itsecurity mk
Beginner

Problem in Configuring WEBVPN on cisco ASA5510

Kindly help in configuring WebVPN on a Cisco ASA 5510 with IOS 8.0(2).

Note: interface Ethernet0/0 IP address 192.168.10.10 is NATed to public IP 213.42.x.x on the core firewall, which is connected to the ISP.

Below is the running config:

ciscoasa# sh running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.10.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.12.12 255.255.255.0
!

!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 104 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 104 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
webvpn
 enable outside
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy VPN-TEST-GRP internal
group-policy VPN-TEST-GRP attributes
 dns-server value 192.168.12.4
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
group-policy VPN internal
username khan password Af47yOOFe80n.V9z encrypted privilege 15
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#

Any kind of help is appreciated.

6 REPLIES

Hello,

Here you can find a configuration guide for clientless configuration. Also make sure to disable AnyConnect Essentials if it is enabled, because WebVPN does not work along with it. Also, when you try to connect from the outside, use the public IP address that the ISP has assigned to your ASA.

Let me know if that configuration guide is not that clear, since they were using a really old ASA version.

Please don't forget to rate and mark as correct the helpful post!

David Castro,

Thanks,

Hi David Castro,

Thanks for the reply. I am getting the error below; also check the attached print screen of the error while accessing the public IP from outside.

ciscoasa(config-webvpn)# url-list ServerList "FOCUS_SRV_1" https://192.168.12.4
INFO: This command has been deprecated.

Check the running config below:

ciscoasa# sh running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.10.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.12.12 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 213.42.20.20
 name-server 192.241.229.222
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
webvpn
 enable outside
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
username mphone password LmaAMiSap4sM9qfb encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GroupPolicy1
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#

Hello,

The group URL goes under the tunnel group.

On this link you can find the commands for ASA version 8.0:

- http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/vpngrp.html#wpxref71863

For example:

tunnel-group <name> type webvpn
tunnel-group <name> webvpn-attributes
 group-url https://XXXXXX enable

XXXXXX --> has to be the public IP address, not the private IP address.

Make sure the translation from private to public is fine!

Also access the address with https --> https://213.42.233.97/

Connect from the outside and analyze the NAT statements if necessary.

Please don't forget to rate and mark as correct the helpful posts!

David Castro,

Regards,

Hi David Castro,

I am getting the same error; please check the config below.

ciscoasa# sh running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.10.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.12.12 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 213.42.20.20
 name-server 192.241.229.222
access-list 104 extended permit esp any any
access-list 104 extended permit icmp any any
access-list 104 extended permit udp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 104 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
webvpn
 enable outside
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
username mphone password LmaAMiSap4sM9qfb encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GroupPolicy1
tunnel-group mphone type remote-access
tunnel-group mphone webvpn-attributes
 group-url https://213.42.233.97 enable
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#

Hi,

If you are still getting the same error, go ahead and enable WebVPN on the inside, open the browser on your side of the network, and browse to the private IP address on the inside interface using HTTPS.

webvpn
 enable inside

If this works, you are having issues with the translation now.

Let me know if this worked so we can isolate this!

David Castro,

Regards,

Hi David,

I am sorry for the delayed response. I can access the WebVPN from inside, so please check the core firewall config and let me know whether there is any IP NAT issue or not, because from outside I cannot access WebVPN.

ASA Version 7.0(6)
!
hostname BKASA
enable password ksl/OIxVJ.ZK/5nw encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 10
 nameif OUTSIDE
 security-level 0
 ip address 213.42.x.x 255.255.x.x
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.12 255.255.255.0

dns domain-lookup OUTSIDE
dns domain-lookup inside

access-list 104 extended permit tcp any 213.42.x.x 255.255.255.240 eq 1433
access-list 104 extended permit tcp any 213.42.x.x 255.255.255.240 eq 5632
access-list 104 extended permit tcp any 213.42.x.x 255.255.255.240 eq pcanywhere-data
access-list 104 extended permit tcp any 213.42.x.x 255.255.255.240 eq www
access-list 104 extended permit tcp any 213.42.x.x 255.255.255.240 eq 8080
access-list 104 extended permit tcp any 213.42.x.x 255.255.255.240 eq telnet

access-list 104 extended permit tcp any 213.42.x.x 255.255.255.240 eq ssh
access-list 104 extended permit tcp any 213.42.x.x 255.255.255.240 range ftp-data ftp
access-list 104 extended permit esp any any
access-list 104 extended permit icmp any any
access-list 104 extended permit udp any any

pager lines 24
mtu OUTSIDE 1500
mtu inside 1500
no asdm history enable
arp timeout 14400

global (OUTSIDE) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,OUTSIDE) 213.42.233.97 192.168.10.10 netmask 255.255.255.255 // here it is NATed to the public IP

access-group 104 in interface OUTSIDE


http server enable
http 192.168.14.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside

telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:ec585e2120bdbd6cb267bb1896968933
: end
BKASA#
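As an added example, not part of the thread, here is a small Python checker that parses an ASA-style extended ACL and evaluates a flow against it with first-match semantics and the implicit deny, so a posted core-firewall ACL like 104 can be checked offline: that list permits www, 8080, telnet, ssh, ftp, esp, icmp and udp to the NATed range but contains no entry for TCP/443, the port a browser uses to reach the WebVPN portal over HTTPS. The ACL text below is a constructed copy of that shape; 203.0.113.96/28 and 203.0.113.97 are stand-ins for the public addresses the post elides.

```python
import ipaddress
# Constructed sample ACL, modelled on the shape of the core firewall's ACL 104 in the thread.
# The post elides the real subnet ("213.42.x.x"), so 203.0.113.96/28 (RFC 5737 TEST-NET-3)
# stands in for it, and 203.0.113.97 stands in for the static-NAT'd WebVPN address.
SAMPLE_ACL = """
access-list 104 extended permit tcp any 203.0.113.96 255.255.255.240 eq www
access-list 104 extended permit tcp any 203.0.113.96 255.255.255.240 eq 8080
access-list 104 extended permit tcp any 203.0.113.96 255.255.255.240 eq ssh
access-list 104 extended permit tcp any 203.0.113.96 255.255.255.240 range ftp-data ftp
access-list 104 extended permit esp any any
access-list 104 extended permit icmp any any
access-list 104 extended permit udp any any
"""

# Service keywords the ASA accepts in place of port numbers (the subset needed here)
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "telnet": 23, "ftp": 21, "ftp-data": 20}

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(tokens):
    # One ASA address spec: 'any' or 'A MASK'; returns (network, leftover tokens)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text, name):
    """Parse the 'access-list <name> extended ...' lines into an ordered list of rules."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[1] != name or t[2] != "extended":
            continue
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        lo, hi = 0, 65535                      # no port qualifier: every port matches
        if rest and rest[0] == "eq":
            lo = hi = _port(rest[1])
        elif rest and rest[0] == "range":
            lo, hi = _port(rest[1]), _port(rest[2])
        rules.append((t[3], t[4], src, dst, lo, hi))   # (action, protocol, src, dst, lo, hi)
    return rules

def permitted(rules, proto, src, dst, dport=0):
    """First-match evaluation, ending in the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, lo, hi in rules:
        if rproto in (proto, "ip") and s in rsrc and d in rdst and lo <= dport <= hi:
            return action == "permit"
    return False
```

On a real config, paste the access-list lines into the text and call permitted(parse_acl(text, "104"), "tcp", client_ip, public_ip, 443) to see whether the HTTPS flow to the WebVPN address is allowed.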