How to Configure SSLVPN on Cisco CSR1000V (Cloud Services Router 1000V)?
How do you configure a Cisco CSR1000V router to terminate AnyConnect client-based connections? Namita Sharma (a volunteer in the Cisco Support Community) shared a guide to configuring a Cisco CSR1000V router for this. What do you need to prepare before the configuration, and what are the detailed steps? Let's see…
Firstly, you should ensure that you meet these requirements before you attempt this configuration:
Cisco Cloud Services Router 1000V running IOS XE 3.12 or higher
Cisco AnyConnect Secure Mobility Client 3.x or higher
Components Used:
Cisco Cloud Services Router 1000V running IOS XE 3.12
Cisco AnyConnect Secure Mobility Client 3.1.05160
Microsoft Windows 7 PC
Network Diagram: Configure SSLVPN on Cisco CSR1000V (figure not reproduced)
Anyconnect Configuration:
1. Configure SSL Server Self-Signed Certificate
# Generate a Rivest-Shamir-Adleman (RSA) key with a modulus length of 2048 bits:
crypto key generate rsa general-keys label anyconnect modulus 2048
# Configure a trustpoint for the self-signed certificate, and apply this RSA keypair:
crypto pki trustpoint anyconnectvpn
 enrollment selfsigned
 subject-name CN=108.1.220.132
 revocation-check none
 rsakeypair anyconnect
# Once the trustpoint is configured, enroll the self-signed certificate:
crypto pki enroll anyconnectvpn
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
2. Upload and Apply the Anyconnect client software
copy tftp://10.0.0.150/anyconnect-win-3.1.05160-k9.pkg flash
Address or name of remote host [10.0.0.150]?
Source filename [anyconnect-win-3.1.05160-k9.pkg]?
Destination filename [anyconnect-win-3.1.05160-k9.pkg]?
Accessing tftp://10.0.0.150/anyconnect-win-3.1.05160-k9.pkg...!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-3.1.05160-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2635734 bytes copied in 4.480 secs (658933 bytes/sec)
# Apply this Anyconnect client image to the configuration:
crypto vpn anyconnect flash:/anyconnect-win-3.1.05160-k9.pkg sequence 1
3. Configure the User Database
aaa new-model
aaa authentication login sslvpn local
aaa authorization network sslvpn local
username Anyconnect password Anyconnect123
4. Configure the VPN pool
# Define the local pool that is used in order to assign IP addresses to the clients when they connect:
ip local pool SSL_Client 192.168.10.1 192.168.100.20
5. Define the supported ciphers under SSL Proposal
crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
6. Create a split-tunnel access-list to be pushed out as a secure route to the Anyconnect clients
ip access-list standard sslvpn-tunnel
 permit 10.0.0.0 0.255.255.255
7. Configure an SSL Policy that defines the ciphers to be supported and the trustpoint to be used during SSL negotiation.
crypto ssl policy sslvpn-policy
 ssl proposal sslvpn-proposal
 pki trustpoint anyconnectvpn sign
 ip address local 108.1.220.132 port 443
 no shutdown
8. Create an SSL Authorization Policy locally on the Router with the authorization parameters to be pushed out to the clients
crypto ssl authorization policy sslvpn-auth-policy
 pool SSL_Client
 dns 10.0.0.120
 def-domain cisco.com
 route set access-list sslvpn-tunnel
9. Define the configured authentication and authorization lists under an SSL Profile
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list sslvpn
 aaa authorization group list sslvpn sslvpn-auth-policy
 authentication remote user-credentials
 max-users 100
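Before pasting a configuration like the one built in steps 1 to 9 onto a router, it pays to check it the way a reviewer would. The Python check below is an added example, not part of the original guide: it parses the crypto ssl objects out of running-config text, confirms that the policy and profile reference objects that actually exist, and flags the 3DES and RC4/MD5 suites in the proposal. The sample configuration inside it is constructed from the guide's steps, with the policy's proposal name misspelled on purpose so the reference check has something to report.

```python
import re

# Ciphers offered by the guide's proposal that a current deployment should drop
WEAK_CIPHERS = {"rsa-3des-ede-sha1", "rsa-rc4128-md5"}
# Sub-commands that point at another crypto ssl object: (kind referenced, pattern)
REFERENCES = (("proposal", r"ssl proposal (\S+)"), ("policy", r"match policy (\S+)"))

# Constructed sample from the guide's steps; the policy's proposal name is misspelled on purpose
SAMPLE_CONFIG = """\
crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
crypto ssl policy sslvpn-policy
 ssl proposal ssl_proposal
 pki trustpoint anyconnectvpn sign
crypto ssl authorization policy sslvpn-auth-policy
 pool SSL_Client
 route set access-list sslvpn-tunnel
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list sslvpn
"""

def parse_sections(config):
    """Return {(kind, name): [sub-commands]} for every crypto ssl block."""
    sections, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ssl (proposal|policy|authorization policy|profile) (\S+)", line)
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = []
        elif line.startswith(" ") and current:
            sections[current].append(line.strip())
        else:
            current = None  # top-level command outside any crypto ssl block
    return sections

def audit(config):
    """Return human-readable findings; an empty list means the config passed."""
    sections, findings = parse_sections(config), []
    for (kind, name), body in sections.items():
        for cmd in body:
            if kind == "proposal" and cmd.startswith("protection "):
                weak = WEAK_CIPHERS & set(cmd.split()[1:])
                if weak:
                    findings.append(f"proposal {name}: weak ciphers {sorted(weak)}")
            for ref_kind, pattern in REFERENCES:
                m = re.match(pattern, cmd)
                if m and (ref_kind, m.group(1)) not in sections:
                    findings.append(f"{kind} {name}: references missing {ref_kind} {m.group(1)}")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns two findings, the weak suites and the dangling proposal reference; feed it the text of your own show running-config to check a live router.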
10. Verify your connection
Once a client connects, you can view the status using:
show crypto ssl session user Anyconnect detail
Session Type : Full Tunnel Client
User-Agent : AnyConnect Windows 3.1.05160
Username : Anyconnect
Num Connection : 1
Public IP : 173.36.240.173
Profile : ssl_profile
Policy : ssl_policy
Last-Used : 00:00:06
Created : *10:00:00.928 UTC Mon Apr 6 2014
Session Timeout : 43200
Idle Timeout : 1800
DNS primary : 10.0.0.120
DPD GW Timeout : 300
DPD CL Timeout : 300
Address Pool : SSL_Client
MTU Size : 1406
Disconnect Time : 0
Rekey Time : 3600
Lease Duration : 43200
Keepalive : 30
Tunnel IP : 192.168.10.2
Netmask : 0.0.0.0
Rx IP Packets : 533
Tx IP Packets : 462
Virtual Access : 1
CSTP Started : 00:46:50
Last-Received : 00:00:06
CSTP DPD-Req sent : 0
Msie-ProxyServer : None
Msie-PxyOption : Disabled
Msie-Exception : None
Split DNS : None
ACL : sslvpn-tunnel
Default Domain : cisco.com
Client Ports : 49423
Detail Session Statistics for User:: Anyconnect
----------------------------------
CSTP Statistics::
Rx CSTP Frames : 322
Tx CSTP Frames : 0
Rx CSTP Bytes : 63453
Tx CSTP Bytes : 3423
Rx CSTP Data Fr : 643
Tx CSTP Data Fr : 233
Rx CSTP CNTL Fr : 36
Tx CSTP CNTL Fr : 0
Rx CSTP DPD Req : 0
Tx CSTP DPD Req : 0
Rx CSTP DPD Res : 0
Tx CSTP DPD Res : 0
Rx Addr Renew Req : 0
Tx Address Renew : 0
Rx Dropped Frames : 0
Tx Dropped Frame : 0
Rx IP Packets : 167
Tx IP Packets : 532
Rx IP Bytes : 8375
Tx IP Bytes : 18573
CEF Statistics::
Rx CSTP Data Fr : 0
Tx CSTP Data Fr : 0
Rx CSTP Bytes : 0
Tx CSTP Bytes : 0
Guide from https://supportforums.cisco.com/document/12470701/configure-sslvpn-cisco-cloud-services-router-1000vcsr1000v...