SSL VPN on Cisco 1941 with Firewall woes

orkman2013
Level 1

Hi Folks,

Been trying to set up SSL VPN on a 1941 with limited success.

I can get the VPN configured and working, but as soon as I enable the firewall it blocks the VPN.

The VPN connects and I can ping the internal gateway address from a remote client, but I can't connect to any of the internal LAN addresses.

Been round and round in circles, any help appreciated.

Cheers

Building configuration...

Current configuration : 9532 bytes
!
! Last configuration change at 13:08:29 UTC Sun Feb 23 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 4 xxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!
!
!
ip name-server 8.8.8.8
ip name-server 4.4.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint my-gw-ca
 enrollment selfsigned
 subject-name Cn=gw
 revocation-check crl
 rsakeypair gw-rsa
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
!
crypto pki certificate chain my-gw-ca
 certificate self-signed 01
  30820320 30820208 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  DAC0F948 A5B56EDD CD6DABBD 47463AB2 7E3F0DC3 DF4ECCE6 EAC5E916 B83DA4D0 C3119E9B
            quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1941/K9 sn
!
!
username aaa privilege 15 secret 4
username bbb privilege 0 secret 4
username ccc privilege 15 view root secret 4
redundancy
!
class-map type inspect match-all CCP_SSLVPN
 match access-group name CCP_IP
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_WEBVPN
 match access-group name SDM_WEBVPN
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
 match class-map SDM_WEBVPN
 match access-group 102
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
!
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  pass
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  pass
policy-map type inspect ccp-sslvpn-pol
 class type inspect CCP_SSLVPN
  pass
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_WEBVPN_TRAFFIC
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security out-zone
zone security in-zone
zone security sslvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
 service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
 service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
 service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
 service-policy type inspect ccp-sslvpn-pol
!
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.05152-k9.pkg sequence 1
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.192.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 194.74.99.99 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Virtual-Template1
 description $FW_INSIDE$
 ip unnumbered GigabitEthernet0/1
 zone-member security in-zone
!
interface Virtual-Template2
 description $FW_INSIDE$
 ip unnumbered GigabitEthernet0/1
 zone-member security in-zone
!
interface Virtual-Template3
 ip unnumbered GigabitEthernet0/1
 zone-member security sslvpn-zone
!
ip local pool vpn-ssl-pool 192.168.192.200 192.168.192.210
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip access-list extended CCP_IP
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended SDM_WEBVPN
 remark CCP_ACL Category=1
 permit tcp any any eq 4444
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.192.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.192.2
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip any host 194.74.2.81
!
!
!
!
!
control-plane
!
!
webvpn gateway ssl_gw
 ip address 194.74.99.99 port 4444
 ssl trustpoint my-gw-ca
 inservice
!
webvpn context ssl-ctx
 !
 acl "ssl-acl"
   permit ip 192.168.192.0 255.255.255.0 192.168.192.0 255.255.255.0
 gateway ssl_gw
 max-users 10
 !
 ssl authenticate verify all
 inservice
 !
 policy group ssl_policy
   functions svc-enabled
   filter tunnel ssl-acl
   svc address-pool "vpn-ssl-pool" netmask 255.255.255.0
   svc keep-client-installed
   svc split include 192.168.192.0 255.255.255.0
   svc dns-server primary 192.168.192.2
 default-group-policy ssl_policy
!
end
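As an added example that is not part of the post (nor a Cisco tool), the walker below reads the zone-based-firewall lines of the config above and, for a source and destination zone, lists the policy classes in the order the router evaluates them, with their match criteria and action. The only input it assumes is the hand-copied excerpt embedded in it; the class, policy and zone-pair names are the post's own.

```python
import re

# Excerpt of the zone-based-firewall lines from the config posted above, copied
# by hand so the walker runs stand-alone; nothing else from the config is needed.
CONFIG = """
class-map type inspect match-all CCP_SSLVPN
 match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
 class type inspect CCP_SSLVPN
  pass
 class class-default
  drop
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
 service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
 service-policy type inspect ccp-sslvpn-pol
"""

def parse(cfg):
    """Collect inspect class-maps, inspect policy-maps and zone-pairs from IOS text."""
    classes, policies, pairs, cls, pol, pair = {}, {}, {}, None, None, None
    for s in (line.strip() for line in cfg.strip().splitlines()):
        if m := re.match(r"class-map type inspect match-(all|any) (\S+)$", s):
            cls, pol, pair = classes.setdefault(m[2], {"mode": m[1], "match": []}), None, None
        elif m := re.match(r"policy-map type inspect (\S+)$", s):
            cls, pol, pair = None, policies.setdefault(m[1], []), None
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", s):
            cls, pol, pair = None, None, (m[1], m[2])
        elif s.startswith("match ") and cls is not None:
            cls["match"].append(s[6:])
        elif (m := re.match(r"class (?:type inspect )?(\S+)$", s)) and pol is not None:
            pol.append([m[1], None])              # action is on the following line
        elif s in ("pass", "inspect", "drop") and pol:
            pol[-1][1] = s
        elif (m := re.match(r"service-policy type inspect (\S+)$", s)) and pair:
            pairs[pair] = m[1]
    return classes, policies, pairs

def walk(cfg, src, dst):
    """Ordered (class, match-mode, criteria, action) rows applied to traffic from zone
    src to zone dst; None when no zone-pair exists (between two zones that means drop)."""
    classes, policies, pairs = parse(cfg)
    if (src, dst) not in pairs:
        return None
    rows = []
    for cname, action in policies[pairs[(src, dst)]]:
        crit = classes.get(cname, {"mode": "-", "match": ["(anything else)"]})
        rows.append((cname, crit["mode"], tuple(crit["match"]), action))
    return rows
```

Calling walk(CONFIG, "sslvpn-zone", "in-zone") shows which class and action govern VPN-client-to-LAN traffic, and None comes back for a zone pair the config never defines.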
