02-16-2008 11:41 PM - edited 03-09-2019 08:07 PM
Hello,
I have configured WebVPN on a 1811W router running IOS 12.4(11)XW5, and although the gateway is set directly on an outside interface, port 443 appears filtered to clients connecting through that interface (inside interface traffic is allowed). What can I do to force the router to listen for incoming connections on the outside interface (as it is supposed to)? I have no firewall or ACLs that could potentially interfere with the VPN.
Thanks!
07-16-2008 11:57 PM
I've switched to extended ACLs, but without success. Any other suggestions? I feel like I'm getting close to finally solving this issue!
07-17-2008 01:14 AM
show the configuration
describe your problem again.
07-17-2008 01:35 AM
I've attached my current config.
The problem is that the router does not return packets for connections initiated from an untrusted interface to the router itself (like in the case of webvpn), as long as NAT is enabled only for specific computers behind the network (as opposed to the entire LAN).
07-17-2008 04:31 AM
Do you have static ip or dynamic ip for interfaces FastEthernet0 and Dialer0?
07-17-2008 04:35 AM
Both interfaces have dynamic IPs. Fa0 acquires its IP address through DHCP and Di0 through IPCP (PPPoE).
07-17-2008 05:42 AM
If you have dynamic IPs, how can you reach them?
Or maybe you use static bindings...
07-17-2008 05:48 AM
I use a free DDNS service for Di0, but I removed the relevant lines from the config file because the username and password were shown in clear.
07-17-2008 06:46 AM
This is your main route:
ip route 0.0.0.0 0.0.0.0 FastEthernet0 10 track 123
This is your backup route:
ip route 0.0.0.0 0.0.0.0 Dialer0 20 track 124
If you try to access Dialer0 from outside, your return traffic goes out through FastEthernet0.
You need to do "Local PBR" to correct this...
07-17-2008 10:35 AM
Problem solved!
It wasn't even necessary to implement a local policy route-map, since I don't intend to access the router from both interfaces.
What I did was to simply switch the metrics on the default routes and thus force the router to use the correct interface.
This, combined with the explicit removal of the local interface from NAT was the solution to this issue.
Thank you very much a.alekseev!
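The fix described in the last two posts, written out as an IOS configuration fragment. This is an added example by the editor, not the poster's attached configuration: the interface names and the two track object numbers come from the thread, while the LAN addressing (192.168.1.0/24, router at .1, NAT-ed hosts at .10 and .20), the ACL name NAT-INSIDE, and the assumption that the track objects already exist are made up for illustration.

```cisco
! Added example, not the poster's config. Interface names and track IDs are
! from the thread; addresses, ACL name and track definitions are assumed.
!
! 1. Swap the administrative distances so Dialer0 is the preferred default
!    route. Replies to connections that arrived on Dialer0 (the WebVPN gateway,
!    TCP 443) then leave through Dialer0 again instead of FastEthernet0.
no ip route 0.0.0.0 0.0.0.0 FastEthernet0 10 track 123
no ip route 0.0.0.0 0.0.0.0 Dialer0 20 track 124
ip route 0.0.0.0 0.0.0.0 Dialer0 10 track 124
ip route 0.0.0.0 0.0.0.0 FastEthernet0 20 track 123
!
! 2. Keep the router's own address out of the NAT ACL. Only the listed hosts
!    are translated; traffic sourced from the router itself is explicitly
!    denied, so locally generated packets are never run through NAT.
ip access-list extended NAT-INSIDE
 remark router's own LAN address: never translate (assumed 192.168.1.1)
 deny   ip host 192.168.1.1 any
 remark the specific computers that are allowed out (assumed addresses)
 permit ip host 192.168.1.10 any
 permit ip host 192.168.1.20 any
!
ip nat inside source list NAT-INSIDE interface Dialer0 overload
!
interface Dialer0
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

After applying it, `show ip route 0.0.0.0` should list Dialer0 as the installed default with FastEthernet0 only appearing once track 124 goes down (`show track brief`), and `show ip nat translations` should never show an entry whose inside local address is the router's own 192.168.1.1. If the gateway has to answer on both WAN interfaces, the metric swap is not enough and a.alekseev's suggestion of local PBR (`ip local policy route-map`) is the alternative; the practical difficulty there is matching the source address of each reply, since both interfaces receive their addresses dynamically.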