10-19-2011 05:25 AM
Hi everybody.
I'm trying to set up a webvpn on a 1928 router where I had previously configured ZFW and routemaps to route traffic between two different WANs.
I created a virtual-template and assigned it to the inside zone, for now.
I can successfully connect to the vpn, but I can't reach any of the internal IPs. If I delete the line "virtual-template 1" from the webvpn context, I can then ping the internal router interface, but no internal servers.
Any idea on what the problem could be? Do I need to direct VPN traffic to the virtual-template in my route-maps? Any special attention to NAT for the VPN traffic?
Thanks to anyone who could lead me to the solution.
10-19-2011 07:09 AM
Hi
It would be nice if I could see a sh tech from your router to be able to give you an exact answer.
In the meantime, please review the below-mentioned document on allowing SSL VPN traffic through ZBF.
http://www.cisco.com/en/US/products/ps8411/products_configuration_example09186a0080b25941.shtml
HTH
Rahul ILWADHI
10-19-2011 08:35 AM
Thanks for your reply and the link, Rahul.
I had actually already tried to replicate the configuration in the example, but to no avail.
Here are the relevant parts of the current configuration:
interface GigabitEthernet0/0
ip address 192.168.117.254 255.255.255.0
ip accounting output-packets
ip nat inside
ip virtual-reassembly in
zone-member security IN
ip policy route-map ADSL
duplex auto
speed auto
no mop enabled
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
zone-member security IN
!
interface Dialer0
ip address negotiated
ip accounting output-packets
ip nat outside
ip virtual-reassembly in
zone-member security OUT
encapsulation ppp
dialer pool 2
ppp chap hostname xxxxxx
ppp chap password 7 xxxxxx
ppp pap sent-username xxxxxx password 7 xxxxxx
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
zone-member security OUT
encapsulation ppp
dialer pool 1
ppp chap hostname xxxxxx
ppp chap password 7 xxxxxx
ppp pap sent-username xxxxxx password 7 xxxxxx
!
ip local pool dhcp 192.168.118.230 192.168.118.240
!
ip nat inside source list NAT-LAN-ACL interface Dialer0 overload
ip nat inside source list NAT-SERVER-ACL interface Dialer1 overload
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
route-map ADSL permit 10
match ip address NAT-SERVER-ACL
set default interface Dialer1
!
route-map ADSL permit 20
match ip address NAT-LAN-ACL
set default interface Dialer0
!
webvpn gateway gateway_1
ip address xxxxxx port 443
http-redirect port 80
ssl trustpoint TP-self-signed-4090975068
inservice
!
webvpn install svc usbflash0:/webvpn/anyconnect-win-2.5.0217-k9.pkg sequence 1
!
webvpn context new
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "dhcp"
svc keep-client-installed
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
virtual-template 1
max-users 10
inservice
!
10-19-2011 12:06 PM
Thanks for sharing a snapshot of the config.
First things first:
1. If you bypass ZBF, does SSL VPN work? I am asking this because it will isolate whether the issue is with SSL VPN or ZBF.
2. If it does, then we need to investigate it from a ZBF point of view. Else it may be an SSL VPN issue.
3. From the config attached, it is not evident whether the self zone is being used here or not. I would request you to include the output of:
a) sh zone-pair security
b) sh access-list
Thanks
Rahul
10-19-2011 12:54 PM
Hello Rahul,
It was indeed the ZFW somehow blocking the VPN traffic. Thanks for leading me to that.
The zone pairs are IN to OUT and OUT to IN, with the VPN interface assigned to IN. No self zone configured.
I tried permitting all traffic in every class map using only "permit ip any any" ACLs, but it wouldn't work.
As soon as I remove every interface from its security zone, the VPN starts working.
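Rahul's questions (is the self zone in use, which zone-pairs exist) come down to the default rules of the IOS Zone-Based Firewall: traffic between two interfaces in the same zone is permitted, traffic between different zones is dropped unless a zone-pair with a service-policy exists for the initiating direction, and traffic to or from the router itself (the "self" zone, which is where the SSL VPN gateway listens) is permitted until a zone-pair involving self is configured. The script below is an added example, not code from this thread or from Cisco: it parses those facts out of a constructed config modelled on the one posted above (zone-pair names, policy names and the alternative "VPN" zone are assumptions) and reports the verdict for the three flows a WebVPN client needs.

```python
import re

# Added example (not from the thread): model the default Cisco IOS Zone-Based
# Firewall (ZBF) verdict for a session initiated from one interface towards
# another, given zone membership and the configured zone-pairs.
SELF_ZONE = "self"  # the router itself, e.g. the SSL VPN gateway listening on tcp/443


def sample_config(vpn_zone="IN"):
    """Constructed config modelled on the thread; zone-pair/policy names are assumptions."""
    return f"""
interface GigabitEthernet0/0
 ip address 192.168.117.254 255.255.255.0
 zone-member security IN
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 zone-member security {vpn_zone}
!
interface Dialer0
 ip address negotiated
 zone-member security OUT
!
zone-pair security IN-TO-OUT source IN destination OUT
 service-policy type inspect PM-IN-OUT
!
zone-pair security OUT-TO-IN source OUT destination IN
 service-policy type inspect PM-OUT-IN
!
"""


def parse_zone_members(config):
    """Map interface name -> zone from 'interface X' / ' zone-member security Z' blocks."""
    members, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("zone-member security ") and current:
            members[current] = line.split()[2]
        elif line == "!":
            current = None
    return members


def parse_zone_pairs(config):
    """Map (source_zone, dest_zone) -> inspect policy name, or None if the pair has no policy."""
    pairs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line)
        if m:
            current = (m.group(1), m.group(2))
            pairs[current] = None
        elif line.startswith("service-policy type inspect ") and current:
            pairs[current] = line.split()[3]
        elif line == "!":
            current = None
    return pairs


def zone_of(interface, members):
    """Zone of an interface; 'self' names the router itself; None when unzoned."""
    return SELF_ZONE if interface == SELF_ZONE else members.get(interface)


def classify_flow(src_if, dst_if, members, pairs):
    """Default ZBF verdict for a session *initiated* from src_if towards dst_if.
    ZBF is stateful, so return packets of an inspected session are allowed by state;
    only the initiating direction needs a zone-pair."""
    src, dst = zone_of(src_if, members), zone_of(dst_if, members)
    if src is None and dst is None:
        return "permitted: neither interface is zoned, ZBF does not apply"
    if src is None or dst is None:
        return "dropped: a zoned and an unzoned interface cannot exchange traffic"
    if src == dst:
        return "permitted: intra-zone traffic"
    if (src, dst) not in pairs:
        if SELF_ZONE in (src, dst):
            return "permitted: no zone-pair involves self, router traffic allowed by default"
        return f"dropped: no zone-pair {src}->{dst}"
    policy = pairs[(src, dst)]
    if policy is None:
        return f"dropped: zone-pair {src}->{dst} has no service-policy"
    return f"inspected by policy {policy} on zone-pair {src}->{dst}"


def webvpn_flow_report(members, pairs, outside_if, vpn_if, inside_if):
    """Verdicts for the flows an SSL VPN client depends on."""
    return {
        "client -> SSL gateway": classify_flow(outside_if, SELF_ZONE, members, pairs),
        "client -> internal hosts": classify_flow(vpn_if, inside_if, members, pairs),
        "internal hosts -> client": classify_flow(inside_if, vpn_if, members, pairs),
    }


if __name__ == "__main__":
    for zone in ("IN", "VPN"):  # as posted, and with the virtual-template in its own zone
        cfg = sample_config(zone)
        report = webvpn_flow_report(parse_zone_members(cfg), parse_zone_pairs(cfg),
                                    "Dialer0", "Virtual-Template1", "GigabitEthernet0/0")
        print(f"Virtual-Template1 in zone {zone}:")
        for flow, verdict in report.items():
            print(f"  {flow:26s} {verdict}")
```

Running it with the virtual-template in IN reproduces the thread's setup (client-to-gateway allowed by the self-zone default, client-to-servers intra-zone); moving the template to its own zone shows the classic failure, a dropped VPN->IN flow for want of a zone-pair. The model only encodes the documented defaults, so a "permitted" verdict that still fails in practice, as reported above, is the cue to look at the inspect policy's drop counters rather than at zone membership alone.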