Configuring AnyConnect WebVPN on Cisco Router

  • Agregar a Technorati
  • Agregar a
  • Agregar a DiggIt!
  • Agregar a Yahoo!
  • Agregar a Google
  • Agregar a Meneame
  • Agregar a Furl
  • Agregar a Reddit
  • Agregar a Magnolia
  • Agregar a Blinklist
  • Agregar a Blogmarks

Configuring AnyConnect WebVPN on Cisco Router

Configuring AnyConnect WebVPN on Cisco Router

Posted: 02 Apr 2011 12:19 PM PDT

In this post I will explain how to configure WEB VPN (or sometimes called SSL VPN) using the Anyconnect VPN client on a Cisco 870 router.

Web Based VPN has three Remote Access modes:

Clientless – You connect to a web page portal from which you can have access to web based applications, File Sharing and Outlook Web Access (OWA) inside the corporate network .

Thin client – This mode allows TCP Port- Forwarding on applications, such as Telnet, SSH, SMTP POP3, Remote Desktop Connection (RDP). It uses a Java applet. This mode may be used only on TCP Based Applications.

Tunnel Mode or AnyConnect VPN client – almost same as an Easy VPN Client (IPSEC VPN client). In this mode you must have Administrator permissions on your remote access laptop/PC and any IP based Application can be used through this mode. A Java client is downloaded to the user's PC and facilitates the security and encryption from the remote user towards the termination device (router or firewall).

Both ASA and Cisco IOS Routers support web vpn technologies. On ASA an extra license is required if you want to have more than two users for your remote access web vpn. Without purchasing any license it provides support for only two users.

We will be using the following Network diagram in our example:

anyconnect vpn on cisco router

Requirements for Anyconnect VPN:

  • Java runtime 1.4 or later.
  • Cisco IOS 12.4(15)T7 (supports ONLY clientless Web Based VPN)
  • CISCO IOS 12.4(20)T (supports all web vpn modes, both clientless and anyconnect Client VPN).

Used in Lab for this tutorial:

  • Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
  • ANY Connect Client: anyconnect-win-2.3.2016-k9.
  • FireFox 3.6.8 and IE 8
  • Windows XP SP2 and Windows Server Ultimate 32 bit


!Configure Certificate

crypto pki trustpoint local
enrollment selfsigned
revocation-check crl
rsakeypair my_key 1024 1024

!Generate Certificate and turn on HTTPS Service

crypto pki enroll local
ip http secure-server

!Before starting the actual configuration of Web Vpn, first we configure Gateway, on which IP address we shall terminate the Anyconnect VPN, which certificates to use, on which port we shall run the VPN and any redirections necessary ( i.e. if request comes on port 80 port, it will redirect the user to port 443). All these are configured under the webvpn mode.

! enable webvpn gateway configuration mode to configure SSL VPN Gateway. ONLY one Gateway is configured in an SSL VPN Network
webvpn gateway soho

! configure hostname for SSL VPN; in our example hostname is home
hostname home

!configure IP address and port on which SSL VPN will connect.
ip address port 443

!Configure SSL Certificate; in our Example this Certificate is Self-signed
ssl trustpoint local

!configure Redirect. If somebody connects to TCP port 80 it will be redirected to port 443

http-redirect port 80

! Enable WebVPN Gateway

!turn on AAA and for authentication we use local database
aaa new-model
aaa authentication login webvpn local

!Create Local address pool, from which we'll assign IP addresses to anyconnect clients.
ip local pool webvpn1

!Create loopback interface, if we want to announce this network in any dynamic protocol.
interface Loopback2
ip address

!Create access list, which  later will be used to control what the webvpn client will be allowed to access. This is not access list for Split Tunneling. Split Tunnel is created in context configuration mode.
ip access-list extended webvpn-acl
permit tcp host eq 3389

!After this we need to create a profile context.
!  Create Webvpn context; same as profile on easy vpn
webvpn context

! change default Title
title "IP Networks Training and Tutorials"

! Verify SSL Certificate.
ssl authenticate verify all

! Change default login message displayed on login page before user login.
login-message "Enter your credentials"

!Configure policy for this group with name networkstraining
policy group  networkstraining

!configure banner to be displayed after successful login
banner "authentication success"

! enable tunnel support for the remote user. If the Cisco AnyConnect VPN Client software package fails to install, the remote user can continue to use clientless mode or thin-client mode.
functions svc-enabled

! Below we configure an SSL VPN tunnel access filter which uses the ACL we have created above. Gives us the opportunity to control which type of traffic must allow or block via access list. In our example we created  webvpn-acl access list, which permits access from network to TCP 3389 ( Remote Desktop Protocol )  of host and all the rest are blocked.

filter tunnel webvpn-acl

! Configure IP address pool.  When client is connected via anyconnect client an IP will be assigned from this pool.
svc address-pool webvpn1

! Configures the domain for a policy group.
svc default-domain ""

! To install Cisco any connect client on User's PC.  When this feature is not turned on, when user is disconnected then Cisco anyconnect client will be automatically uninstalled.

svc keep-client-installed

!In case of successful authorization it will show us URL below
svc homepage ""

!Configures the tunnel key to be refreshed by initiating a new tunnel connection
svc rekey method new-tunnel

! Below is the split tunnel configuration which specifies the destination network to permit access within the tunnel when the user connects via Cisco anyconnect client.  If we don't indicate this parameter, then there will be Full Tunnel, meaning that all traffic will pass through the Cisco web VPN Server
svc split include

!Default group
default-group-policy one

!The name of authentication group. We've already created AAA group named webvpn and here this group will be used
aaa authentication list webvpn

!  Bind this context to Gateway created above

gateway soho

! Activate created context.

After the above we need to install anyconnect client to the flash memory of the router. The version of anyconnect client must support the operating system of the users that will be using the anyconnect service.

webvpn#copy tftp:// flash
webvpn(config)#webvpn install svc flash:anyconnect-win-2.3.2016-k9.pkg

After this we check if anyconnect cliet installation was successful in our configuration.

webvpn install svc flash:/webvpn/svc_1.pkg sequence 1

Bank customers warned after breach at Epsilon marketing firm

Posted: 01 Apr 2011 03:57 AM PDT

JP Morgan Chase and the Kroger supermarket chain are warning customers that their names and e-mail addresses may have fallen into the wrong hands after someone broke into computer systems at e-mail marketing giant Epsilon.

Rogue Android app sent personal info to legit version's developer, claims AVAST

Posted: 01 Apr 2011 12:08 AM PDT

A malicious Android app that shamed users for pirating software transmitted personal information to a URL controlled by the legitimate app's developer, a security company said today.

UberSocial fixes direct-message privacy bug

Posted: 31 Mar 2011 10:45 PM PDT

UberSocial has fixed a bug in its Twitter software for mobile phones that put some users' privacy at risk.

Bank of America to further ramp up security with new CISO

Posted: 31 Mar 2011 10:00 PM PDT

Bank of America has hired a new CISO as it continues its effort to bolster security after WikiLeaks claimed to have obtained sensitive internal documents from an unnamed major U.S. bank.

Comodo compromise expands, hacker talks

Posted: 01 Apr 2011 08:49 AM PDT

The attacker who breached the certificate authority speaks, prompting Comodo to acknowledge that two more of its partners were breached.


Post a Comment