Cisco 1841 SSL VPN

hasanreza
Level 1

Dear All,

I have configured SSL VPN on a Cisco 1841 router running 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T1. I have a PPPoE broadband connection and NAT has been configured. I have the issues below:

1) From the portal i cannot access any internal websites.

2) The NBNS servers don't show up; if I click on the NBNS link the router hangs.

3) The Cisco AnyConnect client (ver 2.5), after verifying the certificate, gives the error "unable to process the response from xxx.dyndns.org".

4) Even the port-forwarded server does not show up.

Find the running config below

Current configuration : 4989 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Gateway

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$SciF$TlX1tR5qaG9ZE7pdZHcRJ/

!

no aaa new-model

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.236.5.1 10.236.5.20

!

ip dhcp pool ContosoPool

   network 10.236.5.0 255.255.255.0

   default-router 10.236.5.254

   dns-server 213.42.20.20 195.229.241.222

!

!

ip domain name contoso.local

ip name-server 213.42.20.20

ip name-server 195.229.241.22

ip name-server 195.229.241.222

ip ddns update method dyndns

 HTTP
  add http://hasanreza:xxxxxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>

  remove http://hasanreza:xxxxxxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>

interval maximum 1 0 0 0

!

!

multilink bundle-name authenticated

!

!

!

crypto pki trustpoint TP-self-signed-1981248591

 enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1981248591

revocation-check none

rsakeypair TP-self-signed-1981248591

!

!

crypto pki certificate chain TP-self-signed-1981248591

certificate self-signed 01


   quit

!

!

username admin privilege 15 password 0 xxxxxxxx

username ali password 0 xxxxxx

archive

log config

  hidekeys

!

!

!

!

!

interface FastEthernet0/0

description Internal Network (Protected Interface)

ip address 10.236.5.254 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface ATM0/0/0

no ip address

shutdown

no atm ilmi-keepalive

dsl operating-mode auto

!

interface BRI0/1/0

no ip address

encapsulation hdlc

shutdown

!

interface Dialer1

ip ddns update hostname xxxxxxxxx.dyndns.org

ip ddns update dyndns

ip address negotiated

 ip nat outside

ip virtual-reassembly

encapsulation ppp

ip tcp adjust-mss 1460

dialer pool 1

ppp pap sent-username vermam password 0 xxxxxxxxx

!

ip local pool webssl 10.236.6.10 10.236.6.30

ip route 0.0.0.0 0.0.0.0 Dialer1

!

!

ip http server

no ip http secure-server

ip nat inside source list nat interface Dialer1 overload

!

ip access-list extended internal

permit ip any 10.236.5.0 0.0.0.255

ip access-list extended nat

permit ip 10.236.5.0 0.0.0.255 any

!

!

!

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

exec-timeout 0 0

login local

transport preferred ssh

transport input ssh

line vty 5 15

exec-timeout 0 0

login local

transport preferred ssh

transport input ssh

!

scheduler allocate 20000 1000

!

webvpn gateway gateway_1

ip interface Dialer1 port 443

ssl encryption rc4-md5

ssl trustpoint TP-self-signed-1981248591

 inservice

!

webvpn cef

!

webvpn context webvpn

title "Simple IT Portal"

secondary-color white

title-color #CCCC66

text-color black

ssl encryption rc4-md5

ssl authenticate verify all

!

url-list "WebServers"

   heading "WebServers"

   url-text "Google" url-value "www.google.com"

   url-text "MainFrameServer" url-value "10.236.5.2"

!

nbns-list "ContosoServers"

   nbns-server 10.236.5.10

   nbns-server 10.236.5.11

   nbns-server 10.236.5.12

login-message "Welecom to SimpleIt Portal"

 !

port-forward "PortForwarding"

   local-port 3389 remote-server "10.236.5.10" remote-port 3389 description "Server-DC01"

!

policy group policy1

   url-list "WebServers"

   port-forward "PortForwarding"

   nbns-list "ContosoServers"

   functions file-access

   functions file-browse

   functions file-entry

  default-group-policy policy1

  gateway gateway_1

  max-users 10

  inservice

!

Please advise; I have really searched via Google but nothing has helped yet.

Please advise

Hasan reza
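As an added example (not from the thread and not Cisco's tooling), a small Python lint that walks a running-config like the one posted above and flags the settings in it that weaken the router or the WebVPN gateway: RC4/MD5 as the SSL cipher suite, type-0 (cleartext) local passwords, cleartext HTTP management and vty lines that never time out. The excerpt it runs on is constructed from the post; the rule wording is my own.

```python
"""Minimal hardening lint for a Cisco IOS running-config (added example)."""
import re

# Constructed excerpt of the config from the post, with the same
# indentation conventions IOS uses (sub-commands indented by one space).
SAMPLE_CONFIG = """\
no service password-encryption
username admin privilege 15 password 0 xxxxxxxx
ip http server
no ip http secure-server
line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh
webvpn gateway gateway_1
 ssl encryption rc4-md5
 inservice
webvpn context webvpn
 ssl encryption rc4-md5
"""

# Each rule: (regex matched against a whole config line, severity, finding).
RULES = [
    (r"^no service password-encryption$", "medium",
     "line/enable passwords are stored in cleartext"),
    (r"^username \S+ (privilege \d+ )?password 0 ", "high",
     "local user has a type-0 (cleartext) password"),
    (r"^ip http server$", "medium",
     "cleartext HTTP management interface is enabled"),
    (r"^\s+ssl encryption .*(rc4|md5)", "high",
     "SSL VPN offers an RC4/MD5 cipher suite"),
    (r"^\s+exec-timeout 0 0$", "low",
     "idle sessions on this line never time out"),
]


def lint_config(config_text):
    """Return a list of (severity, section, finding) tuples.

    'section' is the nearest enclosing top-level command (e.g. 'line vty 0 4'),
    so a finding on an indented sub-command can be traced to its parent.
    """
    findings = []
    section = "(global)"
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blank lines and comment separators
        if not raw[0].isspace():
            section = raw.strip()         # a top-level command opens a new section
        for pattern, severity, message in RULES:
            if re.match(pattern, raw):
                findings.append((severity, section, message))
    return findings
```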

4 Replies

Your config looks ok, but your IOS is way too old. If I remember right there were also Java incompatibilities for the port-forwarding. If you want to stay on 12.4.15, IOS 12.4.15T17 is the actual one.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks for the update (I was really desperately awaiting it). I have only a 32 MB flash card, hence I am using this IOS. Anyway, can you please tell me if I need to make some ACL rule changes to get this whole thing to work,

Or

Suggest me some IOS; below is the list of services I need from the Cisco 1841:

1) Basic Routing

2) VPN (Site to Site)

3) SSL VPN

4) Some basic firewall features

But as I said, I have only 32 MB of flash. Also, since this router does not have a service contract I would not be able to download it from the Cisco website. If possible, just give me guidelines so I choose the right IOS.

For the SSL-VPN you only need a line "permit ip any any eq 443" incoming on your dialer0.

The 1841 uses standard CF cards. I changed all CFs on many ISRs in the past (mostly Kingston and SanDisk). With a recent bootrom a 2GB card should work. If you have something smaller (1GB) it should also work with an older bootrom.

Also, without a service contract it should be possible to get a new release because your release has security vulnerabilities. These include the following:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-dhcpv6

This is from the security-advisory:

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks Karsten,

Now can you please help me at least to get the SSL VPN client working? Is there a possibility of a TeamViewer session (if it's not asking for too much)?

Regards

Hasan Reza