Full tunneling with AnyConnect Client and Cisco 881

Tenere
Level 1

Hello out there,

After spending some hours trying to implement full tunneling with the AnyConnect client on a Cisco 881 running software 12.4(24)T4, I am out of ideas.

I looked for documents and related posts here in the community but didn't find what I was looking for.

I used http://www.cisco.com/en/US/products/ps8411/products_configuration_example09186a0080b25941.shtml, http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a0080720346.shtml and http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_sslug.html in order to get the client machine in the LAN behind the 881 and to tunnel all traffic through the 881.

I was able to connect the client machine via AnyConnect to the 881 and was able to ping the inside interface of the 881 but was neither able to ping any other machine in the LAN nor to ping any machine in the WAN.

Being used to using ASAs for this purpose, I am not familiar with AnyConnect and Cisco IOS.

I highly appreciate any comment which leads me in the right direction and gets the scenario up and running.

Best regards and thanks in advance,

Joerg

4 Replies

Jennifer Halim
Cisco Employee

1) The IP pool subnet needs to be in a different subnet than the internal network.

2) Similar to ASA, NAT exemption needs to be configured on the router. Currently your ACL 105 only has permit statements. You would need to create a deny statement between the internal networks and the AnyConnect ip pool subnet. ACL 105 should look like this:

! deny (NAT exemption) for LAN -> AnyConnect pool must come first;
! <pool-network> <pool-wildcard> stand for the AnyConnect pool subnet, which is not shown in the thread
access-list 105 deny ip 172.200.200.0 0.0.0.255 <pool-network> <pool-wildcard>
! everything else from the LAN is translated
access-list 105 permit ip 172.200.200.0 0.0.0.255 any

3) ZBFW configuration needs to have the action of "inspect" instead of "pass":

policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
  inspect

Hope that resolves the issue.
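Points 1) and 2) above are easy to get wrong, so here is an added checker (not part of the thread or of Cisco's documentation) that parses `access-list N permit|deny ip ...` lines the way IOS evaluates them, top-down with first match wins, and reports whether the pool overlaps the LAN and whether LAN-to-pool traffic hits a deny before the NAT permit. The LAN 172.200.200.0/24 comes from the ACL in the reply; the pool 172.200.201.0/24 and the three sample ACLs are constructed assumptions.

```python
import ipaddress

# Constructed example values, not taken from the thread: the LAN is the
# 172.200.200.0/24 network from the reply's ACL; the AnyConnect pool
# 172.200.201.0/24 is an assumption.
LAN = ipaddress.ip_network("172.200.200.0/24")
POOL = ipaddress.ip_network("172.200.201.0/24")

# ACL 105 as the reply says it should look: the deny (NAT exemption)
# for LAN -> pool traffic sits above the permit that drives NAT.
GOOD_ACL = """
access-list 105 deny ip 172.200.200.0 0.0.0.255 172.200.201.0 0.0.0.255
access-list 105 permit ip 172.200.200.0 0.0.0.255 any
"""
# Only the permit: LAN -> pool traffic gets translated and replies break.
PERMIT_ONLY_ACL = """
access-list 105 permit ip 172.200.200.0 0.0.0.255 any
"""
# Deny present but below the permit: first match wins, so it never fires.
WRONG_ORDER_ACL = """
access-list 105 permit ip 172.200.200.0 0.0.0.255 any
access-list 105 deny ip 172.200.200.0 0.0.0.255 172.200.201.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an ip_network.
    Assumes a contiguous wildcard (0.0.0.255 style), which is all we need here."""
    wc = int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST'; return None for other lines."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        return None
    if tokens[2] not in ("permit", "deny"):
        return None
    src, rest = _take_addr(tokens[4:])
    dst, _ = _take_addr(rest)
    return {"acl": tokens[1], "action": tokens[2], "src": src, "dst": dst}


def pool_overlaps_lan(lan, pool):
    """Point 1 of the reply: the pool must not lie inside (or overlap) the LAN."""
    return lan.overlaps(pool)


def nat_exemption_ok(acl_text, lan, pool):
    """Point 2 of the reply: walk the ACL top-down, first match wins.
    LAN -> pool traffic must hit a deny before any permit; with no matching
    ACE the implicit deny applies and the traffic is likewise not translated."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace and ace["src"].overlaps(lan) and ace["dst"].overlaps(pool):
            return ace["action"] == "deny"
    return True


def audit(acl_text, lan=LAN, pool=POOL):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if pool_overlaps_lan(lan, pool):
        findings.append(f"pool {pool} overlaps internal network {lan}")
    if not nat_exemption_ok(acl_text, lan, pool):
        findings.append(f"NAT ACL translates {lan} -> {pool}; add a deny above the permit")
    return findings


if __name__ == "__main__":
    samples = [("good", GOOD_ACL), ("permit-only", PERMIT_ONLY_ACL), ("wrong-order", WRONG_ORDER_ACL)]
    for name, acl in samples:
        print(name, audit(acl) or "OK")
    # a pool carved out of the LAN itself fails point 1
    print("overlapping pool", audit(GOOD_ACL, pool=ipaddress.ip_network("172.200.200.128/25")))
```

Feed it the `access-list` lines from a running config; anything that is not a plain `permit|deny ip` ACE is skipped, so `ip nat inside source list 105 ...` lines do no harm.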

Hi Jennifer,

thanks for the answer. Unfortunately I was not able to answer during the last weeks.

Unfortunately these hints didn't solve my problem...

I changed the IP pool, the access list and the policy map but I still can't ping the host in the LAN and stations in the WAN.

What also looks strange is the gateway address the laptop running the Cisco AnyConnect client has been assigned...

Ethernet-Adapter LAN-Verbindung 2:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
   Physikalische Adresse . . . . . . : 00-05-9C-3C-3A-00
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse  . : fe80::8ccb:a6f9:fed3:d47d%18(Bevorzugt)
   IPv4-Adresse  . . . . . . . . . . : 172.200.201.1(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.255
   Standardgateway . . . . . . . . . : 172.200.201.3
   DHCPv6-IAID . . . . . . . . . . . : 268436890
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-13-45-64-A1-00-24-7E-DB-49-C6
   DNS-Server  . . . . . . . . . . . : 194.25.0.52
                                       194.25.0.60
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

Any more ideas???

I have no clues any more...

Best regards,

Joerg

The out-zone to self zone is incorrect.

Here is the class-map:

class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 106

You would need to change it to the following:

class-map type inspect match-any sdm-access
match class-map sdm-cls-access
match access-group 106
match class-map SDM_VPN_TRAFFIC
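The difference between `match-all` and `match-any` is the whole point of this reply, so here is an added simulation (not from the thread; Cisco IOS itself does the real classification) of how a class-map with nested class-maps evaluates a flow under each mode. The thread does not show ACL 106, sdm-cls-access or SDM_VPN_TRAFFIC, so their contents are assumptions: SSH to the router for the first two and HTTPS (what the SSL VPN client talks) for the third. The addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed addresses from documentation ranges; not from the thread.
ROUTER_OUTSIDE = ipaddress.ip_address("203.0.113.1")
CLIENT = ipaddress.ip_address("198.51.100.7")


def _to_router(flow, dport):
    return flow["dst"] == ROUTER_OUTSIDE and flow["proto"] == "tcp" and flow["dport"] == dport


# Assumed contents of the referenced objects (the thread does not show them):
# ACL 106 and sdm-cls-access cover SSH management to the router,
# SDM_VPN_TRAFFIC covers HTTPS, which the SSL VPN / AnyConnect client uses.
def acl_106(flow):
    return _to_router(flow, 22)


def sslvpn(flow):
    return _to_router(flow, 443)


# A class-map is (mode, [criteria]); a criterion is ("access-group", predicate)
# or ("class-map", name) for a nested class-map.
BASE_CLASS_MAPS = {
    "sdm-cls-access": ("match-any", [("access-group", acl_106)]),
    "SDM_VPN_TRAFFIC": ("match-any", [("access-group", sslvpn)]),
}


def sdm_access(mode, with_vpn):
    """Build the sdm-access class-map from the thread with the given mode,
    with or without the added 'match class-map SDM_VPN_TRAFFIC' line."""
    criteria = [("class-map", "sdm-cls-access"), ("access-group", acl_106)]
    if with_vpn:
        criteria.append(("class-map", "SDM_VPN_TRAFFIC"))
    return (mode, criteria)


def matches(name, flow, class_maps):
    """match-all: every criterion must match; match-any: one match is enough.
    Nested class-maps are evaluated recursively with their own mode."""
    mode, criteria = class_maps[name]
    results = [
        matches(ref, flow, class_maps) if kind == "class-map" else ref(flow)
        for kind, ref in criteria
    ]
    return all(results) if mode == "match-all" else any(results)


def classify(flow, mode, with_vpn=True):
    """Would this flow be classified by sdm-access (and so reach its policy)?"""
    class_maps = dict(BASE_CLASS_MAPS)
    class_maps["sdm-access"] = sdm_access(mode, with_vpn)
    return matches("sdm-access", flow, class_maps)


# Constructed flows: an AnyConnect connection and an SSH session to the router.
ANYCONNECT_FLOW = {"src": CLIENT, "dst": ROUTER_OUTSIDE, "proto": "tcp", "dport": 443}
SSH_FLOW = {"src": CLIENT, "dst": ROUTER_OUTSIDE, "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    for label, flow in [("anyconnect", ANYCONNECT_FLOW), ("ssh", SSH_FLOW)]:
        for mode in ("match-all", "match-any"):
            print(f"{label:10} {mode}: {classify(flow, mode)}")
```

With `match-all`, a flow has to satisfy the SSH criteria and the HTTPS criterion at the same time, which no single flow can, so neither flow is classified; with `match-any`, each flow is classified by the one criterion it does satisfy.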

Thanks again for the help.

I changed the config according to the last posting.

Unfortunately it didn't work... I have no access to the machine any more, neither via SSH nor with the AnyConnect client...

Any light at the end of the tunnel...?????

I am sorry that I seem to be too stupid to get this scenario up and running...

Cheers,

Joerg