06-17-2011 02:00 AM
Hi All,
I have an ASA 5505 with outside interface IP 206.206.206.5. I configured the SSL VPN on this, but I am still getting "page cannot be displayed" when opening https://206.206.206.5 from broadband.
Below is the related configuration in ASA.
Could someone look at the configuration and suggest where I went wrong and what needs to be done in order to be able to connect to the SSL VPN?
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
webvpn
functions url-entry file-access file-entry file-browsing
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy GroupPolicy1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 10.10.10.11 timeout 2 retry 2
policy-map type inspect http Http_inspect_policy
parameters
protocol-violation action drop-connection
class BlockDomainClass
reset
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect ftp
inspect netbios
inspect rsh
inspect rtsp
inspect snmp
inspect sqlnet
inspect tftp
inspect xdmcp
inspect icmp
policy-map inside-policy
class HTTPTrafic
inspect http Http_inspect_policy
!
service-policy global-policy global
webvpn
enable outside
url-list nuk001 "abc002" cifs://10.10.10.1 1
Your help is really appreciated.
Jopeti.
06-17-2011 05:22 AM
Doesn't look like there is any connectivity to 206.206.206.5 on port 443. I am unable to telnet to port 443 on that IP Address.
Please ensure that there is no access-list in front of the firewall that might be blocking the connection.
Also, you would need to include the webvpn protocol in your group-policy:
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
06-21-2011 06:46 AM
Hi,
Thanks for your response and support and sorry for the delay.
The IP 206.206.206.5 is a duplicate I used because of security concerns in this forum; the real IP is a different one.
I have enabled the webvpn on the outside interface, but it is still not working. Please find below the complete running config of my ASA 5505.
And one more thing: when I tried to enable webvpn outside on another ASA (on which I have already enabled Cisco Easy VPN), it gives me the following error. Could you please let me know what the alternative is in this scenario?
(config-webvpn)# enable outside
ERROR: This configuration cannot be modified with Cisco Easy VPN Remote enabled.
ASA# sh run
: Saved
:
ASA Version 7.2(4)
!
terminal width 136
hostname ASA
names
name 10.10.0.0 bejing
name 192.168.200.0 UK
!
interface Vlan1
nameif inside
security-level 100
ip address 10.50.1.10 255.255.0.0 standby 10.50.1.11
!
interface Vlan2
nameif outside
security-level 0
ip address 206.206.206.206 255.255.255.248 standby 206.206.206.207
!
interface Vlan100
description LAN Failover Interface
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 100
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
object-group network VPN-access
network-object 10.120.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_1
network-object 10.50.0.0 255.255.0.0
network-object GBK 255.255.0.0
access-list outside_access_in extended deny icmp any 206.206.206.211 255.255.255.248
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list GBVPN_splitTunnelAcl standard permit 10.20.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip object-group VPN-access 10.50.100.0 255.255.255.224
access-list inside_mpc extended permit tcp any any eq www inactive
access-list inside_nat_outbound extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list inside extended permit tcp 10.50.0.0 255.255.0.0 host 217.217.285.256 eq https
no pager
logging enable
logging timestamp
logging trap informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool GBVPNpool 10.50.100.1-10.50.100.20 mask 255.255.255.224
ip local pool SSL-VPN 192.168.100.200-192.168.100.250 mask 255.255.255.0
icmp deny host 206.206.206.206 outside
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list inside_nat_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route inside 10.0.0.0 255.0.0.0 10.50.1.1 1
route outside 0.0.0.0 0.0.0.0 206.206.206.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint localtrust
enrollment self
fqdn ASA.dg.local
subject-name CN= ASA.dg.local
keypair ***************
crl configure
crypto ca certificate chain localtrust
certificate 31
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
ssl trust-point localtrust outside
webvpn
enable outside
svc enable
group-policy DfltGrpPolicy attributes
banner none
wins-server value 10.50.2.11
dns-server value 10.50.2.31
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value SSL-VPN
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some
specific group policy, you do not have permission to use any of the VPN features. Contact your IT
administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy GBVPN internal
group-policy GBVPN attributes
wins-server value 10.50.2.11
dns-server value 10.50.2.11
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value GBVPN_splitTunnelAcl
default-domain value dg.local
group-policy Operations internal
group-policy Operations attributes
banner value Tech Op Remote Access
banner value Unauthorized access prohibited
vpn-tunnel-protocol webvpn
webvpn
homepage none
customization value DfltCustomization
svc none
username dbgij password ************* encrypted
tunnel-group GBVPN type ipsec-ra
tunnel-group GBVPN general-attributes
address-pool (inside) GBVPNpool
address-pool GBVPNpool
authentication-server-group ********* LOCAL
default-group-policy GBVPN
tunnel-group GBVPN ipsec-attributes
pre-shared-key **************
tunnel-group RA_SSL type webvpn
tunnel-group RA_SSL webvpn-attributes
group-alias RA_SSL enable
group-url https://206.206.206.206/RA_SSL enable
!
class-map global-class
match default-inspection-traffic
class-map type regex match-any DomainBlockList
match regex Youtube
class-map type inspect http match-all BlockDomainClass
match request header host regex class DomainBlockList
class-map HTTPTrafic
match access-list inside_mpc
!
!
policy-map type inspect http Http_inspect_policy
parameters
protocol-violation action drop-connection
class BlockDomainClass
reset
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect ftp
inspect netbios
inspect rsh
inspect rtsp
inspect snmp
inspect sqlnet
inspect tftp
inspect xdmcp
inspect icmp
policy-map inside-policy
class HTTPTrafic
inspect http Http_inspect_policy
!
service-policy global-policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:ea5c8c13f6c68f0b361367f81de3bbaa
: end
Jopeti.
06-22-2011 09:46 PM
Sorry, have you changed your config? Initially the group-policy was called "GroupPolicy1"; however, I wasn't able to see that in the latest posted config.
Also, are you trying to run WebVPN or SSL VPN full tunnel? I saw that you enabled "svc" as well; however, you haven't got the image for svc yet.
Here is a sample config for WebVPN:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
Here is a sample config for SSL VPN full tunnel:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml
You might want to start from scratch with the above sample config.
Also, notice that you are still running version 7.2.4, which is quite old. You might want to look into upgrading to version 8.0.x. However, from version 8.0.x onwards, it only comes with a default of 2 SSL licenses, and you would need to purchase the SSL license if you need more than 2 concurrent SSL connections. The SSL feature is hugely improved in version 8.x.
The latest version of ASA is currently 8.4.x, so you are quite a number of versions behind. In any case, if you would like to upgrade, I would recommend going to 8.0.x first, as 8.2 requires more memory, and 8.3 onwards has major changes to the ACL and NAT.
06-22-2011 09:47 PM
Oh, and you can't run WebVPN or terminate any other VPN if the ASA is configured as an Easy VPN client.
Since it's a client, it will only be acting as a client. It can't terminate any other VPN as a VPN server.
07-12-2011 01:04 AM
Hi Jennifer,
Sorry for the delay, as I was on vacation.
I tried on a different ASA where only the Cisco client VPN is configured.
I followed the link for the SSL VPN tunnel config and completed the config.
But I am still getting "page cannot be displayed" when entering the ASA outside IP in the SSL VPN enabled browser.
Please see the below running config and let me know what needs to be done.
Note: The outside interface IP I have changed in this post for security reasons.
ASA# sh run
: Saved
:
ASA Version 7.2(4)
!
terminal width 136
hostname ASA
domain-name default.domain.invalid
names
name 10.46.0.0 MGMT
!
interface Vlan1
nameif inside
security-level 100
ip address 10.49.1.10 255.255.0.0 standby 10.49.1.11
!
interface Vlan2
nameif outside
security-level 0
ip address 206.206.206.226 255.255.255.248 standby 206.206.206.227
!
interface Vlan100
description LAN Failover Interface
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 100
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
access-list outside_access_in extended deny icmp any 206.206.206.224 255.255.255.248
access-list inside_nat0_outbound extended permit ip object-group VPN-access 10.49.100.0 255.255.255.224
access-list inside_mpc extended permit tcp any any eq www inactive
access-list inside_nat_outbound extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list inside extended permit tcp 10.49.0.0 255.255.0.0 host 203.13.168.38 eq https
no pager
logging enable
logging timestamp
logging trap informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLvpn 10.49.100.21-10.49.100.25 mask 255.255.255.192
icmp unreachable rate-limit 1 burst-size 1
icmp deny host 206.206.206.226 outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 206.206.206.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server ASAAUTH protocol radius
http server enable
http 10.46.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
webvpn
enable outside
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
webvpn
svc enable
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value GLVPN_splitTunnelAcl
default-domain value rg.local
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSLvpn
!
class-map global-class
match default-inspection-traffic
class-map type regex match-any DomainBlockList
match regex Youtube
class-map type inspect http match-all BlockDomainClass
match request header host regex class DomainBlockList
class-map HTTPTrafic
match access-list inside_mpc
!
!
policy-map type inspect http Http_inspect_policy
parameters
protocol-violation action drop-connection
class BlockDomainClass
reset
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect ftp
inspect netbios
inspect rsh
inspect rtsp
inspect snmp
inspect sqlnet
inspect tftp
inspect xdmcp
inspect icmp
policy-map inside-policy
class HTTPTrafic
inspect http Http_inspect_policy
!
service-policy global-policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:ea5c8c13f6c68f0b361367f81de3bbaa
: end
ASA#
07-12-2011 01:28 AM
Sorry, but you have not completed all the configuration as per the sample config. There are a few missing configuration lines.
Please add the following:
webvpn
svc enable
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol webvpn IPSec l2tp-ipsec
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy GroupPolicy1
You might want to open a TAC case so an engineer can assist you live. Since your outside IP address is sensitive on the forum, I can't test connectivity, and a TAC case would be the way to go to further troubleshoot the issue.
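The prerequisites this reply lists, as an added example that is not part of the thread: a small Python checker that walks an indented `show run` and reports which of them are missing. The sample config is constructed from the poster's second running-config; `parse_blocks` and `check_sslvpn` are names chosen here, not ASA or Cisco tooling.

```python
# Constructed sample (not a real device): the poster's second running-config reduced
# to its SSL VPN parts, before the reply's missing lines were added.
BEFORE = """\
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 webvpn
  svc enable
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool SSLvpn
"""
# The same fragment with the three lines the reply asks for added.
AFTER = (BEFORE
         .replace("pkg 1\n", "pkg 1\n svc enable\n")
         .replace("protocol IPSec l2tp-ipsec", "protocol webvpn IPSec l2tp-ipsec")
         .replace("pool SSLvpn\n", "pool SSLvpn\n default-group-policy GroupPolicy1\n"))


def parse_blocks(config):
    """Map each unindented command to its indented sub-commands (stripped).
    Assumes the one-space indentation of real `show run` output survived."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw[0] in "!:":
            continue
        if raw[0] != " ":
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def check_sslvpn(config):
    """Findings for the SVC (full-tunnel SSL VPN) prerequisites the replies point
    out; an empty list means all are present. Only DefaultWEBVPNGroup is checked."""
    b = parse_blocks(config)
    findings = []
    wv = b.get("webvpn", [])
    if not any(l.startswith("enable ") for l in wv):
        findings.append("webvpn: not enabled on any interface")
    if "svc enable" not in wv:
        findings.append("webvpn: global 'svc enable' missing")
    tg = b.get("tunnel-group DefaultWEBVPNGroup general-attributes", [])
    gp = next((l.split()[1] for l in tg if l.startswith("default-group-policy ")), None)
    if gp is None:
        findings.append("DefaultWEBVPNGroup: no default-group-policy (falls back to DfltGrpPolicy)")
    else:
        attrs = b.get(f"group-policy {gp} attributes", [])
        proto = next((l for l in attrs if l.startswith("vpn-tunnel-protocol ")), "")
        if "webvpn" not in proto.split():
            findings.append(f"group-policy {gp}: vpn-tunnel-protocol lacks webvpn")
    if not any(l.startswith("address-pool") for l in tg):
        findings.append("DefaultWEBVPNGroup: no address-pool for SVC clients")
    return findings
```

Running `check_sslvpn(BEFORE)` reports the missing global `svc enable` and the missing `default-group-policy`, while `check_sslvpn(AFTER)` returns no findings; a pasted config whose indentation was lost (as in this thread) must be re-indented first.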
07-12-2011 03:30 AM
Thanks for your help.
I added the config below but am still getting "page cannot be displayed".
Here is my outside interface IP: 194.177.227.226 and standby 194.177.227.227
Please check and update me if anything needs to be modified or added.
webvpn
enable outside
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
webvpn
svc enable
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSLvpn
default-group-policy GroupPolicy1
07-12-2011 04:29 AM
Is there any firewall or ACL in front of the ASA firewall that might be blocking the access?
I am not even able to telnet to 194.177.227.226 on port 443. That means there is no connectivity on port 443 towards that IP address. Something in front of the firewall might be blocking the connection.
07-12-2011 05:09 AM
The internet link is directly connected to this ASA firewall.
There are no other firewalls in front of the ASA firewall.