SSL VPN for remote access is something I've always wanted to get going at home, but never could because I don't own an ASA. Somewhat recently, this feature was added to regular old IOS 12.4T. The configuration guide for this feature can be found here:
SSL VPN can be configured to work in three different modes. Only one of them was of real interest to me, and it is the one covered in this article.
1) Clientless Mode: The basic idea with clientless mode is that users hit a web portal in a browser. Once logged in, they get access to specific resources that are hard-coded on the router via things like bookmarks. Kind of neat, but fairly boring.
2) Thin Client Mode: From what I gather so far, thin client mode is basically a way to do port forwarding for specific applications. In other words, you can set it up so that when you hit a certain TCP/UDP port on your local machine, the connection is forwarded over the secure tunnel to an application on the remote network.
3) Full Tunnel Mode: This is the crown jewel I had been looking for. In full tunnel mode you get full IP connectivity: you are assigned an IP address from a pool you create, and you are effectively on the remote network. No portals or port forwarding, just full IP connectivity. This is what we will focus on in this article.
Step 1: Download and install the AnyConnect client package on the router
The idea with full tunnel mode is that a remote client hits the router via HTTPS and logs in to a web portal. Upon logging in, the Cisco AnyConnect client gets pushed down to the client and installed on their machine. To make this happen, we need to download the Cisco AnyConnect VPN client package to the flash of our router and install it. The package is operating system dependent; there are currently versions for Windows, Linux, Mac, and even some mobile platforms. If you have a router that will run 12.4(20)T or higher, you can install multiple packages and service multiple OSes. I personally have a 3725, which tops out at 12.4(15)T, so I am limited to a single operating system. I will mostly be using Windows, so that is what we will configure.
Downloading the AnyConnect client requires CCO access. Head over to the download area and into the security section. The file we will be working with tonight is anyconnect-win-2.5.1025-k9.pkg. Download this file into flash via TFTP or whatever method you prefer, then issue the following command on the router from global config mode:
webvpn install svc flash:/anyconnect-win-2.5.1025-k9.pkg
Once it crunches some numbers it should tell you the package was installed successfully. To validate this, run the command below:
Bono#show webvpn install status svc
SSLVPN Package SSL-VPN-Client version installed:
CISCO STC win2k+
Mon 08/16/2010 12:31:49.08 v
Step 2: Configure the SSL VPN Gateway
Now that the package we want to push down to clients is installed, we can begin the actual configuration. The first part is the gateway, which is pretty self-explanatory.
webvpn gateway SSLVPN
 ip interface FastEthernet0/1 port 443
 ssl trustpoint local
 inservice
We simply give our VPN gateway a name, tell it what interface and port to listen on, and put it in service. In this case, Fa0/1 is my Internet-facing outside interface. The ssl trustpoint line is the part that can get a bit tricky: it names the PKI trustpoint whose certificate and RSA key pair the gateway presents to clients during the TLS handshake, so the trustpoint has to exist and hold a valid certificate before the gateway will come up. You may need to regenerate the key pair and re-enroll the trustpoint to get it working properly. In my case, I recreated those keys and called them "local". Bear in mind that if the trustpoint holds a self-signed certificate, browsers and the AnyConnect client will warn about an untrusted certificate on every connection until that certificate is imported on the clients or replaced with one signed by a CA they already trust; a self-signed certificate also gives users no way to tell your router from someone else's box answering on 443.
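As an added example that is not part of the original post, here is one way to build the self-signed trustpoint that the ssl trustpoint local line refers to. The key label, the 2048-bit modulus and the hostname vpn.rfc791.org in the subject name are assumptions, not values taken from the post.

```cisco
! Added example (not the post's own config): self-signed trustpoint for the SSL VPN gateway.
! Generate a dedicated RSA key pair for the gateway. The label "local" is an
! assumption; any name works as long as it matches rsakeypair below.
crypto key generate rsa label local modulus 2048
!
! The trustpoint referenced by "ssl trustpoint local" under the webvpn gateway.
! "enrollment selfsigned" means the router issues its own certificate, so clients
! will warn about it until it is imported or replaced with a CA-signed one.
crypto pki trustpoint local
 enrollment selfsigned
 subject-name CN=vpn.rfc791.org
 rsakeypair local
!
! Create the certificate under the trustpoint.
crypto pki enroll local
!
! From exec mode afterwards: confirm the certificate exists before bringing the
! gateway into service, and confirm the gateway reports Operation "up".
show crypto pki certificates local
show webvpn gateway
```

The subject name should be whatever name users will actually type into the browser, otherwise they will get a name-mismatch warning on top of the untrusted-issuer one. If the key pair is later regenerated, the certificate must be re-enrolled as well, since the old certificate no longer matches the new key.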
Step 3: Configure the SSL VPN Context
webvpn context SSLVPN
 ssl authenticate verify all
 !
 policy group default
   functions svc-required
   svc address-pool "svc-pool"
   svc default-domain "rfc791.ORG"
   svc keep-client-installed
   svc split dns "rfc791.ORG"
   svc dns-server primary 10.1.10.7
 default-group-policy default
 gateway SSLVPN
 inservice
There are many different options you can configure; this is just a basic setup that has worked for me. We define a policy group named default and make it the default policy for the context. The policy requires that full tunnel mode be used (functions svc-required) and hands a few things to the VPN client: the primary DNS server and default domain, an IP address from the pool "svc-pool", and an instruction to leave the AnyConnect VPN client software installed after the session terminates. We then tie the context to our gateway configuration and put the context in service.
Let's take a look at a few more things to tie this together.
Bono#sh run | i ip local
ip local pool svc-pool 10.1.100.50 10.1.100.100
Bono#sh ip int brie | exc unass
Interface        IP-Address    OK? Method Status  Protocol
FastEthernet0/0  10.1.19.5     YES NVRAM  up      up
FastEthernet0/1  71.238.x.y    YES DHCP   up      up
NVI0             10.1.19.5     YES unset  up      up
Loopback0        10.1.1.1      YES NVRAM  up      up
Loopback1        10.1.100.1    YES manual up      up
Tunnel0          10.0.10.2     YES NVRAM  up      up
Bono#sh run int lo1
Current configuration : 154 bytes
!
interface Loopback1
 ip address 10.1.100.1 255.255.255.0
 ip nat inside
 ip ospf network point-to-point
So there are a few important pieces here. First, you can see the local pool we created; this is the pool users get their IP address from when they connect to the VPN. Next, we created a Loopback1 interface and gave it an address in the same subnet as the pool. This is because the router must have a directly connected interface in the same subnet as the pool of addresses it hands out: when a remote user connects, that directly connected interface becomes the user's default gateway over the tunnel, and without it nothing would work. Keep the loopback address itself outside the pool range (here 10.1.100.1 against a pool of .50 through .100) so it can never be handed to a client. Also notice that we enabled "ip nat inside" on that loopback. This is so that a user who comes in over the VPN can hairpin back out to the Internet through the router's NAT. Since this is a full tunnel with no split tunneling configured, that means all of the remote user's Internet traffic leaves through your connection, which is exactly the point, but it is worth knowing when you hand out accounts.
Some more verification:
Bono#show webvpn gateway
Gateway Name    Admin    Operation
------------    -----    ---------
SSLVPN          up       up
Bono#show webvpn context
Codes: AS - Admin Status, OS - Operation Status
       VHost - Virtual Host

Context Name    Gateway    Domain/VHost    VRF    AS    OS
------------    -------    ------------    ---    --    --
SSLVPN          SSLVPN     -               -      up    up
That should basically be it. As far as usernames and passwords go, the context falls back to the router's default login authentication method (the aaa authentication login default list) unless you point it at a specific list with aaa authentication list under the context; whatever that list resolves to is what gates access to your whole internal network, so make sure it is not quietly falling back to a weak local account. In my case, I already have a TACACS+ server running, so that is how I get authenticated to the VPN. Now all you have to do is browse to https://youroutsideIP and log in to the SSL VPN portal. Once you do, the AnyConnect client is installed and then connects. If you have done everything properly, you should get a 10.1.100.x address and be ready to go!
There are obviously many more options and configuration scenarios. Hopefully this has been helpful to some people out there in getting a basic full tunnel configuration going!
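As an added example that is not part of the original post, here is how the authentication side can be made explicit instead of relying on whatever the default login list happens to be. The TACACS+ server address and key, the list name SSLVPN-AUTH and the local account are all assumptions; the context name SSLVPN is the one used above.

```cisco
! Added example (not the post's own config): explicit AAA for the SSL VPN context.
! Server address, shared key, list name and the local account are assumptions.
aaa new-model
tacacs-server host 10.1.10.8 key 0 ExampleSharedSecret
!
! Default list, used by the webvpn context when no list is named. The trailing
! "local" keeps console/SSH management possible if the TACACS+ server is down.
aaa authentication login default group tacacs+ local
!
! Dedicated list for VPN users with no local fallback: if TACACS+ is unreachable
! the VPN login fails closed rather than accepting the local recovery account.
aaa authentication login SSLVPN-AUTH group tacacs+
!
! Local account for out-of-band recovery only; SSLVPN-AUTH never consults it.
username admin privilege 15 secret ExampleAdminPassword
!
! Point the context at the dedicated list instead of the default one.
webvpn context SSLVPN
 aaa authentication list SSLVPN-AUTH
!
! From exec mode after a client connects: confirm the session exists and that the
! client received an address from the svc-pool range.
show webvpn session context SSLVPN
```

The split between the two lists is the point of the example: a local fallback is convenient for getting back into the router when the TACACS+ server is unreachable, but the same fallback on the VPN list would let anyone who learns that one password onto the internal network, so the VPN list deliberately has none.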
Joe Astorino, CCIE #24347