SSL VPN not Working with NAT ip

CSCO11520436
Level 1

Hi,

I am facing SSL VPN issue in one of my router.

Below are my router configuration details:

!

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname RTR

!

boot-start-marker

boot system flash0:c3900-universalk9-mz.SPA.151-3.T3.bin

boot system flash0:c3900-universalk9-mz.SPA.151-3.T.bin

boot-end-marker

!

!

enable secret 5 <removed>

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sslvpn local

aaa authorization exec default local

!

!

!

!

!

aaa session-id common

!

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-2616696585

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2616696585

revocation-check none

!

!

crypto pki certificate chain TP-self-signed-2616696585

certificate self-signed 01

      quit

no ipv6 cef

ip source-route

ip cef

!

!

!

!

!

no ip domain lookup

ip domain name <domain.com>

!

multilink bundle-name authenticated

!

!

license udi pid C3900-SPE150/K9 sn abcdefghijk

license accept end user agreement

license boot module c3900 technology-package securityk9

hw-module sm 3

!

!

!

username cisco pass <removed>

!

redundancy

!

!

!

!

no ip ftp passive

ip ssh version 2

!

class-map match-all subnet-branch

match access-group 102

class-map match-all subnet-other

match access-group 101

!

!

policy-map subnets

class subnet-other

  bandwidth percent 50

class subnet-branch

  bandwidth percent 49

policy-map physical

class class-default

  shape average percent 10

  police cir 10000000

   conform-action transmit

   exceed-action drop

  service-policy subnets

!

interface Loopback50

description SSL DHCP Pool Gateway Address

ip address 192.168.50.1 255.255.255.0

!

!

interface GigabitEthernet0/0

ip address 192.168.10.1 255.255.255.0 secondary

ip address 192.168.101.1 255.255.255.0 secondary

ip address 192.168.10.164 255.255.255.0

ip accounting output-packets

ip nat inside

ip virtual-reassembly in max-reassemblies 64

duplex full

speed auto

service-policy output physical

!

interface GigabitEthernet0/1

ip address 10.224.149.49 255.255.255.252

ip flow ingress

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet0/2

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/0/0

description ## WAN Interface ###

ip address 10.70.140.10 255.255.255.252

ip flow ingress

ip nat outside

ip virtual-reassembly in

duplex full

speed 100

!

interface FastEthernet0/0/1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/3/0

!

interface FastEthernet0/3/1

!

interface FastEthernet0/3/2

!

interface FastEthernet0/3/3

!

interface GigabitEthernet3/0

ip address 10.1.1.1 255.255.255.0

!

interface Vlan1

no ip address

!

ip local pool sslvpnpool 192.168.50.2 192.168.50.100

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip flow-cache timeout inactive 10

ip flow-cache timeout active 5

ip flow-export version 5

ip flow-export destination 192.168.10.222 9991

!

ip nat translation timeout 3600

ip nat inside source list 199 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 10.70.140.9

!

ip access-list extended VTY_ACL

permit ip 192.168.10.0 0.0.0.255 any

deny   ip any any log

!

access-list 101 permit ip any 192.168.101.0 0.0.0.255

access-list 102 permit ip any 192.168.1.0 0.0.0.255

access-list 102 permit ip any 192.168.2.0 0.0.0.255

access-list 102 permit ip any 192.168.4.0 0.0.0.255

access-list 102 permit ip any 192.168.5.0 0.0.0.255

access-list 102 permit ip any 192.168.6.0 0.0.0.255

access-list 102 permit ip any 192.168.7.0 0.0.0.255

access-list 102 permit ip any 192.168.8.0 0.0.0.255

access-list 102 permit ip any 192.168.9.0 0.0.0.255

access-list 102 permit ip any 192.168.10.0 0.0.0.255

access-list 102 permit ip any 192.168.11.0 0.0.0.255

access-list 102 permit ip any 192.168.12.0 0.0.0.255

access-list 102 permit ip any 192.168.13.0 0.0.0.255

access-list 102 permit ip any 192.168.17.0 0.0.0.255

access-list 102 permit ip any 192.168.19.0 0.0.0.255

access-list 102 permit ip any 192.168.20.0 0.0.0.255

access-list 102 permit ip any 192.168.22.0 0.0.0.255

access-list 102 permit ip any 192.168.24.0 0.0.0.255

access-list 102 permit ip any 192.168.25.0 0.0.0.255

access-list 102 permit ip any 192.168.27.0 0.0.0.255

access-list 102 permit ip any 192.168.28.0 0.0.0.255

access-list 102 permit ip any 192.168.30.0 0.0.0.255

access-list 102 permit ip any 192.168.31.0 0.0.0.255

access-list 102 permit ip any 192.168.32.0 0.0.0.255

access-list 102 permit ip any 192.168.33.0 0.0.0.255

access-list 102 permit ip any 192.168.34.0 0.0.0.255

access-list 102 permit ip any 192.168.35.0 0.0.0.255

access-list 102 permit ip any 192.168.36.0 0.0.0.255

access-list 102 permit ip any 192.168.37.0 0.0.0.255

access-list 102 permit ip any 192.168.38.0 0.0.0.255

access-list 199 permit tcp any any eq 465

access-list 199 permit tcp any any eq 587

access-list 199 permit tcp any any eq 995

access-list 199 permit tcp any any eq 993

access-list 199 permit tcp any any eq smtp

access-list 199 permit tcp any any eq pop3

access-list 199 permit tcp any host XXX.112.233.76 eq 9400

access-list 199 permit tcp any host XXX.112.233.76 eq www

access-list 199 permit ip any host XXX.112.233.76

!

!

control-plane

!

!

privilege exec level 7 traceroute

privilege exec level 7 ping

privilege exec level 9 terminal monitor

privilege exec level 9 terminal no monitor

privilege exec level 9 terminal no

privilege exec level 9 terminal

privilege exec level 7 show mac-address-table

privilege exec level 7 show configuration

privilege exec level 7 show

privilege exec level 9 no debug ip ospf packet

privilege exec level 9 no debug ip ospf events

privilege exec level 9 no debug ip ospf adj

privilege exec level 9 no debug ip ospf

privilege exec level 9 no debug ip routing

privilege exec level 9 no debug ip

privilege exec level 9 no debug serial interface

privilege exec level 9 no debug serial

privilege exec level 9 no debug all

privilege exec level 9 no debug

privilege exec level 9 debug ip ospf packet

privilege exec level 9 debug ip ospf events

privilege exec level 9 debug ip ospf adj

privilege exec level 9 debug ip ospf

privilege exec level 9 debug ip routing

privilege exec level 9 debug ip

privilege exec level 9 debug serial interface

privilege exec level 9 debug serial

privilege exec level 9 debug all

privilege exec level 9 debug

privilege exec level 9 clear arp-cache

privilege exec level 9 clear

privilege exec level 9 no

!

line con 0

line aux 0

line 195

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

flowcontrol software

line vty 0 4

logging synchronous

transport input telnet ssh

transport output all

!

scheduler allocate 20000 1000

!

webvpn gateway MyGateway

ip address xxx.xxx.228.164 port 443 

ssl trustpoint self-signed

inservice

!

webvpn install svc flash0:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 1

!

webvpn context SecureMeContext

title "My SSL VPN Service"

secondary-color #C0C0C0

title-color #808080

ssl authenticate verify all

!

login-message "Welcome to VPN"

!

policy group MyDefaultPolicy

   functions svc-enabled

   svc address-pool "sslvpnpool"

   svc keep-client-installed

default-group-policy MyDefaultPolicy

aaa authentication list sslvpn

gateway MyGateway domain testvpn

max-users 100

inservice

!

end

VISA_HYDR_SOFT#sh ver

Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.1(3)T3, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2011 by Cisco Systems, Inc.

Compiled Thu 15-Dec-11 00:09 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M8, RELEASE SOFTWARE (fc1)

RTR uptime is 4 minutes

System returned to ROM by reload at 14:55:15 UTC Sun Jul 15 2012

System restarted at 14:56:38 UTC Sun Jul 15 2012

System image file is "flash0:c3900-universalk9-mz.SPA.151-3.T3.bin"

Last reload type: Normal Reload

Last reload reason: Reload Command

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE150/K9 with 983040K/65536K bytes of memory.

Processor board ID abcdefghijk

6 FastEthernet interfaces

4 Gigabit Ethernet interfaces

1 terminal line

1 Virtual Private Network (VPN) Module

DRAM configuration is 72 bits wide with parity enabled.

255K bytes of non-volatile configuration memory.

250880K bytes of ATA System CompactFlash 0 (Read/Write)

License Info:

License UDI:

-------------------------------------------------

Device#      PID            SN

-------------------------------------------------

*0        C3900-SPE150/K9       abcdefghikj    

Technology Package License Information for Module:'c3900'

-----------------------------------------------------------------

Technology    Technology-package           Technology-package

              Current       Type           Next reboot 

------------------------------------------------------------------

ipbase        ipbasek9      Permanent      ipbasek9

security      securityk9    Evaluation     securityk9

uc            None          None           None

data          None          None           None

Configuration register is 0x2102

VISA_HYDR_SOFT#show license detail

Index: 1     Feature: SNASw                             Version: 1.0

    License Type: EvalRightToUse

    License State: Not in Use, EULA not accepted

        Evaluation total period: 8  weeks 4  days

        Evaluation period left: 8  weeks 4  days

        Period used: 0  minute  0  second 

    License Count: Non-Counted

    License Priority: None

    Store Index: 6

    Store Name: Built-In License Storage

Index: 2     Feature: SSL_VPN                           Version: 1.0

    License Type: Permanent

    License State: Active, In Use

    License Count: 100/100/0  (Active/In-use/Violation)

    License Priority: Medium

    Store Index: 2

    Store Name: Primary License Storage

Index: 3     Feature: SSL_VPN                           Version: 1.0

    License Type: EvalRightToUse

    License State: Inactive

        Evaluation total period: 8  weeks 4  days

        Evaluation period left: 8  weeks 4  days

        Period used: 0  minute  0  second 

    License Count: 0/0  (In-use/Violation)

    License Priority: None

    Store Index: 4

    Store Name: Built-In License Storage

Index: 4     Feature: WAAS_Express                      Version: 1.0

    License Type: EvalRightToUse

    License State: Not in Use, EULA not accepted

        Evaluation total period: 8  weeks 4  days

        Evaluation period left: 8  weeks 4  days

        Period used: 0  minute  0  second 

    License Count: Non-Counted

    License Priority: None

    Store Index: 8

    Store Name: Built-In License Storage

Index: 5     Feature: cme-srst                          Version: 1.0

    License Type: EvalRightToUse

    License State: Not in Use, EULA not accepted

        Evaluation total period: 8  weeks 4  days

        Evaluation period left: 8  weeks 4  days

        Period used: 0  minute  0  second 

    License Count: 0/0  (In-use/Violation)

    License Priority: None

    Store Index: 7

    Store Name: Built-In License Storage

Index: 6     Feature: datak9                            Version: 1.0

    License Type: EvalRightToUse

    License State: Not in Use, EULA not accepted

        Evaluation total period: 8  weeks 4  days

        Evaluation period left: 8  weeks 4  days

        Period used: 0  minute  0  second 

    License Count: Non-Counted

    License Priority: None

    Store Index: 2

    Store Name: Built-In License Storage

Index: 7     Feature: gatekeeper                        Version: 1.0

    License Type: EvalRightToUse

    License State: Not in Use, EULA not accepted

        Evaluation total period: 8  weeks 4  days

        Evaluation period left: 8  weeks 4  days

        Period used: 0  minute  0  second 

    License Count: Non-Counted

    License Priority: None

    Store Index: 3

    Store Name: Built-In License Storage

Index: 8     Feature: ios-ips-update                    Version: 1.0

    License Type: EvalRightToUse

    License State: Not in Use, EULA not accepted

        Evaluation total period: 8  weeks 4  days

        Evaluation period left: 8  weeks 4  days

        Period used: 0  minute  0  second 

    License Count: Non-Counted

    License Priority: None

    Store Index: 5

    Store Name: Built-In License Storage

Index: 9     Feature: ipbasek9                          Version: 1.0

    License Type: Permanent

    License State: Active, In Use

    License Count: Non-Counted

    License Priority: Medium

    Store Index: 0

    Store Name: Primary License Storage

Index: 10    Feature: securityk9                        Version: 1.0

    License Type: Evaluation

    License State: Active, In Use

        Evaluation total period: 8  weeks 4  days

        Evaluation period left: 4  weeks 1  day 

        Period used: 4  weeks 2  days

        Expiry date: Aug 13 2012 19:34:47

    License Count: Non-Counted

    License Priority: Low

    Store Index: 1

    Store Name: Primary License Storage

Index: 11    Feature: securityk9                        Version: 1.0

    License Type: EvalRightToUse

    License State: Inactive

        Evaluation total period: 8  weeks 4  days

        Evaluation period left: 8  weeks 4  days

        Period used: 0  minute  0  second 

    License Count: Non-Counted

    License Priority: None

    Store Index: 0

    Store Name: Built-In License Storage

Index: 12    Feature: uck9                              Version: 1.0

    License Type: EvalRightToUse

    License State: Not in Use, EULA not accepted

        Evaluation total period: 8  weeks 4  days

        Evaluation period left: 8  weeks 4  days

        Period used: 0  minute  0  second 

    License Count: Non-Counted

    License Priority: None

    Store Index: 1

    Store Name: Built-In License Storage

My service provider has NATed my router's G0/0 IP address 192.168.10.164 to xxx.xxx.228.164, and I am able to telnet and SSH to my router via that public IP.

Any suggestions?

Karthik S

Mohammad Alhyari
Cisco Employee

Hi,

If I understand you correctly, please try to change the IP address under the VPN context to the IP address of your outside interface (the private address in this case).

cheers.

Mohammad.

Hi Mohammad,

It's not working. I have a doubt: NATing with the inside IP might be the problem, as my router's G0/0 IP is NATed to the public IP which I'm trying from outside.

Any suggestions?

Karthik S
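As an added example (not from the original post or from Cisco), a small Python checker that reads a running-config like the one posted above and flags a webvpn gateway whose `ip address` is not configured on any interface, which is the situation here, since xxx.xxx.228.164 is the provider's NAT address rather than an address the router owns; it also flags an `ssl trustpoint` name that no `crypto pki trustpoint` in the config defines (the post defines TP-self-signed-2616696585 while the gateway references self-signed). The config excerpt is constructed from the post, and 203.0.113.164 stands in for the redacted address.

```python
import re

# Constructed excerpt of the running-config posted above (interface, PKI and
# webvpn gateway sections only); 203.0.113.164 stands in for the redacted
# xxx.xxx.228.164 NAT address, which is not an address on the router itself.
CONFIG = """\
crypto pki trustpoint TP-self-signed-2616696585
!
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0 secondary
 ip address 192.168.10.164 255.255.255.0
!
interface FastEthernet0/0/0
 ip address 10.70.140.10 255.255.255.252
!
webvpn gateway MyGateway
 ip address 203.0.113.164 port 443
 ssl trustpoint self-signed
"""

SECTION = re.compile(r"(interface|webvpn gateway|crypto pki trustpoint) (\S+)$")


def parse(config):
    """Map interfaces to their addresses, and collect trustpoints and webvpn gateways.
    Sections end at '!', so the indentation stripped from the forum paste is not needed."""
    addrs, trustpoints, gateways, section = {}, set(), {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line == "!":
            section = None
        elif m := SECTION.match(line):
            section = kind, name = m.groups()
            if kind == "crypto pki trustpoint":
                trustpoints.add(name)
            elif kind == "webvpn gateway":
                gateways[name] = {"ip": None, "port": None, "trustpoint": None}
        elif section and section[0] == "interface" and (m := re.match(r"ip address (\S+) ", line)):
            addrs.setdefault(section[1], []).append(m.group(1))   # primary and secondary
        elif section and section[0] == "webvpn gateway" and (m := re.match(r"ip address (\S+) port (\d+)", line)):
            gateways[section[1]].update(ip=m.group(1), port=int(m.group(2)))
        elif section and section[0] == "webvpn gateway" and (m := re.match(r"ssl trustpoint (\S+)", line)):
            gateways[section[1]]["trustpoint"] = m.group(1)
    return addrs, trustpoints, gateways


def audit(config):
    """Return one finding per gateway setting that cannot work as written."""
    addrs, trustpoints, gateways = parse(config)
    local = {ip for ips in addrs.values() for ip in ips}   # every address the router owns
    findings = []
    for name, gw in gateways.items():
        if gw["ip"] not in local:   # gateway must listen on a local interface address
            findings.append(f"{name}: bind address {gw['ip']} is not configured on any "
                            f"interface (local: {', '.join(sorted(local))})")
        if gw["trustpoint"] and gw["trustpoint"] not in trustpoints:
            findings.append(f"{name}: ssl trustpoint {gw['trustpoint']} is not defined "
                            f"(defined: {', '.join(sorted(trustpoints)) or 'none'})")
    return findings
```

Run `audit()` over a full `show running-config` paste; an empty list means the gateway binds an address the router owns and a trustpoint the config defines.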