Full tunnel SSL VPN on ISR 1941W

Benso2013
Level 1

I have all the necessary licenses on 1941W but I can't seem to get this SSL VPN configuration working properly. The device is being used as my main home router. I followed this Cisco document to do my configuration. From work or outside the house, I can connect to the VPN Gateway. However, I can't get to any devices on the home network, nor can I reach the internet even though I'm set up in a full tunnel.

I'm hoping someone can look at my config and let me know what I'm missing.

Thanks.

I've removed and hidden some sensitive data.

hostname RBRouter
!
boot-start-marker
boot system flash0:/c1900-universalk9-mz.SPA.152-4.M6a.bin
boot-end-marker
!
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
service-module wlan-ap 0 bootimage autonomous
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.110 192.168.1.254
!
ip dhcp pool LAN-WLAN-POOL
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
domain-name HomeNet
lease 14
!
ip dhcp pool GUEST_WLAN
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 192.168.1.1
lease 2
!
ip domain lookup source-interface Vlan1
ip domain name HomeNet
ip host DigiCM 192.168.1.200
ip host HikNVR 192.168.1.105
ip host vcenter001 192.168.1.75
ip host SNMP-Syslog 192.168.1.207
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ip igmp snooping
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2788177606
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2788177606
revocation-check none
rsakeypair TP-self-signed-2788177606
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1941W-A/K9 sn <hidden>
license accept end user agreement
hw-module ism 0
!
!
!
archive
log config
hidekeys
path tftp://192.168.1.100/RBRouter/RBrouter
write-memory
time-period 10080
vtp domain ImEdge
vtp mode transparent
username admin privilege 15 secret 5 <hidden>.
!
redundancy
!
!
!
!
!
vlan 10
name private-vlan10
!
vlan 20
name private-5GVlan20
!
vlan 40
name guest-vlan40
!
no ip ftp passive
ip ssh version 2
!
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
!
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
!
zone security sslvpn-zone
!
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.1.04011-k9.pkg sequence 1
!
!
!
!
bridge irb
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip access-group BLOCK_INCOMING_DNS in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 11.11.11.11 255.255.255.255
ip nat inside
ip virtual-reassembly in
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
bridge-group 1
!
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 10
switchport mode trunk
no ip address
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface Virtual-Template1
no ip address
!
interface Virtual-Template2
ip unnumbered GigabitEthernet0/0
zone-member security sslvpn-zone
!
interface Vlan1
description $ES_LAN$
no ip address
ip nat inside
ip virtual-reassembly in
bridge-group 1
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local pool VPN_POOL 10.10.20.1 10.10.20.5
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 100
sort-by bytes
cache-timeout 360
!
ip dns server
ip nat inside source list NAT_THESE_TO_INTERNET interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 <hidden> 254
!
ip access-list standard Block_Incoming_SSH
permit 192.168.1.0 0.0.0.255 log
deny any log
!
ip access-list extended BLOCK_INCOMING_DNS
remark CCP_ACL Category=17
permit tcp any host <hidden> eq 443
permit tcp 192.168.1.0 0.0.0.255 host <hidden> eq domain
permit udp 192.168.1.0 0.0.0.255 host <hidden> eq domain
permit tcp 8.8.8.0 0.0.0.255 host <hidden> eq domain
permit udp 8.8.8.0 0.0.0.255 host <hidden> eq domain
deny tcp any host <hidden> eq domain log
deny udp any host <hidden> eq domain log
permit ip any any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended NAT_THESE_TO_INTERNET
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.40.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended VPN_ACL
permit ip 10.10.20.0 0.0.0.255 any
!
logging host 192.168.1.100
logging host 192.168.1.207
!
!
snmp-server community nemc RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps envmon
snmp-server enable traps entity-sensor threshold
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps syslog
snmp-server host 192.168.1.207 nemc
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
access-class Block_Incoming_SSH in
exec-timeout 30 0
password 7 <hidden>
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server time.nist.gov
!
!
webvpn gateway gateway_1
ip address <hidden> port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2788177606
inservice
!
webvpn context Home_VPN
secondary-color white
title-color #669999
text-color black
virtual-template 2
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
!
ssl authenticate verify all
inservice
!
policy group policy_1
functions svc-enabled
svc address-pool "VPN_POOL" netmask 255.255.255.255
svc default-domain "Homenet"
svc keep-client-installed
svc dns-server primary 8.8.8.8
default-group-policy policy_1
!
end

13 Replies

Philip D'Ath
VIP Alumni

The split tunnel list goes here:

webvpn context Home_VPN
  policy group policy_1
    svc split include 192.168.10.0 255.255.255.0

I like the idea of using a loopback for the virtual-template interface; however, I don't want to set up a split tunnel. I want both my VPN and my internet to go through the tunnel. That's why I was going for the full tunnel.

Is that not possible? The fact that I can't access the internet or local LAN leads me to believe that this might be related to NAT.

You need to add an "ip nat inside" to the Virtual-Template interface, and to configure NAT to treat this like an inside interface.

I added this NAT statement but I still can't get to the internet or my local LAN in full tunnel mode.

ip nat inside source list VPN_ACL interface gi0/0 overload
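Added example, not from the thread or from Cisco: a small Python checker for the two conditions named in the replies above (an "ip nat inside" on the Virtual-Template, and the address pool permitted by an ACL referenced from "ip nat inside source list"), run over a constructed, re-indented excerpt of the posted config. It assumes standard "show running-config" indentation and checks only those two points, not the zone-based firewall or routing.

```python
import ipaddress, re

# Constructed excerpt of the posted running-config, indented as "show run" prints it.
CONFIG = """\
interface Virtual-Template2
 ip unnumbered GigabitEthernet0/0
ip local pool VPN_POOL 10.10.20.1 10.10.20.5
ip nat inside source list NAT_THESE_TO_INTERNET interface GigabitEthernet0/0 overload
ip access-list extended NAT_THESE_TO_INTERNET
 permit ip 192.168.1.0 0.0.0.255 any
"""

def parse_blocks(cfg):
    """Group an IOS config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for line in cfg.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith(("!", " ")):
            blocks.append((line.strip(), []))
    return blocks

def acl_permits(entries, net):
    """True if a 'permit ip <addr> <wildcard> any' / 'permit ip any any' entry covers net."""
    for p in (e.split() for e in entries):
        if p[:2] != ["permit", "ip"]:
            continue
        if p[2] == "any":
            return True
        host_bits = int(ipaddress.ip_address(p[3])).bit_length()  # wildcard 0.0.0.255 -> 8
        if net.subnet_of(ipaddress.ip_network((p[2], 32 - host_bits), strict=False)):
            return True
    return False

def full_tunnel_nat_findings(cfg):
    """Report Virtual-Templates lacking 'ip nat inside' and pools no NAT source ACL permits."""
    pools, nat_lists, acls, findings = {}, [], {}, []
    for header, body in parse_blocks(cfg):
        if m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", header):
            lo, hi = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
            pools[m[1]] = list(ipaddress.summarize_address_range(lo, hi))
        elif m := re.match(r"ip nat inside source list (\S+) ", header):
            nat_lists.append(m[1])
        elif m := re.match(r"ip access-list extended (\S+)$", header):
            acls[m[1]] = body
        elif header.startswith("interface Virtual-Template") and "ip nat inside" not in body:
            findings.append(f"{header}: missing 'ip nat inside'")
    for name, nets in pools.items():  # every address of the pool must be permitted
        if not all(any(acl_permits(acls.get(a, []), n) for a in nat_lists) for n in nets):
            findings.append(f"pool {name}: not permitted by any NAT inside source list")
    return findings
```

Adding the VPN_ACL NAT statement from the post above clears the pool finding but not the Virtual-Template one, which is the check to run next.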

I think that should be working. What software version are you using on your 1941?

c1900-universalk9-mz.SPA.152-4.M6a.bin

Unfortunately not. My Smart Net expired.

Anyone else have any input on this issue? I could really use some help in solving this issue.

Thanks

In case anyone else is in the same predicament. This is what I did to get this working.

Thanks for your input Philip.

I used the following config from www.firewall.cx.

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/904-cisco-router-anyconnect-webvpn.html

aaa new-model
aaa authentication login sslvpn local
!
username chris secret firewall.cx
!
crypto key generate rsa label my-rsa-keys modulus 1024 
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.00495-k9.pkg sequence 1

!
ip local pool webvpn-pool 192.168.9.80 192.168.9.85
!
webvpn gateway Cisco-WebVPN-Gateway
 ip address 74.200.90.5 port 443 
 ssl encryption rc4-md5
 ssl trustpoint my-trustpoint
 inservice
 !
webvpn context Cisco-WebVPN
 title "Firewall.cx WebVPN Gateway"
 !
 acl "ssl-acl"
   permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0
 login-message "Cisco Secure WebVPN"
 !
 policy group webvpnpolicy
   functions svc-required
   functions svc-enabled
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc rekey method new-tunnel
   svc split include 192.168.9.0 255.255.255.0
 default-group-policy webvpnpolicy
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 max-users 2
 !
 ssl authenticate verify all
 !
 url-list "rewrite"
 inservice

Try adding in the loopback anyway. I have that in all my configs that work.

Philip D'Ath
VIP Alumni

I normally use a Loopback interface for Virtual-Template2. Not sure how important this is.

interface Loopback0
ip address 10.10.20.254 255.255.255.255

interface Virtual-Template2
ip unnumbered Loopback0

Philip D'Ath
VIP Alumni

Also it will only work when connected from the outside.