cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5113
Views
0
Helpful
4
Replies

SSL VPN on 1801 w/ IOS 2.4(24)T2 and AnyConnect 2.4

donschoppe
Level 1
Level 1

Hi,

I'm trying to configure my 1801 with SSL VPN.  The 1801 is running IOS 2.4(24)T2 and AnyConnect 2.4.0202 is installed.  The 1801 connects to the WAN via ADSL (bellsouth) with negotiated (but static) IP.

Currently, my test client (WinXP) can successfully connect to the webvpn portal, download/install the AnyConnect client, and start the full tunnel.  However, the client can't reliably reach hosts on the remote LAN and LAN hosts can't reach the client.  Attached is my current configuration.  I've not found any good examples showing the proper way to configure the SSL VPN when sitting behind a NAT'ed public IP and firewall, so the issue is likely related to this part of the config.  I would apprecate any help or suggestions as my head is starting to spin .

Regards,

Don

Message was edited by: donschoppe Problem solved:  See my last post for a working configuration including zone based firewall.

4 Replies 4

donschoppe
Level 1
Level 1

Some progress, but not "there" yet...

I completely removed the zone based firewall plus ips configuration, changed the webvpn gateway to use the Dialer0 interface, and added a virtual-template 1 interface with "ip nat inside".   The webvpn config looks something like this:

webvpn gateway gateway_1
ip interface Dialer0 port 443 
ssl trustpoint TP-self-signed-1111111111
inservice
!
webvpn sslvpn-vif nat inside
!
webvpn install svc flash:/webvpn/anyconnect-win-2.4.0202-k9.pkg sequence 1
!
webvpn context sslvpn
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
   functions svc-enabled
   svc address-pool "sslvpn"
   svc keep-client-installed
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1

template Virtual-Template1

max-users 10
inservice
!

Now the client is able to ping the router and Internet sites such as google.com through the VPN tunnel.  However, when I attempt to ping a host on the home LAN, no reply is returned to the client.  Wireshark (on the client's AnyConnect adapter I/F) shows an outgoing ARP request to locate the pinged host, and a response coming back, indicating the host is located at MAC 00:11:22:33:44:55.  I assume this is the MAC of the VPN gateway interface?

I'd appreciate any ideas or suggestions for further debugging.

Thanks,

Don

Hi,

Does anyone have a working config (on a recent IOS release) that they could share, in which a remote AnyConnect client can successfully tunnel through the router's public facing I/F (with NAT/PAT) to reach hosts on the private home LAN (and in which the home LAN hosts can reach the remote client through the tunnel)?  Any overview of how the new SSLVPN-VIF interface is supposed to be used with NAT/PAT  and the zone based firewall would be a big help too!

Thanks,

Don

I finally have a working config including zone based firewall support.  A copy is attached for anyone that is interested.  They key to making this work was to use a virtual-template to configure "ip nat inside" and "zone-member security in-zone" for the SSLVPN-VIF.

Don

Don, thanks for posting your configurations below, this helped me sort out the same exact issue running on an 871 with 15.0(1)M1.  However I found that the loopbacks (unless you are using them for something else) were not nescessary or could be due to refinements in my later IOS.  I also found that for me to get this to work, I had to install the virtual-template interface, then apply it to the webvpn context, then I had to reload to get it to work.  For whatever reason the SSLVPN-VIF interface didn't mesh with the virtual-template before I did the reload.  Maybe I could have accomplished this by removing all the webvpn pieces and applying them in a particular order, but I didn't attempt this.

Here are my relevant configurations on my 871, note the ZBPF configs and minimal and included just to provide the whole picture without providing an entire device configuration.