How to enable SSL VPN on SR520

Unanswered Question
Jun 15th, 2009

I have configured the SR520 using CCA 2.0 and configured all the SSL settings that are listed under the SSL Server window. When I try to connect using AnyConnect it says that it failed to connect.


Other than configuring the choices under SSL SERVERS, what else do I need to do to make it work?


Thanks,


Johnny

eoncablewire Tue, 06/16/2009 - 08:20

Any takers on this? Has anyone been able to make it work? I could really use a hand here.


Thanks

eoncablewire Tue, 06/16/2009 - 14:25

I don't have access to it now but was looking for a CCA-compatible solution. I will post the config tomorrow after I get a copy.


I know that the SSL pages in CCA were added there for a reason. If you have to go to the CLI in order to make it work, which renders the configuration non-CCA compatible, then why add the SSL pages into CCA in the first place? (I am frustrated... yes)


With that in mind I am thinking that there is some other option that is not on the SSL pages that must be enabled for it to work, but what?


Thanks,


Johnny

addis Wed, 06/17/2009 - 06:14

CCA should be sufficient to do this.


Let's try a few things and see if we can figure it out.

eoncablewire Wed, 06/17/2009 - 16:39

I configured the SSL VPN using CCA 2.0 and it won't work. The IPsec VPN works but not the SSL. I put it at the customer location and changed the IP address. When I clicked SSL VPN it told me that the IP had changed and I had to delete the SSL VPN and add a new one. So I did, and it didn't work. I think there is something wrong with this router... or IOS version....


Anyway here is the config:


Building configuration...


Current configuration : 17634 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SR520
!
boot-start-marker
boot system flash sr520-advipservicesk9-mz.124-24.t.bin
boot-end-marker
!
logging message-counter syslog
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-592898570
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-592898570
revocation-check none
rsakeypair TP-self-signed-592898570
!
!
crypto pki certificate chain TP-self-signed-592898570
certificate self-signed 01
  3082023B 308201A4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35393238 39383537 30301E17 0D303230 33303930 38323130
  305A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3539 32383938
  35373030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  EE2BEE41 286FF820 4CEC7613 65BFF114 00450EB5 3F0EDE1E 2C1AF151 E9D71648
  4AEF48E3 33A6718F CA220FCE A8D22C2B F2FDF3A7 F544E6B3 DC17F351 941A315B
  6C2B50E8 31163F6E 9631567F A42B8EC0 CE416B74 3D3A4AB9 F8185D90 18F8CF7B
  652EA402 3B2C5BFA 7FCC778E 42C359C9 B4387561 CA35A5D7 A0AAA67F 5C98FEF3
  02030100 01A36530 63300F06 03551D13 0101FF04 05300301 01FF3010 0603551D
  11040930 07820553 52353230 301F0603 551D2304 18301680 143622CB F0CE97E5
  16E3E754 05662992 76EF7E0B 9D301D06 03551D0E 04160414 3622CBF0 CE97E516
  E3E75405 66299276 EF7E0B9D 300D0609 2A864886 F70D0101 04050003 8181008C
  97E5658E A0172C20 BC083B32 B0969956 AC267175 9A6372A2 9B88077F C3A4C7ED
  30E26B70 0751E974 F8E1B31E 19972105 12ABEFC3 8C26EBBA 894C702E 7787928D
  3AB1C067 283195A0 2DF91C81 12FAF5CB 8681D2F7 5B2FF6D5 B68C11B0 4DE63985
  68C131C7 1C6A7EEA F6B7BAE0 FABE1A2D A994958C F2D4F4A0 7254193F BB0CFF
       quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.75.1 192.168.75.10
!
ip dhcp pool inside
   import all
   network 192.168.75.0 255.255.255.0
   default-router 192.168.75.1
   dns-server XXXXXXX.196 XXXXX.196
!
!
ip cef
ip name-server 4.2.2.2
ip port-map user-protocol--1 port tcp 3389
no ipv6 cef
!
multilink bundle-name authenticated
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com


parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com


parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com


!
!
username XXXXX privilege 15 secret 5
username XXXXX privilege 15 secret 5
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
key XXXXXXX
dns XXXX.196 XXXXX.196
pool SDM_POOL_1
acl 101
max-users 10
crypto isakmp profile sdm-ike-profile-1
   match identity group EZVPN_GROUP_1
   client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
   isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
archive
log config
  hidekeys
!
process-max-time 150
!
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 105
match protocol user-protocol--1
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect imap match-any sdm-app-imap
match  invalid-command
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 106
class-map type inspect gnutella match-any sdm-app-gnutella
match  file-transfer
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
match  service any
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
match  service any
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any sdm-app-aol-otherservices
match  service any
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect pop3 match-any sdm-app-pop3
match  invalid-command
class-map type inspect match-all sdm-nat-h323-1
match access-group 104
match protocol h323
class-map type inspect kazaa2 match-any sdm-app-kazaa2
match  file-transfer
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
match  req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect ymsgr match-any sdm-app-yahoo
match  service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
match  service text-chat
class-map type inspect edonkey match-any sdm-app-edonkey
match  file-transfer
match  text-chat
match  search-file-name
class-map type inspect match-all dhcp_out_self
match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
match access-group name dhcp-req-permit
class-map type inspect http match-any sdm-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method propfind
match  request method proppatch
match  request method put
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect edonkey match-any sdm-app-edonkeychat
match  search-file-name
match  text-chat
class-map type inspect http match-any sdm-http-allowparam
match  request port-misuse tunneling
class-map type inspect fasttrack match-any sdm-app-fasttrack
match  file-transfer
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-sip-2
match access-group 103
match protocol sip
class-map type inspect match-all sdm-nat-sip-1
match access-group 102
match protocol sip
class-map type inspect edonkey match-any sdm-app-edonkeydownload
match  file-transfer
class-map type inspect match-all sdm-protocol-imap
match protocol imap
class-map type inspect aol match-any sdm-app-aol
match  service text-chat
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect dhcp_self_out
  pass
class type inspect sdm-cls-icmp-access
  inspect
class class-default
  pass
policy-map type inspect p2p sdm-action-app-p2p
class type inspect edonkey sdm-app-edonkeychat
  log
  allow
class type inspect edonkey sdm-app-edonkeydownload
  log
  allow
class type inspect fasttrack sdm-app-fasttrack
  log
  allow
class type inspect gnutella sdm-app-gnutella
  log
  allow
class type inspect kazaa2 sdm-app-kazaa2
  log
  allow
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
  log
  reset
class type inspect http sdm-app-httpmethods
  log
  reset
class type inspect http sdm-http-allowparam
  log
  allow
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
  log
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
  log
policy-map type inspect im sdm-action-app-im
class type inspect aol sdm-app-aol
  log
  allow
class type inspect msnmsgr sdm-app-msn
  log
  allow
class type inspect ymsgr sdm-app-yahoo
  log
  allow
class type inspect aol sdm-app-aol-otherservices
  log
  reset
class type inspect msnmsgr sdm-app-msn-otherservices
  log
  reset
class type inspect ymsgr sdm-app-yahoo-otherservices
  log
  reset
policy-map type inspect sdm-inspect
class type inspect sdm-cls-insp-traffic
  inspect
class type inspect SDM-Voice-permit
  pass
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-p2p
  inspect
  service-policy p2p sdm-action-app-p2p
class type inspect sdm-protocol-im
  inspect
  service-policy im sdm-action-app-im
class class-default
  drop
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
  pass
class type inspect sdm-nat-sip-1
  pass
class type inspect sdm-nat-sip-2
  pass
class type inspect sdm-nat-h323-1
  pass
class type inspect sdm-nat-user-protocol--1-1
  pass
class class-default
  drop
policy-map type inspect sdm-permit
class type inspect SDM_WEBVPN_TRAFFIC
class type inspect SDM_EASY_VPN_SERVER_PT
  pass
class type inspect dhcp_out_self
  pass
class class-default
  drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
  pass
class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport trunk native vlan 75
switchport mode trunk
macro description cisco-switch
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address XX.XX.XX.194 255.255.255.240
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan75
ip nat inside
ip virtual-reassembly
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
no ip address
!
interface Vlan75
description $FW_INSIDE$
ip address 192.168.75.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip local pool SDM_POOL_1 172.16.33.10 172.16.33.20
ip local pool SDM_WEBVPN_POOL_1 172.17.33.30 172.17.33.40
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.193
ip route 10.1.1.0 255.255.255.0 192.168.75.2
ip route 10.1.10.0 255.255.255.0 192.168.75.2
ip route 192.168.10.0 255.255.255.0 192.168.75.2
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.10.12 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static udp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.75.2 1720 interface FastEthernet4 1720
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
ip access-list extended SDM_WEBVPN
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip XX.XX.XX.192 0.0.0.15 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.75.0 0.0.0.255 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip 10.1.10.0 0.0.0.3 any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.75.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.75.2
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.75.2
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.10.12
access-list 106 remark SDM_ACL Category=128
access-list 106 permit ip any host XX.XX.XX.194
!
!
!
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn gateway SDM_WEBVPN_GATEWAY_1
ip address XX.XX.XX.194 port 443 
ssl trustpoint TP-self-signed-592898570
inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn context SDM_WEBVPN_CONTEXT_1
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group SDM_WEBVPN_POLICY_1
   functions svc-enabled
   svc address-pool "SDM_WEBVPN_POOL_1"
   svc keep-client-installed
default-group-policy SDM_WEBVPN_POLICY_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway SDM_WEBVPN_GATEWAY_1
inservice
!
end

Thanks

eoncablewire Fri, 06/19/2009 - 19:27

Well, I defaulted the router using the v9 default configuration (after some trouble, the factory config didn't want to leave), reprogrammed the router, and would you believe it, the SSL tunnel is connecting now. The client is hanging on the software update but I suspect that has to do with the client package, which I will experiment with.


I even dropped it in front of a working sip trunk enabled UC520 and the phones never skipped a beat.


I have learned my lesson: always apply the latest default config before deploying a new router.


Anyone out there know a central location for current configs for the SBCS 500 series products, that is hopefully updated frequently?


Please let me know.


Thanks


Johnny

eoncablewire Tue, 06/23/2009 - 15:56

Well, after much work we got the SSL client to connect. I had the wrong version on the router and got that corrected (that is a whole document in itself; there is a bug in 12.4T that affects the SSL when putting on the old client).


Now, once connected, there is no internet access or inside access on the client PC. I am hoping the CCA guys can shed some light on this.


I did find that we had to set the firewall from medium to low in order for the SSL client to connect. I wonder why the necessary settings are in place for IPsec but not SSL?


Once that was done, TAC tells me that the zone-based firewall is not allowing the traffic through, but there is no way to set it using CCA.


I am told the solution is to add a zone profile for the SSL (which is already added for IPsec), or they are going to add an ACL for the SSL tunnel to allow traffic.


This confuses me, as there is an SSL VPN setting within CCA, so I don't understand why configuring the tunnel with CCA results in requiring the CLI to complete it. It makes me think I am missing something somewhere within CCA to make it work.


Does anyone know anything about this?


Thanks
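The zone-based-firewall change TAC describes in the last post, written out as an added example. This is not part of the original thread and not a CCA-generated or Cisco-supplied snippet; it mirrors the ezvpn-zone pattern the posted config already uses for IPsec (Virtual-Template1 in ezvpn-zone, zone-pairs running sdm-permit-ip) and applies it to the SSL VPN clients. The names webvpn-zone, Virtual-Template2 and the zone-pair names are assumptions; the `virtual-template` command under `webvpn context` is assumed to be available on the 12.4(24)T image shown in the config and should be confirmed on the actual release before use. Two further points come straight from the posted config: the out-zone-to-self class `SDM_WEBVPN_TRAFFIC` (TCP/443 to the outside address) has no action line, and `access-list 1`, which drives the overload NAT, does not include the WebVPN pool 172.17.33.0/24 even though no `svc split include` is configured, so client internet traffic is tunnelled but never translated.

```ios
! Added example (not from the original post). Names and the webvpn-context
! "virtual-template" binding are assumptions to verify on the target IOS release.
!
! 1. Virtual template that SSL VPN (AnyConnect/SVC) clients terminate on,
!    built the same way as Virtual-Template1 for Easy VPN.
interface Virtual-Template2
 ip unnumbered Vlan75
 ip nat inside
 ip virtual-reassembly
 zone-member security webvpn-zone
!
! 2. Bind the template to the existing WebVPN context so client sessions
!    become Virtual-Access interfaces in webvpn-zone.
webvpn context SDM_WEBVPN_CONTEXT_1
 virtual-template 2
!
! 3. Zone plus zone-pairs, reusing the existing sdm-permit-ip policy
!    (permit ip any any, pass), i.e. the same trust level the IPsec zone has.
zone security webvpn-zone
zone-pair security zp-in-webvpn source in-zone destination webvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security zp-webvpn-in source webvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security zp-webvpn-out source webvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security zp-out-webvpn source out-zone destination webvpn-zone
 service-policy type inspect sdm-permit-ip
!
! 4. The out-zone -> self class for TCP/443 has no action in the posted
!    config; give it an explicit one so the SSL handshake reaches the gateway.
policy-map type inspect sdm-permit
 class type inspect SDM_WEBVPN_TRAFFIC
  inspect
!
! 5. No split tunnel is configured, so client internet traffic comes back out
!    through FastEthernet4 and must be translated like LAN traffic.
access-list 1 permit 172.17.33.0 0.0.0.255
```

After applying it, `show zone-pair security` should list the four new pairs, `show webvpn session context all` should show the connected client, and `show policy-map type inspect zone-pair sessions` should show its flows being passed rather than dropped. Note that sdm-permit-ip passes everything in both directions; once the tunnel works, the webvpn-zone pairs are the place to narrow what remote users may reach, which is a tighter control than the IPsec zone currently has.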