How to configure Cisco VPN SSL aka WebVPN

The SSL VPN feature (also known as WebVPN) provides support for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Socket Layer- (SSL-) enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure Virtual Private Network (VPN) tunnel using a web browser. This feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support.

What is SSL?

Secure Sockets Layer is a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system that uses two keys to encrypt data – a public key known to everyone and a private or secret key known only to the recipient of the message.

SSL VPN delivers three modes of SSL VPN access:

  • Clientless: Clientless mode provides secure access to private web resources and will provide access to web content. This mode is useful for accessing most content that you would expect to access in a web browser, such as Internet access, databases, and online tools that employ a web interface.
  • Thin Client (port-forwarding Java applet): Thin client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access protocol (IMAP), Telnet, and Secure Shell (SSH).
  • Tunnel Mode: Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application.

There are few steps to set up an SSL VPN:

  1. Configure a trust point
  2. Create an account
  3. Configure WebVPN
  4. Test WebVPN


In this example, there’s a VPN SSL server with tunnel mode and thin client functionality. The WebVPN service is listening to the address https://[dialer1_ip_address].

1. Configure a trust point

Create your rsa keys:

Ciscozine(config)#crypto key generate rsa label ciscozine-rsa modulus 2048

then, if you have not a CA, create your local pki (used by the SSL server)

Ciscozine(config)#crypto pki trustpoint my-ciscozine-ca
Ciscozine(ca-trustpoint)#enrollment selfsigned
Ciscozine(ca-trustpoint)#subject-name cn=Ciscozine
Ciscozine(ca-trustpoint)#rsakeypair ciscozine-rsa

and to obtain the certificate for your router from the local certificate authority:

crypto pki enroll my-ciscozine-ca

The system will ask you some questions; choose what you prefer, but it is important to response “yes” to the last question “Generate Self Signed Router Certificate?”.

Note: If you would more info about self-signed certificates read this article.

2. Create an account

For security, it is recommended to create an account without privilege:

username ciscozine privilege 0 secret myt3ST

3. Configure WebVPN

3.a Configure the gateway properties
The gateway defines the basic network and cryptographic settings of the SSL VPN server.

Create a gateway named ‘ciscozine_gw’, link it to the dialer1 and select the trustpoint to use (in this example, the ‘my-ciscozine-ca’). The ‘inservice’ command is required to enable the webvpn functionality.

Ciscozine(config)#webvpn gateway ciscozine_gw
Ciscozine(config-webvpn-gateway)#ip interface Dialer1 port 443
Ciscozine(config-webvpn-gateway)#ssl trustpoint my-ciscozine-ca

3.b Configure the context properties
The context defines portal customization, url list (for the clientless features), port forwarding list (for the thin client), the AAA properties and so on.

Define a url-list and a port-forwarding list (to access to the RDP/HTTP server); then link this context to the ‘ciscozine_gw’ gateway and enable the “ciscozine-ctx” context using the “inservice” command.

Ciscozine(config)#webvpn context ciscozine-ctx
Ciscozine(config-webvpn-context)#url-list "my-url-list"
Ciscozine(config-webvpn-url)#heading "My-website"
Ciscozine(config-webvpn-url)#url-text "ciscozine" url-value ""
Ciscozine(config-webvpn-url)#url-text "Test-http-server" url-value ""
Ciscozine(config-webvpn-context)#port-forward "my-website"
Ciscozine(config-webvpn-port-fwd)#local-port 3390 remote-server "" remote-port 3389 description "my-rdp"
Ciscozine(config-webvpn-context)#aaa authentication list login-for-vpn
Ciscozine(config-webvpn-context)#gateway ciscozine_gw

3.c Configure the policy group
In the policy groups are applied properties like url-list, port-forwarding list, SVC configuration (for the tunnel mode client) and so on.

Apply the url-list and the port-forward list defined in the previous step (3.b Configure the context properties). Configure the SSL VPN Client (SVC) to allow the remote access for the network

Ciscozine(config-webvpn-context)#policy group ciscozine_policy
Ciscozine(config-webvpn-group)#url-list "my-url-list"
Ciscozine(config-webvpn-group)#port-forward "my-website"
Ciscozine(config-webvpn-group)#functions svc-enabled
Ciscozine(config-webvpn-group)#svc address-pool "VPN-SSL-POOL"
Ciscozine(config-webvpn-group)#svc keep-client-installed
Ciscozine(config-webvpn-group)#svc split include

Define the default group policy:

Ciscozine(config-webvpn-context)#default-group-policy ciscozine_policy

Specify the IP pool addresses used by the Cisco SSL VPN client interface:

ip local pool VPN-SSL-POOL

3.d Install the Cisco Anyconnect
The Cisco Anyconnect is the client used for the tunnel mode feature and it depens by the platforms used. For the Windows, MacOS or Linux operative systems, the client could be saved into the router, so when a client tried to start a full tunnel mode, the Vpn client will be downloaded automatically.

To install the SVC for windows platform, download the client from the Cisco site, upload into your router and install in the ‘webvpn’ folder.

webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 1

4. Test WebVPN
Open your https page, log in (using the ‘ciscozine’ account created in the second step) and check the three functionality:

  • Clientless: click the url list to check how it works
  • Thin client: enable thin client feature (an applet java). If you use Windows, test it using the command: mstsc /v
  • Full client: install the client and check if
    • you can ping a remote host, for instance: ping
    • you can see the webpage

Remember: To enable a SSL VPN gateway or context process, use the inservice command in webvpn gateway configuration or webvpn context configuration mode. To disable a SSL VPN gateway or context process without removing the configuration from the router configuration file, use the no form of this command.

Restrictions of CiscoAnyConnect VPN Client:

  • Datagram Transport Layer Security (DTLS) with SSL connections
  • Standalone Mode
  • IPv6 VPN access
  • Compression support
  • Language Translation (localization)
  • Client-side authentication
  • Adaptive Security Appliance (ASA) and Adaptive Security Device Manager (ASDM) and any command-line interface (CLI) associated with the them
  • Adjusting Maximum Transmission Unit (MTU) size
  • Sequencing

Remember: You can use your smartphone as a VPNSSL Client! For more info check the “Cisco AnyConnect Secure Mobility Client” functionality.



  1. Thanks for the help, there were additional commands in here that I was not using to make my SSL-VPN from working. I believe everytime I would reboot the router it would loose the certificate. I plan to try test this next downtime.

    Your site is also filled with tons of details that I love to read about. Thanks again.

  2. If you want internet access through cisco anyconnect vpn client, you have to take out svc split commands and add interface that accepts vpn client traffic to nat inside policy. In my case I have c1921 router.
    here is the config without the gateway part:

    interface Virtual-Template1
    ip unnumbered GigabitEthernet0/1
    ip nat inside
    ip virtual-reassembly in
    webvpn context Cisco-WebVPN
    virtual-template 1
    aaa authentication list default
    gateway vpngateway
    policy group webvpnpolicy
    functions svc-enabled
    functions svc-required
    svc address-pool “vpnpool” netmask
    svc keep-client-installed
    svc dns-server primary
    default-group-policy webvpnpolicy


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.