IOS WEBVPN problem: only LAN access

alex3385
Level 1

Hi, I have a problem with the WEBVPN configuration: the client can connect to the gateway, but it can't reach the internet.

My device is a C877 with c870-advipservicesk9-mz.151-3.T2.

This is my configuration:

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname C877
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.151-3.T2.bin
boot system tftp c870-advipservicesk9-mz.151-3.T2.bin 192.168.10.254
boot system rom
boot-end-marker
!
!
logging buffered 9000
enable secret 5 <removed>
enable password <removed>
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication ppp default local
aaa authorization exec local_author local
aaa authorization network default if-authenticated
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-966267525
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-966267525
 revocation-check none
 rsakeypair TP-self-signed-966267525
!
!
crypto pki certificate chain TP-self-signed-966267525
 certificate self-signed 01
  <snip>
  quit
dot11 syslog
no ip source-route
!
!
!
ip dhcp pool local-client
 network 192.168.10.0 255.255.255.0
 dns-server 192.168.10.1
 default-router 192.168.10.1
!
!
!
ip cef
ip name-server 213.205.32.70
ip name-server 193.43.2.1
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 nntp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 ntp
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 vdolive
ip ddns update method sdm_ddns1
 HTTP
  <removed>
 interval maximum 28 0 0 0
!
ip ddns update method net_client
 DDNS both
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
!
!
username user privilege 15 secret 5 <removed>
!
!
ip ssh version 1
ip ssh pubkey-chain
  username user
  quit
!
!
!
!
!
!
!
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
 connect acl 108
 group utenti key <removed>
 mode client
 peer <removed>
 virtual-interface 2
 username user password <removed>
 xauth userid mode local
!
!
!
!
!
interface Loopback0
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool PPTP-Pool
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2
!
interface Virtual-Template2 type tunnel
 no ip address
 no ip unreachables
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly in
 crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1 inside
!
interface Dialer0
 ip address negotiated
 ip access-group 102 in
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly in
 ip virtual-reassembly out
 encapsulation ppp
 dialer pool 1
 <removed>
 <removed>
 <removed>
 crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
!
ip local pool PPTP-Pool 192.168.10.100 192.168.10.150
ip local pool WEBVPN-Pool 192.168.8.100 192.168.8.150
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat pool p2p 192.168.1.10 192.168.1.10 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.10.252 12000 interface Dialer0 20101
ip nat inside source static tcp 192.168.10.251 1723 interface Dialer0 1723
ip nat inside destination list 100 pool p2p
ip route 0.0.0.0 0.0.0.0 Dialer0 2
ip route 192.168.60.0 255.255.255.0 Dialer0
!
logging 192.168.10.254
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit tcp any any range 6881 6999 log
access-list 100 permit udp any any range 6881 6999 log
access-list 101 permit ip any host 192.168.10.1
access-list 101 permit tcp 192.0.0.0 0.255.255.255 any
access-list 101 permit udp 192.0.0.0 0.255.255.255 any
access-list 101 permit icmp 192.0.0.0 0.255.255.255 any
access-list 101 permit gre 192.168.10.0 0.0.0.255 any
access-list 101 deny   ip any any log
access-list 102 remark Per vpn pptp
access-list 102 permit gre any any
access-list 102 permit esp any any log
access-list 102 remark Per vpn pptp
access-list 102 permit tcp any any eq 1723 log
access-list 102 permit tcp any any eq 9998
access-list 102 permit udp any any eq 9999
access-list 102 permit tcp any any eq 8080 log
access-list 102 permit tcp any any eq 443
access-list 102 permit udp any any eq 2301
access-list 102 permit udp any any eq 2304
access-list 102 permit tcp any any eq 2300
access-list 102 permit tcp any any eq 11116
access-list 102 permit tcp any any range 6881 6999 log
access-list 102 permit udp any any range 6881 6999 log
access-list 102 permit udp any any eq 20101
access-list 102 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 102 permit udp host <removed> any eq 10000
access-list 102 permit udp host <removed> any eq non500-isakmp
access-list 102 permit udp host <removed> any eq isakmp
access-list 102 permit esp host <removed> any
access-list 102 permit ahp host <removed> any
access-list 102 permit icmp any any unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 102 remark Per vpn pptp
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 108 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
snmp-server community <removed> RO
!
!
!
control-plane
!
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 session-timeout 3600
 access-class 106 in
 privilege level 15
 password 7 <removed>
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
!
webvpn gateway gateway_1
 ip interface Dialer0 port 443
 ssl trustpoint TP-self-signed-966267525
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-3.1.00495-k9.pkg sequence 1
!
webvpn context context_1
 title "SSL VPN Login"
 color #CCCC66
 secondary-color white
 title-color #ffc800
 text-color black
 ssl authenticate verify all
 !
 login-message "SSL VPN Login"
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "WEBVPN-Pool" netmask 255.255.255.0
   svc keep-client-installed
   svc dns-server primary 192.168.10.1
 default-group-policy policy_1
 aaa authentication list local_authen
 gateway gateway_1
 inservice
!
end


olpeleri
Cisco Employee

Hello,

Can you clarify your question?

Do you mean you want to NAT the webvpn traffic and do a U-turn on this gateway?

Cheers,

Hi,

Thank you for your reply.

Yes, I want the client to be able to access the internal network and to use only the internet connection of the gateway.

Now, when the client is connected, it can only access the internal network of the gateway, but the other traffic is not NATed to the external interface.

The client route table should be OK:

          0.0.0.0          0.0.0.0     client LAN gateway     client LAN IP     20
          0.0.0.0          0.0.0.0     192.168.8.1            192.168.8.102      2

Did you try to configure your setup as described here [using a virtual-template and configuring ip nat inside]?

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-2mt/sec-conn-sslvpn-ssl-vpn.html#GUID-CA99AAF5-6ABF-4C3D-ABF9-2F56B66D076C

Cheers,

Hi,

I've tried it now and it's working!!

Thank you very much!

For reference, I've added:

interface Virtual-Template3
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly in

access-list 1 permit 192.168.8.0 0.0.0.255

webvpn context context_1
 virtual-template 3
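As an added illustration (not code from the thread or from Cisco), the following Python script reads a pasted IOS running-config and reports, per webvpn context, the two conditions the accepted answer fixes: the context must be bound to a virtual-template that carries ip nat inside, and the SVC address pool must be permitted by the ACL named in ip nat inside source list. The BEFORE and AFTER snippets are constructed from the relevant lines of this thread; the function names, the assumption of IOS-style indentation and the restriction to numbered standard ACLs are mine.

```python
"""Config lint for this thread's symptom: AnyConnect (SVC) clients reach the
LAN but not the internet because nothing NATs their traffic.  Added example,
not from the thread or from Cisco.  Assumes IOS indentation and a numbered
standard ACL for NAT (named ACLs are not parsed)."""
import ipaddress
import re


def _std_acl_network(tokens):
    """Address part of a standard-ACL permit -> IPv4Network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    if len(tokens) > 1 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tokens[1]):
        # Turn the IOS wildcard into a netmask ourselves: ipaddress would read
        # a bare 0.0.0.0 or 255.255.255.255 as a netmask, not a wildcard.
        wildcard = int(ipaddress.IPv4Address(tokens[1]))
        netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
        return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False)
    return ipaddress.ip_network(tokens[0] + "/32")  # bare address = one host


def parse_ios(text):
    """Collect pools, standard ACLs, NAT lists, NAT-enabled virtual-templates and webvpn contexts."""
    cfg = {"pools": {}, "acls": {}, "nat_lists": set(), "vt_nat": set(), "contexts": {}}
    block = None  # ("vt", name) or ("ctx", name) while inside an indented block
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command: closes any open block
            block = None
            tok = line.split()
            if line.startswith("ip local pool "):
                cfg["pools"][tok[3]] = (ipaddress.IPv4Address(tok[4]), ipaddress.IPv4Address(tok[5]))
            elif (line.startswith("access-list ") and tok[2] == "permit"
                  and (1 <= int(tok[1]) <= 99 or 1300 <= int(tok[1]) <= 1999)):
                cfg["acls"].setdefault(tok[1], []).append(_std_acl_network(tok[3:]))
            elif line.startswith("ip nat inside source list "):
                cfg["nat_lists"].add(tok[5])
            elif line.startswith("interface Virtual-Template"):
                block = ("vt", tok[1])
            elif line.startswith("webvpn context "):
                block = ("ctx", tok[2])
                cfg["contexts"][tok[2]] = {"vt": None, "pool": None}
            continue
        if block is None:
            continue
        kind, name = block
        sub = line.strip()
        if kind == "vt" and sub == "ip nat inside":
            cfg["vt_nat"].add(name)
        elif kind == "ctx":
            m = re.match(r"virtual-template (\d+)$", sub)
            if m:
                cfg["contexts"][name]["vt"] = "Virtual-Template" + m.group(1)
            m = re.match(r'svc address-pool "?([^"\s]+)"?', sub)
            if m:
                cfg["contexts"][name]["pool"] = m.group(1)
    return cfg


def webvpn_nat_findings(text):
    """One finding per problem; an empty list means SVC clients can be NATed."""
    cfg = parse_ios(text)
    permits = [n for lst in cfg["nat_lists"] for n in cfg["acls"].get(lst, [])]
    findings = []
    for name, ctx in cfg["contexts"].items():
        if ctx["vt"] is None:
            findings.append(f"{name}: no virtual-template bound, so 'ip nat inside' cannot apply to SVC traffic")
        elif ctx["vt"] not in cfg["vt_nat"]:
            findings.append(f"{name}: {ctx['vt']} lacks 'ip nat inside'")
        pool = cfg["pools"].get(ctx["pool"])
        if pool is None:
            findings.append(f"{name}: svc address-pool {ctx['pool']!r} has no matching 'ip local pool'")
            continue
        uncovered = [str(p) for p in ipaddress.summarize_address_range(*pool)
                     if not any(p.subnet_of(n) for n in permits)]
        if uncovered:
            findings.append(f"{name}: pool addresses {', '.join(uncovered)} are not permitted by the NAT inside source ACL")
    return findings


# Constructed from the relevant lines of the original post (the broken setup).
BEFORE = """\
ip local pool WEBVPN-Pool 192.168.8.100 192.168.8.150
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.10.0 0.0.0.255
!
webvpn context context_1
 policy group policy_1
   functions svc-enabled
   svc address-pool "WEBVPN-Pool" netmask 255.255.255.0
 default-group-policy policy_1
 inservice
"""
# The same config plus the three additions from the accepted answer.
AFTER = BEFORE.replace(
    "access-list 1 permit 192.168.10.0 0.0.0.255\n",
    "access-list 1 permit 192.168.10.0 0.0.0.255\naccess-list 1 permit 192.168.8.0 0.0.0.255\n"
    "interface Virtual-Template3\n ip unnumbered Vlan1\n ip nat inside\n",
).replace("webvpn context context_1\n", "webvpn context context_1\n virtual-template 3\n")
```

Run against the BEFORE text it reports exactly the thread's diagnosis: the context has no virtual-template, so NAT can never be applied to SVC traffic, and the 192.168.8.100-150 pool is not in access-list 1. With Virtual-Template3 and the extra permit (the AFTER text) both findings clear. Feeding it a full show running-config works the same way, since everything it does not recognise is ignored.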

Hello,

Excellent! That's the power of the virtual-template interface: you can enable IP features like NAT on it and get the U-turn working as designed.

Cheers