Clientless SSL VPN and ActiveX question
Hey All,
First post for me here, so be gentle. I'll try to be as detailed as possible.
With the vast majority of my customers, I am able to configure an IPsec L2L VPN and narrow the traffic down to a very minimal set of ports. However, I have a customer that does not want to allow an L2L VPN tunnel between their remote site and their NOC center. I thought this might be a good opportunity to get a clientless SSL VPN session set up (they don't want to have to launch and log into a separate client). Ultimately, this will be 8 individual sites, so setting up SSL VPNs at each site would be cost prohibitive from a licensing perspective. My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPsec VPNs via ASA 5505s (same rev as the 5510) set up with each of the sites.
The first issue I've run into is that I can only access bookmarks that point to the external address of the remote web server (the site has a static entry mapping an external address to the internal address of the web server). I am unable to browse (via bookmark) to the internal address of the remote web server. Through my browser at the office I can access the internal address fine, just not through the SSL VPN portal. I am testing this external connectivity using a cell card to simulate outside access. Is accessing the external IP address by design, or do I have something hosed?
The second issue I face is that when I access the external address through the bookmark, I am ultimately able to log onto my remote website and do normal browsing and JavaScript-type functions, but I am not able to use controls that require my company's ActiveX controls (video, primarily). I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through. The stream only runs at about 5 fps, so it's not an intense stream.
I have researched hairpinning for this situation and "believe" that I have the NAT properly defined, even going as far as doing an ANY ANY just for testing purposes, to no avail. I do see a decent number of "no translates" from a show nat:
match ip inside any outside any
NAT exempt
translate_hits = 8915, untranslate_hits = 6574
access-list nonat extended permit ip any any log notifications
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list outside_in extended permit icmp any any log notifications
access-list outside_in extended permit tcp any any log notifications
pager lines 24
logging enable
logging asdm informational
logging ftp-server 192.168.16.34 / syslog *****
mtu inside 1500
mtu outside 1500
ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.16.32 255.255.255.224
nat (inside) 1 192.168.17.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
192.168.2.0 is my corp network range
192.168.2.171 is my internal IP for corp ASA5510
97.x.x.x is the external interface for my corp ASA5510
192.168.16.34 is the internal interface for the remote ASA5505
64.x.x.x is the external interface for the remote ASA5505
192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
As you can see, I have things reasonably wide open, with no port restrictions on this one yet; this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out. Right now, the ASA 5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% properly to simulate coming from outside the network through my ASA 5510, out to a remote ASA 5505, and to a web server behind that 5505. I'm sure the issue is probably going to be a mix of ACLs between the 5510 and the 5505.
I guess the main question is: is clientless SSL VPN really a good choice for this, or are there other real alternatives, especially since my client doesn't want to have to install or use an actual client (like AnyConnect), nor do they want an always-on IPsec VPN? Am I going about this the right way? Anyone have any suggestions, or do I have my config royally hosed?
Thanks much for any and all ideas!
Hey All, I appreciate all of the views on this post. I would appreciate any input - even if you think it might be far-fetched. I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself. Thanks, in advance!!
Similar Messages
-
ASA Clientless SSL VPN can't access login pages on websites
When I'm doing a clientless SSL VPN to my ASA and using the ASA to browse websites, I can pretty much go to just about any website except, specifically, login websites. I can go on Google and Yahoo, but when I click the "mail" button it just gives me an error message: "Connection Failed - Server (site name) unavailable." When I go onto hotmail.com, it says server hotmail.com unavailable. When I browse by entering Hotmail's IP address, it says "Bad Request." The same happens on eBay, YouTube, etc. Funny thing is, the ONLY login page I can get onto is Cisco's website's login page. I tried changing DNS servers; nothing changed. Here is my configuration:
show run
: Saved
ASA Version 8.4(4)1
hostname PatG
domain-name resolver4.opendns.com
enable password aDvdtQE/ih5t061i encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
boot system disk0:/asa844-1-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group Comcast
name-server 75.75.75.75
domain-name cdns01.comcast.net
dns server-group DefaultDNS
name-server 208.67.220.222
name-server 208.67.220.220
domain-name resolver4.opendns.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Remote1 protocol radius
aaa-server Remote1 (inside) host 192.168.1.8
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console Remote1
aaa authentication http console Remote1 LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd domain redtube.com
dhcpd auto_config outside
dhcpd option 150 ip 192.168.1.15 192.168.1.5
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
tunnel-group-list enable
group-policy Eng internal
group-policy Eng attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value EngineerMarks
group-policy RemoteHTTP internal
group-policy RemoteHTTP attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value Test
customization value Extra
username user1 password mbO2jYs13AXlIAGa encrypted privilege 0
tunnel-group Browser type remote-access
tunnel-group Browser general-attributes
authentication-server-group Remote1
default-group-policy RemoteHTTP
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
authentication-server-group Remote1
default-group-policy RemoteHTTP
tunnel-group TEST webvpn-attributes
group-alias testing enable
group-url https://24.19.162.53/testing enable
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
authentication-server-group Remote1 LOCAL
default-group-policy Eng
tunnel-group Engineering webvpn-attributes
group-alias engineering enable
group-url https://209.165.200.2/engineering enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
policy-map map
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:843e718c8d4b23b5f421f82fc0a0c255
: end
Can anyone please help me? Thanks
In your crypto ACLs for the site-to-site tunnels, add the ASA's public IP destined to the remote network, and mirror this ACL on the remote end VPN device.
Example:
ASA public IP: 2.2.2.2
Remote network: 192.168.1.0/24
access-list vpn_to_remote_network permit ip host 2.2.2.2 192.168.1.0 255.255.255.0
Mirror the above acl on the remote end router.
PS. If you found this post helpful, please rate it. -
SSL VPN and dedicated IP address
Hello
I have an ASA 5505 8.3 and I set it up with ADSL 6.3.
I am trying to dedicate IP addresses to clientless SSL VPN users: is it possible?
If not, is it possible with the AnyConnect client?
If yes, I can't perform it!
I have a user test and I want to dedicate an IP address to him. After authentication the user can connect to a web application, but when I look at the netstat, it is the IP address of the ASA which is connected...
Could you help me ?
Regards
L.Malandain
Two ways -
First, create a pool with one IP address and assign that to the group policy.
Second, modify the user attributes:
username test password xxxxx
username test attributes
vpn-framed-ip-address <ip-address> <netmask>
Thanks
Ajay -
Port forwarding for clientless SSL VPN access
Hello,
I am currently trying to set up clientless SSL VPN access for some remote sites that our company does business with. Since their machines are not owned by my company, we don't want to install/support a VPN client. Therefore, SSL is a great option.
However, I'm running into an issue. I'm trying to set up port forwarding for a few remote servers. These remote servers are different and have distinct IP addresses. They are attempting to connect with two different servers here.
But my issue is that both servers are trying to use the same TCP port. The ASDM is not letting me use two different port forwarding rules for the same TCP port. The rules can exist side-by-side, but they cannot be used at the same time.
Why? It's not trying to access the same TCP port on a server when it's already in use. Is there anyway I can get around this?
If this doesn't make sense, please let me know and I'll do my best to explain it better.
Hi Caleb,
If you mean clientless WebVPN port-forwarding lists, then you should be able to get your requirements. Even the same port of the same server can be mapped to different ports bound to the loopback IP.
CLI:
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# port-forward PF 2323 192.168.1.100 23
ciscoasa(config-webvpn)# port-forward PF 2300 192.168.1.200 23
then you apply the port-forwarder list under a group-policy
Hope this helps
Mashal
Mashal Alshboul -
Works windows mobile with SSL VPN and anyconnect
Hello,
Does anyone know if the following OSes work with the ASA 8.x SSL VPN client, SSL clientless VPN, the AnyConnect client and Secure Desktop:
windows mobile 5.0 Premium phone edition
windows mobile 6.0
windows embedded CE,Net
windows mobile 2003
Thank you for your help
Michael -
Cisco ASA Site to Site IPSEC VPN and NAT question
Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPsec VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with IPsec VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses.
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination, let's say, 10.23.1.5, not 192.168.1.5 (notice the last octet should be the same, in this case .5).
The same translation for the rest of the communication (host N2 pings host N3 with destination IP 10.23.1.6, not 192.168.1.6; again the last octet is the same).
It sounds a bit confusing for me, but I have seen this type of setup before when I worked for a managed service provider where we had connections to our clients (Site to Site IPsec VPN with NAT, not sure how it was set up).
Basically we were communicating with client hosts over the site to site VPN but their real addresses were hidden and we were using translated addresses as mentioned above, 10.23.1.0/24 instead of the (real) 192.168.1.0/24; the last octet should be the same.
Appreciate it if someone can shed some light on it.
Hi,
OK, so we're going with the older NAT configuration format.
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other.
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni -
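Both the first post (the nonat and outside_in lists feeding "nat (inside) 0 access-list nonat" and the outside access-group) and Jouni's policy-NAT reply above come down to the same mechanics: the ASA walks an access-list top to bottom, first match wins, and a "static ... access-list" translates the whole real network into the mapped network with host bits preserved. The following Python model is an added example, not code from either thread or from Cisco, that reproduces those mechanics for the old 8.2-style syntax so a flow can be checked off-box. The config excerpt inside it is constructed for the example (modelled on both threads), it ignores ports and protocols, and it is no substitute for packet-tracer on the device itself; it also lists the "permit ip any any" style entries, which the first poster rightly says must not survive the troubleshooting phase.

```python
"""Model how an ASA (8.2-style syntax) matches a flow against access-lists used by
'nat 0 access-list' (NAT exemption) and 'static (in,out) MAPPED access-list' (policy NAT).
Added example; not Cisco code and not a substitute for 'packet-tracer' on the box."""
import ipaddress

# Constructed config excerpt, modelled on the nonat/outside_in lists in the first post and
# on the policy-NAT lines in Jouni's reply. Not a real device's configuration.
SAMPLE_CONFIG = """
access-list nonat extended permit ip any any log notifications
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
access-list outside_in extended permit tcp any any log notifications
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
"""


def _address(tokens, idx):
    """Consume one ASA address spec ('any', 'host X', or 'NET MASK') starting at tokens[idx]."""
    tok = tokens[idx]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), idx + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[idx + 1] + "/32"), idx + 2
    # ipaddress accepts dotted netmasks; a ValueError is raised for object names such as A-172.16.9.34
    return ipaddress.ip_network(f"{tok}/{tokens[idx + 1]}", strict=False), idx + 2


def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST ...' into a dict.
    Ports and 'log' options are ignored; remarks return None."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list":
        return None
    idx = 2
    if tokens[idx] == "extended":
        idx += 1
    if tokens[idx] == "remark":
        return None
    action, proto = tokens[idx], tokens[idx + 1]
    src, idx = _address(tokens, idx + 2)
    dst, idx = _address(tokens, idx)
    return {"acl": tokens[1], "action": action, "proto": proto, "src": src, "dst": dst, "line": line}


def load_acls(config_text):
    """Group ACEs by access-list name, in configured order; lines that reference
    unresolvable object names are returned separately instead of being silently dropped."""
    acls, skipped = {}, []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("access-list"):
            continue
        try:
            ace = parse_ace(line)
        except (ValueError, IndexError):
            skipped.append(line)
            continue
        if ace is not None:
            acls.setdefault(ace["acl"], []).append(ace)
    return acls, skipped


def first_match(aces, src_ip, dst_ip):
    """ACL evaluation is first-match, top to bottom."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace["src"] and d in ace["dst"]:
            return ace
    return None


def nat0_exempt(acls, nonat_acl, src_ip, dst_ip):
    """'nat (inside) 0 access-list NONAT': the flow bypasses NAT when the list permits it."""
    ace = first_match(acls.get(nonat_acl, []), src_ip, dst_ip)
    return ace is not None and ace["action"] == "permit"


def policy_nat(acls, policy_acl, mapped_net_addr, src_ip, dst_ip):
    """'static (inside,outside) MAPPED access-list POLICY': when the inside->outside flow
    matches the policy list, the source is rewritten from the ACE's real network into the
    mapped network of the same size, host bits preserved (so .5 stays .5)."""
    ace = first_match(acls.get(policy_acl, []), src_ip, dst_ip)
    if ace is None or ace["action"] != "permit":
        return None
    real = ace["src"]
    mapped = ipaddress.ip_network(f"{mapped_net_addr}/{real.prefixlen}")
    offset = int(ipaddress.ip_address(src_ip)) - int(real.network_address)
    return str(ipaddress.ip_address(int(mapped.network_address) + offset))


def policy_untranslate(acls, policy_acl, mapped_net_addr, outside_src_ip, mapped_dst_ip):
    """The same static in the outside->inside direction: a packet from the policy list's
    destination network, addressed to the mapped network, gets its destination rewritten
    back into the real network."""
    src, dst = ipaddress.ip_address(outside_src_ip), ipaddress.ip_address(mapped_dst_ip)
    for ace in acls.get(policy_acl, []):
        real = ace["src"]
        mapped = ipaddress.ip_network(f"{mapped_net_addr}/{real.prefixlen}")
        if ace["action"] == "permit" and src in ace["dst"] and dst in mapped:
            offset = int(dst) - int(mapped.network_address)
            return str(ipaddress.ip_address(int(real.network_address) + offset))
    return None


def broad_permits(acls):
    """Permit entries matching any source and any destination: acceptable for a short
    troubleshooting window, not for the final configuration."""
    return [ace["line"] for aces in acls.values() for ace in aces
            if ace["action"] == "permit" and ace["src"].prefixlen == 0 and ace["dst"].prefixlen == 0]


if __name__ == "__main__":
    acls, skipped = load_acls(SAMPLE_CONFIG)
    print("exempt 192.168.17.10 -> 192.168.2.5:", nat0_exempt(acls, "nonat", "192.168.17.10", "192.168.2.5"))
    print("192.168.1.5 -> 10.1.0.1 leaves ASA1 as:", policy_nat(acls, "L2LVPN-POLICYNAT", "10.23.1.0", "192.168.1.5", "10.1.0.1"))
    print("10.1.0.1 -> 10.23.1.6 reaches ASA1 inside as:", policy_untranslate(acls, "L2LVPN-POLICYNAT", "10.23.1.0", "10.1.0.1", "10.23.1.6"))
    print("wide-open permits:", *broad_permits(acls), sep="\n  ")
    print("skipped (object names not resolved here):", *skipped, sep="\n  ")
```

Feed it the output of "show run access-list" and the skipped list shows which entries use object names you would have to expand by hand; the real source of truth for a specific packet remains packet-tracer on each ASA, with the 5510 and the 5505 checked separately since each applies its own lists.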
Cisco 1841 SSL VPN and Anyconnect Help
I am pretty new to Cisco programming and am trying to get an SSL VPN set up for remote access using a web browser and using AnyConnect version 3.1.04509. If I try to connect via a web browser I get an error telling me the security certificate is not secure. If I try to connect via AnyConnect I get an error saying "Untrusted VPN Server Blocked." If I change the AnyConnect settings to allow connections to untrusted servers, I get two errors that say "Certificate does not match the server name" and "Certificate is malformed." Below is the running config in the router at this time. There is another Site-to-Site VPN tunnel that is up and working properly on this device. Any help would be greatly appreciated. Thanks
Current configuration : 7741 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname buchanan1841
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
enable secret 5 XXXXXXX
enable password XXXX
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
crypto pki trustpoint buchanan_Certificate
enrollment selfsigned
revocation-check crl
rsakeypair buchanan_rsakey_pairname
crypto pki certificate chain buchanan_Certificate
certificate self-signed 01
30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
quit
dot11 syslog
ip source-route
ip cef
no ipv6 cef
multilink bundle-name authenticated
username buchanan privilege 15 password 0 XXXXX
username cybera password 0 cybera
username skapple privilege 15 secret 5 XXXXXXXXXX
username buckys secret 5 XXXXXXXXXXX
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key p2uprEswaspus address XXXXXX
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set cybera esp-3des esp-md5-hmac
crypto ipsec profile cybera
set transform-set cybera
archive
log config
hidekeys
ip ssh version 1
interface Tunnel0
description Cybera WAN - IPSEC Tunnel
ip address x.x.x.x 255.255.255.252
ip virtual-reassembly
tunnel source x.x.x.x
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile cybera
interface FastEthernet0/0
description LAN Connection
ip address 192.168.1.254 255.255.255.0
ip helper-address 192.168.1.2
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description WAN Connection
ip address x.x.x.x 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface ATM0/0/0
no ip address
shutdown
atm restart timer 300
no atm ilmi-keepalive
interface Virtual-Template2
ip unnumbered FastEthernet0/0
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
ip local pool LAN_POOL 192.168.1.50 192.168.1.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 4.71.21.0 255.255.255.224 x.x.x.x
ip route 10.4.0.0 255.255.0.0 x.x.x.x
ip route 10.5.0.0 255.255.0.0 x.x.x.x
ip route x.x.x.x 255.255.240.0 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.201 22 x.x.x.x 22 extendable
ip nat inside source static tcp 192.168.1.202 23 x.x.x.x 23 extendable
access-list 1 permit 192.168.1.0 0.0.0.255
control-plane
line con 0
line aux 0
line vty 0 4
password xxxxx
transport input telnet ssh
scheduler allocate 20000 1000
webvpn gateway gateway_1
ip address x.x.x.x port 443
http-redirect port 80
ssl trustpoint buchanan_Certificate
inservice
webvpn install svc flash:/webvpn/anyconnect-win-3.1.04059-k9.pkg sequence 1
webvpn context employees
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
policy group policy_1
functions svc-enabled
svc address-pool "LAN_POOL"
svc default-domain "buchanan.local"
svc keep-client-installed
svc dns-server primary 192.168.1.2
svc wins-server primary 192.168.1.2
virtual-template 2
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway gateway_1
max-users 10
inservice
end
buchanan1841#
Perhaps you have changed the host-/domainname after the certificate was created?
I'd generate a new one ...
Michael
Please rate all helpful posts -
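The two client errors above ("does not match the server name", "malformed") can be checked against the certificate itself, since the config dump includes it in full under "crypto pki certificate chain buchanan_Certificate". The script below is an added example, not from this thread and not Cisco code: it decodes that hex dump with a minimal pure-Python DER walker (no third-party library) and reports the subject, the subjectAltName entries, the RSA key size, the signature algorithm and the validity window, which is exactly what a browser or AnyConnect compares against the name or address it dialled. The address 192.0.2.1 in the usage is a constructed placeholder for "the IP a client connects to", and the OID-to-name tables are assumptions limited to the few algorithms listed. A certificate whose only name is the router's hostname cannot match a client that connects by IP, and MD5 signatures or RSA keys shorter than 1024 bits are refused by modern browsers and TLS stacks regardless of the name, so regenerating the certificate (as Michael suggests) is also the moment to fix those.

```python
"""Decode the self-signed certificate from the 1841 config above (pure-Python DER walk, no
third-party library) and report what a client will compare against the name it connected to."""

# Hex dump copied from 'crypto pki certificate chain buchanan_Certificate' in the config above.
CERT_HEX = """
30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
"""

# Assumed lookup tables (RFC 3279/4055 OIDs); unknown OIDs are reported in dotted form.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
NAME_ATTR = {"2.5.4.3": "CN", "1.2.840.113549.1.9.2": "unstructuredName"}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """All TLVs contained in a constructed value (SEQUENCE / SET / [n])."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def _name(value):
    """Name ::= SEQUENCE OF SET OF {type OID, value string}; returned as [(attr, text)]."""
    out = []
    for _, rdn in _children(value):
        for _, atv in _children(rdn):
            (_, oid), (_, text) = _children(atv)
            out.append((NAME_ATTR.get(_oid(oid), _oid(oid)), text.decode("latin-1")))
    return out


def parse_cert(der):
    """Extract the fields that matter for name matching and for weak-certificate checks."""
    _, cert, _ = _tlv(der, 0)
    (_, tbs), (_, sig_alg), _ = _children(cert)          # tbsCertificate, signatureAlgorithm, signature
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    _serial, _alg, issuer, validity, subject, spki = fields[:6]
    not_before, not_after = (v.decode("ascii") for _, v in _children(validity[1]))
    (_, _key_alg), (_, bitstr) = _children(spki[1])
    (_, modulus), _ = _children(_tlv(bitstr, 1)[1])      # skip the unused-bits octet, then RSAPublicKey
    san_dns, san_ip = [], []
    for tag, ext_block in fields[6:]:
        if tag != 0xA3:                                  # [3] extensions
            continue
        for _, ext in _children(_children(ext_block)[0][1]):
            parts = _children(ext)
            if _oid(parts[0][1]) == "2.5.29.17":         # subjectAltName; last part is the OCTET STRING
                for gn_tag, gn in _children(_tlv(parts[-1][1], 0)[1]):
                    if gn_tag == 0x82:                   # dNSName
                        san_dns.append(gn.decode("ascii"))
                    elif gn_tag == 0x87 and len(gn) == 4:  # iPAddress (IPv4)
                        san_ip.append(".".join(str(b) for b in gn))
    sig_oid = _oid(_children(sig_alg)[0][1])
    return {
        "subject": _name(subject[1]), "self_signed": _name(issuer[1]) == _name(subject[1]),
        "not_before": not_before, "not_after": not_after,
        "sig_alg": SIG_ALG_NAMES.get(sig_oid, sig_oid),
        "rsa_bits": int.from_bytes(modulus, "big").bit_length(),
        "san_dns": san_dns, "san_ip": san_ip,
    }


def name_matches(info, server_name):
    """Mirror the client's check: the name or IP it dialled must appear in the SAN
    (the subject is consulted only when the certificate carries no SAN at all)."""
    wanted = server_name.lower()
    if info["san_dns"] or info["san_ip"]:
        return wanted in [d.lower() for d in info["san_dns"]] or server_name in info["san_ip"]
    return any(text.lower() == wanted for _, text in info["subject"])


def weaknesses(info):
    """Reasons a current client would refuse the certificate regardless of the name."""
    issues = []
    if info["sig_alg"].startswith(("md5", "sha1")):
        issues.append(f"signature algorithm {info['sig_alg']} is no longer accepted")
    if info["rsa_bits"] < 2048:
        issues.append(f"RSA key is only {info['rsa_bits']} bits")
    if info["self_signed"]:
        issues.append("self-signed: clients must be told to trust it explicitly")
    return issues


if __name__ == "__main__":
    info = parse_cert(bytes.fromhex("".join(CERT_HEX.split())))
    print(info)
    print("matches 'buchanan1841':", name_matches(info, "buchanan1841"))
    print("matches 192.0.2.1 (constructed client target):", name_matches(info, "192.0.2.1"))
    print(*weaknesses(info), sep="\n")
```

The same walker works on any IOS "certificate self-signed" hex block pasted into CERT_HEX; for a certificate from another source, convert the DER file with a hex dump first. Whatever name the client is configured to dial (hostname or IP) should be one of the san_dns or san_ip entries of the replacement certificate.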
Hi Everyone,
I was testing few things at my home lab.
PC---running ssl vpn------------sw------router------------ISP--------------ASA(ssl anyconnect)
anyconnect ssl is working fine and i am also able to access internet.
I am using full tunnel
I have an ACL on the outside interface of the ASA (as shown in ASDM):
#   Enabled   Source   Destination   Service   Action   Hits   Logging
1   True      any      any           ip        Deny     0      Default
i know that ACL is used for traffic passing via ASA.
I need to understand the traffic flow for access to internet via ssl vpn.?
Regards
Mahesh
As you say correctly, the interface-ACL is not important for that as the VPN-traffic is not inspected by that ACL. At least not by default.
You can control the traffic with a different ACL that gets applied to the group-policy with the "vpn-filter" command. And of course you need a NAT-rule that translates your traffic when flowing to the internet. That rule has to work on the interface-pair (outside,outside). -
Does the ASA or IOS support an SSL VPN that includes the Cisco softphone like it does say RDP, SSH, etc? I'm trying to determine if I can have a user connect a soft phone to our parent company's SSL VPN so they can use their Cisco phone system, while simultaneously having a remote access vpn tunnel to our division's data network. In short, our employees need to use phones that don't exist on our network while having access to our data network. I've been able to test having an SSL vpn session open at the same time as an IPSec remote access session, but the softphone is not an option in my current code of 8.4 on the ASA. I thought I heard it might be available in 9.0. It seems like it would work in reverse, i.e. having my users connect to my SSL VPN to use my data network and then IPSec to our parent company for the client's locally installed soft phone, but that's not an option for me. The link below seems to suggest it's possible in IOS at least, but I haven't been able to find any details beyond the sales pitch it offers.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_securing_voice_traffic_with_cisco_ios_ssl_vpn.html
Thank you
Following links may help you:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008072462a.shtml -
SSL VPN and Dynamic DNS - ddns on IOS
Hello,
I'm trying to configure a SSL VPN tunnel via SDM on a 877 Router. The router gets the public IP address dynamically from the ISP, so I have configured the DDNS to access remotely to the router. I would like to know if it's possible to configure the SSL VPN to support the dynamic IP via SDM o CLI.
Regards
Gerard
Seems like I have fixed the problem using:
webvpn gateway gateway_1
ip interface Dialer0 port 443
ssl trustpoint local
inservice
However when the router is rebooted, it results in this error:
Invalid ip address First configure an IP address for the gateway
Any idea how to delay the webvpn commands at startup until dialer0 gets a dynamic IP ? -
Clientless ssl vpn homepage after login problem
Hi all,
I have a problem with my clientless vpn portal.
I need to configure that when a user logs in through the portal, something that works just fine, that he ends up on the homepage.
Right now he ends up immediatly on the anyconnect button.
With the homepage I do mean the first button that says "Home".
Users must be able to click on the "Web Applications", below "Home".
Below "Web Applications" users must have their "Anyconnect" button aswell.
First of all I wasn't able to make the portal display the "Anyconnect" button in the menu.
Then after a while, I figured out that when the Dynamic Access Policy said "Unchanged" on the "Access Method" page.
When changing that parameter to "AnyConnect client" the portal is no portal anymore; I immediately end up on the AnyConnect client start.
When selecting "Web-Portal" I get the portal page, but the anyconnect menu is missing.
When selecting "Both-Default-Web-Portal" I get the anyconnect button, and all other menus, which is good.
But, I want the home button to be the default.
And not the AnyConnect button; after logging in you immediately get the start AnyConnect page.
And then last but not least, when selecting "Both-Default-Anyconnect" you log in to the web portal and AnyConnect starts immediately from the menu.
Something we want the end user to do manually (Click "Start Anyconnect") I mean!
I'm pretty sure the DAP is forcing that because of the options above.
But when selecting unchanged or anything that doesn't include Anyconnect, then the anyconnect button is gone...
I don't know what I can do to change that.
Am I missing something?
I would say DAP isn't needed, but when I set everything to default in the default DAP, then the anyconnect button is gone in the menu...
Kind regards,
Robin
Here's my configuration:
group-policy GP_company_intranet_portal attributes
wins-server value x.x.x.x
dns-server value x.x.x.x
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
default-domain value company.local
address-pools value IPP_SSLVPN01
webvpn
url-list value BML_company_intranet_portal
http-proxy disable
anyconnect keep-installer installed
anyconnect ask enable default webvpn
customization value CO_company_intranet_portal
http-comp gzip
hidden-shares none
activex-relay enable
file-entry disable
file-browsing disable
url-entry disable
smart-tunnel auto-signon disable
tunnel-group TG_company_portal_localauth type remote-access
tunnel-group TG_company_portal_localauth webvpn-attributes
customization CO_company_intranet_portal
group-url https://portal.company.be enable
username testaccount password xxxxxxxxxx encrypted privilege 0
username testaccount attributes
vpn-group-policy GP_company_intranet_portal
vpn-tunnel-protocol ssl-client ssl-clientless
password-storage disable
group-lock value TG_company_portal_localauth
service-type remote-access
Troubleshooting when logged in, just to verify if the right group-policy is being used:
FW-company# show vpn-sessiondb webvpn
Session Type: WebVPN
Username : testaccount Index : 510
Public IP : x.x.x.x
Protocol : Clientless
License : AnyConnect Premium
Encryption : 3DES Hashing : SHA1
Bytes Tx : 114897 Bytes Rx : 16087
Group Policy : GP_company_intranet_portal
Tunnel Group : TG_company_portal_localauth
Login Time : 14:50:56 GMT+2 Thu Oct 25 2012
Duration : 0h:00m:03s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
Hi jportugu,
I can't believe it, I seriously thought I already did that... And that removed my AnyConnect button from the menu.
Which is why I started playing with the DAP function in the first place.
I tried your suggestion and that now works.
Thanks!
The only new problem now is that my bookmarks aren't showing up anymore now.
But that must be a different problem I guess.
Might be DAP related again?
Result: I activated under the default DAP: "Bookmarks" ==> "Enable bookmarks"
Now everything works as it is supposed to...
Really strange though... I thought I did that already...
Thanks jportugu!!
Kind regards,
Robin -
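A quick way to confirm that a clientless session really landed in the intended group-policy and tunnel-group (and to flag the legacy 3DES/SHA1 suite the output above shows) is to parse the `show vpn-sessiondb webvpn` text. This is an added Python example, not code from the thread; the sample output is constructed from the post above with a documentation IP address.

```python
import re

# Constructed sample, modelled on the "show vpn-sessiondb webvpn" output in the
# thread above; the public IP is a documentation address, not a real one.
SAMPLE_OUTPUT = """\
Session Type: WebVPN
Username : testaccount Index : 510
Public IP : 198.51.100.7
Protocol : Clientless
License : AnyConnect Premium
Encryption : 3DES Hashing : SHA1
Bytes Tx : 114897 Bytes Rx : 16087
Group Policy : GP_company_intranet_portal
Tunnel Group : TG_company_portal_localauth
Login Time : 14:50:56 GMT+2 Thu Oct 25 2012
Duration : 0h:00m:03s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
"""

# One "Key : value" pair; several pairs may share a line. A value runs until the next
# capitalised key followed by a colon, or end of line, so values containing colons
# (the login time, the durations) are kept whole.
PAIR_RE = re.compile(r"([A-Z][A-Za-z ]*?)\s*:\s+(.*?)(?=\s+[A-Z][A-Za-z ]*?\s*:\s|$)")
LEGACY_CIPHERS = {"DES", "3DES", "RC4"}
LEGACY_HASHES = {"MD5", "SHA1"}

def parse_session(text):
    """Turn one session block into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        for key, value in PAIR_RE.findall(line.strip()):
            fields[key] = value
    return fields

def check_session(fields, expected_group_policy, expected_tunnel_group):
    """Return findings; an empty list means the session matches what was intended."""
    findings = []
    if fields.get("Group Policy") != expected_group_policy:
        findings.append("unexpected group policy: %s" % fields.get("Group Policy"))
    if fields.get("Tunnel Group") != expected_tunnel_group:
        findings.append("unexpected tunnel group: %s" % fields.get("Tunnel Group"))
    if fields.get("Encryption") in LEGACY_CIPHERS:
        findings.append("legacy cipher in use: %s" % fields["Encryption"])
    if fields.get("Hashing") in LEGACY_HASHES:
        findings.append("legacy hash in use: %s" % fields["Hashing"])
    return findings

print(check_session(parse_session(SAMPLE_OUTPUT), "GP_company_intranet_portal",
                    "TG_company_portal_localauth"))
```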
IP Phone SSL VPN and Split tunneling
Hi Team,
I went through the following document, which is very useful:
https://supportforums.cisco.com/docs/DOC-9124
The only thing I'm not sure about is the split-tunneling point:
Group-policy must not be configured with split tunnel or split exclude. Only tunnel all is the supported tunneling policy
I could see many implementations where split-tunneling was used, like one of my customers:
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
banner value This system is only for Authorized users.
dns-server value 10.64.10.13 10.64.10.14
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value prod.mobily.lan
address-pools value SSLClientPool
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
username manager-max attributes
vpn-group-policy GroupPolicy1
tunnel-group PhoneVPN type remote-access
tunnel-group PhoneVPN general-attributes
address-pool SSLClientPool
authentication-server-group AD
default-group-policy GroupPolicy1
tunnel-group PhoneVPN webvpn-attributes
group-url https://84.23.107.10 enable
ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
access-list split-tunnel remark split-tunnel network list
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
It is working for them w/o any issue.
My question would be
- is the limitation about split-tunneling still valid? If yes, why is it not recommended?
Thanks!
Eva
Hi,
If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination; this is most likely when the user is being authenticated against the AAA server. If the phone is failing authentication against an external AAA server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including 'debug aaa authentication|common|internal' and protocol-specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
Did this answer your question? If so, please mark it Answered! -
Trying to set up a ssl vpn and can't get to it from outside?
I have a barracuda sslvpn and a
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
When I try to edit the VPN service object to say destination 444 with source default instead of source 444, I get this:
[OK] object service VPN
object service VPN
[ERROR] service tcp destination eq 444
Object is used in IPv6 access-list out_in. Can't change IP to IPv4.
ERROR: object (VPN) updation failed due to internal error
HI franklyhollywood:
Joomla is easy to set up (install) once Mysql and PHP is properly set up. CMS (Content Management
System) websites are the way to go. I am migrating all my sites to CMS, either full CMS or Partial
CMS. The Server Guys (and Girls) can help you get it set up properly. If you don't want the hassle
of configuring MySql and PHP on your Mac, use the preconfigured MAMP setup:
http://www.mamp.info/en/index.html
I am only interested in the final product (the website), so I chose MAMP to handle the database and
scripting language (PHP) chores. MAMP can be Installed, configured and up and running in minutes,
leaving me free to develop and make ready my sites for uploading to their eventual home on my
hosting provider's server.
Kj ♘ -
Clientless SSL VPN Portal Customization fails on 5510
I am trying to customize a web VPN portal on my 5510 but I get errors whenever I try to add a customization object. Running ASDM 6.1(5)51 on ASA 8.0(5). The error I get when I try to apply a newly created customization object is:
[ERROR] export webvpn customization DfltCustomization disk0:/tmpAsdmImportFile2090698426
export webvpn customization DfltCustomization disk0:/tmpAsdmImportFile2090698426 ^
% Invalid input detected at '^' marker.
[ERROR] import webvpn customization test disk0:/tmpAsdmImportFile2090698426
% copying 'disk0:/tmpAsdmImportFile2090698426' to a temporary ramfs file failed
[ERROR] delete /noconfirm disk0:/tmpAsdmImportFile2090698426
%Error deleting disk0:/tmpAsdmImportFile2090698426 (No such file or directory)
Tried revert webvpn all but I get error on that as well:
Result of the command: "revert webvpn all"
%ERROR: ifs_rm_dir_rec: unknown type of file `disk0:/csco_config/97/customization/86D3828A0A0EB0FFA3B55870AAA43E4F'
Any ideas?
Joe
Hi,
As mentioned by Guru, the recommended action is to format the flash: memory.
Sometimes some webvpn files get corrupted resulting in missing DfltCustomization objects or import errors.
Once you format it, it should work fine.
Thanks.
Portu. -
Client SSL VPN question
Not sure if this is possible (device: ASA 5550), but can a client establish an SSL VPN to a remote network, and devices on the remote network access local network printers?
So you've got one client on network A that creates an SSL VPN to network B; can network B be configured so that automatic jobs come across the same SSL VPN to a different IP?
I do not know if it's just me, but I do not understand what you mean with this:
So you've got one client on network A that creates an SSL VPN to network B; can network B be configured so that automatic jobs come across the same SSL VPN to a different IP?
Can you try to explain it one more time?
Now, I think you are saying the following, please look this:
HQ----ASA----INTERNET----------Office2
Now Office2 will do a clientless SSL VPN to the ASA and afterwards you want the HQ to be able to contact some printers or servers on Office2 via the clientless SSL VPN. If that is the question, the answer is NO: the clientless SSL VPN will only allow traffic to go from Office2 to the HQ, and not all traffic; it will depend on what you use to configure the clientless SSL VPN (smart tunnels, port-forwarding, plugins).
Again I am not sure if that was the question.
Regards,
Julio
Do rate all the helpful posts