[AusNOG] Cisco SSL VPN \w AnyConnect on 891-F

Beeson, Ayden abeeson at csu.edu.au
Mon Jan 20 17:24:17 EST 2020


Hey Rhys,

Sorry it’s a bit late, I’ve been off for a few days. Hopefully this is still helpful.

We’ve got SSL VPNs running on a couple of 887s we use for OOB management; we are running 15.9 on them and it seems to function, and IIRC we had 15.6 before, so you should be ok with 15.7.x.

With that said, there are a few caveats I am aware of:

  1.  You have to have a valid cert, they don’t seem to like self-signed certs at all. Not sure if this is 100% a showstopper or can be worked around, but I never had any luck getting a 1941 to run the same VPN config, and that was the only difference I could find. Don’t ask me why, AnyConnect had verify off etc, and yet it would just throw a generic error and die, and I never got around to troubleshooting it further as it was just for home and it wasn’t critical.
  2.  You need access to the AnyConnect client software to load onto the router, which needs to be done beforehand or some of these commands won’t run. It’ll take it from the flash, and then install it into a folder in the flash (at which point you are safe to delete the original file if you want / need the space).
  3.  Depending on your exact code version, YMMV. This is not an exhaustive or conclusive list of caveats or requirements.

Looking at your config below, your "functions svc-enabled" is given after you have left the policy group. The AAA auth list is just in the webvpn context, which is pulling you out of the policy group. The config we run looks like this:
webvpn gateway Remote_VPN
ip interface Ethernet0 port 443
ssl trustpoint Remote_VPN_Trustpoint
inservice
!
webvpn context Remote_VPN
title "Remote VPN"
!
acl "Remote_ACL"
   permit ip REDACTED
login-message "REDACTED"
aaa authentication list VPN_Users
gateway Remote_VPN
!
ssl authenticate verify all
inservice
!
policy group Remote_VPN
   functions svc-enabled
   functions svc-required
   filter tunnel Remote_ACL
   svc address-pool "VPN_Users" netmask REDACTED
   svc rekey method new-tunnel
   svc split include REDACTED
default-group-policy Remote_VPN
!

Obviously you need your cert as well (Remote_VPN_Trustpoint in our case), your AAA auth list, and your AnyConnect packages, which are all specified outside this block, and you might need to change the bound interface in the gateway etc. (we had a dialer before, so I know it works there too).

Cheers,
Ayden
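
As an added example (my own code, not anything posted in the thread and not a Cisco tool), the script below checks the structure of a webvpn block the way the reply above does by eye: it walks the indentation of an IOS running-config and reports policy-group commands such as "functions svc-enabled" that have landed at context level, a gateway referenced before it is defined, a gateway with no "ssl trustpoint", a context with no AAA list, and a policy group that never enables the AnyConnect tunnel. It assumes the usual "show running-config" layout (sub-commands indented by spaces, "!" as a separator); the interface names, pool names and addresses in the two embedded sample configs are constructed.

```python
"""Structural checker for a Cisco IOS webvpn (AnyConnect) config block.

Added example, not part of the thread. It reads the IOS running-config layout
(sub-commands indented by spaces, '!' as a separator) and flags commands typed
in the wrong configuration mode, such as 'functions svc-enabled' at context
level instead of inside 'policy group'. Sample names/addresses are constructed.
"""

GROUP_ONLY = ("functions ", "filter tunnel ", "svc ")  # policy-group mode only


def parse_ios(text):
    """Return (path, command) pairs; path is the tuple of enclosing section headers."""
    entries, stack = [], []                      # stack of (indent, header)
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":                # '!' separators carry no structure
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:  # a dedent closes enclosing sections
            stack.pop()
        entries.append((tuple(h for _, h in stack), cmd))
        stack.append((indent, cmd))
    return entries


def check_webvpn(text):
    """Return a list of findings; an empty list means the block is structurally sound."""
    gateways, contexts, findings = {}, {}, []
    for path, cmd in parse_ios(text):
        if not path:                             # top-level section headers
            if cmd.startswith("webvpn gateway "):
                gateways[cmd.split()[2]] = set()
            elif cmd.startswith("webvpn context "):
                contexts[cmd.split()[2]] = {"cmds": set(), "groups": {}}
            continue
        top = path[0]
        if top.startswith("webvpn gateway "):
            gateways[top.split()[2]].add(cmd)
        elif top.startswith("webvpn context "):
            ctx = contexts[top.split()[2]]
            if len(path) == 1:                   # directly under the context
                ctx["cmds"].add(cmd)
                if cmd.startswith("policy group "):
                    ctx["groups"].setdefault(cmd.split()[2], set())
                if cmd.startswith(GROUP_ONLY):   # the mistake discussed in the thread
                    findings.append(f"{top}: '{cmd}' is a policy-group command but sits at context level")
            elif path[1].startswith("policy group "):
                ctx["groups"][path[1].split()[2]].add(cmd)
    for name, ctx in contexts.items():
        cmds = ctx["cmds"]
        for gw in (c.split()[1] for c in cmds if c.startswith("gateway ")):
            if gw not in gateways:               # IOS: 'Configure gateway ... before associating to context'
                findings.append(f"webvpn context {name}: gateway '{gw}' is not defined")
            elif not any(c.startswith("ssl trustpoint ") for c in gateways[gw]):
                findings.append(f"webvpn gateway {gw}: no 'ssl trustpoint', AnyConnect expects a valid certificate")
        if not any(c.startswith("aaa authentication list ") for c in cmds):
            findings.append(f"webvpn context {name}: no 'aaa authentication list' at context level")
        for gname, gcmds in ctx["groups"].items():
            if not gcmds & {"functions svc-enabled", "functions svc-required"}:
                findings.append(f"policy group {gname}: no 'functions svc-enabled'/'svc-required', tunnel mode is off")
    return findings


# Modelled on the working config posted in the thread, with constructed values.
GOOD_CONFIG = """\
webvpn gateway Remote_VPN
 ip interface Ethernet0 port 443
 ssl trustpoint Remote_VPN_Trustpoint
!
webvpn context Remote_VPN
 aaa authentication list VPN_Users
 gateway Remote_VPN
 !
 policy group Remote_VPN
   functions svc-enabled
   svc address-pool "VPN_Users" netmask 255.255.255.0
 default-group-policy Remote_VPN
!
"""

# Reproduces the failure from the thread: 'functions svc-enabled' typed after
# leaving policy-group mode, plus a gateway with no certificate trustpoint.
BAD_CONFIG = """\
webvpn gateway SSLVPN_Gateway
 ip interface GigabitEthernet8 port 443
!
webvpn context SSL_Context
 gateway SSLVPN_Gateway
 aaa authentication list SSLVPN_AAA
 policy group SSL_Policy
   svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
 functions svc-enabled
 default-group-policy SSL_Policy
!
"""

if __name__ == "__main__":
    print(check_webvpn(GOOD_CONFIG), check_webvpn(BAD_CONFIG), sep="\n")
```

Run it against the output of "show running-config | section webvpn" to get the same three findings for the broken layout (command at the wrong level, missing trustpoint, group with no tunnel function) and nothing for the working one; the indentation-based parser is what makes the "dropped out of policy-group mode" mistake visible, since in the saved config that command simply sits one level too high.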


From: AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Chris Jones <chrisj at aprole.com>
Date: Thursday, 16 January 2020 at 8:02 pm
To: Rhys Hanrahan <rhys at nexusone.com.au>
Cc: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] Cisco SSL VPN w AnyConnect on 891-F

Don’t know where the 891s sit, but Cisco has killed AnyConnect on ISRs. It’s now an ASA-only feature.

It’s still supported on 1941-era hardware, but possibly not on more recent code.

Regards,

Chris Jones


On 16 Jan 2020, at 18:53, Rhys Hanrahan <rhys at nexusone.com.au> wrote:
Hi Everyone,

I was hoping that I could find some quick guidance here. We have a customer who has been using Cisco AnyConnect with an ASA. We are deploying a newer Cisco 891F for them, and it seemed like it would be straightforward to set up an SSL VPN on there for use with AnyConnect, and from my reading it seemed like we would at least be able to eval this for a while with no problem. We’re due to cut over tomorrow and I am trying to get AnyConnect working first.

Does anyone know if anything special is required to allow us to configure the WebVPN component on an 891-F?

I am following this guide: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html#anc8

Everything worked as expected up to step 9 – it seems the functions and svc commands for the webvpn policy are missing/incomplete. Unsure if this is a licensing issue, or if I’m using the wrong commands for our IOS version (we’re on IOS 15.7(3)M5).

router(config)#webvpn context SSL_Context
router(config-webvpn-context)#gateway SSLVPN_Gateway
Configure gateway SSLVPN_Gateway using "webvpn gateway" command before associating to context

router(config-webvpn-context)#inservice
router(config-webvpn-context)#policy group SSL_Policy
router(config-webvpn-group)#aaa authentication list SSLVPN_AAA
router(config-webvpn-context)#functions svc-enabled
                                                                  ^
% Invalid input detected at '^' marker.

router(config-webvpn-context)#svc ?
  platform  Client Operating System Type

Appreciate any guidance. Thanks!

Rhys Hanrahan
Chief Information Officer
Nexus One Pty Ltd

E: support at nexusone.com.au
P: +61 2 9191 0606
W: http://www.nexusone.com.au/
M: PO Box A356 Sydney South, NSW 1235
A: Suite 12.03, Level 12, 227 Elizabeth Street, Sydney NSW 2000




_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog

