ASA Clientless SSL VPN can't access login pages on websites


When I'm doing a clientless SSL VPN to my ASA and using the ASA to browse websites, I can pretty much go on to just about any website except specifically login websites. I can go on Google and Yahoo, but when I click the "mail" button it just gives me an error message: "Connection Failed - Server (site name) unavailable." When I go onto, it says server unavailable. When I browse by entering Hotmail's IP address in, it says "Bad Request." Same happens on eBay, YouTube, etc. Funny thing is, the ONLY login page I can get onto is Cisco's website's login page. I tried changing DNS servers, nothing changed. Here is my configuration:

show run

: Saved


ASA Version 8.4(4)1


hostname PatG


enable password aDvdtQE/ih5t061i encrypted

passwd 2KFQnbNIdI.2KYOU encrypted



interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute


boot system disk0:/asa844-1-k8.bin

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group Comcast



dns server-group DefaultDNS




object network obj_any


pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649-103.bin

no asdm history enable

arp timeout 14400


object network obj_any

nat (inside,outside) dynamic interface

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server Remote1 protocol radius

aaa-server Remote1 (inside) host

key *****

radius-common-pw *****

user-identity default-domain LOCAL

aaa authentication ssh console Remote1

aaa authentication http console Remote1 LOCAL

http server enable

http inside

http outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh inside

ssh outside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd domain

dhcpd auto_config outside

dhcpd option 150 ip


dhcpd address inside

dhcpd enable inside


threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept


enable outside

tunnel-group-list enable

group-policy Eng internal

group-policy Eng attributes

vpn-tunnel-protocol ssl-clientless


  url-list value EngineerMarks

group-policy RemoteHTTP internal

group-policy RemoteHTTP attributes

vpn-tunnel-protocol ssl-clientless


  url-list value Test

  customization value Extra

username user1 password mbO2jYs13AXlIAGa encrypted privilege 0

tunnel-group Browser type remote-access

tunnel-group Browser general-attributes

authentication-server-group Remote1

default-group-policy RemoteHTTP

tunnel-group TEST type remote-access

tunnel-group TEST general-attributes

authentication-server-group Remote1

default-group-policy RemoteHTTP

tunnel-group TEST webvpn-attributes

group-alias testing enable

group-url enable

tunnel-group Engineering type remote-access

tunnel-group Engineering general-attributes

authentication-server-group Remote1 LOCAL

default-group-policy Eng

tunnel-group Engineering webvpn-attributes

group-alias engineering enable

group-url enable


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect http

policy-map map


service-policy global_policy global

prompt hostname context

no call-home reporting anonymous


profile CiscoTAC-1

  no active

  destination address http                                                                                                                                                             CEService

  destination address email

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

password encryption aes


: end

Can anyone please help me? Thanks
