11-29-2010 03:29 AM - edited 03-04-2019 10:36 AM
Hi,
I'm trying to configure an SSL VPN on a 1941 router. The VPN connects and I can see the router itself, but not any other networks behind the router. I created the SSL VPN configuration with CCP. IPsec VPN works perfectly and the SSL VPN is configured in the same firewall zone as IPsec, so I'm not sure it's a firewall issue. NAT setup is the same as IPsec as well. Any ideas?
Thanks in advance,
Eric
11-29-2010 08:50 AM
Hi Eric,
can you ping any host on the other side of the tunnel?
Is the routing correctly configured?
Regards,
Antonio
11-29-2010 09:19 AM
I can't ping any host on the other side of the tunnel, but I can ping any interface on the router. I believe routing is configured OK.
Regards,
Eric
12-01-2010 05:43 AM
Here's my config:
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO1941
!
boot-start-marker
warm-reboot uptime 2
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 8
logging buffered 2097152
logging console critical
enable secret 5 ####
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
no process cpu autoprofile hog
!
ipv6 unicast-routing
ipv6 cef
no ip source-route
ip cef
!
!
ip nbar port-map custom-03 udp 10000 10001 10002 10003 10004 10005 10006 10007 10008 10009 10010 10011 10012 10013 10014 10015
!
ip dhcp excluded-address 10.0.1.1 10.0.1.99
ip dhcp excluded-address 10.0.1.200 10.0.1.254
!
ip dhcp pool dhcp-pool-10-0-1-0
import all
network 10.0.1.0 255.255.255.0
domain-name ####
dns-server 10.0.1.5 194.72.0.98
default-router 10.0.1.1
netbios-name-server 10.0.1.5
lease 7
!
!
no ip bootp server
ip domain name ####
ip name-server 194.72.0.98
ip name-server 194.72.9.38
ip port-map user-ctcp-ezvpnsvr port tcp 11000
ip port-map user-voip-rtp port udp from 10000 to 10015
ip ips config location flash0:/IPS retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips advanced
retired false
!
ip ddns update method sdm_ddns1
HTTP
add ####
remove ####
interval minimum 24 0 0 0
!
!
multilink bundle-name authenticated
!
parameter-map type urlfpolicy local urlf-parameter_map
allow-mode on
parameter-map type urlf-glob cpaddbnwlocparadeny0
!
energywise domain #### security shared-secret 7 #### protocol udp port 43440 interface GigabitEthernet0/0
energywise neighbor 10.0.1.3 43440
crypto pki token default removal timeout 0
!
crypto pki trustpoint trps1_server
revocation-check none
!
!
crypto pki trustpoint TP-self-signed-238871991
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-238871991
revocation-check none
!
!
crypto pki certificate chain trps1_server
certificate ca 00 nvram:wtsuiciscoco#0CA.cer
crypto pki certificate chain TP-self-signed-238871991
certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
license udi pid CISCO1941/K9 sn ####
license accept end user agreement
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
!
!
archive
log config
hidekeys
username admin privilege 15 secret 5 ####
!
redundancy
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
!
!
!
ip tcp synwait-time 10
!
class-map match-any VOIP
match protocol skinny
match protocol sip
match protocol skype
match protocol custom-03
class-map match-any shape_outgoing_class
match any
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all CCP_SSLVPN
match access-group name SDM_IP
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 102
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match protocol user-ctcp-ezvpnsvr
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type urlfilter match-any cpaddbnwlocclassdeny0
match server-domain urlf-glob cpaddbnwlocparadeny0
class-map type inspect match-any sip-traffic
match protocol sip
class-map type inspect match-any -sdminspectclassmap-2
match protocol http
class-map type inspect match-any -sdminspectclassmap-1
match protocol http
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map match-any Management
match protocol ssh
match protocol telnet
match protocol dns
match protocol ntp
match protocol icmp
class-map type inspect match-any cpinspectclass0
match protocol http
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match class-map sip-traffic
match access-group name sip-out-in
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect urlfilter urlf-policy
description urlf-policy
parameter type urlfpolicy local urlf-parameter_map
class type urlfilter cpaddbnwlocclassdeny0
reset
log
policy-map type inspect ccp-sslvpn-pol
class type inspect cpinspectclass0
inspect
service-policy urlfilter urlf-policy
class type inspect CCP_SSLVPN
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy urlfilter urlf-policy
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class class-default
pass
policy-map qos-outbound
class VOIP
set dscp ef
priority percent 70
class Management
bandwidth remaining percent 10
class class-default
bandwidth remaining percent 20
policy-map shape_outgoing
class shape_outgoing_class
shape average 377480
service-policy qos-outbound
policy-map type inspect ccp-permit
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop log
policy-map type inspect ccp-pol-outToIn
class type inspect -sdminspectclassmap-2
inspect
service-policy urlfilter urlf-policy
class type inspect CCP_PPTP
pass
class type inspect ccp-cls-ccp-pol-outToIn-1
inspect
class class-default
drop log
policy-map type inspect sdm-permit-ip
class type inspect -sdminspectclassmap-1
inspect
service-policy urlfilter urlf-policy
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone security sslvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-ezvpn-zone source sslvpn-zone destination ezvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-ezvpn-zone-sslvpn-zone source ezvpn-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
!
crypto ctcp port 11000
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 3
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnusers
key ####
dns 10.0.1.5 194.72.0.98
wins 10.0.1.5
domain ####
pool ezvpn_pool
acl 101
include-local-lan
max-users 100
max-logins 2
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group vpnusers
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
keepalive 10 retry 2
virtual-template 1
!
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
ip address 10.0.11.1 255.255.255.0
!
interface Loopback1
ip address 10.0.10.1 255.255.255.0
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_INSIDE$$ETH-LAN$
ip address 10.0.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
ipv6 enable
no mop enabled
!
interface GigabitEthernet0/1
description $FW_INSIDE$$ES_LAN$$ETH-LAN$
ip address 10.0.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
ipv6 enable
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
bandwidth 370
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
pvc 0/38
cbr 370
tx-ring-limit 3
encapsulation aal5mux ppp dialer
dialer pool-member 1
service-policy out shape_outgoing
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip virtual-reassembly in
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2
ip unnumbered Loopback0
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip virtual-reassembly in
zone-member security sslvpn-zone
!
interface Dialer0
description $FW_OUTSIDE$
ip ddns update hostname ####
ip ddns update sdm_ddns1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip ips sdm_ips_rule in
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ####
ppp chap password 7 ####
ppp pap sent-username #### password 7 ####
!
ip local pool ezvpn_pool 10.0.10.100 10.0.10.199
ip local pool sslvpn_pool 10.0.11.100 10.0.11.199
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-cache timeout active 1
ip flow-export version 5
ip flow-export destination 10.0.2.7 9996
ip flow-top-talkers
top 50
sort-by bytes
cache-timeout 500
!
ip dns server
ip nat inside source list NAT_ACCESS interface Dialer0 overload
ip nat inside source static tcp 10.0.1.8 5060 interface Dialer0 5060
ip nat inside source static udp 10.0.1.8 5060 interface Dialer0 5060
ip nat inside source static tcp 10.0.11.1 443 interface Dialer0 443
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.1.0 255.255.255.0 GigabitEthernet0/0
ip route 10.0.2.0 255.255.255.0 GigabitEthernet0/1
!
ip access-list standard NAT_ACCESS
remark CCP_ACL Category=2
permit 10.0.1.0 0.0.0.255
permit 10.0.2.0 0.0.0.255
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended sip-out-in
remark CCP_ACL Category=128
permit ip any host 10.0.1.8
!
ip sla 1
tcp-connect 10.0.1.3 9001
tos 184
tag tcp-connect
frequency 300
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 10.0.1.8
tag asterisk
frequency 300
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 10.0.1.5
tag data
frequency 300
ip sla schedule 3 life forever start-time now
ip sla 4
icmp-echo 10.0.1.2
tag wireless
frequency 300
ip sla schedule 4 life forever start-time now
ip sla 5
icmp-echo 10.0.1.9
tag cctv
ip sla schedule 5 life forever start-time now
ip sla 6
icmp-echo 10.0.1.4
tag voip-gateway
frequency 300
ip sla schedule 6 life forever start-time now
ip sla logging traps
logging esm config
logging trap debugging
logging host 10.0.2.7 transport tcp
logging 10.0.2.7
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 23 permit 10.0.10.0 0.0.0.255
access-list 23 permit 10.0.2.0 0.0.0.255
access-list 23 permit 10.0.11.0 0.0.0.255
access-list 23 permit 10.0.3.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.2.0 0.0.0.255 any
access-list 101 permit ip 10.0.3.0 0.0.0.255 any
access-list 101 permit ip 10.0.10.0 0.0.0.255 any
access-list 101 permit ip 10.0.11.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip any host 10.0.11.1
dialer-list 1 protocol ip permit
!
!
!
!
!
snmp-server community #### RW
snmp-server community #### RO
snmp-server ifindex persist
snmp-server location ####
snmp-server contact ####
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
ip address 10.0.11.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-238871991
inservice
!
webvpn install svc flash0:/webvpn/anyconnect-dart-win-2.5.2001-k9.pkg sequence 1
!
webvpn install svc flash0:/webvpn/anyconnect-macosx-i386-2.5.2001-k9.pkg sequence 2
!
webvpn install svc flash0:/webvpn/anyconnect-linux-2.5.2001-k9.pkg sequence 3
!
webvpn context sslvpn
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "sslvpn_pool"
svc default-domain "####"
svc keep-client-installed
svc split include 10.0.11.0 255.255.255.0
svc split include 10.0.10.0 255.255.255.0
svc split include 10.0.3.0 255.255.255.0
svc split include 10.0.2.0 255.255.255.0
svc split include 10.0.1.0 255.255.255.0
svc dns-server primary 10.0.1.5
svc dns-server secondary 194.72.0.98
svc wins-server primary 10.0.1.5
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway gateway_1
max-users 10
inservice
!
end
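An added troubleshooting example, not part of Eric's post or the thread, covering what to check on the router while an AnyConnect client is connected. It assumes the design CCP intended: full-tunnel SSL VPN traffic should enter through Virtual-Template2 (zone sslvpn-zone) and be forwarded by the zp-sslvpn-zone-in-zone / zp-in-zone-sslvpn-zone zone-pairs to 10.0.1.0/24 and 10.0.2.0/24. One thing stands out in the posted config: `webvpn context sslvpn` has no `virtual-template 2` line, so Virtual-Template2 (and the sslvpn-zone membership it carries) is never applied to the SSL VPN sessions; that binding is the first thing to test. Whether it is the actual cause on this router is an assumption, not something the thread confirms; the username placeholder is hypothetical.

```cisco
! Added example (not from the original thread). Assumption: AnyConnect traffic is
! meant to be cloned onto a Virtual-Access interface from Virtual-Template2 so that
! the sslvpn-zone zone-pairs apply to it.

! 1. Confirm the client received an address from sslvpn_pool (10.0.11.100-199)
!    and the split-tunnel networks pushed by policy_1.
show webvpn session context sslvpn
show webvpn session user <username> context sslvpn

! 2. Bind Virtual-Template2 to the SSL VPN context. Without this line the
!    template is configured but unused, so no Virtual-Access interface exists in
!    sslvpn-zone and the zp-sslvpn-zone-* zone-pairs never see the traffic.
webvpn context sslvpn
 virtual-template 2
 inservice

! 3. Reconnect the client; a Virtual-Access interface should now exist in
!    sslvpn-zone and the zone-pair toward in-zone should show sessions.
show interfaces | include Virtual-Access
show zone security sslvpn-zone
show zone-pair security source sslvpn-zone destination in-zone
show policy-map type inspect zone-pair zp-sslvpn-zone-in-zone sessions

! 4. Rule out routing and NAT. 10.0.11.0/24 is connected via Loopback0, and
!    NAT_ACCESS only lists 10.0.1.0/24 and 10.0.2.0/24, so LAN-to-client replies
!    must not appear as translations.
show ip route 10.0.11.0
show ip nat translations | include 10.0.11
```

Note for the same config: the ccp-sslvpn-pol policy `pass`es all IP (class CCP_SSLVPN matches SDM_IP, i.e. `permit ip any any`) in every direction involving sslvpn-zone, so once the zone binding is in place, any remote client gets the same reach as the LAN; tighten CCP_SSLVPN to the hosts and ports remote users actually need before relying on it as a firewall boundary.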