Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Network Diagram
Preconfiguration Tasks
Configure Anyconnect VPN on IOS
Step 1. Install and Enable the Anyconnect VPN Software on the IOS
Router
Step 2. Configure an SSL VPN Context and SSL VPN Gateway with
the CCP Wizard
Step 3. Configure the User Database for Anyconnect VPN Users
Step 4. Configure the Anyconnect Full Tunnel
CLI Configuration
Establish the AnyConnect VPN Client Connection
Verify
Commands
Troubleshoot
SSL Connectivity Issue
Troubleshooting Commands
NetPro Discussion Forums - Featured Conversations
Related Information
Introduction
This document describes how to set up a Cisco IOS router to perform SSL VPN on a stick with Cisco
AnyConnect VPN client using Cisco Configuration Professional (CCP). This setup applies to a specific
case where the Router does not allow split tunneling, and users connect directly to the Router before
they are permitted to go to the Internet.
SSL VPN or WebVPN technology is supported on these IOS router platforms:
CCP is a GUI-based device management tool that allows you to configure Cisco IOS-based access
routers, including Cisco integrated services routers, Cisco 7200 series routers, and the Cisco 7301
router. CCP is installed on a PC and simplifies router, security, unified communications, wireless,
WAN, and basic LAN configuration through GUI-based, easy-to-use wizards.
Routers that are ordered with CCP are shipped with Cisco Configuration Professional Express (CCP
Express) installed in router flash memory. CCP Express is a lightweight version of CCP. You can use
CCP Express to configure basic security features on the router's LAN and WAN interfaces. CCP
Express is available on the router flash memory.
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
Web browser with Sun JRE 1.4 or later, or an ActiveX-controlled browser
Components Used
The information in this document is based on these software and hardware versions:
Note: The information in this document was created from devices in a specific lab environment. All of
the devices used in this document started with a cleared (default) configuration. If your network is live,
make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Network Diagram
This document uses this network setup:
Preconfiguration Tasks
1. You must configure the router for CCP.
Routers with the appropriate security bundle license already have the CCP application loaded in
flash. Refer to Cisco Configuration Professional Quick Start Guide to obtain and configure the
software.
2. Download a copy of the Anyconnect VPN .pkg file to your management PC.
Step 1. Install and Enable the Anyconnect VPN Software on the IOS Router
To install and enable the Anyconnect VPN software on the IOS router, complete these steps:
1. Open the CCP application, go to Configure > Security, and then click VPN.
2. Expand SSLVPN, and choose Packages.
If the Cisco Anyconnect VPN client image is in the router's flash, click the Router File
System radio button, and click Browse.
If the Cisco Anyconnect VPN client image is not in the router's flash, click the My
Computer radio button, and click Browse.
5. Select the client image that you want to install, and click OK.
6. Once you specify the location of the client image, click Install.
7. Click Yes, and then click OK.
8. Once the client image is successfully installed, you receive this message:
9. Click OK to continue.
Step 2. Configure an SSL VPN Context and SSL VPN Gateway with the CCP Wizard
Complete these steps in order to configure an SSL VPN context and SSL VPN gateway:
1. Go to Configure > Security > VPN, and then click SSL VPN.
2. Click SSL VPN Manager, and click the Create SSL VPN tab.
3. Select the Create a New SSL VPN radio button, and then click Launch the selected task.
The SSL VPN Wizard dialog box appears.
4. Click Next.
5. Enter the IP Address of the new SSL VPN gateway, and enter a unique name for this SSL VPN
context.
You can create different SSL VPN contexts for the same IP address (SSL VPN gateway), but each
name must be unique. This example uses this IP address: https://172.16.1.1/
6. Click Next, and continue to Step 3.
Step 3. Configure the User Database for Anyconnect VPN Users
This dialog box allows you to add users to the local database.
2. Click Add, and enter user information.
3. Create a pool of IP addresses that clients of this SSL VPN context can use.
The pool of addresses must correspond to addresses available and routable on your Intranet.
4. Click the ellipses (...) next to the IP Address Pool field, and choose Create a new IP Pool.
5. In the Add IP Local Pool dialog box, enter a name for the pool (for example, new), and click Add.
6. In the Add IP address range dialog box, enter the address pool range for the Anyconnect VPN
clients, and click OK.
Note: Before 12.4(20)T, the IP address pool should be in a range of an interface directly
connected to the router. If you want to use a different pool range, you can create a loopback
address associated with your new pool to satisfy this requirement.
7. Click OK.
8. Make sure to check the Install Full Tunnel Client check box.
9. Configure advanced tunnel options, such as split tunneling, split DNS, browser proxy settings, and
DNS and WINS servers.
Note: Cisco recommends you configure at least DNS and WINS servers.
To configure advanced tunnel options, complete these steps:
a. Click the Advanced Tunnel Options button.
b. Click the DNS and WINS Servers tab, and enter the primary IP addresses for the DNS and
WINS servers.
The ability to transmit both secured and unsecured traffic on the same interface is known as
split tunneling. Split tunneling requires that you specify exactly which traffic is secured and
what the destination of that traffic is, so that only the specified traffic enters the tunnel
while the rest is transmitted unencrypted across the public network (Internet).
For example, refer to ASA 8.x : Allow Split Tunneling for AnyConnect VPN Client on the
12. After you customize the SSL VPN portal page, click Next.
13. Click Finish.
14. Click Deliver in order to save your configuration, and then click OK.
The SSL VPN Wizard submits your commands to the router.
Note: If you receive an error message, the SSL VPN license may be incorrect. A sample error
message is shown in the image in step 19 above.
To correct a license issue, complete these steps:
a. Go to Configure > Security > VPN, and then click SSL VPN.
b. Click SSL VPN Manager, and then click the Edit SSL VPN tab on the right-hand side.
c. Highlight your newly created context, and click the Edit button.
d. In the Maximum Number of users field, enter the correct number of users for your license.
e. Click OK, and then click Deliver.
Your commands are written to the configuration file.
CLI Configuration
CCP creates these command-line configurations:
Router
Router#show run
Building configuration...
Current configuration : 4110 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable password cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1951692551
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1951692551
revocation-check none
rsakeypair TP-self-signed-1951692551
!
!
crypto pki certificate chain TP-self-signed-1951692551
certificate self-signed 02
3082023E 308201A7 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393531 36393235 3531301E 170D3039 30383037 31303538
33345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39353136
39323535 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CD40 156E21C4 4F84401A F5674319 CC05B708 72A79C69 90997D30 6F556A37
[remaining rows of the self-signed certificate hex are not recoverable from the extraction]
no ip address
shutdown
no atm ilmi-keepalive
!
interface Vlan1
no ip address
!
ip local pool new 192.168.10.1 192.168.10.10
ip forward-protocol nd
ip route 10.20.10.0 255.255.255.0 172.16.1.2
ip route 10.77.233.0 255.255.255.0 10.77.241.65
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password cisco
transport input telnet ssh
transport output telnet
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
ip address 172.16.1.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-1951692551
inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn context sales
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "new"
svc dns-server primary 10.1.1.1
svc wins-server primary 10.1.1.2
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
max-users 10
inservice
!
end
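The notes in this section (the pre-12.4(20)T rule that the svc address pool must sit inside a directly connected interface's subnet, the license note behind max-users, and the description of split tunneling) can be turned into a small review check run against the running-config above. The script below is an added example, not code from the Cisco document or from CCP: it parses a constructed copy of the document's webvpn configuration, reports whether the pool is covered by a connected subnet (a loopback counts, as the note says), compares max-users with a licensed count you pass in, and decides for a sample destination whether the client sends it through the tunnel. The FastEthernet0/0 stanza, the Loopback0 address 192.168.10.254 and the svc split include subnet 10.20.10.0/24 are assumed values added for the example; the extraction lost the router's interface stanzas.

```python
"""Review checks for the SSL VPN (webvpn) part of an IOS running-config.

Added example, not the Cisco document's or CCP's own code. It applies the
section's notes to a constructed copy of the document's configuration.
"""
import ipaddress
import re

# Constructed sample: the document's "show run", trimmed to the relevant lines.
# The FastEthernet0/0 stanza is an assumed placeholder (the extraction dropped
# the interface stanzas); 172.16.1.1 is the gateway address used in the document.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
!
ip local pool new 192.168.10.1 192.168.10.10
!
webvpn gateway gateway_1
 ip address 172.16.1.1 port 443
 ssl trustpoint TP-self-signed-1951692551
 inservice
!
webvpn context sales
 policy group policy_1
   functions svc-enabled
   svc address-pool "new"
   svc dns-server primary 10.1.1.1
 default-group-policy policy_1
 max-users 10
 inservice
"""

# The fix the 12.4(20)T note describes: a loopback whose subnet contains the
# pool (192.168.10.254/24 is an assumed address, not from the document).
FIXED_CONFIG = SAMPLE_CONFIG + """\
interface Loopback0
 ip address 192.168.10.254 255.255.255.0
"""

# The same context with split tunneling for one assumed intranet subnet.
SPLIT_CONFIG = FIXED_CONFIG.replace(
    "   functions svc-enabled\n",
    "   functions svc-enabled\n   svc split include 10.20.10.0 255.255.255.0\n")


def parse_config(text):
    """Collect interface subnets, local pools and the webvpn context fields."""
    cfg = {"interfaces": {}, "pools": {}, "split_includes": [],
           "max_users": None, "pool_name": None}
    block = None  # ("interface", name) or ("webvpn", context) while inside a stanza
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):  # an unindented line starts a new top-level stanza
            block = None
            if m := re.match(r"interface (\S+)$", line):
                block = ("interface", m.group(1))
            elif m := re.match(r"webvpn context (\S+)$", line):
                block = ("webvpn", m.group(1))
            elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
                cfg["pools"][m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                            ipaddress.IPv4Address(m.group(3)))
            continue
        cmd = line.strip()
        if block and block[0] == "interface":
            if m := re.match(r"ip address (\S+) (\S+)$", cmd):
                cfg["interfaces"][block[1]] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif block and block[0] == "webvpn":
            if m := re.match(r"max-users (\d+)$", cmd):
                cfg["max_users"] = int(m.group(1))
            elif m := re.match(r'svc address-pool "?([^"]+)"?$', cmd):
                cfg["pool_name"] = m.group(1)
            elif m := re.match(r"svc split include (\S+) (\S+)$", cmd):
                cfg["split_includes"].append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"))
    return cfg


def pool_is_directly_connected(cfg, pool_name):
    """Return the interface whose subnet contains the whole pool, or None."""
    start, end = cfg["pools"][pool_name]
    for name, iface in cfg["interfaces"].items():
        if start in iface.network and end in iface.network:
            return name
    return None


def tunnel_decision(cfg, destination):
    """Where a client packet to 'destination' goes under the context's policy."""
    dst = ipaddress.IPv4Address(destination)
    if not cfg["split_includes"]:  # no split tunneling: full tunnel, everything enters the VPN
        return "tunnel"
    return "tunnel" if any(dst in net for net in cfg["split_includes"]) else "direct"


def audit(text, licensed_users):
    """Return a list of findings; an empty list means the checks passed."""
    cfg = parse_config(text)
    findings = []
    pool = cfg["pool_name"]
    if pool is None or pool not in cfg["pools"]:
        findings.append("svc address-pool is missing or names an undefined ip local pool")
    elif pool_is_directly_connected(cfg, pool) is None:
        findings.append(f"pool '{pool}' lies outside every directly connected subnet; "
                        "on releases before 12.4(20)T add a loopback that covers it")
    if cfg["max_users"] is not None and cfg["max_users"] > licensed_users:
        findings.append(f"max-users {cfg['max_users']} exceeds the licensed count {licensed_users}")
    return findings


if __name__ == "__main__":
    for label, text in [("as delivered", SAMPLE_CONFIG), ("with loopback", FIXED_CONFIG)]:
        print(label, audit(text, licensed_users=10) or ["ok"])
    print("8.8.8.8 under split policy:", tunnel_decision(parse_config(SPLIT_CONFIG), "8.8.8.8"))
```

Run against the configuration as delivered, the only finding is the pool: 192.168.10.1-10 is not covered by 172.16.1.0/24, which is exactly the case the 12.4(20)T note addresses, and the Loopback0 stanza clears it. Passing a licensed count lower than max-users reproduces the license mismatch that CCP's error message reports. With no svc split include, every destination, Internet addresses included, is sent through the tunnel, which is the no-split-tunneling behaviour this document configures.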
Establish the AnyConnect VPN Client Connection
OR
https://<IP address of the Router WebVPN interface>
3. Click the start button to initiate the Anyconnect VPN Tunnel Connection.
Note: ActiveX software must be installed on your computer before you download the Anyconnect
VPN.
The Connection Established message appears once the client successfully connects.
6. Click Details.
The Cisco AnyConnect VPN Client: Statistics Detail dialog box appears.
The Statistics Details dialog box displays detailed connection statistical information, including the
tunnel state and mode, the duration of the connection, the number of bytes and frames sent and
received, address information, transport information, and Cisco Secure Desktop posture
assessment status. The Reset button on this tab resets the transmission statistics. The Export
button allows you to export the current statistics, interface, and routing table to a text file. The
AnyConnect client prompts you for a name and location for the text file. The default name is
AnyConnect-ExportedStats.txt, and the default location is on the desktop.
7. In the Cisco AnyConnect VPN Client dialog box, click the About tab.
This tab displays the Cisco AnyConnect VPN Client Version information.
Verify
Use this section to confirm that your configuration works properly.
Commands
Several show commands are associated with WebVPN. You can execute these commands at the
command-line interface (CLI) to show statistics and other information. For detailed information about
show commands, refer to Verifying WebVPN Configuration.
Note: The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use
the OIT to view an analysis of show command output.
[WebVPN show command output: the extraction spilled its columns, so the counter values cannot be matched to their labels. The recoverable section labels were: Mangling statistics (Relative urls, Absolute urls, Non-http(s) absolute urls, Non-standard path urls, Interesting/Uninteresting tags and attributes, Embedded script/style statements, Inline scripts/styles, HTML comments, HTTP/1.0 and HTTP/1.1 requests, Unknown HTTP version, GET/POST/CONNECT requests, Other request methods, Through/Gateway/Pipelined requests, Req with header size >1K, Processed req hdr/body bytes, HTTP/1.0 and HTTP/1.1 responses, HTML/XML/CSS/JS responses, Other content type resp, Chunked encoding resp, Resp with encoded content, Resp with content length, Close after response, Resp with header size >1K, Processed resp hdr size, Processed resp body bytes); SSLVPN engine buffers in use; UDP VC's, Active Contexts, Name Replies, NB DGM Replies, NB Name Resolution Fails, Mbufs in use, Active VC's, Browse Errors, NetServEnum Errors, NBNS Config Errors; Request Bytes RX, Response Bytes TX, Active Connections, Requests Dropped; Sock counters; Server/Client proc and cef pkts and bytes, Packets in/out, Bytes in/out; ACL statistics (Permit and Deny web request, cifs request, without match ACL, with match ACL); Redirect request; Peak time, Connect failed, Reconnect failed; Server out/in IP pkts and bytes; cef out/in forwarded pkts and bytes.]
In CCP, choose Monitoring > Security > VPN Status > SSL VPN > Users in order to view the
current SSL VPN user lists in the router.
Choose Monitoring > Security > VPN Status > SSL VPN > Sales in order to view the current
SSL VPN session information in the router.
Troubleshoot
Use this section to troubleshoot your configuration.
Troubleshooting Commands
Several clear commands are associated with WebVPN. For detailed information about these commands,
refer to Using WebVPN Clear Commands.
Several debug commands are associated with WebVPN. For detailed information about these
commands, refer to Using WebVPN Debug Commands.
Note: The use of debug commands can adversely impact your Cisco device. Before you use debug
commands, refer to Important Information on Debug Commands.
Related Information