On site, the SSL VPN service needs to be isolated in a VRF (vpn-instance), and the device's default certificate is used.
After the site was configured as shown below, clients dialed in normally but could not ping any intranet resource. Debugging on the intranet IP showed no reply packets, and no session was created on the device:
#
acl advanced 3002
rule 0 permit ip vpn-instance VPN1 destination intranet-resource-IP 0.0.255.255 counting
#
interface SSLVPN-AC1
description VPN-DHCP
ip binding vpn-instance VPN1
ip address 172.X.X.X 255.255.255.0
#
sslvpn gateway gw
vpn-instance VPN1
ip address GWIP port 2000
service enable
#
sslvpn context ctx1
vpn-instance VPN1
gateway gw domain domain1
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool sslvpn-pool mask 255.255.255.0
ip-route-list rtlist
include intranet-resource-IP 255.255.0.0
policy-group pgroup
filter ip-tunnel acl 3002
ip-tunnel access-route ip-route-list rtlist
service enable
#
Routing was checked and found to be normal, so a routing problem was ruled out. Checking the VRF binding of each configuration item in turn showed that the ACL rule had also been bound to the VRF (the `vpn-instance VPN1` keyword in rule 0).
The authorization ACL referenced by `filter ip-tunnel` in the policy group must not be bound to the VRF: with the keyword present the rule never matches the traffic arriving through the SSL VPN tunnel, the filter drops it, and no session is ever created. The fault was therefore caused by this incorrect VRF binding.
For the case above, simply remove the VRF from the ACL rule:
#
acl advanced 3002
rule 0 permit ip destination intranet-resource-IP 0.0.255.255 counting
#
Where the VRF must, and must not, be bound in an SSL VPN configuration of this kind:
1. The physical interface that hosts the SSL VPN gateway address must be bound to the VRF.
2. The SSLVPN-AC interface must be bound to the VRF.
3. The VRF must be specified under the SSL VPN gateway.
4. The VRF must be specified under the SSL VPN context.
5. The authorization ACL referenced by the policy group in the SSL VPN context must NOT be bound to the VRF.
6. The security policies that permit the tunnel traffic must match on the VRF.
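The complete corrected configuration, following the six points above, as an added example that is not part of the original case. Everything not shown in the case is an assumption: the physical interface name GigabitEthernet1/0/1 and its mask, the address-pool range, and the security-policy rule name and zone names (sslvpn, trust); the `vrf` match in the security-policy rule is assumed to be supported on the device in use. GWIP, 172.X.X.X and intranet-resource-IP are the case's own placeholders.

```text
#
interface GigabitEthernet1/0/1
 ip binding vpn-instance VPN1
 ip address GWIP 255.255.255.0
#
interface SSLVPN-AC1
 description VPN-DHCP
 ip binding vpn-instance VPN1
 ip address 172.X.X.X 255.255.255.0
#
acl advanced 3002
 rule 0 permit ip destination intranet-resource-IP 0.0.255.255 counting
#
sslvpn ip address-pool sslvpn-pool 172.X.X.2 172.X.X.254
#
sslvpn gateway gw
 vpn-instance VPN1
 ip address GWIP port 2000
 service enable
#
sslvpn context ctx1
 vpn-instance VPN1
 gateway gw domain domain1
 ip-tunnel interface SSLVPN-AC1
 ip-tunnel address-pool sslvpn-pool mask 255.255.255.0
 ip-route-list rtlist
  include intranet-resource-IP 255.255.0.0
 policy-group pgroup
  filter ip-tunnel acl 3002
  ip-tunnel access-route ip-route-list rtlist
 service enable
#
security-policy ip
 rule 0 name sslvpn-to-intranet
  action pass
  vrf VPN1
  source-zone sslvpn
  destination-zone trust
#
```

Note that the VRF appears on the physical interface, the AC interface, the gateway, the context and the security-policy rule, but not on ACL 3002. Because rule 0 carries the `counting` keyword, `display acl 3002` is a quick check after the change: with the VRF still bound the match counter stays at zero while a client pings, and once it is removed the counter increments with each tunnel packet. `display ip routing-table vpn-instance VPN1` confirms the client pool and intranet prefix are present in the VRF table.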