03-03-2011 08:16 AM
Hi,
I am currently using a 1841 router with AdvSec 12.4(24)T4 IOS on it. I used to have a working SSL tunnel configuration, but for some reason it had disappeared and I am rebuilding the configuration. Unfortunately, I have been able to configure the router to perform the SSL tunnel, but I am not able to pass any data through the VPN. I am only able to ping the inside interface of the router and this is it. If I try an extended PING from the router to the remote PC I am able to get replies. Trying to PING anything on the remote network does not provide any responses back. I am thinking there is some sort of routing not happening here or I am missing some sort of configuration to allow the VPN to pass data through correctly. Here is the snippet of my configuration. I tried to use CCP and the configuration it provided did not provide a solution.
Any help is appreciated.
Regards,
Karim
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Inside
 ip address 192.168.254.254 255.255.255.0
 ip access-group BLOCK-ACCESS in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no mop enabled
 service-policy output Family
!
interface FastEthernet0/1
 description Outside
 bandwidth 100000
 ip address dhcp client-id FastEthernet0/1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
ip local pool VPN_Pool 192.168.254.33 192.168.254.43
!
webvpn gateway SSL_gw
 hostname remote.counterstrike.ca
 ip address <IP removed> port 443
 ssl trustpoint TP-self-signed-697360447
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.5.2019-k9.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.5.2019-k9.pkg sequence 2
!
webvpn context remote_access
 login-photo file SECURITY.jpg
 logo file csns.jpg
 color black
 secondary-color red
 title-color red
 text-color black
 ssl authenticate verify all
 !
 login-message "Access Restricted to Authorized Users"
 !
 policy group SSL_policy
   functions svc-enabled
   svc address-pool "VPN_Pool"
   svc keep-client-installed
   svc split include 192.168.254.0 255.255.255.0
 virtual-template 1
 default-group-policy SSL_policy
 aaa authentication list default
 gateway SSL_gw
 max-users 2
 inservice
03-03-2011 08:43 AM
The better practice config will utilize an IP pool that is not associated with any logical or physical interfaces on the router. For example, you could use 192.168.253.0/24. You will then need to ensure that your internal routing knows how to get traffic destined for the 192.168.253.0 pool back to the SSL gateway router. Finally, you will want to make sure that you exempt the 192.168.254.0/24->192.168.253.0/24 traffic from your outbound NAT process.
Todd
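One way to apply Todd's three points to the configuration Karim posted, as an added example that is not from either poster. The original post does not show the existing NAT statement, so the ACL name NAT-TRAFFIC, the route-map name NAT-OUTSIDE, the exact pool range and the PAT-to-interface form of the NAT statement are all assumptions; adjust them to match the router's real NAT configuration.

```cisco
! --- 1. Move the SSL VPN pool off the inside LAN subnet (assumed range) ---
no ip local pool VPN_Pool 192.168.254.33 192.168.254.43
ip local pool VPN_Pool 192.168.253.1 192.168.253.254
!
! --- 2. Exempt LAN -> VPN pool traffic from outbound NAT (assumed names) ---
! The deny line must come before the permit line: traffic matching a deny
! in the route-map's ACL is simply not translated, so replies to VPN clients
! leave through the Virtual-Access interface with their real source address.
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255
 permit ip 192.168.254.0 0.0.0.255 any
!
route-map NAT-OUTSIDE permit 10
 match ip address NAT-TRAFFIC
!
ip nat inside source route-map NAT-OUTSIDE interface FastEthernet0/1 overload
!
! --- 3. Keep the split tunnel limited to the inside LAN only ---
! (already present in the posted config; repeated here for completeness)
webvpn context remote_access
 policy group SSL_policy
   svc address-pool "VPN_Pool"
   svc split include 192.168.254.0 255.255.255.0
!
! --- Return routing for the new pool ---
! The VPN pool is a connected route on the router itself (via the
! Virtual-Access interface), so nothing is needed on the router. Only if
! inside hosts use some other device as their default gateway does that
! device need a route pointing the pool back at the SSL gateway router:
!   ip route 192.168.253.0 255.255.255.0 192.168.254.254
```

Two checks worth doing after the change: the inbound ACL BLOCK-ACCESS on FastEthernet0/0 also sees the reply traffic from inside hosts, so it has to permit 192.168.254.0/24 to the new 192.168.253.0/24 pool or the symptom stays the same; and after a client connects, `show ip nat translations` should show no entries with a 192.168.253.x destination, while `show ip route 192.168.253.0` should show the pool reachable through the Virtual-Access interface.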
03-03-2011 09:24 AM
Thanks Todd!!
I had totally missed the NAT causing an issue and it feels like an amateurish mistake that I should have picked up with my level of expertise.
Overworked and underpaid I say. LOL!! Anyway, I did change the VPN pool and also exempted the pool from the NAT route-map on the router. I retried the connection and performed a PING to an internal server and with success I received responses. I did try to use one of my applications and it worked flawlessly and with good performance too. Again, Thank You for your help!!
Karim