Cisco AnyConnect Secure Mobility Client v2.x Technical Manual

AnyConnect headend, as well as the SSL encryption algorithm and PKI certificate which will be
presented to the clients. By default, the Gateway will support all possible encryption algorithms,
which vary depending on the IOS version on the router.
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Virtual-Template 1
 ip unnumbered Loopback0
Step 9. Configure WebVPN Context and Group Policy
The WebVPN Context and Group Policy define additional parameters used for the
AnyConnect client connection. For a basic AnyConnect configuration, the Context simply
serves as the mechanism that calls the default Group Policy used for AnyConnect.
However, the Context can also be used to further customize the WebVPN splash page and
WebVPN operation. In the defined Policy Group, the SSLVPN_AAA list is configured as the AAA
authentication list that the users are members of. The functions svc-enabled command is the
piece of configuration that allows users to connect with the AnyConnect SSL VPN Client rather
than just WebVPN through a browser. Lastly, the additional SVC commands define parameters
that are relevant only to SVC connections: svc address-pool tells the Gateway to hand out
addresses in the ACPool to the clients, svc split include defines the split tunnel policy per ACL 1
defined above, and svc dns-server defines the DNS server that will be used for domain name
resolution. With this configuration, all DNS queries are sent to the specified DNS server. The
address received in the query response dictates whether or not the traffic is sent
across the tunnel.
webvpn context SSL_Context
 gateway SSLVPN_Gateway
 inservice
 policy group SSL_Policy
  aaa authentication list SSLVPN_AAA
  functions svc-enabled
  svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
  svc split include acl 1
  svc dns-server primary 8.8.8.8
 virtual-template 1
 default-group-policy SSL_Policy
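The split-tunnel decision described in Step 9, modelled as an added example (not part of the Cisco document): it reads the ACL referenced by svc split include and reports whether a resolved address is sent across the tunnel or directly. The ACL 1 entries, host names, addresses and function names are constructed for illustration, since the page's own ACL 1 is defined in an earlier step not shown here; only the destination-address match is modelled, not the client's implementation.

```python
import ipaddress
import re

# Constructed sample: the policy group lines from this page plus a hypothetical
# ACL 1 (the page's own ACL 1 is defined in an earlier step not shown here).
SAMPLE_CONFIG = """\
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit host 10.10.10.5
access-list 1 permit 172.16.50.0 0.0.0.255
webvpn context SSL_Context
 policy group SSL_Policy
   svc split include acl 1
   svc dns-server primary 8.8.8.8
"""

def acl_entry_to_network(entry):
    """Convert 'ADDR WILDCARD', 'host ADDR' or bare 'ADDR' to an IPv4 network."""
    parts = entry.split()
    if parts[0] == "host":
        parts = [parts[1]]
    addr = int(ipaddress.IPv4Address(parts[0]))
    wild = int(ipaddress.IPv4Address(parts[1])) if len(parts) > 1 else 0
    if wild & (wild + 1):  # wildcard must be contiguous low-order ones
        raise ValueError(f"non-contiguous wildcard mask: {entry}")
    prefix = 32 - wild.bit_length()
    return ipaddress.ip_network((addr & ~wild & 0xFFFFFFFF, prefix))

def split_include_networks(config):
    """Networks permitted by the ACL referenced in 'svc split include acl N'."""
    ref = re.search(r"^\s*svc split include acl (\S+)", config, re.M)
    if ref is None:
        return []
    pattern = rf"^access-list {re.escape(ref.group(1))} permit (.+)$"
    return [acl_entry_to_network(e) for e in re.findall(pattern, config, re.M)]

def path_for(address, networks):
    """'tunnel' if the resolved address matches the split include list."""
    ip = ipaddress.ip_address(address)
    return "tunnel" if any(ip in net for net in networks) else "direct"

if __name__ == "__main__":
    nets = split_include_networks(SAMPLE_CONFIG)
    # Constructed name-to-address answers, as a DNS response might return them.
    for name, addr in [("intranet.example", "192.168.20.7"),
                       ("www.example", "203.0.113.10")]:
        print(f"{name} -> {addr}: {path_for(addr, nets)}")
```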
Step 10 (Optional). Configure a Client Profile
Unlike ASAs, Cisco IOS does not have a built-in GUI that can assist admins in
creating the client profile. The AnyConnect client profile needs to be created/edited separately
with the 
.
Tip: Look for anyconnect-profileeditor-win-3.1.03103-k9.exe
Follow these steps to have the Router deploy the profile:
1. Upload it to IOS Flash using ftp/tftp.
2. Use this command to identify the profile that was just uploaded:
webvpn context SSL_Context
 gateway SSLVPN_Gateway
 inservice
 policy group SSL_Policy