02-16-2008 11:41 PM - edited 03-09-2019 08:07 PM
Hello,
I have configured WebVPN on a 1811W router running IOS 12.4(11)XW5, and although the gateway is set directly on an outside interface, the 443 port appears filtered to clients connecting through that interface (inside interface traffic is allowed). What can I do to force the router to listen for incoming connections on the outside interface (as it is supposed to)? I have no firewall or ACLs that could potentially interfere with the VPN.
Thanks!
07-17-2008 06:46 AM
This is your main route
ip route 0.0.0.0 0.0.0.0 FastEthernet0 10 track 123
This is your backup route
ip route 0.0.0.0 0.0.0.0 Dialer0 20 track 124
If you try to access Dialer0 from outside, your return traffic goes through FastEthernet0.
You need to do "Local PBR" for correction...
02-17-2008 09:09 AM
do a
'show tcp brief all num'
And that will show you what ports the router is listening on. If you see an IPADDRESS:443 vs *:443, then it's listening on that IP address.
Please post your configuration for more assistance.
02-17-2008 09:53 AM
02-18-2008 12:18 PM
Does the 'show webvpn context' show the context as up?
02-18-2008 07:10 PM
Yes, the context is up (AS/up, OS/up) and I can access the portal from the inside interface by using the public ip address. It's only when I try to connect from the Internet that the router fails to respond.
It's like the router is blocking all connections to itself from the outside interfaces based on some default rule/policy/ACL/etc., but I have no idea what that may be or how it can be altered.
The only way I was able to open port 443 was by forwarding it to some computer behind the router, which obviously is of no help.
06-21-2008 04:01 AM
After analyzing the problem in more detail I came to the conclusion that the port is indeed open on the outside interface, but the tcp connections are dropped during the initial handshake. Here is what actually happens:
TCB84E12BD4 created
Reserved port 443 in Transport Port Agent for TCP IP type 1
TCP0: state was LISTEN -> SYNRCVD [443 -> y.y.y.y(4718)]
TCP: tcb 84E12BD4 connection to y.y.y.y:4718, peer MSS 1460, MSS is 516
TCP: sending SYN, seq 2578099390, ack 3152674293
TCP0: Connection to y.y.y.y:4718, advertising MSS 536
x.x.x.x:3 <---> y.y.y.y:4718 congestion window changes
cwnd from 536 to 536, ssthresh from 65535 to 1072
TCP0: timeout #1 - timeout is 4000 ms, seq 2578099390
TCP: (443) -> y.y.y.y(4718)
TCP0: bad seg from y.y.y.y -- bad sequence number: port 443 seq 3152674292 ack 0 rcvnxt 3152674293 rcvwnd 4128 len 0
TCP0: timeout #2 - timeout is 4000 ms, seq 2578099390
TCP: (443) -> y.y.y.y(4718)
connection attempt to port 36109
TCP: sending RST, seq 0, ack 2677520110
TCP: sent RST to 92.84.106.222:2777 from x.x.x.x:36109
TCP0: bad seg from y.y.y.y -- bad sequence number: port 443 seq 3152674292 ack 0 rcvnxt 3152674293 rcvwnd 4128 len 0
Released port 443 in Transport Port Agent for TCP IP type 1 delay 240000
TCP0: state was SYNRCVD -> CLOSED [443 -> y.y.y.y(4718)]
TCB 0x84E12BD4 destroyed
where x.x.x.x is the address of the router and y.y.y.y is the address of the remote client (a 2003 server machine).
I would very much appreciate any ideas on how to solve this problem!
07-15-2008 05:54 AM
I am having the same issues. How was this condition resolved?
07-16-2008 05:21 AM
Unfortunately, I am still trying to find a solution for this problem. Maybe you could post your configuration, so we can try to at least rule out what is not causing this behavior.
07-16-2008 05:29 AM
Exclude ip address of the local interface from the NAT.
[Pls RATE if HELPS]
07-16-2008 07:28 AM
Please elaborate a bit more on your solution, because I'm not sure that I understand what I'm supposed to do. The ip address of the virtual interface (BVI1) is not being natted directly, but several computers behind the router (sharing the same IP class) are. Is this the problem?
07-16-2008 10:22 AM
ip access-list ext NAT
 deny ip host 172.16.0.100 any
 permit ip 172.16.0.0 0.0.0.255 any
route-map ISP1nat permit 10
 match ip address NAT
 match interface FastEthernet0
!
route-map ASYNCnat permit 10
 match ip address NAT
 match interface Dialer2
!
route-map ISP2nat permit 10
 match ip address NAT
 match interface Dialer0
!
07-16-2008 06:18 PM
Yes, this works, but now I cannot use different ISPs for different computers. If I create two access lists like
ip access-list ext THRUISP1
 deny ip host 172.16.0.100 any
 permit ip host 172.16.0.1 any
or
 permit ip 172.16.0.0 0.0.0.7 any
and
ip access-list ext THRUISP2
 deny ip host 172.16.0.100 any
 permit ip host 172.16.0.9 any
or
 permit ip 172.16.0.8 0.0.0.7 any
the problem reappears! I think I'm missing the logic behind this.
Is there an alternative way of using concurrent NAT translations without having this problem?
My ultimate goal is to allow
access list 1 -> ISP1 -> ISP2 -> ASYNC
access list 2 -> ISP2 -> ISP1 -> ASYNC
while using ISP2 for incoming webvpn connections.
Is this possible? Thanks!
07-16-2008 10:56 PM
Use policy based routing and stay NAT as it is.
[Pls RATE if HELPS]
07-16-2008 11:19 PM
This is what I'm using right now (leaving the ASYNC interface aside):
interface BVI1
 ip policy route-map RMAP
ip access-list ext NAT
 deny ip host 172.16.0.100 any
 permit ip 172.16.0.0 0.0.0.255 any
ip access-list standard THRUISP1
 permit 172.16.0.1
 permit 172.16.0.2
ip access-list standard THRUISP2
 permit 172.16.0.3
 permit 172.16.0.4
route-map RMAP permit 10
 match ip address THRUISP1
 set ip next-hop verify-availability x.x.x.x 10 track 123
 set ip next-hop verify-availability y.y.y.y 20 track 124
!
route-map RMAP permit 20
 match ip address THRUISP2
 set ip next-hop verify-availability y.y.y.y 10 track 124
 set ip next-hop verify-availability x.x.x.x 20 track 123
!
route-map ISP1nat permit 10
 match ip address NAT
 match interface FastEthernet0
!
route-map ISP2nat permit 10
 match ip address NAT
 match interface Dialer0
ip nat inside source route-map ISP1nat interface FastEthernet0 overload
ip nat inside source route-map ISP2nat interface Dialer0 overload
In this configuration the problem remains the same. As soon as I try to add a specific host to either THRUISP1 or THRUISP2 the router stops responding to incoming connections! The only way it works is if I replace both access lists with the NAT list. Am I doing something wrong?
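The thread settles on two separate fixes: the NAT exclusion shown in the 07-16-2008 replies (keep the router's own LAN address out of the NAT access list) and the "Local PBR" from the accepted 07-17-2008 answer (router-originated replies to WebVPN clients that arrived over Dialer0 must leave over Dialer0, not over the preferred FastEthernet0 default route). The configuration below is an added example that combines both with the dual-ISP PBR from the post above; it is not from the thread and has not been applied to the poster's router. It reuses the thread's interface names, ACL names, track objects 123/124 and the x.x.x.x / y.y.y.y next-hop placeholders, and it assumes that 172.16.0.100 is the router's BVI1 address (the thread implies but never states this), that Dialer0 has a negotiated address (so the local route-map selects the egress interface instead of a fixed next-hop), and that WebVPN is only meant to be reached through ISP2. The names LOCAL-WEBVPN-ISP2 and LOCAL-PBR are invented for this example.

```cisco
! Added example configuration, not the poster's running config.
! Assumptions: BVI1 = 172.16.0.100 is the router's LAN address, ISP1 is on
! FastEthernet0 (next-hop x.x.x.x, track 123), ISP2 is on Dialer0 (negotiated
! address, next-hop y.y.y.y, track 124). Track objects already exist.
!
! Default routes: ISP1 preferred (AD 10), ISP2 as backup (AD 20).
ip route 0.0.0.0 0.0.0.0 FastEthernet0 10 track 123
ip route 0.0.0.0 0.0.0.0 Dialer0 20 track 124
!
! 1. NAT: never translate packets sourced from the router's own LAN address;
!    only the LAN hosts in 172.16.0.0/24 are translated.
ip access-list extended NAT
 deny   ip host 172.16.0.100 any
 permit ip 172.16.0.0 0.0.0.255 any
!
route-map ISP1nat permit 10
 match ip address NAT
 match interface FastEthernet0
!
route-map ISP2nat permit 10
 match ip address NAT
 match interface Dialer0
!
ip nat inside source route-map ISP1nat interface FastEthernet0 overload
ip nat inside source route-map ISP2nat interface Dialer0 overload
!
! 2. Per-host ISP preference for transit traffic arriving on BVI1.
!    The host lists contain LAN hosts only, so 172.16.0.100 (the router) is
!    never policy-routed here and the NAT exclusion above is not bypassed.
ip access-list standard THRUISP1
 permit 172.16.0.1
 permit 172.16.0.2
ip access-list standard THRUISP2
 permit 172.16.0.3
 permit 172.16.0.4
!
route-map RMAP permit 10
 match ip address THRUISP1
 set ip next-hop verify-availability x.x.x.x 10 track 123
 set ip next-hop verify-availability y.y.y.y 20 track 124
!
route-map RMAP permit 20
 match ip address THRUISP2
 set ip next-hop verify-availability y.y.y.y 10 track 124
 set ip next-hop verify-availability x.x.x.x 20 track 123
!
interface BVI1
 ip policy route-map RMAP
!
! 3. Local PBR for router-originated traffic. Without it, the SYN-ACK the
!    WebVPN gateway sends back to a client that came in over Dialer0 follows
!    the AD-10 default route out FastEthernet0 (the asymmetric return path
!    the accepted answer describes). Matching source port 443 covers every
!    reply the gateway generates regardless of Dialer0's negotiated address.
ip access-list extended LOCAL-WEBVPN-ISP2
 permit tcp any eq 443 any
!
route-map LOCAL-PBR permit 10
 match ip address LOCAL-WEBVPN-ISP2
 set interface Dialer0
!
ip local policy route-map LOCAL-PBR
```

If Dialer0 is down, "set interface Dialer0" is ignored and the replies fall back to the routing table, so the gateway stays reachable through ISP1 only while ISP2 is unavailable. After applying this, "show tcp brief all num" (from the 02-17-2008 reply) should still show the 443 listener, and "debug ip tcp transactions" should show the handshake completing instead of the repeated "timeout #n" and "bad seg" lines in the 06-21-2008 post.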
07-16-2008 11:31 PM
show the configuration
describe your problem again.