05-22-2015 10:27 PM - edited 02-21-2020 08:14 PM
Hello, I am in the process of installing AnyConnect on my 2921 router.
I have come to the step which involves creating a virtual template interface. The reference I am using uses the command 'interface virtual-interface 1'; however, this command is not available on my 2921 running IOS 15.0.
Can someone please advise how I create a virtual interface for AnyConnect on the Cisco 2921 router?
Thank you kindly for any help.
05-23-2015 04:01 AM
The command is "interface Virtual-Template1". Here is an example config:
aaa authentication login VPN local
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ip virtual-reassembly in
!
webvpn gateway VPN
 ip address 192.0.2.1 port 443
 http-redirect port 80
 ssl trustpoint SSL-VPN-2015
 inservice
!
webvpn context CTX1
 virtual-template 1
 aaa authentication list VPN
 !
 ssl authenticate verify all
 inservice
 !
 policy group USER
   functions svc-enabled
   svc address-pool "VPN-ADMIN-POOL" netmask 255.255.255.255
   svc dpd-interval client 30
   svc dpd-interval gateway 30
   svc split dns "example.net"
   svc split include 10.10.10.0 255.255.255.0
 default-group-policy USER
05-23-2015 04:07 PM
Hello Karsten, thank you very much for that help. However, I still cannot get AnyConnect to work.
Can anyone see what I am doing wrong?
I can connect to my Cisco 2921 https server and initiate a secure connection; however, then I get:
Page cannot be displayed:
Technical Information (for support personnel)
Here is my config:
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 128000 informational
logging rate-limit 50
no logging console
enable secret 4 xxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
aaa authentication login sslvpn local
!
aaa session-id common
clock timezone NZST 12 0
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
!
ip cef
!
ip flow-cache timeout active 1
no ip domain lookup
ip domain name xxxxx
ip inspect udp idle-time 120
ip inspect name IN tcp
ip inspect name IN udp
ip inspect name IN icmp
ip inspect name IN ftp
ip inspect name IN dns
ip inspect name IN ntp
ip inspect name OUT ftp
ip inspect name OUT tcp
ip inspect name OUT dns
ip inspect name OUT udp
ip inspect name OUT icmp
ip inspect name OUT ntp
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki trustpoint my-trustpoint
 enrollment selfsigned
 serial-number
 subject-name CN=firewallcx-certificate
 revocation-check crl
 rsakeypair my-rsa-keys
!
crypto pki certificate chain my-trustpoint
 certificate self-signed 01
  30820289 308201F2 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  xxxxxxxxxx
  quit
license udi pid CISCO2921/K9 sn FGL18101098
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
object-group service EVERYONE
 tcp eq ftp
 tcp eq ftp-data
!
object-group service LYNC
 tcp range 50040 50059
 tcp eq 5223
 udp range 50000 50039
 tcp eq 5721
 icmp
 udp eq 3478
!
object-group network OFFICE365-SERVERS
 x
!
object-group network SERVERS
 range xxx
!
username xxx secret 4 xxxxxxxxx
username xxx
username xxx
username remote-vpn secret 4 xxxxxxxx
!
redundancy
!
ip ssh logging events
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
crypto isakmp keepalive 10
!
crypto ipsec client ezvpn ez
 connect auto
 group ROSEBANK-UFB key xxxx
 local-address GigabitEthernet0/0
 mode network-extension
 peer xxxxx
 username xxxxxxx
 xauth userid mode local
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description INTERNET-SNAP-UFB
 ip address 123.255.x.x 255.255.255.254
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect IN in
 ip inspect OUT out
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto ipsec client ezvpn ez
!
interface GigabitEthernet0/1
 description xxxxx
 ip address x.x.x.x
 ip access-group INSIDE in
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect IN in
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto ipsec client ezvpn ez inside
!
interface GigabitEthernet0/1.25
 encapsulation dot1Q 25
 ip address xxxxxxxx
 ip access-group MNZ_WLAN in
 ip helper-address xx.x.xx
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect IN in
 ip virtual-reassembly in
!
interface GigabitEthernet0/2
 description ROUTED DMZ VLAN55
 ip address xxxxxx
 ip access-group DMZ in
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect IN in
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip address 10.1.20.1 255.255.255.0
!
router bgp 65414
 bgp router-id x.x.x.x
 bgp log-neighbor-changes
 neighbor x.x.x.x remote-as 65414
 neighbor x.x.x.x timers 10 30
 !
 address-family ipv4
  network xxxx
  maximum-paths 4
  auto-summary
 exit-address-family
!
ip local pool webvpn-pool 10.1.20.2 10.1.20.254
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint my-trustpoint
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export version 5 origin-as
ip flow-export destination x.x.x.x
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip nat inside source list NAT_ALLOWED interface GigabitEthernet0/0 overload
ip nat inside source static tcp x.x.x.x extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.x permanent
!
logging history size 250
logging history errors
logging trap notifications
logging origin-id hostname
logging facility local6
logging host x.x.x.x
snmp-server community ssdc-customer RO 11
snmp-server ifindex persist
snmp-server enable traps entity-sensor threshold
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 xxxxxx
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 9 in
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp server x.x.x.x
!
webvpn gateway Cisco-WebVPN-Gateway
 ip address 123.255.x.x port 443
 http-redirect port 80
 ssl encryption rc4-md5
 ssl trustpoint my-trustpoint
 inservice
!
webvpn gateway Methven-AnyConnect-Gateway
 ssl trustpoint my-trustpoint
 no inservice
!
webvpn context Cisco-WebVPN
 title "Methven AnyConnect VPN"
 !
 acl "ssl-acl"
   permit ip 10.1.20.0 255.255.255.0 x.x.x.x 255.255.255.0
 login-message "WebVPN login"
 virtual-template 1
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 !
 ssl authenticate verify all
 !
 url-list "rewrite"
 inservice
 !
 policy group webvpnpolicy
   functions svc-enabled
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include 10.1.20.0 255.255.255.0
 default-group-policy webvpnpolicy
!
end
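The webvpn pieces in Karsten's example and in the posted config have to line up with each other: the context names a gateway, a virtual-template number, an AAA list and an address pool, and each of those must exist and be in service. As an added example (my own code, not from this thread and not a Cisco tool), the script below parses an IOS running-config into its top-level blocks and reports references that do not resolve, plus two settings a reviewer would look at: a weak `ssl encryption` suite such as rc4-md5, and a gateway on port 443 while `ip http secure-server` is still on its default port. The sample config is constructed with placeholder addresses and a deliberately misspelt pool name; the cipher word list and the 443 heuristic are my own assumptions.

```python
"""Cross-reference checks for an IOS SSL VPN (webvpn / AnyConnect) config.

Added example, not from the thread or from Cisco. Parses a config into
top-level blocks and reports unresolved references and risky settings.
"""
import re

# Constructed sample modelled on the thread's config, with placeholder
# addresses and a misspelt pool name ("webvpn-poo1") to exercise the checks.
SAMPLE_CONFIG = """\
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
!
interface Virtual-Template1
 ip address 10.1.20.1 255.255.255.0
!
ip local pool webvpn-pool 10.1.20.2 10.1.20.254
ip http secure-server
!
webvpn gateway Cisco-WebVPN-Gateway
 ip address 192.0.2.1 port 443
 http-redirect port 80
 ssl encryption rc4-md5
 ssl trustpoint my-trustpoint
 inservice
!
webvpn context Cisco-WebVPN
 virtual-template 1
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 inservice
 policy group webvpnpolicy
   functions svc-enabled
   svc address-pool "webvpn-poo1" netmask 255.255.255.0
 default-group-policy webvpnpolicy
!
"""

WEAK_CIPHER_WORDS = ("rc4", "md5", "des")  # assumption: "des" also catches 3des


def parse_blocks(config):
    """Split a config into (header, [child lines]) pairs.

    A non-indented line starts a block; indented lines of any depth are
    attached to the most recent header. '!' and blank lines are dropped.
    """
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def check_sslvpn(config):
    """Return human-readable findings; an empty list means everything resolves."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings = []

    gateways = {h.split()[2]: kids for h, kids in blocks if h.startswith("webvpn gateway ")}
    contexts = {h.split()[2]: kids for h, kids in blocks if h.startswith("webvpn context ")}
    vtemplates = {h.split()[1].lower() for h in headers
                  if h.lower().startswith("interface virtual-template")}
    pools = {h.split()[3] for h in headers if h.startswith("ip local pool ")}
    svc_pkg = any(h.startswith("crypto vpn anyconnect ") for h in headers)
    # Assumption: the IOS HTTPS server listens on 443 unless secure-port moves it.
    https_on_443 = ("ip http secure-server" in headers
                    and not any(h.startswith("ip http secure-port ") for h in headers))

    for name, kids in gateways.items():
        for k in kids:
            if k.startswith("ssl encryption") and any(w in k.lower() for w in WEAK_CIPHER_WORDS):
                findings.append(f"gateway {name}: weak cipher suite '{k}'")
            if k.startswith("ip address ") and k.endswith(" port 443") and https_on_443:
                findings.append(f"gateway {name}: port 443 is also the HTTPS server's "
                                "default port; check for a listener clash")

    for name, kids in contexts.items():
        if "inservice" not in kids:
            findings.append(f"context {name}: missing 'inservice'")
        gw = next((k.split()[1] for k in kids if k.startswith("gateway ")), None)
        if gw is None:
            findings.append(f"context {name}: no gateway attached")
        elif gw not in gateways:
            findings.append(f"context {name}: gateway '{gw}' is not defined")
        elif "inservice" not in gateways[gw]:
            findings.append(f"context {name}: gateway '{gw}' is not inservice")
        vt = next((k.split()[1] for k in kids if k.startswith("virtual-template ")), None)
        if vt is not None and f"virtual-template{vt}" not in vtemplates:
            findings.append(f"context {name}: interface Virtual-Template{vt} does not exist")
        if "functions svc-enabled" in kids and not svc_pkg:
            findings.append(f"context {name}: svc-enabled but no 'crypto vpn anyconnect' package")
        for k in kids:
            m = re.match(r'svc address-pool "?([^" ]+)"?', k)
            if m and m.group(1) not in pools:
                findings.append(f"context {name}: address pool '{m.group(1)}' has no 'ip local pool'")
    return findings


if __name__ == "__main__":
    for finding in check_sslvpn(SAMPLE_CONFIG):
        print(finding)
```

Run it against a `show running-config` saved to a file by passing the file's text to `check_sslvpn`; the three findings it prints for the constructed sample (the 443 clash, the rc4-md5 suite and the missing pool) disappear once those three lines are corrected, which is the quickest way to confirm the config matches the structure of Karsten's example before looking at the AnyConnect client logs.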