09-29-2016 06:50 AM
Can anyone please help with the following? Am I missing something?
I'm trying to establish an SSL clientless VPN connection to an ASA5515 to access the web portal across the internet.
It already has IPsec site to site vpn tunnels on it.
When I put the IP address in the browser - https://IP-ADD, it tries to connect to the portal but just hangs.
I can see the hits increment on the ACE entry when I try to connect, but this was supposed to bypass the ACL as I have the default command sysopt connection permit-vpn, so not sure what's happening there.
Please see test config below:
hostname ASA1
clock set 13:48:00 28 sept 2016
domain-name test.local
crypto key generate rsa label RSA-KEY modulus 1024
crypto ca trustpoint SELF-TRUSTPOINT
 enrollment self
 fqdn asa1.test.local
 subject-name CN=asa1.test.local
 keypair RSA-KEY
crypto ca enroll SELF-TRUSTPOINT [noconfirm]
ssl trust-point SELF-TRUSTPOINT OUTSIDE
wr
group-policy CLIENTLESS-GP internal
group-policy CLIENTLESS-GP attributes
 vpn-tunnel-protocol webvpn
tunnel-group SSL-TUNNEL type remote-access
tunnel-group SSL-TUNNEL general-attributes
 default-group-policy CLIENTLESS-GP
dns server-group DefaultDNS (not using this for now as it's not needed to access the logon page)
 domain-name test.org
 name-server LAN-DNS-IP-ADD
tunnel-group SSL-TUNNEL webvpn-attributes
 group-url https://asa1.test.local/SSL-TUNNEL enable
username user1 password cisco1
webvpn
 enable OUTSIDE
wr
10-10-2016 01:57 PM
Hello again,
You wouldn't believe it but there was another NAT rule on the ASA that I inherited.
Can now SSL to the portal from the internet. Downloaded and imported the SSH plugin from Cisco, but the final problem I have is:
Unable to SSH from the web portal page to the server (the SSH config on the server works fine, as I can get to it using PuTTY from a PC on the LAN).
Do I need to do something else on the ASA to make this work?
Regards, mk
10-10-2016 11:55 PM
Hello MK,
Tricky. One thing I can think of is to try switching between SSH version 1 and 2 on the ASA. Can you give that a try?
10-11-2016 01:45 PM
I already tried that, and have now logged a call with Cisco TAC, but thank you for your continuous help; really appreciated. Will award 5 stars.
Regards, mk
10-04-2016 03:51 AM
Back at work. Ran sh asp table socket: no SSL, only DTLS here:
DTLS LISTEN x.x.x.x:443, where x.x.x.x is the outside interface IP address.
Changed config:
webvpn
 dtls port 444
 no enable outside
 port 444 (this would put SSL on this port too)
 enable outside
sh asp table socket
SSL LISTEN x.x.x.x:444
DTLS LISTEN x.x.x.x:444
So now when I try to SSL to that ASA outside interface IP address on port 444, it just hangs.
Any other suggestions?
Regards, mk
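An added check, not from this thread or from Cisco, that reads `show asp table socket` output and flags the symptom described above: a DTLS listener without an SSL listener on the WebVPN port. The column layout of the constructed sample output and the addresses/ports in it are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output. The five-column layout (Protocol, Socket, State,
# Local Address, Foreign Address) is an assumed rendering of the command; the
# bare "SSL LISTEN x.x.x.x:444" form quoted in the thread is accepted too.
SAMPLE_BEFORE = """\
Protocol  Socket    State      Local Address        Foreign Address
DTLS      000a6fcf  LISTEN     203.0.113.10:443     0.0.0.0:*
TCP       0009a0cf  LISTEN     203.0.113.10:22      0.0.0.0:*
"""
SAMPLE_AFTER = """\
SSL LISTEN 203.0.113.10:444
DTLS LISTEN 203.0.113.10:444
"""

LINE_RE = re.compile(
    r"^(?P<proto>SSL|DTLS|TCP|UDP)\s+"
    r"(?:[0-9A-Fa-f]+\s+)?"           # socket id column, absent in pasted output
    r"(?P<state>[A-Z_]+)\s+"
    r"(?P<addr>\S+?):(?P<port>\d+|\*)"
)


def parse_asp_sockets(output: str) -> List[Tuple[str, str, str, int]]:
    """Return (protocol, state, local_ip, port) for each socket line; skips headers."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("port") == "*":
            continue
        rows.append((m.group("proto"), m.group("state"),
                     m.group("addr"), int(m.group("port"))))
    return rows


def webvpn_listeners(output: str, port: int) -> Dict[str, bool]:
    """Whether SSL and DTLS are each in LISTEN state on the WebVPN port."""
    found = {"SSL": False, "DTLS": False}
    for proto, state, _ip, p in parse_asp_sockets(output):
        if proto in found and state == "LISTEN" and p == port:
            found[proto] = True
    return found


def diagnose(output: str, port: int = 443) -> str:
    """One-line verdict: a browser needs the SSL (TCP) listener, not DTLS."""
    l = webvpn_listeners(output, port)
    if l["SSL"] and l["DTLS"]:
        return f"ok: SSL and DTLS listening on {port}"
    if not l["SSL"]:
        return f"browser will hang: no SSL LISTEN on {port} (DTLS only)"
    return f"clientless works, DTLS missing on {port}"
```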
10-04-2016 04:14 AM
Hello,
The idea was to actually leave SSL on 443 and move just DTLS to 444, to see what happens then.
Either way, it should not need to be changed, and should work without moving DTLS. Which browsers are you using?
I will get back to you, just checking for more info.
Can you try to disable DTLS altogether:
asa2(config-group-webvpn)# svc dtls none