CISCO IOS SSL VPN Cannot conenct to internet

Michael
Michael used Ask the Experts™
on
Cisco IOS SSL VPN on 1941. Caanot access Internet

Im configuring a 1941 router at my home to provide sslVPN for myself while I travel. The main purpose is to get around geofencing. I want all traffic to go across the vpn and exit the internet interface on the same router. with the config below im able to connect to resources on my own network but cannot connect to internet resources.

login as: root
Using keyboard-interactive authentication.
Password:

MyVPNTest#sh run
Building configuration...

Current configuration : 10462 bytes
!
! Last configuration change at 02:57:00 UTC Thu Sep 26 2019
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyVPNTest
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login sslvpn local
!
!
!
!
!
aaa session-id common
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
!
!
!
!
!
!
!
!
!

!
!
!
ip domain name vpntest.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4

!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint my-trustpoint
 enrollment selfsigned
 serial-number
 subject-name CN=firewallcx-certificate
 revocation-check crl
 rsakeypair my-rsa-keys
!
!
crypto pki certificate chain my-trustpoint
 certificate self-signed 01
  30820291 308201FA A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  64311F30 1D060355 04031316 66697265 77616C6C 63782D63 65727469 66696361
  74653141 30120603 55040513 0B46474C 31373330 32304659 302B0609 2A864886
  F70D0109 02161E62 72616E6E 656C6C79 6B6C2E6C 69656765 736F6C75 74696F6E
  732E636F 6D301E17 0D313930 38323830 34343930 355A170D 32303031 30313030
  30303030 5A306431 1F301D06 03550403 13166669 72657761 6C6C6378 2D636572
  74696669 63617465 31413012 06035504 05130B46 474C3137 33303230 4659302B
  06092A86 4886F70D 01090216 1E627261 6E6E656C 6C796B6C 2E6C6965 6765736F
  6C757469 6F6E732E 636F6D30 819F300D 06092A86 4886F70D 01010105 0003818D
  00308189 02818100 B46FDC92 7B6D7FAF 084F9258 B10115E5 290F4DED 9F497096
  1DE57BCD 8D91A47D 9D3B50AC BA21F0E1 4E81FABD 79F96B4B 639685A3 28A75F47
  0FAA5827 2B614417 A0CED535 38430B6D F256CF0A B0FC85EB D778EA01 8CE2F316
  6E924884 4FB42600 6E2E287C A4F32CBD C9DE827C A1E5CB89 F38598B8 55F64D22
  02DA8C51 66671A77 02030100 01A35330 51300F06 03551D13 0101FF04 05300301
  01FF301F 0603551D 23041830 16801407 5B843777 32610833 83C5D575 EE0BC8AC
  4447DE30 1D060355 1D0E0416 0414075B 84377732 61083383 C5D575EE 0BC8AC44
  47DE300D 06092A86 4886F70D 01010505 00038181 00700B97 4B88302E 60905E3C
  241FD7DA 834CBE3F 851C46EE 23AF2069 3D7FE2C6 F49D08F3 FC392667 ADB2E556
  1BF58BEA 51CA5450 E8D00DA6 BDAC34C3 DDD023BC 49A47663 699B1FDB 937A28E6
  8212CE52 7B36A842 B0AF1F57 C7544EAB 9D80A459 9EDAFDC4 9D73AFFB BE8A233C
  E6A580E3 0BC2CF5E F7548858 BCE9A99B 27825291 76
        quit
license udi pid CISCO1941/K9 sn FGL173020FY
license boot module c1900 technology-package securityk9
!
!
username root privilege 15 password 5 $1$YXgp$JxABi2EZmjrj/ZcQiY9KU1
username michael secret 5 $1$YXgp$JxABi2EZmjrj/ZcQiY9KU1
username michaelb secret 5 $1$f8QE$sMKwjwcHj0Sy2aGNonwNV1
!
redundancy
!
!
!
!
!

!
!
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.2.05015-k9.pkg sequence 1
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile ipsec-profile
 set transform-set ESP-AES-SHA
!
!!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.121.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ip policy route-map Melbourne
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
!
interface Dialer1
 ip ddns update hostname MyVPNTest.no-ip.info
 ip ddns update no-ip
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname mxxxxxxxx
 ppp chap password 0 xxxxxxx
 ppp pap sent-username xxxxxx password 0 xxxxxx
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
!
ip local pool webvpn-pool 10.121.245.50 10.121.245.100
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip dns server
no ip nat service sip udp port 5060
ip nat inside source list 23 interface Dialer1 overload
!
!
!
access-list 23 permit 10.121.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 20 0
 privilege level 15
 password bra99ers
 transport input telnet ssh
!
!
webvpn gateway Cisco-WebVPN-Gateway
 ip interface Dialer1 port 1111
 ssl encryption aes256-sha1
 ssl trustpoint my-trustpoint
 inservice
 !
webvpn context Cisco-WebVPN
 title "Firewall.cx WebVPN - Powered By Cisco"
 !
 acl "ssl-acl"
   permit ip 10.121.245.0 255.255.255.0 any
 login-message "Cisco Secure WebVPN"
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 max-users 10
 !
 ssl authenticate verify all
 !
 url-list "rewrite"
 inservice
 !
 policy group webvpnpolicy
   functions svc-enabled
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc rekey method new-tunnel
 default-group-policy webvpnpolicy
!
end

MyVPNTest#
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2017

Commented:
Not sure I understand at which point your internet access is not there.
Usually, when you want to secureall traffic from a remote vpn while allowing the user access to the internet.

You have to add exemptions to allow traffic..
Same-security-traffic  permit intra-interface
Same-security-traffic permit inter-interface

Author

Commented:
I am a  remote user using Anyconnect, I will be assigned an ip in the 10.121.245.0/24 subnet. I can access resources within my internal network, however I cannot access the internet. I do not want to split the traffic as the whole purpose of this is to get around geofencing while traveling.
Distinguished Expert 2017

Commented:
You need to add the same-security-traffic permit intra-interface , and inter-interface

There are also ACL rules you might need to authorize for VPN traffic to exit the outside interface.

Do you have a proxy in the lan? Use it?
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Distinguished Expert 2018

Commented:
There is no need for "same-security-traffic  permit xxx" if there is no zones configured.

Maybe I am missing something, but I don't see mechanism to implement default route in configuration.
Distinguished Expert 2017

Commented:
The person is trying to go from the VPN that secures all traffic out to the internet.
The VPN is secure all traffic, no split tunneling.
In order to allow a remote VPN originating traffic, I believe you have to permit intra.inbterface ..

This is dialer1 connection the WAN IP, Netmask, Gateway and Name servers are set when the connection is established to that carrier..

interface Dialer1
 ip ddns update hostname MyVPNTest.no-ip.info
 ip ddns update no-ip
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname mxxxxxxxx
 ppp chap password 0 xxxxxxx
 ppp pap sent-username xxxxxx password 0 xxxxxx
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable

ip dns server
no ip nat service sip udp port 5060
ip nat inside source list 23 interface Dialer1 overload
Distinguished Expert 2018

Commented:
yap, I missed ppp ipcp route default.

Author

Commented:
Guys I solved this Thanks for your responses. Issue was that the nat status was not defined on the VPN traffic which didn't allow it out.

The following global command fixed the issue

webvpn sslvpn-vif nat inside
Commented:
Solution in previous comment, thanks all
Distinguished Expert 2018

Commented:
Thank you for feedback.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial