Anyconnect connection fail after ISP change

c.console
Level 1

Hi all,

Two days ago a customer changed his ISP.

The new ISP has configured a router with a GUI, with IP address 172.16.0.1/24.

The ISP router has a GUI for port forwarding and basic configuration.

From the GUI I have configured a NAT for TCP port 443 to the WAN address of the internal router (172.16.0.2/24).

Anyway, the AnyConnect client is unable to find the remote server and the connection fails.

This is the sh run of the internal router... did I miss something?

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DG01
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authentication login sslvpn local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint my-trustpoint
enrollment selfsigned
serial-number
subject-name CN=
revocation-check crl
rsakeypair my-rsa-keys
!
!
crypto pki certificate chain my-trustpoint
certificate self-signed 02
3082026D 308201D6 A0030201 02020102 300D0609 2A864886 F70D0101 05050030

quit
!
!
!
!


!
!
!
!
ip name-server 192.168.0.27
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn
!
!
username locadmin 15 secret 5
crypto vpn anyconnect flash:/webvpn/anyconnect-win-4.2.01022-k9.pkg sequence 1
!
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
shutdown
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
description INSIDE
switchport access vlan 10
no ip address
!
interface FastEthernet3
description ISP
switchport access vlan 20
no ip address
!
interface Vlan1
no ip address
!
!
interface Vlan10
description INSIDE
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
ip address 172.16.0.2
ip nat outside
ip virtual-reassembly in
!
!
ip local pool webvpn-pool 192.168.0.240 192.168.0.252
ip default-gateway 172.16.0.1
ip forward-protocol nd
no ip http server
ip http secure-server
!
!
ip nat inside source list mylan interface Vlan20 overload
!
ip access-list standard mylan
permit 192.168.0.0 0.0.0.255
!
no cdp run
!
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
!
!
webvpn gateway Cisco-WebVPN-Gateway
ip address 172.16.0.2 port 443
ssl encryption rc4-md5
ssl trustpoint my-trustpoint
inservice
!
webvpn context Cisco-WebVPN
title "VPN GATEWAY"
!
acl "ssl-acl"
permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
login-message "WebVpn"
aaa authentication list sslvpn
gateway Cisco-WebVPN-Gateway
!
ssl authenticate verify all
!
url-list "rewrite"
inservice
!
policy group webvpnpolicy
functions svc-enabled
filter tunnel ssl-acl
svc address-pool "webvpn-pool" netmask 255.255.255.0
svc rekey method new-tunnel
svc split include 192.168.0.0 255.255.255.0
default-group-policy webvpnpolicy
!
end
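As an added example (not from the thread, the poster or Cisco), the checks a defender would run over the posted running config before pointing at the ISP: the webvpn gateway must listen on the address of the interface marked ip nat outside, since that is the only address the ISP port forward for TCP 443 can reach, and the ssl encryption list should not be the deprecated rc4-md5. RUNNING_CONFIG is a constructed excerpt of the config above, indented as IOS prints it; the redacted Vlan20 mask is assumed to be /24 as the post states.

```python
import re
from itertools import takewhile

# Constructed excerpt of the 'sh run' posted above, indented as IOS prints it;
# the redacted Vlan20 mask is assumed to be /24 as the post states.
RUNNING_CONFIG = """\
interface Vlan10
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
interface Vlan20
 ip address 172.16.0.2 255.255.255.0
 ip nat outside
webvpn gateway Cisco-WebVPN-Gateway
 ip address 172.16.0.2 port 443
 ssl encryption rc4-md5
 inservice
"""
ISP_FORWARDED_PORT = 443                 # TCP port the ISP GUI forwards to 172.16.0.2
WEAK_CIPHERS = {"rc4-md5", "3des-sha1"}  # deprecated 'ssl encryption' choices

def stanza(cfg, header):
    """Stripped indented lines that follow the exact top-level line `header`."""
    lines = cfg.splitlines()
    if header not in lines:
        return []
    body = lines[lines.index(header) + 1:]
    return [ln.strip() for ln in takewhile(lambda ln: ln.startswith(" "), body)]

def nat_outside_addresses(cfg):
    """IPs of interfaces marked 'ip nat outside': the only sensible port-forward targets."""
    addrs = set()
    for name in re.findall(r"^interface (\S+)", cfg, re.M):
        body = stanza(cfg, f"interface {name}")
        if "ip nat outside" in body:
            addrs |= {s.split()[2] for s in body if s.startswith("ip address ")}
    return addrs

def check_sslvpn_gateway(cfg):
    """Findings that would leave the AnyConnect gateway unreachable or weakly configured."""
    gw_name = re.search(r"^webvpn gateway (\S+)", cfg, re.M).group(1)
    body = stanza(cfg, f"webvpn gateway {gw_name}")
    m = re.search(r"ip address (\S+) port (\d+)", " ".join(body))
    ip, port = (m.group(1), int(m.group(2))) if m else (None, None)
    ciphers = {c for s in body if s.startswith("ssl encryption ") for c in s.split()[2:]}
    return [msg for bad, msg in (
        ("inservice" not in body, "gateway is not inservice"),
        (ip not in nat_outside_addresses(cfg), f"gateway {ip} is not a NAT-outside interface address"),
        (port != ISP_FORWARDED_PORT, f"gateway port {port} differs from forwarded port {ISP_FORWARDED_PORT}"),
        (bool(ciphers & WEAK_CIPHERS), f"weak ssl encryption {sorted(ciphers & WEAK_CIPHERS)}"),
    ) if bad]
```

On the posted config the reachability checks pass (gateway on 172.16.0.2, port 443), so the only finding is the weak cipher; a "Connection attempt timed out" therefore points at the path between the Internet and 172.16.0.2 rather than at the gateway stanza.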

5 Replies

nspasov
Cisco Employee

Have you checked if the ISP router's outside/inside interfaces have an ACL that could be blocking the traffic?

Thank you for rating helpful posts!

Hi

ISP support has performed a check on this router.

No ACL seems to be active on the IN/OUT interface...

Hmm, if the only thing that has changed is the ISP, then that would be my #1 suspect.

I have a few more questions:

1. Can you obtain the actual NAT configuration from the ISP router? Or even better full config?

2. Confirm exact problem:

     2.1 Are remote users able to connect but then not have access?

     2.2 Or are remote users not able to reach the VPN device and get a login prompt?

3. Do you have a diagram that shows how the network is set up? It appears to me that you are also doing NAT on the internal router towards the ISP, where all internal IPs are going to the ISP as 172.16.0.2?

4. Are VPN users supposed to have LAN and Internet access after the connection is established?


1) I have asked, but I'm not too confident about a quick response.

2.1) No, the VPN server simply appears to be offline or unreachable.

2.2) No login prompt, only a "Connection attempt timed out" error.

3) Simply ISP router -> internal router. The internal network's (192.168.0.0/24) requests to the Internet are NATed to 172.16.0.2, which is directly connected to the ISP router 172.16.0.1.

So I have an internal interface, vlan 10 (ip nat inside) with 192.168.0.1, and an external interface, vlan 20, 172.16.0.2 (ip nat outside).

Could it be a configuration mistake on the internal router? (A NAT problem, I suppose.)

Sorry for the delayed reply but I was out of the country. Were you able to resolve your issue?