Cisco IOS AnyConnect SSL VPN Configuration

15 September 2011

Cisco have been pushing the new versions of their AnyConnect client for some time now. They have also announced End of Sale for the traditional IPsec-based client, which has been around for a number of years. This means the IPsec client will not be made available for new OS platforms, and it is also not supported on 64-bit platforms.

The new client is the AnyConnect Secure Mobility Client which will be the platform to use moving forwards.

At the head end, both Cisco ASA firewalls and IOS-based routers with the correct software image are supported. Licenses are required on both platforms. This is a change from Cisco's previous model: on the ASA platform in particular, the cost of IPsec VPN was bundled into the unit cost.

Below is a sample config for an IOS-based router. You will need IOS version 15 for this to work properly.

! Enable the IOS HTTP and HTTPS servers
ip http server
ip http secure-server
!
! Addresses handed out to connected AnyConnect clients
ip local pool client-pool 10.255.255.1 10.255.255.10
!
webvpn gateway SSLVPN
 ip address X.X.X.X port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3096684075
 inservice
!
! AnyConnect client package pushed to users from flash
webvpn install svc flash:/webvpn/anyconnect-win-3.0.3054-k9.pkg sequence 1
!
webvpn context SSLVPN
 ssl authenticate verify all
 !
 policy group SSLVPN_Policy
   functions svc-required
   svc address-pool "client-pool"
   svc keep-client-installed
   svc split include 10.1.200.0 255.255.255.0
   svc split include 192.168.100.0 255.255.255.0
 default-group-policy SSLVPN_Policy
 gateway SSLVPN
 max-users 10
 inservice
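
As an added example (not part of the original post), the following Python checks a saved IOS webvpn configuration for three points a reviewer would raise when reading the sample above: a gateway whose ssl trustpoint is self-signed (so clients cannot validate the head end), an svc address-pool that references a pool which is not defined, and a plaintext "ip http server" left enabled without an "ip http access-class" restriction. The embedded config text, the trustpoint name CORP-CA-TP and the access-class number used in testing are constructed.

```python
import re
# Constructed sample modelled on the post's config, with IOS indentation restored.
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
ip local pool client-pool 10.255.255.1 10.255.255.10
webvpn gateway SSLVPN
 ip address X.X.X.X port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3096684075
 inservice
webvpn context SSLVPN
 policy group SSLVPN_Policy
   svc address-pool "client-pool"
   svc split include 10.1.200.0 255.255.255.0
 default-group-policy SSLVPN_Policy
 inservice
"""

def parse_blocks(config):
    """Map each top-level IOS command (column 0) to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):   # skip blanks and '!' comments
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def audit_webvpn(config):
    """Return reviewer findings for an IOS AnyConnect (webvpn) configuration."""
    blocks = parse_blocks(config)
    findings = []
    pools = {hdr.split()[3] for hdr in blocks if hdr.startswith("ip local pool ")}
    if "ip http server" in blocks and not any(h.startswith("ip http access-class") for h in blocks):
        findings.append("plaintext HTTP server enabled without ip http access-class")
    for header, lines in blocks.items():
        if header.startswith("webvpn gateway "):
            tp = [l for l in lines if l.startswith("ssl trustpoint ")]
            if not tp or "self-signed" in tp[0].lower():
                findings.append(f"{header}: no CA-signed trustpoint, clients cannot verify the gateway")
        elif header.startswith("webvpn context "):
            for line in lines:   # policy-group lines are indented under the context
                m = re.match(r'svc address-pool "?([^"]+)"?$', line)
                if m and m.group(1) not in pools:
                    findings.append(f"{header}: address pool {m.group(1)!r} is not defined")
    return findings
```

Run audit_webvpn() over the output of "show running-config" saved to a file; an empty list means none of the three checks fired.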

Barry Hesk