05-27-2024 03:11 PM - edited 05-27-2024 03:13 PM
We are planning to get remote access connectivity but we are having this issue. Currently we are using a Cisco ISR 4661 with a securityk9 evaluation license. After configuring the SSL VPN, we get:
-The router works as a trusted CA, and a local certificate is created.
-Since the webvpn commands don't appear in the CLI, we used the crypto ssl options.
boot system bootflash:isr4400v2-universalk9.17.07.01a.SPA.bin
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
crypto pki server CA
no database archive
issuer-name CN=CA-ISR.mmm.sd
grant auto
!
crypto pki trustpoint LOCAL-CA
enrollment url http://our-public-ip:80
serial-number
ip-address our-public-ip
revocation-check none
!
crypto ssl proposal ssl-proposal
protection rsa-3des-ede-sha1 rsa-aes128-sha1
!
crypto ssl authorization policy ssl-auth-polict
rekey time 1110
client profile ssl-isr
mtu 1000
module gina
keepalive 500
dpd-interval client 1000
netmask 255.255.255.0
pool SSLVPN_POOL
dns 8.8.8.8
banner SSL-VPN
route set access-list NET
timeout disconnect 10000
!
crypto ssl policy ssl-policy
ssl proposal ssl-proposal
pki trustpoint LOCAL-CA sign
ip address local our-public-ip port 443
!
crypto ssl profile ssl-profile
match policy ssl-policy
aaa authentication user-pass list default
aaa authorization user user-pass list sslvpn
aaa accounting user-pass list sslvpn
authentication remote user-pass
virtual-template 2
!Profile Incomplete (MUST have a policy matched and ssl authorization policy configured)
!
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.6.04056-webdeploy-k9.pkg sequence 1
!
crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
crypto vpn anyconnect profile ssl-isr bootflash:/ssl-isr.xml
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0.1
description ***ISP***
encapsulation dot1Q xx
ip address our-public-ip 255.255.255.240
ip nat outside
crypto map VPN
interface Virtual-Template2 type vpn
ip unnumbered GigabitEthernet0/0/0.1
ip mtu 1400
ip tcp adjust-mss 1300
!
interface Vlan1
no ip address
!
ip local pool SSLVPN_POOL 172.250.250.1 172.250.250.200
no ip http server
no ip http secure-server
ip forward-protocol nd
!
ip access-list extended NET
10 permit ip host 10.10.10.10 any
20 permit ip host 10.20.10.17 any
!
!
!
-When trying to connect with AnyConnect, it accepts the user and the password and then gives the pop-up messages. The router log shows:
*May 17 08:39:06.466: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: ssl-profile vw_gw: ssl-policy remote_ip: xx.xx.137.32 user_name: syber, Authentication successful, user logged in
*May 17 08:39:15.507: %SSLVPN-5-SESSION_TERMINATE: vw_ctx: ssl-profile vw_gw: ssl-policy remote_ip: xx.xx.137.32 user_name: xxxxx-local-user reason: session expired
*May 17 08:43:30.703: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: ssl-profile vw_gw: ssl-policy remote_ip: xx.xx.137.32 user_name: xxxxx-local-user, Authentication successful, user logged in
*May 17 08:43:39.812: %SSLVPN-5-SESSION_TERMINATE: vw_ctx: ssl-profile vw_gw: ssl-policy remote_ip: xx.xx.137.32 user_name: xxxxx-local-user reason: session expired
*May 17 08:51:02.179: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: ssl-profile vw_gw: ssl-policy remote_ip: xx.xx.137.32 user_name: xxxxx-local-user, Authentication successful, user logged in
Any help will be appreciated.
05-28-2024 05:19 AM - edited 05-28-2024 05:20 AM
The issue was solved by editing the authorization part of the SSL profile as follows:
#crypto ssl profile ssl-profile
#aaa authorization user user-pass list default ssl-auth-polict
https://www.cisco.com/c/en/us/support/docs/security/ios-ssl-vpn/220267-configure-anyconnect-ssl-vpn-for-isr4k-w.html
thanks for helping
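A check for the gap the accepted solution closes, added here as an example (it is not code from the thread and not a Cisco tool): it reads the `crypto ssl` blocks of a running-config and reports a profile whose `aaa authorization user user-pass list <aaa-list> <policy>` line lacks the trailing `<policy>`, which is what the router prints as `!Profile Incomplete`. It also flags the legacy suites in the posted proposal (3DES is subject to Sweet32; SHA-1 CBC suites are legacy). The sample configs are constructed from the config posted in the question, with the documentation address 192.0.2.10 standing in for the public IP; the check assumes only the `list <aaa-list> <policy>` form of the authorization line, the form used in the fix.

```python
"""Lint IOS-XE 'crypto ssl' blocks for an incomplete SSL profile (added example)."""
import re

BLOCK_HEADERS = (
    "crypto ssl proposal ",
    "crypto ssl authorization policy ",
    "crypto ssl policy ",
    "crypto ssl profile ",
)
# Suite-name fragments treated as legacy: 3DES (Sweet32), RC4/MD5 (broken),
# SHA-1 CBC suites (prefer AES-GCM/SHA-2 where the platform offers them).
LEGACY_TOKENS = ("3des", "rc4", "md5", "sha1")
# Assumption: only the 'list <aaa-list> <policy>' form is recognised.
AUTHZ_RE = re.compile(r"^aaa authorization user \S+ list (\S+)(?: (\S+))?$")


def parse_ssl_blocks(config):
    """Return {header line: [member lines]}. IOS-XE prints '!' after each
    block, so a block runs from its header to the next '!'; that still works
    when a pasted config has lost its indentation."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith(BLOCK_HEADERS):
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def lint(config):
    """Return a list of (block header, finding) tuples."""
    blocks = parse_ssl_blocks(config)
    kind = "crypto ssl authorization policy "
    authz_policies = {h[len(kind):] for h in blocks if h.startswith(kind)}
    findings = []
    for header, members in blocks.items():
        if header.startswith("crypto ssl proposal "):
            for m in members:
                if m.startswith("protection "):
                    for suite in m.split()[1:]:
                        if any(t in suite for t in LEGACY_TOKENS):
                            findings.append((header, f"legacy suite {suite}"))
        elif header.startswith("crypto ssl profile "):
            if not any(m.startswith("match policy ") for m in members):
                findings.append((header, "no 'match policy'"))
            policy_ref = None
            for m in members:
                mo = AUTHZ_RE.match(m)
                if mo:
                    policy_ref = mo.group(2)  # None when the trailing arg is absent
            if policy_ref is None:
                findings.append((header, "no ssl authorization policy referenced"))
            elif policy_ref not in authz_policies:
                findings.append((header, f"unknown authorization policy {policy_ref}"))
    return findings


def profiles_missing_authz_policy(config):
    """Profile names the router would report as incomplete for this reason."""
    return [h.split()[-1] for h, msg in lint(config)
            if msg == "no ssl authorization policy referenced"]


# Constructed from the thread's posted config (192.0.2.10 is a placeholder).
BEFORE_CONFIG = """\
crypto ssl proposal ssl-proposal
 protection rsa-3des-ede-sha1 rsa-aes128-sha1
!
crypto ssl authorization policy ssl-auth-polict
 pool SSLVPN_POOL
 dns 8.8.8.8
 route set access-list NET
!
crypto ssl policy ssl-policy
 ssl proposal ssl-proposal
 pki trustpoint LOCAL-CA sign
 ip address local 192.0.2.10 port 443
!
crypto ssl profile ssl-profile
 match policy ssl-policy
 aaa authentication user-pass list default
 aaa authorization user user-pass list sslvpn
 aaa accounting user-pass list sslvpn
 authentication remote user-pass
 virtual-template 2
!
"""
# The same config with the accepted solution's authorization line.
AFTER_CONFIG = BEFORE_CONFIG.replace(
    "aaa authorization user user-pass list sslvpn",
    "aaa authorization user user-pass list default ssl-auth-polict",
)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, "incomplete profiles:", profiles_missing_authz_policy(cfg))
        for header, msg in lint(cfg):
            print(f"  {header}: {msg}")
```

Run against a `show running-config | section crypto ssl` capture: the incomplete-profile finding disappears once the trailing policy name is present, while the legacy-suite findings remain until the proposal is changed, which is a separate decision from the connectivity fix.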
05-27-2024 03:31 PM
05-28-2024 02:11 AM
None of the webvpn gateway commands are available.
05-27-2024 11:38 PM
-Since the webvpn commands don't appear in the CLI, we used the crypto ssl options.
Which webvpn commands were not found? Can you provide what license you are using?
SSL VPN should work since you are using 17.7.x code.
05-28-2024 02:13 AM
All of them,
webvpn gateway SSLVPN_GATEWAY
webvpn context SSLVPN_CONTEXT
policy group SSLVPN_POLICY