Cisco Configuration Professional (CCP) Configure IOS SSL VPN (AnyConnect SSL VPN)

8/7/2016

Basic Cisco Configuration Professional (CCP) configuration was covered in an earlier post:
  • Cisco CCP Installation and Basic Configuration
This post demonstrates how to use CCP to configure SSL VPN on an IOS router.

1. Confirm SSL-VPN License Installed

You can review another post regarding how to add a Cisco license to a router.



From Command Line:
VPN-1#show license detail
Index: 1        Feature: NtwkEssSuitek9                    Version: 1.0
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA not accepted
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 8  weeks 4  days
            Period used: 0  minute  0  second
        License Count: Non-Counted
        License Priority: None
        Store Index: 2
        Store Name: Built-In License Storage
Index: 2        Feature: SSL_VPN                           Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Count: 10/0/0  (Active/In-use/Violation)
        License Priority: Medium
        Store Index: 1
        Store Name: Primary License Storage
Index: 3        Feature: datak9                            Version: 1.0
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA not accepted
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 8  weeks 4  days
            Period used: 0  minute  0  second
        License Count: Non-Counted
        License Priority: None
        Store Index: 1
        Store Name: Built-In License Storage
Index: 4        Feature: ios-ips-update                    Version: 1.0
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA not accepted
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 8  weeks 4  days
            Period used: 0  minute  0  second
        License Count: Non-Counted
        License Priority: None
        Store Index: 3
        Store Name: Built-In License Storage
Index: 5        Feature: ipbasek9                          Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
        Store Index: 0
        Store Name: Primary License Storage
Index: 6        Feature: securityk9                        Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
        Store Index: 2
        Store Name: Primary License Storage
Index: 7        Feature: securityk9                        Version: 1.0
        License Type: EvalRightToUse
        License State: Inactive
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 8  weeks 4  days
            Period used: 0  minute  0  second
        License Count: Non-Counted
        License Priority: None
        Store Index: 0
        Store Name: Built-In License Storage
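The same check can be scripted against saved `show license detail` output. The following is an added example, not part of the original post; the function names and the shortened sample text are assumptions built from the output format shown above.

```python
import re

# Constructed excerpt in the format of the `show license detail` output above.
SAMPLE = """\
Index: 1        Feature: NtwkEssSuitek9                    Version: 1.0
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA not accepted
        License Count: Non-Counted
Index: 2        Feature: SSL_VPN                           Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Count: 10/0/0  (Active/In-use/Violation)
"""

def parse_licenses(text):
    """Return {feature: [fields, ...]}; a feature may be listed more than once
    (securityk9 appears twice in the output above)."""
    licenses, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Index:\s*\d+\s+Feature:\s*(\S+)", line.strip())
        if m:
            current = {}
            licenses.setdefault(m.group(1), []).append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return licenses

def ssl_vpn_status(text):
    """Return type, state and seat counts of the first active SSL_VPN entry,
    or None when no active SSL_VPN license is present."""
    for entry in parse_licenses(text).get("SSL_VPN", []):
        state = entry.get("License State", "")
        if not state.startswith("Active"):
            continue  # skip inactive duplicates of the same feature
        m = re.match(r"(\d+)/(\d+)/(\d+)", entry.get("License Count", ""))
        seats = tuple(map(int, m.groups())) if m else None
        return {"type": entry.get("License Type"), "state": state, "seats": seats}
    return None

if __name__ == "__main__":
    print(ssl_vpn_status(SAMPLE))
```

The `seats` tuple follows the Active/In-use/Violation order printed by the router.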



2. Launch SSL-VPN Configuration Wizard

3. Configuration Wizard:
3.1 Configure IP Address and Name


3.2 Configure User Authentication Methods

3.3 Configure IP Address Pool

3.4 SSL VPN Tunnel Interface

3.5 SSL VPN Portal Page

3.6 Summary of the Configuration

SSL VPN Service Name : Rogers-SSL-1
SSL VPN Policy Name : policy_1
SSL VPN Gateway Name : gateway_1

Virtual Template IP Address: Un-numbered to GigabitEthernet0/0

User Authentication Method List :  Local

Intranet websites:  Disabled

Full Tunnel Configuration
 SVC Status : Yes
 IP Address Pool : 192.168.5.0-x
 Split Tunneling : Disabled
 Split DNS : Disabled
 Install Full Tunnel Client : Disabled


Configuration sent to the router:

aaa authentication login ciscocp_vpn_xauth_ml_1 local
ip local pool 192.168.5.0-x 192.168.5.50 192.168.5.200
interface Virtual-Template1
 exit
default interface Virtual-Template1
interface Virtual-Template1
 no shutdown
 ip unnumbered GigabitEthernet0/0
 exit
webvpn gateway gateway_1
 ip address 158.106.98.166 port 443
 http-redirect port 80
 inservice
 ssl trustpoint TP-self-signed-3017776587
 exit
webvpn context Rogers-SSL-1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 virtual-template 1
 max-users 75
 inservice
 secondary-color white
 title-color #669999
 text-color black
 policy group policy_1
  svc keep-client-installed
  functions svc-enabled
  svc address-pool 192.168.5.0-x netmask 255.255.255.255
  exit
 default-group-policy policy_1
 exit



4. Upload AnyConnect 4.x Package
The latest version is 4.3.01095. It can be downloaded from the Cisco website.

The downloaded package can be imported into the router from CCP Configuration - Security - VPN - SSL-VPN - Package:


Check the package from command line:
VPN-1#dir flash:
Directory of usbflash0:/

    1  -rw-    75608148   Jun 3 2016 14:13:10 -04:00  c1900-universalk9-mz.SPA.154-3.M3.bin
    2  -rw-        3066   Jun 3 2016 14:24:04 -04:00  cpconfig-19xx.cfg
    3  -rw-        1160  Jul 24 2016 10:58:00 -04:00  1.lic.txt
    4  drw-           0   Jun 3 2016 14:24:34 -04:00  ccpexp
  374  -rw-       22737   Jun 3 2016 14:27:22 -04:00  home.html
  382  -rw-        1154   Aug 1 2016 10:34:22 -04:00  2.lic
  388  drw-           0   Aug 1 2016 14:56:12 -04:00  webvpn
  395  -rw-    25162392   Aug 1 2016 15:07:34 -04:00  anyconnect-win-4.3.01095-k9.pkg

251371520 bytes total (113504256 bytes free)




5. Verify

Launch the web page from a browser:

After logging in to the SSL VPN service portal, choose Start for Application Access:

Another web page opens and tries to load the AnyConnect Secure Mobility Client. It also provides a link for manual installation of the AnyConnect VPN client that was uploaded to the router in step 4.




The Cisco AnyConnect Secure Mobility Client is launched.




Reference:
  • AnyConnect VPN (SSL) Client on IOS Router with CCP Configuration Example

