09-14-2018 01:02 AM
Hello!
A Cisco CSR1000V router to which AnyConnect users connect and on which an IPSec tunnel to a remote LAN is terminated.
LAN 10.251.0.0/24 hosts are reachable via IPSec from the remote LAN hosts 10.120.0.0/16.
For AnyConnect clients 10.251.100.0/24, the LAN 10.251.0.0/24 is reachable.
The problem is that the remote LAN 10.120.0.0/16 is not reachable for the AnyConnect 10.251.100.0/24 clients.
The AnyConnect clients on the workstations have the necessary route, but the traceroute is lost on the CSR1000 and does not go into IPSec... Unfortunately, I did not find any clear reasons why such a scheme does not work. Please help. An excerpt from the config and the diagram are below.
crypto pki trustpoint anyconnectvpn
 enrollment selfsigned
 subject-name CN=vpn.host.ru
 revocation-check none
 rsakeypair anyconnect
!
.....
crypto ssl proposal sslvpn-proposal
 protection rsa-aes256-sha1
!
crypto ssl authorization policy sslvpn-auth-policy
 include-local-lan
 pool SSL_Client
 dns dns.host.ru
 def-domain host.ru
 route set access-list sslvpn-tunnel
!
crypto ssl policy sslvpn-policy
 ssl proposal sslvpn-proposal
 pki trustpoint anyconnectvpn sign
 ip address local vpn.host.ru port 443
!
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication user-pass list sslvpn
 aaa authorization group user-pass list sslvpn sslvpn-auth-policy
 authentication remote user-pass
 max-users 20
!
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-macos-4.6.02074-webdeploy-k9.pkg sequence 1
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.6.02074-webdeploy-k9.pkg sequence 2
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 16
 lifetime 28800
!
crypto isakmp key SuPerPSK address 1.2.3.4
!
crypto map WAN_map 10 ipsec-isakmp
 set peer 1.2.3.4
 set security-association lifetime seconds 10800
 set transform-set ESP-AES-256-SHA-256
 set pfs group16
 match address l2l-tunnel
....
ip local pool SSL_Client 10.251.100.2 10.241.100.254
.....
ip access-list standard sslvpn-tunnel
 permit 10.251.0.0 0.0.255.255
 permit 10.120.0.0 0.0.255.255
ip access-list extended l2l-tunnel
 permit ip 10.251.0.0 0.0.255.255 10.120.0.0 0.0.255.255
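For a hairpinned path like this one (AnyConnect client, decrypted on the CSR, re-encrypted into the site-to-site tunnel) three things have to line up on the CSR side: the address pool must be valid, the split-tunnel ACL must send the remote LAN into the AnyConnect tunnel, and the crypto map ACL must match pool-address-to-remote-LAN traffic (the peer at 1.2.3.4 needs the mirror-image entry, which this post does not show). The script below is an added example, not the poster's or Cisco's code: it parses the pool and ACL lines exactly as posted into Python `ipaddress` objects (IOS wildcard masks are inverted to netmasks) and reports which of those three conditions fail. Function names, the `CONFIG` string and the sample client/server addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the pool and ACL lines from the config excerpt above,
# copied as posted (including the pool end address of 10.241.100.254).
CONFIG = """
ip local pool SSL_Client 10.251.100.2 10.241.100.254
ip access-list standard sslvpn-tunnel
 permit 10.251.0.0 0.0.255.255
 permit 10.120.0.0 0.0.255.255
ip access-list extended l2l-tunnel
 permit ip 10.251.0.0 0.0.255.255 10.120.0.0 0.0.255.255
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network.

    A wildcard mask is the bitwise inverse of a netmask: 0 bits must match,
    1 bits are don't-care.  Non-contiguous wildcards raise ValueError.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wc)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_config(text):
    """Collect 'ip local pool' ranges and the permit entries of each named ACL.

    Standard ACL entries become (network, None); extended 'permit ip' entries
    become (src_network, dst_network).  Deny lines and other protocols are
    ignored because the posted excerpt has none.
    """
    acls, pools, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)$", line)
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
            current = None
            continue
        m = re.match(r"ip access-list (standard|extended) (\S+)$", line)
        if m:
            current = (m.group(1), m.group(2))
            acls[m.group(2)] = []
            continue
        if current and line.startswith("permit"):
            parts = line.split()
            if current[0] == "standard":      # permit <addr> <wildcard>
                acls[current[1]].append((wildcard_to_network(parts[1], parts[2]), None))
            else:                             # permit ip <src> <wc> <dst> <wc>
                acls[current[1]].append((wildcard_to_network(parts[2], parts[3]),
                                         wildcard_to_network(parts[4], parts[5])))
    return acls, pools


ACLS, POOLS = parse_config(CONFIG)


def pool_is_valid(pools, name):
    """IOS rejects a pool whose end address is below its start address."""
    start, end = pools[name]
    return start <= end


def split_tunnel_covers(acls, name, dst_ip):
    """True if the split-tunnel (standard) ACL routes dst_ip into AnyConnect."""
    return any(ipaddress.IPv4Address(dst_ip) in net for net, _ in acls[name])


def crypto_acl_covers(acls, name, src_ip, dst_ip):
    """True if the crypto map ACL would select src_ip -> dst_ip for IPSec."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(src in s and dst in d for s, d in acls[name])


def findings(acls, pools, pool_name, split_acl, crypto_acl, remote_net):
    """Return a list of human-readable problems for the hairpin path."""
    out = []
    start, end = pools[pool_name]
    if start > end:
        out.append(f"pool {pool_name}: end {end} is below start {start}")
    remote = ipaddress.ip_network(remote_net)
    if not any(remote.subnet_of(n) for n, _ in acls[split_acl]):
        out.append(f"split-tunnel ACL {split_acl} does not cover {remote}")
    if not any(start in s and remote.subnet_of(d) for s, d in acls[crypto_acl]):
        out.append(f"crypto ACL {crypto_acl} does not match {start} -> {remote}")
    return out


if __name__ == "__main__":
    for line in findings(ACLS, POOLS, "SSL_Client", "sslvpn-tunnel",
                         "l2l-tunnel", "10.120.0.0/16") or ["no CSR-side problems found"]:
        print(line)
```

Run against the excerpt as posted, the ACL checks pass (the 0.0.255.255 wildcard on 10.251.0.0 covers the whole pool, and 10.120.0.0/16 is in both ACLs), so the only CSR-side finding is the pool range itself; whether that is a transcription slip or the real configuration is worth confirming with `show ip local pool`, and the matching `show crypto ipsec sa` on the 1.2.3.4 peer will show whether its mirror ACL includes 10.251.100.0/24.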