02-24-2012 03:29 AM
Hi,
I'm trying to set up WebVPN; however, no matter what I try, I cannot reach the HTTPS/VPN page from outside my network to sign in to the ASA.
Setup is fairly simple - inside 10.0.0.0 for devices / outside PPPoE to modem
No matter what I try, I cannot get a response from the HTTPS server on the outside.
Thanks in advance
Sam
SH RUN
**********************************
ASA Version 8.4(2)
!
hostname CiscoASA-01
domain-name name.ext
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 4
shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address pppoe setroute
!
interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 172.16.1.1 255.0.0.0
!
interface Vlan4
nameif management
security-level 100
ip address 192.168.1.101 255.255.255.0
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name domain.ext
same-security-traffic permit intra-interface
object network insidepc
host 10.0.0.20
object service Microsoft_RDP
service tcp destination eq 3389
description Remote Desktop Access
object network ASA
host 10.0.0.1
object service VPN_https
service tcp source eq https destination eq https
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp-udp destination eq www
service-object object VPN_https
service-object tcp destination eq https
object-group service Mystery tcp
port-object eq 58627
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object tcp-udp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp destination eq www
service-object tcp destination eq https
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in extended permit object Microsoft_RDP any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_3 any any
access-list outside_access_out extended permit object Microsoft_RDP object insidepc interface outside
pager lines 24
logging enable
logging buffered warnings
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,any) source static any any destination static interface insidepc service Microsoft_RDP Microsoft_RDP
nat (inside,outside) source static any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=CiscoASA-01
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate ba9a424f
30820254 308201bd a0030201 020204ba 9a424f30 0d06092a 864886f7 0d010105
0500303c 31143012 06035504 03130b43 6973636f 4153412d 30313124 30220609
2a864886 f70d0109 02161543 6973636f 4153412d 30312e6c 7973746f 722e6575
301e170d 31323032 32313139 33343331 5a170d32 32303231 38313933 3433315a
303c3114 30120603 55040313 0b436973 636f4153 412d3031 31243022 06092a86
4886f70d 01090216 15436973 636f4153 412d3031 2e6c7973 746f722e 65753081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100dc 9449e0bf
c8f565b5 9cfb66db 9006a4bc 50bcf44e d38bfdb4 b81c990e 1c35f0ef e283b530
0d1854e7 6561293f 4b4115a9 beff4668 e318fe14 564dfa65 4a11d973 da4409f6
08387755 615c7151 7191a09f f1c0b5a8 49ee71b1 44243fde 9381f916 cbe1d102
2b76b58d 247e7a89 38750a3f b25f604d 376409c4 5a182d8a 632e1b02 03010001
a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04
04030201 86301f06 03551d23 04183016 8014d086 194ecf03 46f66324 08d0e51d
04b37c82 66ea301d 0603551d 0e041604 14d08619 4ecf0346 f6632408 d0e51d04
b37c8266 ea300d06 092a8648 86f70d01 01050500 03818100 11ad656d aa744314
6e761b1b de5c42cd d0c692e2 88da9710 986cf206 4555d1ef 805225be f00a1c89
24f0368a 838e9c32 54e3c39e 0d4e4859 81ecc51f 56725036 e5ad8e10 2aa37bb8
ab6982b9 e0a8b6e3 01e4d3aa 1814bbfa b6e55cc1 049971ed 6ddc9340 7ebd0709
2c109a6a f2b25500 c05cb378 68a83a3c b9a197ae 3db3add3
quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group BT request dialout pppoe
vpdn group BT localname user@isp
vpdn group BT ppp authentication chap
vpdn username user@isp password xxx store-local
dhcpd address 10.0.0.50-10.0.0.128 inside
dhcpd dns 10.0.0.10 8.8.8.8 interface inside
dhcpd wins 10.0.0.10 interface inside
dhcpd domain name.ext interface inside
dhcpd enable inside
!
dhcpd address 172.16.1.2-172.16.1.10 DMZ
dhcpd dns 8.8.8.8 interface DMZ
dhcpd enable DMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect enable
group-policy Name_WebVPN internal
group-policy Name_WebVPN attributes
vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
url-list value name.ext
username sName password bfIwO7SMJhE/ekQm encrypted privilege 0
username sName attributes
vpn-group-policy Name_WebVPN
tunnel-group DefaultL2LGroup general-attributes
default-group-policy Name_WebVPN
tunnel-group DefaultRAGroup general-attributes
default-group-policy Name_WebVPN
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy Name_WebVPN
tunnel-group Name_WebVPN type remote-access
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:316091bfa8ba73dce98b48cccdec1f22
: end
02-24-2012 04:21 AM
Sam,
Can you post a 'sh ip address'? In your config for Vlan2 you tell it to use a group called ISP, but your group is called BT.
Matt
02-24-2012 04:35 AM
Hi Matt,
Sorry, that's me just changing words before I posted the config to the net!
The group is indeed BT - PPPoE to the outside works fine, and all the devices can contact the internet OK.
Sam
02-24-2012 12:01 PM
Assuming your routing is right via PPPoE, I'd guess you can't use that cert for both IKEv2 and SSL.
Try generating a new trustpoint/cert and referencing that in your webvpn config (don't mess with ASDM_TrustPoint0 if that has working IKEv2).
Better yet, do a 'debug crypto ca 255' when you try to connect and see if you are getting any SSL errors. If so, then generate a new trustpoint/cert and reference it in webvpn.
--Jason
02-26-2012 04:20 AM
I generated a new cert using a new trustpoint. I then went through the wizard again, but it still doesn't work.
Using the debug crypto command doesn't show anything in the buffer or console log.
I would wipe the ASA and start afresh, but I've already done this once and it still doesn't work!!
:-/
Thanks
Sam
02-27-2012 09:51 AM
Sam,
I would run a packet capture to see if port 443 packets are making it to the interface. If so, run a 'debug webvpn 255' to see what, if anything, is going on when the packets hit the ASA.
--Jason
02-28-2012 12:58 AM
Hi Jason,
Thanks for the suggestion. I started afresh and created a new cert via the command line. WebVPN now works on the inside interface, so I can verify that the self-signed cert appears to be working OK.
debug webvpn 255 shows activity when I access it from inside, but nothing when tried externally.
I have also changed the port to 8000; however, this makes no difference. I'm starting to suspect that it's my modem that's interfering, but I can't see how, considering I have no other connection issues.
Sam
Edit: I monitored the comms between the client PC and my ASA with Wireshark.
The grey packets are where the request to the site started. The first 4 are with IE6, and the second with FF10.
03-16-2012 07:11 AM
I've still yet to get this to work, so I think I will just try to go down the AnyConnect route instead.
The only thing I have concluded is that the ASA is treating incoming 443 traffic as an attempt to connect to an internal source. If I leave the ACL off for 443 (I just had it on for a test), I can see traffic hitting the firewall on that port from the client PC I am using on another network. If I turn the ACL back on, it doesn't register any further activity.
I have checked that the ASA is set to bypass ACLs for inbound Clientless SSL connections.
My other thought is that it could be that I still have 256 MB of RAM in the ASA, and that is affecting it in some way. I had to go back from 512 MB to 256 MB a while back, as it seems that the stick of 512 MB I was using was far too unstable and it caused the ASA to crash every day.
Has anyone any other thoughts on this issue?
Thanks
Sam
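Added example (not from the thread or from any poster): a small linter over the kind of running-config posted above. It encodes the best-known ASA 8.3+ manual-NAT pitfall that matches Sam's observation that the ASA "treats incoming 443 traffic as an attempt to connect to an internal source": a manual NAT rule of the form `source static any interface` is bidirectional, so packets arriving on the outside interface addressed to its own IP are un-translated toward inside hosts and never terminate on the ASA's own WebVPN or ASDM listener, whereas outbound PAT is expressed with `source dynamic any interface`. The thread never confirms that this is Sam's root cause; it is an assumption here. The other two checks are hygiene findings visible in the posted config (RDP permitted inbound from any source, http/telnet management open to 0.0.0.0/0). `SAMPLE_CONFIG` is a constructed subset of the posted lines, flush-left like the paste, so the parser deliberately ignores indentation.

```python
"""Lint an ASA 8.3+ running-config for settings that break or weaken WebVPN.

Added example, not from the thread. Runs over a constructed subset of the
posted config and reports:
  NAT-STATIC-ANY  'nat (X,Y) source static any interface'. Static manual NAT is
                  bidirectional, so packets arriving on Y addressed to Y's own IP
                  are translated toward inside hosts instead of terminating on
                  the ASA; services the ASA hosts on Y (WebVPN, ASDM) never see
                  them. Outbound PAT is 'source dynamic any interface'.
  ACL-ANY-SRC     inbound permit from 'any' on a security-level 0 interface
  MGMT-OPEN       http/telnet management allowed from 0.0.0.0/0
Indentation is ignored because pasted configs usually lose it.
"""
from __future__ import annotations

import re
from collections import defaultdict

NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source "
    r"(?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
)
ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended permit (?P<rest>.+)$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) (?P<dir>in|out) interface (?P<iface>\S+)$")
MGMT_RE = re.compile(
    r"^(?P<proto>http|telnet|ssh) (?P<net>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+\.\d+\.\d+\.\d+) (?P<iface>\S+)$"
)

# Constructed sample: the lines of the posted config that the checks care about.
SAMPLE_CONFIG = """\
interface Vlan1
nameif inside
security-level 100
interface Vlan2
nameif outside
security-level 0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object Microsoft_RDP any any
nat (outside,any) source static any any destination static interface insidepc service Microsoft_RDP Microsoft_RDP
nat (inside,outside) source static any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
http server enable
http 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside
webvpn
enable outside
anyconnect enable
"""


def lint(config: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings for a running-config text."""
    security: dict[str, int] = {}               # nameif -> security-level
    acl_rules: dict[str, list[str]] = defaultdict(list)
    bindings: list[tuple[str, str, str]] = []   # (acl, direction, nameif)
    webvpn_ifaces: set[str] = set()
    static_any: list[tuple[str, str]] = []      # (mapped interface, offending line)
    findings: list[tuple[str, str]] = []
    current_if: str | None = None

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current_if = None                   # nameif follows inside the block
        elif line.startswith("nameif "):
            current_if = line.split()[1]
        elif line.startswith("security-level ") and current_if:
            security[current_if] = int(line.split()[1])
        elif line.startswith("enable ") and line.split()[1] != "password":
            webvpn_ifaces.add(line.split()[1])  # 'enable <nameif>' only occurs under webvpn
        elif (m := NAT_RE.match(line)):
            if m["kind"] == "static" and m["real"] == "any" and m["mapped"] == "interface":
                static_any.append((m["mapped_if"], line))
        elif (m := ACL_RE.match(line)):
            acl_rules[m["name"]].append(m["rest"])
        elif (m := GROUP_RE.match(line)):
            bindings.append((m["name"], m["dir"], m["iface"]))
        elif (m := MGMT_RE.match(line)):
            if m["proto"] in ("http", "telnet") and m["net"] == m["mask"] == "0.0.0.0":
                findings.append(("MGMT-OPEN",
                                 f"{line!r}: {m['proto']} management open to any address on '{m['iface']}'"))

    # Evaluated after the pass because 'webvpn' normally comes later in the config than 'nat'.
    for iface, line in static_any:
        detail = f"{line!r}: static NAT is bidirectional; use 'source dynamic any interface' for PAT"
        if iface in webvpn_ifaces:
            detail += f"; WebVPN is enabled on '{iface}', so TCP/443 to its address is diverted inside"
        findings.append(("NAT-STATIC-ANY", detail))

    for acl, direction, iface in bindings:
        if direction == "in" and security.get(iface) == 0:
            for rest in acl_rules[acl]:
                if rest.split()[-2:] == ["any", "any"]:   # '<proto|object X> any any'
                    findings.append(("ACL-ANY-SRC",
                                     f"{acl}: 'permit {rest}' on '{iface}' admits any Internet source"))
    return findings


if __name__ == "__main__":
    for code, detail in lint(SAMPLE_CONFIG):
        print(f"{code:15} {detail}")
```

To confirm or rule out the NAT hypothesis on the box itself, `packet-tracer input outside tcp 203.0.113.5 40000 <outside address> 443` (203.0.113.5 is a placeholder source) shows which NAT rule a synthetic inbound packet matches and whether it is handed to the WebVPN listener or forwarded toward an inside host; that is the on-device counterpart of the capture Jason suggested.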