AnyConnect VPN (SSL) Client on IOS Router with CCP Configuration Example

Updated: January 12, 2015
Document ID: 110608

Contents

Introduction
Prerequisites
    Requirements
    Components Used
Configure
    Network Diagram
    Preconfiguration Tasks
    Configurations
        Step 1: Set up the CCP and Discover the Cisco IOS Router
        Step 2: Install and Enable the AnyConnect VPN Software on the IOS Router
        Step 3: Configure a SSL VPN Context and SSL VPN Gateway with the CCP Wizard
        Step 4: Configure the User Database for AnyConnect VPN Users
        Step 5: Configure the AnyConnect Tunnel
    CLI Configuration
Establish the AnyConnect VPN Client Connection
Verify
    Commands
        show webvpn session context all
        show webvpn session user user context Test
        show webvpn stats
Troubleshoot
    Troubleshooting Commands
Related Information

Introduction

This document describes how to set up a Cisco IOS® router to perform Secure Sockets Layer (SSL) VPN on a stick with the Cisco AnyConnect VPN client using Cisco Configuration Professional (CCP). This setup applies to a specific case where AnyConnect on the router is configured with split tunneling: the client gets secure access to corporate resources and, at the same time, unsecured (direct) access to the Internet.

SSL VPN or WebVPN technology is supported on most router platforms such as the Integrated Services Router (ISR) Generation 1 and Generation 2 (refer to ISR Products for the list of ISR products). Customers are advised to consult the Feature Navigator in order to obtain a complete list of Cisco IOS platforms that support the AnyConnect VPN (SSL) client (or any other feature or technology). This information is available in the Feature Navigator.

CCP is a GUI-based device management tool that allows you to configure Cisco IOS-based access routers.

hilps:ihww.cisco.com/len/usleuppordocsirouters/3200-series-intograled-srvices-routers/110608-seLios-00.him! 1196 248.2017 AnyConnect VPN (SSL) Client on IOS Router with CCP Configuration Example - Cisco
CCP is installed on a PC and simplifies router, security, unified communications, wireless, WAN, and basic LAN configurations through GUI-based, easy-to-use wizards.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

• Suitable client operating system. Refer to the AnyConnect Release Notes for the supported operating systems.
• Web browser with Sun JRE Version 1.4 or later, or an ActiveX-enabled browser
• Local administrative privileges on the client
• Cisco IOS router with Advanced Security image, 12.4(20)T or later
• Cisco Configuration Professional Version 1.3 or later

If Cisco Configuration Professional is not already loaded on your computer, you can obtain a free copy of the software and install the .exe (cisco-config-pro-k9-pkg-2_8-en.zip) file from Software Download. For detailed information on the installation and configuration of CCP, refer to the Cisco Configuration Professional Quick Start Guide.

Components Used

The information in this document is based on these software and hardware versions:

• Cisco IOS Series CISCO2811 Router with Software Version 15.1(4)M8
• CCP Version 2.8
• Cisco AnyConnect SSL VPN Client Version for Windows 3.1.05160

The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

Network Diagram

This document uses this network setup:

[Network diagram: inside network 10.106.44.0 behind the router; SSL VPN gateway on the router outside interface 10.105.130.149; AnyConnect address pool 192.168.1.10 - 192.168.1.15]

Preconfiguration Tasks

1. Configure the router for CCP. Routers with the appropriate security bundle license already have the CCP application loaded in flash. Refer to the Cisco Configuration Professional Quick Start Guide in order to obtain and configure the software.
2. Download a copy of the AnyConnect VPN .pkg file to your management PC.

Configurations

In this section, you are presented with the steps necessary in order to configure the features described in this document. This example configuration uses the CCP Wizard in order to enable the operation of the AnyConnect VPN on the IOS router.

Complete these steps in order to configure AnyConnect VPN on the Cisco IOS router:

1. Set up the CCP and discover the Cisco IOS router.
2. Install and enable the AnyConnect VPN software on the Cisco IOS router.
3. Configure a SSL VPN context and SSL VPN gateway with the CCP Wizard.
4. Configure the user database for AnyConnect VPN users.
5. Configure the AnyConnect full tunnel.

Each of these steps is described in more detail in the next sections of this document.

Step 1: Set up the CCP and Discover the Cisco IOS Router

1. Click Router Status on the CCP window in order to view the router device information.

[Router Status dialog: hardware details (model type, available/total memory, flash capacity), IOS version and image name, and feature availability (IP, Firewall, VPN, IPS, NAC)]

2. Click Configure in order to begin the configuration.

Step 2: Install and Enable the AnyConnect VPN Software on the IOS Router

Complete these steps in order to install and enable the AnyConnect VPN software on the IOS router:

1. Open the CCP application, navigate to Configure > Security, and then click VPN.
2. Expand SSL VPN, and choose Packages.
[Configure > Security > VPN > SSL VPN > Packages page, with the SSL VPN license warning]

Ensure that the SSL VPN Feature license is installed on the device; otherwise you might get the warning shown in the previous image. Refer to the Feature License link in order to view the Ordering Information section.

3. In the Cisco SSL VPN client software area, click Browse. The Select SVC location dialog box appears. Specify the location of the installation bundle.

[Select SVC location dialog: Router File System / My Computer, each with a Browse button]

4. Specify the location of the Cisco AnyConnect VPN client image (choose either of the two options available).
   • If the Cisco AnyConnect VPN client image is in the router flash, click the Router File System radio button in the dialog box, and click Browse.
   • If the Cisco AnyConnect VPN client image is not in the router flash, click the My Computer radio button in the dialog box, and click Browse.
5. Select the client image that you want to install and click OK.
6. Once you specify the location of the client image, click Install.
7. Click Yes and then click OK.
8. Once the client image is successfully installed, you receive the success message. Click OK in order to continue.
9. Once installed, view the installed package details under Security > VPN > SSL VPN > Packages.

[Packages page: "Cisco SSL VPN Client Software: You must install Cisco SSL VPN client software for clients to establish a full tunnel SSL VPN session on this router. Install Status: Installed"]

Step 3: Configure a SSL VPN Context and SSL VPN Gateway with the CCP Wizard

Complete these steps in order to configure a SSL VPN context and the SSL VPN gateway:

1. Go to Configure > Security > VPN, and then click SSL VPN.
2. Click the SSL VPN Manager and then click the Create SSL VPN tab.
3. Follow the prompts in order to enable Authentication, Authorization, and Accounting (AAA) if it is not already enabled.

[Prompt: "SSL VPN requires the following pre-requisite configuration tasks to be completed before proceeding: Enable AAA"]

[Prompt: "Cisco CP will perform the following precautionary tasks while enabling AAA to prevent loss of access to the device: Configure authentication and authorization for vty lines. The local database will be used for both authentication and authorization. Configure authentication for the console line. The local database will be used for authentication. Do you want to enable AAA?"]
[Deliver Configuration to Router dialog. Commands previewed: aaa new-model; aaa authorization exec default local; aaa authentication login default local; line vty 0 4; login authentication default; authorization exec default; exit. "The differences between the running configuration and the startup configuration are lost whenever the device is turned off. Save running config. to device's startup config. This operation can take several minutes."]

4. Check the Create a New SSL VPN radio button and then click Launch the selected task. The SSL VPN Wizard dialog box appears.

[Welcome to the Create SSL VPN Wizard: "The New SSL VPN wizard lets you do the following: Specify an IP address, name and digital certificate for the SSL VPN. Create users locally, and specify how these users should be authenticated. Enable the router to download full-tunnel SSL VPN client software to client PCs, for full tunnel connectivity. Specify the corporate intranet sites users are allowed to visit, and provide a link to their e-mail. Customize the SSL VPN portal page."]

5. Click Next.

[SSL VPN Gateway page: IP address 10.105.130.149, name Test, option "Enable secure Cisco CP access through 10.105.130.149"; the digital certificate selected here is sent to the user's web browser to authenticate the URL of the SSL VPN service]

Note: If the SSL VPN is configured under the interface through which Cisco CP is invoked, it might cause Cisco CP to disconnect from the router. As a better practice, you can access the Cisco IOS router via CCP from the internal interface (in this example, 10.106.44.141) or any other interface, while the SSL VPN is configured under the external interface FastEthernet0/0 (in this example, 10.105.130.149).

[Warning: "You are trying to configure SSLVPN under the interface through which Cisco CP was invoked. This may cause Cisco CP to disconnect from the router. Do you still want to proceed?"]

6. Enter the IP address of the new SSL VPN gateway and enter a unique name for this SSL VPN context. You can create different SSL VPN contexts for the same IP address (SSL VPN gateway), but each name must be unique. This example uses this IP address: https://10.105.130.149/
7. Click Next, and continue to the next section, Step 4: Configure the User Database for AnyConnect VPN Users.

Step 4: Configure the User Database for AnyConnect VPN Users

For authentication, you can use an AAA server, local users, or both. This configuration example uses locally-created users for authentication.

Complete these steps in order to configure the user database for AnyConnect VPN users:

1. After you complete Step 3, click the Locally on this router radio button located in the SSL VPN Wizard User Authentication dialog box.
[User Authentication page: "You can configure user accounts locally on this router. You can configure user accounts on an AAA server so that the router can contact the server to authenticate users when they log on. Specify how SSL VPN should authenticate the users when they log in: External AAA server / Locally on this router / First on an external AAA server and then locally on this router / Use the AAA authentication method list." Create user accounts locally on this router: Username user1]

[Summary page: Context Name Test; Local intranet websites: Disabled; Full Tunnel Configuration: SVC Status Yes, IP Address Pool IP_Pool, Split Tunneling Enabled, Split DNS Disabled, Primary DNS Server 10.106.44.10, Primary WINS Server 10.106.44.12, Install Full Tunnel Client Enabled. Warning: "DNS is not enabled on your router. As some SSL VPN services require DNS to work, it is recommended that you enable DNS."]

3. Click Deliver in order to save your configuration and then click OK. The SSL VPN Wizard submits your commands to the router.

[Deliver Configuration to Router dialogs previewing the commands listed below, with the option "Save running config. to device's startup config."]

Basically these are the commands that are delivered from CCP to the router:

AAA commands

    aaa new-model
    aaa authorization exec default local
    aaa authentication login default local
    line vty 0 4
     login authentication default
     authorization exec default
     exit

Remaining commands

    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    ip local pool IP_Pool 192.168.1.10 192.168.1.15
    default interface Virtual-Template1
    interface Virtual-Template1
     no shutdown
     ip unnumbered FastEthernet0/0
     exit
    webvpn gateway gateway_1
     ip address 10.105.130.149 port 443
     http-redirect port 80
     ssl trustpoint TP-self-signed-1878971148
     inservice
     exit
    webvpn context Test
     aaa authentication list ciscocp_vpn_xauth_ml_1
     gateway gateway_1
     virtual-template 1
     max-users 1000
     secondary-color white
     title-color #FF9900
     policy group policy_1
      svc split include 10.106.44.0 ...
      svc keep-client-installed
      functions svc-enabled
      svc address-pool IP_Pool netmask 255.255.255.255
      svc default-domain cisco.com
      svc dns-server primary 10.106.44.10
      svc wins-server primary 10.106.44.12
      exit
     default-group-policy policy_1
     inservice
     exit
    ! user account command
    username user1 privilege 1 secret 0 ********

Note: If you receive an error message, the SSL VPN license might be incorrect. Complete these steps in order to correct a license issue:

1. Go to Configure > Security > VPN, and then click SSL VPN.
2. Click SSL VPN Manager and then click the Edit SSL VPN tab on the right-hand side.
3. Highlight your newly created context and click the Edit button.

[Edit SSL VPN Context dialog: Name, Associated Gateway, Domain, Authentication List, Authentication Domain, Enable context, Maximum number of users, VRF Name, Default Group Policy. IP features like NAT and Firewall that need to be associated to data passing through the SSL VPN tunnel should be associated to its tunnel interface: use the IP address of an interface, or a static IP address.]
4. In the Maximum Number of Users field, enter the correct number of users for your license.
5. Click OK, and then click Deliver. The commands are written to the configuration file.

CLI Configuration

CCP creates these command-line configurations:

    Router#show running-config
    Building configuration...

    Current configuration : ...
    !
    ! Last configuration change at 06:30:34 UTC ... Nov 29 ...
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    aaa new-model
    !
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    !
    multilink bundle-name authenticated
    !
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint TP-self-signed-1878971148
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1878971148
     revocation-check none
     rsakeypair TP-self-signed-1878971148
    !
    crypto pki certificate chain TP-self-signed-1878971148
     certificate self-signed 01
      30820228 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      [remaining lines of the self-signed certificate omitted]
      quit
    !
    license udi pid CISCO2811 sn PHK1404P3x2
    !
    username username privilege 15 secret 5 $1$hPnV$2wQ6MMWLATHUC/NIRCMyt-
    username user1 secret 5 $1$X3Vu$h5/xHipon7Fym16c2scrz1
    !
    redundancy
    !
    interface FastEthernet0/0
     ip address dhcp
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address dhcp
     duplex auto
     speed auto
    !
    interface Virtual-Template1
     ip unnumbered FastEthernet0/0
    !
    ip local pool IP_Pool 192.168.1.10 192.168.1.15
    ip forward-protocol nd
    !
    ip http server
    ip http authentication local
    ip http secure-server
    !
    line con 0
    line aux 0
    line vty 0 4
     transport input all
    !
    webvpn gateway gateway_1
     ip address 10.105.130.149 port 443
     http-redirect port 80
     ssl trustpoint TP-self-signed-1878971148
     inservice
    !
    webvpn install svc flash:/webvpn/anyconnect-win-3.1.051...
    !
    webvpn context Test
     secondary-color white
     title-color #EF9900
     !
     policy group policy_1
       functions svc-enabled
       svc address-pool "IP_Pool" netmask 255.255.255.255
       svc default-domain "cisco.com"
       svc keep-client-installed
       svc split include 10.106.44.0 ...
       svc dns-server primary 10.106.44.10
       svc wins-server primary 10.106.44.12
     virtual-template 1
     default-group-policy policy_1
     aaa authentication list ciscocp_vpn_xauth_ml_1
     gateway gateway_1
     inservice
    !
    interface Virtual-Access2
     description ... SSLVPN context Test***
     mtu 1406

Establish the AnyConnect VPN Client Connection

Complete these steps in order to establish an AnyConnect VPN connection with the router.

Note: Add the router to the list of trusted sites in Internet Explorer. For more information, refer to Adding a Security Appliance/Router to the List of Trusted Sites (IE).

1. Enter the URL or IP address of the router WebVPN interface in your web browser in the format shown: https://... OR https://...
2. Enter your user name and password.

[SSL VPN Service login page: "Welcome to Cisco Systems SSLVPN Service"]

3. Click Start in order to initiate the AnyConnect VPN tunnel connection.
[SSL VPN Service portal page with the Start button]

This window appears before the SSL VPN connection is established.

[AnyConnect Secure Mobility Client WebLaunch page: Platform Detection, ActiveX, Java Detection, Java Download, Connected. "Attempting to use Java for installation. Launching Cisco AnyConnect Secure Mobility Client. If the software does not start properly, click here to end the session cleanly." The AnyConnect Downloader performs update checks.]

Note: ActiveX software must be installed on your computer before you download the AnyConnect VPN.

[Download progress: "Downloading AnyConnect Secure Mobility Client 3.1.05160. Please wait."]

4. Once the connection is successfully established, click the Statistics tab. The Statistics tab displays information about the SSL connection.

[Statistics tab. Connection Information: State Connected; Tunnel Mode (IPv4) Split Include; Tunnel Mode (IPv6) Drop All Traffic; Duration 00:00:07. Address Information: Client (IPv4) 192.168.1.11; Client (IPv6) Not Available; Server 10.105.130.149. Bytes Sent 1570. Buttons: Reset, Export Stats.]

The Statistics Details dialog box displays detailed connection statistical information, which includes the tunnel state and mode, the duration of the connection, the number of bytes and frames sent and received, address information, transport information, and the Cisco Secure Desktop posture assessment status. The Reset button on this tab resets the transmission statistics. The Export Stats button allows you to export the current statistics, interface, and routing table to a text file. The AnyConnect client prompts you for a name and location for the text file. The default name is AnyConnect-ExportedStats.txt and the default location is on the desktop.

5. Check the route details (based on the split tunnel configuration) under the Route Details tab.

[Route Details tab: Non-Secured Routes (IPv4) 0.0.0.0/0; Secured Routes (IPv4): the network configured with svc split include]

6. In the Cisco AnyConnect VPN Client dialog box, click the About tab in order to display the Cisco AnyConnect VPN Client version information.

[About tab: Cisco AnyConnect Secure Mobility Client Version 3.1.05160. © Copyright 2004 - 2013 Cisco Systems, Inc.]
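Before the gateway is put in service, the running configuration that CCP delivers (see CLI Configuration above) is worth a quick review rather than trust in the wizard. The script below is an added example and is not part of this Cisco document or of CCP. It parses a constructed IOS configuration modelled on the one shown above (the password hashes, the admin and legacy usernames and the split-include mask are placeholders I assumed) and reports what a reviewer checks first: credential storage, plain-HTTP and telnet management access, the self-signed trustpoint clients will be asked to trust, max-users against the SSL VPN license, which local accounts the VPN authentication list admits, and whether split tunneling is on.

```python
import re

# Constructed sample modelled on the configuration CCP delivers in this document.
# Hashes, the 'admin' and 'legacy' accounts and the split-include mask are
# placeholders/assumptions, not values taken from the document.
SAMPLE_CONFIG = """\
version 15.1
no service password-encryption
aaa new-model
aaa authentication login ciscocp_vpn_xauth_ml_1 local
crypto pki trustpoint TP-self-signed-1878971148
 enrollment selfsigned
username admin privilege 15 secret 5 $1$PLACEHOLDER
username user1 secret 5 $1$PLACEHOLDER
username legacy password 0 plaintextpw
ip local pool IP_Pool 192.168.1.10 192.168.1.15
ip http server
ip http secure-server
line vty 0 4
 transport input all
webvpn gateway gateway_1
 ip address 10.105.130.149 port 443
 ssl trustpoint TP-self-signed-1878971148
 inservice
webvpn context Test
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 max-users 1000
 policy group policy_1
  svc address-pool "IP_Pool" netmask 255.255.255.255
  svc split include 10.106.44.0 255.255.255.0
 default-group-policy policy_1
 inservice
"""


def parse_ios(text):
    """Split an IOS config into (top-level line, [child lines]) blocks.
    Blank and '!' comment lines are dropped; children lose their indentation."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _children(blocks, prefix):
    """All child lines of every block whose top-level line starts with prefix."""
    return [c for top, kids in blocks if top.startswith(prefix) for c in kids]


def audit_sslvpn(config_text, licensed_users):
    """Return sorted (code, detail) findings for the SSL VPN gateway and context."""
    blocks = parse_ios(config_text)
    tops = [top for top, _ in blocks]
    found = []
    # Credential storage: 'password' is plaintext or reversible, 'secret' is hashed.
    if "no service password-encryption" in tops:
        found.append(("NO_PASSWORD_ENCRYPTION", "service password-encryption is disabled"))
    for top in tops:
        m = re.match(r"username (\S+) .*\bpassword\b", top)
        if m:
            found.append(("PLAINTEXT_PASSWORD", f"username {m.group(1)} uses 'password', not 'secret'"))
    # Management plane: plain-HTTP management and telnet on the vty lines.
    if "ip http server" in tops:
        found.append(("HTTP_SERVER_ENABLED", "ip http server allows unencrypted management"))
    for kid in _children(blocks, "line vty"):
        if re.match(r"transport input (all|telnet)", kid):
            found.append(("VTY_TELNET", f"vty lines accept telnet ({kid})"))
    # Gateway: in service, and which certificate it presents to clients.
    gw = _children(blocks, "webvpn gateway")
    if "inservice" not in gw:
        found.append(("GATEWAY_NOT_INSERVICE", "webvpn gateway is not 'inservice'"))
    for kid in gw:
        m = re.match(r"ssl trustpoint (\S+)", kid)
        if m and "enrollment selfsigned" in _children(blocks, f"crypto pki trustpoint {m.group(1)}"):
            found.append(("SELF_SIGNED_TRUSTPOINT", f"gateway presents self-signed trustpoint {m.group(1)}"))
    # Context: in service, user limit vs licence, who the auth list admits, split tunnel.
    ctx = _children(blocks, "webvpn context")
    if "inservice" not in ctx:
        found.append(("CONTEXT_NOT_INSERVICE", "webvpn context is not 'inservice'"))
    for kid in ctx:
        m = re.match(r"max-users (\d+)", kid)
        if m and int(m.group(1)) > licensed_users:
            found.append(("MAX_USERS_OVER_LICENSE", f"max-users {m.group(1)} exceeds licence ({licensed_users})"))
        m = re.match(r"aaa authentication list (\S+)", kid)
        if m and f"aaa authentication login {m.group(1)} local" in tops:
            admins = [t.split()[1] for t in tops if re.match(r"username \S+ privilege 15\b", t)]
            if admins:
                found.append(("VPN_AUTH_LOCAL_ADMIN", "VPN auth list uses the local database, so these "
                              "privilege-15 accounts can also log in to the VPN: " + ", ".join(admins)))
        m = re.match(r"svc split include (\S+) (\S+)", kid)
        if m:
            found.append(("SPLIT_TUNNEL", f"split tunneling: only {m.group(1)} {m.group(2)} goes through the VPN"))
    return sorted(found)


if __name__ == "__main__":
    for code, detail in audit_sslvpn(SAMPLE_CONFIG, licensed_users=10):
        print(f"{code:24} {detail}")
```

Run it against a saved `show running-config` and the licensed user count from `show license`; the SPLIT_TUNNEL line is informational (the document's design intends it), the others are the items to decide on before users connect.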
Verify

Use this section in order to confirm that your configuration works properly.

Commands

Note: The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Several show commands are associated with WebVPN. You can execute these commands at the CLI in order to show statistics and other information. For detailed information about show commands, refer to Verifying WebVPN Configuration.

show webvpn session context all

    Router#show webvpn session context all

    WebVPN context name: Test
    Client_Login_Name  Client_IP_Address  No_of_Connections  Last_Used
    user1              10.106.42.10       1                  ...

show webvpn session user user context Test

    Router#show webvpn session user user1 context Test detail

    Session Type        : Full Tunnel
    Client User-Agent   : AnyConnect Windows 3.1.05160
    Username            : user1
    Num Connection      : 1
    Public IP           : 10.106.42.10
    Context             : Test
    Session Timeout     : Disabled
    Idle Timeout        : 2100
    DNS primary server  : 10.106.44.10
    WINS primary server : 10.106.44.12
    DPD GW Timeout      : 300
    DPD CL Timeout      : 300
    Address Pool        : IP_Pool
    MTU Size            : 1199
    Rekey Time          : 3600
    Tunnel IP           : 192.168.1.10
    Rx IP Packets       : 0
    CSTP DPD-Req sent   : 0
    Msie ProxyServer    : None
    CSTP Statistics:
      Rx CSTP Frames    : 618
      Tx CSTP Frames    : 0
      Rx CSTP Bytes     : 46113
      Rx CSTP Data Fr   : 617
      Rx CSTP CNTL Fr   : 1

show webvpn stats

    Router#show webvpn stats

The output runs to several pages and is grouped into these sections: User session statistics (active, peak and terminated user sessions, authentication failures, session and idle timeouts, per-user and per-context limits, client and server packet counters), Mangling statistics (URL, tag, attribute, script and style rewriting counters, HTTP request and response counters), HTTP Authentication stats (NTLM and Basic authentication successes and failures), CIFS statistics (SMB and NetBIOS counters per context and global, browse and file operation successes and failures), Socket statistics, Smart Tunnel statistics, Port Forward statistics, WEBVPN Citrix statistics, ACL statistics (permitted and denied web and CIFS requests), URL-rewrite splitter statistics, and Tunnel Statistics (active and peak connections, connect and reconnect successes, DPD timeouts, and CSTP/CDTP control and data packet and byte counters in each direction).

In CCP, choose Monitoring > Security > VPN Status > SSL VPN (All Contexts) in order to view the current SSL VPN user lists in the router.

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

Troubleshooting Commands

Several clear commands are associated with WebVPN. For detailed information about these commands, refer to Using WebVPN Clear Commands.

Several debug commands are associated with WebVPN. For detailed information about these commands, refer to Using WebVPN Debug Commands.

Note: The use of debug commands can adversely impact your Cisco device. Before you use debug commands, refer to Important Information on Debug Commands.

Related Information

• Cisco IOS SSLVPN
• AnyConnect VPN Client FAQ
• Cisco AnyConnect VPN Client Administrator Guide
• SSL VPN - WebVPN
• Clientless SSL VPN (WebVPN) on Cisco IOS with SDM Configuration Example
• Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM
• WebVPN and DMVPN Convergence Deployment Guide
• Technical Support & Documentation - Cisco Systems

© 2017 Cisco and/or its affiliates. All rights reserved.
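The per-user session detail in the Verify section is where you confirm that a connected user actually received the policy CCP configured (context, policy group, address pool, DNS server, split-include network) rather than some other context's defaults. The script below is an added example and not part of this Cisco document: it parses a constructed `show webvpn session user ... detail` output modelled on the fields shown above (the two-column layout, the Session Timeout and Idle Timeout values and the split-include mask are assumptions) into a dictionary, compares it with the intended policy, and also flags sessions that have no absolute session timeout and clients below a minimum AnyConnect version.

```python
import re

# Constructed sample modelled on the fields of the session detail output shown in this
# document; the two-column layout and the split-include mask are assumptions.
SAMPLE_DETAIL = """\
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 3.1.05160
Username          : user1            Num Connection   : 1
Public IP         : 10.106.42.10     VRF Name         : None
Context           : Test             Policy Group     : policy_1
Session Timeout   : Disabled         Idle Timeout     : 2100
DNS primary server: 10.106.44.10     WINS primary server: 10.106.44.12
DPD GW Timeout    : 300              DPD CL Timeout   : 300
Address Pool      : IP_Pool          MTU Size         : 1199
Tunnel IP         : 192.168.1.10     Netmask          : 255.255.255.255
Rekey Time        : 3600             Split Include    : 10.106.44.0 255.255.255.0
CSTP Statistics:
  Rx CSTP Frames  : 618              Tx CSTP Frames   : 0
"""

# What the policy delivered by CCP in this document should give every user
# (the split-include mask is an assumption, see above).
EXPECTED_POLICY = {
    "Context": "Test",
    "Policy Group": "policy_1",
    "Address Pool": "IP_Pool",
    "DNS primary server": "10.106.44.10",
    "Split Include": "10.106.44.0 255.255.255.0",
}

# One 'Key : value' pair; the value runs until two or more spaces (the next column)
# or the end of the line, so single spaces inside a value are kept.
_PAIR = re.compile(r"([A-Za-z][\w /-]*?)\s*:\s*(.*?)(?=\s{2,}\S|$)")


def parse_session_detail(text):
    """Turn the two-column key/value output into a dict (later duplicates win)."""
    fields = {}
    for line in text.splitlines():
        for key, value in _PAIR.findall(line):
            fields[key.strip()] = value.strip()
    return fields


def check_session(fields, expected, min_client_version=(3, 1, 0)):
    """Compare one parsed session with the intended policy; return a list of problems."""
    problems = []
    for key, want in expected.items():
        got = fields.get(key)
        if got != want:
            problems.append(f"{key}: got {got!r}, expected {want!r}")
    # Client version from the User-Agent, compared as a (major, minor, build) tuple.
    m = re.search(r"AnyConnect \S+ (\d+)\.(\d+)\.(\d+)", fields.get("Client User-Agent", ""))
    if not m or tuple(int(x) for x in m.groups()) < min_client_version:
        problems.append("client version below minimum " + ".".join(map(str, min_client_version)))
    # With no absolute timeout only inactivity ends the session.
    if fields.get("Session Timeout") == "Disabled":
        problems.append("Session Timeout is Disabled; only the idle timeout "
                        f"({fields.get('Idle Timeout')} s) ends the session")
    return problems


if __name__ == "__main__":
    session = parse_session_detail(SAMPLE_DETAIL)
    for problem in check_session(session, EXPECTED_POLICY):
        print("WARN", session["Username"], problem)
```

Feed it the output of the command for each user listed by `show webvpn session context all`; a mismatch in Context or Policy Group is the quickest sign that a user landed in a context other than the one this document configures.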
