Cisco Support Community
AnyConnect on 1800 series with basic setup only partially working

This is driving me nuts. I have AnyConnect working perfectly on an 1811 until I add some basic zone firewall commands. After adding the firewall I can still connect, but can only access the router and none of the other internal devices.

To simplify it, I have the VPN and internal interfaces in the same security zone, almost identical to this Cisco example, although I have the exact same problem if I use separate zones and additional firewall rules.

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-vpn-client/111891-anyconnect-ios-zbpf-config.html

I'm far from being an expert so I figure there is something here that will jump right out at the next person who looks at it.

!
! Last configuration change at 02:17:02 UTC Tue Feb 11 2014 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2352512162
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2352512162
 revocation-check none
 rsakeypair TP-self-signed-2352512162
!
!
crypto pki certificate chain TP-self-signed-2352512162
 certificate self-signed 01
        quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.199
!
ip dhcp pool ccp-pool
 import all
 network 192.168.1.0 255.255.255.0
 domain-name yourdomain.com
 dns-server 192.168.1.3 192.168.1.2
 default-router 192.168.1.1
 lease 0 2
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1811W-AG-A/K9 sn FTX
username cisco privilege 15 secret 0 cisco
!
!
!
class-map type inspect match-all CCP_SSLVPN
 match access-group name CCP_IP
class-map type inspect match-any SDM_WEBVPN
 match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
 match class-map SDM_WEBVPN
 match access-group 101
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-sslvpn-pol
 class type inspect CCP_SSLVPN
  pass
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_WEBVPN_TRAFFIC
  inspect
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security zp-in-zone-in-zone source in-zone destination in-zone
 service-policy type inspect ccp-sslvpn-pol
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-sslvpn-pol
!
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 66.66.66.66 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 no ip address
!
interface FastEthernet9
 no ip address
!
interface Virtual-Template1
 description $FW_INSIDE$
 ip unnumbered Loopback0
 zone-member security in-zone
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool VPN_POOL 10.10.10.1 10.10.10.254
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet1 overload
ip route 0.0.0.0 0.0.0.0 66.66.66.65
!
ip access-list extended CCP_IP
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended SDM_WEBVPN
 remark CCP_ACL Category=1
 permit tcp any any eq 443
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any host 66.66.66.66
no cdp run
!
!
!
!
control-plane
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
!
!
webvpn gateway gateway_1
 ip address 66.66.66.66 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-2352512162
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-3.1.05152-k9.pkg sequence 1
!
webvpn context vpn
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "VPN_POOL" netmask 255.255.255.255
   svc keep-client-installed
   svc split include 192.168.1.0 255.255.255.0
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 inservice
!
end

Thanks much for taking a look and any ideas.
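Added here as a review aid, not code from the original post or from Cisco: a small Python script that parses IOS running-config text and applies the zone-based firewall ordering rules to a flow between two interfaces (zone member to non-member is dropped, different zones without a zone-pair are dropped, the same zone without a zone-pair passes by default, and a zone-pair's service-policy decides otherwise). It also flags the caveat that matters for a VPN-to-LAN path built on `pass`: `pass` creates no session, so reply traffic is judged afresh on the reverse zone-pair. The embedded `SAMPLE_CONFIG` is a constructed excerpt trimmed from the configuration posted above; the interface pairs checked in `main` are chosen for illustration.

```python
# Added example (not code from the post or from Cisco): resolve the IOS zone-based
# firewall verdict for a flow between two interfaces from pasted running-config text.
import re

# Constructed excerpt of the posted configuration: ZBF and interface lines only.
SAMPLE_CONFIG = """\
policy-map type inspect ccp-sslvpn-pol
 class type inspect CCP_SSLVPN
  pass
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
zone-pair security zp-in-zone-in-zone source in-zone destination in-zone
 service-policy type inspect ccp-sslvpn-pol
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-sslvpn-pol
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
interface FastEthernet1
 zone-member security out-zone
interface Virtual-Template1
 zone-member security in-zone
interface Vlan1
 zone-member security in-zone
"""

def parse_ios_config(text):
    """Collect interface zone membership, zone-pairs and policy-map class actions;
    leading spaces mark sub-mode lines, exactly as 'show running-config' prints them."""
    cfg = {"iface_zone": {}, "zone_pairs": {}, "policies": {}}
    section = current_class = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):                        # a new top-level block
            section = current_class = None
            if m := re.match(r"interface (\S+)$", line):
                section = ("interface", m.group(1))
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
                section = ("zone-pair", m.group(1))
                cfg["zone_pairs"][m.group(1)] = {"src": m.group(2), "dst": m.group(3), "policy": None}
            elif m := re.match(r"policy-map type inspect (\S+)", line):
                section = ("policy-map", m.group(1))
                cfg["policies"][m.group(1)] = {}
            continue
        kind, name = section or (None, None)
        if kind == "interface" and (m := re.match(r"zone-member security (\S+)", line)):
            cfg["iface_zone"][name] = m.group(1)
        elif kind == "zone-pair" and (m := re.match(r"service-policy type inspect (\S+)", line)):
            cfg["zone_pairs"][name]["policy"] = m.group(1)
        elif kind == "policy-map":
            if m := re.match(r"class (?:type inspect )?(\S+)", line):
                current_class = m.group(1)                 # next action line belongs to it
            elif current_class and line.split()[0] in ("pass", "inspect", "drop"):
                cfg["policies"][name][current_class] = line.split()[0]
    return cfg

def find_zone_pair(cfg, src_zone, dst_zone):
    """Name and body of the zone-pair for src_zone -> dst_zone, or (None, None)."""
    return next(((n, zp) for n, zp in cfg["zone_pairs"].items()
                 if (zp["src"], zp["dst"]) == (src_zone, dst_zone)), (None, None))

def path_verdict(cfg, src_iface, dst_iface):
    """ZBF ordering rules for traffic entering src_iface and leaving dst_iface.
    Returns (verdict, detail): 'no-zbf', 'drop', 'allow-default' or 'policy'."""
    sz, dz = cfg["iface_zone"].get(src_iface), cfg["iface_zone"].get(dst_iface)
    if sz is None or dz is None:                           # zoned <-> unzoned: always dropped
        return ("no-zbf", "neither interface is a zone member") if sz == dz \
            else ("drop", f"{src_iface} -> {dst_iface}: zone member to non-member")
    name, zp = find_zone_pair(cfg, sz, dz)
    if zp is None:                                         # no zone-pair: only intra-zone survives
        return ("allow-default", f"intra-zone {sz} traffic, no zone-pair") if sz == dz \
            else ("drop", f"no zone-pair {sz} -> {dz}")
    return "policy", {"zone_pair": name, "policy": zp["policy"],
                      "classes": dict(cfg["policies"].get(zp["policy"], {}))}

def stateless_pass_warnings(cfg):
    """'pass' creates no session, so replies are judged afresh on the reverse zone-pair."""
    warnings = []
    for name, zp in cfg["zone_pairs"].items():
        if "pass" not in cfg["policies"].get(zp["policy"], {}).values():
            continue
        rname, rzp = find_zone_pair(cfg, zp["dst"], zp["src"])
        ractions = set(cfg["policies"].get(rzp["policy"], {}).values()) if rzp else set()
        if not ractions & {"pass", "inspect"}:
            warnings.append((name, f"replies {zp['dst']} -> {zp['src']} have no pass/inspect rule"))
    return warnings

if __name__ == "__main__":
    cfg = parse_ios_config(SAMPLE_CONFIG)
    for src, dst in [("Virtual-Template1", "Vlan1"), ("Vlan1", "Virtual-Template1"),
                     ("Vlan1", "FastEthernet1"), ("Loopback0", "Vlan1")]:
        print(f"{src} -> {dst}: {path_verdict(cfg, src, dst)}")
    print("stateless-pass warnings:", stateless_pass_warnings(cfg))
```

Run it against a full pasted `show running-config` by replacing `SAMPLE_CONFIG`; the verdict for `Virtual-Template1 -> Vlan1` shows which zone-pair and policy-map the router consults for VPN-client traffic, which is the first thing to confirm before looking at ACL contents or routing. Note that the script classifies by interface only; it does not evaluate the access-groups inside a class-map, so a `policy` verdict still has to be read against the classes it lists.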
