I am testing ASA5540 ver 7.1(1). I have got two problems:
1. Once I enabled a webtype ACL and Port Forwarding together, the port forwarding application stopped working. When I disabled the webtype ACL, port forwarding just worked fine. I tried the following applications: SSH, RDP and FTP. I have some running configuration about this part below:
1. This would be expected behaviour I believe. With the "filter" option on the "functions" command line you're saying that you want the specified filter to be applied to all those functions. However, your filter/ACL only allows access to URLs, because there is always an implicit "deny everything" at the end of any type of ACL. If you want to also allow SSH, FTP, etc. through, then you need to add that to the end of the same ACL, so something like this should work for you:
This will have the same effect of filtering out yahoo.com, but will allow everything else after that.
2. This is also expected. When you see this error you can save the certificate off to a file on your PC, then open it up and install it into the certificate store on your machine. The next time you use WebVPN you shouldn't see this error. The message is simply telling you that it received a certificate from the ASA that it doesn't know if it should trust or not; you have to tell it to trust it by adding it into your store.
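An added illustration of the approach described in point 1 above (this is example configuration written for this page, not the answerer's or the original poster's running config): a single webtype ACL that blocks the unwanted URL, still permits other URL entry, and explicitly permits the internal TCP services that port forwarding needs, then bound to the group policy with "filter value". The ACL name, the internal host 10.1.1.10 and the exact webtype syntax are assumptions; check them against the command reference for your ASA release.

```cisco
! Constructed example: one webtype ACL used as the WebVPN filter.
! The implicit deny at the end is what silently broke port forwarding
! when the ACL contained url entries only.
access-list WEBVPN-FILTER webtype deny url http://*.yahoo.com/* log
access-list WEBVPN-FILTER webtype deny url https://*.yahoo.com/* log
!
! Explicit permits for the port-forwarded services (SSH, FTP, RDP)
! to the internal host; without these the implicit deny drops them.
access-list WEBVPN-FILTER webtype permit tcp host 10.1.1.10 eq 22
access-list WEBVPN-FILTER webtype permit tcp host 10.1.1.10 eq 21
access-list WEBVPN-FILTER webtype permit tcp host 10.1.1.10 eq 3389
!
! Everything else that is URL-based stays allowed.
access-list WEBVPN-FILTER webtype permit url any
!
! Bind the filter to the WebVPN group policy alongside the functions
! it applies to (url-entry and port-forward here).
group-policy WEBVPN-GP attributes
 webvpn
  functions url-entry port-forward filter
  filter value WEBVPN-FILTER
```

Verify with "show access-list WEBVPN-FILTER" that the hit counts on the tcp entries increase when a port-forwarded session is started; if only the deny entries count, the permits are not matching the destination the client is actually connecting to.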
Did you ever get part 2 resolved? I'd like to make this message go away if possible. I installed the cert to my trusted root CA store on my PC but I still get the 2 messages with warnings that make me view the cert then accept it.
This is the single biggest problem we face with the SSL VPN SVC deployment. Different browsers, or even browsers with different settings, will act differently for this certificate. This is not covered in the documentation at all.
(on my soapbox)
In my opinion, the actual expected browser settings need to be documented by Cisco, or SSL VPN SVC will not succeed in the marketplace.
(off my soapbox)
We will be purchasing a certificate to get around part of this (the address not matching the device name and the certificate being from an untrusted source).
But browser settings can still make the certificate hard to import, and each Cisco customer deploying SSL VPN SVC ends up trying to document this horror show themselves.
(on my soapbox)
Cisco could easily provide sample documentation to make deployment much easier.
Documentation is an essential part of the product.