SSL Clientless WebVPN

mkazam001
Level 3

Can anyone please help with the following, am I missing something?:

I'm trying to establish a ssl clientless vpn connection to an ASA5515 to access the web portal across the internet.

It already has IPsec site to site vpn tunnels on it.

When I put the IP address in the browser - https://IP-ADD, it tries to connect to the portal but just hangs.

I can see the hits increment on the ACE entry when I try to connect, but this was supposed to bypass the ACL as I have the default command sysopt connection permit-vpn, so not sure what's happening there.

Please see test config below:

hostname ASA1
clock set 13:48:00 28 sept 2016
domain-name test.local
crypto key generate rsa label RSA-KEY modulus 1024

crypto ca trustpoint SELF-TRUSTPOINT
 enrollment self
 fqdn asa1.test.local
 subject-name CN=asa1.test.local
 keypair RSA-KEY


crypto ca enroll SELF-TRUSTPOINT [noconfirm]
ssl trust-point SELF-TRUSTPOINT OUTSIDE
wr
 
group-policy CLIENTLESS-GP internal
group-policy CLIENTLESS-GP attributes
 vpn-tunnel-protocol webvpn

tunnel-group SSL-TUNNEL type remote-access
tunnel-group SSL-TUNNEL general-attributes
 default-group-policy CLIENTLESS-GP
 
dns server-group DefaultDNS     (not using this for now as it's not needed to access the logon page)
 domain-name test.org
 name-server LAN-DNS-IP-ADD
 
tunnel-group SSL-TUNNEL webvpn-attributes
 group-url https://asa1.test.local/SSL-TUNNEL enable

username user1 password cisco1
webvpn
 enable OUTSIDE
wr

19 Replies

Hello,

not sure which ASA version you are using, but for SSL Clientless WebVPN access, the 'vpn-tunnel-protocol' configured under your group policy should be 'ssl-clientless':

group-policy CLIENTLESS-GP internal
group-policy CLIENTLESS-GP attributes
--> vpn-tunnel-protocol ssl-clientless

HTH

ASA ver 9.4(2).

Thanks for the suggestion but it didn't work.

I got the above config from the Cisco ASA all-in-one book btw. Thought I should mention that I can get to the webvpn portal on the inside interface.

This is my first time setting up a clientless SSL vpn on an ASA so might be worth checking the following ACE. The access-list on the Outside interface that increments whenever I try to connect from a browser states:

interface: outside

action: permit

source: our external range of public IP addresses (should this be a single public IP add?)

destination: network range of the LAN on the Inside interface (does this need to be the Outside int add?)

service: tcp/https

Do I need to setup NAT?

Regards, mk

MK,

hard to tell what you are missing, maybe you can have a look at the document below, it is sort of a step by step configuration guide.

The ACL should not take any hits since you have 'sysopt connection permit-vpn' configured (it is on by default actually)...

http://www.techrepublic.com/blog/data-center/clientless-ssl-vpn-remote-access-set-up-guide-for-the-cisco-asa/

Thanks for the advice but that config is not what I'm after. 

I've made some progress now and I can connect to the web portal on the Inside interface & the problem on the Outside interface is that it is listening on dtls port 443 but not ssl port 443, hence I can't connect via the browser which is also using ssl port 443 - https.

Regards, mk

MK,

DTLS listening on port 443 is actually the default. Try changing it to e.g. 444 and see if your browser clients can connect on port 443 then:

ciscoASA(config)#webvpn

ciscoASA(config-webvpn)# dtls port 444

Thank you for this, I will try it when I get back to work on Tuesday.

I will let you know what happens.

Regards

Hello,

I did some research, and it looks like most browsers have turned off SSL by default because of security risks. The document below shows how you can enable SSL for various browsers (it actually tells you how to turn it off, so e.g. in Internet Explorer, just check the options for SSL as shown instead of unchecking them).

This is just to check if your clientless clients can connect then. 

https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/

Thanks again, so firstly, I checked that all the SSL versions were enabled on the browser & they were. Secondly, I changed only the dtls port to 444 but it still doesn't show SSL 443. Thirdly, as you can see from the output below, it didn't take the command to disable dtls:

CiscoASA(config)# webvpn
CiscoASA(config-webvpn)# svc dtls none
                             ^
ERROR: % Invalid input detected at '^' marker.
CiscoASA(config-webvpn)# svc ?
ERROR: % Unrecognized command
CiscoASA(config-webvpn)# dtls ?

webvpn mode commands/options:
  port  DTLS should listen for connections on the specified port

Hello,

the option 'svc dtls none' (or 'no svc dtls enable', depending on your OS version) needs to be configured under the group:

ASA1(config)# group-policy CLIENTLESS-GP attributes
ASA1(config-group-policy)# webvpn
ASA1(config-group-webvpn)#svc dtls none OR no svc dtls enable

Thanks for the commands, the second one worked on ASA v9.x but still couldn't see SSL listening on 443. When I changed the SSL port to 4444 that worked but still unable to connect to portal via browser.

Just getting client site to check if anything is blocking these ports inbound.

Once this is fixed, would I be correct in thinking we should be able to access our DMZ server once we customise the portal, client-server plugins?

Thank you for your help, much appreciated.

Hello,

I was looking at this again, and something isn't quite right. The default settings you had originally configured should work. Check the document below to see if your browser has issues in combination with the 9.x release you are running:

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html#pgfId-235616

I checked that out & our ASA version is compatible.

Thought I'd share the solution to the SSL port not listening on 443, this was due to a nat exemption entry on the outside interface for the https service.

Unfortunately, the problem still exists for the remote connectivity. I configured another interface on security-level 0 & got the site contact to connect a laptop directly to the ASA & he was able to access the web portal fine.

On site, the ASA outside interface connects to an ISP router (confirmed no ports blocked here) which then connects to some BT equipment (might be an issue here).

Am I right in thinking that for the clientless ssl vpn, we don't need to configure an ACL or NAT on the ASA? 

Is there anything else on an ASA config that might be affecting this?

Unless I get this fixed tomorrow, I'll have to do a site visit on Monday. So, if you have any other ideas, please let me know.

Regards, mk

Hello,

NAT or ACL shouldn't be required, since the incoming connections originate from a public (that is, translated) address anyway.

I am starting to think that the problem is not with the ASA, but with the configuration of an intermediate device.

Not sure if you have, to be sure, checked the troubleshooting proposed by Cisco:

http://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html#anc12

I will investigate further... thank you
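As an added example (not part of this thread, and not anyone's posted configuration), the following Python script parses an ASA running-config and checks the points that came up across the replies: webvpn enabled on the outside interface, a defined trustpoint bound to that interface, ssl-clientless present in the vpn-tunnel-protocol of the tunnel-group's default group-policy, and any NAT rule on the outside interface that references https, which is the NAT exemption the original poster found was stopping the SSL listener on 443. The sample config is constructed from the test config posted at the top of the thread; the NAT line and the interface name OUTSIDE are assumptions for illustration.

```python
"""Lint an ASA running-config for the clientless WebVPN prerequisites discussed in the thread."""
import re
from typing import List, Tuple

Section = Tuple[str, List[str]]

# Constructed sample: the thread's test config plus an assumed NAT exemption for https on OUTSIDE.
SAMPLE_CONFIG = """\
hostname ASA1
domain-name test.local
crypto ca trustpoint SELF-TRUSTPOINT
 enrollment self
 fqdn asa1.test.local
 subject-name CN=asa1.test.local
 keypair RSA-KEY
ssl trust-point SELF-TRUSTPOINT OUTSIDE
group-policy CLIENTLESS-GP internal
group-policy CLIENTLESS-GP attributes
 vpn-tunnel-protocol webvpn
tunnel-group SSL-TUNNEL type remote-access
tunnel-group SSL-TUNNEL general-attributes
 default-group-policy CLIENTLESS-GP
tunnel-group SSL-TUNNEL webvpn-attributes
 group-url https://asa1.test.local/SSL-TUNNEL enable
nat (OUTSIDE,INSIDE) source static any any service tcp https https
webvpn
 enable OUTSIDE
"""

# The same config with the two problems corrected (ssl-clientless keyword, NAT exemption removed).
FIXED_CONFIG = "\n".join(
    line for line in SAMPLE_CONFIG.replace(
        "vpn-tunnel-protocol webvpn", "vpn-tunnel-protocol ssl-clientless"
    ).splitlines()
    if not line.startswith("nat ")
)


def parse_sections(config: str) -> List[Section]:
    """Split an ASA config into (top-level command, [sub-commands]).

    ASA prints sub-commands indented by one space under their parent line;
    this parser relies only on that convention and skips blank/comment lines.
    """
    sections: List[Section] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " ":
            if sections:  # sub-command belongs to the most recent parent
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def subcommands(sections: List[Section], prefix: str) -> List[str]:
    """Collect the sub-commands of every section whose top line starts with prefix."""
    out: List[str] = []
    for top, subs in sections:
        if top.startswith(prefix):
            out.extend(subs)
    return out


def lint_clientless_webvpn(config: str, outside_if: str = "OUTSIDE") -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    tops = [top for top, _ in sections]
    findings: List[str] = []

    # 1. The WebVPN listener must be enabled on the interface clients arrive on.
    if f"enable {outside_if}" not in subcommands(sections, "webvpn"):
        findings.append(f"webvpn is not enabled on {outside_if}")

    # 2. A trustpoint must be bound to that interface, and it must actually be defined.
    bound = [t.split()[2] for t in tops if re.match(rf"ssl trust-point \S+ {outside_if}$", t)]
    if not bound:
        findings.append(f"no 'ssl trust-point <name> {outside_if}' statement")
    elif f"crypto ca trustpoint {bound[0]}" not in tops:
        findings.append(f"trustpoint {bound[0]} bound to {outside_if} is not defined")

    # 3. Every remote-access tunnel-group's default group-policy must allow ssl-clientless.
    for top in tops:
        m = re.match(r"tunnel-group (\S+) type remote-access", top)
        if not m:
            continue
        tg = m.group(1)
        gp = None
        for sub in subcommands(sections, f"tunnel-group {tg} general-attributes"):
            m2 = re.match(r"default-group-policy (\S+)", sub)
            if m2:
                gp = m2.group(1)
        if gp is None:
            findings.append(f"tunnel-group {tg} has no default-group-policy")
            continue
        protos: List[str] = []
        for sub in subcommands(sections, f"group-policy {gp} attributes"):
            if sub.startswith("vpn-tunnel-protocol "):
                protos = sub.split()[1:]
        if "ssl-clientless" not in protos:
            findings.append(
                f"group-policy {gp} vpn-tunnel-protocol '{' '.join(protos) or '(unset)'}' lacks ssl-clientless"
            )

    # 4. A NAT rule on the outside interface that touches https can take TCP/443 away from WebVPN.
    for top in tops:
        if re.match(rf"nat \({outside_if},", top, re.IGNORECASE) and "https" in top:
            findings.append(f"NAT rule on {outside_if} references https: {top}")

    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {lint_clientless_webvpn(cfg) or 'OK'}")
```

Run against the sample it reports the two problems the thread converged on (the vpn-tunnel-protocol keyword and the https NAT rule on the outside interface) and nothing for the corrected config; pass a different `outside_if` if the nameif on the device is not OUTSIDE.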
