remote ssl vpn with cisco “anyconnect” client and a 1841 router

Hello everybody.
Here I am going to show how to configure an SSL VPN on the router and connect to it with the Cisco AnyConnect client.

Intention:
– Get access to the devices in my home lab, even through internet connections that sit behind a proxy and only allow ports 80 and 443.

Setup:
– A Cisco 1841 connected to my LAN (router-on-a-stick style), running IOS 12.4(24)T6 (c1841-advsecurityk9-mz.124-24.T6.bin) with the Advanced Security feature set.

What to do:
– Set up the SSL VPN configuration on the 1841
– Allow the VPN clients to reach the dynamips server and/or whatever resources you like
– Set up the Cisco AnyConnect client on a Windows machine

So here is the drawing of my home lab again, as it should give you a better understanding of how the SSL VPN router is used:

Let's begin with the configuration:
I will only cover the configuration related to the SSL VPN itself. Keep in mind that my router has the IP address 192.168.1.5, is connected to my LAN, and has a default route to my internet router. On my home router I have configured port forwarding so that port 443 is forwarded directly from the internet to the SSL VPN router.

1) Since the SSL VPN runs over HTTPS/SSL, we need a certificate for it. To get one for free, we generate a self-signed certificate:

## configure a domain-name
ip domain name ccie.lab.mwirth

## set up the properties of a locally used certificate (trustpoint): enrollment is self-signed, the certificate revocation list (CRL) is checked to make sure the certificate has not been revoked, and a 1024-bit RSA key pair is used (1024 bits is what this lab uses; 2048 bits or more is the usual recommendation today)
crypto pki trustpoint CERTIFICATE_NAME
enrollment selfsigned
revocation-check crl
rsakeypair KEY_SSL 1024 1024

## after enrolling, the following lines will also appear in the config automatically (the certificate body itself is omitted here)
crypto pki certificate chain CERTIFICATE_NAME
certificate self-signed 01 nvram:SSL-GATEccie#1.cer

## create the certificate you just configured the properties for
crypto pki enroll CERTIFICATE_NAME

## we need SSL (443)/HTTPS on the router to run the VPN
ip http secure-server

## configure an authentication list so the VPN users can be authenticated against the local database, RADIUS or TACACS+ (here: local; the local method needs at least one username/secret entry on the router, which is not shown here)
aaa new-model
aaa authentication login AAA_LOGIN local

NOTE: When enabling aaa new-model, keep in mind that you should set an enable secret and configure "login authentication AAA_LOGIN" under line con 0 and line vty, otherwise you can lock yourself out of the router.

## configure an access-list defining which resources the VPN clients may reach (in my case the VPN client network is the same as the destination network); I give access to my whole network, but you can restrict this the way you like
ip access-list extended ACL_SSL
permit ip any 192.168.1.0 0.0.0.255

## configure a local address pool from which the VPN clients get their VPN IP addresses
ip local pool POOL_SSL 192.168.1.20 192.168.1.29

## configure a webvpn/sslvpn gateway entry
webvpn gateway WEBVPN_GATE
 hostname SSL-GATE
 ip address 192.168.1.5 port 443 //the address and port the router listens on for the SSL connections
 http-redirect port 80 //a user arriving on port 80 is redirected to 443
 ssl trustpoint CERTIFICATE_NAME
 inservice //activate the gateway

## configure a webvpn/sslvpn context entry
webvpn context CONTEXT_SSL
 title "Welcome to my SSL-VPN - http://chasingmyccie.wordpress.com"
 ssl authenticate verify all
 !
 login-message "Welcome to my SSL-VPN - Enter User/Pass now!"
 !
 policy group PG_SSL
  functions svc-enabled
  banner "User credentials have been accepted! Have fun! - http://chasingmyccie.wordpress.com"
  filter tunnel ACL_SSL //the ACL is attached to the VPN users here, allowing or forbidding resources
  svc address-pool POOL_SSL //the address pool for the VPN clients configured above
  svc default-domain chasingmyccie.wordpress.com //the DNS suffix a logged-in client gets on the AnyConnect virtual adapter (a plain domain name, not a URL)
  svc keep-client-installed
  svc homepage http://chasingmyccie.wordpress.com //a logged-in user is sent to this page in the browser
  svc rekey method new-tunnel //when the keys have to be renegotiated, a new tunnel is built (reconnect)
  svc split include 192.168.1.4 255.255.255.255 //split tunneling: these entries are pushed to the AnyConnect user as routes, so only traffic to these hosts enters the tunnel and the user keeps using his own internet connection for everything else
  svc split include 192.168.1.3 255.255.255.255
  svc split include 192.168.1.5 255.255.255.255
  svc split include 192.168.1.1 255.255.255.255
  svc split include 192.168.1.2 255.255.255.255
 default-group-policy PG_SSL //this group applies to all users that come into the VPN
 aaa authentication list AAA_LOGIN //authenticate all users that want to connect to the VPN against this method
 gateway WEBVPN_GATE //associate the gateway configured above with this context
 inservice //activate the context

## download the SSL VPN/WebVPN client packages for users who connect with the browser or the AnyConnect client, copy them to flash via FTP/TFTP, then install them (config mode)
webvpn install svc flash:anyconnect-win-2.5.3055-k9.pkg sequence 1
webvpn install svc flash:anyconnect-macosx-i386-2.5.3055-k9.pkg sequence 2
webvpn install svc flash:anyconnect-linux-2.5.3055-k9.pkg sequence 3
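The split-include routes and the filter ACL above are two independent gates, which is easy to get wrong: a host that ACL_SSL permits but no split route covers never enters the tunnel at all. The following checker is an added example, not part of the original post or an IOS tool; it parses the relevant lines of the config shown above (embedded as a constructed sample), tells you how a packet to a given destination would be handled, and flags the 1024-bit RSA key.

```python
import ipaddress
import re

# Constructed sample: the lines of the post's config that this checker reads.
SAMPLE_CONFIG = """
 permit ip any 192.168.1.0 0.0.0.255
 rsakeypair KEY_SSL 1024 1024
  svc split include 192.168.1.4 255.255.255.255
  svc split include 192.168.1.3 255.255.255.255
  svc split include 192.168.1.5 255.255.255.255
  svc split include 192.168.1.1 255.255.255.255
  svc split include 192.168.1.2 255.255.255.255
"""

ACL_RE = re.compile(r"^\s*permit ip any (\S+) (\S+)")       # dest + wildcard mask
SPLIT_RE = re.compile(r"^\s*svc split include (\S+) (\S+)")  # net + subnet mask
RSA_RE = re.compile(r"^\s*rsakeypair \S+ (\d+)")

def parse(config):
    """Collect the filter ACL permits, split-include routes and RSA key size."""
    cfg = {"acl": [], "split": [], "rsa_bits": None}
    for line in config.splitlines():
        if m := ACL_RE.match(line):   # ipaddress accepts a hostmask after '/'
            cfg["acl"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := SPLIT_RE.match(line):
            cfg["split"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := RSA_RE.match(line):
            cfg["rsa_bits"] = int(m[1])
    return cfg

def reachability(cfg, dest):
    """Two gates: split-include routes decide whether the client sends a packet
    into the tunnel at all; ACL_SSL decides whether the router forwards it."""
    d = ipaddress.ip_address(dest)
    if not any(d in n for n in cfg["split"]):
        return "local-internet"   # no pushed route: stays on the client's own uplink
    return "tunnel-permitted" if any(d in n for n in cfg["acl"]) else "tunnel-dropped"

def findings(cfg):
    """Review notes a defender would raise on this configuration."""
    out = []
    if cfg["rsa_bits"] is not None and cfg["rsa_bits"] < 2048:
        out.append(f"rsakeypair {cfg['rsa_bits']} bits is below the 2048-bit minimum")
    for n in cfg["split"]:
        if not any(n.subnet_of(a) for a in cfg["acl"]):
            out.append(f"split route {n} is pushed but ACL_SSL never permits it")
    return out
```

With the post's values, 192.168.1.50 is permitted by ACL_SSL yet reported as "local-internet", because only .1 to .5 are pushed as split routes.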

Save the config and reboot the router to be sure everything has been accepted.

NOTE:
On some IOS versions the three "webvpn install" lines above are missing after the reboot. They have to be re-entered, because the WebVPN will probably not work correctly otherwise!

Now it is time to set up the VPN client. I used this image to install the client on my Windows machine: "anyconnect-win-2.5.3055-pre-deploy-k9.msi".


Hit next.


Accept EULA.


Install it (needs administrator rights).


It is installing the files.


A new vpn adapter is created.


Finish the installation. Then start the client.


Enter the IP address or DNS name under which your SSL gateway is reachable.


You should now be asked for your user login/password. Enter them.


The login banner is shown. Accept it.


The SSL certificate will show up and you need to accept it (it is self-signed, so the client cannot validate it against a trusted CA; check that it is the certificate you generated on the router before accepting).


The client is connected. As soon as the client authentication is complete, the user's browser is sent to the homepage you defined.


Network resources can be reached. Looks good!

If you have further questions, just leave a comment or email me.
Have fun with it!
Regards!


About markus.wirth

Living near Limburg in Germany, working as a Network Engineer around Frankfurt am Main.
This entry was posted in Security, SSL VPN with Cisco anyconnect.

22 Responses to remote ssl vpn with cisco “anyconnect” client and a 1841 router

  1. ds says:

    Thanks for sharing your experience.
    I concur that AnyConnect is a nice, if vendor-proprietary, solution for accessing one's home network. Just out of curiosity: Why didn't you go with v3 (aka AnyConnect Secure Mobility Client)? License issues?

    On a side note, you blacken the “Connect to” field but later on reveal “VPN session established to . What changed your mind about securing that piece of information? ;)

  2. markus.wirth says:

    Hi!
    Yep, license reasons, that's why I use the old one.
    Thanks for the info with the URL :). Could you edit your comment, please, to grey it out :).
    Just fixed it in the picture.

    Regards!
    Markus.

  3. ds says:

    Hm, could you give me a hint where to edit?
    I guess your powers as a site admin are needed here. :)

