All posts by patrickpreuss

Cisco AnyConnect VPN with Cisco 3845

After the implementation of the AnyConnect Client to our ASA5500 is at a good state i want to have some backup until our productional hardware will delivered. 😉

So i decided to use one of our Cisco 3845 Routers to do the job.

show version

[sourcecode gutter=”false” autolinks=”false” collapse=”true”]
C3845#show version
Load for five secs: 1%/0%; one minute: 3%; five minutes: 3%
Time source is NTP, 07:48:17.248 CET Sat Sep 11 2010
Cisco IOS Software, 3800 Software (C3845-ADVSECURITYK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 16:43 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T10, RELEASE SOFTWARE (fc1)

C3845 uptime is 34 weeks, 4 days, 14 hours, 47 minutes
System returned to ROM by reload at 15:53:45 CET Mon Jan 11 2010
System restarted at 15:55:20 CET Mon Jan 11 2010
System image file is "flash:c3845-advsecurityk9-mz.150-1.M1.bin"

First i installed the AnyConnect Package on the Router.

[sourcecode gutter=”false” autolinks=”false”]
C3845(config)#webvpn install svc flash:/anyconnect-win-2.5.1025-k9.pkg sequence 1
SSLVPN Package SSL-VPN-Client (seq:1): installed successfully

[sourcecode gutter=”false” autolinks=”false”]
ip local pool CSM_POOL_1
ip local pool vpnpool
ip local pool SSLVPNClient
webvpn gateway SSLVPN
ip address port 443
ssl trustpoint TP-self-signed-2234495401
webvpn install svc flash:/webvpn/anyconnect-win-2.5.1025-k9.pkg sequence 1
webvpn context SSLVPN
ssl authenticate verify all
policy group SSLVPN
functions svc-required
svc address-pool "CSM_POOL_1"
svc keep-client-installed
svc dns-server primary
svc dns-server secondary
default-group-policy SSLVPN
gateway SSLVPN
If you feel this helps a bit or may be not ? Please leave a comment.

Flickr : , , , , ,

Cisco ASA AnyConnect VPN

Some Notes what todo

radius authentication für die ASA

ASA 8.X: AnyConnect Start Before Logon Feature Configuration

Configuration Examples and TechNotes


av-pairs ????

certificate selection process

certifate import on cli / asdm  /ios

set the certificate on the interface : ssl trust-point MyTrustPoint Outside

Docu: Backup Gateway

Piuctures: ASDM, CCP

Write complete setup down ….

Reference the Docu. :-)

Flickr : , , , , ,

How to authentication AnyConnect VPN against RADIUS

AnyConnect and Cisco ACS Radius is a bit more complected because the ASA5500 documentation states that you can not use the Same Radius for
Authentication and Authorization. So things getting more complex by it self 😉 But if i see things in the right light we don’t need authorization at all so we will on monday how things will develope.

How to authentication AnyConnect VPN against RADIUS

The Authentication against RADIUS is quiet easy to configure.

Just add the RADIUS Servers as described here.
Than add following to the configuration:

[sourcecode gutter=”false” autolinks=”false”]
tunnel-group SSLClientProfile general-attributes
authentication-server-group AAA-RADIUS
By debuging the radius authentication is see our freeradius deliver the av-pairs with the authentication request so lets see if the ASA accepts them.
If you feel this helps a bit or may be not ? Please leave a comment.

Flickr : , , , , ,