07-16-2012 10:55 AM
Hi,
I am facing an SSL VPN issue on one of my routers.
Below are my router configuration details.
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RTR
!
boot-start-marker
boot system flash0:c3900-universalk9-mz.SPA.151-3.T3.bin
boot system flash0:c3900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sslvpn local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2616696585
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2616696585
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-2616696585
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32363136 36393635 3835301E 170D3132 30373135 31343537
32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36313636
39363538 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CADD 69D0296A 1C5E73C6 AE0D84F2 18C4D80C C6ABD34A 96574E39 A82F418F
2C104610 E1635597 F1377688 898819C4 4736505B 8D779883 54F3EF51 0B236ADC
BEF0A1BA 415E32F5 3243F5EC 6956E1B0 312B232B CFB51C20 A5DF6C85 A5C60F18
51FB36D7 C3CCC933 14E449A1 567F8D8B A2CD2AA9 E5C5A4CC 293CFA8A 97A67DE7
7BAF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14ACB9C7 3A680EA3 563E0BE0 FA034289 BEE3D35F 6D301D06
03551D0E 04160414 ACB9C73A 680EA356 3E0BE0FA 034289BE E3D35F6D 300D0609
2A864886 F70D0101 04050003 81810037 68E6065A 6C2640C4 37CC1C5C 0B60108B
83153755 06E5864D 297EF67B D7F7D43E 812671BB 4C1FD5AA DC2786E7 69369708
597B7E7A 32E1F909 D803EAE6 6D1E1A3A 93BF2F5C DF19A610 2EBC28F1 3889F4A0
BF912E86 774738B0 3EB28AF2 41F718EA B58B8B1B 9D2DFC7B B07B11F6 8B680E34
EBD4A83A 80E3C243 2A1D8EB6 0A179D
quit
no ipother cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
ip domain name <domain.com>
!
multilink bundle-name authenticated
!
!
license udi pid C3900-SPE150/K9 sn abcdefghijk
license accept end user agreement
license boot module c3900 technology-package securityk9
hw-module sm 3
!
!
!
username cisco pass <removed>
!
redundancy
!
!
!
!
no ip ftp passive
ip ssh version 2
!
class-map match-all subnet-branch
match access-group 102
class-map match-all subnet-other
match access-group 101
!
!
policy-map subnets
class subnet-other
bandwidth percent 50
class subnet-branch
bandwidth percent 49
policy-map physical
class class-default
shape average percent 10
police cir 10000000
conform-action transmit
exceed-action drop
service-policy subnets
!
interface Loopback50
description SSL DHCP Pool Gateway Address
ip address 192.168.50.1 255.255.255.0
!
!
interface GigabitEthernet0/0
ip address 192.168.10.1 255.255.255.0 secondary
ip address 192.168.101.1 255.255.255.0 secondary
ip address 192.168.10.164 255.255.255.0
ip accounting output-packets
ip nat inside
ip virtual-reassembly in max-reassemblies 64
duplex full
speed auto
service-policy output physical
!
interface GigabitEthernet0/1
ip address 10.224.149.49 255.255.255.252
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/0
description ## WAN Interface ###
ip address 10.70.140.10 255.255.255.252
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
!
interface FastEthernet0/0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface GigabitEthernet3/0
ip address 10.1.1.1 255.255.255.0
!
interface Vlan1
no ip address
!
ip local pool sslvpnpool 192.168.50.2 192.168.50.100
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 192.168.10.222 9991
!
ip nat translation timeout 3600
ip nat inside source list 199 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.70.140.9
!
ip access-list extended VTY_ACL
permit ip 192.168.10.0 0.0.0.255 any
deny ip any any log
!
access-list 101 permit ip any 192.168.101.0 0.0.0.255
access-list 102 permit ip any 192.168.1.0 0.0.0.255
access-list 102 permit ip any 192.168.2.0 0.0.0.255
access-list 102 permit ip any 192.168.4.0 0.0.0.255
access-list 102 permit ip any 192.168.5.0 0.0.0.255
access-list 102 permit ip any 192.168.6.0 0.0.0.255
access-list 102 permit ip any 192.168.7.0 0.0.0.255
access-list 102 permit ip any 192.168.8.0 0.0.0.255
access-list 102 permit ip any 192.168.9.0 0.0.0.255
access-list 102 permit ip any 192.168.10.0 0.0.0.255
access-list 102 permit ip any 192.168.11.0 0.0.0.255
access-list 102 permit ip any 192.168.12.0 0.0.0.255
access-list 102 permit ip any 192.168.13.0 0.0.0.255
access-list 102 permit ip any 192.168.17.0 0.0.0.255
access-list 102 permit ip any 192.168.19.0 0.0.0.255
access-list 102 permit ip any 192.168.20.0 0.0.0.255
access-list 102 permit ip any 192.168.22.0 0.0.0.255
access-list 102 permit ip any 192.168.24.0 0.0.0.255
access-list 102 permit ip any 192.168.25.0 0.0.0.255
access-list 102 permit ip any 192.168.27.0 0.0.0.255
access-list 102 permit ip any 192.168.28.0 0.0.0.255
access-list 102 permit ip any 192.168.30.0 0.0.0.255
access-list 102 permit ip any 192.168.31.0 0.0.0.255
access-list 102 permit ip any 192.168.32.0 0.0.0.255
access-list 102 permit ip any 192.168.33.0 0.0.0.255
access-list 102 permit ip any 192.168.34.0 0.0.0.255
access-list 102 permit ip any 192.168.35.0 0.0.0.255
access-list 102 permit ip any 192.168.36.0 0.0.0.255
access-list 102 permit ip any 192.168.37.0 0.0.0.255
access-list 102 permit ip any 192.168.38.0 0.0.0.255
access-list 199 permit tcp any any eq 465
access-list 199 permit tcp any any eq 587
access-list 199 permit tcp any any eq 995
access-list 199 permit tcp any any eq 993
access-list 199 permit tcp any any eq smtp
access-list 199 permit tcp any any eq pop3
access-list 199 permit tcp any host XXX.112.233.76 eq 9400
access-list 199 permit tcp any host XXX.112.233.76 eq www
access-list 199 permit ip any host XXX.112.233.76
!
!
control-plane
!
!
privilege exec level 7 traceroute
privilege exec level 7 ping
privilege exec level 9 terminal monitor
privilege exec level 9 terminal no monitor
privilege exec level 9 terminal no
privilege exec level 9 terminal
privilege exec level 7 show mac-address-table
privilege exec level 7 show configuration
privilege exec level 7 show
privilege exec level 9 no debug ip ospf packet
privilege exec level 9 no debug ip ospf events
privilege exec level 9 no debug ip ospf adj
privilege exec level 9 no debug ip ospf
privilege exec level 9 no debug ip routing
privilege exec level 9 no debug ip
privilege exec level 9 no debug serial interface
privilege exec level 9 no debug serial
privilege exec level 9 no debug all
privilege exec level 9 no debug
privilege exec level 9 debug ip ospf packet
privilege exec level 9 debug ip ospf events
privilege exec level 9 debug ip ospf adj
privilege exec level 9 debug ip ospf
privilege exec level 9 debug ip routing
privilege exec level 9 debug ip
privilege exec level 9 debug serial interface
privilege exec level 9 debug serial
privilege exec level 9 debug all
privilege exec level 9 debug
privilege exec level 9 clear arp-cache
privilege exec level 9 clear
privilege exec level 9 no
!
line con 0
line aux 0
line 195
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
flowcontrol software
line vty 0 4
logging synchronous
transport input telnet ssh
transport output all
!
scheduler allocate 20000 1000
!
webvpn gateway MyGateway
ip address xxx.xxx.228.164 port 443
ssl trustpoint self-signed
inservice
!
webvpn install svc flash0:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 1
!
webvpn context SecureMeContext
title "My SSL VPN Service"
secondary-color #C0C0C0
title-color #808080
ssl authenticate verify all
!
login-message "Welcome to VPN"
!
policy group MyDefaultPolicy
functions svc-enabled
svc address-pool "sslvpnpool"
svc keep-client-installed
default-group-policy MyDefaultPolicy
aaa authentication list sslvpn
gateway MyGateway domain testvpn
max-users 100
inservice
!
end
VISA_HYDR_SOFT#sh ver
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.1(3)T3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 15-Dec-11 00:09 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M8, RELEASE SOFTWARE (fc1)
RTR uptime is 4 minutes
System returned to ROM by reload at 14:55:15 UTC Sun Jul 15 2012
System restarted at 14:56:38 UTC Sun Jul 15 2012
System image file is "flash0:c3900-universalk9-mz.SPA.151-3.T3.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE150/K9 with 983040K/65536K bytes of memory.
Processor board ID abcdefghijk
6 FastEthernet interfaces
4 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 72 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        C3900-SPE150/K9       abcdefghikj
Technology Package License Information for Module:'c3900'
-----------------------------------------------------------------
Technology    Technology-package    Technology-package
              Current     Type      Next reboot
------------------------------------------------------------------
ipbase        ipbasek9    Permanent   ipbasek9
security      securityk9  Evaluation  securityk9
uc            None        None        None
data          None        None        None
Configuration register is 0x2102
VISA_HYDR_SOFT#show license detail
Index: 1 Feature: SNASw Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
Store Index: 6
Store Name: Built-In License Storage
Index: 2 Feature: SSL_VPN Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: 100/100/0 (Active/In-use/Violation)
License Priority: Medium
Store Index: 2
Store Name: Primary License Storage
Index: 3 Feature: SSL_VPN Version: 1.0
License Type: EvalRightToUse
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: 0/0 (In-use/Violation)
License Priority: None
Store Index: 4
Store Name: Built-In License Storage
Index: 4 Feature: WAAS_Express Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
Store Index: 8
Store Name: Built-In License Storage
Index: 5 Feature: cme-srst Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: 0/0 (In-use/Violation)
License Priority: None
Store Index: 7
Store Name: Built-In License Storage
Index: 6 Feature: datak9 Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
Store Index: 2
Store Name: Built-In License Storage
Index: 7 Feature: gatekeeper Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
Store Index: 3
Store Name: Built-In License Storage
Index: 8 Feature: ios-ips-update Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
Store Index: 5
Store Name: Built-In License Storage
Index: 9 Feature: ipbasek9 Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Store Index: 0
Store Name: Primary License Storage
Index: 10 Feature: securityk9 Version: 1.0
License Type: Evaluation
License State: Active, In Use
Evaluation total period: 8 weeks 4 days
Evaluation period left: 4 weeks 1 day
Period used: 4 weeks 2 days
Expiry date: Aug 13 2012 19:34:47
License Count: Non-Counted
License Priority: Low
Store Index: 1
Store Name: Primary License Storage
Index: 11 Feature: securityk9 Version: 1.0
License Type: EvalRightToUse
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
Store Index: 0
Store Name: Built-In License Storage
Index: 12 Feature: uck9 Version: 1.0
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
Period used: 0 minute 0 second
License Count: Non-Counted
License Priority: None
Store Index: 1
Store Name: Built-In License Storage
My service provider has NATted my router's G0/0 IP address 192.168.10.164 to xxx.xxx.228.164, and I am able to telnet and SSH to my router via that public IP.
Any suggestions?
07-16-2012 12:38 PM
Hi,
If I understand you correctly, please try to change the IP address under the VPN context to the IP address of your outside interface (the private address in this case).
cheers.
Mohammad.
07-17-2012 05:30 AM
Hi Mohammad,
It's not working. I suspect that NATting with the inside IP might be the problem, as my router's G0/0 IP is NATted to the public IP which I'm trying from outside.
Any suggestions?
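The thread turns on one point: the `ip address` under `webvpn gateway` must be an address the router itself owns, and the posted gateway binds to the provider-side public address (xxx.xxx.228.164), which appears on no interface of the router; the only address in that range the router holds is 192.168.10.164 on G0/0, which is what the reply above points at. The script below is an added example, not from the original poster or from Cisco: it parses an IOS configuration and reports dangling references in the WebVPN section, that is, a gateway address not configured on any interface, and pool, AAA-list, gateway and trustpoint names that nothing defines. It runs on a constructed excerpt of the configuration posted above, with 203.0.113.164 standing in for the masked public IP. It also flags that the gateway's `ssl trustpoint self-signed` does not match the configured trustpoint name `TP-self-signed-2616696585`; the page does not say whether that is a cause of the failure, so treat it as a second thing to confirm rather than a diagnosis.

```python
"""Cross-reference checks for a Cisco IOS WebVPN (SSL VPN) configuration (added example)."""
from __future__ import annotations

import ipaddress

# Constructed excerpt of the configuration posted in the thread. The gateway
# address 203.0.113.164 is a placeholder for the masked provider-side public IP.
SAMPLE_CONFIG = """\
aaa authentication login sslvpn local
!
crypto pki trustpoint TP-self-signed-2616696585
 enrollment selfsigned
!
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0 secondary
 ip address 192.168.10.164 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0/0
 ip address 10.70.140.10 255.255.255.252
 ip nat outside
!
ip local pool sslvpnpool 192.168.50.2 192.168.50.100
!
webvpn gateway MyGateway
 ip address 203.0.113.164 port 443
 ssl trustpoint self-signed
 inservice
!
webvpn context SecureMeContext
 policy group MyDefaultPolicy
   functions svc-enabled
   svc address-pool "sslvpnpool"
 aaa authentication list sslvpn
 gateway MyGateway domain testvpn
 inservice
"""


def parse_ios(config: str) -> dict:
    """Collect the objects that the WebVPN gateway and context refer to."""
    facts = {"interfaces": {}, "pools": set(), "trustpoints": set(),
             "aaa_lists": set(), "gateways": {}, "contexts": {}}
    block = None  # (kind, name) of the enclosing top-level section, if tracked
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        words = text.split()
        if not raw[0].isspace():  # unindented line: a new top-level section
            block = None
            if words[0] == "interface":
                block = ("interface", words[1])
                facts["interfaces"].setdefault(words[1], [])
            elif text.startswith("ip local pool"):
                facts["pools"].add(words[3])
            elif text.startswith("crypto pki trustpoint"):
                facts["trustpoints"].add(words[3])
            elif text.startswith("aaa authentication login"):
                facts["aaa_lists"].add(words[3])
            elif text.startswith("webvpn gateway"):
                block = ("gateway", words[2])
                facts["gateways"][words[2]] = {}
            elif text.startswith("webvpn context"):
                block = ("context", words[2])
                facts["contexts"][words[2]] = {"pools": []}
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "interface" and text.startswith("ip address") and len(words) >= 4:
            facts["interfaces"][name].append(ipaddress.ip_address(words[2]))
        elif kind == "gateway":
            if text.startswith("ip address"):
                facts["gateways"][name]["ip"] = ipaddress.ip_address(words[2])
            elif text.startswith("ssl trustpoint"):
                facts["gateways"][name]["trustpoint"] = words[2]
        elif kind == "context":
            ctx = facts["contexts"][name]
            if text.startswith("svc address-pool"):
                ctx["pools"].append(words[2].strip('"'))
            elif text.startswith("aaa authentication list"):
                ctx["aaa_list"] = words[3]
            elif text.startswith("gateway "):
                ctx["gateway"] = words[1]
    return facts


def check_webvpn(config: str) -> list[str]:
    """Return one finding per dangling reference in the WebVPN configuration."""
    f = parse_ios(config)
    owned = {ip for addrs in f["interfaces"].values() for ip in addrs}
    findings = []
    for gname, gw in f["gateways"].items():
        ip = gw.get("ip")
        if ip is None:
            findings.append(f"gateway {gname}: no ip address configured")
        elif ip not in owned:  # a NATted public address is not a local address
            findings.append(f"gateway {gname}: {ip} is not configured on any interface; "
                            f"router-owned addresses are {sorted(str(a) for a in owned)}")
        tp = gw.get("trustpoint")
        if tp is not None and tp not in f["trustpoints"]:
            findings.append(f"gateway {gname}: ssl trustpoint {tp!r} is not a configured "
                            f"trustpoint; configured names are {sorted(f['trustpoints'])}")
    for cname, ctx in f["contexts"].items():
        for pool in ctx["pools"]:
            if pool not in f["pools"]:
                findings.append(f"context {cname}: address pool {pool!r} is not defined")
        aaa = ctx.get("aaa_list")
        if aaa is not None and aaa not in f["aaa_lists"]:
            findings.append(f"context {cname}: aaa list {aaa!r} is not defined")
        gw = ctx.get("gateway")
        if gw is not None and gw not in f["gateways"]:
            findings.append(f"context {cname}: gateway {gw!r} is not defined")
    return findings


if __name__ == "__main__":
    for line in check_webvpn(SAMPLE_CONFIG) or ["no dangling references"]:
        print(line)
```

Run against the excerpt it reports two findings: the gateway address is not owned by the router, and the trustpoint name is unresolved. Re-running after changing the gateway to `ip address 192.168.10.164 port 443` and the trustpoint to `TP-self-signed-2616696585` yields no findings, which is the state to reach before looking elsewhere for the cause; the pool, AAA list and gateway name references in the context already resolve.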