Michael

asked on

Cisco IOS SSL VPN cannot connect to internet

Cisco IOS SSL VPN on 1941. Cannot access Internet

I'm configuring a 1941 router at my home to provide SSL VPN for myself while I travel. The main purpose is to get around geofencing. I want all traffic to go across the VPN and exit the internet interface on the same router. With the config below I'm able to connect to resources on my own network but cannot connect to internet resources.

login as: root
Using keyboard-interactive authentication.
Password:

MyVPNTest#sh run
Building configuration...

Current configuration : 10462 bytes
!
! Last configuration change at 02:57:00 UTC Thu Sep 26 2019
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyVPNTest
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login sslvpn local
!
!
!
!
!
aaa session-id common
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
!
!
!
!
!
!
!
!
!

!
!
!
ip domain name vpntest.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4

!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint my-trustpoint
 enrollment selfsigned
 serial-number
 subject-name CN=firewallcx-certificate
 revocation-check crl
 rsakeypair my-rsa-keys
!
!
crypto pki certificate chain my-trustpoint
 certificate self-signed 01
  30820291 308201FA A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  64311F30 1D060355 04031316 66697265 77616C6C 63782D63 65727469 66696361
  74653141 30120603 55040513 0B46474C 31373330 32304659 302B0609 2A864886
  F70D0109 02161E62 72616E6E 656C6C79 6B6C2E6C 69656765 736F6C75 74696F6E
  732E636F 6D301E17 0D313930 38323830 34343930 355A170D 32303031 30313030
  30303030 5A306431 1F301D06 03550403 13166669 72657761 6C6C6378 2D636572
  74696669 63617465 31413012 06035504 05130B46 474C3137 33303230 4659302B
  06092A86 4886F70D 01090216 1E627261 6E6E656C 6C796B6C 2E6C6965 6765736F
  6C757469 6F6E732E 636F6D30 819F300D 06092A86 4886F70D 01010105 0003818D
  00308189 02818100 B46FDC92 7B6D7FAF 084F9258 B10115E5 290F4DED 9F497096
  1DE57BCD 8D91A47D 9D3B50AC BA21F0E1 4E81FABD 79F96B4B 639685A3 28A75F47
  0FAA5827 2B614417 A0CED535 38430B6D F256CF0A B0FC85EB D778EA01 8CE2F316
  6E924884 4FB42600 6E2E287C A4F32CBD C9DE827C A1E5CB89 F38598B8 55F64D22
  02DA8C51 66671A77 02030100 01A35330 51300F06 03551D13 0101FF04 05300301
  01FF301F 0603551D 23041830 16801407 5B843777 32610833 83C5D575 EE0BC8AC
  4447DE30 1D060355 1D0E0416 0414075B 84377732 61083383 C5D575EE 0BC8AC44
  47DE300D 06092A86 4886F70D 01010505 00038181 00700B97 4B88302E 60905E3C
  241FD7DA 834CBE3F 851C46EE 23AF2069 3D7FE2C6 F49D08F3 FC392667 ADB2E556
  1BF58BEA 51CA5450 E8D00DA6 BDAC34C3 DDD023BC 49A47663 699B1FDB 937A28E6
  8212CE52 7B36A842 B0AF1F57 C7544EAB 9D80A459 9EDAFDC4 9D73AFFB BE8A233C
  E6A580E3 0BC2CF5E F7548858 BCE9A99B 27825291 76
        quit
license udi pid CISCO1941/K9 sn FGL173020FY
license boot module c1900 technology-package securityk9
!
!
username root privilege 15 password 5 $1$YXgp$JxABi2EZmjrj/ZcQiY9KU1
username michael secret 5 $1$YXgp$JxABi2EZmjrj/ZcQiY9KU1
username michaelb secret 5 $1$f8QE$sMKwjwcHj0Sy2aGNonwNV1
!
redundancy
!
!
!
!
!

!
!
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.2.05015-k9.pkg sequence 1
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile ipsec-profile
 set transform-set ESP-AES-SHA
!
!!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.121.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ip policy route-map Melbourne
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
!
interface Dialer1
 ip ddns update hostname MyVPNTest.no-ip.info
 ip ddns update no-ip
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname mxxxxxxxx
 ppp chap password 0 xxxxxxx
 ppp pap sent-username xxxxxx password 0 xxxxxx
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
!
ip local pool webvpn-pool 10.121.245.50 10.121.245.100
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip dns server
no ip nat service sip udp port 5060
ip nat inside source list 23 interface Dialer1 overload
!
!
!
access-list 23 permit 10.121.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 20 0
 privilege level 15
 password bra99ers
 transport input telnet ssh
!
!
webvpn gateway Cisco-WebVPN-Gateway
 ip interface Dialer1 port 1111
 ssl encryption aes256-sha1
 ssl trustpoint my-trustpoint
 inservice
 !
webvpn context Cisco-WebVPN
 title "Firewall.cx WebVPN - Powered By Cisco"
 !
 acl "ssl-acl"
   permit ip 10.121.245.0 255.255.255.0 any
 login-message "Cisco Secure WebVPN"
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 max-users 10
 !
 ssl authenticate verify all
 !
 url-list "rewrite"
 inservice
 !
 policy group webvpnpolicy
   functions svc-enabled
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc rekey method new-tunnel
 default-group-policy webvpnpolicy
!
end

MyVPNTest#
arnold

Not sure I understand at which point your internet access is not there.
Usually, when you want to secure all traffic from a remote VPN while allowing the user access to the internet,
you have to add exemptions to allow traffic:
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
Michael

ASKER

I am a remote user using AnyConnect; I will be assigned an IP in the 10.121.245.0/24 subnet. I can access resources within my internal network, however I cannot access the internet. I do not want to split the traffic, as the whole purpose of this is to get around geofencing while traveling.
You need to add the same-security-traffic permit intra-interface and inter-interface.

There are also ACL rules you might need to authorize for VPN traffic to exit the outside interface.

Do you have a proxy in the LAN? Use it?
There is no need for "same-security-traffic permit xxx" if there are no zones configured.

Maybe I am missing something, but I don't see a mechanism to implement a default route in the configuration.
The person is trying to go from the VPN, which secures all traffic, out to the internet.
The VPN secures all traffic, no split tunneling.
In order to allow remote-VPN-originating traffic, I believe you have to permit intra-interface.

This is the Dialer1 connection; the WAN IP, netmask, gateway and name servers are set when the connection is established to that carrier.

interface Dialer1
 ip ddns update hostname MyVPNTest.no-ip.info
 ip ddns update no-ip
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname mxxxxxxxx
 ppp chap password 0 xxxxxxx
 ppp pap sent-username xxxxxx password 0 xxxxxx
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable

ip dns server
no ip nat service sip udp port 5060
ip nat inside source list 23 interface Dialer1 overload
Yep, I missed ppp ipcp route default.

ASKER

Guys, I solved this. Thanks for your responses. The issue was that the NAT status was not defined on the VPN traffic, which didn't allow it out.

The following global command fixed the issue

webvpn sslvpn-vif nat inside
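As an added example (not configuration from the original post), the NAT-related pieces of Michael's configuration are assembled below together with the fix he found, with the reasoning as comments. Interface names, the ACL number and the address pool are taken from the posted config; the only command not already in that config is the global `webvpn sslvpn-vif nat inside`.

```cisco
! Added example, not from the original post: the NAT path for full-tunnel
! SSL VPN clients on the 1941, with the one command that was missing.
!
! Inside interface: the home LAN.
interface GigabitEthernet0/0
 ip address 10.121.10.1 255.255.255.0
 ip nat inside
!
! Outside interface: the PPPoE dialer. The default route is learned from
! IPCP ("ppp ipcp route default"), so no static "ip route 0.0.0.0 0.0.0.0"
! is needed; "show ip route" should show 0.0.0.0/0 via Dialer1 once PPP is up.
interface Dialer1
 ip address negotiated
 ip nat outside
 ppp ipcp route default
!
! Decrypted client traffic enters the router on the SSL VPN virtual
! interface (SSLVPN-VIF), which is not configured like a regular interface.
! Without the line below it belongs to neither NAT side, so client packets
! with a 10.121.245.x source leave Dialer1 untranslated and no reply ever
! returns. LAN hosts still worked because that path involves no NAT.
webvpn sslvpn-vif nat inside
!
! Translation policy. List 23 already covers the client pool
! 10.121.245.50-100, so no ACL change is needed. Note that the same list is
! also the vty access-class ("line vty 0 4" / "access-class 23 in"), so any
! edit to it also changes which addresses may SSH to the router.
ip local pool webvpn-pool 10.121.245.50 10.121.245.100
access-list 23 permit 10.121.0.0 0.0.255.255
ip nat inside source list 23 interface Dialer1 overload
```

To confirm the fix, connect a client and browse, then run `show ip nat translations`: entries whose inside local address is in 10.121.245.x should appear with the Dialer1 address as inside global. `show webvpn session context Cisco-WebVPN` lists the active SSL VPN sessions and their assigned pool addresses.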