Friday, 7 June 2013

Cisco IOS SSL VPN Configuration Guide


The Cisco SSL VPN (also known as WebVPN) is a remote access solution which enables a remote user to access his corporate network from anywhere on the Internet. Remote access is provided through a Secure Socket Layer (SSL) enabled SSL VPN gateway. The SSL VPN gateway allow remote users to establish a secure Virtual Private Network (VPN) tunnel using a web browser.

SSL VPN provides the following three mode of access:

1. Clientless  - Clientless mode provides secure access to private web resources. You can access all the resources in your company which uses a web interface.

2. Thin-client - Thin-client mode extend the capability by enabling us to access TCP-based applications such as POP3, SMTP, IMAP, SSH.

3. Full-tunnel - Full-tunnel mode provide access to virtually any application inside your company. Here the remote user will download a Cisco AnyConnect VPN client (next-generation VPN client) from the IOS router to use SSL.

Clientless SSL VPN Vs Easy VPN

Clientless SSL VPNEasy VPN
Doesn't require any client software on end user but a web browser.Require VPN client software to be installed on client machine.
Users doesn't have access to all network resources.Full access to all network resources.
Support mostly web based services.Support virtually all services.
It can transverse firewall and NAT configuration.Require to change firewall and NAT configuration.
It won't support low-latency application.Support low-latency application.

SSL VPN Session Establishment

Step-by-step IOS SSL VPN Configuration

This document will show you how to configure a SSL VPN in full tunnel and clientless mode on an IOS device. Configuration is based on a Cisco 2900 Integrated Service Router running with 15.0(1)M3 code.

Network Diagram

Configuration Tasks

1. Enable and configure AAA.

2. Generate RSA Keypair and Configure Trustpoint.

3. Configure SSL VPN IP pool.

4. Setup SSL VPN Gateway.

5. Upload & Install AnyConnect VPN Software (SVC) on Router.

6. Setup SSL VPN Context and Configure Group policy

1. Configuring AAA for SSL VPN authentication

Enable AAA in router for client authentication. VPN users have to be authenticated with either a local database or an authentication server like RADIUS  or TACACS+. In this example I used local database to authenticate VPN users.

CORPORATE(config)#aaa new-model
CORPORATE(config)#aaa authentication login SSL_AUTHEN local

Create  username and password in local database:

CORPORATE(config)#username administrator privilege 15 password mypassword
CORPORATE(config)#username tony  password cisco123

2. Generating RSA Keypair and Configuring Trustpoint.

We have to create a RSA keypair using the crypto key generate rsa command. Before that you have to make sure that you have set a host name and domain name on your router.

CORPORATE(config)#crypto key generate rsa general-keys label RSA-KEY mod 4096
The name for the keys will be: RSA-KEY

% The key modulus size is 4096 bits
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 71 seconds)

Configuring the Trustpoint:

Now we have to declare the trust point that the router should use. To do so type the below commands in global configuration mode.

CORPORATE(config)#crypto pki trustpoint MY-TRUSTPOINT
CORPORATE(ca-trustpoint)#enrollment selfsigned
CORPORATE(ca-trustpoint)#subject-name CN=my-certificate
CORPORATE(ca-trustpoint)#rsakeypair RSA-KEY

Enrolling Certificate:

The next step is to enroll the self signed certificate that you have just created. If you have already created a certificate you can either use that or overwrite it by typing yes.

CORPORATE(config)#crypto pki enroll MY-TRUSTPOINT
% Include the router serial number in the subject name? [yes/no]: y
% Include an IP address in the subject name? [no]: n
Generate Self Signed Router Certificate? [yes/no]: y

Router Self Signed Certificate successfully created

3. Configuring SSL VPN pool IP address

CORPORATE(config)#ip local pool SSL-POOL

4. Setting up SSL VPN Gateway

The WebVPN Gateway is used to terminate the SSL connection from the user. The basic configuration requires an IP address on the same subnet as one of the public network interfaces; this could be the same address used on the public network interface, or another address in the same subnet. Alternately, you can define a loopback interface, and use an address in that subnet, just as long as the address is reachable on the public network.

CORPORATE(config)#webvpn gateway SSLVPNGW
Activation  of the  software command line interface will be evidence of
your acceptance of this agreement.

