WebVPN does not work from outside ports (https or http) with IOS-12.4(24)T5

inma.espinosa
Level 1

I have a router 877 with IOS-12.4(24)T5

My problem is that when I try to connect to https (or http) from outside to open the web portal to connect using WebVPN (SSL VPN), it never responds!!!

I can connect to my public IP from inside the LAN, however, and open the WebVPN portal, download the AnyConnect software and establish the SSL VPN.

I can connect to my LAN using Cisco VPN Client from outside and I have a Site-to-Site VPN working too.

This is my config (without sensitive data):

---------------------------------------------------------------------------------------------
877_Feria#
877_Feria#show run
Building configuration...

Current configuration : 7756 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 877_Feria
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone Paris 1
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint SSL
 enrollment selfsigned
 fqdn none
 subject-name CN=vpnferia
 revocation-check crl
 rsakeypair SSL_FERIA
!
!
crypto pki certificate chain SSL
 certificate self-signed 03
        quit
dot11 syslog
ip source-route
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
ip domain name feria.net
ip name-server 192.168.254.3
!
!
!
!
username user1 privilege 15 secret 5 $1$zMca$0AkwxrsfBY63XPUHxv31N0
username userVPN secret 5 $1$8iKr$8WV5IhFUmI671.XGp3Gb11
username userWebVPN secret 5 $1$3HPK$tvFjfrQd86iAoHGsa5Uu01
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key interkey address 8.2.24.3
!
crypto isakmp client configuration group CiscoVPN
 key 123456
 pool ippool
 max-users 10
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group CiscoVPN
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to8.2.24.3
 set peer 8.2.24.3
 set transform-set ESP-3DES-SHA
 match address 101
!
archive
 log config
  hidekeys
!
!
ip ssh source-interface Vlan1
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 ip address 8.3.8.6 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 pvc 8/32
  encapsulation aal5snap
 !
 crypto map SDM_CMAP_1
 crypto ipsec df-bit clear
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
 ip unnumbered ATM0.1
!
interface Virtual-Template2 type tunnel
 ip unnumbered ATM0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.254.240 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool ippool 192.168.253.1 192.168.253.10
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
access-list 1 permit 192.168.254.0 0.0.0.255 log
access-list 2 permit any
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=19
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 100 in
 privilege level 15
 login authentication clientauth
 transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn gateway gateway_1
 hostname 877_Feria
 ip address 8.3.8.6 port 443
 http-redirect port 80
 ssl trustpoint SSL
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.2017-k9.pkg sequence 1
!
webvpn context VPN-Feria
 secondary-color white
 title-color #FF9900
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "ippool"
   svc keep-client-installed
 virtual-template 1
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_2
 gateway gateway_1 domain vpnferia
 max-users 10
 inservice
!
end

---------------------------------------------------------------------------------------------

What could I be missing???

Thank you to all!!


5 Replies

Bastien Migette
Cisco Employee

If the WebVPN works from inside and not from outside, I would rather say that it might be a routing/ACL/NAT issue.

To confirm, try the show webvpn and show ip http server commands to check both are online, and try running debug cry pki / debug webvpn when connecting from outside to check what's going on.

In addition, check that your ISP is not blocking port 443.

Try configuring the webvpn on a high port, e.g.

webvpn gateway gateway_1

  ip address 8.3.8.6 port 4433

then try to connect to that port from the outside.

hth
Herbert

The ISP tells me that there are no blocked ports on this ADSL.

The debug commands do not report anything on the outside port. My first suspicion was that the ISP blocks ports, but I can connect using the Cisco VPN Client and I can establish my LAN-to-LAN tunnel with my remote peer,... so at least those services are open.

I tried other high ports like 4443, 44433,... and so on, without success!

I have no more ideas!

Accepted Solution

Try adding a NAT statement for the outside.

ip nat inside source static tcp 8.3.8.6 443 8.3.8.6 443

assuming 8.3.8.6 is your public IP.

-Brian

It worked!!!!!

Thanks Brian!!!!
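A small config check for the condition Brian's fix addresses, added here as an example (it is not Cisco code and not from the original post): it reads an IOS running-config, finds WebVPN gateway listeners bound to an address that is also used for NAT overload, and reports any that lack the self-referencing static NAT line. It also treats the http-redirect port as a listener on the assumption that it is affected the same way, since the OP reported http failing too; the config excerpt is constructed from the thread.

```python
import re

# Constructed excerpt of the config posted in the thread (ATM0.1 is the PAT interface).
CONFIG_BEFORE = """\
interface ATM0.1 point-to-point
 ip address 8.3.8.6 255.255.255.240
 ip nat outside
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
webvpn gateway gateway_1
 ip address 8.3.8.6 port 443
 http-redirect port 80
 inservice
"""
# The same excerpt with the static NAT line from the accepted answer appended.
CONFIG_AFTER = CONFIG_BEFORE + "ip nat inside source static tcp 8.3.8.6 443 8.3.8.6 443\n"

def interface_ips(cfg):
    """Map interface name -> primary IPv4 address (' ip address A MASK' lines)."""
    ips, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = m.group(1)
        m = re.match(r" ip address (\d+\.\d+\.\d+\.\d+) \d", line)
        if m and cur:
            ips[cur] = m.group(1)
    return ips

def webvpn_listeners(cfg):
    """Set of (ip, port) a webvpn gateway listens on, including its http-redirect port."""
    listeners, gw_ip = set(), None
    for line in cfg.splitlines():
        m = re.match(r" ip address (\S+) port (\d+)", line)
        if m:
            gw_ip = m.group(1)
            listeners.add((gw_ip, int(m.group(2))))
        m = re.match(r" http-redirect port (\d+)", line)
        if m and gw_ip:
            listeners.add((gw_ip, int(m.group(1))))
    return listeners

def missing_static_nat(cfg):
    """WebVPN listeners on a PAT interface address that have no self-mapping static NAT."""
    ips = interface_ips(cfg)
    pat_ifaces = re.findall(r"^ip nat inside source .* interface (\S+) overload$", cfg, re.M)
    pat_ips = {ips[i] for i in pat_ifaces if i in ips}
    statics = {(ip, int(port)) for ip, port in re.findall(
        r"^ip nat inside source static tcp (\S+) (\d+) \1 \2$", cfg, re.M)}
    return sorted(l for l in webvpn_listeners(cfg) if l[0] in pat_ips and l not in statics)
```

Run `missing_static_nat(CONFIG_BEFORE)` to see both 443 and 80 flagged; after the accepted answer's line is added only port 80 remains, which is the redirect listener the fix did not cover.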