This document provides a detailed, production-ready guide for deploying Cisco AnyConnect Secure Mobility Client (SSL VPN) on Cisco Integrated Services Routers Generation 2 (ISR G2), specifically models such as the Cisco 891 and 2901. Our analysis begins with a foundational configuration and builds upon it by integrating essential components and best practices required for a stable, secure, and fully functional remote access solution.
The core requirement is to establish a remote access SSL VPN solution using Cisco AnyConnect on an ISR G2 platform. An initial configuration attempt provides a solid framework, correctly identifying key components such as Public Key Infrastructure (PKI) for certificates, AAA for authentication, and the WebVPN gateway/context structure.
However, a critical evaluation reveals several omissions that prevent a fully operational and robust deployment. Key missing elements include the installation of the AnyConnect client package on the router, assignment of DNS servers to VPN clients, the creation of a Virtual-Template interface for session termination, and a crucial NAT exemption rule to ensure proper traffic flow. This guide will address these gaps to create a complete solution.
This section details the step-by-step configuration process. Ensure you have the appropriate securityk9 technology package license activated and the desired AnyConnect client package (e.g., anyconnect-win-x.x.xxxx-webdeploy-k9.pkg) uploaded to the router’s flash memory.
Step 1: Public Key Infrastructure (PKI) Setup
A certificate is mandatory for SSL encryption. For lab or testing purposes, a self-signed certificate is acceptable. For production environments, it is strongly recommended to enroll with a trusted public Certificate Authority (CA).
! Generate an RSA keypair
crypto key generate rsa general-keys label SSL_VPN_KEY modulus 2048
! Create a PKI trustpoint for the self-signed certificate
crypto pki trustpoint SELF_SIGNED_TP
enrollment selfsigned
subject-name cn=vpn.yourdomain.com
revocation-check none
rsakeypair SSL_VPN_KEY
! Generate the certificate
crypto pki enroll SELF_SIGNED_TP
Step 2: AAA and Local User Configuration
This configuration utilizes the local router database for user authentication. For larger deployments, integrating with a RADIUS or TACACS+ server is the recommended practice.
aaa new-model
! Define authentication and authorization method lists for the VPN (referenced from the WebVPN context in Step 4)
aaa authentication login SSL_VPN_AUTH local
aaa authorization network SSL_VPN_AUTHOR local
! Create a local user for testing. Do not grant privilege 15: it is not needed for VPN login and would give the
! account full CLI access to the router if it can reach the management plane.
username vpnuser secret YourStrongPassword
Step 3: IP Address Pool for VPN Clients
Define a dedicated IP address pool to be assigned to connecting AnyConnect clients. Ensure this subnet does not overlap with any existing internal networks.
ip local pool SSL_VPN_POOL 192.168.100.1 192.168.100.50
Step 4: WebVPN Gateway, Context, and AnyConnect Package Installation
This is the core of the SSL VPN configuration. We will define the gateway, create a context, install the AnyConnect package, and enable the service.
! Configure the WebVPN Gateway
webvpn gateway ANYCONNECT_GATEWAY
 ip address <Your_Public_IP> port 443
 ssl trustpoint SELF_SIGNED_TP
 inservice
! CRITICAL STEP: Install the AnyConnect package for client distribution.
! This is a global configuration command, so it is entered before (not inside) the context.
webvpn install svc flash:/anyconnect-win-x.x.xxxx-webdeploy-k9.pkg sequence 1
! Configure the WebVPN Context
webvpn context ANYCONNECT_CONTEXT
 title "Company Remote Access Portal"
 login-message "Welcome. Unauthorized access is prohibited."
 ssl authenticate verify all
 ! Authenticate VPN users with the AAA method list defined in Step 2
 aaa authentication list SSL_VPN_AUTH
 ! Create the policy group (its attributes are configured in Step 5) and make it the default
 policy group ANYCONNECT_POLICY
 exit
 default-group-policy ANYCONNECT_POLICY
 gateway ANYCONNECT_GATEWAY
 inservice
Step 5: Group Policy and Split-Tunneling
The group policy defines the specific attributes for connecting users, including the IP pool, DNS servers, and split-tunneling behavior.
! The policy group is a sub-mode of the WebVPN context
webvpn context ANYCONNECT_CONTEXT
 policy group ANYCONNECT_POLICY
  functions svc-enabled
  svc address-pool SSL_VPN_POOL netmask 255.255.255.0
  ! Split-tunneling: only traffic to the internal LAN (example: 192.168.1.0/24) is sent through the tunnel.
  ! IOS expresses this with "svc split include <network> <mask>", not with an ACL.
  svc split include 192.168.1.0 255.255.255.0
  ! CRITICAL STEP: Assign DNS servers to clients.
  ! Use your internal DNS servers here if clients must resolve internal host names.
  svc dns-server primary 8.8.8.8
  svc dns-server secondary 1.1.1.1
Step 6: Virtual-Template Interface (Best Practice)
The Virtual-Template interface is the logical interface where VPN sessions are terminated. It is best practice for applying policies like QoS or ACLs to VPN traffic.
! SSL VPN sessions use a plain Virtual-Template. "type tunnel", tunnel mode and IPsec tunnel
! protection belong to IPsec/FlexVPN templates and must not be configured here.
interface Virtual-Template1
 ! Borrow the address of your primary LAN interface (Vlan1 is an example)
 ip unnumbered Vlan1
! Associate the Virtual-Template with the WebVPN Context
webvpn context ANYCONNECT_CONTEXT
 virtual-template 1
Step 7: NAT Exemption (Critical for Functionality)
If the router is performing NAT for your internal network, you must create an exemption rule to prevent traffic from the VPN client pool from being NAT’d when accessing internal resources.
! ACL to identify traffic that should NOT be NAT'd. In a route-map ACL a "deny" means "do not
! translate"; use "remark" for comments, as IOS does not accept trailing "!" comments on a command line.
ip access-list extended VPN_NAT_EXEMPT_ACL
 remark LAN to VPN pool: exempt from NAT
 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 remark All other LAN traffic is translated
 permit ip 192.168.1.0 0.0.0.255 any
! Route-map to apply the NAT exemption logic
route-map NAT_EXEMPT_MAP permit 10
 match ip address VPN_NAT_EXEMPT_ACL
! Apply the route-map to your NAT statement (replace any existing "ip nat inside source list ..." entry)
ip nat inside source route-map NAT_EXEMPT_MAP interface <Your_WAN_Interface> overload
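As an added check (example code written for this guide, not Cisco's or the router's own logic), the following Python models the decision the Step 7 route-map ACL makes for a given source/destination pair and the Step 3 requirement that the client pool not overlap the LAN, against a constructed copy of the relevant configuration lines; the ACL parser assumes contiguous wildcard masks such as 0.0.0.255.

```python
import ipaddress

# Constructed sample: the pool (Step 3) and NAT-exemption (Step 7) lines from this guide
CONFIG = """
ip local pool SSL_VPN_POOL 192.168.100.1 192.168.100.50
ip access-list extended VPN_NAT_EXEMPT_ACL
 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
"""

def _take_net(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at tokens[i]; assumes contiguous wildcards."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    prefix_len = 32 - wildcard.bit_length()  # wildcard 0.0.0.255 -> /24
    return ipaddress.IPv4Network(f"{tokens[i]}/{prefix_len}", strict=False), i + 2

def parse_acl(config, name):
    """Return the ordered (action, src_net, dst_net) entries of a named extended IP ACL."""
    entries, in_acl = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == name
        elif in_acl and line.startswith(("permit ip ", "deny ip ")):
            tokens = line.split()
            src, i = _take_net(tokens, 2)
            dst, _ = _take_net(tokens, i)
            entries.append((tokens[0], src, dst))
    return entries

def nat_applies(config, acl_name, src_ip, dst_ip):
    """Model 'ip nat inside source route-map': the first matching ACL line decides.
    permit -> translated; deny or no match -> left untranslated, i.e. exempt."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in parse_acl(config, acl_name):
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

def pool_overlaps(config, pool_name, lan_cidr):
    """True if the named 'ip local pool' range overlaps the given LAN subnet (Step 3 check)."""
    lan = ipaddress.IPv4Network(lan_cidr)
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) >= 6 and tokens[:3] == ["ip", "local", "pool"] and tokens[3] == pool_name:
            first, last = ipaddress.IPv4Address(tokens[4]), ipaddress.IPv4Address(tokens[5])
            return any(n.overlaps(lan) for n in ipaddress.summarize_address_range(first, last))
    raise ValueError(f"pool {pool_name} not found")
```

Running the same functions over your real `show running-config` output lets you confirm the exemption before clients report one-way traffic.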
By supplementing the initial framework with the critical steps outlined above—namely, installing the AnyConnect package, defining DNS servers, implementing the Virtual-Template interface, and configuring NAT exemption—this guide provides a complete and robust configuration. This enhanced solution ensures that clients can not only connect successfully but also resolve internal resources and pass traffic correctly through the network, meeting the standards for a production-level deployment. Always perform thorough testing after implementation to validate connectivity and security posture.