
Unable to Access Public Web sites through WebVPN portal

beaconservices
Level 1

We had WebVPN set up, and users were able to navigate the (inside) network and the external internet through the embedded browser (drop-down, select http://, and then type in a public DNS address), and the WebVPN portal would redirect them to the address they "typed in". Since then we also set up an L2L VPN tunnel using pre-shared keys, and it was brought to my attention that end users who were using the WebVPN portal were no longer able to browse public sites through the portal's browser (both IP/DNS).

Could the setting up of the L2L cause the WebVPN to no longer serve public sites?

2 Replies

Julio Carvajal
VIP Alumni

Hello,

There might be something overriding that previous service on the WebVPN. Can you provide the running configuration so we can analyze it? (Please change some settings (IP addresses) for security purposes of the forum.)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have attached the running-configs from our ASA:

ASA Version 8.2(4)
!
hostname CompanyASA1
domain-name CompanyName.local
enable password yI1seDbeR7X1IlFN encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 193.182.8.0 Spotify-193 description External Spotify IP
name 78.31.8.0 Spotify-78 description External Spotify IP
name 192.168.75.0 Company-network
name c.c.c.253 CompanyASA1
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address z.z.z.71 n.n.n.192
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address x.x.x.2 n.n.0.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif wireless
 security-level 75
 ip address w.w.w.1 n.n.n.0
!
interface Ethernet0/3
 nameif dmz
 security-level 15
 ip address d.d.d.1 n.n.n.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address m.m.m.1 n.n.n.0
 management-only
!
!
time-range BusinessHours
 periodic weekdays 7:00 to 19:00
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup wireless
dns domain-lookup dmz
dns domain-lookup management
dns server-group DefaultDNS
 name-server x.x.x.3
 domain-name CompanyName.local
same-security-traffic permit intra-interface
object-group service weblogic-services tcp
 port-object eq 5001
 port-object eq 6001
 port-object eq 7001
 port-object eq 9001
object-group service web-services tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_0 tcp
 group-object weblogic-services
 group-object web-services
object-group network ftp-servers
 network-object host z.z.z.72
 network-object host z.z.z.75
 network-object host z.z.z.90
object-group network web-servers
 network-object host z.z.z.117
 network-object host z.z.z.121
 network-object host z.z.z.73
 network-object host z.z.z.74
 network-object host z.z.z.82
 network-object host z.z.z.83
 network-object host z.z.z.87
 network-object host z.z.z.92
 network-object host z.z.z.88
 network-object host z.z.z.89
 network-object host z.z.z.66
object-group network terminal-servers
 network-object host z.z.z.75
 network-object host z.z.z.77
 network-object host z.z.z.90
object-group network mail-servers
 network-object host z.z.z.86
object-group network lotusnotes-server
 network-object host z.z.z.66
object-group network weblogic-servers
 network-object host z.z.z.79
object-group service ftp-services tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service remotedesktop-services tcp
 port-object eq 3389
object-group service lotus-services tcp
 port-object eq lotusnotes
 port-object eq smtp
object-group icmp-type ping-services
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
 icmp-object traceroute
object-group service DM_INLINE_TCP_1 tcp
 group-object lotus-services
 group-object web-services
object-group service DM_INLINE_TCP_3 tcp
 group-object remotedesktop-services
 group-object ftp-services
 port-object eq ssh
object-group network remote-support
 network-object host z.z.z.67
 network-object host z.z.z.81
object-group service edgesync tcp
 port-object eq 50636
 port-object eq 3389
 port-object eq 50389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service exchange-services tcp-udp
 port-object eq 110
 port-object eq 143
 port-object eq 25
 port-object eq 443
 port-object eq 465
 port-object eq 587
 port-object eq 993
 port-object eq 995
 port-object eq www
object-group network DM_INLINE_NETWORK_1
 network-object host d.d.d.40
 network-object host d.d.d.74
object-group service SMB tcp
 port-object eq 445
object-group service GRE tcp
 port-object eq 47
object-group network DM_INLINE_NETWORK_2
 network-object Spotify-193 n.n.248.0
 network-object Spotify-78 n.n.248.0
object-group network DM_INLINE_NETWORK_3
