Cisco CSR 1000v Anyconnect SSL local connectivity only

Paolo Betti
Level 1

hello everyone,

 

I'm trying to use a Cisco AWS CSR 1000 router as an SSL VPN terminator. I'm following the instructions from the link below (which is not a really well explained guide):

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book.html#GUID-DCB20ADF-1F8E-434B-AE97-54802879F34F

For now I'm using local authentication with a username/password configured on the CSR router (I will try afterwards to authenticate users against a corporate LDAP or RADIUS server). After some work I'm able to connect with the Cisco AnyConnect client to the public IP of the CSR router (Amazon Elastic IP) and, after successfully authenticating against the local username, I receive an IP address and all correct parameters.

The issue I have is that after the SSL VPN connection is established, I'm not able to ping or reach any IP destination inside the Amazon cloud or my corporate network, which is connected to Amazon via IPsec VPN. The Amazon internal default gateway is also not reachable from the SSL client. The only destination I'm able to ping is the IP address of the CSR router (172.30.16.10).

All internal IP destinations are reachable when I try to ping them from the CSR 1000 router CLI.

Any suggestion is welcome; I did several tests without being able to solve the issue.

Thanks in advance to everyone.

Regards,

Paolo


4 Replies

Paolo Betti
Level 1

Hello,

Has no one else encountered the same problem?
In general, has anyone managed to run csr1000v correctly as an SSL VPN terminator in an Amazon environment?
Any example / network schema / suggestion?

Thanks in advance for any replies.

Paolo

Hi Paolo,

I realize this reply is late, but did you disable source/dest check on the CSR's interface in the EC2 console and add your ip pool as secondary addresses on the CSR network interface in EC2?  I was also considering implementing Anyconnect on a CSR and came across your post while looking for info.  Any info you can share regarding your experience would be much appreciated!

Sam

j.beckner
Level 1

Did you ever fix this problem? I am having the exact same problem.

j.beckner
Level 1

This is kind of a late reply on this, but I had the exact same problem setting up AnyConnect on a CSR 1000v at AWS. The AnyConnect user could ping the inside interface of the CSR 1000v but not devices on the AWS subnet. I just recently figured out how to make this work. I used an address pool that was outside the subnet of the CSR inside interface. In this case the CSR inside interface connected to the AWS inside subnet has address 10.20.30.5/24, and I set the AnyConnect client address pool in the 10.30.1.0/24 subnet. This way the AWS subnet used its default route to the CSR instead of IP proxy ARP to reach the client.


It looks like maybe either the AWS subnet doesn't like proxy-arp, or maybe the CSR 1000v doesn't support proxy-arp.


One other issue is that the CSR 1000v with IOS XE does not support automatic Anyconnect client download or update to the users.
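As an added check (my own code, not from the thread or from Cisco), this Python function takes the CSR inside interface and a candidate AnyConnect pool and reports whether the pool is on-link (clients share the VPC subnet, so the CSR must proxy-ARP or the pool must be secondary addresses on the ENI, as Sam asked) or routed (j.beckner's fix, needing a VPC route for the pool pointing at the CSR), together with the source/dest-check change both cases need. The AWS CLI invocations are mine and the `eni-`/`rtb-` IDs are placeholders, not values from the thread.

```python
import ipaddress

def plan_anyconnect_pool(inside_if, pool, eni="eni-PLACEHOLDER", rtb="rtb-PLACEHOLDER"):
    """Classify an AnyConnect client pool relative to the CSR inside-interface
    subnet and list what the AWS side needs so return traffic reaches clients.
    inside_if: CSR inside interface with prefix, e.g. '10.20.30.5/24'
    pool:      client address pool as CIDR, e.g. '10.30.1.0/24'
    eni, rtb:  placeholder IDs for the CSR network interface and VPC route table
    """
    subnet = ipaddress.ip_interface(inside_if).network
    pool_net = ipaddress.ip_network(pool, strict=False)
    # In both working cases the CSR forwards packets whose source is not its own
    # ENI address, so the EC2 source/destination check must be off.
    no_sdc = (f"aws ec2 modify-network-interface-attribute "
              f"--network-interface-id {eni} --no-source-dest-check")
    if pool_net.subnet_of(subnet):
        # Pool shares the VPC subnet: hosts ARP for each client address, so the
        # CSR must proxy-ARP (reported not to work in this thread) or every pool
        # address must be a secondary private IP on the CSR ENI.
        hosts = [str(h) for h in pool_net.hosts()]
        return {"mode": "on-link",
                "csr_pool": f"ip local pool ANYCONNECT {hosts[0]} {hosts[-1]}",
                "aws_cli": [no_sdc,
                            f"aws ec2 assign-private-ip-addresses --network-interface-id "
                            f"{eni} --private-ip-addresses " + " ".join(hosts)]}
    if pool_net.overlaps(subnet):
        # Pool is larger than the subnet: part on-link, part routed. Pick another.
        return {"mode": "overlap", "csr_pool": None, "aws_cli": []}
    # Pool is off-subnet (the fix in the reply above): hosts hand client-bound
    # traffic to the VPC router, whose route table must send the pool to the CSR.
    hosts = [str(h) for h in pool_net.hosts()]
    return {"mode": "routed",
            "csr_pool": f"ip local pool ANYCONNECT {hosts[0]} {hosts[-1]}",
            "aws_cli": [no_sdc,
                        f"aws ec2 create-route --route-table-id {rtb} "
                        f"--destination-cidr-block {pool_net} --network-interface-id {eni}"]}

if __name__ == "__main__":
    # Values from the thread: inside interface 10.20.30.5/24, pool 10.30.1.0/24
    for key, value in plan_anyconnect_pool("10.20.30.5/24", "10.30.1.0/24").items():
        print(key, value)
```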
