Link to home
Create AccountLog in
Avatar of Moey_G
Moey_GFlag for Australia

asked on

Cisco WebVPN page does not display

Dear All,

Recently we had to make a change to one of our Cisco 2821 routers. We backed up the startup config to a TFTP server and made the changes.

Unfortunately the changes we made to the router stopped some other services working, so we rolled back to the configuration backup we made before any changes were made and did a reload.

Once the router had booted up with the old config, all services came back online except the Cisco WebVPN. If you use the Cisco VPN program you can connect and VPN OK but we previously had a page

http://ourdomain.com/vpn

That launched the Cisco WebVPN page and installed the client etc.

Since no ACL changes were made, and we reverted to the backup config anyway I can't see why it would have stopped working.

I can connect to the router using http to view the SDM config pages, so the router is responding to http traffic.

Anyway, have tried numerous different things, but VPN config is beyond the realms of Cisco training I've got. I'm new to this organisation, and the documentation for this router is pretty non-existant unfortunately.

Here is a snippet of the config, can you see anything wrong? Are there any things that would need to be re-configured if a router was reloaded(I wouldn't think so) and are there any "gotchas" with WebVPN setup I may have missed.

webvpn gateway gateway_1
 ip address 192.168.0.1 port 443 (IP address adjusted for post)
 http-redirect port 80
 ssl trustpoint Thawte
 inservice
 !
webvpn install svc flash:/webvpn/svc.pkg
 !
webvpn context VPN
 title "OurCompany - WebVPN"
 logo file logo.jpg
 title-color #009933
 secondary-color white
 text-color black
 ssl authenticate verify all
 !
 login-message "You must be authorised to use this service. Disconnect immediate
ly if you are not an authorised user."
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "VPN_Pool"

etc..



Thanks.
Avatar of btassure
btassure
Flag of United Kingdom of Great Britain and Northern Ireland image

Can you please post a full config? Make sure you sanitise any IP addresses and passwords.
Avatar of Moey_G

ASKER

Here is the full config, I've removed all public IPs and passwords.

I'm not sure, I have a feeling perhaps SSL isn't working properly, that or could a certificate issue cause this problem?

Thanks.

------------------------------------------------------------------

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging

!
aaa new-model
!
!
aaa authentication login default local group radius
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authentication ppp default group radius
aaa authentication dot1x default group radius
aaa authorization exec default local group radius
aaa authorization network default group radius
aaa authorization network sdm_vpn_group_ml_1 group radius
aaa authorization network sdm_vpn_group_ml_4 local
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
!
resource policy
!
clock timezone
!
!
ip cef
!
!
ip domain name domain.net
ip name-server 10.101.1.3
!
voice-card 0
 no dspfarm
!
!
crypto pki trustpoint TP-self-signed-1676
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1676
 revocation-check none
 rsakeypair TP-self-signed-1676
!
crypto pki trustpoint Thawte
 enrollment terminal
 serial-number none
 fqdn vpn.company.com
 ip-address none
 password
 subject-name O=Company, OU=MIS, CN=vpn.company.com, C=AU, ST=
VIC, L=Melbourne
 crl query ldap://crl.thawte.com/ThawteSererverPremiuumCA.crl
 revocation-check crl
 rsakeypair vpn.company.com
 regenerate
!
!
crypto pki certificate chain TP-self-signed-16764
 certificate self-signed 01
CRYPTO STUFF HERE
  quit
crypto pki certificate chain Thawte
 certificate 7CRYPTO STUFF HERE
CRYPTO STUFF HERE
  quit
 certificate ca 01
  quit
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN
 key CRYPTO STUFF HERE
 dns 10.101.1.4 10.101.1.3
 wins 10.101.1.4
 domain company.com
 pool VPN_Pool
 acl 121
 include-local-lan
 max-users 48
 banner ^CBy logging on you acknowledge and agree that you are aware of and will
 comply with the companys computer usage policies. Also that you are aware the c
ompany conducts surveillance of staff computer use and that you are responsible
for all activity
in your username.
Disciplinary action for unauthorised, illegal, or fraudulent use may follow, and
 could include dismissal and/or legal prosecution. You must obtain and read a co
py of the Acceptable Use Policy prior to using the system.   ^C
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA3
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_4
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 no ip address
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.100.1.1 255.255.0.0
 ip nat inside
 ip inspect sdm_ins_in_101 in
 ip virtual-reassembly
!
interface GigabitEthernet0/0.120
 description $ETH-LAN$
 encapsulation dot1Q 120
 ip address 10.120.1.254 255.255.0.0
 ip access-group 120 in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.150
 description $ETH-LAN$
 encapsulation dot1Q 150
 ip address 10.150.1.1 255.255.0.0
 ip access-group 150 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect sdm_ins_in_101 in
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address PUBLIC IP
 ip access-group 2101 in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/0/0
 switchport access vlan 200
!
interface FastEthernet0/0/1
 switchport access vlan 200
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Virtual-Dot11Radio1
 no ip address
!
interface Virtual-PPP1
 no ip address
!
interface Vlan1
 no ip address
!
!
interface Virtual-TokenRing1
 no ip address
 ring-speed 16
!
router rip
 version 2
 network 10.0.0.0
!
ip local pool VPN_Pool 10.120.1.2 10.120.1.50
ip route 0.0.0.0 0.0.0.0 PUBLIC IP
ip route 10.1.0.0 255.255.0.0 10.100.1.2
ip route 10.2.0.0 255.255.0.0 10.100.1.2
ip route 10.3.0.0 255.255.0.0 10.100.1.2
ip route 172.16.0.0 255.255.0.0 10.100.1.2
ip route 192.168.0.0 255.255.0.0 10.100.1.2
!
ip flow-cache timeout active 1
ip flow-export version 5
ip flow-top-talkers
 top 15
 sort-by bytes
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.101.1.7 25 PUBLIC IP 25 route-map SDM_R
MAP_8 extendable
ip nat inside source static tcp 10.101.1.19 80 PUBLIC IP 80 route-map SDM_
RMAP_9 extendable
ip nat inside source static tcp 10.101.1.19 443 PUBLIC IP 443 route-map SD
M_RMAP_9 extendable
ip nat inside source static tcp 10.101.1.19 1494 PUBLIC IP 1494 route-map
SDM_RMAP_9 extendable
ip nat inside source static tcp 10.102.1.5 22 PUBLIC IP 29 route-map SDM_R
MAP_11 extendable
ip nat inside source static tcp 10.101.1.10 80 PUBLIC IP 80 route-map SDM_
RMAP_4 extendable
ip nat inside source static tcp 10.101.1.10 443 PUBLIC IP 443 route-map SD
M_RMAP_5 extendable
ip nat inside source static tcp 10.101.1.7 80 PUBLIC IP 80 route-map SDM_R
MAP_10 extendable
ip nat inside source static tcp 10.101.1.7 443 PUBLIC IP9 443 route-map SDM
_RMAP_7 extendable
ip nat inside source static tcp 10.101.1.108 23 PUBLIC IP 23 route-map SDM
_RMAP_13 extendable
ip nat inside source static tcp 10.101.1.3 80 PUBLIC IP 80 route-map SDM_R
MAP_3 extendable
ip nat inside source static tcp 10.101.1.3 443 PUBLIC IP 443 route-map SDM
_RMAP_6 extendable
!

