Cisco Support Community

New Member

My Problem: Cisco Anyconnect Client with IOS SSL

Hi Team,

I am trying to set up the Cisco IOS SSL to support the AnyConnect client.

Much as I have entered all the required commands, the configuration doesn't work. My IOS is (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T.

I would appreciate it if anyone on this team with experience setting up AnyConnect with IOS could draw my attention to any caveats.

I have selected the necessary portion of my router config for your review, if necessary.

Many thanks.

aaa new-model
!
aaa authentication login VPN local
aaa authorization network VPN local
crypto pki trustpoint TP-self-signed-2613188008
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2613188008
 revocation-check none
 rsakeypair TP-self-signed-2613188008
username remote secret 5 $1$86qN$CJ2uc1l7PYy7a5sNMrPK2/
ip local pool WEBVPN 192.168.250.11 192.168.250.111
webvpn gateway SSL
 hostname CIS-EDGE1
 ip address 80.87.77.18 port 443
 http-redirect port 80
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint TP-self-signed-2613188008
 inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn install svc flash:/webvpn/svc_2.pkg sequence 2
!
webvpn install svc flash:/webvpn/svc_3.pkg sequence 3
!
webvpn context SSL
 ssl authenticate verify all
 !
 !
 policy group SSL
  functions svc-enabled
  svc address-pool "WEBVPN"
  svc default-domain "cisghana.com"
  svc keep-client-installed
  svc dpd-interval gateway 30
  svc keepalive 300
  svc split dns "cisghana.com"
  svc split include 192.168.1.0 255.255.255.0
  svc split include 192.168.3.0 255.255.255.0
  svc split include 192.168.4.0 255.255.255.0
  svc split include 192.168.21.0 255.255.255.0
  svc dns-server primary 192.168.21.17
  svc dns-server secondary 192.168.21.18
 default-group-policy SSL
 aaa authentication list VPN
 aaa authorization list VPN
 gateway SSL domain cisghana.com
 logging enable
 inservice
interface Loopback1
 description For SSL VPN Use
 ip address 192.168.250.250 255.255.255.0
interface GigabitEthernet0/0.80
 encapsulation dot1Q 80
 ip address 80.87.77.18 255.255.255.248
 ip access-group OUTSIDE in //this acl permits ports 80 and 443 to the interface
 no ip unreachables
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly

2 REPLIES
New Member

Re: My Problem: Cisco Anyconnect Client with IOS SSL

What does not work, specifically? What errors are you seeing? What client are you testing, win-mac-linux?

Did you try without the ACL and the NAT?

New Member

Re: My Problem: Cisco Anyconnect Client with IOS SSL

Thanks Pedrulesall,

I am testing the Win client.

When I direct my browser to the outside interface of my router (https://80.87.77.18), it only warns me of an unknown certificate, and when I agree to proceed, nothing appears in my browser or I get 'the webpage cannot be found' error depending on the browser in use.

If I access using http, the redirect to https works fine but nothing appears in my browser.

I receive no errors besides the certificate warnings, for which I always proceed affirmatively.

I have also manually installed the AnyConnect client on my Vista laptop for testing. When I connect using this client, it only prompts me about an unknown certificate. After accepting to continue, nothing more happens. It remains 'Contacting 80.87.77.18' forever.

I get a similar outcome even when the ACL is removed.

I hope the information provided above is sufficient. Thanks in advance.

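One check worth running on a configuration like the one posted at the top of this thread is whether every name the WebVPN gateway and context refer to (trustpoint, address pool, policy group, AAA lists, gateway) is defined somewhere. The following is an added example, not part of any post in the thread. `CONFIG` is abridged from the posted configuration, the function names are hypothetical, and matching names globally rather than per context is a simplifying assumption.

```python
import re

# Abridged from the configuration posted in this thread (indentation restored).
CONFIG = """\
aaa authentication login VPN local
aaa authorization network VPN local
crypto pki trustpoint TP-self-signed-2613188008
ip local pool WEBVPN 192.168.250.11 192.168.250.111
webvpn gateway SSL
 ssl trustpoint TP-self-signed-2613188008
webvpn context SSL
 policy group SSL
  svc address-pool "WEBVPN"
 default-group-policy SSL
 aaa authentication list VPN
 aaa authorization list VPN
 gateway SSL domain cisghana.com
"""

# Commands that define a named object, and commands that refer to one.
DEFINES = [(r"crypto pki trustpoint (\S+)", "trustpoint"),
           (r"ip local pool (\S+)", "address pool"),
           (r"webvpn gateway (\S+)", "gateway"),
           (r"policy group (\S+)", "policy group"),
           (r"aaa authentication login (\S+)", "login list"),
           (r"aaa authorization network (\S+)", "network authorization list")]
REFS = [(r"ssl trustpoint (\S+)", "trustpoint"),
        (r"svc address-pool (\S+)", "address pool"),
        (r"gateway (\S+)", "gateway"),
        (r"default-group-policy (\S+)", "policy group"),
        (r"aaa authentication list (\S+)", "login list"),
        (r"aaa authorization list (\S+)", "network authorization list")]

def names(lines, table):
    """Yield (kind, name, line) for each line matching a pattern in table."""
    for line in lines:
        for pattern, kind in table:
            m = re.match(pattern, line)
            if m:
                yield kind, m.group(1).strip('"'), line

def dangling_references(config):
    """Return one message per reference to an object the config never defines."""
    lines = [ln.strip() for ln in config.splitlines()]
    defined = {(kind, name) for kind, name, _ in names(lines, DEFINES)}
    return [f"{line!r}: {kind} {name!r} is not defined"
            for kind, name, line in names(lines, REFS)
            if (kind, name) not in defined]
```

Each line is stripped before matching, so the check also works on configuration text whose indentation was lost when it was pasted.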