WebVPN cannot access Internal network on 2821

mkpetkov123
Level 1

Hello, I'm trying to set up WebVPN to my internal network. The client is connected to the router, but I can't ping anything from my internal network. Also, I've lost ping between hosts in the internal network. I can ping only the gateway (192.168.162.0).

IOS Version 15.1(4)M9


ip local pool webvpn-pool 192.168.162.212 192.168.162.218

ip nat inside source list 1 interface GigabitEthernet0/0 overload

access-list 1 permit 192.168.162.0 0.0.0.255

webvpn gateway Cisco-WebVPN-Gateway
 ip address X.X.X.X port 1025
 ssl encryption rc4-md5
 ssl trustpoint my-trustpoint
 inservice
 !
webvpn context Cisco-WebVPN
 title "Easy VPN"
 ssl authenticate verify all
 !
 url-list "rewrite"
 !
 acl "ssl-acl"
   permit ip 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0
 !
 login-message "Cisco Secure WebVPN"
 !
 policy group webvpnpolicy
   functions svc-enabled
   functions svc-required
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc rekey method new-tunnel
   svc split include 192.168.162.0 255.255.255.0
 default-group-policy webvpnpolicy
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 max-users 2
 inservice
!

Accepted Solution

Hi,

I saw the VPN configuration:

 policy group webvpnpolicy
   functions svc-enabled
   functions svc-required
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc rekey method new-tunnel
   svc split include 192.168.162.0 255.255.255.0
 default-group-policy webvpnpolicy
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 max-users 2
 inservice

acl "ssl-acl"
   permit ip 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0


ip local pool webvpn-pool 192.168.162.212 192.168.162.218

ip nat inside source list 1 interface GigabitEthernet0/0 overload

access-list 1 permit 192.168.162.0 0.0.0.255

I would recommend the following:

1. Use an IP local pool with a different range than the one used in the inside network (routing-wise issues).

2. Remove the VPN filter; it is completely unnecessary, since it permits the same thing the split tunnel does:

policy group webvpnpolicy
 no filter tunnel ssl-acl

3. Use an extended ACL on the NAT, and create a NAT exemption for the inside network to the IP local pool on the outside:

ip access-list extended NAT
 deny ip 192.168.162.0 0.0.0.255 XXXX XXXXX --> IP network for the IP pool
 permit ip 192.168.162.0 0.0.0.255 any

ip nat inside source list NAT interface GigabitEthernet0/0 overload

Those are the proper changes I would recommend you to apply.

Please don't forget to rate and mark the helpful post as correct!

David Castro,


Hi,

Could you mark your question as answered by clicking on "Endorse Answer"?

David Castro,

Regards,