
How to use script to redirect traffic on ASA?

jafisher (Level 1)

We have mail servers at a primary/secondary site; if the primary site is down, we want the URL on the ASA to go to the secondary location. We kind of know how to do a script to do redirects but do not know where/how to invoke the script on the ASA for webvpn. Anyone done anything like this? Thanks.

3 Replies

trippi (Level 1)

Can you be a little more specific regarding the 'URL on ASA'?

Hi,

On the ASA for webvpn, when users select an entry, we want to check to see if our primary or secondary service is up and, based on let's say a ping result, we want to direct users to a specific URL based on the results of the script. So here are the URL statements in our ASA:

tunnel-group SSLWEBVPN webvpn-attributes
 customization SSLWebLogin
 group-url https://email.health.state.ny.us enable
 group-url https://email.health.state.ny.us/go/apple.health.state.ny.us/mailjump.nsf enable
 group-url https://email.health.state.ny.us/go/apple.health.state.ny.us/mailjump2.nsf enable
 group-url https://email.health.state.ny.us/go/portal.health.state.ny.us~ssl/https://travel.health.state.ny.us enable
 group-url https://email.health.state.ny.us/gp/portal.health.state.ny.us~ssl enable
 group-url https://email.health.state.ny.us/latsweb enable
 group-url https://email.health.state.ny.us/password enable

If we wanted to run a script (sample that our Cisco local supplied us is below) to redirect, how would we do that on ASA?

#!/usr/local/bin/perl
use strict;
use warnings;
use CGI qw(:standard);
use Net::Ping;

# The sample left the check as "some ping or up/down checking logic here";
# a TCP reachability test with the core Net::Ping module stands in for it.
# The host name is a placeholder.
my $primary = 'primary-mail.example';
my $pinger  = Net::Ping->new('tcp', 2);
my $down    = !$pinger->ping($primary);
$pinger->close;

my $obj = CGI->new;
if ($down) {
    print $obj->redirect('http://www.google.com');
}
else {
    print $obj->redirect('http://www.cisco.com');
}

(Sent by e-mail on 04/02/2010 01:56 PM in reply to the forum notification of trippi's message, https://supportforums.cisco.com/message/3047329#3047329; author profile: https://supportforums.cisco.com/people/trippi)

mciszek (Level 1)

jafisher,

The Cisco ASA has no scripting capability built into the O/S; you will need to use a load balancer like the Cisco CSS or ACE appliances on the back-end.  These devices can do a much more secure job of enabling the functionality you’re looking for.  They can provide instant fail-over without compromising your security posture.  Developing a scripting solution to provide this functionality will take many hours of development and testing.  Integrating a load balancer solution will allow the group-url on the ASA to stay the same, and the fail-over would be handled on the back-end.  These devices have scripting capability and support many methods of application state awareness.  A ping request alone to check the status of your email application may not give a proper state indication: the service may be stopped yet the server may be running and respond to ping requests.  Suggested load balancer topology:

If you would still like to pursue a scripting solution I would suggest the following topology:

If you have an automated way of indicating when your mail server or service is unavailable, you may be able to use SecureCRT from VanDyke Software and write a VBScript that will log in to the ASA via SSH and reconfigure WebVPN for the secondary mail site.  For security reasons I do not recommend that you do this; an automated process may have undesired results, and placing administrative credentials within a script is never a good idea!  However, if the system owner is willing to accept the risk, here are the steps to accomplish this:

1. Back up your configuration using ASDM Tools [menu]/Backup Configurations/Backup All and save to your management workstation. (Encrypting these files is a good idea.)

2. You will also need a backup of the original url-list file, which will be saved on the ASA's flash file system.  This file will be used to reset the webvpn user's url-list to the primary mail server. To do this just use the CLI interface to export the links: export webvpn url-list Users-Links Users-Links
(To see all of the url-lists currently on your ASA, type export webvpn url-list ? at the CLI.)

3. Verify the export to flash by typing dir at the CLI. You should see the Users-Links file in the list.

4. Now you will make a copy of the original url-list file that will be used to create the secondary mail server WebVPN url change.  This file will be used to set the webvpn user's url-list to the secondary mail server. To do this just use the CLI interface to export the links: export webvpn url-list Users-Links Users-Links-SecondaryMail

5. Verify the export by typing dir at the CLI. You should see the Users-Links and Users-Links-SecondaryMail files in the list.

6. Now from the ASDM Configuration [tab] > Remote Access VPN > Client SSL VPN Access > Portal > Bookmarks page click the “Import” button. Type “Users-Links-SecondaryMail” in the Bookmark List Name and select the Flash file system option, then click the “Browse Flash” button.  Find the “Users-Links-SecondaryMail” file and select it.  Click the “OK” button and then the “Import Now” button.  You should get an “Entry Users-Links-SecondaryMail has been successfully imported” message. Click “OK”.

7. From the same ASDM Configuration [tab] > Remote Access VPN > Client SSL VPN Access > Portal > Bookmarks page select the new “Users-Links-SecondaryMail” Bookmarks, click on the “Edit” button and make any URL changes for the secondary mail server links.  Click “OK”, then “Apply”. This will save your changes.

8. Stay on the ASDM Configuration [tab] > Remote Access VPN > Client SSL VPN Access > Portal > Bookmarks page and make sure the Users-Links-SecondaryMail bookmarks are still selected.  Click the “Export” button. Select Flash file system, click “Browse Flash”, find the “Users-Links-SecondaryMail” file and select it. Click “OK”; you will get a “File Already Exists, do you want to overwrite it?” message.  Click “OK”, then click “Export Now”. You should get an “Entry Users-Links-SecondaryMail has been successfully exported” message. Click “OK”.

You have now created the needed files for the VBscript to use.

SecureCRT Example Scripts - VanDyke Scripting Essentials

Also check Collin Clark's post "Is there a way to update the config of multiple routers and switches?"

Read pages 21-23 of the "Scripting Essentials"; it explains how to automate the script execution.

Your script can run from a .cmd or .bat file and should send the following Commands to the ASA via SSH:

  • Set ASA WebVPN to run using Secondary Mail configuration - import webvpn url-list Users-Links Users-Links-SecondaryMail
  • Set ASA WebVPN back to the Primary Mail configuration - import webvpn url-list Users-Links Users-Links

Any ASA commands can be added to your scripts.

Notes:

This example is based on a Windows O/S running on the management workstation, but it could easily be Linux, etc.

Do not test this on a production device / Do all development and testing in a lab...

Remember to backup your config!

Hope this helps,

Mike
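Added example, written for this thread and not code from either poster or from Cisco: a Python poller for the management workstation that does what Mike's procedure and jafisher's Perl sample leave open. It replaces the ping-only check with an HTTPS-level probe of the primary mail front end (a host that answers ping while the mail service is stopped counts as down), adds hysteresis so a single lost probe does not reconfigure the ASA, and emits the two import webvpn url-list commands from Mike's post when the active list should change. The probe host, thresholds and the send() hook are assumptions; the SSH session itself (SecureCRT, paramiko or similar) and where it fetches the ASA credential are left to the caller, so no administrative password lives in this file.

```python
"""Poll the primary mail site and decide when the ASA's WebVPN url-list
should switch.  Added example: probe, hysteresis and send() hook are
assumptions; the two ASA commands are the ones given in the post."""
import os
import socket
import ssl
import time
from dataclasses import dataclass

# ASA privileged-EXEC commands from Mike's post (url-list names as used there).
PRIMARY_CMD = "import webvpn url-list Users-Links Users-Links"
SECONDARY_CMD = "import webvpn url-list Users-Links Users-Links-SecondaryMail"


def parse_status_ok(status_line: bytes) -> bool:
    """True when the first response line is an HTTP status in 200-499: the
    front end is up and answering (a 401/403 to an unauthenticated HEAD still
    means 'up').  A 5xx or anything that is not a status line counts as down."""
    parts = status_line.decode("ascii", "replace").split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return False
    try:
        code = int(parts[1])
    except ValueError:
        return False
    return 200 <= code < 500


def probe_https(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Application-level check instead of ping: TCP connect, TLS handshake
    with certificate validation, then HEAD /.  Any socket or TLS failure,
    or a timeout, is reported as down."""
    ctx = ssl.create_default_context()
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request)
                first_line = tls.recv(256).split(b"\r\n", 1)[0]
    except (OSError, ssl.SSLError):
        return False
    return parse_status_ok(first_line)


@dataclass
class Failover:
    """Hysteresis so one lost probe does not flip the ASA: fail over only
    after fail_threshold consecutive failures, fail back only after
    recover_threshold consecutive successes."""
    fail_threshold: int = 3
    recover_threshold: int = 5
    on_secondary: bool = False
    failures: int = 0
    successes: int = 0

    def observe(self, primary_up: bool):
        """Record one probe result.  Returns the ASA command to send when the
        active url-list should change, otherwise None."""
        if primary_up:
            self.failures, self.successes = 0, self.successes + 1
            if self.on_secondary and self.successes >= self.recover_threshold:
                self.on_secondary = False
                return PRIMARY_CMD
        else:
            self.successes, self.failures = 0, self.failures + 1
            if not self.on_secondary and self.failures >= self.fail_threshold:
                self.on_secondary = True
                return SECONDARY_CMD
        return None


def run_once(state: Failover, probe, send):
    """One poll cycle: probe, decide, hand any command to send().  send() is
    the caller's SSH transport; it should obtain the ASA credential from a
    vault or the environment, never from this file.  Returns the command
    sent, or None when nothing changed."""
    cmd = state.observe(probe())
    if cmd is not None:
        send(cmd)
    return cmd


if __name__ == "__main__":
    # Placeholder host name; poll every 30 s and only log the command, so the
    # loop can be watched in a lab before any real transport is wired in.
    host = os.environ.get("PRIMARY_MAIL_HOST", "primary-mail.example")
    state = Failover()
    while True:
        sent = run_once(state, lambda: probe_https(host), lambda c: print("ASA>", c))
        print(time.strftime("%H:%M:%S"), "on secondary" if state.on_secondary else "on primary", sent)
        time.sleep(30)
```

The split between observe() (pure decision) and send() (transport) is deliberate: the decision logic can be exercised offline with fake probe results, and the part that touches the ASA is small enough to audit. Log every command the poller issues, since an unexpected fail-back or fail-over in the log is the first sign that the probe, not the mail server, is misbehaving.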
