Routing WebVPN packets through non-default WAN interface

Answered Question
Sep 20th, 2010

A customer has 2 WAN connections on his Cisco 888, 1 over Ethernet through a VLAN and 1 SDSL over ATM. Both connections work and I set the WebVPN gateway to terminate at the SDSL IP. This works fine from inside the LAN but from the internet this doesn't work, probably because of the default gateway pointing to the other interface.

I read up on policy based routing but got stuck on how to implement this. There is no real interface so I can't figure out where to apply the route policy. Anyone have any suggestions to point me in the right direction? Mostly on how and where to implement the route-map.

Relevant config below. Inside LAN is 129.168.10.x, loopback WebVPN address pool is 192.168.250.x. Default gateway is 188.x.x.x and the non-default WAN SDSL is 92.x.x.x.

Thanks for any suggestions in advance.

---

!
controller DSL 0
 mode atm
 dsl-mode shdsl symmetric annex B
!
interface Loopback1
 description SSL dhcp pool gateway address
 ip address 192.168.250.1 255.255.255.0
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
 switchport access vlan 100
!
interface Vlan1
 description LAN
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan100
 ip address 188.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
!
interface Dialer1
 ip address 92.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip policy route-map SSL-in
 dialer pool 1
 dialer-group 2
 ppp authentication pap callin
 ppp pap sent-username
 no cdp enable
!
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
!
ip nat inside source list 100 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 188.x.x.x
ip route 0.0.0.0 0.0.0.0 Dialer1 20
!
ip access-list extended SSL-in
 permit ip any any
 deny   ip any any
!
logging esm config
access-list 10 permit 192.168.250.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
route-map SSL-in permit 10
 match ip address SSL-in
 set interface Dialer1
!
webvpn gateway MyGateway
 ip address 92.x.x.x port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3964912732
 inservice
!

Jennifer Halim Mon, 09/20/2010 - 22:27

Unfortunately you can't terminate the WebVPN on the interface where the default route is actually pointing to another interface.

If your default route is pointing towards VLAN100, the WebVPN needs to be terminated on that interface.

sandervanloosbroek Tue, 09/21/2010 - 01:35

Thanks halijenn, that's a clear-cut answer!

Now I need to find another solution to make my customer happy. I can obviously switch the default routes to look like this:

ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 188.x.x.x 20

That will take care of the WebVPN problem. Now all I need to do is to redirect the LAN traffic to the Vlan100 interface. My access list would look like this to refuse packets coming from the SSL pool.

ip access-list extended LAN-only
 deny   ip 192.168.250.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any

My route-map would redirect the LAN packets to Vlan100:

route-map NonSSLOut permit 10
 match ip address LAN-only
 set interface Vlan100

And I'd apply the policy to the default gateway.

interface Dialer1
 ip policy route-map NonSSLOut

Will this work or did I miss anything?

Jennifer Halim Tue, 09/21/2010 - 04:19

You should configure the following default route via policy based route instead:

no ip route 0.0.0.0 0.0.0.0 188.x.x.x 20

ip access-list extended LAN-only
 deny   ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any

route-map NonSSLOut permit 10
 match ip address LAN-only
 set ip default next-hop 188.x.x.x

interface Vlan1
 ip policy route-map NonSSLOut

Basically, the above will achieve the following:
- For traffic from the internal LAN towards the WebVPN pool subnet, it will be routed via the normal default route (Dialer1)
- For everything else from the internal LAN, it will be routed via the policy based routing towards the next-hop IP address off VLAN 100.

Hope that helps.
sandervanloosbroek Wed, 09/22/2010 - 03:45

This doesn't seem to work. Internet connectivity for the local clients is lost after I apply the route-map to the Dialer 1 interface. If I add the following to the route-map internet connectivity is restored but is routed over the SDSL interface instead of Vlan 100.

route-map NonSSLOut permit 10
 match ip address LAN-only
 set interface Vlan100
 set ip default next-hop 188.200.159.65

What am I missing here? Config below:

version 15.0
!
controller DSL 0
 mode atm
 dsl-mode shdsl symmetric annex B
!
interface Loopback1
 description SSL dhcp pool gateway address
 ip address 192.168.250.1 255.255.255.0
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
 switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description LAN
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan100
 description KPN ADSL 20/1
 ip address 188.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
!
interface Dialer1
 ip address 92.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip policy route-map NonSSLOut
 dialer pool 1
 dialer-group 2
 ppp authentication pap callin
 ppp pap sent-username
 no cdp enable
!
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
!
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended LAN-only
 deny   ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended SSL-in
 permit ip any any
 deny   ip any any
!
access-list 10 permit 192.168.250.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
route-map NonSSLOut permit 10
 match ip address LAN-only
 set interface Vlan100
 set ip default next-hop 188.200.159.65
!
webvpn gateway MyGateway
 ip address 92.x.x.x port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3964912732
 inservice
!
end

sandervanloosbroek Wed, 09/22/2010 - 04:33

Stupid me, but it still doesn't work. If I remove the set interface Vlan100 from the route-map and apply the route-map to the Vlan1 interface, internet connectivity is lost again.

If I add the set interface Vlan100 to the route-map, internet connectivity is restored again, but through Dialer1, not through Vlan100.

Any other suggestions?

Correct Answer
Jennifer Halim Wed, 09/22/2010 - 04:40

The NAT statement also needs to be changed to VLAN 100 interface.

Pls remove the following:

ip nat inside source list 100 interface Dialer1 overload

And add the following:

ip nat inside source list 100 interface Vlan100 overload
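The working end state, assembled here as an added reference from Jennifer Halim's two answers and the poster's final config (neither participant posted it in this single form); the x.x.x addresses are the thread's own placeholders, and the exec commands in the trailing comments are standard IOS verification commands rather than anything from the thread:

```cisco
! Default route stays on the SDSL link, where the WebVPN gateway terminates
no ip route 0.0.0.0 0.0.0.0 188.x.x.x 20
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! LAN -> WebVPN pool keeps the normal path; all other LAN traffic is policy-routed
ip access-list extended LAN-only
 deny   ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
! "set ip default next-hop" is only used when the routing table has no explicit
! (non-default) route for the destination, so connected and pool routes still win
route-map NonSSLOut permit 10
 match ip address LAN-only
 set ip default next-hop 188.x.x.x
!
! PBR is applied where the LAN traffic enters (Vlan1), not on Dialer1
interface Dialer1
 no ip policy route-map NonSSLOut
interface Vlan1
 ip policy route-map NonSSLOut
!
! NAT must use the address of the link the LAN traffic now leaves on;
! "interface Dialer1 overload" would keep translating LAN flows to the SDSL address
no ip nat inside source list 100 interface Dialer1 overload
ip nat inside source list 100 interface Vlan100 overload
!
! WebVPN keeps terminating on the SDSL address, which holds the default route
webvpn gateway MyGateway
 ip address 92.x.x.x port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3964912732
 inservice
!
! Verify from exec mode:
!   clear ip nat translation *     (drop entries built under the old NAT rule)
!   show ip policy                 (route-map NonSSLOut bound to Vlan1)
!   show route-map NonSSLOut       (policy match counter increasing)
!   show ip nat translations       (LAN flows translated to 188.x.x.x)
```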

sandervanloosbroek Wed, 09/22/2010 - 04:56

Great work, internet connectivity is restored and WebVPN works as well. Thank you so much for your time and patience!

S.
