After many revisions and tests I have finally set up an SSL-VPN with Cisco AnyConnect. These are the steps to set it up.

STEP 1: Setting up the Webserver Function

These commands turn on the HTTP and HTTPS servers and make the HTTP/HTTPS server authenticate users against the local user database.

ip http server
ip http authentication local
ip http secure-server

STEP 2: Setting up Authentication

The first command creates a simple username and password for logging into the VPN; this is used if you do not have a RADIUS server. The next commands enable AAA and make login authentication and exec authorization use the local database.

username test password test

aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local

STEP 3: Setting up the IP Pool

This is a simple command that creates a local address pool from which the VPN hands out addresses to connecting clients.


STEP 4: Setting up the Authentication Trustpoint

This set creates the SSL certificate as a self-signed one generated on the router itself, rather than issued by a CA server.

crypto pki trustpoint <CERT_NAME>
enrollment selfsigned
crypto pki enroll <CERT_NAME>

STEP 5: Setting up the VPN

The first group of commands sets up the gateway, which defines three main things: first, the gateway name; second, the IP address or interface that faces the internet; third, the binding of the gateway to the SSL certificate made in step 4.

webvpn gateway <GATEWAY>
ip interface <OUTBOUND_INTERFACE OR IP_ADDRESS> port 443
ssl trustpoint <CERT_NAME>

This line tells the router where the AnyConnect client package is stored in flash. If you have not uploaded it yet, you need to do so first.

webvpn install svc flash:/webvpn/anyconnect-version#.pkg sequence 1

This portion defines the portal side of things: it sets the colors of the login page and enables SSL authentication verification.

webvpn context <VPN_NAME>
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all

This is the final piece; it creates the policy group to be used. It ties together the IP address pool, the default domain name, and the internal DNS server. The svc split include line tells the client which networks to send through the VPN tunnel and which to reach through its normal routing. Finally, the context is attached to the gateway defined at the top of this step.

policy group <POLICY_NAME>
functions svc-enabled
svc address-pool "<POOL_NAME>" netmask
svc default-domain "<DOMAIN_NAME>"
svc keep-client-installed
svc split include
svc dns-server primary <DNS_IP>
default-group-policy <POLICY_NAME>
gateway <GATEWAY>


I had to test this project for many months, as there was a bug in Cisco IOS version 151-3.T that, when the router was rebooted, would replace the SSL certificate even if there was an existing one. The workaround was either to upgrade the IOS version or to set up a CA server. I upgraded.

Enjoy, and if you have any questions, comment or send me a message on the contact me page.


Handy Cisco Commands

Here is a list of some little-known and very helpful Cisco IOS commands.

1) Reload at a specific time or after a specific amount of time:

reload [text | in [hh:]mm [text] | at hh:mm [month day | day month] [text] | cancel]


Router# reload in 10

-This command reloads the device in 10 minutes. It is perfect to use when you are not sure whether the next set of commands will cut off your connection to the device and you need a way to undo them without consoling in, because the reload comes back up on the saved startup configuration.

Router# reload at 16:00

-This Cisco command reloads the device at 4:00 PM.

Router# reload cancel

-This Cisco command simply cancels a reload that is planned for the future.

2) Resetting an Interface to a Default State

Router(config)# default interface <interface>

-This simple Cisco command resets an interface back to its default state, ready for further configuration.

3) Show Filters

Router# show run | section interface

-This filter shows each configuration section that matches the keyword, in this case every interface block.

Router# show run | begin interface

-This filter finds the first occurrence of the keyword and shows the configuration from that point forward.

Router# show run | include ospf

-This filter shows every line in the running configuration that contains the word ospf.

Router# show run | exclude ospf

-This filter removes every line that contains the keyword.
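As an added example (not code from the post), here is a Python model of the section and include filters from item 3, used to audit the SSL-VPN linkage from the AnyConnect post above: gateway to trustpoint, the context's ssl authenticate verify all line, and the policy's pool name to a pool definition. The config, names and addresses are constructed, and the pool check assumes ip local pool is the command that defines the pool (the post's step 3 leaves it out).

```python
# Constructed sample running-config (made-up names/addresses, not a real device).
CFG = """\
ip http secure-server
crypto pki trustpoint VPN-CERT
 enrollment selfsigned
ip local pool VPN-POOL 10.10.10.10 10.10.10.50
webvpn gateway VPN-GW
 ip interface GigabitEthernet0/0 port 443
 ssl trustpoint VPN-CERT
webvpn context VPN-CTX
 ssl authenticate verify all
 policy group VPN-POLICY
  svc address-pool "VPN-POOL" netmask 255.255.255.0
 default-group-policy VPN-POLICY
 gateway VPN-GW
"""

def include(cfg, kw):            # behaves like: show run | include <kw>
    return [l for l in cfg.splitlines() if kw in l]

def section(cfg, kw):            # behaves like: show run | section <kw>
    """Matching lines plus every more-indented line that follows each match."""
    out, depth = [], None
    for line in cfg.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if depth is not None and indent > depth:
            out.append(line)     # still inside the matched block
        elif kw in line:
            depth = indent       # a match opens a new block at this indent
            out.append(line)
        else:
            depth = None         # back at or above the matched level: block ended
    return out

def audit_sslvpn(cfg):
    """Check the links the post relies on; returns a list of findings (empty = OK)."""
    findings = []
    gw = section(cfg, "webvpn gateway")
    tp = [l.split()[-1] for l in gw if l.strip().startswith("ssl trustpoint")]
    if not tp or not include(cfg, f"crypto pki trustpoint {tp[0]}"):
        findings.append("gateway has no ssl trustpoint, or it is not defined")
    ctx = section(cfg, "webvpn context")
    if " ssl authenticate verify all" not in ctx:
        findings.append("context lacks 'ssl authenticate verify all'")
    for pool in (l.split('"')[1] for l in ctx if "svc address-pool" in l):
        if not include(cfg, f"ip local pool {pool} "):   # assumed pool command
            findings.append(f"address pool {pool} has no ip local pool definition")
    return findings
```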

4) The Alias Cisco Command

Router(config)# alias exec s show ip interface brief

-This command is powerful. With the alias command you can specify that when you are in exec mode and type "s", the router expands it into the full show ip interface brief command for you. This saves minutes, maybe hours, of typing long commands. An alias can be defined for any letter or word and made to run any Cisco command.

5) Key Cisco Commands

Ctrl+A  Move cursor to the beginning of the line
Ctrl+E  Move cursor to the end of the line
Up      Retrieve last command from history
Down    Retrieve next command from history
Ctrl+W  Erase previous word
Ctrl+U  Erase the entire line
Ctrl+C  Exit configuration mode
Ctrl+Z  Apply the current command and exit configuration mode

As always, leave me a comment or contact me via the contact page.