AnyConnect VPN (SSL) Client on IOS Router with CCP Configuration Example

Document ID: 110608

Introduction
Prerequisites
  Requirements
  Components Used
  Conventions
Network Diagram
Preconfiguration Tasks
Configure AnyConnect VPN on IOS
  Step 1. Install and Enable the AnyConnect VPN Software on the IOS Router
  Step 2. Configure a SSLVPN Context and SSLVPN Gateway with the CCP Wizard
  Step 3. Configure the User Database for AnyConnect VPN Users
  Step 4. Configure the AnyConnect Full Tunnel
  CLI Configuration
Establish the AnyConnect VPN Client Connection
Verify
  Commands
Troubleshoot
  SSL Connectivity Issue
  Error: SSLVPN Package SSL-VPN-Client : installed Error: Disk
  Troubleshooting Commands
Related Information

Introduction

This document describes how to set up a Cisco IOS® router to perform SSL VPN on a stick with the Cisco AnyConnect VPN client using Cisco Configuration Professional (CCP). This setup applies to a specific case where the router does not allow split tunneling, and users connect directly to the router before they are permitted to go to the Internet.

SSL VPN or WebVPN technology is supported on these IOS router platforms:

• 870, 1811, 1841, 2801, 2811, 2821, 2851
• 3725, 3745, 3825, 3845, 7200, and 7301

CCP is a GUI-based device management tool that allows you to configure Cisco IOS-based access routers, including Cisco integrated services routers, Cisco 7200 series routers, and the Cisco 7301 router. CCP is installed on a PC and simplifies router, security, unified communications, wireless, WAN, and basic LAN configuration through GUI-based, easy-to-use wizards.

Routers that are ordered with CCP are shipped with Cisco Configuration Professional Express (CCP Express) installed in router flash memory. CCP Express is a lightweight version of CCP. You can use CCP Express to configure basic security features on the router's LAN and WAN interfaces. CCP Express is available on the router flash memory.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

• Microsoft Windows 2000 or XP
• Web browser with Sun JRE 1.4 or later, or an ActiveX-controlled browser
• Local administrative privileges on the client
• Cisco IOS router with an Advanced Security image, 12.4(20)T or later
• Cisco Configuration Professional 1.3

If Cisco Configuration Professional is not already loaded on your computer, you can obtain a free copy of the software and install the .exe (cisco-config-pro-k9-pkg-1_3- file from Software Download. For detailed information on the installation and configuration of CCP, refer to Cisco Configuration Professional Quick Start Guide.

Components Used
The information in this document is based on these software and hardware versions:

• Cisco IOS Series 1841 Router with software version 12.4(24)T
• Cisco Configuration Professional (CCP) 1.3
• Cisco AnyConnect SSL VPN Client version for Windows 2.3.2016

Note: The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Network Diagram
This document uses this network setup:

Preconfiguration Tasks
1. You must configure the router for CCP. Refer to Cisco Configuration Professional Quick Start Guide to obtain and configure the software. Routers with the appropriate security bundle license already have the CCP application loaded in flash.
2. Download a copy of the AnyConnect VPN .pkg file to your management PC.

Configure AnyConnect VPN on IOS

In this section, you are presented with the steps necessary to configure the features described in this document. This example configuration uses the CCP Wizard to enable the operation of the AnyConnect VPN on the IOS router.

Complete these steps in order to configure AnyConnect VPN on the Cisco IOS router:

1. Install and Enable the AnyConnect VPN Software on the Cisco IOS Router
2. Configure a SSL VPN Context and SSL VPN Gateway with the CCP Wizard
3. Configure the User Database for AnyConnect VPN Users
4. Configure the Resources to Expose to Users

Step 1. Install and Enable the AnyConnect VPN Software on the IOS Router

To install and enable the AnyConnect VPN software on the IOS router, complete these steps:

1. Open the CCP application, go to Configure > Security, and then click VPN.
2. Expand SSLVPN, and choose Packages.
3. Under Cisco SSLVPN client software, click Browse. The Install SSL VPN Client Package dialog box appears.

4. Specify the location of the Cisco AnyConnect VPN client image.
   ♦ If the Cisco AnyConnect VPN client image is in the router's flash, click the Router File System radio button in the dialog box, and click Browse.
   ♦ If the Cisco AnyConnect VPN client image is not in the router's flash, click the My Computer radio button in the dialog box, and click Browse.
   The File Selection dialog box appears.
5. Select the client image that you want to install, and click OK.

6. Once you specify the location of the client image, click Install.
7. Click Yes.
8. Once the client image is successfully installed, you receive this message:
9. Click OK to continue.

Step 2. Configure a SSLVPN Context and SSLVPN Gateway with the CCP Wizard

Complete these steps in order to configure a SSL VPN context and SSL VPN gateway:

1. Go to Configure > Security > VPN, and then click SSL VPN.
2. Click SSL VPN Manager, and click the Create SSL VPN tab.
3. Check the Create a New SSL VPN radio button, and then click Launch the selected task. The SSL VPN Wizard dialog box appears.

4. Click Next, and enter a unique name for this SSL VPN context. You can create different SSL VPN contexts for the same IP address (SSL VPN gateway), but each name must be unique.
5. Enter the IP address of the new SSL VPN gateway. This example uses this IP address: https://172.16.1.1/
6. Click Next, and continue to Step 3.

Step 3. Configure the User Database for AnyConnect VPN Users

For authentication, you can use an AAA server, local users, or both. This configuration example uses locally created users for authentication.

Complete these steps in order to configure the user database for AnyConnect VPN users:

1. After you complete Step 2, click the Locally on this router radio button located in the SSL VPN Wizard User Authentication dialog box.
2. Click Add, and enter user information. This dialog box allows you to add users to the local database.

3. Click OK, and add additional users as necessary.
4. After you add the necessary users, click Next, and continue to Step 4.

Step 4. Configure the AnyConnect Full Tunnel

Complete these steps in order to configure the AnyConnect full tunnel and the pool of IP addresses for the users:

1. Because AnyConnect gives direct access to corporate intranet resources, the URL list does not need to be configured. Click the Next button located in the Configure Intranet Websites dialog box.

2. Verify that the Enable Full Tunnel check box is checked.
3. Create a pool of IP addresses that clients of this SSL VPN context can use. The pool of addresses must correspond to addresses available and routable on your intranet.
4. Click the ellipses (...) next to the IP Address Pool field, and choose Create a new IP Pool.

5. In the Add IP Local Pool dialog box, enter a name for the pool (for example, new), and click Add.
6. In the Add IP address range dialog box, enter the address pool range for the AnyConnect VPN clients, and click OK.
   Note: Before 12.4(20)T, the IP address pool should be in a range of an interface directly connected to the router. If you want to use a different pool range, you can create a loopback address associated with your new pool to satisfy this requirement.
7. Click OK.
8. Make sure to check the Install Full Tunnel Client check box.

9. Configure advanced tunnel options, such as split tunneling, split DNS, browser proxy settings, and DNS and WINS servers. To configure advanced tunnel options, complete these steps:
   a. Click the Advanced Tunnel Options button.
   b. Click the DNS and WINS Servers tab, and enter the primary IP addresses for the DNS and WINS servers.
      Note: Cisco recommends that you configure at least DNS and WINS servers.

   c. To configure split tunneling, click the Split Tunneling tab. The ability to transmit both secured and unsecured traffic on the same interface is known as split tunneling. Split tunneling requires that you specify exactly which traffic is secured and what the destination of that traffic is, so that only the specified traffic enters the tunnel while the rest is transmitted unencrypted across the public network (Internet). For example, refer to ASA 8.x : Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration Example, which provides step-by-step instructions on how to allow Cisco AnyConnect VPN clients access to the Internet while they are tunneled into a Cisco Adaptive Security Appliance (ASA) 8.0.2.
10. After you configure the necessary options, click Next.
11. Customize the SSL VPN Portal Page or select the default values. The Customize SSL VPN Portal Page allows you to customize how the SSL VPN Portal Page appears to your customers.

12. After you customize the SSL VPN portal page, click Next.
13. Click Finish.
14. Click Deliver in order to save your configuration. The SSL VPN Wizard submits your commands to the router, and then you click OK.

Note: If you receive an error message, the SSL VPN license may be incorrect. To correct a license issue, complete these steps:
   a. Go to Configure > Security > VPN, and then click SSL VPN.
   b. Click SSL VPN Manager, and then click the Edit SSL VPN tab on the right-hand side.
   c. Highlight your newly created context, and click the Edit button.

   d. In the Maximum Number of users field, enter the correct number of users for your license.
   e. Click OK, and then click Deliver. Your commands are written to the configuration file.

CLI Configuration

CCP creates these command-line configurations:

Router#show run
Building configuration...

Current configuration : 4110 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable password cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1951692551
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1951692551
 revocation-check none
 rsakeypair TP-self-signed-1951692551
!
!
crypto pki certificate chain TP-self-signed-1951692551
 certificate self-signed 02
  ! (self-signed certificate hex data omitted)
  quit
dot11 syslog
ip source-route
!
ip cef
!
multilink bundle-name authenticated
!
username test privilege 15 password 0 test
username tsweb privilege 15 password 0 tsweb
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 ip address <address and mask not recoverable from the source>
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ES_LAN$
 ip address <address and mask not recoverable from the source>
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Vlan1
 no ip address
!
ip local pool new <address range not recoverable from the source>
ip forward-protocol nd
ip route <destination, mask and next hop not recoverable from the source>
ip route <destination, mask and next hop not recoverable from the source>
!
ip http server
ip http authentication local
ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 transport input telnet ssh
 transport output telnet
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
 ip address 172.16.1.1 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-1951692551
 inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn context sales
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "new"
   svc dns-server primary 10.1.1.1
   svc wins-server primary 10.1.1.2
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 max-users 10
 inservice
!
end

Establish the AnyConnect VPN Client Connection

Complete these steps in order to establish an AnyConnect VPN connection with the router:

1. Enter the URL or IP address of the router's WebVPN interface in your web browser in the format shown here:
   https://<url> OR https://<IP address of the Router WebVPN interface>
   Note: Add the router to the list of trusted sites in Internet Explorer. For more information, refer to Adding a Security Appliance/Router to the List of Trusted Sites (IE).

2. Enter your user name and password.
3. Click the Start button to initiate the AnyConnect VPN tunnel connection.

4. This window appears before the SSL VPN connection is established.
   Note: ActiveX software must be installed on your computer before you download the AnyConnect VPN client.
   The Connection Established message appears once the client successfully connects.

5. Once the connection is successfully established, click the Statistics tab. The Statistics tab displays information about the SSL connection.
6. Click Details.

   The Cisco AnyConnect VPN Client: Statistics Detail dialog box appears. The Statistics Details dialog box displays detailed connection statistical information, including the tunnel state and mode, the duration of the connection, the number of bytes and frames sent and received, address information, transport information, and Cisco Secure Desktop posture assessment status. The Reset button on this tab resets the transmission statistics. The Export button allows you to export the current statistics, interface, and routing table to a text file. The AnyConnect client prompts you for a name and location for the text file. The default name is AnyConnect-ExportedStats.txt, and the default location is on the desktop.
7. In the Cisco AnyConnect VPN Client dialog box, click the About tab. This tab displays the Cisco AnyConnect VPN Client version information.

Verify

Use this section to confirm that your configuration works properly.

Note: The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Commands

Several show commands are associated with WebVPN. You can execute these commands at the command-line interface (CLI) to show statistics and other information. For detailed information about show commands, refer to Verifying WebVPN Configuration.

Note: In the outputs below, the client IP address was only partly legible in the source; its illegible octets are shown as x.

• Router#show webvpn session context all

WebVPN context name: sales
Client_Login_Name  Client_IP_Address  No_of_Connections  Created   Last_Used
test               10.x.x.2           3                  00:03:10  00:02:56

• Router#show webvpn session user test context sales

WebVPN user name = test ; IP address = 10.x.x.x; context = sales
No of connections: 0
Created 00:26:05, Last-used 00:25:24
User Policy Parameters
  Group name = policy_1
Group Policy Parameters
  url list name = "webserver"
  idle timeout = 2100 sec
  session timeout = Disabled
  functions = mask-urls svc-enabled
  citrix disabled
  address pool name = "new"
  dpd client timeout = 300 sec
  dpd gateway timeout = 300 sec
  keepalive interval = 30 sec
  SSLVPN Full Tunnel mtu size = 1406 bytes
  keep sslvpn client installed = enabled
  rekey interval = 3600 sec
  rekey method =
  lease duration = 43200 sec

• Router#show webvpn stats

User session statistics:
  Active user sessions     : 1
  Peak user sessions       : 2
  Active user TCP conns    : 0
  Session alloc failures   : 0
  VPN session timeout      : 0
  User cleared VPN sessions: 0
  Exceeded total user limit: 0
  Client process rcvd pkts : 108
  Client process sent pkts : 589
  Client CEF received pkts : 76
  Client CEF rcv punt pkts : 0
  Client CEF sent pkts     : 0
  Client CEF sent punt pkts: 0
URL-rewrite splitter statistics:
  Direct access request    : 0
  Internal request         : 0
  Redirect request         : 0
Tunnel Statistics:
  Active connections       : 0
  Peak connections         : 1
  Peak time                : 00:34:51
  Connect succeed          : 3
  Connect failed           : 0
  Reconnect succeed        : 0
  Reconnect failed         : 0
  DPD timeout              : 0
  Client
    in  CSTP frames        : 32
    in  CSTP data          : 5
    in  CSTP control       : 27
    in  CSTP bytes         : 1176
    out CSTP frames        : 4
    out CSTP data          : 0
    out CSTP control       : 4
    out CSTP bytes         : 32
  Server
    out IP pkts            : 5
    out IP bytes           : 805
    in  IP pkts            : 0

(The remaining sections of this output (the server-side user session counters, Mangling, CIFS, Socket, Port Forward, WEBVPN Citrix, ACL, Single Sign On and the CEF tunnel counters) lost their column alignment in the source and are not reproduced.)

• In CCP, choose Monitoring > Security > VPN Status > SSL VPN > Sales in order to view the current SSL VPN session information in the router.

• Choose Monitoring > Security > VPN Status > SSL VPN > Users in order to view the current SSL VPN user lists in the router.

Troubleshoot

Use this section to troubleshoot your configuration.

SSL Connectivity Issue

Problem: SSL VPN clients are unable to connect to the router.

Solution: Insufficient IP addresses in the IP address pool might cause this issue. Increase the number of IP addresses in the pool of IP addresses on the router in order to resolve this issue.

Error: SSLVPN Package SSL-VPN-Client : installed Error: Disk

Problem: You receive this error when you install the SVC package on a router: SSLVPN Package SSL-VPN-Client : installed Error: Disk.

Solution: This error can be resolved by reformatting the flash.

Troubleshooting Commands

Several clear commands are associated with WebVPN. For detailed information about these commands, refer to Using WebVPN Clear Commands.

Several debug commands are associated with WebVPN. For detailed information about these commands, refer to Using WebVPN Debug Commands.

Note: The use of debug commands can adversely impact your Cisco device. Before you use debug commands, refer to Important Information on Debug Commands.

For more information on troubleshooting the AnyConnect VPN client, refer to AnyConnect VPN Client FAQ.
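The running-config in the CLI Configuration section and the pool-exhaustion cause under SSL Connectivity Issue both lend themselves to a quick review check. The following Python script is an added example, not Cisco's code or part of this document: it scans a constructed configuration modelled on the page's (addresses invented) for plaintext credentials, Telnet on the vty lines, and an SVC address pool smaller than the context's max-users; the functions pool_sizes, context_pools and audit are this example's own.

```python
"""Audit a CCP-generated SSL VPN config for weak settings and pool sizing
(added example, not Cisco code; see the lead-in for assumptions)."""
import ipaddress
import re

# Constructed sample modelled on the page's running-config; addresses invented.
SAMPLE_CONFIG = """\
no service password-encryption
enable password cisco
username test privilege 15 password 0 test
ip local pool new 10.10.20.2 10.10.20.5
line vty 0 4
 transport input telnet ssh
webvpn context sales
 policy group policy_1
   svc address-pool "new"
 default-group-policy policy_1
 max-users 10
"""

def pool_sizes(config):
    """Map each 'ip local pool NAME FIRST LAST' line to its address count."""
    sizes = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M):
        first = ipaddress.ip_address(m.group(2))
        last = ipaddress.ip_address(m.group(3))
        sizes[m.group(1)] = int(last) - int(first) + 1
    return sizes

def context_pools(config):
    """Return (context, svc address-pool name, max-users) per webvpn context."""
    contexts, current = [], None
    for line in config.splitlines():
        stripped = line.strip()
        m = re.match(r"webvpn context (\S+)$", stripped)
        if m:
            current = {"name": m.group(1), "pool": None, "max_users": None}
            contexts.append(current)
        elif current is None:
            continue
        elif stripped.startswith("svc address-pool "):
            current["pool"] = stripped.split(None, 2)[2].strip('"')
        elif stripped.startswith("max-users "):
            current["max_users"] = int(stripped.split()[1])
    return [(c["name"], c["pool"], c["max_users"]) for c in contexts]

def audit(config):
    """Return findings a reviewer would raise; an empty list means none."""
    findings = []
    if re.search(r"^no service password-encryption$", config, re.M):
        findings.append("service password-encryption is disabled")
    if re.search(r"^enable password ", config, re.M):
        findings.append("'enable password' in use; use 'enable secret'")
    for m in re.finditer(r"^username (\S+) .*password 0 ", config, re.M):
        findings.append(f"user {m.group(1)} has a plaintext password; use 'secret'")
    if re.search(r"^\s*transport input .*\btelnet\b", config, re.M):
        findings.append("vty lines accept Telnet; use 'transport input ssh'")
    sizes = pool_sizes(config)
    for ctx, pool, max_users in context_pools(config):
        if pool not in sizes:
            findings.append(f"context {ctx}: address pool {pool!r} is not defined")
        elif max_users is not None and sizes[pool] < max_users:
            findings.append(f"context {ctx}: pool {pool!r} holds {sizes[pool]} "
                            f"addresses but max-users is {max_users}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```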

