Cisco Anyconnect SSL WebVPN

WebVPN is outdated so you shouldn't use this unless you really have to.

Below is an example configuration for a router with a self signed certificate.


enable AAA:

aaa new-model aaa authentication login SSLVPN local

Set hostname and domain:

hostname R1 ip domain-name NETWORKLESSONS.COM

Generate RSA keypair:

crypto key generate rsa label my-rsa-keys modulus 1024

Set client username:

username VPN_USER secret MY_PASSWORD

Set anyconnect package for Windows clients:

crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.10.06079-k9.pkg sequence 1

Configure trustpoint and generate self signed certificate:

crypto pki trustpoint MY_TRUSTPOINT enrollment selfsigned subject-name CN=WEBVPN-NETWORKLESSONS rsakeypair MY_RSA_KEYPAIR

Configure a webpool for clients:

ip local pool WEBVPN_POOL

Configure webvpn gateway (you can also specify interface instead of ip address):

webvpn gateway WEBVPN_GATEWAY ip address port 443 ssl encryption aes128-sha1 ssl trustpoint MY_TRUSTPOINT inservice

Configure WebVPN context:

webvpn context WEBVPN_CONTEXT title "WEBVPN NETWORKLESSONS FOR REMOTE USERS" login-message "ONLY FOR AUTHORIZED USERS" aaa authentication list SSLVPN gateway WEBVPN_GATEWAY ! ssl authenticate verify all inservice ! policy group WEBVPN_POLICY functions svc-enabled functions svc-required svc address-pool "WEBVPN_POOL" netmask svc rekey method new-tunnel


Once configured, I see this:

Line protocol on Interface Virtual-Access1, changed state to up

And I see the port is listening:

R1#show control-plane host open-ports Active internet connections (servers and established) Prot Local Address Foreign Address Service State tcp *:22 *:0 SSH-Server LISTEN tcp *:23 *:0 Telnet LISTEN tcp *:443 *:0 TCP Listener LISTEN

You can use some show webvpn commands to check specifics about anyconnect.