SSL VPN (Webvpn) on Cisco 800 series router

I needed to set up a VPN for a test case, and after spending a considerable amount of time ironing out all the bugs (including the infamous Microsoft patch KB258554, which caused unnecessary headaches), I thought I’d post it here in case someone else can use it.

Two suggestions: first, make sure you are running a newer version of IOS, and second, don’t forget to explicitly specify the SSL encryption type (the ‘ssl encryption’ line) under your gateway configuration. Here is the final configuration.

!
! Last configuration change at 15:29:42 UTC Wed Dec 12 2018
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Yourhostname
!
boot-start-marker
boot-end-marker
!
!
enable secret yourpassword
!
aaa new-model
!
!
aaa authentication login SSLVPN_AAA local
!
!
!
aaa session-id common
memory-size iomem 15
!
crypto pki trustpoint SSLVPN_CERT
 enrollment selfsigned
 subject-name CN=192.168.80.118
 ! Or use your FQDN as the CN. I used the IP address of the port so that I'd have less of a hassle with the SSL cert
 revocation-check crl
 rsakeypair SSLVPN_KEYPAIR
!
!
crypto pki certificate chain SSLVPN_CERT
 certificate self-signed 02
  3082035C 30820244 A0030201 02020102 300D0609 2A864886 F70D0101 05050030 ……..
  ! Don't copy and paste this section; the router generates its own self-signed certificate
!
!
ip dhcp excluded-address 172.16.16.1 172.16.16.25
!
ip dhcp pool vlan1pool
 network 172.16.16.0 255.255.254.0
 default-router 172.16.16.1
 dns-server 8.8.8.8
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username youruser password 0 Yourpassword
!
redundancy
!
crypto vpn anyconnect flash:/webvpn/anyconnect-macos-4.7.00136-webdeploy-k9.pkg sequence 1
!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-4.7.00136-webdeploy-k9.pkg sequence 2
!
!
! Loopback0 is optional; use it if you'd like something to point at for routing needs.
! Its subnet is the one the VPN client addresses are assigned from.
interface Loopback0
 ip address 192.168.16.1 255.255.255.0
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 ip address 172.16.16.1 255.255.254.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool webvpn 192.168.16.100 192.168.16.150
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
ip access-list extended webvpn-acl
 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.31 eq 22
 permit ip 192.168.16.0 0.0.0.255 any
!
ipv6 ioam timestamp
!
!
access-list 1 permit 172.16.16.0 0.0.1.255
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
line con 0
line 1
 speed 115200
line aux 0
line vty 0 4
 transport input none
!
!
!
webvpn gateway gateway_name
 ip interface GigabitEthernet0 port 443
 http-redirect port 80
 ssl encryption 3des-sha1 aes128-sha1 rc4-md5 aes256-sha1
 ssl trustpoint SSLVPN_CERT
 inservice
!
webvpn context context_name
 title "Your Company's WebVPN"
 login-message "Enter your credentials"
 aaa authentication list SSLVPN_AAA
 gateway gateway_name
 max-users 10
 !
 ssl authenticate verify all
 !
 url-list "Internal Resources"
   heading "YourHeadingSystem"
   url-text "YourURLDescription" url-value "http://172.16.16.31"
 inservice
 !
 policy group group_name
   functions svc-enabled
   banner "Welcome to your company's Network"
   filter tunnel webvpn-acl
   svc address-pool "webvpn" netmask 255.255.255.0
   svc keep-client-installed
   svc homepage "http://yourwebsite.org"
   svc rekey method new-tunnel
   svc split include 172.16.16.0 255.255.254.0
   url-list "Internal Resources"
 default-group-policy group_name
!
end
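A WebVPN configuration like the one above has several pieces that must agree with each other (the gateway's trustpoint, the context's AAA list, the policy group's filter ACL and address pool, the pool versus the Loopback0 subnet), and the gateway's `ssl encryption` line decides which cipher suites clients can negotiate. The script below is an added example, not code from the original post: it parses an IOS-style configuration excerpt (one-space sub-mode indentation, as `show running-config` prints it) and reports dangling references, a missing `ssl encryption` line, and weak suites. `SAMPLE_CONFIG` is a constructed excerpt that mirrors the post's settings; the weak-suite list (`rc4`, `md5`, `3des`) is my own choice, and on this sample the only finding is that `3des-sha1` and `rc4-md5` are enabled, which a practitioner would normally drop in favour of the AES suites.

```python
"""Consistency and cipher audit for a Cisco IOS WebVPN configuration.

Added example, not from the original post. SAMPLE_CONFIG is a constructed
excerpt mirroring the post's settings, with IOS' one-space sub-mode indentation.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
aaa authentication login SSLVPN_AAA local
crypto pki trustpoint SSLVPN_CERT
 enrollment selfsigned
interface Loopback0
 ip address 192.168.16.1 255.255.255.0
ip local pool webvpn 192.168.16.100 192.168.16.150
ip access-list extended webvpn-acl
 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.31 eq 22
 permit ip 192.168.16.0 0.0.0.255 any
webvpn gateway gateway_name
 ip interface GigabitEthernet0 port 443
 ssl encryption 3des-sha1 aes128-sha1 rc4-md5 aes256-sha1
 ssl trustpoint SSLVPN_CERT
 inservice
webvpn context context_name
 aaa authentication list SSLVPN_AAA
 gateway gateway_name
 max-users 10
 policy group group_name
   filter tunnel webvpn-acl
   svc address-pool "webvpn" netmask 255.255.255.0
   svc split include 172.16.16.0 255.255.254.0
 default-group-policy group_name
"""

# Cipher-name fragments treated as weak (RC4, MD5 and 3DES suites); my own choice.
WEAK_FRAGMENTS = ("rc4", "md5", "3des")


def block(config, header):
    """Stripped sub-mode lines under the first top-level line starting with header."""
    out, inside = [], False
    for line in config.splitlines():
        if inside and line.startswith(" "):
            out.append(line.strip())
        elif inside:
            break
        elif line.startswith(header):
            inside = True
    return out


def find_line(lines, prefix):
    """First line starting with prefix, or None."""
    return next((l for l in lines if l.startswith(prefix)), None)


def defined(config, pattern):
    """True if a top-level line matching the (anchored, multiline) regex exists."""
    return re.search(pattern, config, re.M) is not None


def audit(config=SAMPLE_CONFIG):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    gw = block(config, "webvpn gateway")
    enc = find_line(gw, "ssl encryption")
    if enc is None:
        findings.append("gateway: no explicit 'ssl encryption' line")
    else:
        weak = [c for c in enc.split()[2:] if any(w in c for w in WEAK_FRAGMENTS)]
        if weak:
            findings.append("gateway: weak cipher suites enabled: " + ", ".join(weak))
    if "inservice" not in gw:
        findings.append("gateway: missing 'inservice'")
    tp = find_line(gw, "ssl trustpoint")
    if tp and not defined(config, rf"^crypto pki trustpoint {re.escape(tp.split()[2])}$"):
        findings.append(f"gateway: trustpoint {tp.split()[2]} is not defined")

    ctx = block(config, "webvpn context")  # includes the nested policy group lines
    aaa = find_line(ctx, "aaa authentication list")
    if aaa and not defined(config, rf"^aaa authentication login {re.escape(aaa.split()[3])} "):
        findings.append(f"context: AAA list {aaa.split()[3]} is not defined")

    pool_lo = None
    pool = find_line(ctx, "svc address-pool")
    if pool:
        name = pool.split()[2].strip('"')
        m = re.search(rf"^ip local pool {re.escape(name)} (\S+) (\S+)$", config, re.M)
        if not m:
            findings.append(f"policy group: address pool {name} is not defined")
        else:
            pool_lo, pool_hi = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
            users = find_line(ctx, "max-users")
            if users and int(users.split()[1]) > int(pool_hi) - int(pool_lo) + 1:
                findings.append("context: max-users exceeds the address pool size")
            lb = re.search(r"^interface Loopback0\n ip address (\S+) (\S+)", config, re.M)
            if lb and pool_lo not in ipaddress.ip_network(f"{lb[1]}/{lb[2]}", strict=False):
                findings.append("pool does not lie inside the Loopback0 subnet")

    acl = find_line(ctx, "filter tunnel")
    if acl:
        name = acl.split()[2]
        entries = block(config, f"ip access-list extended {name}")
        if not entries:
            findings.append(f"policy group: filter ACL {name} is not defined or empty")
        elif pool_lo is not None:
            # IOS wildcard masks are hostmasks, which ipaddress accepts after the slash.
            sources = [ipaddress.ip_network(f"{a}/{w}", strict=False) for a, w in
                       re.findall(r"permit \S+ (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})", "\n".join(entries))]
            if not any(pool_lo in n for n in sources):
                findings.append(f"filter ACL {name} never matches the VPN pool's source addresses")
    return findings


if __name__ == "__main__":
    for f in audit():
        print("FINDING:", f)
```

Run it against your own `show running-config` output by passing the text to `audit()`; the regexes anchor on top-level lines, so the excerpt must keep IOS' leading-space indentation.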
