07-27-2010 07:02 AM
I have a Cisco 888 configured in a dual WAN setup. There is an ADSL link connected to VLAN 100 and an SDSL link connected to Dialer0. The customer wants to use the ADSL link for normal browsing and wants external SSL VPN users to terminate on the SDSL link. I tried to configure the SDSL link as failover for the ADSL connection.
What's working:
- Internet access for the local clients
What's not working:
- Failover of the ADSL link to SDSL.
- SSL VPN access for clients. Surfing to the external IP address only results in a default HTTP page. Specifying /webvpn.html results in a 404 not found error.
Here's my configuration:
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname x
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 x
!
aaa new-model
!
!
aaa authentication login sslvpn local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3964912732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3964912732
revocation-check none
rsakeypair TP-self-signed-3964912732
!
!
crypto pki certificate chain TP-self-signed-3964912732
certificate self-signed 03
x
quit
ip source-route
!
!
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.10.10 192.168.10.20
!
ip dhcp pool ccp-pool
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 213.75.63.36 213.75.63.70
lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name x
no ipv6 cef
!
!
license udi pid CISCO888-K9 sn x
!
!
username ciscoadmin privilege 15 secret 5 x
username vpnuser password 0 x
!
!
controller DSL 0
mode atm
dsl-mode shdsl symmetric annex B
!
interface Loopback1
description SSL dhcp pool gateway address
ip address 192.168.250.1 255.255.255.0
!
interface Loopback2
description SSL VPN website IP address
ip address 10.10.10.1 255.255.255.0
ip policy route-map PBR_SSL
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
pvc KPN 2/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description LAN
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
!
interface Vlan100
description KPN ADSL 20/1
ip address dhcp
ip nat outside
ip virtual-reassembly
!
interface Dialer0
description KPN SDSL 2/2
ip address negotiated
ip access-group INTERNET_ACL in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username x password 0 x
no cdp enable
!
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool SSLVPN-to-SDSL 10.10.10.1 10.10.10.1 netmask 255.255.255.0
ip nat inside source static tcp 10.10.10.1 443 interface Dialer0 443
ip nat inside source static tcp 10.10.10.1 80 interface Dialer0 80
ip nat inside source route-map NAT_ADSL interface Vlan100 overload
ip nat inside source route-map NAT_SDSL pool SSLVPN-to-SDSL overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 0.0.0.0 0.0.0.0 Dialer0 10
!
ip access-list extended INTERNET_ACL
remark Used with CBAC
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit tcp any host 92.64.32.169 eq 443 www
deny ip any any log
ip access-list extended LAN
permit ip 192.168.10.0 0.0.0.255 any
deny ip any any
!
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map NAT_SDSL permit 10
match ip address LAN
match interface Dialer0
!
route-map NAT_ADSL permit 10
match ip address LAN
match interface Vlan100
!
route-map PBR_SSL permit 10
set interface Dialer0
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn gateway MyGateway
hostname d0c
ip address 10.10.10.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-3964912732
inservice
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.0217-k9.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.5.0217-k9.pkg sequence 2
!
webvpn install svc flash:/webvpn/anyconnect-macosx-powerpc-2.5.0217-k9.pkg sequence 3
!
webvpn context SecureMeContext
title "SSL VPN Service"
secondary-color #C0C0C0
title-color #808080
ssl authenticate verify all
!
login-message "VPN"
!
policy group MyDefaultPolicy
functions svc-enabled
svc address-pool "sslvpnpool"
svc keep-client-installed
default-group-policy MyDefaultPolicy
aaa authentication list sslvpn
gateway MyGateway
inservice
!
end
Any suggestions on where to look?
07-28-2010 09:56 AM
The possible issue here could be asymmetric routing. Your outside clients are connecting to the Dialer 10 interface, but since your default route is through the other interface, return traffic is not leaving through the dialer interface.
I would suggest taking this in two steps:
1. Test with one Remote PC and add "ip route.." for that PC's Public IP to leave through Dialer 10.
2. Make sure it works. If it doesn't then you need to focus on the WebVPN part to see what could be wrong. However if this works then it proves WebVPN config is Ok.
3. Now remove the route in Step 2 and you will need to configure a Local Policy for the Router generated traffic (ip local policy
08-03-2010 09:48 AM
I solved one piece of the puzzle:
webvpn gateway MyGateway
hostname d0c
ip address 10.10.10.1 port 443
This is wrong as it should hold the EXTERNAL IP address instead of the internal one. That fixed the WebVPN over the ADSL line. Now all that remains is fixing the routing and making sure the internet connection continues to work even when the VPN is active. For some reason the AnyConnect client applies a default route of 0.0.0.0 to all clients.
To be continued...
08-03-2010 10:03 AM
By default, the AnyConnect client uses "Full Tunneling", which means all traffic needs to go through the router. If you only want specific traffic to be sent through the AnyConnect client then use "Split-Tunneling", which can be configured as below:
webvpn context X
policy group Y
svc split include
svc split include
...
Naman
08-04-2010 05:48 AM
Good tip Naman, the route is now shown correctly in the connection details, but despite the correct route, traffic to the internet is still impossible. These are the connection statistics:
Protocol Info
Active Protocol
Protocol Cipher: RSA_AES_128_SHA1
Protocol Compression: None
Protocol State: Connected
Protocol: TLS
Routes
Secure Routes
192.168.10.0 255.255.255.0
Firewall Rules
Am I missing something common? It is my first WebVPN setup (used to do EasyVPN). Thanks for your help.
08-05-2010 07:37 AM
Hi,
Below shows that 'only' traffic to the 192.168.10.X network is being sent through the AnyConnect tunnel and all Internet traffic will leave through the local connection. So the only other reason I can think of is that you are not assigning the user a correct DNS server address?
The DNS Server is assigned using
webvpn context X
policy group Y
svc dns-server primary
svc dns-server secondary
Make sure that the DNS server you assign is reachable and can resolve names.
You can also make sure that it's actually a DNS issue by trying to "ping 4.2.2.1" as a test from the client PC.
Naman
08-05-2010 08:01 AM
I found out what was wrong 15 minutes ago, I activated an ACL in that policy as well that was conflicting. After I removed that the split tunnel worked flawlessly except for the DNS problem you also pointed out. Instead of pointing to a DNS server I would like the VPN clients to use their own DNS and not resolve anything through the gateway. I tried the following:
webvpn context SecureMeContext
title "VPN Service"
secondary-color orange
title-color black
ssl authenticate verify all
!
login-message "VPN"
!
policy group MyDefaultPolicy
functions svc-enabled
svc address-pool "sslvpnpool"
svc keep-client-installed
svc split dns "theirdomain.local"
svc split include 192.168.x.0 255.255.255.0
default-group-policy MyDefaultPolicy
aaa authentication list sslvpn
gateway MyGateway
inservice
This doesn't seem to work, do you have any other suggestions?
08-05-2010 09:14 AM
Hi,
This works for me. When the client is trying to resolve the FQDN for the domain specified in "svc split dns..", it will contact the DNS server assigned through the tunnel. For all other queries, it contacts the DNS outside the tunnel.
You can run a packet capture on the physical interface on the client to see the DNS query leaving?
Also, in some home routers the DNS is assigned as the router itself (which usually is a 192.168.X.X address), so you want to make sure that the DNS server being assigned is not part of the split tunnel.
Naman
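As an added example (not code from this thread, from Naman or from Cisco), the following script turns the behaviour described above into a check you can run against a policy group copied out of "show running-config": names under the "svc split dns" domain go to the tunnel-assigned resolver, everything else to the client's local resolver, and a query only enters the tunnel when its resolver's address falls inside an "svc split include" prefix. The policy snippet, the home-router resolver addresses and the query names are constructed for the demonstration.

```python
"""Split-tunnel DNS check for a WebVPN/AnyConnect policy group.

Added example, not from the original thread or from Cisco. It parses a
constructed policy-group snippet (values follow the thread's policy
group), then applies the split-DNS behaviour described by Naman and
flags the home-router pitfall he mentions.
"""
import ipaddress
import re

# Constructed snippet; values modelled on the thread's policy group.
POLICY = """\
policy group MyDefaultPolicy
 functions svc-enabled
 svc address-pool "sslvpnpool"
 svc keep-client-installed
 svc split dns "theirdomain.local"
 svc split include 192.168.10.0 255.255.255.0
 svc dns-server primary 8.8.8.8
 svc dns-server secondary 8.8.4.4
"""

def parse_policy(text):
    """Pull split-include prefixes, split-dns domains and assigned resolvers."""
    policy = {"include": [], "split_dns": [], "dns": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"svc split include (\S+) (\S+)", line)
        if m:
            # ipaddress accepts a dotted netmask after the slash.
            policy["include"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
            continue
        m = re.fullmatch(r'svc split dns "?([^"\s]+)"?', line)
        if m:
            policy["split_dns"].append(m[1].lower())
            continue
        m = re.fullmatch(r"svc dns-server (primary|secondary) (\S+)", line)
        if m:
            policy["dns"][m[1]] = ipaddress.ip_address(m[2])
    return policy

def through_tunnel(policy, addr):
    """True when packets to addr are covered by a split-include prefix."""
    a = ipaddress.ip_address(addr)
    return any(a in prefix for prefix in policy["include"])

def resolver_for(policy, local_dns, qname):
    """Return (resolver address, 'tunnel' | 'local') for one query."""
    name = qname.lower().rstrip(".")
    split = any(name == d or name.endswith("." + d) for d in policy["split_dns"])
    if split and "primary" in policy["dns"]:
        server = policy["dns"]["primary"]
    else:
        server = ipaddress.ip_address(local_dns)
    return str(server), ("tunnel" if through_tunnel(policy, server) else "local")

def audit(policy, local_dns):
    """Findings worth fixing before rolling the policy out.

    local-dns-inside-tunnel: the client's own resolver (often the home
    router at 192.168.x.1) sits inside a split-include prefix, so all
    of its ordinary DNS traffic is pulled into the tunnel.
    split-dns-server-outside-tunnel: a resolver assigned for the split
    domain is not reachable through the tunnel, so internal names are
    looked up on the open Internet.
    """
    findings = []
    if through_tunnel(policy, local_dns):
        findings.append("local-dns-inside-tunnel")
    for role, server in policy["dns"].items():
        if policy["split_dns"] and not through_tunnel(policy, server):
            findings.append(f"split-dns-server-outside-tunnel:{role}")
    return findings

if __name__ == "__main__":
    p = parse_policy(POLICY)
    # Constructed local resolvers: a typical home router, and one that
    # collides with the customer's 192.168.10.0/24 LAN.
    for local in ("192.168.1.1", "192.168.10.1"):
        print(local, audit(p, local))
        for q in ("www.example.com", "fileserver.theirdomain.local"):
            print("  ", q, "->", resolver_for(p, local, q))
```

The second local resolver (192.168.10.1) shows the pitfall from this post: because the customer's LAN is 192.168.10.0/24, a remote user whose home router also uses that range has every DNS query captured by the split-include route.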
08-05-2010 10:55 AM
It works for me too, but only with the AnyConnect client on Windows. The Mac version of AnyConnect does not receive/interpret the split-dns command, or so it seems, so I'm stuck halfway. I might open a TAC case for this as the setup does work correctly.
08-05-2010 02:02 PM
Just got a reply from Cisco, this is a confirmed bug [CSCtf20226] in Mac OS X 10.6. Their workaround is to explicitly define external DNS servers. I used the Google public DNS servers and this indeed works as expected.
(config-webvpn-group)#svc dns-server primary 8.8.8.8
(config-webvpn-group)#svc dns-server secondary 8.8.4.4
Now all I need to do is fix routing the VPN traffic over the other interface.
09-22-2010 05:29 AM
With the help of user halijenn I have been able to solve the dual WAN problem. It turns out that the WebVPN interface *NEEDS* to be terminated on the default gateway or else it will not work. The obvious workaround is to make a route-map for all traffic except the WebVPN traffic so the default gateway can be set to the secondary interface and the WebVPN will work. I've posted my full config for anyone who ran into the same problem.
I've had stability problems (WebVPN would stop working) with the latest 15.1-2T1 version and downgraded to 15.0-1M3. I've also upgraded to the latest AnyConnect client (2.5.0.1025).
Thanks everyone who helped me.
S.
---
Current configuration : 6478 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxx
!
boot-start-marker
boot system flash:c880data-universalk9-mz.150-1.M3.bin
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login sslvpn local
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
no ip source-route
!
!
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.10.10 192.168.10.20
!
ip dhcp pool ccp-pool
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 213.x.x.x 213.x.x.x
lease 0 2
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO888-K9 sn FCZ1426C1EX
!
!
controller DSL 0
mode atm
dsl-mode shdsl symmetric annex B
!
interface Loopback1
description SSL dhcp pool gateway address
ip address 192.168.250.1 255.255.255.0
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 2/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description LAN
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map NonSSLOut
!
interface Vlan100
ip address 188.x.x.67 255.255.255.248
ip nat outside
ip virtual-reassembly
!
interface Dialer1
ip address 92.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 2
ppp authentication pap callin
ppp pap sent-username xxx password 0 xxx
no cdp enable
!
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended LAN-only
deny ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
!
access-list 10 permit 192.168.250.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
!
!
!
route-map NonSSLOut permit 10
match ip address LAN-only
set ip default next-hop 188.x.x.x
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn gateway MyGateway
ip address 92.x.x.x port 443
http-redirect port 80
ssl trustpoint TP-self-signed-3964912732
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.5.1025-k9.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.5.1025-k9.pkg sequence 2
!
webvpn install svc flash:/webvpn/anyconnect-macosx-powerpc-2.5.1025-k9.pkg sequence 3
!
webvpn context SecureMeContext
ssl authenticate verify all
!
!
policy group MyDefaultPolicy
functions svc-enabled
svc address-pool "sslvpnpool"
svc keep-client-installed
svc split include 192.168.10.0 255.255.255.0
svc dns-server primary 8.8.8.8
svc dns-server secondary 8.8.4.4
default-group-policy MyDefaultPolicy
aaa authentication list sslvpn
gateway MyGateway
inservice
!
end
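As an added example (not code from this thread, from halijenn or from Cisco IOS), the script below simulates the egress decision the final config makes for a few constructed flows, so the reason the WebVPN gateway must sit on the default route becomes visible. It models first-match ACL evaluation, longest-prefix route lookup, and the rule that "set ip default next-hop" in a policy route-map applies only when the routing table holds nothing more specific than the default route for the destination. The addresses masked with "x" in the posted config are replaced by RFC 5737 documentation placeholders, which are assumptions, as is the /32 host route that stands in for one connected AnyConnect client.

```python
"""Egress simulation for the dual-WAN / WebVPN design in this thread.

Added example; not code from the thread, from halijenn or from Cisco
IOS. It models first-match ACL evaluation, longest-prefix RIB lookup
and the 'set ip default next-hop' rule from the final config, and
contrasts it with the first post's routing table to show the
asymmetric-routing problem Naman diagnosed.
"""
import ipaddress

def net(s):
    return ipaddress.ip_network(s, strict=False)

# Constructed RIB for the final config. Placeholders: 192.0.2.64/29 for
# the masked 188.x.x.67/29 ADSL subnet, 198.51.100.8/29 for the masked
# 92.x.x.x/29 SDSL subnet, plus one /32 host route standing in for a
# connected AnyConnect client session.
FINAL_RIB = [
    (net("0.0.0.0/0"), "Dialer1"),          # ip route 0.0.0.0 0.0.0.0 Dialer1
    (net("192.168.10.0/24"), "Vlan1"),      # connected LAN
    (net("192.168.250.0/24"), "Loopback1"), # SSL VPN pool gateway
    (net("192.168.250.5/32"), "SSLVPN"),    # connected client (constructed)
    (net("192.0.2.64/29"), "Vlan100"),      # ADSL (placeholder subnet)
    (net("198.51.100.8/29"), "Dialer1"),    # SDSL (placeholder subnet)
]
# The first post's routing: default route pointing at the ADSL next-hop.
ORIGINAL_RIB = [(net("0.0.0.0/0"), "Vlan100")] + FINAL_RIB[1:]

ADSL_NEXT_HOP = "192.0.2.65"  # placeholder for 'set ip default next-hop 188.x.x.x'

# ip access-list extended LAN-only, as in the final config.
LAN_ONLY = [
    ("deny", net("192.168.10.0/24"), net("192.168.250.0/24")),
    ("permit", net("192.168.10.0/24"), net("0.0.0.0/0")),
]

def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def rib_lookup(rib, dst):
    """Longest-prefix match; returns (prefix, egress interface)."""
    d = ipaddress.ip_address(dst)
    return max((e for e in rib if d in e[0]), key=lambda e: e[0].prefixlen)

def egress(rib, ingress, src, dst, pbr_on="Vlan1"):
    """Return (interface, reason) for one packet.

    Policy routing applies only to packets arriving on the interface
    that carries 'ip policy route-map NonSSLOut'. Router-generated
    traffic (ingress None), including the WebVPN gateway's own replies,
    is never policy routed because the config has no 'ip local policy'.
    """
    prefix, iface = rib_lookup(rib, dst)
    if ingress is not None and ingress == pbr_on and acl_permits(LAN_ONLY, src, dst):
        if prefix.prefixlen == 0:  # only the default route matched
            return "Vlan100", f"pbr default next-hop {ADSL_NEXT_HOP}"
        return iface, "rib (specific route beats default next-hop)"
    return iface, "rib"

if __name__ == "__main__":
    # Constructed flows: LAN browsing, LAN to a VPN client, the router's
    # WebVPN reply to a remote user, and a VPN client reaching the LAN.
    flows = [
        ("Vlan1", "192.168.10.50", "203.0.113.10"),
        ("Vlan1", "192.168.10.50", "192.168.250.5"),
        (None, "198.51.100.10", "203.0.113.7"),
        ("SSLVPN", "192.168.250.5", "192.168.10.20"),
    ]
    for label, rib, pbr_on in (("original", ORIGINAL_RIB, None), ("final", FINAL_RIB, "Vlan1")):
        for ingress, src, dst in flows:
            print(label, ingress, src, "->", dst, egress(rib, ingress, src, dst, pbr_on))
```

Running it shows the two outcomes that matter: with the original routing table the router's own WebVPN reply (sourced from the SDSL address) leaves via the ADSL link, which is the asymmetric routing from Naman's first reply; with the final config the LAN's browsing is policy-routed to the ADSL next-hop while the gateway's replies follow the default route back out of Dialer1. The LAN-to-VPN-client flow reaches the client either way, because the ACL denies it from policy routing and, even without that deny, the host route is more specific than the default.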