03-25-2009 07:24 PM - edited 02-21-2020 03:22 AM
Hi,
I have set up WEBVPN with the SSL client on a Cisco 2811. The WebVPN gateway is via a loopback address on the router, so I NAT port 443 to this address as it enters the ADSL interface.
Everything works great apart from when I try to access an internal address on the router itself (such as the internal LAN 192.168.0.1).
If I try to telnet to this address I connect but then spurious characters appear and the session hangs. I also cannot access the CME web pages via this address.
I have tried disabling CEF to see if some weird internal issue is the problem but that did not fix it.
Anyone else experienced this?
Thanks
Scott
03-29-2009 04:48 AM
I have now changed to a static IP address with my provider.
I reconfigured the WebVpn gateway to be the WAN interface and allowed https on the same interface.
The SSL VPN is still working great apart from when I try to connect to interfaces directly connected to the router.
Telnet (to LAN IP address) connects but then spurious characters appear and the telnet session hangs.
I would really appreciate some help on this one!!
Thanks
04-03-2009 10:55 PM
Can you post your SSL+ACL related configuration?
Regards
Farrukh
04-04-2009 02:02 AM
Farrukh,
As requested please see related config below:
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
ip cef
!
crypto pki trustpoint TP-self-signed-569873274
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-569873274
revocation-check none
rsakeypair TP-self-signed-569873274
!
!
crypto pki certificate chain TP-self-signed-569873274
certificate self-signed 01
!
interface GigabitEthernet1/0
description $SWDMADDR:192.168.0.2$
ip address 10.0.0.1 255.255.255.0
no ip route-cache cef
!
interface GigabitEthernet1/0.1
encapsulation dot1Q 1 native
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
no ip route-cache same-interface
!
interface GigabitEthernet1/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip helper-address 10.0.0.1
no ip route-cache same-interface
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip mtu 1452
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
!
!
ip local pool TEST 192.168.20.200 192.168.20.240
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 101 remark WEBVPN
access-list 101 permit tcp any host 203.206.169.63 eq 443
access-list 101 deny ip any any log
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
webvpn gateway gateway_1
ip address 203.206.169.63 port 443
ssl trustpoint TP-self-signed-569873274
inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
!
webvpn context visicom
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
!
url-list "WEB"
heading "Welcome"
url-text "OWA" url-value "http://192.168.0.10/exchange"
!
!
policy group policy_1
url-list "WEB"
functions svc-enabled
svc address-pool "TEST"
svc keep-client-installed
svc rekey method new-tunnel
svc split include 192.168.0.0 255.255.255.0
svc split include 192.168.20.0 255.255.255.0
svc split include 10.10.10.0 255.255.255.0
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_3
gateway gateway_1
inservice
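As an added check (not from the thread, and not Cisco's tooling), the script below reads the kind of IOS config posted above and flags two things worth reviewing when SSL VPN clients cannot reach router-connected subnets: an SVC address pool that overlaps a directly connected interface subnet, and a connected subnet that the split-include list does not route over the tunnel. It assumes Python 3 and the constructed excerpt embedded in it.

```python
import ipaddress

# Constructed excerpt of the config posted above (only the lines this check reads).
CONFIG = """interface GigabitEthernet1/0
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1/0.1
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/0.20
 ip address 192.168.20.1 255.255.255.0
!
interface Dialer0
 ip address negotiated
!
ip local pool TEST 192.168.20.200 192.168.20.240
 svc split include 192.168.0.0 255.255.255.0
 svc split include 192.168.20.0 255.255.255.0
 svc split include 10.10.10.0 255.255.255.0
"""

def parse_config(text):
    """Return (connected subnet per interface, pools by name, split-include networks)."""
    ifaces, pools, splits, cur = {}, {}, [], None
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:1] == ["interface"]:
            cur = parts[1]
        elif parts[:2] == ["ip", "address"] and cur and len(parts) == 4:
            # "ip address negotiated" has three tokens and is skipped on purpose
            ifaces[cur] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
        elif parts[:3] == ["ip", "local", "pool"]:
            pools[parts[3]] = (ipaddress.ip_address(parts[4]), ipaddress.ip_address(parts[5]))
        elif parts[:3] == ["svc", "split", "include"]:
            splits.append(ipaddress.ip_network(f"{parts[3]}/{parts[4]}"))
        elif parts == ["!"]:
            cur = None  # end of the interface block
    return ifaces, pools, splits

def audit(ifaces, pools, splits):
    """Flag pool/interface overlap and connected subnets the split list leaves out."""
    findings = []
    for name, (first, last) in pools.items():
        pool_nets = list(ipaddress.summarize_address_range(first, last))
        for iface, conn in ifaces.items():
            if any(n.overlaps(conn) for n in pool_nets):
                findings.append(f"pool {name} overlaps connected subnet {conn} on {iface}")
    for iface, conn in ifaces.items():
        if not any(conn.overlaps(s) for s in splits):
            findings.append(f"connected subnet {conn} on {iface} is not in the split-include list")
    return findings

def run():
    return audit(*parse_config(CONFIG))
```

Each finding is a review prompt, not a diagnosis; the thread itself does not identify the cause of the hanging telnet session.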