03-30-2015 03:00 AM
Hello, I'm trying to set up WebVPN to my internal network. The client is connected to the router, but I can't ping anything on my internal network. Also, I've lost ping between hosts in the internal network. I can ping only the gateway (192.168.162.0).
IOS Version 15.1(4)M9
ip local pool webvpn-pool 192.168.162.212 192.168.162.218
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.162.0 0.0.0.255
webvpn gateway Cisco-WebVPN-Gateway
ip address X.X.X.X port 1025
ssl encryption rc4-md5
ssl trustpoint my-trustpoint
inservice
!
webvpn context Cisco-WebVPN
title "Easy VPN"
ssl authenticate verify all
!
url-list "rewrite"
!
acl "ssl-acl"
permit ip 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0
!
login-message "Cisco Secure WebVPN"
!
policy group webvpnpolicy
functions svc-enabled
functions svc-required
filter tunnel ssl-acl
svc address-pool "webvpn-pool" netmask 255.255.255.0
svc rekey method new-tunnel
svc split include 192.168.162.0 255.255.255.0
default-group-policy webvpnpolicy
aaa authentication list sslvpn
gateway Cisco-WebVPN-Gateway
max-users 2
inservice
!
03-30-2015 05:34 AM
Hi,
I saw the VPN configuration:
policy group webvpnpolicy
functions svc-enabled
functions svc-required
filter tunnel ssl-acl
svc address-pool "webvpn-pool" netmask 255.255.255.0
svc rekey method new-tunnel
svc split include 192.168.162.0 255.255.255.0
default-group-policy webvpnpolicy
aaa authentication list sslvpn
gateway Cisco-WebVPN-Gateway
max-users 2
inservice
acl "ssl-acl"
permit ip 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0
ip local pool webvpn-pool 192.168.162.212 192.168.162.218
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.162.0 0.0.0.255
I would recommend the following:
1. Use an IP local pool with a different range from the one used on the inside network (the overlap causes routing issues).
2. Remove the VPN filter; it is completely unnecessary, since it permits the same traffic that the split tunnel does:
policy group webvpnpolicy
no filter tunnel ssl-acl
3. Use an extended ACL for the NAT, and create a NAT exemption for the inside network to the IP local pool on the outside:
ip access-list extended NAT
deny ip 192.168.162.0 0.0.0.255 XXXX XXXXX --> IP network for the IP pool
permit ip 192.168.162.0 0.0.0.255 any
ip nat inside source list NAT interface GigabitEthernet0/0 overload
Those are the changes I would recommend you apply.
Please don't forget to rate and mark as correct the helpful Post!
David Castro,
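The two fixes in the answer above (a pool that does not overlap the LAN, and a NAT ACL that exempts LAN-to-pool traffic before the overload rule) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the `ip local pool` line out of a constructed copy of the poster's config, tests whether the pool range intersects the inside subnet, and emits the extended NAT ACL the answer describes. The replacement pool 192.168.200.0/24 is an assumption chosen for illustration; the thread leaves that value as a placeholder.

```python
import ipaddress

# Constructed sample: the relevant lines from the original post, verbatim.
SAMPLE_CONFIG = """\
ip local pool webvpn-pool 192.168.162.212 192.168.162.218
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.162.0 0.0.0.255
"""

INSIDE_NET = ipaddress.ip_network("192.168.162.0/24")
# Hypothetical non-overlapping pool subnet (assumption, not from the thread).
NEW_POOL_NET = ipaddress.ip_network("192.168.200.0/24")


def parse_pool(config: str):
    """Return (name, start, end) from an 'ip local pool <name> <start> <end>' line, or None."""
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["ip", "local", "pool"] and len(parts) >= 6:
            return parts[3], parts[4], parts[5]
    return None


def pool_overlaps(pool_start: str, pool_end: str, inside_net: ipaddress.IPv4Network) -> bool:
    """True if any address of the pool [start, end] lies inside the LAN subnet.

    This is the root cause in the thread: a client that receives an address
    the LAN also owns collides with local ARP/routing on both sides.
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end precedes pool start")
    # Closed-interval intersection test against the subnet's address range.
    return start <= inside_net.broadcast_address and end >= inside_net.network_address


def nat_exemption_acl(inside_net: ipaddress.IPv4Network,
                      pool_net: ipaddress.IPv4Network,
                      name: str = "NAT") -> list:
    """Build the extended ACL from the answer: deny LAN->pool first so VPN
    return traffic is never PATed, then permit LAN->any for Internet NAT.
    IOS ACLs take wildcard (inverted) masks, which ipaddress exposes as hostmask."""
    lan = f"{inside_net.network_address} {inside_net.hostmask}"
    pool = f"{pool_net.network_address} {pool_net.hostmask}"
    return [
        f"ip access-list extended {name}",
        f" deny ip {lan} {pool}",
        f" permit ip {lan} any",
        f"ip nat inside source list {name} interface GigabitEthernet0/0 overload",
    ]


def audit(config: str, inside_net: ipaddress.IPv4Network) -> list:
    """Return a list of findings for the config; empty means nothing to report."""
    findings = []
    pool = parse_pool(config)
    if pool is None:
        findings.append("no 'ip local pool' line found")
        return findings
    name, start, end = pool
    if pool_overlaps(start, end, inside_net):
        findings.append(f"pool {name} ({start}-{end}) overlaps inside network {inside_net}")
    if "ip nat inside source list" in config and "ip access-list extended" not in config:
        findings.append("NAT uses a standard ACL; no exemption for LAN->VPN-pool traffic is possible")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, INSIDE_NET):
        print("FINDING:", finding)
    print("\n".join(nat_exemption_acl(INSIDE_NET, NEW_POOL_NET)))
```

Run against the posted config, `audit` reports both problems the answer identifies; the printed ACL is what the third recommendation looks like once the pool has been moved to its own subnet.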
03-30-2015 06:38 AM
Hi,
Could you mark your question as answered by clicking on "Endorse Answer"?
Regards,
David Castro