ASA WebVPN Questions

zhenningx
Level 4

Hello,

I am testing an ASA5540 running ver 7.1(1). I have got two problems:

1. Once I enabled the webtype ACL and port forwarding together, the port forwarding application stopped working. When I disabled the webtype ACL, port forwarding just works fine. I tried the following applications: SSH, RDP and FTP. The relevant part of my running configuration is below:

access-list 1 webtype deny url http://www.yahoo.com
access-list 1 webtype permit url any
port-forward RDP_Test ssh x.x.x.x ssh SSH Test
port-forward RDP_Test ftp x.x.x.x ftp FTP Test
port-forward RDP_Test 1089 x.x.x.x 3389
group-policy WebvpnGroupPolicy1 internal
group-policy WebvpnGroupPolicy1 attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing port-forward filter
  filter value 1
  port-forward value RDP_Test

2. I tried to set up the SSL VPN client. When the client browser was installing the SVC software, I got the following error message:

An error has been found in the VPN server certificate. Certificate received is signed by an untrusted certificate authority.

I am not sure what caused this problem. Do I need to install anything in my local Trusted Root Certification Authorities Store for SSL VPN Client?

Thank you for your comments!

Dennis

3 Replies

gfullage
Cisco Employee

1. This would be expected behaviour I believe. With the "filter" option on the "functions" command line you're saying that you want the specified filter to be applied to all those functions. However, your filter/ACL only allows access to URLs, because there is always an implicit "deny everything" at the end of any type of ACL. If you want to also allow SSH, FTP, etc. through, then you need to add that to the end of the same ACL, so something like this should work for you:

access-list 1 webtype deny url http://www.yahoo.com
access-list 1 webtype permit url any
access-list 1 webtype permit tcp any

This will have the same effect of filtering out yahoo.com, but will allow everything else after that.

2. This is also expected. When you see this error you can save the certificate off to a file on your PC, then open it up and install it into the certificate store on your machine. The next time you use WebVPN you shouldn't see this error. The message is simply telling you that it received a certificate from the ASA that it doesn't know whether it should trust or not; you have to tell it to trust it by adding it into your store.
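To make the first-match and implicit-deny behaviour described in the reply above concrete, here is an added example (not from the thread or from Cisco): a toy evaluator that walks a webtype ACL top to bottom, stops at the first matching entry, and falls through to an implicit deny. It assumes that "url" entries match only clientless browser URL requests while port-forwarding sessions are matched by "tcp" entries, and the request shapes and sample traffic (the Request class, the "host:port" values) are constructed for illustration, not the ASA's internal representation. It runs the ACL as originally posted and the ACL as suggested in the reply against the same sample traffic.

```python
"""Toy first-match model of an ASA webtype ACL (added example, not Cisco code).

Assumptions: access control entries (ACEs) are evaluated top to bottom, the
first match decides, and every ACL ends with an implicit deny; 'url' ACEs match
only clientless browser URL requests, while port-forwarding sessions are
matched by 'tcp' ACEs. Request shapes and sample values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    kind: str    # "url" or "tcp"
    target: str  # URL prefix, a host for tcp, or "any"


@dataclass(frozen=True)
class Request:
    kind: str    # "url" for a browser request, "tcp" for a port-forward session
    value: str   # full URL, or "host:port" (constructed shape, not ASA syntax)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <name> webtype {permit|deny} {url|tcp} <target>'."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "access-list" or parts[2] != "webtype":
        raise ValueError(f"not a webtype ACE: {line!r}")
    action, kind, target = parts[3], parts[4], parts[5]
    if action not in ("permit", "deny") or kind not in ("url", "tcp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    return Ace(action, kind, target.lower())


def matches(ace: Ace, req: Request) -> bool:
    """A url ACE never matches port-forward traffic, and vice versa."""
    if ace.kind != req.kind:
        return False
    if ace.target == "any":
        return True
    if ace.kind == "url":
        # prefix match on the configured URL string, e.g. http://www.yahoo.com/mail
        return req.value.lower().startswith(ace.target)
    host = req.value.rsplit(":", 1)[0]
    return host.lower() == ace.target


def evaluate(acl: list[Ace], req: Request) -> tuple[str, str]:
    """Return (action, reason) from the first matching ACE, else implicit deny."""
    for idx, ace in enumerate(acl, start=1):
        if matches(ace, req):
            return ace.action, f"ACE {idx}: {ace.action} {ace.kind} {ace.target}"
    return "deny", "implicit deny at end of ACL"


# ACL as posted in the question: URL entries only
ORIGINAL_ACL = [parse_ace(line) for line in (
    "access-list 1 webtype deny url http://www.yahoo.com",
    "access-list 1 webtype permit url any",
)]
# ACL as suggested in the reply: a tcp entry added for port-forwarded apps
FIXED_ACL = ORIGINAL_ACL + [parse_ace("access-list 1 webtype permit tcp any")]

# Constructed sample traffic: two browser URLs and two port-forward sessions
SAMPLE_REQUESTS = {
    "yahoo": Request("url", "http://www.yahoo.com/mail"),
    "other_site": Request("url", "https://intranet.example/"),
    "ssh_forward": Request("tcp", "x.x.x.x:22"),
    "rdp_forward": Request("tcp", "x.x.x.x:3389"),
}


def decide_all(acl: list[Ace]) -> dict[str, str]:
    """Map each sample request name to the action the ACL yields."""
    return {name: evaluate(acl, req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for name, req in SAMPLE_REQUESTS.items():
            action, reason = evaluate(acl, req)
            print(f"{label:8} {name:12} {action:6} ({reason})")
```

With the original ACL the two port-forward sessions reach the end of the list without matching any "url" entry and are dropped by the implicit deny, which is exactly the symptom in the question; with the "permit tcp any" entry appended they are permitted while the yahoo.com deny still takes effect because it is matched first.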

bhatok
Level 1

Did you ever get part 2 resolved? I'd like to make this message go away if possible. I installed the cert to my trusted root CA store on my PC but I still get the 2 messages with warnings that make me view the cert then accept it.

This is the single biggest problem we face with the SSL VPN SVC deployment. Different browsers, or even browsers with different settings, will act differently for this certificate. This is not covered in the documentation at all.

(on my soapbox)

In my opinion, the actual expected browser settings need to be documented by Cisco, or SSL VPN SVC will not succeed in the marketplace.

(off my soapbox)

We will be purchasing a certificate to get around part of this (the address not matching the device name and the certificate being from an untrusted source).

But browser settings can still make the certificate hard to import, and each Cisco customer deploying SSL VPN SVC ends up trying to document this horror show themselves.

(on my soapbox)

Cisco could easily provide sample documentation to make deployment much easier.

Documentation is an essential part of the product.

(off my soapbox).

=seymour=
