Cisco Support Community
New Member

IOS SSL VPN application issues

Hi,

I have set up WEBVPN with the SSL client on a Cisco 2811. The WebVPN gateway is via a loopback address on the router, so I NAT port 443 to this address as it enters the ADSL interface.

Everything works great apart from when I try to access an internal address on the router itself (such as the internal LAN 192.168.0.1).

If I try to telnet to this address I connect but then spurious characters appear and the session hangs. I also cannot access the CME web pages via this address.

I have tried disabling CEF to see if some weird internal issue is the problem but that did not fix it.

Anyone else experienced this?

Thanks

Scott

3 REPLIES
New Member

Re: IOS SSL VPN application issues

I have now changed to a static IP address with my provider.

I reconfigured the WebVpn gateway to be the WAN interface and allowed https on the same interface.

The SSL VPN is still working great apart from when I try to connect to interfaces directly connected to the router.

Telnet (to LAN IP address) connects but then spurious characters appear and the telnet session hangs.

I would really appreciate some help on this one!!

Thanks

Re: IOS SSL VPN application issues

Can you post your SSL+ACL related configuration?

Regards

Farrukh

New Member

Re: IOS SSL VPN application issues

Farrukh,

As requested please see related config below:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
ip cef
!
crypto pki trustpoint TP-self-signed-569873274
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-569873274
 revocation-check none
 rsakeypair TP-self-signed-569873274
!
!
crypto pki certificate chain TP-self-signed-569873274
 certificate self-signed 01
!
interface GigabitEthernet1/0
 description $SWDMADDR:192.168.0.2$
 ip address 10.0.0.1 255.255.255.0
 no ip route-cache cef
!
interface GigabitEthernet1/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 no ip route-cache same-interface
!
interface GigabitEthernet1/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 10.0.0.1
 no ip route-cache same-interface
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
!
!
ip local pool TEST 192.168.20.200 192.168.20.240
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 101 remark WEBVPN
access-list 101 permit tcp any host 203.206.169.63 eq 443
access-list 101 deny ip any any log
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
webvpn gateway gateway_1
 ip address 203.206.169.63 port 443
 ssl trustpoint TP-self-signed-569873274
 inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
!
webvpn context visicom
 secondary-color white
 title-color #669999
 text-color black
 ssl authenticate verify all
 !
 url-list "WEB"
   heading "Welcome"
   url-text "OWA" url-value "http://192.168.0.10/exchange"
 !
 !
 policy group policy_1
   url-list "WEB"
   functions svc-enabled
   svc address-pool "TEST"
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include 192.168.0.0 255.255.255.0
   svc split include 192.168.20.0 255.255.255.0
   svc split include 10.10.10.0 255.255.255.0
 default-group-policy policy_1
 aaa authentication list sdm_vpn_xauth_ml_3
 gateway gateway_1
 inservice
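Added example, not part of the thread or of any Cisco tool: a small Python check (standard library `ipaddress` only) that reads the interface, `ip local pool` and `svc split include` lines from a running-config dump and reports two relationships that matter when SVC clients talk to the router's own addresses: whether the SVC address pool sits inside a subnet that is directly connected to the router, and whether each interface address is covered by a split-include network (so the client routes it into the tunnel at all). The embedded `SAMPLE_CONFIG` is a constructed copy of the relevant lines posted above; `parse_config`, `pool_overlaps`, `interfaces_in_split_tunnel` and `report` are names chosen for this example.

```python
import ipaddress

# Constructed sample: the interface, pool and split-include lines from the
# configuration posted in this thread, copied here so the script runs offline.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1/0.1
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/0.20
 ip address 192.168.20.1 255.255.255.0
!
interface Dialer0
 ip address negotiated
!
ip local pool TEST 192.168.20.200 192.168.20.240
!
webvpn context visicom
 policy group policy_1
   svc address-pool "TEST"
   svc split include 192.168.0.0 255.255.255.0
   svc split include 192.168.20.0 255.255.255.0
   svc split include 10.10.10.0 255.255.255.0
"""


def parse_config(text):
    """Pull interface addresses, local pools and svc split-include networks
    out of a running-config dump. Indentation is ignored; a bare '!' ends the
    current interface section."""
    interfaces = {}      # interface name -> IPv4Interface
    pools = {}           # pool name -> (first address, last address)
    split_includes = []  # IPv4Network list from 'svc split include'
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
            continue
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "interface" and len(parts) == 2:
            current = parts[1]
        elif parts[:2] == ["ip", "address"] and current and len(parts) == 4:
            # 'ip address negotiated' has only three tokens and is skipped
            interfaces[current] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
        elif parts[:3] == ["ip", "local", "pool"] and len(parts) == 6:
            pools[parts[3]] = (ipaddress.IPv4Address(parts[4]),
                               ipaddress.IPv4Address(parts[5]))
        elif parts[:3] == ["svc", "split", "include"] and len(parts) == 5:
            split_includes.append(
                ipaddress.IPv4Network(f"{parts[3]}/{parts[4]}", strict=False))
    return interfaces, pools, split_includes


def pool_overlaps(interfaces, pools):
    """Return (pool, interface, subnet) triples for every pool whose range
    touches a subnet that is directly connected to the router."""
    hits = []
    for pool_name, (first, last) in pools.items():
        for if_name, iface in interfaces.items():
            net = iface.network
            # inside the subnet at either end, or a range that encloses it
            if first in net or last in net or (first < net[0] and last > net[-1]):
                hits.append((pool_name, if_name, str(net)))
    return hits


def interfaces_in_split_tunnel(interfaces, split_includes):
    """For each interface address, say whether a split-include network covers
    it, i.e. whether the SVC client will send traffic for it into the tunnel."""
    return {name: any(iface.ip in net for net in split_includes)
            for name, iface in interfaces.items()}


def report(text=SAMPLE_CONFIG):
    """Human-readable findings, one per line."""
    interfaces, pools, split_includes = parse_config(text)
    lines = []
    for pool_name, if_name, net in pool_overlaps(interfaces, pools):
        first, last = pools[pool_name]
        lines.append(f"pool {pool_name} ({first}-{last}) lies in {net} on {if_name}")
    for name, covered in interfaces_in_split_tunnel(interfaces, split_includes).items():
        state = "covered by" if covered else "NOT covered by"
        lines.append(f"{name} address {interfaces[name].ip} is {state} a split include")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On the posted config this reports that pool TEST (192.168.20.200-192.168.20.240) lies inside 192.168.20.0/24 on GigabitEthernet1/0.20, and that 192.168.0.1 and 192.168.20.1 are covered by split includes while 10.0.0.1 is not. The thread does not establish whether the pool overlap is what makes the telnet session hang; the script only makes the relationship visible so it can be checked alongside the ACLs 100 and 102 that are referenced but not shown.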
