WebVPN Clientless SSL VPN to intranet website - links to external sites are not working

srbrandt40 — Fri, 21 Feb 2020 16:59:52 GMT

I have setup WebVPN clientless SSL VPN so our users that are external login and there is a link to our company intranet website. Any of the links that exist on the website or are internal on our LAN/WAN work correctly.

My problem is this website has quite a few links that are external such as company videos hosted on YouTube and websites hosted outside by third parties.

When I click on one of these links I get : Connection Failed Server "url" unavailable

I have tried different settings and so far none have fixed this issue.

Group Policy : General - Web ACL - Allowed_External Permit any url

What am I missing to make this work?

Re: WebVPN Clientless SSL VPN to intranet website - links to external sites are not working

balaji.bandi — Mon, 01 Apr 2019 20:32:51 GMT

Not sure what device you have configured for Web VPN, ( i was assuming you configured ASA)

please refer below reference guide(and post the running config to have look)

https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html

Re: WebVPN Clientless SSL VPN to intranet website - links to external sites are not working

srbrandt40 — Mon, 01 Apr 2019 21:42:32 GMT

Yes this is setup on a Cisco ASA 5550 ASA version 9.1.7.32

Connection Profile= RemoteUsers GroupPolicy_RemoteUsers

Running Config

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.04.01 16:16:39 =~=~=~=~=~=~=~=~=~=~=~=
show run
: Saved
:
: Serial Number:xxxxxxxxxxxxxxxx
: Hardware:   ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
:
ASA Version 9.1(7)32
!
hostname tconnect
domain-name tc.inet
enable password xxxxxxxxxx encrypted
names
ip local pool VPN_Pool1 172.25.224.1-172.25.225.254 mask 255.255.254.0
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172..xx.xx.xx 255.255.255.0
!
interface GigabitEthernet0/2
<--- More --->

shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address 10.254.xx.xx 255.255.255.0
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa917-32-k8.bin
boot system disk0:/asa917-23-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
<--- More --->

name-server 172.xx.xx.xx
name-server 172.xx.xx.xx
domain-name tc.inet
object network NETWORK_OBJ_172.25.224.0_23
subnet 172.25.224.0 255.255.254.0
object-group network DM_INLINE_NETWORK_1
network-object 172.xx.xx.0 255.255.255.0
network-object object NETWORK_OBJ_172.25.224.0_23
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access_in extended deny ip any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
<--- More --->

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Allowed_External webtype permit url http://* log debugging interval 300
access-list Allowed_External webtype permit url https://* log debugging interval 300
pager lines 24
logging enable
logging timestamp
logging list VPN-USER-DISCONNECT message 746012
logging list VPN-USER-DISCONNECT message 722051
logging list VPN-USER-DISCONNECT message 746013
logging list VPN-USER-DISCONNECT message 113019
logging list VPN-USER-DISCONNECT message 716038
logging list VPN-USER-DISCONNECT message 716001
logging list VPN-USER-DISCONNECT message 611101
logging list VPN-USER-DISCONNECT message 716039
logging list VPN-USER-DISCONNECT message 716052
logging list VPN-USER-DISCONNECT message 716023
logging list VPN-USER-DISCONNECT message 716002
logging list VPN-USER-DISCONNECT message 716058
logging list VPN-USER-DISCONNECT message 716059
logging list VPN-USER-DISCONNECT message 716060
logging console critical
logging trap VPN-USER-DISCONNECT
<--- More --->

logging asdm VPN-USER-DISCONNECT
logging host inside 172.xx.xx.xx
logging permit-hostdown
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7121.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.25.224.0_23 NETWORK_OBJ_172.25.224.0_23 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.254.254.1 1
route inside 10.0.0.0 255.0.0.0 172.xx.xxx.1 1
route inside 172.16.0.0 255.240.0.0 172.xx.xxx.1 1
route inside 172.xx.xxx.0 255.255.255.0 172.xx.xxx.1 1
route inside 192.168.0.0 255.255.0.0 172.xx.xxx.1 1
route inside 0.0.0.0 0.0.0.0 172.xx.xxx.1 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
<--- More --->

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
appl-acl Allowed_External
url-list value CompassOnly
file-browsing disable
file-entry disable
url-entry disable
svc ask none default webvpn
aaa-server TC_Radius protocol radius
reactivation-mode timed
aaa-server TC_Radius (inside) host 172.xx.x.128
key xxxx
authentication-port 1812
accounting-port 1813
radius-common-pw xxxx
no mschapv2-capable
aaa-server TC_Radius (inside) host 172.xx.x.129
key xxxx
authentication-port 1812
accounting-port 1813
<--- More --->

