
IOS SSL VPN no data passing

2wheeljunkie
Level 1

Hi,

I am currently using a 1841 router with AdvSec 12.4(24)T4 IOS on it. I used to have a working SSL tunnel configuration working, but for some reason it had disappeared and I am rebuilding the configuration. Unfortunately, I have been able to configure the router to perform the SSL tunnel, but I am not able to pass any data through the VPN. I am only able to ping the inside interface of the router and this is it. If I try to extended PING from the router to the remote PC I am able to get replies. Trying to PING anything on the remote network does not provide any responses back. I am thinking there is some sort of routing not happening here or I am missing some sort of configuration to allow the VPN to pass data through correctly. Here is the snippet of my configuration. I tried to use CCP and the configuration it provided did not provide a solution.

Any help is appreciated.

Regards,

Karim

interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Inside
ip address 192.168.254.254 255.255.255.0
ip access-group BLOCK-ACCESS in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no mop enabled
service-policy output Family
!
interface FastEthernet0/1
description Outside
bandwidth 100000
ip address dhcp client-id FastEthernet0/1
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
!
ip local pool VPN_Pool 192.168.254.33 192.168.254.43
!
webvpn gateway SSL_gw
hostname remote.counterstrike.ca
ip address <IP removed> port 443 
ssl trustpoint TP-self-signed-697360447
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.5.2019-k9.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.5.2019-k9.pkg sequence 2
!
webvpn context remote_access
login-photo file SECURITY.jpg
logo file csns.jpg
color black
secondary-color red
title-color red
text-color black
ssl authenticate verify all
!
login-message "Access Restricted to Authorized Users"
!
policy group SSL_policy
   functions svc-enabled
   svc address-pool "VPN_Pool"
   svc keep-client-installed
   svc split include 192.168.254.0 255.255.255.0
virtual-template 1
default-group-policy SSL_policy
aaa authentication list default
gateway SSL_gw
max-users 2
inservice


2 Replies

Todd Pula
Level 7 (Accepted Solution)

The better practice config will utilize an IP pool that is not associated with any logical or physical interfaces on the router. For example, you could use 192.168.253.0/24. You will then need to ensure that your internal routing knows how to get traffic destined for the 192.168.253.0 pool back to the SSL gateway router. Finally, you will want to make sure that you exempt the 192.168.254.0/24->192.168.253.0/24 traffic from your outbound NAT process.

Todd
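The three changes Todd describes, written out as an added IOS configuration example; this is not Todd's or Karim's config. The thread never shows the router's NAT statements, so the ACL name NAT_INSIDE, the route-map name NAT_MAP and the choice of 192.168.253.0/24 for the pool are assumptions; substitute whatever the router actually uses.

```cisco
! Added example (not from the thread). NAT_INSIDE, NAT_MAP and the
! 192.168.253.0/24 pool are assumed names/values.
!
! 1. Move the client pool off every interface subnet. The old pool sat
!    inside 192.168.254.0/24, the Inside LAN on FastEthernet0/0.
no ip local pool VPN_Pool 192.168.254.33 192.168.254.43
ip local pool VPN_Pool 192.168.253.1 192.168.253.254
!
! 2. NAT exemption: deny LAN -> pool BEFORE the generic permit, so replies
!    to VPN clients are not translated out FastEthernet0/1 and dropped.
ip access-list extended NAT_INSIDE
 deny   ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255
 permit ip 192.168.254.0 0.0.0.255 any
!
route-map NAT_MAP permit 10
 match ip address NAT_INSIDE
!
ip nat inside source route-map NAT_MAP interface FastEthernet0/1 overload
!
! 3. Return routing. The router itself installs a /32 route for each
!    connected client on the Virtual-Access interface, so it needs no static
!    route. Any inside device that does not default-route to 192.168.254.254
!    (an L3 switch, a second router) needs a route for the pool, e.g.:
!    ip route 192.168.253.0 255.255.255.0 192.168.254.254
!
! The split-tunnel list still names the LAN only; the pool is not added.
webvpn context remote_access
 policy group SSL_policy
  svc address-pool "VPN_Pool"
  svc split include 192.168.254.0 255.255.255.0
```

Two checks after applying this: `show ip nat translations` should show no entries for 192.168.253.x once the exemption is in place, and `show ip route 192.168.253.1` (for a connected client) should return a route via the Virtual-Access interface. Also review the BLOCK-ACCESS ACL applied inbound on FastEthernet0/0; replies from LAN hosts to the new pool enter through that interface and must be permitted there as well.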

Thanks Todd!!

I had totally missed about the NAT causing an issue and it feels like an amateurish mistake that I should have picked up with my level of expertise.

Overworked and underpaid I say. LOL!! Anyway, I did change the VPN pool and also exempted the pool from the NAT route-map on the router. I retried the connection and performed a PING to an internal server and with success I received responses. I did try to use one of my applications and it worked flawlessly and with good performance too. Again, Thank You for your help!!

Karim
