Cisco Support Community

New Member

SSL VPN not working with static nat ip

Hi All,

I have my SSL-VPN (SonicWall) box behind a Cisco ASA. I have done the static NAT for the SSL box and I'm able to ping the box from the internet, but I am not able to log in to the SSL VPN web page. Previously the SSL box was working with the static public IP.

Any suggestions would be great

Karthik S
22 REPLIES
Cisco Employee

SSL VPN not working with static nat ip

Can you share the config please?

Do you have access-list that allowed the inbound access on the SSL VPN ports?

New Member

SSL VPN not working with static nat ip

Hi Jennifer,

I have written the access-lists as below:

object network SSL-Host
 host 172.16.1.16
access-list acl_in permit ip host SSL-Host any
object network SSL-Host-Pub
 host 182.x.x.x
access-list acl_out permit any host SSL-Host-Pub

Any suggestions?

Karthik S
Cisco Employee

SSL VPN not working with static nat ip

The acl should be:

access-list acl_out permit any host SSL-Host

New Member

SSL VPN not working with static nat ip

Hi,

Can you explain to me how we can put the private IP permit in acl_out?

Karthik S
Cisco Employee

SSL VPN not working with static nat ip

There are changes to access-lists from version 8.3 onwards: you should use the real IP in the access-list instead of the NATed IP.

Here is the doc for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp460665

(Check out the row "Use of Real IP addresses in access lists instead of translated addresses" under the Firewall Features section.)

New Member

SSL VPN not working with static nat ip

Hi Jennifer,

So the configuration should be like this:

object network SSL-Host
 host 172.16.1.16
access-list acl_in permit ip host SSL-Host any
object network SSL-Host-Pub
 host 182.x.x.x
access-list acl_out permit any host SSL-Host
object network SSL-Host
 nat (Inside,Outside) static 182.x.x.x

Correct me if I am wrong...

Karthik S
Cisco Employee

SSL VPN not working with static nat ip

Yes, that is correct.
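The 8.3 rule settled above (ACEs name the real address, the NAT statement carries the mapped one) is easy to get wrong when an object was created for the public address. The following is an added example, not code from the thread or from Cisco: a small checker that reads ASA 8.3+ style configuration text and flags any ACE that references a static NAT mapped address, directly or through an object whose host is that address. The sample config is constructed (203.0.113.10 stands in for the redacted public address) and the ACEs use the `object` keyword form.

```python
import re

# Constructed sample in the ASA 8.3+ syntax discussed above; 203.0.113.10 stands in
# for the thread's redacted public address. Two ACEs point at the mapped address.
SAMPLE_CONFIG = """
object network SSL-Host
 host 172.16.1.16
 nat (Inside,Outside) static 203.0.113.10
object network SSL-Host-Pub
 host 203.0.113.10
access-list acl_in extended permit ip object SSL-Host any
access-list acl_out extended permit tcp any object SSL-Host-Pub eq 443
access-list acl_out extended permit tcp any host 203.0.113.10 eq 443
access-list acl_out extended permit tcp any object SSL-Host eq 443
"""

def parse_asa(config):
    """Return (objects, aces): objects maps name -> {'real': ip, 'mapped': ip or None},
    aces is a list of (acl_name, ace_line)."""
    objects, aces, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):          # an unindented line ends any object block
            current = None
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
            objects.setdefault(current, {"real": None, "mapped": None})
        elif current and (m := re.match(r"host (\S+)$", line)):
            objects[current]["real"] = m.group(1)
        elif current and (m := re.match(r"nat \(\S+\) static (\S+)$", line)):
            objects[current]["mapped"] = m.group(1)
        elif m := re.match(r"access-list (\S+) ", line):
            aces.append((m.group(1), line))
    return objects, aces

def find_mapped_refs(config):
    """Flag ACEs that name a static NAT mapped address, either as 'host <ip>' or via
    an object whose host is that address. Returns (acl_name, ace_line, real_object)."""
    objects, aces = parse_asa(config)
    mapped = {o["mapped"]: name for name, o in objects.items() if o["mapped"]}
    findings = []
    for acl, line in aces:
        for kind, value in re.findall(r"\b(object|host) (\S+)", line):
            ip = objects.get(value, {}).get("real") if kind == "object" else value
            if ip in mapped:
                findings.append((acl, line, mapped[ip]))
    return findings

if __name__ == "__main__":
    for acl, line, real in find_mapped_refs(SAMPLE_CONFIG):
        print(f"{acl}: mapped address in ACE, use 'object {real}' instead -> {line}")
```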

New Member

SSL VPN not working with static nat ip

Hi Jennifer,

I've been beating my head against this problem and there doesn't seem to be an obvious reason why it doesn't work.

A 3945 router running c3900-universalk9-mz.SPA.151-3.T.bin is configured for SSL VPN. In the status line of the AnyConnect client I see "Unable to process response from x.x.x.x".

aaa new-model
aaa authentication login sslvpn local
aaa session-id common
!
username xxxxx privilege 15 secret xxxxxxx
!
!
!
interface Loopback50
 description SSL DHCP Pool Gateway Address
 ip address 192.168.50.1 255.255.255.0
!
interface Loopback10
 description SSL VPN Website IP address
 ip address x.x.x.164 255.255.255.255
!
ip local pool new 192.168.50.2 192.168.50.100
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended VTY_ACL
 permit ip 192.168.10.0 0.0.0.255 any
 deny ip any any log
!
line vty 0 4
 access-class VTY_ACL in
 logging synchronous
 transport input telnet ssh
 transport output all
!
webvpn gateway MyGateway
 ip address x.x.x.164 port 443
 http-redirect port 80
 ssl trustpoint
 inservice
!
webvpn install svc flash0:/anyconnect-win-2.4.1012-k9.pkg
!
webvpn context SecureMeContext
 title "My SSL VPN Service"
 secondary-color #C0C0C0
 title-color #808080
 ssl authenticate verify all
 !
 login-message "Welcome to VPN"
 !
 policy group MyDefaultPolicy
   functions svc-enabled
   svc address-pool "sslvpnpool"
   svc keep-client-installed
 default-group-policy MyDefaultPolicy
 aaa authentication list sslvpn
 gateway MyGateway domain testvpn
 max-users 100
 inservice
!

Please help me out on this.

Karthik S
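A webvpn context on IOS stitches together names defined elsewhere in the config (the address pool, the AAA login list, the gateway, the policy group), and a dangling reference fails quietly at connect time rather than at configuration time. The following is an added example, not code from the thread or from Cisco: a checker that resolves those references. The sample is constructed from the configuration posted above (public address substituted), and it reproduces the name mismatch visible there between `ip local pool new` and `svc address-pool "sslvpnpool"`.

```python
import re

# Constructed sample modelled on the 3945 webvpn config posted above; the public
# address is substituted, all other names are the thread's own.
SAMPLE_IOS = """
aaa new-model
aaa authentication login sslvpn local
ip local pool new 192.168.50.2 192.168.50.100
webvpn gateway MyGateway
 ip address 203.0.113.164 port 443
 inservice
webvpn context SecureMeContext
 policy group MyDefaultPolicy
   functions svc-enabled
   svc address-pool "sslvpnpool"
 default-group-policy MyDefaultPolicy
 aaa authentication list sslvpn
 gateway MyGateway domain testvpn
 inservice
"""

def check_webvpn_refs(config):
    """Return a list of (context_name, problem) for names a webvpn context refers to
    that are not defined anywhere in the config."""
    pools = set(re.findall(r"^ip local pool (\S+)", config, re.M))
    aaa_lists = set(re.findall(r"^aaa authentication login (\S+)", config, re.M))
    gateways = set(re.findall(r"^webvpn gateway (\S+)", config, re.M))
    problems = []
    # A context's body is the run of indented lines that follows its header.
    for m in re.finditer(r"^webvpn context (\S+)\n((?: .*\n)*)", config, re.M):
        ctx, body = m.group(1), m.group(2)
        groups = set(re.findall(r"^\s*policy group (\S+)", body, re.M))
        for pool in re.findall(r'svc address-pool "?([^"\n]+)"?', body):
            if pool not in pools:
                problems.append((ctx, f"svc address-pool '{pool}' has no 'ip local pool'"))
        for lst in re.findall(r"aaa authentication list (\S+)", body):
            if lst not in aaa_lists:
                problems.append((ctx, f"aaa list '{lst}' has no 'aaa authentication login'"))
        for gw in re.findall(r"^\s*gateway (\S+)", body, re.M):
            if gw not in gateways:
                problems.append((ctx, f"gateway '{gw}' is not defined"))
        for dg in re.findall(r"default-group-policy (\S+)", body):
            if dg not in groups:
                problems.append((ctx, f"default-group-policy '{dg}' has no 'policy group'"))
    return problems

if __name__ == "__main__":
    for ctx, problem in check_webvpn_refs(SAMPLE_IOS):
        print(f"webvpn context {ctx}: {problem}")
```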
Cisco Employee

SSL VPN not working with static nat ip

You don't need to configure loopback 10 with the same ip address as the SSL VPN termination ip address. Please remove loopback10 and see if that resolves the issue.

Also this ip address: x.x.x.164, is it being routed towards the 3945?

New Member

SSL VPN not working with static nat ip

Hi Jennifer,

IP address x.x.x.164 is routed towards my router; I have tested this by logging in to the router from the public side.

I removed loopback10; still no luck.

Any suggestion?

Karthik S
Cisco Employee

SSL VPN not working with static nat ip

Can you share the router's full config please? Also, are you able to telnet to port 443 from the outside towards the public IP?

New Member

SSL VPN not working with static nat ip

Hi Jennifer,

I am able to telnet to port 443 from outside. If you have any working SSL VPN config for a router, please share it.

Karthik S
Cisco Employee

SSL VPN not working with static nat ip

Here is a sample config:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080af314a.shtml

It seems like you already have all the config in place.

New Member

SSL VPN not working with static nat ip

Hi Jennifer,

I followed the same link to configure it. Any suggestion?

Karthik S
Cisco Employee

SSL VPN not working with static nat ip

Do you have the SecurityK9 as well as the SSL license installed on your 3900 router?

Please share the output of "show license".

New Member

SSL VPN not working with static nat ip

Hi Jennifer,

I have the evaluation license file in my router. I got it from licensing@cisco.com.

Karthik S
Cisco Employee

SSL VPN not working with static nat ip

Can you please share the output of "show license"? You can remove the serial #.

New Member

SSL VPN not working with static nat ip

Hi Jennifer,

RTR#sh license
Index 1 Feature: ipbasek9
    Period left: Life time
    License Type: Permanent
    License State: Active, In Use
    License Count: Non-Counted
    License Priority: Medium
Index 2 Feature: securityk9
    Period left: 625 weeks 4  days
    Period Used: 7  weeks 6  days
    License Type: Evaluation
    License State: Active, In Use
    License Count: Non-Counted
    License Priority: Low
Index 3 Feature: uck9
    Period left: 617 weeks 0  day
    Period Used: 7  weeks 6  days
    License Type: Evaluation
    License State: Active, In Use
    License Count: Non-Counted
    License Priority: Low
Index 4 Feature: datak9
    Period left: 625 weeks 0  day
    Period Used: 0  minute  0  second
    License Type: Evaluation
    License State: Active, Not in Use, EULA accepted
    License Count: Non-Counted
    License Priority: Low
Index 5 Feature: gatekeeper
    Period left: Not Activated
    Period Used: 0  minute  0  second
    License Type: Evaluation
    License State: Not in Use, EULA not accepted
    License Count: Non-Counted
    License Priority: None
Index 6 Feature: LI
Index 7 Feature: SSL_VPN
    Period left: Life time
    License Type: Permanent
    License State: Active, In Use
    License Count: 100/100/0  (Active/In-use/Violation)
    License Priority: Medium
Index 8 Feature: ios-ips-update
    Period Used: 0  minute  0  second
    License Type: Evaluation
    Start Date:         N/A, End Date: Dec 31 2025
    License State: Not in Use, EULA not accepted
    License Count: Non-Counted
    License Priority: None
Index 9 Feature: SNASw
    Period left: Not Activated
    Period Used: 0  minute  0  second
    License Type: Evaluation
    License State: Not in Use, EULA not accepted
    License Count: Non-Counted
    License Priority: None
Index 10 Feature: hseck9
Index 11 Feature: cme-srst
    Period left: Not Activated
    Period Used: 0  minute  0  second
    License Type: Evaluation
    License State: Not in Use, EULA not accepted
    License Count: 5000/0/0  (Active/In-use/Violation)
    License Priority: None
Index 12 Feature: WAAS_Express
    Period left: Not Activated
    Period Used: 0  minute  0  second
    License Type: Evaluation
    License State: Not in Use, EULA not accepted
    License Count: Non-Counted
    License Priority: None

Any suggestions?

Karthik S
Cisco Employee

SSL VPN not working with static nat ip

Looks OK to me.

You might want to run a debug on the router and see why it's failing.

New Member

SSL VPN not working with static nat ip

Hi Jennifer,

Which command outputs do you require?

Karthik S
Cisco Employee

SSL VPN not working with static nat ip

debug webvpn trace

New Member

SSL VPN not working with static nat ip

Hi Jennifer,

The command is not working.

Karthik S