10-28-2012 04:07 AM
Hi, I've a problem with the WEBVPN configuration: the client can connect to the gateway, but it can't reach the internet.
My device is C877 with c870-advipservicesk9-mz.151-3.T2
this is my configuration:
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname C877
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.151-3.T2.bin
boot system tftp c870-advipservicesk9-mz.151-3.T2.bin 192.168.10.254
boot system rom
boot-end-marker
!
!
logging buffered 9000
enable secret 5 <removed>
enable password <removed>
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication ppp default local
aaa authorization exec local_author local
aaa authorization network default if-authenticated
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-966267525
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-966267525
revocation-check none
rsakeypair TP-self-signed-966267525
!
!
crypto pki certificate chain TP-self-signed-966267525
certificate self-signed 01
<snip>
quit
dot11 syslog
no ip source-route
!
!
!
ip dhcp pool local-client
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.10.1
!
!
!
ip cef
ip name-server 213.205.32.70
ip name-server 193.43.2.1
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 nntp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 ntp
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 vdolive
ip ddns update method sdm_ddns1
HTTP
<removed>
interval maximum 28 0 0 0
!
ip ddns update method net_client
DDNS both
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
!
!
!
username user privilege 15 secret 5 <removed>
!
!
ip ssh version 1
ip ssh pubkey-chain
username user
quit
!
!
!
!
!
!
!
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
connect acl 108
group utenti key <removed>
mode client
peer <removed>
virtual-interface 2
username user password <removed>
xauth userid mode local
!
!
!
!
!
interface Loopback0
ip address 192.168.8.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
spanning-tree portfast
!
interface FastEthernet1
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
spanning-tree portfast
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface Virtual-Template1
ip unnumbered Vlan1
peer default ip address pool PPTP-Pool
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2
!
interface Virtual-Template2 type tunnel
no ip address
no ip unreachables
ip virtual-reassembly in
tunnel mode ipsec ipv4
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1 inside
!
interface Dialer0
ip address negotiated
ip access-group 102 in
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly in
ip virtual-reassembly out
encapsulation ppp
dialer pool 1
<removed>
<removed>
<removed>
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
!
ip local pool PPTP-Pool 192.168.10.100 192.168.10.150
ip local pool WEBVPN-Pool 192.168.8.100 192.168.8.150
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat pool p2p 192.168.1.10 192.168.1.10 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.10.252 12000 interface Dialer0 20101
ip nat inside source static tcp 192.168.10.251 1723 interface Dialer0 1723
ip nat inside destination list 100 pool p2p
ip route 0.0.0.0 0.0.0.0 Dialer0 2
ip route 192.168.60.0 255.255.255.0 Dialer0
!
logging 192.168.10.254
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit tcp any any range 6881 6999 log
access-list 100 permit udp any any range 6881 6999 log
access-list 101 permit ip any host 192.168.10.1
access-list 101 permit tcp 192.0.0.0 0.255.255.255 any
access-list 101 permit udp 192.0.0.0 0.255.255.255 any
access-list 101 permit icmp 192.0.0.0 0.255.255.255 any
access-list 101 permit gre 192.168.10.0 0.0.0.255 any
access-list 101 deny ip any any log
access-list 102 remark Per vpn pptp
access-list 102 permit gre any any
access-list 102 permit esp any any log
access-list 102 remark Per vpn pptp
access-list 102 permit tcp any any eq 1723 log
access-list 102 permit tcp any any eq 9998
access-list 102 permit udp any any eq 9999
access-list 102 permit tcp any any eq 8080 log
access-list 102 permit tcp any any eq 443
access-list 102 permit udp any any eq 2301
access-list 102 permit udp any any eq 2304
access-list 102 permit tcp any any eq 2300
access-list 102 permit tcp any any eq 11116
access-list 102 permit tcp any any range 6881 6999 log
access-list 102 permit udp any any range 6881 6999 log
access-list 102 permit udp any any eq 20101
access-list 102 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 102 permit udp host <removed> any eq 10000
access-list 102 permit udp host <removed> any eq non500-isakmp
access-list 102 permit udp host <removed> any eq isakmp
access-list 102 permit esp host <removed> any
access-list 102 permit ahp host <removed> any
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 102 remark Per vpn pptp
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 108 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
snmp-server community <removed> RO
!
!
!
control-plane
!
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
session-timeout 3600
access-class 106 in
privilege level 15
password 7 <removed>
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
!
webvpn gateway gateway_1
ip interface Dialer0 port 443
ssl trustpoint TP-self-signed-966267525
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-3.1.00495-k9.pkg sequence 1
!
webvpn context context_1
title "SSL VPN Login"
color #CCCC66
secondary-color white
title-color #ffc800
text-color black
ssl authenticate verify all
!
login-message "SSL VPN Login"
!
policy group policy_1
functions svc-enabled
svc address-pool "WEBVPN-Pool" netmask 255.255.255.0
svc keep-client-installed
svc dns-server primary 192.168.10.1
default-group-policy policy_1
aaa authentication list local_authen
gateway gateway_1
inservice
!
end
10-29-2012 02:47 AM
Did you try to configure your setup as described here [ using a virtual-template and configuring ip nat inside ]?
Cheers,
10-29-2012 01:40 AM
Hello,
Can you clarify your question?
Do you mean you want NAT the webvpn traffic and do a U-Turn on this gateway?
Cheers,
10-29-2012 02:37 AM
Hi,
thank you for your reply.
Yes, I want the client to be able to access the internal network and to use only the internet connection of the gateway.
Now, when the client is connected, it can only access the internal network of the gateway, but the other traffic is not NATed to the external interface.
The client route table should be ok:
0.0.0.0 0.0.0.0 client LAN gateway client LAN IP 20
0.0.0.0 0.0.0.0 192.168.8.1 192.168.8.102 2
10-29-2012 03:35 AM
Hi,
I've tried it now and it's working!!
Thank you very much!
For reference, I've added:
interface Virtual-Template3
ip unnumbered Vlan1
ip nat inside
ip virtual-reassembly in
access-list 1 permit 192.168.8.0 0.0.0.255
webvpn context context_1
virtual-template 3
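As an added illustration (not code from this thread or from Cisco), the following Python check parses the lines of an IOS config that matter here and flags the two conditions the fix above addressed: the SVC address pool missing from the NAT inside source ACL, and no virtual-template with `ip nat inside` bound to the webvpn context. The config excerpts are constructed from this thread's before and after state.

```python
import ipaddress
import re
# Constructed config excerpts (sample data, not a live device): before and after the fix.
CONFIG_BEFORE = """ip local pool WEBVPN-Pool 192.168.8.100 192.168.8.150
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.10.0 0.0.0.255
webvpn context context_1
 svc address-pool "WEBVPN-Pool" netmask 255.255.255.0
"""
CONFIG_AFTER = CONFIG_BEFORE + """interface Virtual-Template3
 ip nat inside
access-list 1 permit 192.168.8.0 0.0.0.255
webvpn context context_1
 virtual-template 3
"""

def parse_ios(text):
    cfg = {"pools": {}, "nat_acl": None, "acl": {}, "svc_pools": [], "ctx_vt": None, "nat_inside": set()}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new section
            section = line
        if m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"ip nat inside source list (\S+) interface", line):
            cfg["nat_acl"] = m[1]
        elif m := re.match(r"access-list (\d+) permit ([\d.]+) ([\d.]+)", line):
            # standard ACL entry: network plus wildcard mask (ipaddress accepts a hostmask)
            cfg["acl"].setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif section.startswith("webvpn context"):
            if m := re.match(r'svc address-pool "?([^" ]+)', line):
                cfg["svc_pools"].append(m[1])
            elif m := re.match(r"virtual-template (\d+)", line):
                cfg["ctx_vt"] = m[1]
        elif section.startswith("interface ") and line == "ip nat inside":
            cfg["nat_inside"].add(section.split()[1])
    return cfg

def check_svc_nat(cfg):
    problems = []
    nat_nets = cfg["acl"].get(cfg["nat_acl"], [])
    for name in cfg["svc_pools"]:
        lo, hi = cfg["pools"][name]
        if not all(any(ip in n for n in nat_nets) for ip in (lo, hi)):
            problems.append(f"pool {name} {lo}-{hi} not matched by NAT ACL {cfg['nat_acl']}")
    vt = cfg["ctx_vt"]
    if f"Virtual-Template{vt}" not in cfg["nat_inside"]:
        problems.append(f"webvpn context virtual-template {vt} lacks 'ip nat inside'")
    return problems
```

Running `check_svc_nat(parse_ios(CONFIG_BEFORE))` reports both gaps; the same call on `CONFIG_AFTER` returns an empty list.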
10-29-2012 03:38 AM
Hello,
Excellent! That's the power of the virtual-template interface: you can enable IP features like NAT and get the U-turn working as designed.
Cheers