05-16-2014 07:16 AM
I want to create an SSL VPN on a Cisco 881 (version 15.4) that will work with the AnyConnect client. I try to upload the anyconnect-win-3.1.05160-k9.pkg and install it, but I get the error "You have entered an invalid full tunnel client package. Please specify a valid file". I have a feeling that this version of AnyConnect isn't compatible with version 15.4 of the 881, but I don't have a support contract to upgrade the 881 to the latest version.
What version of AnyConnect should I be using?
Also, when I set up an SSL VPN on an ASA 5510 a few years ago I remember I needed to buy an extra license so that AnyConnect would work with the ASA. Do I still need to do this for the 881?
Thanks.
05-16-2014 10:28 AM
So you've copied the pkg file and are trying to use the "crypto vpn anyconnect <filename>" command?
That is supported from 15.2(1)T per the command reference.
The IOS SSL VPN is generally used in clientless mode which requires both the SEC and SSLVPN feature license on the ISR G2 family. That doesn't require AnyConnect.
An IKEv2 IPsec VPN can be used with AnyConnect. I believe the SEC license suffices in that case.
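As an added example (not part of the reply above), this is the CLI path for the package step the reply refers to, bypassing CCP entirely: copy the pkg to flash, check its integrity before installing it, register it with "crypto vpn anyconnect", and then confirm both the package and the feature licenses. The TFTP server address 192.0.2.10 and the hostname prompt are assumptions; compare the MD5 that "verify" prints against the one published on the Cisco download page rather than against anything shown here, since a package that was damaged in transfer (for example copied in ASCII mode) is one thing to rule out when the router rejects it as invalid.

```ios
! Added example, not from the original thread. Assumes the pkg sits on a
! TFTP server at 192.0.2.10 (assumed address) and the router is the 881
! running 15.4 discussed in the thread.
Cisco881# copy tftp://192.0.2.10/anyconnect-win-3.1.05160-k9.pkg flash:
Cisco881# verify /md5 flash:anyconnect-win-3.1.05160-k9.pkg
! ... compare the printed digest with the one on the Cisco download page ...
Cisco881# configure terminal
Cisco881(config)# crypto vpn anyconnect flash:/anyconnect-win-3.1.05160-k9.pkg sequence 1
Cisco881(config)# end
! The package must show up here before an AnyConnect tunnel can be built:
Cisco881# show webvpn install status svc
! Feature licenses actually enabled on the box (securityk9 / SSL_VPN etc.):
Cisco881# show license feature
Cisco881# show version | include License
```

If "crypto vpn anyconnect" is not accepted, the image is older than the 15.2(1)T the reply mentions; if the package installs but "show license feature" shows the SSL VPN feature as not enabled, the gateway will not come up regardless of the package.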
05-16-2014 10:37 AM
I'm using CCP to upload and install the package, that's when I get the error message.
The licenses I have installed on the 881 are:
Advipservices
Advsecurity
The advsecurity license states that it is not deployed and that it is active, but not in use.
Are these licenses enough to do what I want?
Do I even need to install the .pkg file if the clients who will be using the VPN already have the AnyConnect client software installed on them?
05-16-2014 11:00 AM
CCP lags behind what you can do with the ISR G2. Also, they only build in the most commonly deployed scenarios. AnyConnect client-based IPsec VPN is not among the CCP-supported configurations.
For AnyConnect SSL VPN, CCP should give you an indicator as to whether or not your router supports AnyConnect; you should be able to add packages via the Configure > Security > VPN > SSL VPN > Packages screen. As you note, deploying the package from the router is not required. They can be manually deployed or sent out separately via a 3rd party software delivery tool.
05-16-2014 12:45 PM
I won't bother with trying to upload the package then. All the clients who will be using it already have AnyConnect installed on their computers.
I went ahead and created the SSL VPN but I couldn't connect. Here is my config:
Building configuration...
Current configuration : 10075 bytes
!
! Last configuration change at 18:58:18 UTC Fri May 16 2014 by admin
!
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco881
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-350405548
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-350405548
revocation-check none
rsakeypair TP-self-signed-350405548
!
!
crypto pki certificate chain TP-self-signed-350405548
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33353034 30353534 38301E17 0D313430 34303632 32313534
325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3335 30343035
35343830 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
96BD1C8D 19D75452 CC1AA424 8B2E02F6 90B3DD06 7AF25293 E31BE71D E5D178D1
8B52CC44 60859F76 6B1CCA7C 99DC5C99 31C3F0F9 7F561620 BBCA5F1A CF7AE4E2
65062E3E 458F2883 7E738649 5F9B44FF 109AB9D8 4A708DD1 60943813 EA1889E1
9839AE0A 96BB78AC 68D87FC8 46D171F3 B266DE5C C52DD80C AD470F7C 9296E91D
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 16801426 8F229D22 43E6574C DA95AE99 932C0F05 81395430 1D060355
1D0E0416 0414268F 229D2243 E6574CDA 95AE9993 2C0F0581 3954300D 06092A86
4886F70D 01010505 00038181 00399765 8803B99F B8F1889A 7B59989E 4432296D
3505CB8C 0E3D1659 5198E653 E2A35C77 6DB46CC9 63BB12AA 9B8B1023 97B770EE
E48D3635 C344EDC8 BBD018DE 42708920 7AFDEF84 5EF9BB47 8855B6FE CB41588C
BEF59FC3 134179CB 837D5846 702E0394 2B139C6F 2239CFE5 CA6FF509 6DCFA4CA
015BD765 C5A9ABB4 0B20B721 2D
quit
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
!
!
!
no ip domain lookup
ip domain name
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FGL171923S0
!
!
username **** privilege 15 secret 4 lYvhHsFV7A5BvGuqvsNLuxtcA5voCJ5VRI2GIs3zEbU
username ***** secret 5 $1$/IF.$/CArlmMtxGo7qUAmqsMdO0
!
!
!
!
no cdp run
!
!
class-map type inspect match-all CCP_SSLVPN
match access-group name SDM_IP
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 101
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
!
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-h323-inspect
inspect
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
policy-map type inspect ccp-permit
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security in-zone
zone security ezvpn-zone
zone security out-zone
zone security sslvpn-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-ezvpn-zone-sslvpn-zone source ezvpn-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-ezvpn-zone source sslvpn-zone destination ezvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
service-policy type inspect ccp-sslvpn-pol
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key *********
pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address 184.71.**.** 255.255.255.252
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
zone-member security sslvpn-zone
!
interface Vlan1
description $ETH_LAN$$FW_INSIDE$
ip address 192.168.3.253 255.255.254.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.254.250 192.168.254.254
ip local pool VPN_Pool 192.168.254.50 192.168.254.60
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 192.168.4.0 255.255.254.0 Vlan1
ip route 192.168.6.0 255.255.254.0 Vlan1
ip route 192.168.8.0 255.255.254.0 Vlan1
ip route 192.168.10.0 255.255.254.0 Vlan1 192.168.3.254
ip route 192.168.12.0 255.255.254.0 Vlan1 192.168.3.254
ip route 192.168.14.0 255.255.254.0 Vlan1 192.168.3.254
ip route 192.168.16.0 255.255.254.0 Vlan1 192.168.3.254
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443
!
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 184.71.34.32 0.0.0.3 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any host 184.71.**.**
access-list 199 permit ip any any
!
!
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
!
!
!
webvpn gateway gateway_1
ip address 184.71.**.** port 443
http-redirect port 80
ssl trustpoint TP-self-signed-350405548
inservice
!
webvpn context LethVPN
secondary-color white
title-color #669999
text-color black
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway gateway_1
!
ssl authenticate verify all
inservice
!
policy group policy_1
functions svc-enabled
svc address-pool "VPN_Pool" netmask 255.255.255.255
svc keep-client-installed
svc split include 192.168.2.0 255.255.254.0
svc dns-server primary 192.168.2.2
default-group-policy policy_1
!
end
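An added note and example, not part of the post above. Two things stand out in the posted configuration: interface Virtual-Template1 is placed in sslvpn-zone, but the "webvpn context LethVPN" block never references it with "virtual-template 1", so AnyConnect sessions have no tunnel interface to terminate on; and no "crypto vpn anyconnect" package is installed, which the IOS gateway needs for an SVC (AnyConnect) tunnel even when the client is already on the workstations. The fragment below repeats the context with that binding added, followed by the exec-mode checks to run during a connection attempt; the package path is the one from the thread and is assumed to have been installed already.

```ios
! Added example, not the poster's configuration. Assumes the package was
! registered first with:
!   crypto vpn anyconnect flash:/anyconnect-win-3.1.05160-k9.pkg sequence 1
webvpn context LethVPN
 aaa authentication list ciscocp_vpn_xauth_ml_2
 gateway gateway_1
 ! bind the tunnel interface that is already a member of sslvpn-zone
 virtual-template 1
 ssl authenticate verify all
 inservice
 !
 policy group policy_1
  functions svc-enabled
  svc address-pool "VPN_Pool" netmask 255.255.255.255
  svc keep-client-installed
  svc split include 192.168.2.0 255.255.254.0
  svc dns-server primary 192.168.2.2
 default-group-policy policy_1
!
! Checks, exec mode, while a client is connecting:
! show webvpn install status svc      package must be listed
! show webvpn gateway gateway_1       gateway state must be "inservice"
! show webvpn context LethVPN         context state and virtual-template binding
! show webvpn session context all     active AnyConnect sessions and assigned addresses
! debug webvpn svc                    tunnel negotiation, turn off afterwards
```

Two practitioner caveats drawn from the config as posted, not from anything else: the LAN's other subnets are reached via 192.168.3.254 and the pool 192.168.254.50-60 is outside the 192.168.2.0/23 VLAN, so if 192.168.3.254 is also the hosts' default gateway it needs a route for 192.168.254.0/24 pointing back at 192.168.3.253, or client packets will reach the LAN and the replies will not come back. Separately, the vty lines still accept telnet (and vty 0 4 has no access-class), the remaining ISAKMP policy is 3DES with DH group 2, and the gateway presents a self-signed certificate, so AnyConnect users will see an untrusted-certificate warning on every connection until a CA-issued certificate is assigned to the trustpoint.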