Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
701
Views
0
Helpful
0
Replies

Anyconnect on 1800 series with basic setup only partially working

jabesha
Level 1
Level 1

‎02-19-2014 06:26 AM - edited ‎02-21-2020 07:30 PM

This is driving me nuts.  I have Anyconnect working perfectly on an 1811 until I add some basic zone firewall commands.  After adding the firewall I can still connect but can only access the router and none of the other internal devices.

To simplify it I have the vpn and internal interfaces in the same security zone almost identical to this Cisco example although I have the exact same problem if I use separate zones and additional firewall rules.

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-vpn-client/111891-anyconnect-ios-zbpf-config.html

I'm far from being an expert so I figure there is something here that will jump right out at the next person who looks at it.

!

! Last configuration change at 02:17:02 UTC Tue Feb 11 2014 by admin

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname yourname

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

!

!

!

!

!

aaa session-id common

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-2352512162

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2352512162

revocation-check none

rsakeypair TP-self-signed-2352512162

!

!

crypto pki certificate chain TP-self-signed-2352512162

certificate self-signed 01

            quit

dot11 syslog

ip source-route

!

!

ip dhcp excluded-address 192.168.1.1 192.168.1.199

!

ip dhcp pool ccp-pool

import all

network 192.168.1.0 255.255.255.0

domain-name yourdomain.com

dns-server 192.168.1.3 192.168.1.2

default-router 192.168.1.1

lease 0 2

!

!

!

ip cef

no ip domain lookup

ip domain name yourdomain.com

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

license udi pid CISCO1811W-AG-A/K9 sn FTX

username cisco privilege 15 secret 0 cisco

!

!

!

class-map type inspect match-all CCP_SSLVPN

match access-group name CCP_IP

class-map type inspect match-any SDM_WEBVPN

match access-group name SDM_WEBVPN

class-map type inspect match-all SDM_WEBVPN_TRAFFIC

match class-map SDM_WEBVPN

match access-group 101

class-map type inspect match-any ccp-cls-insp-traffic

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-sslvpn-pol

class type inspect CCP_SSLVPN

  pass

class class-default

  drop

policy-map type inspect ccp-inspect

class type inspect ccp-insp-traffic

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_WEBVPN_TRAFFIC

  inspect

class class-default

  drop

!

zone security in-zone

zone security out-zone

zone-pair security zp-in-zone-in-zone source in-zone destination in-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security zp-out-zone-in-zone source out-zone destination in-zone

service-policy type inspect ccp-sslvpn-pol

!

!

interface Loopback0

ip address 172.16.0.1 255.255.255.255

!

interface Dot11Radio0

no ip address

shutdown

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

!

interface Dot11Radio1

no ip address

shutdown

speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0

station-role root

!

interface FastEthernet0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet1

description $ETH-WAN$$FW_OUTSIDE$

ip address 66.66.66.66 255.255.255.248

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

duplex auto

speed auto

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

no ip address

!

interface FastEthernet5

no ip address

!

interface FastEthernet6

no ip address

!

interface FastEthernet7

no ip address

!

interface FastEthernet8

no ip address

!

interface FastEthernet9

no ip address

!

interface Virtual-Template1

description $FW_INSIDE$

ip unnumbered Loopback0

zone-member security in-zone

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

ip tcp adjust-mss 1452

!

interface Async1

no ip address

encapsulation slip

!

ip local pool VPN_POOL 10.10.10.1 10.10.10.254

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 1 interface FastEthernet1 overload

ip route 0.0.0.0 0.0.0.0 66.66.66.65

!

ip access-list extended CCP_IP

remark CCP_ACL Category=128

permit ip any any

ip access-list extended SDM_WEBVPN

remark CCP_ACL Category=1

permit tcp any any eq 443

!

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 23 permit 192.168.1.0 0.0.0.255

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip any host 66.66.66.66

no cdp run

!

!

!

!

control-plane

!

!

!

line con 0

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

line vty 0 4

access-class 23 in

transport input telnet ssh

line vty 5 15

access-class 23 in

transport input telnet ssh

!

!

webvpn gateway gateway_1

ip address 66.66.66.66 port 443 

http-redirect port 80

ssl trustpoint TP-self-signed-2352512162

inservice

!

webvpn install svc flash:/webvpn/anyconnect-macosx-i386-3.1.05152-k9.pkg sequence 1

!

webvpn context vpn

secondary-color white

title-color #CCCC66

text-color black

ssl authenticate verify all

!

!

policy group policy_1

   functions svc-enabled

   svc address-pool "VPN_POOL" netmask 255.255.255.255

   svc keep-client-installed

   svc split include 192.168.1.0 255.255.255.0

default-group-policy policy_1

aaa authentication list ciscocp_vpn_xauth_ml_1

gateway gateway_1

inservice

!

end

Thanks much for taking a look and any ideas.

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents