cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4843
Views
0
Helpful
14
Replies

WEBVPn (SLVPN) no access to LAN

postict
Level 1
Level 1

On a C881 (IOS 15.0(1)M4) I can setup webvpn 9SSLVPN), but when a user logs in he only has access to the interfaces on the C881. No connection to the LAN.

With IOS 15 zoning is introduces and the Cisco Configuration create zoning and "virtual template 1" associated with Interface Virtual-Template1.

On the Cisco web site I'm only abe to find stuff related to setting-up SSLVPN with IOS 12.x and SDM, but not with IOS 15.

Can Cisco shead soem light on the zoning in the IOS 15.x in combination with SSLVPN and "access-lists" ?

I can not see where the LAN access is blocked.

Any suggestions are welcome.

14 Replies 14

Jennifer Halim
Cisco Employee
Cisco Employee

Zone Base FW works the same way in version 12.4 and 15.0.

Can you please share the current configuration and we can easily point to you if there is any misconfiguration.

Here is a sample configuration on ZBFW with VPN:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html

Hope this helps.

The config below:

(I've  replaces soem security relates entries with xxxx , <  > or ....)

I suspect that it is a NAT problem between the VLAn 126 (= LAN) and the SSLVPN client ip range.


Current configuration : 9848 bytes
!
! Last configuration change at 23:54:58 CET Wed Mar 23 2011 by secureadmin
! NVRAM config last updated at 23:14:16 CET Wed Mar 23 2011 by secureadmin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-700492967
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-700492967
revocation-check none
rsakeypair TP-self-signed-700492967
!
!
crypto pki certificate chain TP-self-signed-700492967
certificate self-signed 01
  xxxxxx
  xxxxxx
  xxxxxxx
  quit
ip source-route
!
!
ip dhcp database ftp://xxxxxxxx
ip dhcp excluded-address
ip dhcp excluded-address
!
ip dhcp pool 10
   network
   domain-name local.dmz
   dns-server
   netbios-node-type h-node
   default-router
!
!
ip cef
ip domain name postict.com
ip name-server
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid
!
!
username xxxx privilege 15 secret xxxxxxx
!
!
vlan 82,126
!
vlan 1004
bridge 0
stp type ieee
!
!
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
!
!
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
  pass
class class-default
  drop
!
zone security sslvpn-zone
!
!
!
!
!
!
!
interface Loopback0
ip address 172.25.25.254 255.255.255.0
zone-member security sslvpn-zone
!
!
interface FastEthernet0
switchport mode trunk
duplex full
speed 100
!
!
interface FastEthernet1
switchport access vlan 82
!
!
interface FastEthernet2
switchport access vlan 82
!
!
interface FastEthernet3
description "== VoIP =="
!
!
interface FastEthernet4
description $ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
!
interface Virtual-Template1
description $FW_INSIDE$
ip unnumbered Loopback0
zone-member security sslvpn-zone
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.1.86 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
!
interface Vlan126
description $FW_INSIDE$
ip address 192.168.126.86 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 100 in
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxx
ppp chap password xxxxxxx
no cdp enable
!
!
ip local pool VPN_Pool 172.25.25.10 172.25.25.20
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!

ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.58.0 255.255.255.0 192.168.126.1
!
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
!
logging 192.168.126.165
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.58.0 0.0.0.255
access-list 1 permit 192.168.126.0 0.0.0.255
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 23 permit 10.10.1.0 0.0.0.255
access-list 23 permit 192.168.126.0 0.0.0.255
......
.......
access-list 100 permit tcp any any
.....
.....
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn gateway gateway_1
ip address port 443 
http-redirect port 80
ssl trustpoint TP-self-signed-700492967
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.5.2019-k9.pkg sequence 1
!
webvpn context WebVPN
secondary-color white
title-color #FFFF00
text-color black
ssl authenticate verify all
!
!
policy group policy_1
   functions svc-enabled
   filter tunnel CCP_IP
   svc address-pool "VPN_Pool"
   svc default-domain "postict.com"
   svc keep-client-installed
   svc msie-proxy option bypass-local
   svc split dns "postict.com"
   svc split include 192.168.126.0 255.255.255.0
   svc split include 10.10.1.0 255.255.255.0
   svc dns-server primary 192.168.126.206
virtual-template 1
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1 domain SSLTunnel
inservice
!
end

Spot on, the NAT needs to be extended ACL and deny traffic from being NATed between the internal LAN and VPN Pool subnet.

Here is what needs to be configured:


access-list 120 deny ip 10.10.1.0 0.0.0.255 172.25.25.0 0.0.0.255

access-list 120 deny ip 192.168.126.0 0.0.0.255 172.25.25.0 0.0.0.255

access-list 120 deny ip 192.168.58.0 0.0.0.255 172.25.25.0 0.0.0.255

access-list 120 permit ip 10.10.1.0 0.0.0.255 any

access-list 120 permit ip 192.168.126.0 0.0.0.255 any

access-list 120 permit ip 192.168.58.0 0.0.0.255 any

ip nat inside source list 120 interface Dialer0 overload

no ip nat inside source list 1 interface Dialer0 overload

Then clear the translation table: clear ip nat trans *

Hope this helps.

Jennifer,

Thanks for quick reply.

Unfortunately you suggestion doesn't seems to work.

I've added the "log" entry to the access-list 120, but do not get any message in the syslog for this access-list.

Looks like the VPN client is not matching the access-list and is blocked some where else, but where?

I also added the "zone-member security sslvpn-zone" to the VLAN126 interface, but that did not help eighter.

I can also add that when I start a "trace route" from a WEBVPN client the first hop is the public interface of the C881. Which doesn't seems to be correct to me. Any suggestion how to this can be fixed are welcome.

I've also a C871 and with that one I do not have this issue.

Let's try to resolve the SSL VPN issue first, by removing all the zone member on all interfaces. This is to ensure that we can troubleshoot just on the SSL VPN without worrying about the ZBFW.

Once that has been removed, please kindly share the latest configuration to double check the config.

Also, pls save the config and reload the router once to confirm that it is still not working after the reload. Thanks.

Jennifer,

Thanks for you assistance.

Removed the zone membership of the various interfacese and after a copy run start reloaded the router.

Unfortunately still nog luck.

Client can connect to teh WEBVPN and gets an ip-address 172.25.25.14. Client can ping the VLAN126  (192.168.126.86) and VLAN 1 (10.10.1.86) interface the router. However client can not ping any ip address in the 10.10.1.0/24 or 192.168.126.0/24 range.

A trace route from the client to a LAN address (192.168.126.0/24) shows the Routers public address as the first hop. Which is probably the main reason why this is not working, Any suggestions/remarks are welcome.

Below the (partly securyt related stripped) config:

Current configuration : 10222 bytes
!
! Last configuration change at 12:46:17 CET Fri Mar 25 2011
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret xxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-700492967
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-700492967
revocation-check none
rsakeypair TP-self-signed-700492967
!
!
crypto pki certificate chain TP-self-signed-700492967
certificate self-signed 01
  30820249 ....
  ..
  8617C7BE BB
        quit
ip source-route
!
ip dhcp database ftp://
ip dhcp excluded-address 10.10.1.1 10.10.1.50
ip dhcp excluded-address 10.10.1.81 10.10.1.254
!
ip dhcp pool 10
   network 10.10.1.0 255.255.255.0
   domain-name local.dmz
   dns-server
   netbios-node-type h-node
   default-router 10.10.1.86
!
!
ip cef
ip domain name
ip name-server
ip name-server
ip name-server
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn xxxxxxx
!
!
vtp interface F0
vtp domain PostICT
vtp mode transparent
username xxxxx
username xxxxx
!
!
vlan 82,126
!
vlan 1004
bridge 0
stp type ieee
!
!
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
!
!
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
  pass
class class-default
  drop
!
zone security sslvpn-zone
!
!
!
!
!
!
!
interface Loopback0
ip address 172.25.25.254 255.255.255.0
!
!
interface FastEthernet0
switchport mode trunk
duplex full
speed 100
!
!
interface FastEthernet1
switchport access vlan 82
!
!
interface FastEthernet2
switchport access vlan 82
!
!
interface FastEthernet3
description "== VoIP =="
!
!
interface FastEthernet4
description $ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
  duplex auto
  speed auto
  pppoe-client dial-pool-number 1
  !
!
interface Virtual-Template1
  description $FW_INSIDE$
  ip unnumbered Loopback0
  !
!
interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
  ip address 10.10.1.86 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1412
  !
!
interface Vlan126
  description $FW_INSIDE$
  ip address 192.168.126.86 255.255.255.0
  no ip redirects
  no ip proxy-arp
ip flow ingress
  ip nat inside
  ip virtual-reassembly
  !
!
interface Dialer0
  description $FW_OUTSIDE$
  ip address negotiated
  ip access-group 100 in
  ip mtu 1452
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap callin
  ppp chap hostname xxxxxx
  ppp chap password xxxxxx
  no cdp enable
  !
!
ip local pool VPN_Pool 172.25.25.10 172.25.25.20
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static tcp 10.10.1.203 80 80 extendable
ip nat inside source static tcp 10.10.1.206 25 25 extendable
ip nat inside source static tcp 10.10.1.206 443 8443 extendable
ip nat inside source static tcp 10.10.1.84 443 443 extendable
ip nat inside source static udp 10.10.1.84 1194 1194 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.58.0 255.255.255.0 192.168.126.1
!
ip access-list extended CCP_IP
permit ip any any
!
logging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.58.0 0.0.0.255
access-list 1 permit 192.168.126.0 0.0.0.255
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 23 permit 10.10.1.0 0.0.0.255
access-list 23 permit 192.168.126.0 0.0.0.255

access-list 100 permit ip 10.10.1.0 0.0.0.255 any
access-list 100 remark Incomming SSLVPN server
access-list 100 permit tcp any host eq 443 log
access-list 100 permit udp any eq domain host
access-list 100 deny   ip any any log
access-list 100 deny   tcp any any log
access-list 100 deny   udp any any log
access-list 120 deny   ip 10.10.1.0 0.0.0.255 172.25.25.0 0.0.0.255 log
access-list 120 deny   ip 192.168.126.0 0.0.0.255 172.25.25.0 0.0.0.255 log
access-list 120 deny   ip 192.168.58.0 0.0.0.255 172.25.25.0 0.0.0.255 log
access-list 120 permit ip 10.10.1.0 0.0.0.255 any log
access-list 120 permit ip 192.168.126.0 0.0.0.255 any log
access-list 120 permit ip 192.168.58.0 0.0.0.255 any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
snmp-server community xxxx
snmp-server host xxxxxx
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
ntp logging
ntp source Dialer0
ntp master
ntp update-calendar
ntp server
!
webvpn gateway gateway_1
ip address port 443
http-redirect port 80
ssl trustpoint TP-self-signed-700492967
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.5.2019-k9.pkg sequence 1
!
webvpn context WebVPN
secondary-color white
title-color #FFFF00
text-color black
ssl authenticate verify all
!
!
policy group policy_1
   functions svc-enabled
   filter tunnel CCP_IP
   svc address-pool "VPN_Pool"
   svc default-domain "postict.com"
   svc keep-client-installed
text-color black
ssl authenticate verify all
!
!
policy group policy_1
   functions svc-enabled
   filter tunnel CCP_IP
   svc address-pool "VPN_Pool"
   svc default-domain "Domainname.local"
   svc keep-client-installed
   svc msie-proxy option bypass-local
   svc split dns "domainname.local"
   svc split include 192.168.126.0 255.255.255.0
   svc split include 10.10.1.0 255.255.255.0
   svc dns-server primary 192.168.126.206
virtual-template 1
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1 domain SSLTunnel
inservice
!
end

You have not removed the following as advised earlier:

ip nat inside source list 1 interface Dialer0 overload

Pls remove the above, and clear the translation: clear ip nat trans *

and try the VPN again.

Ok,

I missed that remark.

I removed the "ip nat inside source list 1 interface Dialer0 overload"  and rebooted the router. ( after copy run start)

After this the WEBVPN worked.

I than put the "ip nat inside source list 1 interface Dialer0 overload" back in place and reloaded (after copy run start) the router.

Again all worked.
Probably the reload after changing the nat settings was the step I omitted.

Case with the WEBVPN acces to LAN is now solved.

Thanks for you assistance.

Kind regards,

Jan

Please remove the one that reference to ACL 1 as advised earlier as that is not a correct configuration and is not required.

The reason why it works when you put it back again is because the one that reference ACL 120 will be at the top so that will get used first, and when you put ACL 1 nat statement back in again, it will go to the second line of the NAT statement hence it's working.

In any case, please kindly remove the one that reference ACL 1 as it's not meant to be configured that way anyway:

no ip nat inside source list 1 interface Dialer0 overload

Thanks for your update on this post, and please kindly mark the post as answered so others can learn from your post. Thank you.

When I remove the "ip nat inside source list 1 interface Dialer0 overload" users form the LAN are not able to get to the Web any more.

Seems NAT form the 192.168.126.0/24 range is not working any more.

When I enable NAT (ip nat inside source list 1 interface Dialer0 overload) again the users can server teh web again.

I must add that the the router has a fixed pubilc address and also routes an other public range, which is configured as static NAT.

When there is no "source list 1 nat" and only a "sourec list 120 nat" rule

"sh ip nat" lists only the NAT for the "other public range" which is outside to inside.

When there is a "source list 1 nat" and a "source list 120 nat" rule "sh ip nat tran" shows both translations.Inside global is different for both access lists.

Pro Inside global         Inside local          Outside local         Outside global
tcp :443   10.10.1.84:443        ---                   ---
tcp :25    10.10.1.206:25        31.177.155.12:2874    31.177.155.12:2874
...

...

tcp :39450   10.10.1.206:39450     216.163.188.45:80     216.163.188.45:80
tcp :46404   10.10.1.206:46404     208.50.223.240:80     208.50.223.240:80
....

....

When I put the " source lsit 1" back in place it is put above the "source list 120":

ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static tcp 10.10.1.203 80   80 extendable

The WebVPN is bound to the ""

Can you please share the latest output of:

show access-list 1

show access-lits 120

#sh access-lists 1
Standard IP access list 1
    10 permit 192.168.58.0, wildcard bits 0.0.0.255
    20 permit 192.168.126.0, wildcard bits 0.0.0.255 (878 matches)
    30 permit 10.10.1.0, wildcard bits 0.0.0.255 (8273 matches)
#sh access-lists 120
Extended IP access list 120
    10 deny ip 10.10.1.0 0.0.0.255 172.25.25.0 0.0.0.255 log
    20 deny ip 192.168.126.0 0.0.0.255 172.25.25.0 0.0.0.255 log
    30 deny ip 192.168.58.0 0.0.0.255 172.25.25.0 0.0.0.255 log
    40 permit ip 10.10.1.0 0.0.0.255 any log
    50 permit ip 192.168.126.0 0.0.0.255 any log
    60 permit ip 192.168.58.0 0.0.0.255 any log

Doesn't make sense as they essentially have the same permit statement so should NAT too.

BTW, the "sho ip nat trans" output is showing you the static translation, not the dynamic, which will always be there since you have ip nat inside source static statement.

After removing "ip nat inside source list 1 interface Dialer0 overload", did you perform "clear ip nat trans *" and/or reload the router to see if access-list 120 works? Doesn't seem to be any hitcount on ACL 120.

There is currently not an active WEBVPN connection, that is probably why we don't see a hit on that one.

I'll perform more tests (reloads) later today when I also have a WEBVPN connection set up.

After each change I'll reload the router to make sure alle changes are applied correctly.

I just removed the "source list 1", "cleard ip nat tran". In that case no internet access form the LAN. Cleated the counters on the remaining access list 120. "Sh ip nat trans" did not list any hit on the access list 120 and internet access from the 10.10.1.203 has dropped, and is restored when I add the "source list 1" again.

I do agree all is not very consistend.