cyclone_z, Member, joined 2006-06-19, Ames, IA
[HELP] Configuring remote access SSL VPN

I am just getting started with Cisco IOS. I have a Cisco 881 security router and would like to set up remote access with SSL VPN. I have been playing around on it to see if I can get the VPN to work. I left a number of settings at the default.

At this point, I can connect to the outside interface with Firefox and it prompts me to accept the self-signed certificate. After I accept the cert, I get a message saying the connection was reset. On Chrome, I get "no data received" and the exact error is: ERR_EMPTY_RESPONSE.

Here is the config:


yourname#sh run
Building configuration...

Current configuration : 3630 bytes
!
! Last configuration change at 06:09:23 UTC Tue Feb 4 2014 by chris
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-2639227812
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2639227812
revocation-check none
rsakeypair TP-self-signed-2639227812
!
!
crypto pki certificate chain TP-self-signed-2639227812
certificate self-signed 01
quit
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX180180QM
!
!
username chris password 0 XXXXXX
!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 74.74.74.74 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
description $ETH_LAN$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
!
!
webvpn gateway yourname
hostname yourname
ip address 74.74.74.74 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2639227812
inservice
!
webvpn context Cisco-WebVPN
title "SSL VPN"
!
acl "ssl-acl"
permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
login-message "Welcome"
!
ssl authenticate verify all
inservice
!
end

kamikatze, Member, joined 2007-11-02
Check my last post in this thread. Sounds very similar.
»Anyconnect 2.5 annoyance

Ah, you're also missing the gateway statement under webvpn context section.
webvpn context Cisco-WebVPN
title "SSL VPN"
!
acl "ssl-acl"
permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
login-message "Welcome"
!
ssl authenticate verify all
gateway yourname
inservice
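An added example, not from the thread: a small Python linter that parses an unindented IOS running-config like the one posted above and reports the defect this reply points out, a webvpn context with no gateway statement (and a gateway or context left without inservice). The sample config is constructed; the gateway and context names are the ones from the thread.

```python
import re
# Constructed excerpt in the same unindented form as the thread's "sh run",
# reproducing the defect kamikatze spotted: no "gateway" line in the context.
SAMPLE_CONFIG = """\
webvpn gateway yourname
ip address 74.74.74.74 port 443
ssl trustpoint TP-self-signed-2639227812
inservice
!
webvpn context Cisco-WebVPN
acl "ssl-acl"
permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
!
ssl authenticate verify all
inservice
!
end
"""
# Same excerpt with the one-line fix given in the reply.
FIXED_CONFIG = SAMPLE_CONFIG.replace("ssl authenticate verify all\n",
                                     "ssl authenticate verify all\ngateway yourname\n")
HEADER = re.compile(r"^webvpn (gateway|context) (\S+)$")

def parse_blocks(config):
    """Map (kind, name) -> child lines. Only another header or 'end' closes a block,
    because the pasted config is unindented and '!' also appears inside a context."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            blocks[current] = []
        elif line == "end":
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def lint_webvpn(config):
    """Return findings that explain why a context would not answer on its gateway."""
    findings = []
    for (kind, name), lines in parse_blocks(config).items():
        if "inservice" not in lines:
            findings.append(f"{kind} {name}: missing 'inservice'")
        if kind == "context" and not any(l.startswith("gateway ") for l in lines):
            findings.append(f"context {name}: no 'gateway' statement, so no gateway serves it")
    return findings
```

Running lint_webvpn on the pasted config returns the single missing-gateway finding; on the corrected config it returns an empty list.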

cyclone_z, Member, joined 2006-06-19, Ames, IA
Thanks; that helped. Now I am getting a web page on the outside interface, but it says,
"The requested WebVPN domain is not in service."

kamikatze, Member, joined 2007-11-02
This is a known bug in 15.1(1)XB:
CSCtc72615 SSLVPN: Inservice command is not working for webvpn context
But it looks like you're using 15.2. Try another IOS build; maybe there's a bug regression in this particular one. I can't think of any other reason.

cyclone_z, Member, joined 2006-06-19, Ames, IA
OK, I will check. I thought I was on 12.4... but that output I posted does say 15.2. Hmm..