou may try configuring the thin-client SSL VPN (port forwarding). A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are made to files on the local machine. This method of SSL VPN does not work with applications that...ReplyRe: ASA clientless SSL VPN (WebVPN) and...baskokken1 year, 8 months agoThanks for this great suggestion, made me change focus.I will try asap.ReplyRe: ASA clientless SSL VPN (WebVPN) and...https:///people/ronnie.lebi%40tdsb.on.ca?referring_site=kapi2 months, 3 weeks agoIs AJAX truly incompatible with the ASA?? Using the smart-tunneled approach doesn't work for us.ReplyRe: ASA clientless SSL VPN (WebVPN) and...simonslater2 months, 2 weeks agoI has this working with an ASA5505 using clienless SSL and my Synology CS407 using DSM2.3-1157 but Synology have now upgraded the DSM software to DSM v3.0 which seems to be broken when using an SSL clientless connection through the ASA.is these anything I can do to stop the ASA SSL screwing up AJAX and allow me to actually see the default logon panel of the CS407?ReplyClientless SSL VPN QuestionsDJCanuck11 Reply3 years, 1 month agoWhen using a Clientless SSL VPN, is it possible to have the MAC address of the remote client pass through to an internal application? We are using a specific app that queries the connecting computer for it's MAC address before it will set up a session. 
The application runs fine when I connect the remote client via a full SSL VPN tunnel, but I'd prefer to go clientless SSL VPN with a published application link using Smart tunnels.Subscribe ReplyRe: Clientless SSL VPN Questionsvkapoor53 years, 1 month agoClientless SSL VPN (WebVPN) allows a user to securely access resources on the corporate LAN from anywhere with an SSL-enabled Web browser. The user first authenticates with a WebVPN gateway which then allows the user access to pre-configured network resources. WebVPN gateways can be configured on Cisco IOS routers, Cisco Adaptive Security Appliances (ASA), Cisco VPN 3000 Concentrators, and the Cisco WebVPN Services Module for the...Reply1841 IOS for Web Vpnimranraheel1 Reply3 years, 12 months agoI have a cisco 1841 router and i want to use web vpn on it i mean ssl vpn which ios is needed for ssl vpn as well as plz tell me the ssl vpn licence cost . I have heard that 2 SSL VPN Client Licence are free on but SDM doesnt allow me to do thatSubscribe ReplyRe: 1841 IOS for Web VpnMaseBarnes3 years, 12 months ago12.3.14T6 with Advanced Security should be the smallest ...。
Cisco security device management tool: SDM
SDM (Security Device Manager) is a new graphical router management tool provided by Cisco.
SDM is covered in depth in ISCW 1.0, the third course of the new CCNP track. Using a web interface, Java technology and interactive configuration wizards, it lets users monitor the status of, run security audits on and configure IOS routers without knowing the command-line interface (CLI). Configuration tasks such as QoS, Easy VPN Server, IPS, DHCP Server and dynamic routing protocols can also be completed easily and quickly with SDM.
Using SDM reduces the network administrator's workload and the chance of configuration errors.
When managing with SDM, the connection between the user and the router uses an encrypted HTTP connection and the SSH v2 protocol, so it is secure and reliable.
Most of Cisco's current low- and mid-range routers, including the 8xx, 17xx, 18xx, 26xx(XM), 28xx, 36xx, 37xx, 38xx, 72xx and 73xx series, already support SDM.
SDM's default HTTP(S) management IP on the device is 10.0.10.1, so when logging in with the default configuration, make sure the PC's address is in the 10.0.10.0 network.
The default SDM username is cisco, and the password is also cisco.
SDM can be installed either on a PC or on the router.
Installing it on the PC saves router memory and lets you use it to manage other SDM-capable routers, but in this mode you cannot perform the restore-to-defaults operation. Also, because IE blocks web pages from accessing local resources by default, the IE security settings must be changed: open the Tools menu in IE (IE 7.0 as an example), choose "Internet Options", select the "Advanced" tab, find "Allow active content to run in files on My Computer*" under "Settings" and enable it; also, on the "Privacy" tab, turn off the "Pop-up Blocker".
Installing on the router requires about 4-5 MB of Flash for the basic installation; the Cisco SDM Express component (1.5 MB of Flash) is only used for the router's initial configuration and does not need to be installed.
SDM can be downloaded from /pcgi-bin/tablebuild.pl/sdm (a CCO account is required). Download and unzip SDM-V21.zip, then run the Setup program to install SDM.
JRE 1.5 must be installed before installing SDM; if it is not yet installed, download it from the Sun website ().
After SDM has been installed on the router, the router must be configured as follows to support the SDM management tool:
ip http server                                              // allow HTTP login
ip http secure-server                                       // allow HTTPS login
ip http authentication local                                // use local authentication
ip http timeout-policy idle idle-number life life-number request request-number   // adjust the web interface timeout parameters
username username privilege 15 secret 0 secret              // must use 'secret'; the 'password' keyword cannot be used
If telnet or SSH remote login to the device is also needed, add the following commands:
line vty 0 X                                                // X varies by platform
login local
transport input telnet ssh                                  // allow telnet and SSH
If the steps above are configured correctly and completely, enter http://<router IP address> in IE to start using SDM.
On the first login to SDM you are prompted to change the default username cisco and the default password cisco.
Installing and using Cisco SDM
2008-04-02 20:36
SDM (Security Device Manager) is a new graphical router management tool from Cisco. Using a web interface, Java technology and interactive configuration wizards, it lets users monitor the status of, run security audits on and configure IOS routers without knowing the command-line interface (CLI).
Installing SDM:
1. First install the Java runtime environment.
2. Install SDM.
Choose a local installation during setup.
After SDM has been installed locally, add a virtual network adapter to the local computer:
3. Go to Control Panel > Add Hardware > add manually > Network adapters > select the Microsoft Loopback adapter.
4. After the adapter is installed, assign it an IP address, subnet mask and gateway.
Note that this adapter's IP must be in the same subnet as the F0/0 interface of the router in the emulator.
SDM logs in to 10.10.10.1 by default, which means the router's F0/0 interface IP is assumed to be 10.10.10.1.
5. After setting the computer's IP address, be sure to point the emulator's network adapter setting at the virtual adapter we just added.
Next, apply the settings the router needs so that SDM can run:
R(config)#ip http server                                    // allow HTTP login
R(config)#ip http authentication local                      // use local authentication
R(config)#ip http timeout-policy idle 600 life 86400 request 10000
  idle 600: HTTP connection idle timeout (disconnect automatically after 10 minutes without activity)
  life 86400: maximum lifetime of an HTTP connection (up to 24 hours)
  request 10000: maximum number of concurrent HTTP connections allowed
R(config)#username nlfe privilege 15 secret cisco           // set the username, privilege level and password
R(config)#line vty 0 4                                      // enable telnet login
R(config-line)#login local                                  // telnet login authenticates against the local user database
R(config-line)#transport input telnet ssh                   // allow login over telnet and SSH
6. Once the configuration above is complete, we can log in to the router with SDM.
After logging in to the router through SDM, we can configure the router just as we would from the CLI.
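Both configuration listings above state the same prerequisites (HTTP server, local authentication, a privilege-15 user created with secret rather than password, timeout policy, vty lines with login local) and both leave plaintext telnet and plaintext HTTP enabled alongside the secure variants. The following script is an added example, not code from the page or from Cisco: it parses a running-config excerpt and reports which SDM prerequisites are missing and which settings are weaker than the article's own recommendation of an encrypted connection. The two configs it checks are constructed for the example; the hostname R1 and user nlfe are taken from the listing above, and the finding texts are my own wording.

```python
import re

# Constructed sample running-config for a lab router (assumption: not a real device).
# It mirrors the article's listing but stores the credential with 'password'.
WEAK_CONFIG = """\
hostname R1
!
username nlfe privilege 15 password 0 cisco
!
ip http server
ip http authentication local
ip http timeout-policy idle 600 life 86400 request 10000
!
line vty 0 4
 login local
 transport input telnet ssh
!
end
"""

# The same router after applying the fixes the lint suggests (also constructed).
HARDENED_CONFIG = """\
hostname R1
!
username nlfe privilege 15 secret 0 cisco
!
ip http secure-server
ip http authentication local
ip http timeout-policy idle 600 life 86400 request 10000
!
line vty 0 4
 login local
 transport input ssh
!
end
"""


def parse_config(text):
    """Split an IOS config into global-mode lines and 'line vty' sub-mode lines."""
    global_lines, vty_lines = [], []
    in_vty = False
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            in_vty = False            # a '!' separator ends the current sub-mode
            continue
        if raw.startswith(" "):       # indented lines belong to a sub-mode
            if in_vty:
                vty_lines.append(raw.strip())
            continue
        in_vty = raw.startswith("line vty")
        if not in_vty:
            global_lines.append(raw.strip())
    return global_lines, vty_lines


def lint_sdm_config(text):
    """Return 'ERROR: ...' (SDM will not work) and 'WARN: ...' (works, but weak) findings."""
    g, vty = parse_config(text)
    findings = []

    has_http = "ip http server" in g
    has_https = "ip http secure-server" in g
    if not (has_http or has_https):
        findings.append("ERROR: no 'ip http server' or 'ip http secure-server'; SDM cannot reach the router")
    elif has_http and not has_https:
        findings.append("WARN: only plaintext 'ip http server' is on; add 'ip http secure-server' so SDM traffic is encrypted")

    if "ip http authentication local" not in g:
        findings.append("ERROR: 'ip http authentication local' missing; web logins will not use the local user database")

    # SDM needs a privilege-15 user whose credential is stored with 'secret', not 'password'.
    ok_users = []
    for line in g:
        m = re.match(r"username (\S+) privilege 15 (secret|password)\b", line)
        if not m:
            continue
        if m.group(2) == "password":
            findings.append(f"WARN: user '{m.group(1)}' uses 'password'; SDM requires 'secret'")
        else:
            ok_users.append(m.group(1))
    if not ok_users:
        findings.append("ERROR: no privilege-15 user defined with 'secret'")

    if not any(l.startswith("ip http timeout-policy") for l in g):
        findings.append("WARN: no 'ip http timeout-policy'; web sessions use platform defaults")

    if vty:
        if "login local" not in vty:
            findings.append("WARN: vty lines lack 'login local'; remote CLI logins will not use local users")
        transports = [l for l in vty if l.startswith("transport input")]
        if any("telnet" in t.split() for t in transports):
            findings.append("WARN: vty allows telnet (cleartext); prefer 'transport input ssh'")
    return findings


def is_sdm_ready(text):
    """True when the config carries no ERROR-level finding."""
    return not any(f.startswith("ERROR") for f in lint_sdm_config(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] ready={is_sdm_ready(cfg)}")
        for finding in lint_sdm_config(cfg):
            print("  " + finding)
```

Run it against the output of show running-config (pasted into WEAK_CONFIG) before pointing SDM at a router: the weak config produces one ERROR (the only privilege-15 user was created with password, which SDM does not accept) and three WARNs (HTTP without HTTPS, the password keyword, telnet on the vty lines), while the hardened config produces none.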
The emulator and usage instructions that accompany this article are in the download directory.