WebVPN - no connectivity from outside interface

mateid1234
Level 1

Hello,

I have configured WebVPN on a 1811W router running IOS 12.4(11)XW5, and although the gateway is set directly on an outside interface, the 443 port appears filtered to clients connecting through that interface (inside interface traffic is allowed). What can I do to force the router to listen for incoming connections on the outside interface (as it is supposed to)? I have no firewall or ACLs that could potentially interfere with the VPN.

Thanks!

25 Replies

I've switched to extended ACLs, but without success. Any other suggestions? I feel like I'm getting close to finally solving this issue!

show the configuration

describe your problem again.

I've attached my current config.

The problem is that the router does not return packets for connections initiated from an untrusted interface to the router itself (like in the case of webvpn), as long as NAT is enabled only for specific computers behind the network (as opposed to the entire LAN).

mateid1234
Level 1

Sorry, the attachment got lost while writing the message.

Do you have static ip or dynamic ip for interfaces FastEthernet0 and Dialer0?

Both interfaces have dynamic IPs. Fa0 acquires the IP address through DHCP and Di0 through IPCP (PPPoE).

If you have dynamic IPs, how could you access them?

Or maybe you have static binding...

I use a free DDNS service for Di0, but I removed the relevant lines from the config file because the username and password were shown in clear.

This is your main route

ip route 0.0.0.0 0.0.0.0 FastEthernet0 10 track 123

This is your backup route

ip route 0.0.0.0 0.0.0.0 Dialer0 20 track 124

If you try to access Dialer0 from outside, your return traffic goes through FastEthernet0.

You need to do "Local PBR" to correct this...
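An added configuration example of the local PBR a.alekseev refers to (not the poster's config and not from the thread); the ACL and route-map names are assumed, the two default routes are the ones quoted above:

```cisco
! Added example, not the original poster's configuration.
! Goal: router-originated WebVPN replies (TCP source port 443) must leave via
! Dialer0 even though the preferred default route points at FastEthernet0.
!
! Matching on the source port instead of a source address avoids depending on
! the Dialer0 address, which is assigned dynamically by IPCP.
ip access-list extended WEBVPN-REPLIES
 remark replies generated by the WebVPN gateway on this router
 permit tcp any eq 443 any
!
route-map LOCAL-PBR permit 10
 match ip address WEBVPN-REPLIES
 ! "set default interface" is applied only when the routing table has no
 ! specific route for the destination (i.e. it would otherwise use a default
 ! route), so replies to LAN clients still follow the connected route and
 ! only Internet-bound replies are forced out Dialer0.
 set default interface Dialer0
!
! Local policy applies to packets the router itself generates, which is
! exactly the gateway's return traffic; ordinary transit traffic is unaffected.
ip local policy route-map LOCAL-PBR
!
! Verification: "show route-map LOCAL-PBR" shows the policy-match counters,
! and "debug ip policy" traces each router-originated packet decision.
```

Because every port-443 reply is steered to Dialer0, this fits only when the gateway is reached through Dialer0; sessions arriving on FastEthernet0 would then be answered asymmetrically, which is the situation the route-swap in the accepted answer below avoids instead.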

Problem solved!

It wasn't even necessary to implement a local policy route-map, since I don't intend to access the router from both interfaces.

What I did was to simply switch the metrics on the default routes and thus force the router to use the correct interface.

This, combined with the explicit removal of the local interface from NAT was the solution to this issue.

Thank you very much a.alekseev!
