03-14-2011 03:28 AM
I have an 877 router with IOS 12.4(24)T5.
My problem is that when I try to connect over HTTPS (or HTTP) from outside to open the web portal and connect using WebVPN (SSL VPN),
it never responds!
I can, however, connect to my public IP from inside the LAN, open the WebVPN portal, download the AnyConnect software and establish the SSL VPN.
I can connect to my LAN using the Cisco VPN Client from outside, and I have a site-to-site VPN working too.
This is my config (without sensitive data):
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
877_Feria#
877_Feria#show run
Building configuration...
Current configuration : 7756 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 877_Feria
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone Paris 1
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint SSL
enrollment selfsigned
fqdn none
subject-name CN=vpnferia
revocation-check crl
rsakeypair SSL_FERIA
!
!
crypto pki certificate chain SSL
certificate self-signed 03
3082020E 30820177 A0030201 02020103 300D0609 2A864886 F70D0101 04050030
13311130 0F060355 04031308 76706E66 65726961 301E170D 31313033 31343037
33353338 5A170D32 30303130 31303030 3030305A 30133111 300F0603 55040313
0876706E 66657269 6130819F 300D0609 2A864886 F70D0101 01050003 818D0030
81890281 81009F30 1B5E0CF6 F3376884 0712B635 9C8D3749 237D3F13 CB9728D1
7293B978 6BE81A2F 06951D72 C30178C0 91B4786B 7E701B59 62622A31 96D023C1
BDB82295 E4E77FC8 97BF34CA 16B03F53 5EC21F5E 88BA12E1 E5D12729 58136A53
76E35D33 1A99EF9F E7B034D6 EB3CF17C A73ECAA1 326573DE 164BB1F3 5EA8EE17
4AB73CD3 22950203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF
301D0603 551D1104 16301482 12383737 5F466572 69612E66 65726961 2E657330
1F060355 1D230418 30168014 51E4D8C7 6347B08A D3CB8F2E F4E4C400 061DB6B4
301D0603 551D0E04 16041451 E4D8C763 47B08AD3 CB8F2EF4 E4C40006 1DB6B430
0D06092A 864886F7 0D010104 05000381 81008160 0AAD04E3 D247EA6C C1F6E93C
5D0B4C8F 25319E30 8EBABE6F 50E53F7D 57DE0F8A 13BB3212 642C4EAC A32610A6
75D6568E DA5CEF92 E59D511B 80186AF8 73CC11E6 F1E82065 C47E6B60 82BCA939
9FF3F06D E3858349 3007AFC2 A2F0CE59 809FA1E1 F2B7FEA1 9B13E8AA 1FEF6AF1
96E627FC 481642F4 A466EFE7 8124C374 044F
quit
dot11 syslog
ip source-route
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip cef
ip domain name feria.net
ip name-server 192.168.254.3
!
!
!
!
username user1 privilege 15 secret 5 $1$zMca$0AkwxrsfBY63XPUHxv31N0
username userVPN secret 5 $1$8iKr$8WV5IhFUmI671.XGp3Gb11
username userWebVPN secret 5 $1$3HPK$tvFjfrQd86iAoHGsa5Uu01
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key interkey address 8.2.24.3
!
crypto isakmp client configuration group CiscoVPN
key 123456
pool ippool
max-users 10
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group CiscoVPN
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to8.2.24.3
set peer 8.2.24.3
set transform-set ESP-3DES-SHA
match address 101
!
archive
log config
hidekeys
!
!
ip ssh source-interface Vlan1
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
hold-queue 224 in
!
interface ATM0.1 point-to-point
ip address 8.3.8.6 255.255.255.240
ip nat outside
ip virtual-reassembly
pvc 8/32
encapsulation aal5snap
!
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered ATM0.1
!
interface Virtual-Template2 type tunnel
ip unnumbered ATM0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.254.240 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local pool ippool 192.168.253.1 192.168.253.10
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
access-list 1 permit 192.168.254.0 0.0.0.255 log
access-list 2 permit any
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=19
access-list 100 remark IPSec Rule
access-list 100 deny ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 100 in
privilege level 15
login authentication clientauth
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn gateway gateway_1
hostname 877_Feria
ip address 8.3.8.6 port 443
http-redirect port 80
ssl trustpoint SSL
inservice
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.2017-k9.pkg sequence 1
!
webvpn context VPN-Feria
secondary-color white
title-color #FF9900
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "ippool"
svc keep-client-installed
virtual-template 1
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway gateway_1 domain vpnferia
max-users 10
inservice
!
end
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
What could I be missing?
Thank you to all!!
03-14-2011 06:18 AM
If WebVPN works from inside and not from outside, I would say that might be a routing/ACL/NAT issue.
To confirm, try the show webvpn and show ip http server commands to check that both are online, and try running debug crypto pki / debug webvpn when connecting from outside to check what is going on.
03-14-2011 07:22 AM
In addition, check whether your ISP is blocking port 443.
Try configuring the WebVPN gateway on a high port, e.g.
webvpn gateway gateway_1
ip address 8.3.8.6 port 4433
then try to connect to that port from the outside.
hth
Herbert
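A way to run Herbert's port test from the outside, as an added example that is not part of the thread or of any Cisco tool: the probe reports whether the TCP connect got a SYN/ACK, an RST, or no reply at all (the "never responds" symptom above), and if TCP opens, whether a TLS handshake completes and which protocol version and cipher the gateway negotiates. Host and ports are command-line arguments; nothing in the thread's config is assumed beyond the fact that the gateway is a TLS listener with a self-signed trustpoint, which is why certificate verification is deliberately off (this is a diagnostic probe, not a client).

```python
"""Probe a WebVPN/SSL listener from the outside: TCP connect, then TLS handshake.

Added example (not from the thread). It separates the three outcomes that matter
when a gateway "never responds": no reply at all, an RST, or TCP open but no TLS.
"""
import socket
import ssl
import sys


def probe_tls_port(host, port, timeout=5.0):
    """Return a dict describing how far a connection to host:port gets.

    result["tcp"]: "open" (SYN/ACK seen), "refused" (RST came back),
                   "timeout" (no reply at all) or "error"
    result["tls"]: True when a TLS handshake completed, False when it failed,
                   None when TCP never opened
    """
    result = {"host": host, "port": port, "tcp": None, "tls": None,
              "version": None, "cipher": None, "detail": ""}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        # Nothing answered: filtered upstream, black-holed, or consumed on the
        # router before it reaches the listener.
        result["tcp"] = "timeout"
        return result
    except ConnectionRefusedError:
        # The host is reachable and answered with an RST: no listener on that port.
        result["tcp"] = "refused"
        return result
    except OSError as exc:
        result["tcp"] = "error"
        result["detail"] = str(exc)
        return result

    result["tcp"] = "open"
    ctx = ssl.create_default_context()
    # Diagnostic probe against a self-signed trustpoint: negotiate, do not verify.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except socket.timeout:
        result["tls"] = False
        result["detail"] = "TCP open but no TLS reply (handshake timed out)"
    except ssl.SSLError as exc:
        result["tls"] = False
        result["detail"] = f"TLS handshake failed: {exc.reason or exc}"
    except OSError as exc:
        result["tls"] = False
        result["detail"] = f"connection dropped during handshake: {exc}"
    else:
        result["tls"] = True
        result["version"] = tls.version()
        result["cipher"] = tls.cipher()[0]
        tls.close()
    finally:
        sock.close()  # no-op if wrap_socket already took over the descriptor
    return result


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} HOST [PORT ...]   (e.g. 443 80 4433)")
        return 2
    host = argv[1]
    ports = [int(p) for p in argv[2:]] or [443]
    for port in ports:
        r = probe_tls_port(host, port)
        print(f"{host}:{port}  tcp={r['tcp']}  tls={r['tls']}  "
              f"{r['version'] or ''} {r['cipher'] or ''} {r['detail']}".rstrip())
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a host that is really outside (not from the LAN, where the OP's test already succeeds). A "timeout" on 443 while the IPsec peer and Cisco VPN Client still work tells you the packets reach the router but never reach the listener; a "refused" would point at the gateway not being in service; "open" with a failed handshake points at the TLS side.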
03-14-2011 09:13 AM
The ISP tells me that there are no blocked ports on this ADSL line.
The debug commands do not report anything on the outside port. My first suspicion was that the ISP blocks ports, but I can connect using the Cisco VPN Client and I can establish my LAN-to-LAN tunnel with my remote peer, so at least those services are open.
I tried other high ports like 4443, 44433, and so on, without success!
I have no more ideas!
04-26-2011 07:23 PM
Try adding a NAT statement for the outside.
ip nat inside source static tcp 8.3.8.6 443 8.3.8.6 443
assuming 8.3.8.6 is your public IP.
-Brian
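Brian's one-liner targets the interaction between the gateway address and interface PAT: the WebVPN listener is bound to 8.3.8.6, which is also the ip nat outside address that ip nat inside source ... interface ATM0.1 overload translates on, and a static translation of 8.3.8.6:443 to itself keeps inbound connections to that port from being swallowed by PAT before they reach the router's own listener. The following Python audit is an added example, not code from the thread or from Cisco. It parses a config in the format the thread shows (indentation optional, blocks ending in !), flags any inservice webvpn gateway bound to an address that is a PAT interface address and has no such self-mapping, and emits the static statement as the fix. By the same reasoning it also checks the http-redirect port (80 in this config); the thread only fixed 443, so treating the redirect port the same way is this example's assumption. The embedded config is a constructed, abridged copy of the relevant lines of the posted one.

```python
"""Audit an IOS config for a WebVPN gateway bound to an interface-PAT address.

Added example (not from the thread or from Cisco). It parses the config format
the thread shows and flags the condition Brian's static NAT line fixes.
"""
import re

# Constructed, abridged copy of the relevant lines of the 877 config in the thread.
SAMPLE_CONFIG = """\
interface ATM0.1 point-to-point
ip address 8.3.8.6 255.255.255.240
ip nat outside
ip virtual-reassembly
!
interface Vlan1
ip address 192.168.254.240 255.255.255.0
ip nat inside
!
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
webvpn gateway gateway_1
hostname 877_Feria
ip address 8.3.8.6 port 443
http-redirect port 80
ssl trustpoint SSL
inservice
!
"""

IFACE_IP_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) \d+\.\d+\.\d+\.\d+$")
GW_IP_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+)(?: port (\d+))?$")
REDIRECT_RE = re.compile(r"^http-redirect port (\d+)$")
PAT_RE = re.compile(r"^ip nat inside source (?:list \S+|route-map \S+) interface (\S+) overload$")
STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)(?: extendable)?$")


def parse_blocks(config):
    """Yield (header, body_lines) for each '!'-terminated block.

    Leading whitespace is ignored, so a config pasted without indentation
    (as in the thread) parses the same as a real 'show run'.
    """
    header, body = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("!", ""):
            if header is not None:
                yield header, body
            header, body = None, []
        elif header is None:
            header = line
        else:
            body.append(line)
    if header is not None:
        yield header, body


def audit_webvpn_nat(config):
    """Return one finding per (gateway, port) that interface PAT would intercept."""
    interfaces, gateways = {}, {}
    for header, body in parse_blocks(config):
        words = header.split()
        if words[0] == "interface":
            info = {"ip": None, "nat_outside": False}
            for line in body:
                m = IFACE_IP_RE.match(line)
                if m:
                    info["ip"] = m.group(1)
                elif line == "ip nat outside":
                    info["nat_outside"] = True
            interfaces[words[1]] = info
        elif words[:2] == ["webvpn", "gateway"]:
            gw = {"ip": None, "ports": [], "inservice": False}
            for line in body:
                m = GW_IP_RE.match(line)
                if m:
                    gw["ip"] = m.group(1)
                    gw["ports"].append(int(m.group(2) or 443))  # 443 is the IOS default
                    continue
                m = REDIRECT_RE.match(line)
                if m:
                    gw["ports"].append(int(m.group(1)))
                elif line == "inservice":
                    gw["inservice"] = True
            gateways[words[2]] = gw

    # NAT statements are global, so scan every line regardless of block.
    pat_ifaces, self_maps = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        m = PAT_RE.match(line)
        if m:
            pat_ifaces.add(m.group(1))
        m = STATIC_RE.match(line)
        if m and m.group(2) == m.group(4) and m.group(3) == m.group(5):
            self_maps.add((m.group(1), m.group(2), int(m.group(3))))

    findings = []
    for name, gw in gateways.items():
        if not gw["inservice"] or gw["ip"] is None:
            continue
        owners = [n for n, i in interfaces.items()
                  if i["ip"] == gw["ip"] and i["nat_outside"] and n in pat_ifaces]
        if not owners:
            continue  # gateway address is not a PAT interface address: nothing to fix
        for port in gw["ports"]:
            if ("tcp", gw["ip"], port) in self_maps:
                continue  # already pinned to the router, as in Brian's fix
            findings.append({
                "gateway": name, "interface": owners[0], "ip": gw["ip"], "port": port,
                "fix": f"ip nat inside source static tcp {gw['ip']} {port} {gw['ip']} {port}",
            })
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for f in audit_webvpn_nat(text):
        print(f"{f['gateway']}: {f['ip']}:{f['port']} is the PAT address of "
              f"{f['interface']} with no self-mapping; add: {f['fix']}")
```

Against the sample it reports 443 and 80; after adding Brian's line only 80 remains, and a matching line for port 80 clears it. The parser is deliberately strict about the NAT statement forms it recognises (list/route-map PAT on an interface, static tcp/udp with an optional extendable), so it will not silently misread other NAT syntax as a self-mapping.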
05-05-2011 03:39 AM
It worked!!!!!
Thanks Brian!!!!