My Problem: Cisco AnyConnect Client with IOS SSL

Unanswered Question
Apr 1st, 2009

Hi Team,

I am trying to set up the Cisco IOS SSL VPN to support the AnyConnect client.

Much as I have entered all the required commands, the configuration doesn't work. My IOS is (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T.

I would appreciate it if anyone in this team with experience setting up AnyConnect with IOS could draw my attention to any caveats.

I have selected the necessary portion of my router config for your review, if necessary.

Many thanks.

aaa new-model
!
aaa authentication login VPN local
aaa authorization network VPN local
!
crypto pki trustpoint TP-self-signed-2613188008
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2613188008
 revocation-check none
 rsakeypair TP-self-signed-2613188008
!
username remote secret 5 $1$86qN$CJ2uc1l7PYy7a5sNMrPK2/
!
ip local pool WEBVPN 192.168.250.11 192.168.250.111
!
webvpn gateway SSL
 hostname CIS-EDGE1
 ip address 80.87.77.18 port 443
 http-redirect port 80
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint TP-self-signed-2613188008
 inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn install svc flash:/webvpn/svc_2.pkg sequence 2
!
webvpn install svc flash:/webvpn/svc_3.pkg sequence 3
!
webvpn context SSL
 ssl authenticate verify all
 !
 policy group SSL
   functions svc-enabled
   svc address-pool "WEBVPN"
   svc default-domain "cisghana.com"
   svc keep-client-installed
   svc dpd-interval gateway 30
   svc keepalive 300
   svc split dns "cisghana.com"
   svc split include 192.168.1.0 255.255.255.0
   svc split include 192.168.3.0 255.255.255.0
   svc split include 192.168.4.0 255.255.255.0
   svc split include 192.168.21.0 255.255.255.0
   svc dns-server primary 192.168.21.17
   svc dns-server secondary 192.168.21.18
 default-group-policy SSL
 aaa authentication list VPN
 aaa authorization list VPN
 gateway SSL domain cisghana.com
 logging enable
 inservice
!
interface Loopback1
 description For SSL VPN Use
 ip address 192.168.250.250 255.255.255.0
!
interface GigabitEthernet0/0.80
 encapsulation dot1Q 80
 ip address 80.87.77.18 255.255.255.248
 ip access-group OUTSIDE in
 ! this ACL permits ports 80 and 443 to the interface
 no ip unreachables
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly

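Before looking at the TLS layer, a reviewer would first confirm that every name the WebVPN context and gateway point at actually exists and that both are enabled. The following Python check is an added example, not code from the original post or from Cisco: it parses a constructed, indented subset of the configuration quoted above, resolves the cross-references between gateway, context, policy group, trustpoint, address pool and AAA lists, confirms both `webvpn gateway` and `webvpn context` carry `inservice`, and flags the 3DES suite, which is deprecated. `lint`, `names` and `refs` are hypothetical helper names.

```python
import re

# Constructed excerpt of the posted configuration, indented the way IOS prints it.
CONFIG = """\
aaa authentication login VPN local
aaa authorization network VPN local
crypto pki trustpoint TP-self-signed-2613188008
 rsakeypair TP-self-signed-2613188008
ip local pool WEBVPN 192.168.250.11 192.168.250.111
webvpn gateway SSL
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint TP-self-signed-2613188008
 inservice
webvpn context SSL
 policy group SSL
  svc address-pool "WEBVPN"
 aaa authentication list VPN
 aaa authorization list VPN
 gateway SSL domain cisghana.com
 inservice
"""

def lint(cfg):
    """Return findings: dangling cross-references and settings a reviewer would question."""
    b, cur = {}, None  # top-level command -> its indented sub-commands (any depth)
    for line in cfg.splitlines():
        if line and not line.startswith(" "):
            cur = b.setdefault(line, [])
        elif cur is not None:
            cur.append(line.strip())
    names = lambda prefix: {k[len(prefix):].split()[0] for k in b if k.startswith(prefix)}
    def refs(prefix, pat):  # first capture group of every matching sub-command
        return [m.group(1) for k in b if k.startswith(prefix)
                for line in b[k] if (m := re.match(pat, line))]
    findings, checks = [], [  # (block holding the reference, regex, prefix of the named object)
        ("webvpn context", r"gateway (\S+)", "webvpn gateway "),
        ("webvpn gateway", r"ssl trustpoint (\S+)", "crypto pki trustpoint "),
        ("webvpn context", r'svc address-pool "?([^"]+)"?', "ip local pool "),
        ("webvpn context", r"aaa authentication list (\S+)", "aaa authentication login "),
        ("webvpn context", r"aaa authorization list (\S+)", "aaa authorization network "),
    ]
    for where, pat, target in checks:
        findings += [f"{where} references missing {target.strip()} {ref}"
                     for ref in refs(where, pat) if ref not in names(target)]
    for kind in ("webvpn gateway", "webvpn context"):  # both must be enabled to serve clients
        findings += [f"{kind} {name} is not inservice" for name in names(kind + " ")
                     if "inservice" not in b[f"{kind} {name}"]]
    for suites in refs("webvpn gateway", r"ssl encryption (.+)"):  # 3DES is deprecated
        findings += [f"weak cipher suite {s} offered" for s in suites.split() if "3des" in s]
    return findings
```

On the posted excerpt every reference resolves and both blocks are in service, so the only finding is the 3DES suite; renaming the gateway, the pool or dropping an `inservice` line produces a finding for each.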
pedrulesall Wed, 04/01/2009 - 13:49

What does not work, specifically? What errors are you seeing? What client are you testing: Win, Mac or Linux?

Did you try without the ACL and the NAT?

felixnkansah Wed, 04/01/2009 - 18:22

Thanks Pedrulesall,

I am testing the Win client.

When I direct my browser to the outside interface of my router (https://80.87.77.18), it only warns me of an unknown certificate, and when I agree to proceed, nothing appears in my browser or I get a 'the webpage cannot be found' error, depending on the browser in use.

If I access using http, the redirect to https works fine but nothing appears in my browser.

I receive no errors besides the certificate warnings, for which I always proceed affirmatively.

I have also manually installed the AnyConnect client on my Vista laptop for testing. When I connect using this client, it only prompts me about an unknown certificate. After accepting to continue, nothing more happens. It remains 'Contacting 80.87.77.18' forever.

I get a similar outcome even when the ACL is removed.

I hope the information provided above is sufficient. Thanks in advance.