radius-common-pw xxxx
aaa-server SecureAuth_Radiu protocol radius
aaa-server SecureAuth_Radiu (inside) host 172.xx.x.163
timeout 60
key xxxx
authentication-port 1812
accounting-port 1813
radius-common-pw xxxx
no mschapv2-capable
aaa-server SA_OATH protocol radius
aaa-server SA_OATH (inside) host 172.xx.x.164
timeout 60
key xxxx
authentication-port 1812
accounting-port 1813
radius-common-pw xxxx
no mschapv2-capable
aaa-server SecureAuth_New protocol radius
aaa-server SecureAuth_New (inside) host 172.xx.x.54
timeout 60
key xxxx
authentication-port 1812
accounting-port 1813
radius-common-pw xxxx
<--- More --->

no mschapv2-capable
user-identity default-domain LOCAL
eou allow none
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.xx.xxx.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
<--- More --->

crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
<--- More --->

crypto ca trustpoint ASDM_TrustPoint2
keypair ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint6
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint7
keypair ASDM_TrustPoint7
crl configure
crypto ca trustpoint ASDM_TrustPoint8
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint9
enrollment terminal
crl configure
<--- More --->

crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint2
certificate 2f
quit
crypto ca certificate chain ASDM_TrustPoint3
certificate ca 15a
quit
<--- More --->

crypto ca certificate chain ASDM_TrustPoint4
certificate ca 02
quit
crypto ca certificate chain ASDM_TrustPoint5
certificate ca 1f3
quit
crypto ca certificate chain ASDM_TrustPoint6
certificate ca 4b

quit
crypto ca certificate chain ASDM_TrustPoint7
certificate 0e
quit
crypto ca certificate chain ASDM_TrustPoint8
certificate ca 03
quit
crypto ca certificate chain ASDM_TrustPoint9
certificate ca 0d
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
<--- More --->

crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
<--- More --->

crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2
telnet timeout 5
ssh stricthostkeycheck
ssh 172.xx.xxx.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 10
vpn-sessiondb max-other-vpn-limit 5000
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 5000
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.xx.xxx.xx source inside
ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint7 outside
webvpn
<--- More --->

enable outside
csd image disk0:/csd_3.5.2008-k9.pkg
csd hostscan image disk0:/hostscan_4.2.02075-k9.pkg
anyconnect image disk0:/anyconnect-win-4.2.02075-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-4.2.02075-k9.pkg 2
anyconnect profiles RemoteUsers_client_profile disk0:/RemoteUsers_client_profile.xml
anyconnect enable
tunnel-group-list enable
smart-tunnel list Taylor_Tubes RDP mstsc.exe platform windows
smart-tunnel list Taylor_Tubes IE iexplore.exe platform windows
smart-tunnel list Taylor_Tubes Firefox Firefox.exe platform windows
smart-tunnel list Taylor_Tubes Chrome_browser chrome.exe platform windows
smart-tunnel list Taylor_Tubes Safari /Applications/Safari platform mac
smart-tunnel list Taylor_Tubes Outlook outlook.exe platform windows
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
wins-server value 172.xx.xxx.xx
dns-server value 172.xx.xxx.xx
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value xxx.xxx.inet
webvpn
anyconnect ask enable default webvpn timeout 10
<--- More --->

auto-signon allow uri * auth-type ntlm
group-policy GroupPolicy_RemoteUsers internal
group-policy GroupPolicy_RemoteUsers attributes
wins-server value 172.xx.xxx.xx
dns-server value 172.xx.xxx.xx
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value corp.tcc.inet
webvpn
url-list value Applications&Links
filter value Allowed_External
anyconnect profiles value RemoteUsers_client_profile type user
smart-tunnel enable Taylor_Tubes
username gnsadmin password xxxxxxxxxx encrypted privilege 15
username gnsadmin attributes
password-storage disable
tunnel-group RemoteUsers type remote-access
tunnel-group RemoteUsers general-attributes
address-pool VPN_Pool1
authentication-server-group TC_Radius
authorization-server-group TC_Radius
default-group-policy GroupPolicy_RemoteUsers
tunnel-group RemoteUsers webvpn-attributes
group-alias Compass enable
<--- More --->

group-alias RemoteUsers disable
group-url http://newcompass.tc.inet enable
without-csd
tunnel-group RemoteUsers ipsec-attributes
ikev1 trust-point ASDM_TrustPoint2
tunnel-group WebVPN_Prof type remote-access
tunnel-group WebVPN_Prof general-attributes
authentication-server-group TC_Radius
default-group-policy GroupPolicy_RemoteUsers
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
<--- More --->

inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global-policy
class global-class
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
<--- More --->

destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 22
subscribe-to-alert-group configuration periodic monthly 22
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:32387d8764fbfd06733995ce6a6dab98
: end

tconnect# show version

Cisco Adaptive Security Appliance Software Version 9.1(7)32
Device Manager Version 7.12(1)

topic Re: WebVPN Clientless SSL VPN to intranet website - links to external sites are not working in Network Security

WebVPN Clientless SSL VPN to intranet website - links to external sites are not working

Re: WebVPN Clientless SSL VPN to intranet website - links to external sites are not working

Re: WebVPN Clientless SSL VPN to intranet website - links to external sites are not working