Wednesday, August 29, 2018

Configuring Cisco SSL VPN AnyConnect (WebVPN) on Cisco IOS Routers

Our Web SSL VPN article written back in 2011 introduced this new wave of VPN services.  This article extends the topic by covering the installation and configuration of Cisco’s SSL AnyConnect VPN for Cisco IOS Routers.
Web SSL VPN delivers the following three modes of SSL VPN access:
Clientless - Clientless mode provides secure access to private web resources and will provide access to web content. This mode is useful for accessing most content that you would expect to access in a web browser such as Internet access, web-based intranet, webmail etc.
Thin Client (port-forwarding Java applet) - Thin client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access protocol (IMAP), Telnet and Secure Shell (SSH).
Tunnel Mode (AnyConnect Secure Mobility Client) - Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application.
The advantage of SSL VPN comes from its accessibility from almost any Internet-connected system without needing to install additional desktop software.

 

Introducing Cisco SSL AnyConnect VPN - WebVPN

Cisco SSL AnyConnect VPN is a real trend these days – it allows remote users to access enterprise networks from anywhere on the Internet through an SSL VPN gateway using a web browser. During the establishment of the SSL VPN with the gateway, the client downloads and installs the AnyConnect VPN client from VPN gateway. This feature allows easy access to services within the company’s network and simplifies the VPN configuration on the SSL VPN gateway, reducing dramatically the administrative overhead for system administrators.

The Cisco secure WebVPN router login screen
The Cisco SSL AnyConnect VPN client was introduced in Cisco IOS 12.4(15)T and has been in development since then. Today, Cisco SSL AnyConnect VPN client supports all Windows platforms, Linux Redhat, Fedora, CentOS, iPhones, iPads and Android mobile phones.
Regardless of the client (PC, smartphone etc), the router configuration remains the same, while the appropriate VPN client software is downloaded by the client connecting to the VPN gateway (router).
Smartphones such as iPhones (iPAD included) and Android can download the Cisco VPN AnyConnect Secure Mobility Client directly from iTunes (Apple) or the Google Play store respectively (android phones).  To download it, connect to your store and search for ‘Cisco AnyConnect’.
IOS version 15.1.4(M7) or greater is required to correctly support Anyconnect Secure Mobility Client for Smartphone clients (Android, iPhone, etc). For Windows Anyconnect clients, it is highly recommended to use IOS 12.4(20)T or greater. Also keep in mind that IOS 12.4 does not require any license activation for the Webvpn service.
This article will use a Windows 7 workstation and Samsung Galaxy SII running Ice Cream Sandwich (4.0.4), as mobile clients.
To download VPN AnyConnect Secure Mobility Client packages files for Windows, MacOS X and Linux platforms, free, simply visit our Cisco Download section. The latest version of the client was made available at the time of writing this article.
Once our client is downloaded and installed on our Windows 7 workstation it will be ready to initiate the VPN connection to our VPN Gateway:

Steps to Configure and Enable SSL AnyConnect VPN Secure Mobility Client

  •  Upload AnyConnect Secure Mobility Client to our Cisco Router
  • Generate RSA Keys
  • Declare the Trustpoint & Create Self-Signed Certificate
  • Configure WebVPN Pool IP addresses assigned to the VPN Users
  • Enable and Configure AAA Authentication for SSL VPN & Create User Accounts
  • Enable WebVPN License
  • Configure and enable WebVPN Gateway
  • Configure and enable SSL VPN Context
  • Configure default group policy, authentication list and final parameters for WebVPN
Note: The complete working configuration for WebSSL VPN AnyConnect can be found at the end of this article.

Uploading AnyConnect Secure Mobility Client Package to Our Cisco Router

The first step is to upload the Cisco AnyConnect client to the router’s flash memory.  Depending on the type of clients you might need to upload more than one VPN AnyConnect client package.  For our article, we will be using the latest VPN AnyConnect client for Windows, which at the time of writing was version 3.1.00495 (anyconnect-win-3.1.00495-k9.pkg). This client is available for download in our Cisco Download Section.
R1# copy tftp flash:
Address or name of remote host []? 192.168.9.74
Source filename []? anyconnect-win-3.1.00495-k9.pkg
Destination filename [anyconnect-win-3.1.00495-k9.pkg]?
Accessing tftp://192.168.9.74/anyconnect-win-3.1.00495-k9.pkg...
Loading anyconnect-win-3.1.00495-k9.pkg from 192.168.9.74 (via Virtual-Access3): !!!!!!!!!!!!!!!!!!!!!
[OK - 29806775 bytes]
29806775 bytes copied in 325.852 secs (90 kbytes/sec)


Generate RSA Keys

The next step is to generate our RSA 1024bit keys. The crypto key generate rsa command depends on the hostname and ip domain-name commands. This crypto command generates a Rivest, Shamir, Adleman (RSA) key pair, which includes one public RSA key and one private RSA key, with a key modulus size of 1024 (usually):
R1(config)# crypto key generate rsa label my-rsa-keys modulus 1024        
The name for the keys will be: my-rsa-keys
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
  

Note: The crypto key generate rsa command will not appear in the router’s running or startup configuration


