Configuring Cisco AnyConnect Tunnel with the CLI

One main capability of the AnyConnect client is that it provides a virtual private network (VPN) connection from a remote location to a second secured location. This capability of AnyConnect can be deployed from both Adaptive Security Appliances (ASA) and from a device running a supporting version of IOS (assuming the license has been purchased).

Take a look at the configuration that is required to get this up and running on a Cisco IOS device. To start off, the Security and SSL VPN licenses have already been installed on the device.

The first thing that is required is to retrieve the AnyConnect package from Cisco's website. Downloading it requires a Cisco service contract; if this is not the case, you may be able to get it from already deployed devices or from other locations on the web which I will not link to here.

The specific filename for the most up-to-date (as of this writing) Windows web deployment package is called anyconnect-win-3.1.02040-k9.pkg.

Use a TFTP server and transfer this file over to the IOS device; for this demonstration I used a 2911. The steps to install the package are shown below.

1. Enter privileged EXEC mode
router>enable
2. Enter global configuration mode
router#configure terminal
3. Install the AnyConnect package on the device
router(config)#crypto vpn anyconnect flash:anyconnect-win-3.1.02040-k9.pkg sequence 1

The next step is to enable AAA and create an authentication method list; for this example a local username database will be used for authentication.

4. Enable AAA
router(config)#aaa new-model
5. Create a device authentication method list
router(config)#aaa authentication login method-list-name local

The next step is to configure a user (or users) that will be able to access the web interface to start a VPN session.

6. Create a username
router(config)#username username secret password

The next step involves creating a virtual template interface; this will act as the VPN gateway. The IP address that is assigned to this interface must be in the same range as the pool of IP addresses that are given out to the VPN client devices.

7. Create the Virtual Template interface
router(config)#interface virtual-template 1
8. Assign an IP address
router(config-if)#ip address ip-address mask

The next step involves the creation of an address pool that will be used to assign addresses to the remote clients; as stated above, these IP addresses should be in the same range as the IP address assigned to the virtual template interface just created. The pool is created in global configuration mode.

9. Create a local VPN address pool
router(config)#ip local pool pool-name beginning-IP-address ending-IP-address

The next step involves the creation of a WebVPN gateway; the gateway will act as a proxy between the VPN client and the network (or networks) with secured access.

10. Create a WebVPN gateway
router(config)#webvpn gateway gateway_name
11. Configure the VPN headend IP address; the default port used is 443.
Note: This is the address that the VPN client will connect to.
router(config-webvpn-gateway)#ip address ip-address
12. Configure an HTTP redirect; this will redirect clients which connect to port 80 to port 443 to ensure a secure connection.
router(config-webvpn-gateway)#http-redirect port 80
13. Put the WebVPN gateway into service (this is the equivalent of the no shutdown command on interfaces)
router(config-webvpn-gateway)#inservice
14. Configure an SSL trustpoint; this is used when a self-signed certificate is being used.
Note: A self-signed certificate is issued when the webvpn gateway command is run. To obtain the name of the trustpoint, run the do show running-config command and look for the text that starts with crypto pki trustpoint.
router(config-webvpn-gateway)#ssl trustpoint trustpoint-name

The next step involves the creation of a WebVPN context and policy; the context is used to define the virtual configuration of the SSL VPN and the policy defines the presentation and permissions of the web interface used by the remote user.

15. Create a WebVPN context (from global configuration mode)
router(config)#webvpn context context-name
16. Associate an authentication method list
Note: The method-list-name matches the list created in step 5.
router(config-webvpn-context)#aaa authentication list method-list-name
17. Associate a WebVPN gateway
Note: The gateway_name matches the gateway created in step 10.
router(config-webvpn-context)#gateway gateway_name
18. Limit the maximum number of users
Note: This depends on the platform and the license; a demo 100-user license can be obtained from Cisco for 60 days.
router(config-webvpn-context)#max-users max-users
19. Associate a Virtual Template
router(config-webvpn-context)#virtual-template template-number
20. Put the WebVPN context into service
router(config-webvpn-context)#inservice
21. Create a WebVPN policy
router(config-webvpn-context)#policy group group-name
22. Configure the use of AnyConnect full tunnel mode (mandatory mode is used)
router(config-webvpn-group)#functions svc-required
23. (Optional) Create a split tunnel. By default, the configuration will tunnel all traffic from the client while the VPN is connected. Often only specific traffic needs to be tunneled and other traffic should be allowed to go through a separate gateway (typically an Internet connection).
router(config-webvpn-group)#svc split {include network network-mask | exclude network network-mask}
24. Exit back into WebVPN context configuration mode
router(config-webvpn-group)#exit
25. Configure the WebVPN context to use the WebVPN policy that was just created.
Note: The group-name matches the policy group created in step 21.
router(config-webvpn-context)#default-group-policy group-name

To bring these concepts together, this section shows an example.

Figure 1: Topology

For this example we will use the 203.0.113.1 address as the gateway address and include the 192.0.2.0/24 and 198.51.100.0/24 networks to be tunneled. All other traffic will go directly out to the remote host’s Internet gateway. All the commands that are required to configure this are shown in Figure 2.

Figure 2

router#configure terminal
router(config)# crypto vpn anyconnect flash:anyconnect-win-3.1.02040-k9.pkg sequence 1
router(config)# username train secret signal
router(config)# aaa new-model
router(config)# aaa authentication login vpn-method-list local
router(config)# interface Virtual-Template1
router(config-if)# ip address 172.16.1.1 255.255.255.0
router(config-if)# exit
router(config)# webvpn gateway gateway_1
router(config-webvpn-gateway)# ip address 203.0.113.1 port 443
router(config-webvpn-gateway)# http-redirect port 80
router(config-webvpn-gateway)# inservice
router(config-webvpn-gateway)# ssl trustpoint TP-self-signed-1753739988
router(config-webvpn-gateway)# exit
router(config)# ip local pool vpn-pool 172.16.1.10 172.16.1.20
router(config)# webvpn context 2911-1
router(config-webvpn-context)# aaa authentication list vpn-method-list
router(config-webvpn-context)# gateway gateway_1
router(config-webvpn-context)# max-users 10
router(config-webvpn-context)# virtual-template 1
router(config-webvpn-context)# inservice
router(config-webvpn-context)# policy group policy_1
router(config-webvpn-group)# svc split include 198.51.100.0 255.255.255.0
router(config-webvpn-group)# svc split include 192.0.2.0 255.255.255.0
router(config-webvpn-group)# functions svc-required
router(config-webvpn-group)# svc address-pool vpn-pool netmask 255.255.255.0
router(config-webvpn-group)# exit
router(config-webvpn-context)# default-group-policy policy_1
router(config-webvpn-context)# end
router#
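Several of the steps above depend on names and addresses agreeing with each other (the method list from step 5 is referenced in step 16, the gateway from step 10 in step 17, the virtual template from step 7 in step 19, the policy group from step 21 in step 25, and the pool from step 9 must sit inside the virtual template's subnet from step 8). The following Python script is an added example, not code from Cisco or from this article's author: it parses a running-config style copy of the Figure 2 commands (constructed inline, not a device capture), reports any reference or addressing mismatch, and classifies sample destinations against the split-tunnel rules from step 23. The helper names parse_config, check_config and tunneled are hypothetical, and the parser covers only the statements this article uses.

```python
import ipaddress

# Constructed sample: the Figure 2 commands as they appear in the running
# configuration (sub-mode lines indented). Not a capture from a real device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login vpn-method-list local
interface Virtual-Template1
 ip address 172.16.1.1 255.255.255.0
ip local pool vpn-pool 172.16.1.10 172.16.1.20
webvpn gateway gateway_1
 ip address 203.0.113.1 port 443
 inservice
webvpn context 2911-1
 aaa authentication list vpn-method-list
 gateway gateway_1
 virtual-template 1
 inservice
 policy group policy_1
  svc split include 198.51.100.0 255.255.255.0
  svc split include 192.0.2.0 255.255.255.0
  functions svc-required
  svc address-pool vpn-pool netmask 255.255.255.0
 default-group-policy policy_1
"""

def parse_config(text):
    """Collect the objects whose names and addresses must agree (hypothetical helper)."""
    cfg = {"lists": set(), "pools": {}, "templates": {}, "gateways": set(), "contexts": {}}
    context = group = template = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        depth, w = len(raw) - len(raw.lstrip()), raw.split()
        if depth == 0:                                   # global configuration mode
            context = group = template = None
            if w[:3] == ["aaa", "authentication", "login"]:
                cfg["lists"].add(w[3])
            elif w[:3] == ["ip", "local", "pool"]:
                cfg["pools"][w[3]] = (w[4], w[5])
            elif w[0] == "interface" and w[1].lower().startswith("virtual-template"):
                template = w[1][len("virtual-template"):]
            elif w[:2] == ["webvpn", "gateway"]:
                cfg["gateways"].add(w[2])
            elif w[:2] == ["webvpn", "context"]:
                context = cfg["contexts"].setdefault(w[2], {"groups": {}, "inservice": False})
        elif template is not None and w[:2] == ["ip", "address"]:
            cfg["templates"][template] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
        elif context is not None and depth == 1:         # webvpn context sub-mode
            group = None
            if w[:3] == ["aaa", "authentication", "list"]:
                context["list"] = w[3]
            elif w[0] in ("gateway", "virtual-template", "default-group-policy"):
                context[w[0]] = w[1]
            elif w[0] == "inservice":
                context["inservice"] = True
            elif w[:2] == ["policy", "group"]:
                group = context["groups"].setdefault(w[2], {"include": [], "exclude": [], "pool": None})
        elif group is not None:                          # policy group sub-mode
            if w[:2] == ["svc", "split"]:
                group[w[2]].append(ipaddress.IPv4Network(f"{w[3]}/{w[4]}"))
            elif w[:2] == ["svc", "address-pool"]:
                group["pool"] = w[2]
    return cfg

def check_config(cfg):
    """Return the reference and addressing problems found; an empty list means consistent."""
    problems = []
    for name, ctx in cfg["contexts"].items():
        if ctx.get("list") not in cfg["lists"]:
            problems.append(f"{name}: method list {ctx.get('list')} is not defined")
        if ctx.get("gateway") not in cfg["gateways"]:
            problems.append(f"{name}: gateway {ctx.get('gateway')} is not defined")
        if not ctx["inservice"]:
            problems.append(f"{name}: context is not inservice")
        tmpl = cfg["templates"].get(ctx.get("virtual-template"))
        grp = ctx["groups"].get(ctx.get("default-group-policy"))
        if tmpl is None or grp is None:
            problems.append(f"{name}: virtual-template or default-group-policy does not resolve")
            continue
        pool = cfg["pools"].get(grp["pool"])
        if pool is None:
            problems.append(f"{name}: policy references undefined address pool {grp['pool']}")
            continue
        first, last = (ipaddress.IPv4Address(a) for a in pool)
        if first not in tmpl.network or last not in tmpl.network:
            problems.append(f"{name}: pool {first}-{last} lies outside the "
                            f"virtual-template subnet {tmpl.network}")
        elif first <= tmpl.ip <= last:
            problems.append(f"{name}: virtual-template address {tmpl.ip} is inside the pool")
    return problems

def tunneled(grp, destination):
    """Does traffic to destination enter the tunnel under the group's split rules?
    No split statements tunnels everything (the default in step 23); include statements
    tunnel only those networks; exclude statements tunnel all but those (assumed not mixed)."""
    dst = ipaddress.IPv4Address(destination)
    if grp["include"]:
        return any(dst in net for net in grp["include"])
    if grp["exclude"]:
        return not any(dst in net for net in grp["exclude"])
    return True

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(check_config(cfg) or "configuration is consistent")
```

Run against the sample, check_config returns no problems, and tunneled reports 192.0.2.10 and 198.51.100.250 as tunneled while 8.8.8.8 goes to the remote host's local Internet gateway, matching the intent described for Figure 1. Note that Figure 2 binds the pool to the policy group with svc address-pool, a line the numbered steps do not list; the check treats that line as the link between the pool of step 9 and the policy of step 21, and reports a pool that falls outside the virtual template's subnet, which is the mismatch step 8 warns about.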

There are certainly a number of different ways to set up a VPN, both on Cisco equipment and on other vendors' equipment. The AnyConnect tool is a nice package that combines a lot of different functionality when used with the ASA platforms. Although these functions are limited to VPN when deploying from an IOS device, the interface is the same and familiar when used across platforms.

Hopefully this article offered an overview of the configuration steps that are required to get this up and running on an IOS device, and will enable the successful configuration on the reader’s own equipment.
