AnyConnect VPN full tunnel with internet access

Jan# (Level 1)

Currently I am using an AnyConnect VPN (split tunnel) for remote access.

This works great.

However I would like to change this VPN to full tunnel mode.

I already tried configuring it without any problem, and it's also working, except for one thing: having internet access while in a full tunnel AnyConnect session.


I was expecting the internet traffic to be routed over the tunnel, and go out on the remote side to the internet, but this requires additional configuration.

Does anybody know how to configure an internet breakout using AnyConnect full tunnel mode?

18 Replies

Atri Basu (Cisco Employee)

Hi Jan,

What exactly do you mean by internet breakout? If you are looking to u-turn the traffic from the other side then you can check out the following guide:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

While this was originally written for IPsec, it shouldn't be too different for AnyConnect.


Regards,
Atri.

Hi Atri,

Actually, yes, I mean U-turning the traffic; however, the commands in the mentioned documentation are not available in IOS SSLVPN.

Regards,

Jan

On a router, if you have NAT enabled for the traffic and a default route as well, then you shouldn't have any problems U-turning the traffic. U-turning is only required on ASAs, which have security policies in place that would otherwise drop the traffic. Can you paste the configuration of your gateway?

Hi Atri,

Actually, I placed the VPN users in the same subnet as the normal users, which means that, since the normal users can access the internet, things like the default gateway and NAT are configured the right way.

I'm going to check on the other replies.

rahgovin (Level 4)

I assume that you are using the ASA as the VPN server.

You would need to NAT the traffic sourced from the VPN pool subnet to the outside interface IP address (PAT). Also, the command same-security permit intra-interface is required.

So:

nat (outside) 1

global (outside) 1 interface (you should already have this for the LAN's internet traffic)

same-security permit intra-interface
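As an added example of the ASA approach described in the reply above (not part of the original thread, and not Jan's configuration, who as it turns out is on an IOS router), here is a complete ASA 8.2-style full-tunnel AnyConnect setup with the VPN pool hairpinned back out the outside interface. The full keyword is same-security-traffic. All names and addresses (inside LAN 10.0.0.0/24, pool 192.168.100.0/24, group-policy FULLTUNNEL, tunnel-group SSLVPN) are assumptions for illustration.

```cisco
! Added example, not from the thread. ASA 8.2 nat/global syntax, as in the reply.
! Assumed: inside LAN 10.0.0.0/24, VPN pool 192.168.100.0/24,
! group-policy FULLTUNNEL, tunnel-group SSLVPN.

! Address pool handed to AnyConnect clients
ip local pool VPN_POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

! Decrypted VPN traffic arrives on outside and, after NAT, leaves on outside
! again. The ASA drops that hairpin unless intra-interface traffic is allowed.
same-security-traffic permit intra-interface

! Keep inside <-> VPN pool untranslated so LAN resources still work over the tunnel
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! PAT both the LAN and the VPN pool to the outside interface address.
! "nat (outside) 1" for the pool is the line that makes the U-turn work.
nat (inside) 1 10.0.0.0 255.255.255.0
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface

! Full tunnel: tunnelall, so the client sends internet traffic to the ASA too.
! Note: decrypted VPN traffic bypasses the outside interface ACL by default
! (sysopt connection permit-vpn); use a vpn-filter here to restrict what
! full-tunnel users may reach.
group-policy FULLTUNNEL internal
group-policy FULLTUNNEL attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 address-pools value VPN_POOL

tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 default-group-policy FULLTUNNEL

webvpn
 enable outside
 ! svc image <AnyConnect package on flash> 1   (package must be loaded first)
 svc enable

! Checks once a client is connected:
!   show vpn-sessiondb svc      -> session with a 192.168.100.x address
!   show xlate                  -> translations from 192.168.100.x to the outside address
```

The two things that usually go missing are the nat (outside) entry for the pool and the intra-interface permit; without the first the client's packets leave untranslated, without the second the ASA silently drops the outside-to-outside flow.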

Hi Rahul,

No, I am using a Cisco router, to be more specific, a Cisco 877W, using IOS SSLVPN.

Regards,
Jan

Jan,

I've recently written about it:

https://supportforums.cisco.com/community/netpro/security/vpn/blog/2010/12/08/advantages-of-vti-configuration-for-ipsec-tunnels

Webvpn supports VTI configuration in newer IOS releases.

Marcin

Hi Marcin,

Thanks for your reply, I did some decent searching on anyconnect, and some related keywords, but didn't find your post.

Can you please indicate in which IOS version this feature was introduced?

I am using advipservicesk9-mz.124-24.T3.bin myself.


Thanks!
Regards,

Jan

Jan,

Indeed, my post was meant to highlight benefits for IPsec and is not specific to webvpn ;-)

I believe the functionality was introduced with 12.4(20)T and onwards, where new CEF code was introduced, but I can't find the exact release.

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_ssl_vpn_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1498349

That being said, 12.4(24)T is the last software train in 12.4T and it should contain all features in the config guide.

Marcin

Hi Marcin,

I changed the config with the information you provided, but it isn't working for me so far.

Hopefully you can help me a bit.

I have an 877W with an ATM interface as WAN interface (ADSL), which is configured under ATM0.1.

As stated in the docs, I created the following interface:

interface Virtual-Template1
 ip unnumbered ATM0.1
 ip nat inside
 ip virtual-reassembly

Secondly, I added this virtual template under the webvpn context:

virtual-template 1

According to the docs this should do the trick; however, the Virtual-Template interface stays down, and the feature isn't working.

Virtual-Template1          123.123.123.123  YES TFTP   down                  down

The webvpn is working flawlessly using a split tunnel.

Hope you can indicate what's missing.

Best regards,

Jan

Jan,

I only tested this feature initially when it was introduced ... so my recollections are vague at best ;-)

How this is supposed to work (AFAIR) is to spawn virtual-access interfaces from the virtual template; I'm not sure if it's technically necessary for the virtual-template interface to be up/up.

That being said ... let's see "show webvpn context NAME_HERE" to verify if the template is applied there.

I'm actually starting to wonder whether I sold you false hope ... I did a quick search in Feature Navigator and officially I see support on platforms starting from 18xx and in 15.1T (and on). Oddly enough, the config guide for 12.4T contains VTI support without restrictions.

Marcin

Hi Marcin,

Actually, the Virtual-Template is listed when issuing the show webvpn context [name] command.

router#sh webvpn context router
Admin Status: up
Operation Status: up
Error and Event Logging: Disabled
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List: default
AAA Authorization List not configured
AAA Authentication Domain not configured
Default Group Policy: sslpolicy
Associated WebVPN Gateway: router

Domain Name and Virtual Host not configured
Maximum Users Allowed: 2
NAT Address not configured
VRF Name not configured
Virtual Template: 1

router#

Regards, Jan

Jan,

Odd, but if no virtual-access is spawned, well I guess you could open a TAC case to make sure this is supported on this particular platform version.

In the meantime, we could try the old way: a loopback interface with "ip nat inside" applied, and send all traffic from the VPN to it.

Marcin

mulatif (Cisco Employee)

Hi Jan,

Did you add the Virtual-Template, or make changes to the virtual-template, 'after' defining it under the webvpn context?

If you did, then please remove the "virtual-template" command from under the webvpn config and then re-add it.

Also, the Virtual-Template will always stay down; it is a Virtual-Access interface that you should see up in the "show ip interface brief" output.

Thanks,

Naman
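Pulling together Atri's point (on a router, NAT plus a default route is all the U-turn needs), Marcin's virtual-template suggestion and Naman's note that only the spawned Virtual-Access comes up, here is an added example of a complete IOS 12.4T SSL VPN full-tunnel configuration with internet breakout through the router's NAT. It is not Jan's configuration and not from the thread: only the ATM0.1 WAN interface, the context/gateway name "router" and the policy group "sslpolicy" come from his posts; the LAN 192.168.1.0/24 on Vlan1, the public address 203.0.113.10 and the pool 192.168.200.0/24 are assumptions.

```cisco
! Added example, not Jan's config. IOS 12.4T webvpn (AnyConnect) in full tunnel
! mode, with client internet traffic U-turned through the router's NAT.
! Assumed: LAN 192.168.1.0/24 on Vlan1, WAN on ATM0.1 with public address
! 203.0.113.10, VPN pool 192.168.200.0/24. From the thread: ATM0.1, the
! context/gateway name "router" and the policy group "sslpolicy".

! Address pool handed to AnyConnect clients
ip local pool SSLVPN_POOL 192.168.200.1 192.168.200.50

! Template for the per-session Virtual-Access interfaces. The template itself
! always shows down/down in "show ip interface brief"; the cloned
! Virtual-Access interface is the one that comes up when a client connects.
interface Virtual-Template1
 ip unnumbered ATM0.1
 ip nat inside
 ip virtual-reassembly

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

! DSL line (pvc / encapsulation settings omitted); NAT outside lives here
interface ATM0.1 point-to-point
 ip address 203.0.113.10 255.255.255.252
 ip nat outside

! The NAT list must include the VPN pool. If it only lists the LAN, client
! traffic leaves the DSL line with a 192.168.200.x source and is dropped
! upstream, which looks exactly like "no internet in full tunnel mode".
ip access-list extended NAT_INSIDE
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.200.0 0.0.0.255 any
ip nat inside source list NAT_INSIDE interface ATM0.1 overload

ip route 0.0.0.0 0.0.0.0 ATM0.1

webvpn gateway router
 ip address 203.0.113.10 port 443
 inservice

webvpn context router
 ssl authenticate verify all
 !
 ! No "svc split include" line: the client tunnels everything, internet included
 policy group sslpolicy
   functions svc-enabled
   svc address-pool "SSLVPN_POOL"
   svc keep-client-installed
 default-group-policy sslpolicy
 gateway router
 ! Add the template after the policy group exists. If the template is edited
 ! later, remove and re-add this line so the context picks up the change.
 virtual-template 1
 max-users 2
 inservice

! Checks once a client is connected:
!   show ip interface brief | include Virtual    -> a Virtual-Access interface up/up
!   show webvpn session context router           -> the session and its pool address
!   show ip nat translations | include 192.168.200.
```

The decrypted client traffic enters on the Virtual-Access interface (ip nat inside, inherited from the template) and exits ATM0.1 (ip nat outside), so it is translated by the same overload rule as the LAN; the only router-side change full tunnel really needs beyond the template is the extra permit for the pool in the NAT access list.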