ACCEPT? [yes/no]: yes
CORPORATE(config-webvpn-gateway)#ip address port 443
CORPORATE(config-webvpn-gateway)#ssl trustpoint MY-TRUSTPOINT

5. Upload & Install AnyConnect VPN Software (SVC) on Router

Now upload the Cisco AnyConnect VPN client to the router's flash memory. You can use a TFTP server to do this. In this example we are uploading 'anyconnect-win-3.1.00495-k9.pkg' to router's flash using a TFTP server.

CORPORATE(config)#copy tftp flash:
Address or name of remote host []?
Source filename []? anyconnect-win-3.1.00495-k9.pkg
Destination filename [anyconnect-win-3.1.00495-k9.pkg]?
Accessing tftp://
Loading anyconnect-win-3.1.00495-k9.pkg from (via GigabitEthernet0/0): !!!!!!!!!!!!!!!!!!!!!

[OK - 29806775 bytes]

29806775 bytes copied in 50.70 secs (587858 bytes/sec)

Verify the upload using 'show flash' in global configuration command.

Installing SVC (AnyConnect) package:

Install the SSL VPN Client (SVC) on your router. To do so type the below command in global configuration mode.

CORPORATE(config)#webvpn install svc flash://anyconnect-win-3.1.00495-k9.pkg
SSLVPN Package SSL-VPN-Client (seq:1): installed successfully

6. Setup SSL VPN Context and Configure Group policy

The WebVPN context is where the SSL VPN is terminated, and the user's VPN session is established. The context also contains all of the policies that can be applied to a user, including authentication, authorization, and accounting (AAA), virtual routing and forwarding instances (VRFs), and group policies. This is where the user authentication takes place, and group policies are applied to the user session.

Furthermore, the context can define the way the SSL VPN Web portal will appear to the user by specifying the colors and the images. The context is basically a container for user sessions. The WebVPN context uses a WebVPN gateway for the SSL session termination endpoint IP address. Multiple contexts can use one WebVPN gateway by using the domain keyword, and specifying a label.

Type the below commands to setup a context named 'VPN1' and a group policy called 'MYPOLICY'.

CORPORATE(config)#webvpn context VPN1
CORPORATE(config-webvpn-context)#ssl authenticate verify all
CORPORATE(config-webvpn-context)#url-list "WebServers"
CORPORATE(config-webvpn-url)#heading "Intranet Websites"
CORPORATE(config-webvpn-url)#url-text "FTPServer" url-value ""
CORPORATE(config-webvpn-url)#url-text "AbcServer" url-value ""
CORPORATE(config-webvpn-context)#policy group MYPOLICY
CORPORATE(config-webvpn-group)#banner "Welcome to Tony's SSL VPN Services"
CORPORATE(config-webvpn-group)#functions svc-enabled
CORPORATE(config-webvpn-group)#url-list "WebServers"
CORPORATE(config-webvpn-group)#svc address-pool "SSL-POOL" netmask
CORPORATE(config-webvpn-group)#svc keep-client-installed
CORPORATE(config-webvpn-group)#svc dns-server primary
CORPORATE(config-webvpn-context)#default-group-policy MYPOLICY
CORPORATE(config-webvpn-context)#aaa authentication list SSL_AUTHEN
CORPORATE(config-webvpn-context)#gateway SSLVPNGW
CORPORATE(config-webvpn-context)#max-users 20

There we finish the configuration of Cisco SSL VPN on an IOS Router.

Now enter the address of your WebVPN gateway '' on a SSL enabled web browser and you will be presented with a SSL VPN login page.

Login with your credentials that you have created in the local database.

Now you will be presented with your home page.This is the SSL VPN clientless mode from which the user can launch any web services from the WebVPN portal.

SSL VPN Full Tunnel Mode

Click the 'Start' tab, which you find on the right pane of your home page, to start downloading AnyConnect secure mobility client on your PC. The below screenshot shows the AnyConnect client installation process.

After the installation you will get the Cisco AnyConnect Secure Mobility Client on your PC and you can click 'Connect' to establish the secure VPN connection using full tunnel. In full tunnel mode you can access virtually any application in your corporate network.

IOS SSL VPN Portal Customization (Optional)

You can customize the SSL VPN portal by changing the color, banner, adding your company logo etc.

Example of Portal customization :

webvpn context VPN1
title "The Diary of a Networker SSL VPN Services"
logo file flash:/networker.gif
title-color 255,0,255
secondary-color 222,184,135
title-color 205,41,144
ssl authenticate verify all

 policy group MYPOLICY
 banner "Welcome to Tony's SSL VPN Services"

Below screenshot shows a customized portal of SSL Clientless VPN.

For more info about customization visit SSL VPN Portal Customization.

Allow SSL VPN through Zone Based Firewall

Refer Allow SSL WebVPN through Zone Based Firewall for more information and configuration.

Verification and Troubleshooting

Verification Command List :
  • show webvpn gateway 
  • show webvpn context
  • show webvpn install package svc
  • show webvpn install status svc
  • show webvpn policy group MYPOLICY context
  • show webvpn session context all
  • show webvpn stats detail context all
Troubleshooting Command List :
      SSL VPN Clear Commands :
  • clear webvpn nbns - Clears the NBNS cache on an SSL VPN gateway.
  • clear webvpn session - Clears SSL VPN remote user sessions.
  • clear webvpn stats - Clears SSL VPN application and access counters.
      SSL VPN Debug Commands :
  •  debug webvpn [verbose] [aaa | acl | cifs | citrix [verbose] | cookie [verbose] | count | csd | data | dns | emweb [state] | entry context-name [source ip [network-mask] | user username] | http [authentication | trace | verbose] | package | sdps [level number] | sock [flow] | sso | timer | trie | tunnel [traffic acl-number | verbose] | url-disp | webservice [verbose]]
         Example : debug webvpn

Useful Links


  1. Hello,

    Thank you for interesting article. I set my Cisco 1941 as you said, but I have problem with downloading the AnyConnect Client. I can reach my WEBVPN page, login and start the client, but it is not succesfully downloaded - as you can on attached screens. Do you know what Im doing wrong? I can post you the router config. I will be very glad for any help.

    Thank you in advice.




  2. I post debug info, when i try to connect the client with the public IP on which is the router set:

    *Apr 1 13:47:29.891: WV: sslvpn process rcvd context queue event
    *Apr 1 13:47:29.895: WV: sslvpn process rcvd context queue event
    *Apr 1 13:47:30.179: WV: sslvpn process rcvd context queue event
    *Apr 1 13:47:30.179: WV: sslvpn process rcvd context queue event
    *Apr 1 13:47:30.199: WV: sslvpn process rcvd context queue event
    *Apr 1 13:47:30.199: WV: Entering APPL with Context: 0x27F07A08,
    Data buffer(buffer: 0x27F72120, data: 0xE9F6558, len: 203,
    offset: 0, domain: 0)
    *Apr 1 13:47:30.199: WV: http request: / with no cookie
    *Apr 1 13:47:30.199: WV: validated_tp : cert_username : matched_ctx :
    *Apr 1 13:47:30.199: WV: failed to get sslvpn appinfo from opssl

    *Apr 1 13:47:30.199: WV: Client side Chunk data written..
    buffer=0x27F72520 total_len=186 bytes=186 tcb=0x3145CC78
    *Apr 1 13:47:30.199: WV: sslvpn process rcvd context queue event
    *Apr 1 13:47:42.527: WV: sslvpn process rcvd context queue event
    *Apr 1 13:47:42.527: WV: sslvpn process rcvd context queue event
    *Apr 1 13:47:42.531: WV: sslvpn process rcvd context queue event
    *Apr 1 13:47:42.531: WV: Entering APPL with Context: 0x27F06AB8,
    Data buffer(buffer: 0x27F72120, data: 0xE9F6558, len: 238,
    offset: 0, domain: 0)
    *Apr 1 13:47:42.531: WV: Fragmented App data - buffered
    *Apr 1 13:47:42.531: WV: Entering APPL with Context: 0x27F06AB8,
    Data buffer(buffer: 0x27F72520, data: 0xDD9DF58, len: 210,
    offset: 0, domain: 0)
    *Apr 1 13:47:42.531: WV: Appl. processing Failed : 2
    *Apr 1 13:47:42.531: WV: server side not ready to send.

    1. Hi,

      Could you work through and let me know if that helps?

      Also try downloading the client from a different machine, Win 8.1 possibly.


  3. how do you install Package for WEBVPN, and without package how can we work on GNS3