!
!
!
route-map SDM_RMAP_11 permit 1
 match ip address 132
!
route-map SDM_RMAP_10 permit 1
 match ip address 131
!
route-map SDM_RMAP_13 permit 1
 match ip address 134
!
route-map SDM_RMAP_4 permit 1
 match ip address 125
!
route-map SDM_RMAP_5 permit 1
 match ip address 126
!
route-map SDM_RMAP_6 permit 1
 match ip address 127
!
route-map SDM_RMAP_7 permit 1
 match ip address 128
!
route-map SDM_RMAP_1 permit 1
 match ip address 122
!
route-map SDM_RMAP_3 permit 1
 match ip address 124
!
route-map SDM_RMAP_8 permit 1
 match ip address 129
!
route-map SDM_RMAP_9 permit 1
 match ip address 130
!
!
!
radius-server host IP ADDRESS auth-port 1645 acct-port 1646
radius-server key 7 KEYHERE
!
control-plane
!
!
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 exec-timeout 60 0
line aux 0
 password 7 PASSWORD
 modem InOut
 modem autoconfigure type mica
 transport input all
 speed 38400
 flowcontrol hardware
line vty 0 4
 exec-timeout 60 0
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180116
ntp server PUBLIC IP source GigabitEthernet0/1
!
webvpn gateway gateway_1
 ip address PUBLIC IP port 443
 http-redirect port 80
 ssl trustpoint Thawte
 inservice
 !
webvpn install svc flash:/webvpn/svc.pkg
 !
webvpn context VPN
 title "Company - WebVPN"
 logo file logo.jpg
 title-color #009933
 secondary-color white
 text-color black
 ssl authenticate verify all
 !
 login-message "You must be authorised to use this service. Disconnect immediate
ly if you are not an authorised user."
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "VPN_Pool"
   svc default-domain "domain.com"
   svc split include 10.100.0.0 255.255.0.0
   svc split include 10.101.0.0 255.255.0.0
   svc split include 10.102.0.0 255.255.0.0
   svc split include 10.103.0.0 255.255.0.0
   svc split include 10.104.0.0 255.255.0.0
   svc split include 10.105.0.0 255.255.0.0
   svc split include 10.106.0.0 255.255.0.0
   svc split include 10.107.0.0 255.255.0.0
   svc split include 10.108.0.0 255.255.0.0
   svc split include 10.109.0.0 255.255.0.0
   svc split include 10.110.0.0 255.255.0.0
   svc split include 10.111.0.0 255.255.0.0
   svc split include 10.112.0.0 255.255.0.0
   svc split include 10.113.0.0 255.255.0.0
   svc split include 10.114.0.0 255.255.0.0
   svc split include 10.115.0.0 255.255.0.0
   svc split include 10.116.0.0 255.255.0.0
   svc split include 10.117.0.0 255.255.0.0
   svc split include 10.118.0.0 255.255.0.0
   svc split include 10.140.0.0 255.255.0.0
   svc split include 10.148.0.0 255.255.0.0
   svc split include 10.149.0.0 255.255.0.0
   svc split include 10.150.0.0 255.255.0.0
   svc split include 10.147.0.0 255.255.0.0
   svc split include 10.119.0.0 255.255.0.0
   svc split include 10.146.0.0 255.255.0.0
   svc split include 172.16.0.0 255.255.0.0
   svc split include 192.168.0.0 255.255.0.0
   svc split include 10.1.1.0 255.255.255.0
   svc dns-server primary 10.101.1.3
   svc dns-server secondary 10.101.1.4
   svc wins-server primary 10.101.1.3
 default-group-policy policy_1
 aaa authentication list sdm_vpn_xauth_ml_1
 aaa accounting list radius
 gateway gateway_1 domain vpn
 inservice
!
!
end

Router#
ASKER CERTIFIED SOLUTION
Avatar of Moey_G
Moey_G
Flag of Australia image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer