Cisco 1941 Router - Webvpn problem

Hi,

 

I have a Cisco 1941 router.

I'm configuring the webvpn feature to support remote user vpn connections.

For some reason it doesn't work.

When I try to connect to the gateway from a browser, it fails. It does redirect to port 443 (or to any other port I configure), but after that it is as if there is no connection to that port.

I have no ACL on the WAN port.

 

Can someone help me please.

Thanks.

 

Config:

version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
....
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
......
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login Utilizadores_VPN local
aaa authorization exec default local 
aaa authorization network RA-GROUP local 
!
!
!
!
!
aaa session-id common
clock timezone PCTime 0 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
ip cef
!
!
!
!
!
....
.....
 .....
!
!
.....
!
redundancy
!
!
!
!         
!
no ip ftp passive
ip ssh version 1

!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address IP
crypto isakmp client configuration address-pool local VPN_Pool
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group VPN_1
 key XXX
 pool SDM_POOL_1
 acl 103
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_1
   client authentication list Utilizadores_VPN
   isakmp authorization list RA-GROUP
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set CB-3DES-MD5 esp-3des esp-md5-hmac 
 mode tunnel
crypto ipsec transform-set RA_VPN esp-3des esp-md5-hmac 
 mode tunnel
crypto ipsec transform-set ESP-MD5-AES-128 esp-aes esp-md5-hmac 
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA RA_VPN 
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
crypto map CB ipsec-isakmp 
 set peer IP
 set transform-set CB-3DES-MD5 
 match address 105
!
!
!
!
!
interface Loopback1
 ip address 192.168.245.254 255.255.255.0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Rede Local$ETH-LAN$
 ip address 10.145.0.201 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.100
 description *** VLAN INTERNET ***
 encapsulation dot1Q 100
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 crypto map CB
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!         
ip local pool SDM_POOL_1 192.168.245.1 192.168.245.99
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1.100 overload
!
ip sla auto discovery
access-list 1 permit 10.145.0.0 0.0.0.255
access-list 1 remark == ACL para NAT ==
access-list 1 remark CCP_ACL Category=16
access-list 102 deny   ip 10.145.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 deny   ip 10.145.0.0 0.0.0.255 192.168.245.0 0.0.0.255
access-list 102 permit ip 10.145.0.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 10.145.0.0 0.0.0.255 any
access-list 105 permit ip 10.145.0.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
!
!
!
control-plane
!
!

!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 XXX
 transport input all
!
scheduler allocate 20000 1000
!
!
webvpn gateway gateway_1
 ip address WANIP port 9443  
 http-redirect port 80
 ssl trustpoint TP-self-signed-3470861282
 logging enable
 inservice
 !
webvpn context crivedi
 secondary-color white
 title-color #CCCC66
 text-color black
 aaa authentication list Utilizadores_VPN
 gateway gateway_1
 logging enable
 !
 ssl authenticate verify all
 inservice
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "SDM_POOL_1" netmask 255.255.255.255
   svc keep-client-installed
   svc split include 10.145.0.0 255.255.255.0
 default-group-policy policy_1
!
end
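
Before touching the router, the symptom described above can be pinned down from a client. The script below is an added example, not part of the original post: it runs `openssl s_client` against the gateway and classifies the transcript as "no TLS service answered on that port" (the poster's symptom) versus "TLS handshake completed with a self-signed certificate" (what a working gateway with an IOS self-signed trustpoint looks like from outside). The host and port in the usage comment are placeholders, and the two embedded transcripts are constructed samples, not captures from the poster's router.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): client-side check of an IOS
# WebVPN gateway. Does anything complete a TLS handshake on the gateway port?

# Run openssl s_client against the gateway and emit the raw transcript.
# Needs network access; the offline demonstration below does not call it.
# usage: probe_gateway 203.0.113.1 9443 | classify_s_client   (placeholder host/port)
probe_gateway() {
    local host="$1" port="$2"
    # -servername sends SNI; </dev/null closes stdin so s_client exits after the handshake.
    openssl s_client -connect "${host}:${port}" -servername "${host}" </dev/null 2>&1
}

# Classify an s_client transcript read from stdin. Prints exactly one word:
#   NO_TLS           connection refused/reset or no certificate presented
#   TLS_SELF_SIGNED  handshake completed, peer cert is self-signed (verify code 18)
#   TLS_UNTRUSTED    handshake completed, chain failed verification for another reason
#   TLS_OK           handshake completed and the chain verified
classify_s_client() {
    local out verify code
    out="$(cat)"
    # No PEM block means the TLS server never got as far as sending its certificate.
    if ! printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
        echo NO_TLS
        return 0
    fi
    verify="$(printf '%s\n' "$out" | grep 'Verify return code' | head -n1)"
    code="$(printf '%s\n' "$verify" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p')"
    case "$code" in
        0)  echo TLS_OK ;;
        18) echo TLS_SELF_SIGNED ;;
        *)  echo TLS_UNTRUSTED ;;   # includes a missing verify line: cert seen, never verified
    esac
}

# Constructed transcript: port answers but no TLS service behind it (connection reset).
SAMPLE_NO_TLS='CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 300 bytes
Verify return code: 0 (ok)'

# Constructed transcript: IOS gateway serving its self-signed certificate.
# The PEM body is a placeholder, not a real certificate.
SAMPLE_SELF_SIGNED='CONNECTED(00000003)
depth=0 CN = IOS-Self-Signed-Certificate-3470861282
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:CN = IOS-Self-Signed-Certificate-3470861282
   i:CN = IOS-Self-Signed-Certificate-3470861282
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBplaceholderplaceholderplaceholderplaceholderplaceholder==
-----END CERTIFICATE-----
subject=CN = IOS-Self-Signed-Certificate-3470861282
issuer=CN = IOS-Self-Signed-Certificate-3470861282
---
New, TLSv1.2, Cipher is AES128-SHA
Verify return code: 18 (self signed certificate)
---'

# Offline demonstration on the constructed transcripts.
printf '%s\n' "$SAMPLE_NO_TLS" | classify_s_client        # NO_TLS
printf '%s\n' "$SAMPLE_SELF_SIGNED" | classify_s_client   # TLS_SELF_SIGNED
```

A result of NO_TLS on the configured gateway port, while `http-redirect port 80` still answers, narrows the fault to the gateway's SSL side (listener address, trustpoint or certificate) rather than to routing or an ACL on the WAN interface.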

1 Reply

Hi, 

 

I was able to solve the problem.

I created another self-signed certificate and assigned the new trustpoint to the gateway, and it started to work.

 

Best regards,

João Areias
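
The fix the reply describes, written out as an added example (not the poster's own commands, which the thread does not show): generate a fresh RSA key pair and self-signed trustpoint, enroll it, and bind it to `webvpn gateway gateway_1` from the posted config. The key label, trustpoint name, hostname, domain and CN are placeholders. The `hostname` and `ip domain name` lines are only needed if they are not already set (the poster's config elides that section).

```cisco
! Added example (not from the original thread): rebuild the self-signed
! certificate the WebVPN gateway serves and bind the new trustpoint to it.
! WEBVPN-KEY, WEBVPN-TP, R1941, example.com and vpn.example.com are placeholders.
!
! RSA key generation requires a hostname and domain name to exist.
hostname R1941
ip domain name example.com
!
! A dedicated 2048-bit key pair for the gateway certificate.
crypto key generate rsa label WEBVPN-KEY modulus 2048
!
! Self-signed trustpoint; set the CN to the name clients will actually use.
crypto pki trustpoint WEBVPN-TP
 enrollment selfsigned
 subject-name CN=vpn.example.com
 rsakeypair WEBVPN-KEY
 revocation-check none
!
! Self-sign the certificate for the trustpoint (answer the prompts).
crypto pki enroll WEBVPN-TP
!
! Point the gateway at the new trustpoint and bounce it so the new
! certificate is loaded into the SSL listener.
webvpn gateway gateway_1
 no inservice
 ssl trustpoint WEBVPN-TP
 inservice
!
! Checks after the change:
! show crypto pki certificates WEBVPN-TP   - certificate present, validity dates plausible
! show clock                               - the self-signed cert is stamped from the router
!                                            clock; a wrong clock yields a not-yet-valid cert
! show webvpn gateway gateway_1            - gateway status Up on the configured IP and port
! show ip interface brief                  - GigabitEthernet0/1.100 is DHCP-assigned; the
!                                            address it holds must match the gateway's ip address
! debug webvpn                             - if a client still cannot complete the handshake
```

The `no inservice` / `inservice` pair matters: changing `ssl trustpoint` on a live gateway does not reliably replace the certificate already bound to the listener, so the gateway is taken down and brought back up after the new trustpoint is assigned.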