Cisco AnyConnect Secure Mobility Client v2.x Technical Manual

enter in the CN, it helps reduce the number of certificate errors that are prompted at login.
Note: Rather than using a self-signed certificate generated by the router, it is possible to use
a certificate issued by a third-party CA. This can be done via a few different methods as
discussed in this document.
After the trustpoint has been correctly defined, the router must generate the certificate by using the
crypto pki enroll command. With this process, it is possible to specify a few other parameters
such as serial number and IP address. However, this is not required. The certificate generation
can be confirmed with the show crypto pki certificates command.
Step 5. Configure Local VPN User Accounts
While it is possible to use an external Authentication, Authorization, and Accounting (AAA) server,
for this example local authentication is used. These commands create a user named VPNUSER
and an AAA authentication list named SSLVPN_AAA.
Step 6. Define Address Pool and Split Tunnel Access List to be Used by Clients
A local IP address pool must be created in order for AnyConnect client adapters to obtain an IP
address. Ensure you configure a large enough pool to support the maximum number of
simultaneous AnyConnect client connections.
By default, AnyConnect will operate in full tunnel mode which means that any traffic generated by
the client machine will be sent across the tunnel. As this is typically not desirable, it is possible to
configure an Access Control List (ACL) which then defines traffic which should or should not be
sent across the tunnel. As with other ACL implementations, the implicit deny at the end eliminates
the need for an explicit deny; therefore, it is only necessary to configure permit statements for the
traffic which should be tunneled.
Step 7. Configure the Virtual-Template Interface (VTI)
Dynamic Virtual Tunnel Interfaces (DVTIs) provide an on-demand, separate Virtual-Access interface
for each VPN session, which allows highly secure and scalable connectivity for remote-access VPNs.
The DVTI technology replaces dynamic crypto maps and the dynamic hub-and-spoke method used to
establish tunnels. Because DVTIs function like any other real interface, they allow for more complex
Remote Access deployments: they support QoS, firewall, per-user attributes and other security
services as soon as the tunnel is active.
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Virtual-Template 1
 ip unnumbered Loopback0
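Steps 4 through 7 above are pieces of one IOS configuration, so here they are collected into a single listing. This is an added example, not the original document's own listing: the trustpoint name SSLVPN_TP, the pool name SSLVPN_POOL, access-list 1, the address ranges and the password value are assumed placeholders, while VPNUSER, SSLVPN_AAA and the Loopback0 / Virtual-Template 1 lines are taken from the page.

```cisco
! Added example (not the original document's listing). Assumed names:
! SSLVPN_TP (trustpoint defined earlier in Step 4), SSLVPN_POOL, access-list 1,
! the 192.168.10.0/24 and 10.0.0.0/24 ranges, and the placeholder password.
!
! Step 4 - generate the router certificate for the already-defined trustpoint.
! The enroll dialog offers to add a serial number and IP address; both are optional.
crypto pki enroll SSLVPN_TP
!
! Step 5 - local user and the AAA login list the SSL VPN will reference
aaa new-model
aaa authentication login SSLVPN_AAA local
! "secret" stores a one-way hash; "password" would store a reversible type 7 string
username VPNUSER secret REPLACE_WITH_STRONG_PASSWORD
!
! Step 6 - client address pool and split-tunnel ACL
! Size the pool for the peak number of concurrent AnyConnect sessions.
ip local pool SSLVPN_POOL 192.168.10.1 192.168.10.254
! Permit only the internal prefixes that should be tunneled; the implicit deny at
! the end of the ACL keeps all other client traffic out of the tunnel, so no
! explicit deny entry is needed.
access-list 1 permit 10.0.0.0 0.0.0.255
!
! Step 7 - DVTI: every session gets its own Virtual-Access interface cloned
! from this template, so per-user ACL, QoS and firewall policy can apply to it.
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Virtual-Template 1
 ip unnumbered Loopback0
!
! Verification (exec mode):
!   show crypto pki certificates   - confirms the certificate was generated
!   show ip local pool SSLVPN_POOL - shows free and used addresses in the pool
```

The pool and the ACL are only definitions at this point; they take effect once the WebVPN policy group references them (in IOS, the svc address-pool and svc split include settings), which belongs to the steps that follow the gateway configuration begun in Step 8.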
Step 8. Configure WebVPN Gateway
The WebVPN Gateway is what defines the IP address and port(s) which will be used by the