ASA Clientless SSL VPN can't access login pages on websites

When I'm doing a clientless SSL VPN to my ASA and using the ASA to browse websites, I can pretty much go on to just about any website except specifically login websites. I can go on google and yahoo but when I click the "mail" button it just gives me an error message "Connection Failed - Server (site name) unavailable." When I go onto hotmail.com, it says server hotmail.com unavailable. When I browse by entering hotmail's IP address in, it says "Bad Request." Same happens on ebay, youtube, etc. Funny thing is, the ONLY login page I can get onto is Cisco's website's login page. I tried changing DNS servers, nothing changed. Here is my configuration:
show run
: Saved
ASA Version 8.4(4)1
hostname PatG
domain-name resolver4.opendns.com
enable password aDvdtQE/ih5t061i encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
boot system disk0:/asa844-1-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group Comcast
name-server 75.75.75.75
domain-name cdns01.comcast.net
dns server-group DefaultDNS
name-server 208.67.220.222
name-server 208.67.220.220
domain-name resolver4.opendns.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Remote1 protocol radius
aaa-server Remote1 (inside) host 192.168.1.8
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console Remote1
aaa authentication http console Remote1 LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd domain redtube.com
dhcpd auto_config outside
dhcpd option 150 ip 192.168.1.15 192.168.1.5
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
tunnel-group-list enable
group-policy Eng internal
group-policy Eng attributes
vpn-tunnel-protocol ssl-clientless
webvpn
  url-list value EngineerMarks
group-policy RemoteHTTP internal
group-policy RemoteHTTP attributes
vpn-tunnel-protocol ssl-clientless
webvpn
  url-list value Test
  customization value Extra
username user1 password mbO2jYs13AXlIAGa encrypted privilege 0
tunnel-group Browser type remote-access
tunnel-group Browser general-attributes
authentication-server-group Remote1
default-group-policy RemoteHTTP
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
authentication-server-group Remote1
default-group-policy RemoteHTTP
tunnel-group TEST webvpn-attributes
group-alias testing enable
group-url https://24.19.162.53/testing enable
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
authentication-server-group Remote1 LOCAL
default-group-policy Eng
tunnel-group Engineering webvpn-attributes
group-alias engineering enable
group-url https://209.165.200.2/engineering enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
policy-map map
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:843e718c8d4b23b5f421f82fc0a0c255
: end
Can anyone please help me? Thanks

In your crypto ACLs for the site-to-site tunnels, add the ASA's public IP destined to the remote network, and mirror this ACL on the remote end VPN device.
Example:
ASA public IP: 2.2.2.2
Remote network: 192.168.1.0/24
access-list vpn_to_remote_network permit ip host 2.2.2.2 192.168.1.0 255.255.255.0
Mirror the above acl on the remote end router.
PS. If you found this post helpful, please rate it.
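The mirroring step in the reply above, as an added example (not part of the original thread): a Python helper that parses an ASA-style `access-list` entry, emits its mirror for the remote device, and checks whether two entries are exact mirrors. The function names and the option to print an IOS-style wildcard mask are assumptions of this example; it handles only entries whose endpoints are `host`, `any`, or network plus mask.

```python
import ipaddress


def _take_endpoint(tokens):
    """Consume one source/destination spec; return (network, remaining tokens)."""
    if not tokens:
        raise ValueError("missing address in ACE")
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if len(tokens) < 2:
        raise ValueError("incomplete address in ACE")
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # "NETWORK MASK" form; strict parsing rejects host bits set in the network.
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def _format_endpoint(net, wildcard=False):
    """Render a network as 'any', 'host X', or 'NET MASK' (wildcard mask if asked)."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    mask = net.hostmask if wildcard else net.netmask
    return f"{net.network_address} {mask}"


def parse_ace(line):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST' into a dict."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list":
        raise ValueError("not an access-list entry")
    name, rest = tokens[1], tokens[2:]
    extended = rest[0] == "extended"
    if extended:
        rest = rest[1:]
    if len(rest) < 3 or rest[0] not in ("permit", "deny"):
        raise ValueError("expected permit/deny and a protocol")
    action, proto = rest[0], rest[1]
    src, rest = _take_endpoint(rest[2:])
    dst, rest = _take_endpoint(rest)
    if rest:
        # Port operators, logging options etc. are outside this example's scope.
        raise ValueError(f"unsupported trailing tokens: {' '.join(rest)}")
    return {"name": name, "extended": extended, "action": action,
            "protocol": proto, "src": src, "dst": dst}


def mirror_ace(line, ios_body=False):
    """Return the entry with source and destination swapped.

    ios_body=True returns only 'ACTION PROTO SRC DST' with wildcard masks,
    the form entered under a router's 'ip access-list extended <name>'.
    """
    ace = parse_ace(line)
    src = _format_endpoint(ace["dst"], wildcard=ios_body)
    dst = _format_endpoint(ace["src"], wildcard=ios_body)
    body = f"{ace['action']} {ace['protocol']} {src} {dst}"
    if ios_body:
        return body
    prefix = f"access-list {ace['name']} "
    if ace["extended"]:
        prefix += "extended "
    return prefix + body


def are_mirrored(local_line, remote_line):
    """True when the two entries match with source and destination swapped."""
    a, b = parse_ace(local_line), parse_ace(remote_line)
    return (a["action"] == b["action"] and a["protocol"] == b["protocol"]
            and a["src"] == b["dst"] and a["dst"] == b["src"])


if __name__ == "__main__":
    # Entry taken from the reply above.
    local = ("access-list vpn_to_remote_network permit ip "
             "host 2.2.2.2 192.168.1.0 255.255.255.0")
    print(mirror_ace(local))
    print(mirror_ace(local, ios_body=True))
    print(are_mirrored(local, mirror_ace(local)))
```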

Similar Messages

  • Asa 5505 Remote VPN Can't access with my local network

    Hello guys, I have a problem with my ASA 5505 remote VPN connection with local network access. The VPN is working fine and connected, but the problem is I can't reach my inside network connection of 192.168.30.x. Here is my configuration; please can you help me?
    ASA Version 8.2(1)
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 155.155.155.10 255.255.255.0
    interface Vlan5
    no nameif
    no security-level
    no ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy mull internal
    group-policy mull attributes
    vpn-tunnel-protocol IPSec
    username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
    vpn-group-policy Mull
    tunnel-group mull type remote-access
    tunnel-group mull general-attributes
    address-pool vpn-Pool
    default-group-policy mull
    tunnel-group mull ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context

    Hey Jennifer, I did everything you mentioned, but I still can't reach my inside network (LOCAL network). I am using Shrew Soft VPN Access Manager for my VPN connection.
    Here is my cry ipsec sa:
    interface: outside
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
          current_peer:155.155.155.1, username: Thomas
          dynamic allocated peer ip: 192.168.100.1
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
          path mtu 1500, ipsec overhead 82, media mtu 1500
          current outbound spi: 73FFAB96
        inbound esp sas:
          spi: 0x1B5FFBF1 (459275249)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 2894
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x73FFAB96 (1946135446)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 2873
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

  • Can't access login page in IE

    Hi,
    Some of my participants/customers, from the same organization, can’t access the login page when they are going to participate in a meeting. They can access the login screen for Connect Pro Central but not for the meeting. For example, they can access
    http://wezupport.emea.acrobat.com
    but not
    http://wezupport.emea.acrobat.com/support.
    They just get a message that the site cannot be displayed. This happens with Internet Explorer (6.0) but not with Firefox.
    Has anyone experienced this problem?
    Dan

    Björn, I too log in from Sweden and have the same issue: open the forums' page, log in and I am sent automatically to the "sorry, this page is not available" page; alternatively I get an error 404. As soon as I am sent to the "sorry, this page is not available" page I too get automatically logged in, but if I go back to the forums page (doesn't matter how, if I refresh, go back or open in a new window), I am not logged in and the process continues.
    I have to go through that at least 3 times before this jumping to and fro ends and the forum recognizes me.

  • Port forwarding for clientless SSL VPN access

    Hello,
    I am currently trying to set up clientless SSL VPN access for some remote sites that our company does business with. Since their machines are not owned by my company, we don't want to install/support a VPN client. Therefore, SSL is a great option.
    However, I'm running into an issue. I'm trying to set up port forwarding for a few remote servers. These remote servers are different and have distinct IP addresses. They are attempting to connect with two different servers here.
    But my issue is that both servers are trying to use the same TCP port. The ASDM is not letting me use two different port forwarding rules for the same TCP port. The rules can exist side-by-side, but they cannot be used at the same time.
    Why? It's not trying to access the same TCP port on a server when it's already in use. Is there anyway I can get around this?
    If this doesn't make sense, please let me know and I'll do my best to explain it better.

    Hi Caleb,
    If you mean clientless webvpn port-forwarding lists, then you should be able to meet your requirements. Even the same port of the same server can be mapped to different ports bound to the loopback IP.
    CLI:
    ciscoasa(config)# webvpn
    ciscoasa(config-webvpn)# port-forward PF 2323 192.168.1.100 23
    ciscoasa(config-webvpn)# port-forward PF 2300 192.168.1.200 23
    Then you apply the port-forwarding list under a group-policy.
    Hope this helps
    Mashal
    Mashal Alshboul
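The port-forward mapping described in the reply above, as an added example (not part of the original thread): Python that parses `port-forward` lines in the form shown, flags entries in one list that point the same local port at different targets, and generates a list with a distinct local port per target. The function names, the `PF_BAD` list and the sample text are constructed for this example.

```python
import re
from collections import defaultdict

# port-forward <list> <local_port> <remote_server> <remote_port> [description]
# An optional CLI prompt such as "ciscoasa(config-webvpn)# " may precede it.
PF_LINE = re.compile(
    r"^(?:\S+#\s*)?port-forward\s+(?P<list>\S+)\s+(?P<local>\d+)\s+"
    r"(?P<server>\S+)\s+(?P<remote>\d+)(?:\s+(?P<desc>.+))?$"
)

# Constructed sample: the two lines from the reply plus a list that reuses
# one local port for two different servers.
SAMPLE_CONFIG = """\
ciscoasa(config-webvpn)# port-forward PF 2323 192.168.1.100 23
ciscoasa(config-webvpn)# port-forward PF 2300 192.168.1.200 23
port-forward PF_BAD 2323 192.168.1.100 23
port-forward PF_BAD 2323 192.168.1.200 23
"""


def parse_port_forwards(config_text):
    """Return one dict per port-forward line; other lines are ignored."""
    entries = []
    for raw in config_text.splitlines():
        m = PF_LINE.match(raw.strip())
        if not m:
            continue
        local, remote = int(m["local"]), int(m["remote"])
        for port in (local, remote):
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range in: {raw.strip()}")
        entries.append({"list": m["list"], "local": local,
                        "server": m["server"], "remote": remote})
    return entries


def local_port_conflicts(entries):
    """Map (list, local_port) -> sorted targets when one port has 2+ targets.

    The local port is the listener on the client's loopback address, so
    within one list it can lead to only one remote server and port.
    """
    targets = defaultdict(set)
    for e in entries:
        targets[(e["list"], e["local"])].add((e["server"], e["remote"]))
    return {key: sorted(t) for key, t in targets.items() if len(t) > 1}


def build_port_forward_list(list_name, targets, first_local_port, taken=()):
    """Emit port-forward lines giving every (server, remote_port) its own local port."""
    used = set(taken)
    port = first_local_port
    lines = []
    for server, remote in targets:
        while port in used:
            port += 1
        if port > 65535:
            raise ValueError("ran out of local ports")
        lines.append(f"port-forward {list_name} {port} {server} {remote}")
        used.add(port)
    return lines


if __name__ == "__main__":
    found = local_port_conflicts(parse_port_forwards(SAMPLE_CONFIG))
    for (name, port), dests in found.items():
        print(f"list {name}: local port {port} points at {dests}")
    # Two servers that both listen on TCP 23, each given its own local port.
    for line in build_port_forward_list(
            "PF", [("192.168.1.100", 23), ("192.168.1.200", 23)], 2300):
        print(line)
```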

  • Clientless SSL VPN and ActiveX question

    Hey All,
    First post for me here, so be gentle.  I'll try to be as detailed as possible.
    With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports.  However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site, and their NOC center.  I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session setup.  Ultimately, this will be 8 individual sites, so setting up SSL VPN's at each site would be cost prohibitive from a licensing perspective.  My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPN's via ASA5505, (same rev as the 5510 )setup with each of the sites.
    First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server).  I am unable to browse (via bookmark) to the internal address of the remote web server.  Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal.  I am testing this external connectivity using a cell card to be able to simulate outside access.  Is accessing the external IP address by design, or do I have something hosed?
    Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions.  I am not able to use controls that require my company's ActiveX controls (video, primarily).  I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through.  The stream only runs at about 5 fps, so it's not an intense stream.
    I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail.  I do see a decent number of "no translates" from a show nat:
      match ip inside any outside any
        NAT exempt
        translate_hits = 8915, untranslate_hits = 6574
    access-list nonat extended permit ip any any log notifications
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list outside_in extended permit icmp any any log notifications
    access-list outside_in extended permit tcp any any log notifications
    pager lines 24
    logging enable
    logging asdm informational
    logging ftp-server 192.168.16.34 / syslog *****
    mtu inside 1500
    mtu outside 1500
    ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 1 interface
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.16.32 255.255.255.224
    nat (inside) 1 192.168.17.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_in in interface outside
    192.168.2.0 is my corp network range
    192.168.2.171 is my internal IP for corp ASA5510
    97.x.x.x is the external interface for my corp ASA5510
    192.168.16.34 is the internal interface for the remote ASA5505
    64.x.x.x is the external interface for the remote ASA5505
    192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
    As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out   Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% proper to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505.  I'm sure that the issue is probably going to be a mix of ACL's between the 5510, and the 5505.
    I guess the main question, is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install, or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN.  Am I going about this the right way?  Anyone have any suggestions, or do I have my config royally hosed?
    Thanks much for any and all ideas!

    Hey All,  I appreciate all of the views on this post.  I would appreciate any input - even if you think it might be far-fetched.  I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself.  Thanks, in advance!!

  • I've used Project Web App on Sharepoint 2013. After clear job queue about force check-in then I've got this error. This made me can't access some pages in PWA anymore e.g. Project center, Resource center, PWA setting, etc.

    I've used Project Web App on Sharepoint 2013. After clear job queue about force check-in then I've got this error. This made me can't access some pages in PWA anymore e.g. Project center, Resource center, PWA setting, etc.  Who have ever found this problem,
    pls. help.
    The pop up error msg. is "Sorry, you don't have access to this page"

    Hi,
    According to your description, after you cleared job queue about force check-in then you can't access some pages in PWA.
    Maybe you need to check in the pages which has been checked out.
    If you have administrative rights, it is possible to override the check-out via the View All Site Content page:
    Site Actions->View All Site Content->Pages->Hover the item you want to check in, and from the context-menu (arrow-down next to the filename), choose "Discard Check Out"
    Besides, to troubleshoot the error “Sorry, you don't have access to this page”, refer to the following articles:
    http://sharepoint.rackspace.com/sharepoint-2013-troubleshooting-an-access-issue-with-a-custom-master-page
    http://technet.microsoft.com/en-us/library/ff758656(v=office.15).aspx
    In addition, as this issue is related to project server, I suggest you create a new thread on project server, more experts will assist you:
    https://social.technet.microsoft.com/Forums/projectserver/en-US/home?category=project
    Best Regards,
    Lisa Chen
    TechNet Community Support

  • I'm an admin of this site, but now can't access some pages in Project Server 2013 e.g. Project center, PWA setting

    I'm an admin of this site, but now can't access some pages in Project Server 2013 e.g. Project center, PWA setting

    It may be your browser. Check the following:
    1) Turn on Compatibility mode
    2) Security Options / Make it a local trusted site
    3) Turn off Protected Mode in the browser under Security
    And have you tried it from Chrome?
    Cheers!
    Michael Wharton, MVP, MBA, PMP, MCT, MCTS, MCSD, MCSE+I, MCDBA
    Website http://www.WhartonComputer.com
    Blog http://MyProjectExpert.com contains my field notes and SQL queries

  • Can I undo iCloud Drive? I can't access my Pages docs on iMac since I upgraded to OS 8, unless I upgrade to OS X Yosemite.  I don't need ICloud!

    Can I undo iCloud Drive? I can't access my Pages docs on iMac 10.9.5 since recent upgrade, unless I also upgrade to OS X Yosemite.  I don't need iCloud for docs.

    Hi ..
    Unfortunately, you're stuck between a rock and a hard place until Yosemite is released this fall. Hopefully sometime in October.
    http://www.tuaw.com/2014/09/16/be-aware-be-careful-be-prepared-for-icloud-drive/

  • Clientless ssl vpn homepage after login problem

    Hi all,
    I have a problem with my clientless vpn portal.
    I need to configure that when a user logs in through the portal, something that works just fine, that he ends up on the homepage.
    Right now he ends up immediately on the anyconnect button.
    With the homepage I do mean the first button that says "Home".
    Users must be able to click on the "Web Applications", below "Home".
    Below "Web Applications" users must have their "Anyconnect" button as well.
    First of all I wasn't able to make the portal display the "Anyconnect" button in the menu.
    Then after a while, I figured out that when the Dynamic Access Policy said "Unchanged" on the "Access Method" page.
    When changing that parameter to "Anyconnect client" the portal is no portal anymore, I immediately end up on the anyconnect client start.
    When selecting "Web-Portal" I get the portal page, but the anyconnect menu is missing.
    When selecting "Both-Default-Web-Portal" I get the anyconnect button, and all other menus, which is good.
    But, I want the home button to be the default.
    And not the anyconnect button, after logging in you immediately get the start anyconnect page.
    And then last but not least, when selecting "Both-Default-Anyconnect" you login to the webportal, anyconnect starts immediately from the menu.
    Something we want the end user to do manually (Click "Start Anyconnect") I mean!
    I'm pretty sure the DAP is forcing that because of the options above.
    But when selecting unchanged or anything that doesn't include Anyconnect, then the anyconnect button is gone...
    I don't know what I can do to change that.
    Am I missing something??
    I would say DAP isn't needed, but when I set everything to default in the default DAP, then the anyconnect button is gone in the menu...
    Kind regards,
    Robin
    Here's my configuration:
    group-policy GP_company_intranet_portal attributes
    wins-server value x.x.x.x
    dns-server value x.x.x.x
    vpn-tunnel-protocol ssl-client ssl-clientless
    split-tunnel-policy tunnelall
    default-domain value company.local
    address-pools value IPP_SSLVPN01
    webvpn
      url-list value BML_company_intranet_portal
      http-proxy disable
      anyconnect keep-installer installed
      anyconnect ask enable default webvpn
      customization value CO_company_intranet_portal
      http-comp gzip
      hidden-shares none
      activex-relay enable
      file-entry disable
      file-browsing disable
      url-entry disable
      smart-tunnel auto-signon disable
    tunnel-group TG_company_portal_localauth type remote-access
    tunnel-group TG_company_portal_localauth webvpn-attributes
    customization CO_company_intranet_portal
    group-url https://portal.company.be enable
    username testaccount password xxxxxxxxxx encrypted privilege 0
    username testaccount attributes
    vpn-group-policy GP_company_intranet_portal
    vpn-tunnel-protocol ssl-client ssl-clientless
    password-storage disable
    group-lock value TG_company_portal_localauth
    service-type remote-access
    Troubleshooting when logged in, just to verify if the right group-policy is being used:
    FW-company# show vpn-sessiondb webvpn
    Session Type: WebVPN
    Username     : testaccount              Index        : 510
    Public IP    : x.x.x.x
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : 3DES                   Hashing      : SHA1
    Bytes Tx     : 114897                 Bytes Rx     : 16087
    Group Policy : GP_company_intranet_portal
    Tunnel Group : TG_company_portal_localauth
    Login Time   : 14:50:56 GMT+2 Thu Oct 25 2012
    Duration     : 0h:00m:03s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none

    Hi jportugu,
    I can't believe it, I seriously thought I already did that... And that removed my anyconnect button from the menu.
    Which is why I started playing with the DAP function in the first place.
    I tried your suggestion and that now works..
    Thanks!
    The only new problem now is that my bookmarks aren't showing up anymore now.
    But that must be a different problem I guess.
    Might be DAP related again?
    Result: I activated under the default DAP: "Bookmarks" ==> "Enable bookmarks"
    Now everything works as it is supposed to...
    Really strange though... I thought I did that already...
    Thanks jportugu!!
    Kind regards,
    Robin

  • ASA 5505 VPN can't access connected network

    I have an ASA 5505 with ipsec VPN configured on it.  I am able to  connect to the ASA but I can't ping a connected network.  I get a dhcp  assigned address in the network I am trying to reach but can't access  that network on Vlan5.  Please help.
    I attached the config.

    I think this is my final question: can you have two NAT statements that point to the same ACL, i.e.
    access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 172.31.1.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
    nat (inside) 0 access-list no_nat
    nat (inside) 1 192.168.9.0 255.255.255.0
    nat (fw-civic) 0 access-list no_nat
    nat (fw-civic) 1 192.168.5.0 255.255.255.0
    Or do I need to create a new acl for the fw-civic interface?
    Thanks

  • Cisco ASA 5520 SSL VPN Web Login Customization For RSA Login

    I have a Cisco 5520 on which I have RSA RADIUS with hardware tokens up and working without issue. The RSA RADIUS authentication works fine.
    My problem is that I want the login page of the WebVPN portal to display two fields for the user's RSA passcode. An RSA passcode is the PIN and the current token code together.
    I want one field to accept the PIN from the passcode and the other field to accept the TOKEN CODE from the RSA token.
    Currently the login page has in this order:
    USERNAME:
    PASSCODE:
    My end state would be:
    USERNAME:
    PIN:
    TOKENCODE:
    I know this has been done with the native Cisco IPSEC client but I cannot find a way to do this with the WebVPN login page. I have been thru the Customization page and can't seem to get this to work correctly.
    Thanks.

    Hello friend!
    Please allow me to resurrect this old post. Did you find the solution?
    Regards!

  • Cisco ASA 5505 SSL VPN

    Hi Everyone,
    In my home study lab, I wanted to configure a Cisco ASA 5505 (Base license) to allow SSL VPN. I carefully followed the configuration procedure as instructed in a short video I downloaded from YouTube.
    I configured my outside e0/0 with a valid static IP address; unfortunately, the VPN connection times out on a remote (different) internet connection. But if I connect to my own internet line using WiFi, the VPN (AnyConnect SSL VPN client) connection is established.
    I need help to solve this mystery. Please find attached the ASA config: #show run
    I hope my explanation makes sense; if not, please accept my apology, I am just new to Cisco technology.
    Best regards,
    BEN

    If you can connect with your own internet line, then most probably it's not an issue with the ASA configuration.
    I would check how you are routing the ASA to the internet, and if there is any ACL that might be blocking inbound access to the ASA on the device in front of the ASA.

  • ASA 5505 SSL VPN LOG failed

    %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3293 for TLSv1 session.
    %ASA-6-725003: SSL client outside:58.211.122.212/3293 request to resume previous session.
    %ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293
    %ASA-6-113012: AAA user authentication Successful : local database : user = admin
    %ASA-6-113009: AAA retrieved default group policy (SSLCLientPolicy) for user = admin
    %ASA-6-113008: AAA transaction status ACCEPT : user = admin
    %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.grouppolicy = SSLCLientPolicy
    %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.username = admin
    %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.tunnelgroup = SSLClientProfile
    %ASA-6-734001: DAP: User admin, Addr 58.211.122.212, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy
    %ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
    %ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.
    %ASA-6-302013: Built inbound TCP connection 137616 for outside:58.211.122.212/3294 (58.211.122.212/3294) to identity:61.155.55.66/443 (61.155.55.66/443)
    %ASA-6-302013: Built inbound TCP connection 137617 for outside:58.211.122.212/3295 (58.211.122.212/3295) to identity:61.155.55.66/443 (61.155.55.66/443)
    %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3294 for TLSv1 session.
    %ASA-6-725003: SSL client outside:58.211.122.212/3294 request to resume previous session.
    %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3295 for TLSv1 session.
    %ASA-6-725003: SSL client outside:58.211.122.212/3295 request to resume previous session.
    What is the reason for the red error? It only appears on the Windows 2003 server.

    ciscoasa# show   activation-key 
    Serial Number:  JMX1314Z1UV
    Running Activation Key: 0x9625fa6a 0x68e90200 0x38c3adac 0xaa0448d0 0x4b3815b6
    Licensed features for this platform:
    Maximum Physical Interfaces    : 8        
    VLANs                          : 3, DMZ Restricted
    Inside Hosts                   : 10       
    Failover                       : Disabled
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 10       
    Dual ISPs                      : Disabled 
    VLAN Trunk Ports               : 0        
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled 
    This platform has a Base license.
    The flash activation key is the SAME as the running key.
    ciscoasa#
    Sure? It was a licence question?
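The log posted above shows authentication succeeding (113012) before the session is refused with 716023 "session limit of 2 reached", and the `show activation-key` output lists `SSL VPN Peers : 2`. The following added example (not code from the thread or from Cisco) correlates those two facts; the sample input is constructed from the posted output with documentation-range addresses, and the function names are assumptions.

```python
import re

# Constructed sample input modelled on the log and licence output posted above
# (client address replaced with an RFC 5737 documentation address).
SAMPLE_LOG = """\
%ASA-6-725002: Device completed SSL handshake with client outside:203.0.113.10/3293
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-734001: DAP: User admin, Addr 203.0.113.10, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <203.0.113.10> Session could not be established: session limit of 2 reached.
%ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <203.0.113.10> WebVPN Unable to create session.
"""
SAMPLE_LICENSE = """\
SSL VPN Peers                  : 2
Total VPN Peers                : 10
"""

MSG = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")
# Field layout follows the 716023 line as it appears in the posted log.
LIMIT = re.compile(r"Group <([^>]*)> User <([^>]*)> IP <([^>]*)> "
                   r"Session could not be established: session limit of (\d+) reached")
AUTH_OK = re.compile(r"AAA user authentication Successful .*user = (\S+)")
PEERS = re.compile(r"^\s*SSL VPN Peers\s*:\s*(\d+)", re.M)


def licensed_ssl_peers(license_text):
    """Return the 'SSL VPN Peers' count from show activation-key output, or None."""
    m = PEERS.search(license_text)
    return int(m.group(1)) if m else None


def diagnose(log_text, license_text):
    """List each refused session and whether its limit equals the licensed peer count."""
    cap = licensed_ssl_peers(license_text)
    authed, findings = set(), []
    for line in log_text.splitlines():
        m = MSG.match(line.strip())
        if not m:
            continue
        _severity, msg_id, body = m.groups()
        if msg_id == "113012" and (ok := AUTH_OK.search(body)):
            authed.add(ok.group(1))          # credentials were accepted
        elif msg_id == "716023" and (hit := LIMIT.search(body)):
            group, user, ip, limit = hit.groups()
            findings.append({
                "user": user, "group": group, "ip": ip, "limit": int(limit),
                "auth_succeeded": user in authed,
                "matches_license_cap": cap is not None and int(limit) == cap,
            })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_LICENSE):
        print(finding)
```

A finding with `auth_succeeded` and `matches_license_cap` both true points at the licensed session count rather than at credentials or policy; `show vpn-sessiondb webvpn`, used earlier on this page, lists the sessions currently holding those slots.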

  • VPN - can't access internet over VPN

    Hi,
    I have an issue with VPN.
    For my work I need to be able to log into my office network remotely and then access remote desktop connection from within my work network.
    This won't work unless I am accessing the internet from inside the VPN.
    I have got this working on a PC, just had to select "Use default gateway on remote network" and now when I access the VPN on a windows laptop I am accessing the internet over the VPN.
    When I connect to the VPN on the Mac I can access the network, email server, file servers etc, but can not access the internet through the VPN.
    I have tried:
    - changing the service order
    - ticking and unticking the send all traffic over VPN setting
    I can get to the point where I can access my work network over the VPN while also accessing the internet over my wifi but cannot get it so I can access the internet over the VPN connection. It is a PPTP VPN.
    Does anyone know how I get my Mac to use the default gateway on the remote network?

    If this server is behind a (NAT-) router you need to turn on "ipforwarding only" in Server Admin NAT configuration, otherwise the server won't route packets beyond its subnet.

  • Safari not accessing login pages

    Safari right now will not access any login page, citing "because it couldn’t establish a secure connection to the server". I had a harddrive fail recently and had installed a new one (120 GB replacing an 80 GB) and thus had to reinstall OS Tiger onto the new harddrive. At the same time, I upgraded my RAM by adding another 512 MB chip. I went through all the updates and everything seemed to be fine until I noticed Safari couldn't access any login page (gmail, netscape, apple ID, etc.). Before the failure, everything was working perfectly. Then the next time software updater ran, every time it tried to install something it would hang up before it finished. I have emptied the caches, the history, set cookies to always accept, reset safari, and removed the plist. Nothing has worked thus far and I am avoiding reinstalling Tiger.
    I am using SBC DSL, and a friend had almost the same setup as me (except he has a G4 PowerPC with the mirrored doors) and he has no problem with it.
    I know I can use Firefox and IE, but I hate those browsers and would like to use Safari. I also really would like to download the latest updates.
    Other than that, I have not had any problems.
    I would appreciate any help, thanks.

    Did this, worked fantastic, as a number of other applications have also freed up. It had started with Safari, then Software Update, TextEdit, iMovie, etc. I also have x509 certificates that I have put into the trash. What are they, and should I bin these as well?
