[c-nsp] OT: Cisco Anyconnect Client with IOS SSL
Felix Nkansah
felixnkansah at gmail.com
Tue Mar 31 17:36:36 EDT 2009
Hi Team,
I am trying to set up the Cisco IOS SSL VPN to support the AnyConnect client.
Much as I have entered all the required commands, the configuration doesn't
work. My IOS is (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T.
I would appreciate it if anyone on this team with experience setting up AnyConnect
with IOS could draw my attention to any caveats.
I have selected the necessary portion of my router config for your review,
if necessary.
Many thanks.
aaa new-model
!
aaa authentication login VPN local
aaa authorization network VPN local
!
crypto pki trustpoint TP-self-signed-2613188008
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2613188008
 revocation-check none
 rsakeypair TP-self-signed-2613188008
!
username remote secret 5 $1$86qN$CJ2uc1l7PYy7a5sNMrPK2/
!
ip local pool WEBVPN 192.168.250.11 192.168.250.111
!
webvpn gateway SSL
 hostname CIS-EDGE1
 ip address 80.87.77.18 port 443
 http-redirect port 80
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint TP-self-signed-2613188008
 inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn install svc flash:/webvpn/svc_2.pkg sequence 2
!
webvpn install svc flash:/webvpn/svc_3.pkg sequence 3
!
webvpn context SSL
 ssl authenticate verify all
 !
 !
 policy group SSL
   functions svc-enabled
   svc address-pool "WEBVPN"
   svc default-domain "cisghana.com"
   svc keep-client-installed
   svc dpd-interval gateway 30
   svc keepalive 300
   svc split dns "cisghana.com"
   svc split include 192.168.1.0 255.255.255.0
   svc split include 192.168.3.0 255.255.255.0
   svc split include 192.168.4.0 255.255.255.0
   svc split include 192.168.21.0 255.255.255.0
   svc dns-server primary 192.168.21.17
   svc dns-server secondary 192.168.21.18
 default-group-policy SSL
 aaa authentication list VPN
 aaa authorization list VPN
 gateway SSL domain cisghana.com
 logging enable
 inservice
!
interface Loopback1
 description For SSL VPN Use
 ip address 192.168.250.250 255.255.255.0
!
interface GigabitEthernet0/0.80
 encapsulation dot1Q 80
 ip address 80.87.77.18 255.255.255.248
 ! this ACL permits ports 80 and 443 to the interface
 ip access-group OUTSIDE in
 no ip unreachables
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
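An added example, not part of Felix's post and not a Cisco tool: a small Python checker that reads an IOS WebVPN configuration in the one-space indentation of "show running-config" and reports every name the webvpn gateway or context refers to (AAA lists, trustpoint, address pool, policy group, gateway, SVC package) that is never defined elsewhere, along with a gateway or context left without "inservice" and named AAA lists used without "aaa new-model". The embedded sample is a trimmed copy of the configuration quoted above; the function names, pattern table and finding texts are my own, and the parser assumes a single top-level command ends the preceding webvpn block, as IOS prints it.

```python
"""Cross-reference checker for an IOS WebVPN (AnyConnect/SVC) configuration.

Added example, not code from the original post: it parses a running-config
excerpt (a trimmed copy of the posted config is embedded below as a
constructed sample) and reports every name the webvpn gateway/context
refers to that is never defined, plus a few settings whose absence keeps
the tunnel from ever coming up. Pattern and function names are my own.
"""
import re

# Constructed sample: the WebVPN-relevant part of the config quoted in the
# post, in the one-space indentation IOS uses in 'show running-config'.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VPN local
aaa authorization network VPN local
crypto pki trustpoint TP-self-signed-2613188008
 enrollment selfsigned
 rsakeypair TP-self-signed-2613188008
username remote secret 5 $1$86qN$CJ2uc1l7PYy7a5sNMrPK2/
ip local pool WEBVPN 192.168.250.11 192.168.250.111
webvpn gateway SSL
 ip address 80.87.77.18 port 443
 ssl trustpoint TP-self-signed-2613188008
 inservice
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn context SSL
 policy group SSL
   functions svc-enabled
   svc address-pool "WEBVPN"
 default-group-policy SSL
 aaa authentication list VPN
 aaa authorization list VPN
 gateway SSL domain cisghana.com
 inservice
"""

# Where each kind of name is defined (top level, or 'policy group' inside a context).
DEF_PATTERNS = {
    "auth_list":  re.compile(r"^aaa authentication login (\S+)"),
    "authz_list": re.compile(r"^aaa authorization network (\S+)"),
    "trustpoint": re.compile(r"^crypto pki trustpoint (\S+)"),
    "pool":       re.compile(r"^ip local pool (\S+)"),
    "gateway":    re.compile(r"^webvpn gateway (\S+)"),
    "policy":     re.compile(r"^\s+policy group (\S+)"),
    "svc_pkg":    re.compile(r"^webvpn install svc (\S+)"),
}

# Where those names are referenced from inside 'webvpn gateway' / 'webvpn context'.
REF_PATTERNS = {
    "trustpoint": re.compile(r"^\s+ssl trustpoint (\S+)"),
    "pool":       re.compile(r'^\s+svc address-pool "?([^"\s]+)"?'),
    "policy":     re.compile(r"^\s+default-group-policy (\S+)"),
    "auth_list":  re.compile(r"^\s+aaa authentication list (\S+)"),
    "authz_list": re.compile(r"^\s+aaa authorization list (\S+)"),
    "gateway":    re.compile(r"^\s+gateway (\S+)"),
}


def parse(config):
    """Return (definitions, references, flags) collected from the config text."""
    defs = {kind: set() for kind in DEF_PATTERNS}
    refs = {kind: set() for kind in REF_PATTERNS}
    flags = {"aaa_new_model": False, "svc_enabled": False, "context_seen": False,
             "gateway_inservice": False, "context_inservice": False}
    block = None  # which top-level webvpn block the current line belongs to
    for line in config.splitlines():
        if line.startswith("webvpn gateway "):
            block = "gateway"
        elif line.startswith("webvpn context "):
            block = "context"
            flags["context_seen"] = True
        elif not line.startswith((" ", "\t")):
            block = None  # any other top-level command ends the block
        for kind, pattern in DEF_PATTERNS.items():
            m = pattern.match(line)
            if m:
                defs[kind].add(m.group(1))
        for kind, pattern in REF_PATTERNS.items():
            m = pattern.match(line)
            if m:
                refs[kind].add(m.group(1))
        stripped = line.strip()
        if stripped == "aaa new-model":
            flags["aaa_new_model"] = True
        elif stripped == "functions svc-enabled":
            flags["svc_enabled"] = True
        elif stripped == "inservice" and block:
            flags[block + "_inservice"] = True
    return defs, refs, flags


def check(config):
    """Return a list of human-readable findings; an empty list means consistent."""
    defs, refs, flags = parse(config)
    findings = []
    for kind, names in refs.items():
        for name in sorted(names - defs[kind]):
            findings.append(f"{kind} '{name}' is referenced but never defined")
    if (refs["auth_list"] or refs["authz_list"]) and not flags["aaa_new_model"]:
        findings.append("named AAA lists are used but 'aaa new-model' is missing")
    if flags["svc_enabled"] and not defs["svc_pkg"]:
        findings.append("'functions svc-enabled' set but no 'webvpn install svc' package")
    if defs["gateway"] and not flags["gateway_inservice"]:
        findings.append("webvpn gateway is defined but not 'inservice'")
    if flags["context_seen"] and not flags["context_inservice"]:
        findings.append("webvpn context is defined but not 'inservice'")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG) or ["no dangling references found"]:
        print(finding)
```

Run it against a full "show running-config" capture instead of the sample to get the same report for a live box; a clean result only says the names line up, so interface ACLs, NAT and the SVC package versions still have to be checked by hand.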