How to set the DTG for anyconnect on ISR(C892)?

Junichi Yoshida
Level 1

Hello.

 

Let me know if you have any experience or a solution for this issue.

My customer wants to connect from internet to their own C892 with Cisco Anyconnect.

The setting is complete, and they can connect to the LAN via VPN.

 

But they need to use the global IP of the C892 to connect to AWS over the internet.

So I removed the split tunnel config on the ISR, but it is not working yet.

 

I think I need to add a DTG config like the ASA config below.

 

route inside 0 0 <LAN IP> tunneled

 

Please let me know if you have any advice for this issue.

 

Thank you.

 

Please refer to the config below. Some configuration is skipped.

 

Global IP : 1.1.1.1 (Temp) via PPPoE

Anyconnect VPN IP : 192.168.11.200 ~ 250/24

LAN IP : 192.168.11.254/24

 

-----------------------------------------------------------------------------

aaa authentication login LOCAL_ANYCON local
!
!
!
!
!
aaa session-id common
clock timezone JST 9 0
!
crypto pki server LOCAL_CA
 no database archive
 issuer-name cn="1.1.1.1"
 grant auto
 lifetime certificate 3650
 lifetime ca-certificate 3650
 eku server-auth 
!
crypto pki trustpoint LOCAL_CA
 revocation-check crl
 rsakeypair LOCAL_CA
!
crypto pki trustpoint ha_SERVER_CERT
 enrollment url http://1.1.1.1:80
 subject-name cn="1.1.1.1"
 revocation-check crl
 rsakeypair ha_SERVER_CERT
!
!
crypto pki certificate chain LOCAL_CA
 certificate ca 01
  quit
crypto pki certificate chain Ha_SERVER_CERT
 certificate 02
  quit
 certificate ca 01
  quit
!
!
!
!
!
ip dhcp excluded-address 192.168.11.1
ip dhcp excluded-address 192.168.11.11 192.168.11.12
ip dhcp excluded-address 192.168.11.254
ip dhcp excluded-address 192.168.11.100 192.168.11.250
!
ip dhcp pool HA
!
ip dhcp pool Ha
 network 192.168.11.0 255.255.255.0
 default-router 192.168.11.254 
 dns-server 202.234.232.6 221.113.139.250 
!
!
!
ip domain name ha.local
ip name-server 202.234.232.6
ip name-server 221.113.139.250
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C892FSP-K9 sn FGL192723AE
!
!
username actest1 password 7 070C285F4D06485744
username huser password 7 112118371314021945
!
crypto vpn anyconnect flash:/webvpn/anyconnect-macosx-i386-3.1.10010-k9.pkg sequence 1
!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-3.1.10010-k9.pkg sequence 2
!
!
!
!
!
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet9
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1414
!
interface Dialer1
 ip address negotiated
 ip mtu 1454
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname cisco@bizf.ocn.ne.jp
 ppp chap password cisco
!
ip local pool ha_ANYCON 192.168.11.200 192.168.11.250
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
!
access-list 1 permit 192.168.11.0 0.0.0.255
!
!
!
control-plane
!
!
!
webvpn gateway WG_ANYCON
 ip address 1.1.1.1 port 443  
 ssl trustpoint ha_SERVER_CERT
 inservice
 !
webvpn context WC_ANYCON
 gateway WG_ANYCON
 !
 ssl authenticate verify all
 inservice
 !
 policy group PG_ANYCON
   functions svc-enabled
   functions svc-required
   svc address-pool "ha_ANYCON" netmask 255.255.255.0
   svc keep-client-installed
   svc dpd-interval gateway 30
   svc keepalive 300
   svc dns-server primary 202.243.232.6
   svc dns-server secondary 221.113.139.250
 default-group-policy PG_ANYCON
!
end
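As an added check (not from the thread, and not Cisco's own tooling), the following Python script parses the parts of the posted config that decide whether AnyConnect client traffic is NATed to the Dialer1 address: it reports whether the pool is covered by the NAT ACL and which interfaces carry `ip nat inside`. The assumption that SSL VPN client traffic enters through a webvpn Virtual-Template interface (which therefore needs `ip nat inside`) is mine, and the config excerpt is constructed from the post.

```python
import ipaddress
import re

# Constructed excerpt of the C892 config posted above: pool, LAN, WAN and NAT lines only.
SAMPLE_CONFIG = """
interface Vlan1
 ip address 192.168.11.254 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
ip local pool ha_ANYCON 192.168.11.200 192.168.11.250
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.11.0 0.0.0.255
"""


def parse_config(text):
    """Extract the pieces that decide whether VPN client traffic is NATed to the WAN IP."""
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", text, re.M)}
    acls = {}
    for m in re.finditer(r"^access-list (\d+) permit (\S+) (\S+)", text, re.M):
        # Standard ACLs use a wildcard (host) mask, which ip_network accepts directly.
        acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
    nat_lists = re.findall(r"^ip nat inside source list (\d+)", text, re.M)
    blocks = re.findall(r"^interface (\S+).*\n((?: .*\n)*)", text, re.M)
    nat_inside = [name for name, body in blocks
                  if re.search(r"^ ip nat inside$", body, re.M)]
    return pools, acls, nat_lists, nat_inside


def audit(text, pool_name):
    """Checks for one AnyConnect pool; a False value is a likely reason hairpin NAT fails."""
    pools, acls, nat_lists, nat_inside = parse_config(text)
    first, last = pools[pool_name]
    result = {}
    for acl in nat_lists:
        nets = acls.get(acl, [])
        # The pool is contiguous, so testing both ends against the ACL networks suffices.
        result[f"acl_{acl}_covers_pool"] = all(any(ip in n for n in nets)
                                               for ip in (first, last))
    result["nat_inside_interfaces"] = nat_inside
    # Assumption: IOS SSL VPN client traffic enters via the webvpn Virtual-Template, so
    # NAT only rewrites it to the Dialer address when that interface is ip nat inside.
    result["vpn_ingress_nat_inside"] = any(n.startswith("Virtual-Template") for n in nat_inside)
    return result
```

Run `audit(SAMPLE_CONFIG, "ha_ANYCON")`: the pool is inside ACL 1, but only Vlan1 is marked inside, which is the gap to look at first.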

3 Replies

pjain2
Cisco Employee

Hey Hiroyuki,

 

Is this your requirement:

anyconnect users====vpn====1.1.1.1router

router1.1.1.1========ipsec vpn=======AWS

Do you need to be able to connect AnyConnect clients to the router on the WAN interface and also set up an IPsec tunnel between the router's WAN interface and AWS?

If this is your requirement, do you also need to be able to access the subnets behind AWS from the AnyConnect clients?

 

Regards

Hello pjain2,

 

I am really sorry for checking late.

I think that they aren't using an IPsec connection for AWS.

Please refer to below.

 

anyconnect users====vpn====1.1.1.1router

anyconnect user global IP 1.1.1.1 (using NAT) ===== SSL VPN(?) or etc. ==== AWS

 

Let me know if you have any solution for this issue.

Anyway, thank you very much for the reply.

 

Regards

 

Your requirement for the connection of AnyConnect users to AWS is not clear.

You want to NAT the AnyConnect pool subnet to 1.1.1.1 and then send it out through the tunnel to AWS. Not sure if you are trying to build an SSL tunnel to AWS.