remote ssl vpn with cisco “anyconnect” client and a 1841 router

Hello everybody.
Here I am going to show how to configure an SSL VPN that is used with the Cisco AnyConnect client.

Intention:
– Get access to the devices in my home lab, even through internet connections that sit behind a proxy and only allow ports 80 and 443.

Setup:
– Cisco 1841 that is connected to my LAN (like a router on a stick) with IOS 12.4(24)T6 (c1841-advsecurityk9-mz.124-24.T6.bin) and Advanced Security Feature set.

What to do?:
– Setup SSL VPN configuration in the 1841
– Allow the VPN clients to get access to the dynamips server and/or resources you like
– Setup the Cisco AnyConnect client on a Windows machine

So here is the drawing of my home lab again, so that you get a better understanding of how my SSL VPN router is used:

Let's begin with the configuration:
I will only take care of the configuration regarding the SSL VPN itself. Keep in mind that my router has an IP address (192.168.1.5), is connected to my LAN and has a default route to my internet router. I have configured port forwarding on my home router so that port 443 is forwarded directly from the internet to my SSL VPN router.

1) Since the SSL VPN uses HTTPS/SSL, we need a certificate for it. To do that for free we generate a self-signed certificate:

## configure a domain-name
ip domain name ccie.lab.mwirth

## set up the properties of the locally used certificate (trustpoint): enrollment is self-signed, the certificate revocation list (CRL) is checked to make sure the certificate has not been revoked, and a 1024 bit RSA key pair is used
crypto pki trustpoint CERTIFICATE_NAME
enrollment selfsigned
revocation-check crl
rsakeypair KEY_SSL 1024 1024

## after the enrollment below, the certificate chain also shows up in the running config like this
crypto pki certificate chain CERTIFICATE_NAME
certificate self-signed 01 nvram:SSL-GATEccie#1.cer

## create the certificate you just configured the properties for
crypto pki enroll CERTIFICATE_NAME

## we need ssl(443)/https to run the vpn
ip http secure-server

## configure an authentication list so that the vpn users are authenticated against the local database (radius or tacacs+ could be used instead)
aaa new-model
aaa authentication login AAA_LOGIN local

NOTE: When enabling aaa new-model, keep in mind that you should set an enable secret and configure "login authentication AAA_LOGIN" under line con 0 and the vty lines, so that you do not lock yourself out.

## configure an access-list that defines which resources the vpn clients may access (in my case the vpn clients' network is the same as the destination network); I give access to my whole network, you can do this the way you like
ip access-list extended ACL_SSL
permit ip any 192.168.1.0 0.0.0.255

## configure a local address pool from which the vpn clients get their vpn ip addresses
ip local pool POOL_SSL 192.168.1.20 192.168.1.29

## configure a webvpn/sslvpn gateway entry
webvpn gateway WEBVPN_GATE
hostname SSL-GATE
ip address 192.168.1.5 port 443 //that's where the router is reachable for the SSL connections
http-redirect port 80 //when a user comes in at port 80 he is redirected to 443
ssl trustpoint CERTIFICATE_NAME
inservice //activate the gateway

## configure a webvpn/sslvpn context entry
webvpn context CONTEXT_SSL
title "Welcome to my SSL-VPN – http://chasingmyccie.wordpress.com"
ssl authenticate verify all

!
login-message "Welcome to my SSL-VPN – Enter User/Pass now!"
!
policy group PG_SSL
functions svc-enabled
banner "User credentials have been accepted! Have fun! – http://chasingmyccie.wordpress.com"

filter tunnel ACL_SSL //here the ACL is attached to the vpn users, allowing or denying resources
svc address-pool POOL_SSL //the addresses for the vpn clients we configured above
svc default-domain http://chasingmyccie.wordpress.com //the domain name (suffix) a logged-in client gets on the virtual vpn interface of the anyconnect client
svc keep-client-installed
svc homepage http://chasingmyccie.wordpress.com //a logged-in user is sent to that page in the browser
svc rekey method new-tunnel //when the keys need to be renegotiated, a reconnect is required
svc split include 192.168.1.4 255.255.255.255 //these entries configure split tunneling: the anyconnect user gets them pushed as routes into his operating system, so he still uses his own internet connection and only the vpn resources go through the tunnel
svc split include 192.168.1.3 255.255.255.255
svc split include 192.168.1.5 255.255.255.255
svc split include 192.168.1.1 255.255.255.255
svc split include 192.168.1.2 255.255.255.255

default-group-policy PG_SSL //use this group policy for all users that come into the vpn
aaa authentication list AAA_LOGIN //authenticate all users that want to connect to the vpn against this authentication list
gateway WEBVPN_GATE //associate the previously configured gateway with this context
inservice //activate the context

## download the sslvpn/webvpn packages for users that want to connect with the browser or anyconnect client and copy them into flash with ftp/tftp, then install them (config mode)
webvpn install svc flash:anyconnect-win-2.5.3055-k9.pkg sequence 1
webvpn install svc flash:anyconnect-macosx-i386-2.5.3055-k9.pkg sequence 2
webvpn install svc flash:anyconnect-linux-2.5.3055-k9.pkg sequence 3

Save the config and reboot the router to be sure everything has been accepted.

NOTE:
When the router is rebooted, on some IOS versions the three "webvpn install" lines above are missing. One has to re-enter them, because the webvpn is probably not working correctly otherwise!
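The "filter tunnel" ACL and the "svc split include" entries above interact: a client can only reach a host that is both routed into the tunnel by a split include and permitted by ACL_SSL, and the address pool must not overlap with those hosts. The following checker is an added example and not part of the post; it parses a constructed excerpt of the post's own lines (the regexes cover only the three line types shown, which is an assumption of this example) and reports the effective reachable hosts and any pool collisions.

```python
import ipaddress
import re

# Constructed excerpt: the access-list, pool and policy-group lines from the
# post, reassembled here as sample input for the checker.
CONFIG = """\
ip access-list extended ACL_SSL
 permit ip any 192.168.1.0 0.0.0.255
ip local pool POOL_SSL 192.168.1.20 192.168.1.29
webvpn context CONTEXT_SSL
 policy group PG_SSL
  filter tunnel ACL_SSL
  svc address-pool POOL_SSL
  svc split include 192.168.1.4 255.255.255.255
  svc split include 192.168.1.3 255.255.255.255
  svc split include 192.168.1.5 255.255.255.255
  svc split include 192.168.1.1 255.255.255.255
  svc split include 192.168.1.2 255.255.255.255
"""

def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard bits (0 = must match); invert them into a netmask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Return (ACL permit networks, split-include networks, (pool start, pool end))."""
    permits, includes, pool = [], [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"permit ip any (\S+) (\S+)", line):
            permits.append(wildcard_to_network(*m.groups()))
        elif m := re.fullmatch(r"svc split include (\S+) (\S+)", line):
            includes.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.fullmatch(r"ip local pool \S+ (\S+) (\S+)", line):
            pool = (ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2]))
    return permits, includes, pool

def reachable_hosts(permits, includes):
    """Effective access = routed into the tunnel (split include) AND permitted by the ACL."""
    hosts = {h for inc in includes for h in inc if any(h in p for p in permits)}
    return [str(h) for h in sorted(hosts)]

def pool_collisions(pool, includes):
    """Pool addresses that are also split-include destinations: a client could be
    handed the address of a real host, so the two ranges must not overlap."""
    lo, hi = pool
    return [str(h) for inc in includes for h in inc if lo <= h <= hi]

if __name__ == "__main__":
    permits, includes, pool = parse(CONFIG)
    print("reachable via tunnel:", reachable_hosts(permits, includes))
    print("pool/split-include collisions:", pool_collisions(pool, includes))  # []
```

Tightening ACL_SSL to a single host (wildcard 0.0.0.0) shrinks the reachable set accordingly, even though all five split-include routes are still pushed to the client.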

So now it is time to set up the VPN client. I used this image to install the client on my Windows machine: "anyconnect-win-2.5.3055-pre-deploy-k9.msi".

Hit next.

Accept the EULA.

Install it (needs administrator rights).

It is installing the files.

A new VPN adapter is created.

Finish the installation. Then start the client.

Enter the IP address or DNS name of your SSL gateway, i.e. the address it is reachable at.

User login/password should be asked for now. Enter it.

The screen shows the login banner. Accept it.

The SSL certificate will show up and you need to accept it. Because the certificate is self-signed, the client cannot validate it against a CA, so compare its fingerprint with the router's own certificate (show crypto pki certificates) before accepting.

The client is connected. As soon as the client authentication is complete, the user is sent to the homepage you defined, in the browser.

Network resources can be reached. Looks good!

If you have further questions, just leave a comment or email me.
Have fun with it!
Regards!


About markus.wirth

Living near Limburg in Germany, working as a Network Engineer around Frankfurt am Main.
This entry was posted in Security, SSL VPN with Cisco anyconnect.

47 Responses to remote ssl vpn with cisco “anyconnect” client and a 1841 router

  1. ds says:

    Thanks for sharing your experience.
    I concur that AnyConnect is a nice, if vendor-proprietary, solution for accessing one’s home network. Just out of curiosity: Why didn’t you go with v3 (aka AnyConnect Secure Mobility Client)? License issues?

    On a side note, you blacken the “Connect to” field but later on reveal “VPN session established to . What changed your mind about securing that piece of information? ;)

  2. markus.wirth says:

    Hi!
    Yep, license reasons, that’s why I use the old one.
    Thanks for the info with the URL :). Could you edit your comment plz to grey it out :).
    Just fixed it in the picture.

    Regards!
    Markus.

  3. ds says:

    Hm, could you give me a hint where to edit?
    I guess your powers as a site admin are needed here. :)
