Dual WAN router with SSL VPN unreachable for clients

Answered Question
Jul 27th, 2010

I have a Cisco 888 configured in a Dual WAN setup. There is an ADSL link connected to VLAN 100 and a SDSL link connected to Dialer0. The customer wants to use the ADSL link for normal browsing and wants external SSL VPN users to terminate on the SDSL link. I tried to configure the SDSL link as failover for the ADSL connection.


What's working:

- Internet access for the local clients


What's not working:

- Failover of the ADSL link to SDSL.

- SSL VPN access for clients. Surfing to the external IP address only results in a default HTTP page. Specifying /webvpn.html results in a 404 not found error.


Here's my configuration:

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname x
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 x
!
aaa new-model
!
!
aaa authentication login sslvpn local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3964912732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3964912732
revocation-check none
rsakeypair TP-self-signed-3964912732
!
!
crypto pki certificate chain TP-self-signed-3964912732
certificate self-signed 03
  x
      quit
ip source-route
!
!
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.10.10 192.168.10.20
!
ip dhcp pool ccp-pool
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.254
   dns-server 213.75.63.36 213.75.63.70
   lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name x
no ipv6 cef
!
!
license udi pid CISCO888-K9 sn x
!
!
username ciscoadmin privilege 15 secret 5 x
username vpnuser password 0 x
!
!
controller DSL 0
mode atm
dsl-mode shdsl symmetric annex B
!
interface Loopback1
description SSL dhcp pool gateway address
ip address 192.168.250.1 255.255.255.0
!
interface Loopback2
description SSL VPN website IP address
ip address 10.10.10.1 255.255.255.0
ip policy route-map PBR_SSL
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
pvc KPN 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description LAN
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
!
interface Vlan100
description KPN ADSL 20/1
ip address dhcp
ip nat outside
ip virtual-reassembly
!
interface Dialer0
description KPN SDSL 2/2
ip address negotiated
ip access-group INTERNET_ACL in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username x password 0 x
no cdp enable
!
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool SSLVPN-to-SDSL 10.10.10.1 10.10.10.1 netmask 255.255.255.0
ip nat inside source static tcp 10.10.10.1 443 interface Dialer0 443
ip nat inside source static tcp 10.10.10.1 80 interface Dialer0 80
ip nat inside source route-map NAT_ADSL interface Vlan100 overload
ip nat inside source route-map NAT_SDSL pool SSLVPN-to-SDSL overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 0.0.0.0 0.0.0.0 Dialer0 10
!
ip access-list extended INTERNET_ACL
remark Used with CBAC
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit tcp any host 92.64.32.169 eq 443 www
deny   ip any any log
ip access-list extended LAN
permit ip 192.168.10.0 0.0.0.255 any
deny   ip any any
!
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map NAT_SDSL permit 10
match ip address LAN
match interface Dialer0
!
route-map NAT_ADSL permit 10
match ip address LAN
match interface Vlan100
!
route-map PBR_SSL permit 10
set interface Dialer0
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn gateway MyGateway
hostname d0c
ip address 10.10.10.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-3964912732
inservice
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.0217-k9.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.5.0217-k9.pkg sequence 2
!
webvpn install svc flash:/webvpn/anyconnect-macosx-powerpc-2.5.0217-k9.pkg sequence 3
!
webvpn context SecureMeContext
title "SSL VPN Service"
secondary-color #C0C0C0
title-color #808080
ssl authenticate verify all
!
login-message "VPN"
!
policy group MyDefaultPolicy
   functions svc-enabled
   svc address-pool "sslvpnpool"
   svc keep-client-installed
default-group-policy MyDefaultPolicy
aaa authentication list sslvpn
gateway MyGateway
inservice
!
end


Any suggestions on where to look?

mulatif (Cisco Employee) Wed, 07/28/2010 - 09:56

The possible issue here could be asymmetric routing. Your outside clients are connecting to the Dialer 10 interface, but since your default route is through the other interface, the return traffic is not leaving through the dialer interface.

I would suggest taking this in two steps:

1. Test with one remote PC and add an "ip route ..." for that PC's public IP to leave through Dialer 10.

2. Make sure it works. If it doesn't, then you need to focus on the WebVPN part to see what could be wrong. However, if this works then it proves the WebVPN config is OK.

3. Now remove the route in Step 2 and you will need to configure a local policy for the router-generated traffic (ip local policy

sandervanloosbroek Tue, 08/03/2010 - 09:48

I solved one piece of the puzzle:


webvpn gateway MyGateway
hostname d0c
ip address 10.10.10.1 port 443


This is wrong as it should hold the EXTERNAL IP address instead of the internal one. That fixed the WebVPN over the ADSL line. Now all that remains is fixing the routing and making sure the internet connection continues to work even when the VPN is active. For some reason the AnyConnect client applies a default route of 0.0.0.0 to all clients.


To be continued...

mulatif (Cisco Employee) Tue, 08/03/2010 - 10:03

By default, the AnyConnect client uses "Full Tunneling", which means all traffic needs to go through the router. If you only want specific traffic to be sent through the AnyConnect client then use "Split-Tunneling", which can be configured as below:


webvpn context X
policy group Y
  svc split include
  svc split include
  ...


Naman

sandervanloosbroek Wed, 08/04/2010 - 05:48

Good tip, Naman. The route is now shown correctly in the connection details, but traffic to the internet, despite the correct route, is still impossible. These are the connection statistics:


Protocol Info
    Active Protocol
        Protocol Cipher:  RSA_AES_128_SHA1
        Protocol Compression:  None
        Protocol State:  Connected
        Protocol:  TLS


Routes
    Secure Routes
        192.168.10.0                   255.255.255.0
Firewall Rules


Am I missing something common? It is my first WebVPN setup (used to do EasyVPN). Thanks for your help.

mulatif (Cisco Employee) Thu, 08/05/2010 - 07:37

Hi,

The output above shows that only traffic to the 192.168.10.X network is being sent through the AnyConnect tunnel and all Internet traffic will leave through the local connection. So the only other reason I can think of is that you are not assigning the user a correct DNS server address.

The DNS server is assigned using:


webvpn context X
policy group Y
   svc dns-server primary
   svc dns-server secondary


Make sure that the DNS server you assign is reachable and can resolve names.

You can also make sure that it's actually a DNS issue by trying "ping 4.2.2.1" as a test from the client PC.


Naman

sandervanloosbroek Thu, 08/05/2010 - 08:01

I found out what was wrong 15 minutes ago, I activated an ACL in that policy as well that was conflicting. After I removed that the split tunnel worked flawlessly except for the DNS problem you also pointed out. Instead of pointing to a DNS server I would like the VPN clients to use their own DNS and not resolve anything through the gateway. I tried the following:


webvpn context SecureMeContext
title "VPN Service"
secondary-color orange
title-color black
ssl authenticate verify all
!
login-message "VPN"
!
policy group MyDefaultPolicy
   functions svc-enabled
   svc address-pool "sslvpnpool"
   svc keep-client-installed
   svc split dns "theirdomain.local"
   svc split include 192.168.x.0 255.255.255.0
default-group-policy MyDefaultPolicy
aaa authentication list sslvpn
gateway MyGateway
inservice


This doesn't seem to work, do you have any other suggestions?

Correct Answer
mulatif (Cisco Employee) Thu, 08/05/2010 - 09:14

Hi,

This works for me. When the client tries to resolve an FQDN in the domain specified in "svc split dns ...", it contacts the DNS server assigned through the tunnel. For all other queries, it contacts the DNS server outside the tunnel.

Can you run a packet capture on the physical interface of the client to see the DNS query leaving?

Also, in some home routers the DNS server assigned to the client is the router itself (which usually has a 192.168.X.X address), so you want to make sure that the DNS server being assigned is not part of the split tunnel.



Naman

sandervanloosbroek Thu, 08/05/2010 - 10:55

It works for me too, but only with the AnyConnect client on Windows. The Mac version of AnyConnect does not receive/interpret the split-dns command, or so it seems, so I'm stuck halfway. I might open a TAC case for this, as the setup does otherwise work correctly.

sandervanloosbroek Thu, 08/05/2010 - 14:02

Just got a reply from Cisco: this is a confirmed bug [CSCtf20226] in Mac OS X 10.6. Their workaround is to explicitly define external DNS servers. I used the Google public DNS servers and this indeed works as expected.

(config-webvpn-group)#svc dns-server primary 8.8.8.8
(config-webvpn-group)#svc dns-server secondary 8.8.4.4


Now all I need to do is fix routing the VPN traffic over the other interface.

sandervanloosbroek Wed, 09/22/2010 - 05:29

With the help of user halijenn I have been able to solve the dual WAN problem. It turns out that the WebVPN interface *NEEDS* to be terminated on the default gateway or else it will not work. The obvious workaround is to make a route-map for all traffic except the WebVPN traffic so the default gateway can be set to the secondary interface and the WebVPN will work. I've posted my full config for anyone who ran into the same problem.


I've had stability problems (WebVPN would stop working) with the latest 15.1-2T1 version and downgraded to 15.0-1M3. I've also upgraded to the latest AnyConnect client (2.5.0.1025).


Thanks everyone who helped me.


S.

---


Current configuration : 6478 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxx
!
boot-start-marker
boot system flash:c880data-universalk9-mz.150-1.M3.bin
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login sslvpn local
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
no ip source-route
!
!
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.10.10 192.168.10.20
!
ip dhcp pool ccp-pool
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.254
   dns-server 213.x.x.x 213.x.x.x
   lease 0 2
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO888-K9 sn FCZ1426C1EX
!
!
controller DSL 0
mode atm
dsl-mode shdsl symmetric annex B
!        
interface Loopback1
description SSL dhcp pool gateway address
ip address 192.168.250.1 255.255.255.0
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description LAN
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map NonSSLOut
!
interface Vlan100
ip address 188.x.x.67 255.255.255.248
ip nat outside
ip virtual-reassembly
!
interface Dialer1
ip address 92.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 2
ppp authentication pap callin
ppp pap sent-username xxx password 0 xxx
no cdp enable
!
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended LAN-only
deny   ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
!        
access-list 10 permit 192.168.250.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run


!
!
!
!
route-map NonSSLOut permit 10
match ip address LAN-only
set ip default next-hop 188.x.x.x
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn gateway MyGateway
ip address 92.x.x.x port 443 
http-redirect port 80
ssl trustpoint TP-self-signed-3964912732
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.5.1025-k9.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.5.1025-k9.pkg sequence 2
!
webvpn install svc flash:/webvpn/anyconnect-macosx-powerpc-2.5.1025-k9.pkg sequence 3
!
webvpn context SecureMeContext
ssl authenticate verify all
!
!
policy group MyDefaultPolicy
   functions svc-enabled
   svc address-pool "sslvpnpool"
   svc keep-client-installed
   svc split include 192.168.10.0 255.255.255.0
   svc dns-server primary 8.8.8.8
   svc dns-server secondary 8.8.4.4
default-group-policy MyDefaultPolicy
aaa authentication list sslvpn
gateway MyGateway
inservice
!
end
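The thread ends with two hard-won rules: the webvpn gateway address has to be the address of the interface the default route exits through (the final post), and any resolver the client must keep reaching outside the tunnel, typically the home router, must not fall inside a split-include prefix (the accepted answer). Below is an added example, not code from the thread or from Cisco, that encodes both rules as checks over an IOS running-config. The two config excerpts are constructed from the first and final configs above: the masked public addresses are replaced with RFC 5737 documentation ranges, Vlan100 is given a static address in the "before" excerpt so the ADSL next hop can be tied to an interface, and the home-LAN resolver 192.168.10.1 is a hypothetical value chosen to collide with the split-include.

```python
"""Added example: checks for an IOS WebVPN gateway on a dual-WAN router.

1. The webvpn gateway address must belong to the interface the preferred
   (lowest-distance) default route exits through.
2. A resolver the client must reach outside the tunnel must not fall inside
   a split-include prefix, or its queries are pulled into the tunnel.
Only the config lines these checks need are parsed; the rest is ignored.
"""
import ipaddress
import re

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def parse_config(text):
    """Collect interface addresses, default routes, gateways and SVC policy."""
    cfg = {"interfaces": {}, "routes": [], "gateways": {}, "split_include": [], "dns": []}
    section = kind = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("!"):                      # IOS ends a section at '!'
            section = kind = None
        elif m := re.match(r"interface (\S+)", line):
            section, kind = m[1], "intf"
            cfg["interfaces"].setdefault(section, None)  # None: dhcp/negotiated
        elif m := re.match(r"webvpn gateway (\S+)", line):
            section, kind = m[1], "gw"
        elif (m := re.match(rf"ip address {IPV4} {IPV4}$", line)) and kind == "intf":
            cfg["interfaces"][section] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif (m := re.match(rf"ip address {IPV4} port \d+$", line)) and kind == "gw":
            cfg["gateways"][section] = ipaddress.ip_address(m[1])
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?$", line):
            cfg["routes"].append((int(m[2] or 1), m[1]))  # (distance, target)
        elif m := re.match(rf"svc split include {IPV4} {IPV4}$", line):
            cfg["split_include"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(rf"svc dns-server (?:primary|secondary) {IPV4}$", line):
            cfg["dns"].append(ipaddress.ip_address(m[1]))
    return cfg


def default_egress(cfg):
    """Name the interface the lowest-distance default route leaves through."""
    if not cfg["routes"]:
        return None
    _, target = min(cfg["routes"])
    if target in cfg["interfaces"]:                   # route points at an interface
        return target
    try:
        nexthop = ipaddress.ip_address(target)        # route points at a next hop
    except ValueError:                                # e.g. an 'x.x.x.x' placeholder
        return None
    for name, addr in cfg["interfaces"].items():
        if addr is not None and nexthop in addr.network:
            return name
    return None


def check_gateway_placement(cfg):
    """Rule 1: every webvpn gateway must sit on the default-route egress."""
    findings, egress = [], default_egress(cfg)
    for name, gw_ip in cfg["gateways"].items():
        owner = next((i for i, a in cfg["interfaces"].items()
                      if a is not None and a.ip == gw_ip), None)
        if owner is None:
            findings.append(f"{name}: {gw_ip} is not the address of any interface")
        elif egress is None:
            findings.append(f"{name}: cannot determine default-route egress")
        elif owner != egress:
            findings.append(f"{name}: {gw_ip} is on {owner} but the default route exits via {egress}")
    return findings


def check_split_dns(cfg, client_resolvers):
    """Rule 2: resolvers the client must reach outside the tunnel (its own LAN's
    DNS) must not be split-included. Servers the policy assigns are exempt."""
    findings = []
    for resolver in map(ipaddress.ip_address, client_resolvers):
        if resolver in cfg["dns"]:
            continue
        for net in cfg["split_include"]:
            if resolver in net:
                findings.append(f"resolver {resolver} falls inside split-include {net}; its queries will be tunnelled")
    return findings


# Constructed excerpts of the thread's first and final configs (RFC 5737
# addresses stand in for the masked public ones; Vlan100 made static in BEFORE).
BEFORE = """\
interface Loopback2
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan100
 ip address 192.0.2.67 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 192.0.2.65
ip route 0.0.0.0 0.0.0.0 Dialer0 10
!
webvpn gateway MyGateway
 ip address 10.10.10.1 port 443
!
"""
AFTER = """\
interface Dialer1
 ip address 203.0.113.2 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
webvpn gateway MyGateway
 ip address 203.0.113.2 port 443
!
webvpn context SecureMeContext
 policy group MyDefaultPolicy
   svc split include 192.168.10.0 255.255.255.0
   svc dns-server primary 8.8.8.8
   svc dns-server secondary 8.8.4.4
!
"""
HOME_RESOLVER = "192.168.10.1"   # hypothetical home-router DNS, inside the split-include


def run_checks(text, client_resolvers=(HOME_RESOLVER,)):
    cfg = parse_config(text)
    return check_gateway_placement(cfg) + check_split_dns(cfg, client_resolvers)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, run_checks(text) or ["ok"])
```

Run against the two excerpts, the "before" config fails rule 1 (gateway on Loopback2, default route leaving via Vlan100) and the "after" config passes it, but still trips rule 2 for a client whose home router at 192.168.10.1 is its resolver: that client's DNS queries are tunnelled because the split-include covers its own LAN, which is exactly the overlap the accepted answer warns about and the reason the explicit 8.8.8.8/8.8.4.4 assignment matters.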
