07-02-2016 06:08 PM - edited 02-21-2020 08:53 PM
Hello,
I'm having trouble getting this to work after applying ZBF to my inside/outside interfaces. The setup is this:
AnyConnect Client--------->Local 2911<------------IPSEC Site-to-Site------------>Remote 2911<---------->LAN Host
192.168.16.1 192.168.50.2 192.168.50.50
Everything worked perfectly until I enabled the firewall on the local router. I could ping from the AnyConnect client all the way through to the remote host. What am I missing?
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login SSLVPN local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.16.1 192.168.16.128
ip dhcp excluded-address 192.168.16.214
ip dhcp excluded-address 192.168.16.225
!
ip dhcp pool LAN-POOL
network 192.168.16.0 255.255.255.0
domain-name xxxxxxx
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.16.1
!
!
!
ip domain name xxxxxxxx
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.2
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
cts logging verbose
!
crypto pki trustpoint SSLVPN-TRUSTPOINT
enrollment selfsigned
serial-number
subject-name CN=mhc-certificate
revocation-check crl
rsakeypair SSLVPN
!
!
crypto pki certificate chain SSLVPN-TRUSTPOINT
certificate self-signed 02
-REMOVED-
license udi pid CISCO2911/K9 sn xxxxxxxxxxx
!
!
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxx
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxx
username xxxxxxx secret 5 xxxxxxxx
!
redundancy
!
!
!
!
!
!
class-map type inspect match-any ALL-PROTOCOLS-CMAP
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all ICMP-CMAP
match access-group name ICMP
class-map type inspect match-all HTTPS-CMAP
match protocol https
class-map type inspect match-any SSH-CMAP
match access-group name SSH_ACCESS
class-map type inspect match-all IPSEC-CMAP
match access-group name ISAKMP_IPSEC
!
policy-map type inspect OUTSIDE->INSIDE-POLICY
class type inspect ICMP-CMAP
inspect
class type inspect IPSEC-CMAP
pass
class type inspect HTTPS-CMAP
pass
class class-default
drop
policy-map type inspect OUTSIDE->ROUTER-POLICY
class type inspect IPSEC-CMAP
pass
class type inspect SSH-CMAP
inspect
class type inspect ICMP-CMAP
inspect
class type inspect HTTPS-CMAP
pass
class class-default
drop
policy-map type inspect ROUTER->OUTSIDE-POLICY
class type inspect ICMP-CMAP
inspect
class class-default
pass
policy-map type inspect ALLOW-ALL
class type inspect IPSEC-CMAP
pass
class type inspect ALL-PROTOCOLS-CMAP
inspect
class class-default
pass
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE->OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect ALLOW-ALL
zone-pair security OUTSIDE->INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE->INSIDE-POLICY
zone-pair security ROUTER->OUTSIDE source self destination OUTSIDE
service-policy type inspect ROUTER->OUTSIDE-POLICY
zone-pair security OUTSIDE->ROUTER source OUTSIDE destination self
service-policy type inspect OUTSIDE->ROUTER-POLICY
!
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxx address xxxxxx
!
!
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CRYPTO 10 ipsec-isakmp
set peer xxxxxxx
set transform-set TRANSFORM
match address VPN-TRAFFIC
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN-INTERFACE
ip address xxxxxxxx 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
crypto map CRYPTO
!
interface GigabitEthernet0/1
description LAN-INTERFACE
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
no ip address
zone-member security INSIDE
!
ip local pool REMOTE-POOL 192.168.17.10 192.168.17.20
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.16.5 21 xxxxxxxx 21 extendable
ip route 0.0.0.0 0.0.0.0 xxxxxxxxx
!
ip access-list extended ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
ip access-list extended ISAKMP_IPSEC
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp
ip access-list extended SSH_ACCESS
permit tcp any any eq 22
ip access-list extended VPN-TRAFFIC
permit ip 192.168.16.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.17.0 0.0.0.255 192.168.50.0 0.0.0.255
!
!
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 192.168.16.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny ip 192.168.17.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 100 permit ip 192.168.17.0 0.0.0.255 any
access-list 100 remark
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 10 30
privilege level 15
transport input telnet ssh
line vty 5 15
exec-timeout 10 30
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 0.pool.ntp.org prefer source GigabitEthernet0/0
ntp server 1.pool.ntp.org source GigabitEthernet0/0
!
!
webvpn gateway SSLVPNGW
ip address xxxxxxxx port 443
http-redirect port 80
ssl trustpoint SSLVPN-TRUSTPOINT
inservice
!
webvpn context ANYCONNECTVPN
aaa authentication list SSLVPN
gateway SSLVPNGW
max-users 20
!
ssl authenticate verify all
inservice
!
policy group ANYCONNECT-POLICY
functions svc-enabled
svc address-pool "REMOTE-POOL" netmask 255.255.255.0
svc keep-client-installed
svc split include 192.168.16.0 255.255.255.0
svc split include 192.168.50.0 255.255.255.0
svc dns-server primary 8.8.8.8
svc dns-server secondary 8.8.4.4
default-group-policy ANYCONNECT-POLICY
!
end
Thanks!
07-03-2016 10:15 PM
Take a look at the config my config wizard produces. Tick the "User to site" and "site to site" options, and then look at the firewall config.
http://www.ifm.net.nz/cookbooks/890-isr-wizard.html
Otherwise in the above config you'll make life easier if you convert to using VTI tunnels for your site to site VPN rather than a crypto map.
07-05-2016 12:03 AM
Thanks for the suggestions Philip. I switched over to using a VTI setup for the site-to-site but still had trouble pinging from an AnyConnect client on the near end all the way through to a remote client. I finally got it working after trying this:
interface Loopback0
ip address 172.16.1.1 255.255.255.255
interface Virtual-Template1
ip unnumbered Loopback0
webvpn context ANYCONNECTVPN
virtual-template 1
I'll reapply all of the firewall stuff and retest tomorrow.
Thanks Again!
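For readers who want to see how the loopback/virtual-template fix above fits together with the zone-based firewall and a VTI, here is an added example (not posted by anyone in this thread). It assumes the crypto map has been replaced by a Tunnel0 VTI and uses placeholder values for the remote peer address and the tunnel /30; the transform-set and zone names are the ones from the original config.

```cisco
! Added example, not from the thread. Peer address and tunnel /30 are placeholders.
!
! Address the AnyConnect virtual-template from a loopback so sessions get a
! routable next-hop; the virtual-template stays in INSIDE so client traffic is
! handled like LAN traffic by the INSIDE->OUTSIDE zone-pair.
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Virtual-Template1
 ip unnumbered Loopback0
 zone-member security INSIDE
!
webvpn context ANYCONNECTVPN
 virtual-template 1
!
! IPsec profile reused by the VTI (same transform-set as the original config)
crypto ipsec profile VTI-PROFILE
 set transform-set TRANSFORM
!
! Site-to-site VTI. Under ZBF the tunnel interface must itself be a zone member,
! otherwise decrypted traffic between it and zoned interfaces is dropped. Putting
! it in INSIDE lets AnyConnect (INSIDE) and the LAN (INSIDE) reach the remote LAN
! without any extra zone-pair, because intra-zone traffic is permitted by default.
! The encrypted IKE/ESP packets still enter on OUTSIDE and are passed to the
! router by IPSEC-CMAP in the OUTSIDE->ROUTER policy.
interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 zone-member security INSIDE
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination <REMOTE-PEER-IP>
 tunnel protection ipsec profile VTI-PROFILE
!
! Route the remote LAN into the tunnel instead of relying on a crypto ACL
ip route 192.168.50.0 255.255.255.0 Tunnel0
!
! Checks after applying: confirm every interface carrying VPN traffic is in a
! zone, then watch the inspect sessions while pinging from an AnyConnect client.
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```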