Archive for the 'Cisco VPN' Category



VPN with HSRP High Availability

Sunday 27 November 2011 @ 4:46 pm

The purpose of HSRP (Hot Standby Router Protocol) is to monitor interfaces and other connectivity parameters; if a tracked interface goes down, a failover takes place from the active HSRP router to the standby HSRP router. There is no direct correlation between HSRP and IPSEC. However, we can use HSRP to provide VPN tunnel failover, as we will explain with the example diagram below.

For example, assume the following scenario: a site-to-site IPSEC VPN is terminated on a router which happens to be the active HSRP router of a failover pair. If this router fails, then IPSEC must immediately be switched to the HSRP standby router. In the diagram below, VIP means HSRP Virtual IP address.

[Diagram: VPN with HSRP]

Equipment used in this lab:

  • HQ1 and HQ2 – c3725-advsecurityk9-mz.124-1c
  • The rest – 2691 IOS c2691-adventerprisek9-mz.123-17a

LAB Scenario:

We’ve got an HQ with two HSRP routers, and two remote offices. The PCs in the branches must have access to servers located in HQ, so the connection must be highly available and secured; that’s why two routers are located in HQ, providing both high availability and VPN termination.

First of all I started EIGRP on the external interfaces of the branches (Fa0/0) and on all interfaces of the WAN router. I won’t go into how I did that; that step was only necessary to establish full routing connectivity for the lab scenario.

HQ Routers Configuration:

To provide high availability on HQ’s LAN interface, HSRP is used. I’ve configured a higher priority on HQ1 (value 145) so that it becomes the active router, and the standby router HQ2 has priority 140. The virtual IP address is 192.168.1.1. I’ve also configured tracking of Fa0/0 and Fa0/1, which means that if Fa0/0 or Fa0/1 goes down, the router’s priority will decrease by 10, and if both of them go down, it will decrease by 20. In our case, if Fa0/0 or Fa0/1 on HQ1 goes down, the priority of HQ1 will be lower than the priority of HQ2, so HQ2 will become the active device.

The command “preempt” allows a router to become active if it has a higher priority than the current active router. In our case, when the lost interfaces on HQ1 come up again, the preempt command will make HQ1 active again.

hq1#show running-config interface fastEthernet 0/1
interface FastEthernet0/1
ip address 192.168.1.11 255.255.255.0
standby 1 ip 192.168.1.1
standby 1 priority 145
standby 1 preempt
standby 1 track FastEthernet0/1
standby 1 track FastEthernet0/0       

hq2#show running-config interface fastEthernet 0/1
interface FastEthernet0/1
ip address 192.168.1.12 255.255.255.0
standby 1 ip 192.168.1.1
standby 1 priority 140
standby 1 preempt
standby 1 track FastEthernet0/0
standby 1 track FastEthernet0/1     

! The configuration on the WAN side is the same as on the LAN side: HSRP with the same priorities is on this interface as well.
hq1#show running-config interface fastEthernet 0/0
interface FastEthernet0/0
ip address 192.168.2.11 255.255.255.0
standby 2 ip 192.168.2.2
standby 2 priority 145
standby 2 preempt
standby 2 track FastEthernet0/1
standby 2 track FastEthernet0/0

hq2#show running-config interface fastEthernet 0/0
interface FastEthernet0/0
ip address 192.168.2.12 255.255.255.0
standby 2 ip 192.168.2.2
standby 2 priority 140
standby 2 preempt
standby 2 track FastEthernet0/0
standby 2 track FastEthernet0/1

! Verify the HSRP configuration. The active router for groups 1 and 2 is HQ1, and HQ2 is standby.

hq1#show standby brief
                    P indicates configured to preempt.
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       2   145  P Active   local           192.168.2.12    192.168.2.2
Fa0/1       1   145  P Active   local           192.168.1.12    192.168.1.1     

hq2#show standby brief
                    P indicates configured to preempt.
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       2   140  P Standby  192.168.2.11    local           192.168.2.2
Fa0/1       1   140  P Standby  192.168.1.11    local           192.168.1.1   

! Now let’s configure the crypto ISAKMP policy on HQ1 and HQ2. We use the lightest policy and also set the pre-shared key.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123 address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery  

! Create the access list that matches the traffic going through the VPN tunnel. In this case it is traffic going from 192.168.1.0/24 to the 192.168.4.0/24 and 192.168.5.0/24 networks.
ip access-list extended vpn
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255     

! Create IPSEC Transform-set and dynamic crypto map.
crypto ipsec transform-set ts esp-3des esp-md5-hmac

crypto dynamic-map vpn 10
set transform-set ts
match address vpn
reverse-route

crypto map dynmap 10 ipsec-isakmp dynamic vpn

! Now the most interesting part, where we correlate HSRP and IPSEC. Give the HSRP group a name and attach the crypto map to that HSRP group. After this we must use the HSRP virtual address as the VPN peer address on the branches. When the active HSRP router fails over to the standby router, the VPN tunnels will be switched from the HSRP active router to the HSRP standby router as well.
interface FastEthernet0/0
standby 2 name VPNHA
crypto map dynmap redundancy VPNHA   

The above concludes the configuration of the HQ routers. Let’s look at the configuration of the branches. The branches have a standard configuration; in fact nothing is changed. Just remember that the peer address of the VPN tunnel on the branches must be the HSRP VIP address of the HQ routers.

Branch Routers Configuration:
! Configure crypto isakmp policy
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2

! Set the remote peer IP address. In this case this will be the HSRP virtual IP address.
crypto isakmp key 123 address 192.168.2.2

!create IPsec Transform set.
crypto ipsec transform-set ts esp-3des esp-md5-hmac
!
!For Branch 1 Create Access-list which matches Interesting Traffic for VPN Tunnel.
ip access-list extended vpn
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255

!For Branch 2 Create Access-list which matches Interesting Traffic for VPN Tunnel.
ip access-list extended vpn
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

! Create the crypto map. As peer we indicate the HSRP virtual IP address; all the rest is unchanged. Also turn on reverse-route, because when the VPN tunnel is established, the VPN tunnel destination network will be added to the branch’s routing table as a static route.
crypto map vpn 10 ipsec-isakmp
set peer 192.168.2.2
set transform-set ts
match address vpn
reverse-route

First check the VPN: ping SRV from Host1 and Host2 and see whether the VPN establishes and the traffic we want is matched.

host1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
..!!!

branch1#show crypto isakmp sa
dst             src             state          conn-id slot
192.168.2.2     192.168.3.2     QM_IDLE              1    0

branch1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpn, local addr. 192.168.3.2

protected vrf:
local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 192.168.2.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest 15
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0

branch1#show access-lists vpn
Extended IP access list vpn
10 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255 (32 matches)

host2#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!

branch2#show crypto isakmp sa
dst             src             state          conn-id slot
192.168.2.2     192.168.3.3     QM_IDLE              1    0

branch2#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpn, local addr. 192.168.3.3

protected vrf:
local  ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 192.168.2.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest 19
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

branch2#show access-lists vpn
Extended IP access list vpn
10 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255 (39 matches)

We see that everything is working as we want. Now let’s see how high availability works. Ping SRV from Host1 and at the same time shut down Fa0/1 on HQ1 and see how the switchover is done.

host1#ping 192.168.1.2 repeat 100000
Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!……………………………..
….!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 76 percent (127/167), round-trip min/avg/max = 8/52/172 ms

hq1#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.2.2     192.168.3.2     QM_IDLE              1    0 ACTIVE
192.168.2.2     192.168.3.3     QM_IDLE              2    0 ACTIVE

hq1#show standby brief
                    P indicates configured to preempt.
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       2   135  P Standby  192.168.2.12    local           192.168.2.2
Fa0/1       1   135  P Init     unknown         unknown         192.168.1.1

hq2#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.2.2     192.168.3.2     QM_IDLE              1    0 ACTIVE

hq2#show standby brief
                    P indicates configured to preempt.
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       2   140  P Active   local           192.168.2.11    192.168.2.2
Fa0/1       1   140  P Active   local           unknown         192.168.1.1

High availability is working as we planned. As a result of shutting down the interface, some pings failed; soon the switchover to the HSRP standby router occurred and the connection was established again.
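The following Python, added here and not part of the original post, automates the cross-check made above by reading "show standby brief" and "show crypto isakmp sa" output: it recomputes the expected HSRP priority from the tracked-interface decrement and reports when a router that is not Active for the VPN group still holds ISAKMP SAs, as HQ1 does in the output above. The sample outputs are constructed from the lab values; the decrement of 10 per tracked interface is the IOS default the post relies on.

```python
"""Cross-check HSRP role against the ISAKMP SAs terminating on the VPN group's VIP."""
import re

TRACK_DECREMENT = 10  # IOS default decrement for 'standby <grp> track <iface>'

def effective_priority(base, tracked_down, decrement=TRACK_DECREMENT):
    """HSRP priority after subtracting the decrement once per down tracked interface."""
    return base - decrement * tracked_down

STANDBY_ROW = re.compile(r'^(\S+)\s+(\d+)\s+(\d+)\s+(P?)\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$')
ISAKMP_ROW = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+\d+\s+\d+')

def parse_standby_brief(text):
    """Map HSRP group number -> fields of its 'show standby brief' row."""
    groups = {}
    for line in text.splitlines():
        m = STANDBY_ROW.match(line.strip())
        if m:
            iface, grp, prio, p, state, active, standby, vip = m.groups()
            groups[int(grp)] = {'iface': iface, 'prio': int(prio), 'preempt': p == 'P',
                                'state': state, 'active': active, 'standby': standby, 'vip': vip}
    return groups

def parse_isakmp_sa(text):
    """List (dst, src, state) for each SA row of 'show crypto isakmp sa'."""
    rows = (ISAKMP_ROW.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in rows if m]

def audit_vpn_ha(standby_text, isakmp_text, vpn_group, base_prio, tracked_down):
    """Report whether this router's HSRP role for the VPN group agrees with its ISAKMP SAs."""
    g = parse_standby_brief(standby_text)[vpn_group]
    vip = g['vip']
    peers = sorted(src for dst, src, st in parse_isakmp_sa(isakmp_text)
                   if dst == vip and st == 'QM_IDLE')
    findings = []
    expected = effective_priority(base_prio, tracked_down)
    if g['prio'] != expected:
        findings.append(f"group {vpn_group}: priority {g['prio']}, expected {expected}")
    if g['state'] == 'Active' and not peers:
        findings.append(f"group {vpn_group}: Active for {vip} but no established ISAKMP SA")
    if g['state'] != 'Active' and peers:
        findings.append(f"group {vpn_group}: {g['state']} for {vip} but still holds "
                        f"{len(peers)} ISAKMP SA(s) from before the failover")
    return {'state': g['state'], 'priority': g['prio'], 'vip': vip,
            'peers': peers, 'findings': findings}

# Constructed samples mirroring the lab after Fa0/1 on HQ1 was shut down.
HQ1_STANDBY = """\
P indicates configured to preempt.
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       2   135  P Standby  192.168.2.12    local           192.168.2.2
Fa0/1       1   135  P Init     unknown         unknown         192.168.1.1
"""
HQ1_ISAKMP = """\
dst             src             state          conn-id slot status
192.168.2.2     192.168.3.2     QM_IDLE              1    0 ACTIVE
192.168.2.2     192.168.3.3     QM_IDLE              2    0 ACTIVE
"""
HQ2_STANDBY = """\
P indicates configured to preempt.
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       2   140  P Active   local           192.168.2.11    192.168.2.2
Fa0/1       1   140  P Active   local           unknown         192.168.1.1
"""
HQ2_ISAKMP = """\
dst             src             state          conn-id slot status
192.168.2.2     192.168.3.2     QM_IDLE              1    0 ACTIVE
"""

if __name__ == "__main__":
    # HQ1: base 145 with one tracked interface down; HQ2: base 140, nothing down.
    print("HQ1:", audit_vpn_ha(HQ1_STANDBY, HQ1_ISAKMP, 2, 145, 1))
    print("HQ2:", audit_vpn_ha(HQ2_STANDBY, HQ2_ISAKMP, 2, 140, 0))
```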




Site to Site VPN with Dynamic Crypto Map

Monday 4 April 2011 @ 5:18 pm

In this post I will talk about a hub-and-spoke VPN with one dynamic and two static crypto maps between Cisco routers. The scenario is as follows: there is a central HQ site which will be the hub of our VPN network, and two branch sites which will be the spokes (see diagram below). The central HQ site will have a dynamic crypto map while the branch sites will have static crypto maps. Configuring the central site with a dynamic crypto map means that the remote branch sites can have dynamic public IP addresses. The branch sites will have a static crypto map because for them the remote site (i.e. the central HQ site) has a static public IP address.

First of all, let’s discuss some key points you must keep in mind for this scenario, which uses both a static crypto map and a dynamic crypto map.

  • With a static crypto map, all peers on the VPN terminator (hub) must be configured manually with their specific static public IP address. With a dynamic crypto map we don’t have to configure the peers one by one on the VPN terminator (hub). There are no changes on the spoke sites, i.e. we leave the static crypto map as it was.
  • With a dynamic crypto map, only the spoke site can initiate the VPN session. This means that if no traffic comes from the spoke into the VPN tunnel, the dynamic VPN tunnel will not be established. When, however, traffic is initiated from the spoke site (branch), the VPN tunnel will be established and the connection will be bidirectional between branch and HQ.
  • The configuration on the hub site is simple. If we add more spokes, configuration is done only on the spoke site and there is no need to change anything on the hub.

Our lab network diagram is shown below.

Equipment used in This lab:

  • HQ – 3725 IOS c3725-advsecurityk9-mz.124-1c
  • Branches – 2691 IOS c2691-adventerprisek9-mz.123-17a

LAB Scenario:

We’ve got an HQ office and two branches, which are connected via the Internet. The hosts in the branches must have secure access to the servers located in HQ. That is, the subnets 192.168.4.0/24 and 192.168.5.0/24 must have secure access to subnet 192.168.1.0/24. That’s an ordinary scenario, which many organizations implement all over the world. Since this is a lab scenario, only private IP addresses were used. In a real scenario the WAN IP addresses of the HQ and branch routers will be public IPs.

Configuration:

The very first thing you need to do in such a scenario is to verify that all sites have IP connectivity between them. Verify that all WAN interfaces of routers can reach each other over the Internet.

Branches Configuration.

! Create the ISAKMP policy. If you have multiple policies it is recommended that the strongest policy be first (i.e. have the lowest policy number).
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 2

! Configure the crypto ISAKMP key. The keys between peers must be the same. In our case the branches specify the static IP address of HQ and use the same key as HQ.

crypto isakmp key somestrongkey address 192.168.2.2

! Configure the IPsec transform set. This specifies which encryption and hash algorithms are used to protect the VPN traffic.

crypto ipsec transform-set ts esp-aes 256 esp-sha-hmac

! Create the access list by which we match the interesting traffic that will pass through the VPN. For Branch 1 it is the following: if the source is 192.168.4.0/24 and the destination is 192.168.1.0/24, the traffic will be encrypted. Similarly for Branch 2: if the source is 192.168.5.0/24 and the destination is 192.168.1.0/24, the traffic will be encrypted.
Branch 1 ACL:

ip access-list extended vpn
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255

Branch 2 ACL:

ip access-list extended vpn
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

! Create the crypto map and attach to it the transform set and access list created above. Also indicate the VPN peer and turn on reverse-route. The purpose of reverse-route is that when the VPN tunnel is established, the destination network of the interesting-traffic access list is added to the routing table as a static route. In our case this access list is “vpn” and its destination network is 192.168.1.0/24.

crypto map vpn 10 ipsec-isakmp
set peer 192.168.2.2
set transform-set ts
match address vpn
reverse-route

! Assign the crypto map to the external interface, in our case Fa0/0. After this, ISAKMP is turned on.
interface FastEthernet0/0
crypto map vpn

Configuration of Branches is done. Let’s start HQ configuration.

HQ Configuration:
! crypto isakmp policy will not be changed.
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 2

! The pre-shared key is assigned to all peer addresses (0.0.0.0 0.0.0.0), to avoid writing each branch’s IP address separately.
crypto isakmp key somestrongkey address 0.0.0.0 0.0.0.0

! IPSec Transform-set will not change.
crypto ipsec transform-set ts esp-aes 256 esp-sha-hmac

! Access list, by which interesting traffic is matched, will be changed. Source will be 192.168.1.0/24 and destination will be 192.168.4.0/24 and 192.168.5.0/24.
ip access-list extended vpn
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255

! Configure the dynamic crypto map. Assign the same parameters, except the peers.
crypto dynamic-map vpndynamic 10
set transform-set ts
match address vpn
reverse-route

! Create the crypto map and attach the dynamic crypto map created above.
crypto map dynmap 10 ipsec-isakmp dynamic vpndynamic

! Assign the crypto map to the external interface, in our case Fa0/0. After this, ISAKMP is turned on.

interface FastEthernet0/0
crypto map dynmap

Verification:

Now that the configuration is done, let’s check whether it works. First of all ping SRV from host1. Check the following: whether the VPN tunnel is established, whether decaps/encaps increase, whether the RRI (reverse route injection) routes are added to the Branch1 and HQ routing tables, and whether the hit counts in the access lists change.

! We see that the first few pings are lost, because the VPN tunnel takes some time to get established.
host1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 40/96/164 ms

host1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/62/124 ms

! Now check whether the ISAKMP SAs with the peers are established.

hq#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.2.2     192.168.3.2     QM_IDLE              1    0 ACTIVE

branch1#show crypto isakmp sa
dst             src             state          conn-id slot
192.168.2.2     192.168.3.2     QM_IDLE              1    0

! Let’s see again whether encaps/decaps increase. If they don’t, yet the hosts ping each other, the traffic is not going through the VPN tunnel.

branch1#show crypto ipsec sa
interface: FastEthernet0/0
crypto map tag: vpn, local addr. 192.168.3.2
protected vrf:
local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 192.168.2.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest 13
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

hq#show crypto ipsec sa
interface: FastEthernet0/0
crypto map tag: dynmap, local addr 192.168.2.2
protected vrf: (none)
local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer 192.168.3.2 port 500
PERMIT, flags={}
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

! Let’s check that RRI is all right and the access lists are matched.

hq#show ip route static
S    192.168.4.0/24 [1/0] via 192.168.3.2

branch1#show ip route static
S    192.168.1.0/24 [1/0] via 192.168.2.2

hq#show access-lists vpn
Extended IP access list vpn
10 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255 (25 matches)

branch1#show access-lists vpn
Extended IP access list vpn
10 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255 (26 matches)

All the above indicates that everything is all right and the VPN is working properly. Also remember that we’ve not assigned peers in the HQ configuration, which keeps the configuration simple (when we have 20 branches there is no need to assign the branches’ static peers on the HQ site). Another great advantage of a dynamic crypto map on the HQ site is when a branch site receives a dynamic public IP address from its ISP.
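The following Python, added here and not part of the original post, automates the verification steps just described: it reads two "show crypto ipsec sa" samples from branch1 (constructed to mirror the lab output above), confirms that both encaps and decaps advanced between them, and checks that the reverse-route-injected static is listed in "show ip route static". The field patterns are taken from the output shown on this page.

```python
"""Verify an IPsec tunnel the way the post does by hand: counters plus RRI route."""
import re

def parse_ipsec_sa(text):
    """Pull the fields the post looks at out of 'show crypto ipsec sa' (one SA assumed).
    Handles both 'current_peer: A.B.C.D:500' and 'current_peer A.B.C.D port 500'."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    return {
        'local_net': grab(r'local\s+ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)'),
        'remote_net': grab(r'remote ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)'),
        'peer': grab(r'current_peer:?\s*([\d.]+)'),
        'encaps': grab(r'#pkts encaps:\s*(\d+)', int),
        'decaps': grab(r'#pkts decaps:\s*(\d+)', int),
        'send_errors': grab(r'#send errors\s*(\d+)', int),
    }

def mask_to_prefix(net_mask):
    """'192.168.1.0/255.255.255.0' -> '192.168.1.0/24' (the form 'show ip route' prints)."""
    net, mask = net_mask.split('/')
    ones = sum(bin(int(octet)).count('1') for octet in mask.split('.'))
    return f'{net}/{ones}'

def traffic_flowing(before, after):
    """Bidirectional traffic only if both encaps and decaps advanced between samples;
    encaps rising alone means we encrypt but never get anything back."""
    return after['encaps'] > before['encaps'] and after['decaps'] > before['decaps']

STATIC_ROUTE = re.compile(r'^S\s+(\S+)\s+\[\d+/\d+\]\s+via\s+([\d.]+)', re.MULTILINE)

def rri_present(route_text, prefix, peer):
    """True if 'show ip route static' lists prefix via the IPsec peer (the RRI route)."""
    return (prefix, peer) in STATIC_ROUTE.findall(route_text)

def verify_tunnel(sa_before, sa_after, route_text):
    """One verdict combining the three manual checks from the post."""
    b, a = parse_ipsec_sa(sa_before), parse_ipsec_sa(sa_after)
    remote = mask_to_prefix(a['remote_net'])
    return {
        'peer': a['peer'],
        'remote_net': remote,
        'traffic_flowing': traffic_flowing(b, a),
        'rri_ok': rri_present(route_text, remote, a['peer']),
        'new_send_errors': a['send_errors'] - b['send_errors'],
    }

def branch1_sample(encaps, decaps, send_errors):
    """Constructed 'show crypto ipsec sa' excerpt for branch1 with the given counters."""
    return f"""\
interface: FastEthernet0/0
crypto map tag: vpn, local addr. 192.168.3.2
protected vrf:
local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 192.168.2.2:500
PERMIT, flags={{origin_is_acl,}}
#pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest {encaps}
#pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify {decaps}
#send errors {send_errors}, #recv errors 0
"""

# Constructed 'show ip route static' output on branch1 after the tunnel came up.
BRANCH1_ROUTES = "S    192.168.1.0/24 [1/0] via 192.168.2.2\n"

if __name__ == '__main__':
    healthy = verify_tunnel(branch1_sample(13, 12, 1), branch1_sample(18, 17, 1), BRANCH1_ROUTES)
    one_way = verify_tunnel(branch1_sample(13, 12, 1), branch1_sample(23, 12, 6), BRANCH1_ROUTES)
    print('healthy:', healthy)
    print('one-way:', one_way)
```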




Configuring AnyConnect WebVPN on Cisco Router

Saturday 2 April 2011 @ 7:19 pm

In this post I will explain how to configure Web VPN (sometimes called SSL VPN) using the AnyConnect VPN client on a Cisco 870 router.

Web-based VPN has three remote access modes:

Clientless – You connect to a web portal from which you can access web-based applications, file sharing and Outlook Web Access (OWA) inside the corporate network.

Thin client – This mode allows TCP port forwarding for applications such as Telnet, SSH, SMTP, POP3 and Remote Desktop (RDP). It uses a Java applet and may be used only with TCP-based applications.

Tunnel mode or AnyConnect VPN client – almost the same as an Easy VPN client (IPSEC VPN client). In this mode you must have administrator permissions on the remote access laptop/PC, and any IP-based application can be used. A Java client is downloaded to the user’s PC and provides the security and encryption from the remote user towards the termination device (router or firewall).

Both the ASA and Cisco IOS routers support web VPN technologies. On the ASA an extra license is required if you want more than two users on remote access web VPN; without purchasing a license it supports only two users.

We will be using the following Network diagram in our example:

[Diagram: AnyConnect VPN on Cisco router]

Requirements for Anyconnect VPN:

  • Java runtime 1.4 or later.
  • Cisco IOS 12.4(15)T7 (supports ONLY clientless Web Based VPN)
  • CISCO IOS 12.4(20)T (supports all web vpn modes, both clientless and anyconnect Client VPN).

Used in Lab for this tutorial:

  • Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
  • AnyConnect client: anyconnect-win-2.3.2016-k9
  • FireFox 3.6.8 and IE 8
  • Windows XP SP2 and Windows Server Ultimate 32 bit

Configuration.

!Configure Certificate

crypto pki trustpoint local
enrollment selfsigned
revocation-check crl
rsakeypair my_key 1024 1024

!Generate Certificate and turn on HTTPS Service

crypto pki enroll local
ip http secure-server

! Before starting the actual Web VPN configuration, we first configure the gateway: on which IP address we terminate the AnyConnect VPN, which certificate to use, on which port the VPN runs, and any redirection necessary (i.e. if a request comes in on port 80, redirect the user to port 443). All of these are configured under webvpn gateway mode.

! Enter webvpn gateway configuration mode to configure the SSL VPN gateway. Only one gateway is configured in an SSL VPN network.
webvpn gateway soho

! configure hostname for SSL VPN; in our example hostname is home
hostname home

! Configure the IP address and port on which the SSL VPN will listen.
ip address 99.99.99.160 port 443

!Configure SSL Certificate; in our Example this Certificate is Self-signed
ssl trustpoint local

! Configure redirect. If somebody connects to TCP port 80 they will be redirected to port 443.

http-redirect port 80

! Enable WebVPN Gateway
inservice

! Turn on AAA; for authentication we use the local database.
aaa new-model
aaa authentication login webvpn local

!Create Local address pool, from which we’ll assign IP addresses to anyconnect clients.
ip local pool webvpn1 192.168.2.5 192.168.2.10

!Create loopback interface, if we want to announce this network in any dynamic protocol.
interface Loopback2
ip address 192.168.2.1 255.255.255.0

! Create the access list which will later be used to control what the WebVPN client is allowed to access. This is not the access list for split tunneling; split tunneling is configured in context configuration mode.
!
ip access-list extended webvpn-acl
permit tcp 192.168.2.0 0.0.0.255 host 192.168.3.100 eq 3389
!

! After this we need to create a context (profile).
! Create the WebVPN context; this is the equivalent of a profile in Easy VPN.
webvpn context networkstraining.com

! change default Title
title "IP Networks Training and Tutorials"

! Verify SSL Certificate.
ssl authenticate verify all

! Change default login message displayed on login page before user login.
login-message "Enter your credentials"

! Configure the policy group for this context, named networkstraining
policy group networkstraining

!configure banner to be displayed after successful login
banner "authentication success"

! enable tunnel support for the remote user. If the Cisco AnyConnect VPN Client software package fails to install, the remote user can continue to use clientless mode or thin-client mode.
functions svc-enabled

! Below we configure an SSL VPN tunnel access filter which uses the ACL created above. It gives us the opportunity to control, via the access list, which traffic is allowed or blocked in the tunnel. In our example the webvpn-acl access list permits access from network 192.168.2.0/24 to TCP port 3389 (Remote Desktop Protocol) on host 192.168.3.100, and everything else is blocked.

filter tunnel webvpn-acl

! Configure IP address pool.  When client is connected via anyconnect client an IP will be assigned from this pool.
svc address-pool webvpn1

! Configures the domain for a policy group.
svc default-domain "http://www.networkstraining.com"

! Keep the Cisco AnyConnect client installed on the user’s PC. When this is not turned on, the AnyConnect client is automatically uninstalled when the user disconnects.

svc keep-client-installed

! On successful authorization the user is shown the URL below.
svc homepage "http://www.networkstraining.com"

!Configures the tunnel key to be refreshed by initiating a new tunnel connection
svc rekey method new-tunnel

! Below is the split tunnel configuration, which specifies the destination network reachable through the tunnel when the user connects via the Cisco AnyConnect client. If we don’t set this parameter, we get a full tunnel, meaning that all traffic will pass through the Cisco Web VPN server.
svc split include 192.168.3.0 255.255.255.0

! Default group policy for this context (the policy group created above)
default-group-policy networkstraining

! The name of the authentication list. We’ve already created the AAA list named webvpn, and it will be used here.
aaa authentication list webvpn

!  Bind this context to Gateway created above

gateway soho

! Activate created context.
inservice

After the above we need to install the AnyConnect client into the flash memory of the router. The version of the AnyConnect client must support the operating systems of the users who will be using the AnyConnect service.


webvpn#copy tftp://192.168.3.100/anyconnect-win-2.3.2016-k9.pkg flash
webvpn(config)#webvpn install svc flash:anyconnect-win-2.3.2016-k9.pkg

After this we check in the running configuration that the AnyConnect client installation was successful.

!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
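As an added example (not from the original post), the following Python models how the two access controls in the context above interact for a connected AnyConnect client: "svc split include" decides which destinations enter the tunnel at all, and "filter tunnel" decides which tunnelled flows are permitted, with the implicit deny at the end of the ACL. The ACL, pool range and split-include network are taken from the configuration above; the evaluation order is this example's model of the feature, not Cisco's code.

```python
"""Model of split-include versus tunnel filter for the webvpn context configured above."""
import ipaddress

SVC_POOL = ('192.168.2.5', '192.168.2.10')                # ip local pool webvpn1
SPLIT_INCLUDE = [ipaddress.ip_network('192.168.3.0/24')]  # svc split include

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse one extended ACE of the shapes used in the post: permit|deny proto src dst [eq port].
    Addresses may be 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; the port must be numeric."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    def address():
        nonlocal i
        if tok[i] == 'any':
            i += 1
            return ('0.0.0.0', '255.255.255.255')
        if tok[i] == 'host':
            i += 2
            return (tok[i - 1], '0.0.0.0')
        i += 2
        return (tok[i - 2], tok[i - 1])
    src, dst = address(), address()
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == 'eq' else None
    return (action, proto, src, dst, port)

# ip access-list extended webvpn-acl, as configured in the post
TUNNEL_FILTER = [parse_ace('permit tcp 192.168.2.0 0.0.0.255 host 192.168.3.100 eq 3389')]

def acl_permits(acl, proto, src, dst, dport=None):
    """First matching ACE wins; no match means the implicit deny at the end of the list."""
    for action, p, (sb, sw), (db, dw), port in acl:
        if p != 'ip' and p != proto:
            continue
        if port is not None and port != dport:
            continue
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == 'permit'
    return False

def in_pool(addr):
    """True if addr lies inside the svc address pool handed to AnyConnect clients."""
    lo, hi = (int(ipaddress.ip_address(x)) for x in SVC_POOL)
    return lo <= int(ipaddress.ip_address(addr)) <= hi

def classify(client_ip, proto, dst, dport=None):
    """'direct' = not tunnelled (split-include miss), 'dropped' = tunnelled but denied
    by the filter, 'allowed' = tunnelled and permitted."""
    if not in_pool(client_ip):
        raise ValueError(f'{client_ip} is not an address from pool webvpn1')
    if not any(ipaddress.ip_address(dst) in net for net in SPLIT_INCLUDE):
        return 'direct'  # leaves the client's local interface, never reaches the filter
    return 'allowed' if acl_permits(TUNNEL_FILTER, proto, client_ip, dst, dport) else 'dropped'

if __name__ == '__main__':
    for flow in [('tcp', '192.168.3.100', 3389), ('tcp', '192.168.3.100', 22),
                 ('tcp', '192.168.3.50', 3389), ('tcp', '10.0.0.1', 443)]:
        print(flow, '->', classify('192.168.2.5', *flow))
```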




Overview of Cisco ASA VPN Technologies

Monday 15 March 2010 @ 4:02 pm

Cisco supports several types of VPN implementations on the ASA, but they are generally categorized as either “IPSec Based VPNs” or “SSL Based VPNs”. The first category uses the IPSec protocol for secure communications while the second category uses SSL. SSL based VPNs are also called WebVPN in Cisco terminology. The two general VPN categories supported by the Cisco ASA are further divided into the following VPN technologies.

IPSec Based VPNs:

  • LAN-to-LAN IPSec VPN: Used to connect remote LAN networks over unsecure media (e.g. the Internet). It runs ASA-to-ASA or ASA-to-Cisco router.
  • Remote Access with IPSec VPN Client: VPN client software is installed on the user’s PC to provide remote access to the central network. It uses the IPSec protocol and provides full network connectivity to the remote user. The users use their applications at the central site as they normally would without a VPN in place.

SSL Based VPNs (WebVPN):

  • Clientless Mode WebVPN: This is the first implementation of SSL WebVPN supported from ASA version 7.0 and later. It lets users establish a secure remote access VPN tunnel using just a Web browser. There is no need for a software or hardware VPN client. However, only limited applications can be accessed remotely.
  • AnyConnect WebVPN: A special Java based client is installed on the user’s computer, providing an SSL secure tunnel to the central site. It provides full network connectivity (similar to the IPSec remote access client). All applications at the central site can be accessed remotely.

From the description above you can understand that the AnyConnect WebVPN technology combines the best from both IPSec based VPNs and SSL based VPNs. It offers full network connectivity to the remote user without having to install a dedicated VPN software like the IPSec remote access client. The AnyConnect VPN client is a lightweight Java client (around 3MB) which can be installed or uninstalled from the remote user’s PC dynamically.