Declare the Trustpoint & Create Self-Signed Certificate

Once complete, we need to declare the trustpoint that the router should use by using the command crypto pki trustpoint command in global configuration mode. When declaring a trustpoint, we can specify certain characteristics in its subcommands as shown in our configuration:
crypto pki trustpoint my-trustpoint
enrollment selfsigned
subject-name CN=firewallcx-certificate
rsakeypair my-rsa-keys
!
crypto pki enroll my-trustpoint
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created

Configure WebVPN Pool IP Addresses

WebVPN users will need to be assigned a LAN IP address so they can communicate with our network. The following command specifies the pool of ip addresses that will be assigned to our users. This can be either part of our LAN network or a completely different network. Since we have plenty of spare IP addresses, we’ll be using a small portion of them:
ip local pool webvpn-pool 192.168.9.80 192.168.9.85
Note we have named this pool webvpn-pool.

Enable and Configure AAA Authentication for SSL VPN - Create User VPN Accounts

AAA stands for Authentication, Authorization and Accounting. We need to enable AAA in order to use it for our user authentication. 
aaa new-model
aaa authentication login sslvpn local
username chris secret firewall.cx
It could be that AAA is already enabled on the router, in which case we only need to define an authentication list (we named it ‘sslvpn’) to use the router’s local user database for user authentication. 

Enable WebVPN License

When the WebVPN service is enabled for the first time on an ISR Generation 2 Cisco router (1900, 2900 & 3900 series), with the 15.x version IOS software or newer, the router will prompt us to accept the End-User License Agreement (EULA) before enabling and activating the service.
It is imperative to accept the EULA in order to proceed:
R1(config)# webvpn gateway Cisco-WebVPN-Gateway PLEASE  READ THE  FOLLOWING TERMS  CAREFULLY. INSTALLING THE LICENSE OR
LICENSE  KEY  PROVIDED FOR  ANY CISCO  PRODUCT  FEATURE  OR  USING SUCH
PRODUCT  FEATURE  CONSTITUTES  YOUR  FULL ACCEPTANCE  OF  THE FOLLOWING
TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO  BE BOUND
BY ALL THE TERMS SET FORTH HEREIN.
……. Output omitted
Activation  of the  software command line interface will be evidence of
your acceptance of this agreement.
ACCEPT? [yes/no]: yes


After accepting the EULA, we can verify the WebSSL VPN service is activated by issuing the show license all command. Usually StoreIndex 4 contains the WebSSL VPN reference:
R1# show license all
License Store: Primary License Storage
StoreIndex: 0   Feature: ipbasek9                          Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
StoreIndex: 1   Feature: securityk9                        Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
License Store: Built-In License Storage
StoreIndex: 0   Feature: securityk9                        Version: 1.0
        License Type: EvalRightToUse
        License State: Inactive
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 8  weeks 4  days
            Period used: 0  minute  0  second 
        License Count: Non-Counted
        License Priority: None
StoreIndex: 4   Feature: SSL_VPN                           Version: 1.0
        License Type: EvalRightToUse
        License State: Active, In Use
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 8  weeks 3  days
            Period used: 0  minute  1  second 
            Transition date: Nov 18 2012 22:14:16
        License Count: 100/0  (In-use/Violation)
        License Priority: Low

Notice the License Type mention: EvalRightToUse.  This means that this is an evaluation license, a license to evaluate. At the end of the 8 ½ week evaluation period, the ISRG2 Cisco router license will not terminate the Web SSL_VPN license, and it will continue to work.

License Activation applies only to IOS 15.x version.  The 12.4 series IOS does not require license activation

 

 

Configure and Enable WebVPN Gateway

After taking care of the licensing it’s time to begin working on the WebVPN Virtual Gateway configuration. The WebVPN Virtual Gateway enables the interface or IP address and port number to which the WebVPN service will ‘listen’ for incoming connections and also determines the encryption that will be used. 
webvpn gateway Cisco-WebVPN-Gateway
 ip address 74.200.90.5 port 443 
 ssl encryption rc4-md5
 ssl trustpoint my-trustpoint
 inservice
Note: If the interface the WebVPN will be running on has a dynamic IP address, for example Dialer0 (ATM ADSL Interface), the ip address 74.200.90.5 port 443  command can be replaced with ip interface Dialer0 port 443, where ‘Dialer0’ is the dynamic interface.

Note: There is a big bug that causes Windows clients browser to report errors such as ""The page isn't redirecting properly"" when trying to connect to the SSL WebVPN Gateway.  According to Cisco, this bug surfaces as a Windows machine gets updated with security update KB2585542. Cisco's workaround solution is to use the rc4-md5 encryption instead, as shown above.

For those interested in reading up on this bug, Cisco has assigned bug ID: CSCtx38806 with the description "IOS SSL VPN fails to connect after microsoft security update KB258554".

