After many revisions and test I have finally setup a SSL-VPN with Cisco AnyConnect. There are steps to set this up.

STEP 1: Setting up the Webserver Function

These are simple commands that will turn on the HTTP and HTTPS servers and make the authentication for the HTTPS server to be local.

ip http server
ip http authentication local
ip http secure-server

STEP 2: Setting up Authentication

The first command makes a simple username and password to log into the VPN, this is used if you do not use a radius server.  The next commands creates the authentication is local.

username test password test

aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local

STEP 3: Setting up the IP Pool

This is a simple command to create a local pool for the VPN to use for the clients accessing it.


STEP 4: Setting up the Authentication Trustpoint

This set makes the SSL cert and makes it a self-assigned one that is created here on the router and not through a CA server.

crypto pki trustpoint <CERT_NAME>
enrollment selfsigned
crypto pki enroll <CERT_NAME>

STEP 5: Setting up the VPN

The first portion of commands are setting up the gateway, which defines three main things. First, gateway name.  Second, the IP or interface that is going to be the internet facing side.  Third, binding the gateway to the SSL certification made in step 4.

webvpn gateway <GATEWAY>
ip interface <OUTBOUND_INTERFACE OR IP_ADDRESS> port 443
ssl trustpoint <CERT_NAME>

This portion defines where the anyconnect client is stored on router.  If you don’t have it uploaded you need to.

webvpn install svc flash:/webvpn/anyconnect-version#.pkg sequence 1

This portion just defines the website’s side of things.  It makes the color and the SSL authentication is needed.

webvpn context <VPN_NAME>
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all

This is the final piece and it creates the policies to be used.  It wraps up the IP address pool to be used, the domain name, and the internal DNS server used.  The line split includes tells the VPN what IPs to send through the VPN and what to use the client’s normal IP methods.  Finally it attaches to the gateway that is defined at the top of this step.

policy group <POLICY_NAME>

functions svc-enabled
svc address-pool “<POOL_NAME>” netmask
svc default-domain “<DOMAIN_NAME>”
svc keep-client-installed
svc split include
svc dns-server primary <DNS_IP>
default-group-policy <POLICY_NAME>
gateway <GATEWAY>


I had to test this project for many months as there was a bug in the Cisco IOS version 151-3.T that when the router was rebooted it would replace the SSL certificate even if there was an existing one.  The work around was either upgrade IOS versions or make a CA server.  I upgraded.

Enjoy and if you have any questions comment or send me a message on the contact me page


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.