SSL VPN Problems configuring via CCA 2.2

Unanswered Question
Dec 24th, 2009

I have configured the SSL VPN via CCA 2.2 and it does not seem to be working. Here is what I have done so far:

In CCA 2.2:

- Configure > Security > SSL VPN

- On the Advanced tab, I checked "Full Tunnel" and added IP address range

- Installed AnyConnect client package "anyconnect-win-2.4.0202-k9.pkg"

- Checked "Enable split tunneling" and added other networks

- The configuration was sent successfully to the router, but I received an error about the firewall not being recognized.

- Added entry to firewall to allow port 443 via the Public IP address of WAN interface.

Tried accessing via web browser remotely and received a "Page cannot be displayed" error; also tried accessing via the AnyConnect client remotely and was unable to connect.

After going back into SSL VPN in CCA (without making any changes in the CLI), it told me that the configuration on the device was unrecognized and that to continue I had to delete the current SSL VPN config and re-create it. Even after re-creating it, it still did not work.

Here is the configuration:

ip inspect name SDM_MEDIUM https
!
interface Loopback3
 ip address 52.52.52.52 255.255.255.0
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address xxx.xxx.xxx.xxx 255.255.255.240
 ip access-group 104 in
 ip nat outside
 ip inspect SDM_MEDIUM out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
 service-policy input sdmappfwp2p_SDM_MEDIUM
 service-policy output sdmappfwp2p_SDM_MEDIUM
!
interface Virtual-Template3 type serial
 ip unnumbered Loopback3
 ip nat inside
 ip virtual-reassembly
!
ip local pool SDM_WEBVPN_POOL_1 192.168.232.10 192.168.232.19
!
access-list 104 permit tcp any host xxx.xxx.xxx.xxx eq 443
!
webvpn gateway SDM_WEBVPN_GATEWAY_1
 ip address xxx.xxx.xxx.xxx port 443
 ssl trustpoint TP-self-signed-429721078
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.4.0202-k9.pkg sequence 1
!
webvpn context SDM_WEBVPN_CONTEXT_1
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group SDM_WEBVPN_POLICY_1
   functions svc-enabled
   svc address-pool "SDM_WEBVPN_POOL_1"
   svc split include 10.0.0.0 255.255.255.0
   svc split include 10.1.1.0 255.255.255.0
   svc split include 10.1.10.0 255.255.255.252
 virtual-template 3
 default-group-policy SDM_WEBVPN_POLICY_1
 aaa authentication list sdm_vpn_xauth_ml_1
 gateway SDM_WEBVPN_GATEWAY_1
 inservice
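The posted config has many pieces that must reference each other correctly before AnyConnect can even reach the gateway: the gateway and context both "inservice", the context pointing at a defined gateway, virtual-template, policy group and address pool, and the inbound ACL on the interface that owns the gateway address permitting TCP to the gateway port. The checker below is an added example written for this thread, not the poster's configuration tool or anything shipped by Cisco; it parses an IOS running-config excerpt by indentation and reports which of those cross-references are missing. The sample config is constructed to mirror the poster's layout with a documentation address (203.0.113.10) in place of the masked WAN IP, and a second, deliberately broken copy shows what a finding looks like.

```python
"""Cross-reference checker for an IOS SSL VPN (webvpn) configuration.

Added example; not the poster's code and not a Cisco tool. The sample
configs are constructed, with 203.0.113.10 standing in for the masked WAN IP.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Node:
    text: str
    children: list = field(default_factory=list)


def parse_ios(config: str) -> list:
    """Nest each config line under the nearest preceding line with less indentation."""
    root = Node("")
    stack = [(-1, root)]
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = Node(raw.strip())
        while stack[-1][0] >= indent:
            stack.pop()
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root.children


def find(nodes, prefix):
    return [n for n in nodes if n.text.startswith(prefix)]


def child_match(node, pattern):
    """Return the first regex match among a block's sub-commands, or None."""
    for c in node.children:
        m = re.match(pattern, c.text)
        if m:
            return m
    return None


def check_webvpn(config: str) -> list:
    """Return a list of human-readable findings; an empty list means consistent."""
    nodes = parse_ios(config)
    findings = []
    ifaces = {n.text.split()[1]: n for n in find(nodes, "interface ")}
    pools = {n.text.split()[3] for n in find(nodes, "ip local pool ")}
    gateways = {n.text.split()[2]: n for n in find(nodes, "webvpn gateway ")}
    if not find(nodes, "webvpn install svc "):
        findings.append("no AnyConnect package installed (webvpn install svc)")
    for name, gw in gateways.items():
        if not child_match(gw, r"inservice$"):
            findings.append(f"gateway {name} is not inservice")
        m = child_match(gw, r"ip address (\S+) port (\d+)")
        if not m:
            findings.append(f"gateway {name} has no ip address/port")
            continue
        ip, port = m.group(1), m.group(2)
        # The gateway address must be an address the router actually owns.
        owner = next((i for i, n in ifaces.items()
                      if child_match(n, rf"ip address {re.escape(ip)} ")), None)
        if owner is None:
            findings.append(f"gateway {name} address {ip} is on no interface")
            continue
        # If an inbound ACL guards that interface it must admit the gateway port.
        acl = child_match(ifaces[owner], r"ip access-group (\S+) in")
        if acl:
            acl_id = acl.group(1)
            permits = [n.text for n in find(nodes, f"access-list {acl_id} permit tcp ")]
            if not any(f"host {ip} eq {port}" in p for p in permits):
                findings.append(f"inbound ACL {acl_id} on {owner} has no permit for tcp/{port} to {ip}")
    for ctx in find(nodes, "webvpn context "):
        cname = ctx.text.split()[2]
        if not child_match(ctx, r"inservice$"):
            findings.append(f"context {cname} is not inservice")
        m = child_match(ctx, r"gateway (\S+)")
        if not m or m.group(1) not in gateways:
            findings.append(f"context {cname} does not reference a defined gateway")
        m = child_match(ctx, r"virtual-template (\d+)")
        if not m or f"Virtual-Template{m.group(1)}" not in ifaces:
            findings.append(f"context {cname} references a missing virtual-template")
        groups = {g.text.split()[2]: g for g in find(ctx.children, "policy group ")}
        m = child_match(ctx, r"default-group-policy (\S+)")
        if not m or m.group(1) not in groups:
            findings.append(f"context {cname} default-group-policy is undefined")
        for gname, g in groups.items():
            if not child_match(g, r"functions svc-enabled"):
                findings.append(f"policy group {gname} is not svc-enabled")
            m = child_match(g, r'svc address-pool "?([^"\s]+)"?')
            if not m or m.group(1) not in pools:
                pool = m.group(1) if m else "(none)"
                findings.append(f"policy group {gname} address pool {pool} is not defined")
    return findings


# Constructed sample mirroring the thread's config; 203.0.113.10 replaces the masked WAN IP.
GOOD_CONFIG = """
interface Loopback3
 ip address 52.52.52.52 255.255.255.0
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address 203.0.113.10 255.255.255.240
 ip access-group 104 in
 ip nat outside
interface Virtual-Template3 type serial
 ip unnumbered Loopback3
 ip nat inside
ip local pool SDM_WEBVPN_POOL_1 192.168.232.10 192.168.232.19
access-list 104 permit tcp any host 203.0.113.10 eq 443
webvpn gateway SDM_WEBVPN_GATEWAY_1
 ip address 203.0.113.10 port 443
 ssl trustpoint TP-self-signed-429721078
 inservice
webvpn install svc flash:/webvpn/anyconnect-win-2.4.0202-k9.pkg sequence 1
webvpn context SDM_WEBVPN_CONTEXT_1
 ssl authenticate verify all
 policy group SDM_WEBVPN_POLICY_1
   functions svc-enabled
   svc address-pool "SDM_WEBVPN_POOL_1"
   svc split include 10.0.0.0 255.255.255.0
 virtual-template 3
 default-group-policy SDM_WEBVPN_POLICY_1
 aaa authentication list sdm_vpn_xauth_ml_1
 gateway SDM_WEBVPN_GATEWAY_1
 inservice
"""

# Same config with two constructed defects: ACL opens the wrong port, pool name misspelt.
BROKEN_CONFIG = (GOOD_CONFIG
                 .replace("eq 443", "eq 22")
                 .replace('"SDM_WEBVPN_POOL_1"', '"SDM_WEBVPN_POOL_9"'))

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_webvpn(cfg) or "no findings")
```

Running the checker against a sanitized copy of the real running-config (paste it into `GOOD_CONFIG`) separates "the webvpn pieces do not line up" from "the pieces line up but something outside this excerpt blocks the session", which is the distinction the thread is circling.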

Steven Smith Sun, 01/03/2010 - 12:00

If CCA doesn't recognize the firewall, that is likely the problem. You will probably have to delete the FW settings and the VPN settings, and then re-add them. Have you made changes to the FW outside of CCA? If so, you should look at the CCA out-of-band guide for this.

brandon.kallas Mon, 01/04/2010 - 15:27

This UC500 was configured quite a long time ago, before CCA was really used for all the configuration, when the CLI was necessary for different features. Since there is a lot of customization and it's a production system, we currently do not want to rebuild the system to be "in-band" at this point. I have opened up SSL (port 443) on the existing firewall; are there other ports and/or protocols that need to be opened on the firewall? Can you please send me an example of a firewall configuration that has SSL VPN configured and working?
