Cisco AnyConnect SSL WebVPN

WebVPN is outdated, so you shouldn't use this unless you really have to.

Below is an example configuration for a router with a self-signed certificate.

Configuration

Enable AAA:

aaa new-model
aaa authentication login SSLVPN local

Set hostname and domain:

hostname R1
ip domain-name NETWORKLESSONS.COM

Generate RSA keypair:

crypto key generate rsa label my-rsa-keys modulus 1024

Set client username:

username VPN_USER secret MY_PASSWORD

Set the AnyConnect package for Windows clients:

crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.10.06079-k9.pkg sequence 1

Configure the trustpoint and generate the self-signed certificate:

crypto pki trustpoint MY_TRUSTPOINT
 enrollment selfsigned
 subject-name CN=WEBVPN-NETWORKLESSONS
 rsakeypair my-rsa-keys
crypto pki enroll MY_TRUSTPOINT

Configure a local IP address pool for clients:

ip local pool WEBVPN_POOL 192.168.10.10 192.168.10.100

Configure the WebVPN gateway (you can also specify an interface instead of an IP address):

webvpn gateway WEBVPN_GATEWAY
 ip address 1.2.3.4 port 443
 ssl encryption aes128-sha1
 ssl trustpoint MY_TRUSTPOINT
 inservice

Configure the WebVPN context and attach the policy group to it:

webvpn context WEBVPN_CONTEXT
 title "WEBVPN NETWORKLESSONS FOR REMOTE USERS"
 login-message "ONLY FOR AUTHORIZED USERS"
 aaa authentication list SSLVPN
 gateway WEBVPN_GATEWAY
 !
 ssl authenticate verify all
 inservice
 !
 policy group WEBVPN_POLICY
   functions svc-enabled
   functions svc-required
   svc address-pool "WEBVPN_POOL" netmask 255.255.255.0
   svc rekey method new-tunnel
 default-group-policy WEBVPN_POLICY
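The objects above reference each other by name (the trustpoint names an RSA key label, the gateway names the trustpoint, the context names the AAA list and the gateway, the policy group names the address pool), and a typo in any of them silently leaves the VPN unusable or falls back to an auto-generated key. The script below is an added example, not part of the original page or of Cisco IOS: it cross-checks those references in a saved config and also flags an RSA modulus below 2048 bits. The sample config is constructed from the commands on this page, with the key label mismatch (`my-rsa-keys` generated, `MY_RSA_KEYPAIR` referenced) left in on purpose so the check has something to find.

```python
import re

# Constructed sample: the configuration from the page, one command per line.
# The rsakeypair label is deliberately left at MY_RSA_KEYPAIR while the generated
# key is labelled my-rsa-keys, and the modulus is left at 1024, so the check finds both.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login SSLVPN local
crypto key generate rsa label my-rsa-keys modulus 1024
crypto pki trustpoint MY_TRUSTPOINT
 enrollment selfsigned
 subject-name CN=WEBVPN-NETWORKLESSONS
 rsakeypair MY_RSA_KEYPAIR
ip local pool WEBVPN_POOL 192.168.10.10 192.168.10.100
webvpn gateway WEBVPN_GATEWAY
 ip address 1.2.3.4 port 443
 ssl encryption aes128-sha1
 ssl trustpoint MY_TRUSTPOINT
 inservice
webvpn context WEBVPN_CONTEXT
 aaa authentication list SSLVPN
 gateway WEBVPN_GATEWAY
 inservice
 policy group WEBVPN_POLICY
   functions svc-enabled
   svc address-pool "WEBVPN_POOL" netmask 255.255.255.0
"""

MIN_RSA_BITS = 2048  # 1024-bit RSA is no longer acceptable for a TLS server key


def _names(pattern, config):
    """Sorted, de-duplicated capture-group values for a line-anchored pattern."""
    return sorted(set(re.findall(pattern, config, flags=re.MULTILINE)))


def check_webvpn_config(config):
    """Cross-check the name references in a WebVPN config.

    Returns a list of human-readable findings; an empty list means every
    referenced object is defined and the RSA key is of acceptable size.
    """
    findings = []

    # Objects defined at the top level of the config (column 0).
    generated_keys = {
        label: int(bits)
        for label, bits in re.findall(
            r"^crypto key generate rsa label (\S+) modulus (\d+)", config, re.MULTILINE)
    }
    trustpoints = _names(r"^crypto pki trustpoint (\S+)", config)
    aaa_lists = _names(r"^aaa authentication login (\S+)", config)
    pools = _names(r"^ip local pool (\S+)", config)
    gateways = _names(r"^webvpn gateway (\S+)", config)

    # Key strength.
    for label, bits in sorted(generated_keys.items()):
        if bits < MIN_RSA_BITS:
            findings.append(
                f"RSA key '{label}' has a {bits}-bit modulus; use at least {MIN_RSA_BITS}")

    # References made from sub-modes (indented lines) to the top-level objects.
    for label in _names(r"^\s+rsakeypair (\S+)", config):
        if label not in generated_keys:
            findings.append(
                f"trustpoint references rsakeypair '{label}' but no generated key has that label")
    for tp in _names(r"^\s+ssl trustpoint (\S+)", config):
        if tp not in trustpoints:
            findings.append(f"gateway references undefined trustpoint '{tp}'")
    for lst in _names(r"^\s+aaa authentication list (\S+)", config):
        if lst not in aaa_lists:
            findings.append(f"context references undefined AAA login list '{lst}'")
    for gw in _names(r"^\s+gateway (\S+)", config):
        if gw not in gateways:
            findings.append(f"context references undefined gateway '{gw}'")
    for pool in _names(r'^\s+svc address-pool "?([^"\s]+)"?', config):
        if pool not in pools:
            findings.append(f"policy group references undefined address pool '{pool}'")

    return findings


def corrected_sample():
    """The same sample with both defects fixed, for comparison."""
    return (SAMPLE_CONFIG
            .replace("rsakeypair MY_RSA_KEYPAIR", "rsakeypair my-rsa-keys")
            .replace("modulus 1024", "modulus 2048"))


if __name__ == "__main__":
    for finding in check_webvpn_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("corrected config findings:", check_webvpn_config(corrected_sample()))
```

Run it against the output of `show running-config` saved to a file; the patterns only cover the commands used in this configuration, so extend them if your context uses URL lists, port forwarding or other policy-group features.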

Verification

Once configured, I see this:

Line protocol on Interface Virtual-Access1, changed state to up

And I see the port is listening:

R1#show control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address    Service        State
tcp                    *:22                *:0    SSH-Server     LISTEN
tcp                    *:23                *:0    Telnet         LISTEN
tcp                   *:443                *:0    TCP Listener   LISTEN
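Checking that 443 is listening is the positive test; the same output is also worth reading for listeners you did not intend to expose on the VPN gateway, such as the Telnet server on port 23 above. The parser below is an added example, not part of the original page: it turns the `show control-plane host open-ports` output into records, confirms the WebVPN listener, and reports any listening port outside an allow-list (the allow-list of 22 and 443 is an assumption for this example). The sample output is constructed from the listing on this page.

```python
import re

# Constructed sample: the 'show control-plane host open-ports' output from the page.
SAMPLE_OPEN_PORTS = """\
Active internet connections (servers and established)
Prot        Local Address      Foreign Address    Service        State
tcp                    *:22                *:0    SSH-Server     LISTEN
tcp                    *:23                *:0    Telnet         LISTEN
tcp                   *:443                *:0    TCP Listener   LISTEN
"""

# One data row: protocol, local addr:port, foreign addr:port, service name (may
# contain spaces), state. Header and blank lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\d+)"
    r"\s+(?P<service>.+?)\s+(?P<state>[A-Z_]+)\s*$")


def parse_open_ports(output):
    """Parse the command output into a list of dicts, one per socket."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["lport"] = int(d["lport"])
            d["fport"] = int(d["fport"])
            entries.append(d)
    return entries


def webvpn_listening(entries, port=443):
    """True if a TCP listener is bound on the WebVPN port."""
    return any(e["proto"] == "tcp" and e["lport"] == port and e["state"] == "LISTEN"
               for e in entries)


def unexpected_listeners(entries, allowed=(22, 443)):
    """Listening ports that are not on the allow-list (assumed here: SSH and WebVPN)."""
    return sorted(e["lport"] for e in entries
                  if e["state"] == "LISTEN" and e["lport"] not in allowed)


if __name__ == "__main__":
    rows = parse_open_ports(SAMPLE_OPEN_PORTS)
    print("webvpn listening on 443:", webvpn_listening(rows))
    print("listeners outside allow-list:", unexpected_listeners(rows))
```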

The various show webvpn commands give more detail about the gateway, context and AnyConnect sessions.