We have mail servers at primary/secondary site; if the primary site is down, we want the URL on the ASA to go to the secondary location. We kind of know how to do a script to do redirects but do not know where/how to invoke the script on the ASA for WebVPN. Anyone done anything like this? Thanks.
On the ASA for WebVPN, when users select an entry, we want to check to see if our primary or secondary service is up and, based on let's say a ping result, we want to direct users to a specific URL based on the results of the script. So here are the URL statements in our ASA:
tunnel-group SSLWEBVPN webvpn-attributes
group-url https://email.health.state.ny.us enable
group-url https://email.health.state.ny.us/latsweb enable
group-url https://email.health.state.ny.us/password enable
If we wanted to run a script (sample that our Cisco local supplied us is below) to redirect, how would we do that on the ASA?
use strict;
use warnings;
use CGI qw(:standard);
# === some ping or up/down checking logic here ===
my $obj = CGI->new;   # CGI object used to emit the redirect header
Reply posted 04/02/2010 01:56 in the discussion thread "How to use script to redirect traffic on ASA?"
Author : trippi
Profile : https://supportforums.cisco.com/people/trippi
The Cisco ASA has no scripting capability built into the O/S; you will need to use a load balancer like the Cisco CSS or ACE appliances on the back-end. These devices can do a much more secure job of enabling the functionality you're looking for. They can provide instant fail-over without compromising your security posture. Developing a scripting solution to provide this functionality will take many hours of development and testing. Integrating a load balancer solution will allow the group-url on the ASA to stay the same, and the fail-over would be handled on the back-end. These devices have scripting capability and support many methods of application state awareness. A ping request alone to check the status of your email application may not give a proper state indication: the service may be stopped yet the server may be running and respond to ping requests. Suggested load balancer topology:
If you would still like to pursue a scripting solution I would suggest the following topology:
If you have an automated way of indicating when your mail server or service is unavailable, you may be able to use SecureCRT from VanDyke Software and write a VBScript that will log in to the ASA via SSH and reconfigure WebVPN for the secondary mail site. For security reasons I do not recommend that you do this: an automated process may have undesired results, and placing administrative credentials within a script is never a good idea! However, if the system owner is willing to accept the risk, here are the steps to accomplish this:
1. Backup your configuration using ASDM Tools [menu]/Backup Configurations/Backup All and save to your management workstation. (encrypting these files is a good idea)
2. You will also need a backup of the original url-list file that will be saved on the ASA's flash file system. This file will be used to reset the WebVPN users' url-list to the primary mail server. To do this just use the CLI interface to export the links: export webvpn url-list Users-Links Users-Links
(To see all of the url-lists currently on your ASA type: export webvpn url-list ? at the CLI)
3. Verify the export to flash by typing in dir at the CLI. You should see the Users-Links file in the list.
4. Now you will make a copy of the original url-list file that will be used to create the secondary mail server WebVPN url change. This file will be used to set the WebVPN users' url-list to the secondary mail server. To do this just use the CLI interface to export the links: export webvpn url-list Users-Links Users-Links-SecondaryMail
5. Verify the export by typing in dir at the CLI. You should see the Users-Links and Users-Links-SecondaryMail files in the list.
6. Now from the ASDM Configuration [tab] > Remote Access VPN > Client SSL VPN Access > Portal > Bookmarks page click the "Import" button. Type "Users-Links-SecondaryMail" in the Bookmark List Name and select the Flash file system option, then click the "Browse Flash" button. Find the "Users-Links-SecondaryMail" file and select it. Click the "OK" button and then the "Import Now" button. You should get an "Entry Users-Links-SecondaryMail has been successfully imported" message. Click "OK".
7. From the same ASDM Configuration [tab] > Remote Access VPN > Client SSL VPN Access > Portal > Bookmarks page select the new "Users-Links-SecondaryMail" bookmarks, click on the "Edit" button and make any URL changes for the secondary mail server links. Click "OK", then "Apply". This will save your changes.
8. Stay on the ASDM Configuration [tab] > Remote Access VPN > Client SSL VPN Access > Portal > Bookmarks page and make sure the Users-Links-SecondaryMail bookmarks are still selected. Click the "Export" button. Select Flash file system and click "Browse Flash", find the "Users-Links-SecondaryMail" file and select it. Click "OK"; you will get a "File Already Exists, do you want to overwrite it?" message. Click "OK", then click "Export Now". You should get an "Entry Users-Links-SecondaryMail has been successfully exported" message. Click "OK".
You have now created the needed files for the VBscript to use.
Read pages 21-23 of the "Scripting Essentials"; it will explain how to automate the script execution.
Your script can run from a .cmd or .bat file and should send the following commands to the ASA via SSH:
Any ASA commands can be added to your scripts.
This example is based on a Windows O/S running on the management workstation; it could easily be Linux, etc.
Do not test this on a production device. Do all development and testing in a lab...
Remember to backup your config!
Hope this helps,
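As an added example, not code from this thread or from Cisco, the site-selection part of the poster's redirect script written against trippi's caveat: it probes the mail web endpoint over HTTPS rather than pinging the host, so a server that still answers ICMP with the mail service stopped is treated as down. The hostnames are constructed placeholders, and the probe is injectable so the selection logic can be exercised without network access.

```python
"""Pick the mail site to redirect WebVPN users to, based on an
application-layer health check instead of a bare ping."""
import http.client
import ssl
from urllib.parse import urlparse

# Constructed placeholders; substitute the real primary/secondary OWA URLs.
PRIMARY = "https://mail-primary.example.invalid/owa/"
SECONDARY = "https://mail-secondary.example.invalid/owa/"


def probe_https(url, timeout=3.0):
    """Return True only if the web service answers a HEAD request with a
    2xx/3xx status. A host whose mail service is stopped may still answer
    ping, but it will refuse or fail this connection."""
    u = urlparse(url)
    conn = http.client.HTTPSConnection(
        u.hostname, u.port or 443, timeout=timeout,
        context=ssl.create_default_context())
    try:
        conn.request("HEAD", u.path or "/")
        status = conn.getresponse().status
        return 200 <= status < 400
    except (OSError, http.client.HTTPException):
        # DNS failure, refused connection, TLS error, timeout, bad response
        return False
    finally:
        conn.close()


def choose_site(primary, secondary, probe=probe_https):
    """Return (target_url, reason). Prefers the primary site, falls over to
    the secondary, and returns None when neither site is healthy so the
    caller fails closed instead of redirecting users to a dead site."""
    if probe(primary):
        return primary, "primary healthy"
    if probe(secondary):
        return secondary, "primary down, failover to secondary"
    return None, "both sites down"


def redirect_response(target):
    """Build the CGI response (header block) the redirect script emits."""
    if target is None:
        return ("Status: 503 Service Unavailable\r\n"
                "Content-Type: text/plain\r\n\r\n"
                "Mail service is currently unavailable.\r\n")
    return f"Status: 302 Found\r\nLocation: {target}\r\n\r\n"


if __name__ == "__main__":
    site, why = choose_site(PRIMARY, SECONDARY)
    print(redirect_response(site), end="")   # CGI output; reason to stderr in practice
```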