Configure and Enable SSL VPN Context

The SSL VPN context is used to configure a number of parameters for our Web VPN server, these include:
  • Gateway and domain associated
  • AAA user authentication method
  • Group policy associated
  • The remote user portal (web page)
  • Limit number of WebVPN SSL user sessions
Most of these parameters are configured in our group policy. This group policy is then set as the default-group policy for our Web SSL VPN.
webvpn context Cisco-WebVPN
 title "Firewall.cx WebVPN - Powered By Cisco"
 !
 acl "ssl-acl"
   permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0
 login-message "Cisco Secure WebVPN"
 !
 policy group webvpnpolicy
   functions svc-required
   functions svc-enabled
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc rekey method new-tunnel
   svc split include 192.168.9.0 255.255.255.0
Let’s explain what all the above commands do:
The webvpn context command is used to create a context named which we have named Cisco-WebVPN. The title command sets the text that will be displayed at the web browser’s Page Title and at the top of the login screen.
The acl “ssl-acl” command configures the access lists for this context. It basically governs what the web vpn users will have access to.  We’ve provided our webVPN users full access to the 192.168.9.0 network.
Our webvpn users' IP addresses have already been defined in the webvpn-pool (192.168.9.80 to 192.168.0.85). Instead of typing each IP address within that range into our ACL list we simply configure the router to allow the 192.168.9.0 network as a source and destination in our VPN tunnel. This ensures any IP in the 192.168.9.0 range assigned to our vpn clients will have access to our LAN (192.168.9.0)
The login-message command defines the text that will be shown in the login section of the webvpn webpage. These messages are also visible in our WebVPN login screen at the beginning of our article.
Since our webvpn pool is part of the same network we just set the 192.168.9.0 network as the source and destination IP address.
Next, we define a group policy. The group policy configures a number of important parameters. We named our group policy webvpnpolicy.
The functions svc-enabled & svc-required commands ensure tunnel-mode is enabled and required. The combination of these two commands will force the VPN user’s PC to start downloading the AnyConnect software client as soon as he authenticates successfully. This is called tunnel-mode operation.
Alternatively, without the svc-required command, a webpage will be presented from which the user can directly launch any configured web service in our webvpn portal or selectively initiate tunnel-mode and start downloading the AnyConnect software client. 
Note: The acronym SVC stands for SSL VPN Client
The screenshot below shows the AnyConnect Secure Mobility Client installation process. Keep in mind that these screenshots apply after the complete configuration of our router's SSL WebVPN service:

During the installation, the user will receive a number of prompts & security warnings about the publisher and website’s certificate verification. Administrators and engineers should instruct their VPN users to accept/allow the installation of the certificates and software client when prompted.
Shortly after the acceptance of certificates and confirming to the web browser to allow the installation of the client, the AnyConnect Secure Mobility Client Downloader will begin:



The filter tunnel ssl-acl command instructs the webvpn gateway to use ssl-acl access list to define the access vpn users will have.
The svc address-pool command defines the pool that will be used to assign IP addresses to our vpn users.
The svc rekey method new-tunnel specifies that the SVC establishes a new tunnel during SVC rekey.
The svc split command enables split tunneling, instructing which network traffic will be sent through the vpn tunnel. If this command is not included, vpn users will not be allowed to access the Internet while connected to the vpn.
 

Configure Default Group Policy, Authentication List and Final Parameters

Now we will configure the policy we just created as the default policy, set the aaa authentication list (sslvpn) to be used for user authentication and maximum users for the service. Lastly, we enable our webvpn context:
default-group-policy webvpnpolicy
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 max-users 2
 !
 ssl authenticate verify all
 !
 url-list "rewrite"
 inservice
The ssl authenticate verify all command enables SSL configurations for backend server connections. While we are not using any such backend services, it’s a good option to always have enabled.

Supporting Multiple Group Policies on AnyConnect

Administrators and engineers who have worked with the classic Cisco IPSec VPN client will wonder how they can support multiple groups with different access rights using AnyConnect.  The fact is that AnyConnect does support multiple groups, however it requires a radius server at the backend.
AnyConnect on a Cisco router without a radius server will only allow support for one group policy.

Complete WebVPN SSL AnyConnect Configuration

Finally, below is the complete Web VPN SSL AnyConnect configuration of our router:
aaa new-model
aaa authentication login sslvpn local
!
username chris secret firewall.cx
!
crypto key generate rsa label my-rsa-keys modulus 1024 
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.00495-k9.pkg sequence 1
!
ip local pool webvpn-pool 192.168.9.80 192.168.9.85
!
webvpn gateway Cisco-WebVPN-Gateway
 ip address 74.200.90.5 port 443 
 ssl encryption rc4-md5
 ssl trustpoint my-trustpoint
 inservice
 !
webvpn context Cisco-WebVPN
 title "Firewall.cx WebVPN Gateway"
 !
 acl "ssl-acl"
   permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0
 login-message "Cisco Secure WebVPN"
 !
 policy group webvpnpolicy
   functions svc-required
   functions svc-enabled
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc rekey method new-tunnel
   svc split include 192.168.9.0 255.255.255.0
 default-group-policy webvpnpolicy
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 max-users 2
 !
 ssl authenticate verify all
 !
 url-list "rewrite"
 inservice

This concludes our Cisco SSL VPN AnyConnect configuration for Cisco IOS Routers.

No comments:

Post a Comment