 network-object Spotify-193 n.n.248.0
 network-object Spotify-78 n.n.248.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object tcp
object-group service DM_INLINE_TCP_5 tcp
 group-object exchange-services
 group-object web-services
object-group network CompanySubnet
object-group network Comcast
access-list outside extended permit tcp any host z.z.z.90 object-group ftp-services
access-list outside extended permit tcp any host z.z.z.84 object-group DM_INLINE_TCP_5
access-list outside extended permit tcp any object-group ftp-servers object-group DM_INLINE_TCP_3
access-list outside extended permit tcp any object-group mail-servers eq smtp
access-list outside extended permit tcp any object-group terminal-servers object-group remotedesktop-services
access-list outside extended permit tcp any object-group web-servers object-group web-services
access-list outside extended permit tcp any object-group weblogic-servers object-group DM_INLINE_TCP_0
access-list outside extended permit tcp any host z.z.z.66 eq lotusnotes
access-list outside extended permit tcp object-group mail-servers host z.z.z.66 object-group DM_INLINE_TCP_1
access-list outside remark Allowing SMTP, POP3, IMAP4, HTTPS and ActiveSync
access-list outside extended permit object-group TCPUDP any host z.z.z.115 object-group exchange-services
access-list outside extended permit tcp any host z.z.z.72 object-group web-services
access-list outside extended permit tcp any host z.z.z.73 object-group web-services
access-list outside extended permit tcp any host z.z.z.74 object-group web-services
access-list outside extended permit tcp any host z.z.z.75 object-group remotedesktop-services
access-list outside extended permit tcp any host z.z.z.77 object-group remotedesktop-services
access-list outside extended permit tcp any host z.z.z.79 object-group weblogic-services
access-list outside extended permit tcp any host z.z.z.80 object-group web-services
access-list outside extended permit tcp any host z.z.z.81 object-group web-services
access-list outside extended permit tcp any host z.z.z.82 object-group web-services
access-list outside extended permit tcp any host z.z.z.83 object-group web-services
access-list outside extended permit tcp any host z.z.z.88 object-group web-services
access-list outside extended permit tcp any host z.z.z.87 object-group web-services
access-list outside extended permit tcp any host z.z.z.89 object-group web-services
access-list outside extended permit tcp any host z.z.z.92 object-group web-services
access-list outside extended permit tcp any host z.z.z.117 object-group web-services
access-list outside extended permit tcp any host z.z.z.121 object-group web-services
access-list outside extended permit icmp any any
access-list outside extended deny ip object-group DM_INLINE_NETWORK_1 any
access-list outside extended permit tcp any host z.z.z.69 eq pptp
access-list inside remark Internal Users accessing Spotify services.
access-list inside extended permit object-group DM_INLINE_PROTOCOL_1 i.i.0.0 n.n.0.0 object-group DM_INLINE_NETWORK_2
access-list inside extended permit ip any any
access-list inside extended permit gre any any
access-list inside extended permit tcp any any eq pptp
access-list dmz extended permit ip any any
access-list inside_mpc extended permit object-group DM_INLINE_PROTOCOL_2 i.i.0.0 n.n.0.0 object-group DM_INLINE_NETWORK_3 time-range BusinessHours
access-list CompanyVPN-Client_splitTunnelAcl standard permit i.i.0.0 n.n.0.0
access-list inside_nat0_outbound extended permit ip i.i.0.0 n.n.0.0 v.v.v.0 n.n.n.0
access-list inside_nat0_outbound extended permit ip i.i.0.0 n.n.0.0 Company-network n.n.n.0
access-list outside_1_cryptomap remark To Encrypt Traffic from i.i.0.0/16 to 192.168.75.0/24
access-list outside_1_cryptomap extended permit ip i.i.0.0 n.n.0.0 Company-network n.n.n.0
pager lines 24
logging enable
logging asdm warnings
logging from-address email@CompanyName.com
logging recipient-address email1@CompanyName.com level errors
logging class auth asdm debugging
logging class vpn asdm debugging
logging class vpnc asdm debugging
logging class vpnfo asdm debugging
logging class vpnlb asdm debugging
logging class webvpn asdm debugging
mtu outside 1500
mtu inside 1500
mtu wireless 1500
mtu dmz 1500
mtu management 1500
ip local pool VPN-Pool v.v.v.5-v.v.v.254 mask n.n.n.0
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any wireless
icmp permit any dmz
asdm image disk0:/asdm-635.bin
asdm location Spotify-78 n.n.248.0 inside
asdm location Spotify-193 n.n.248.0 inside
asdm location Company-network n.n.n.0 inside
asdm location CompanyASA1 n.n.n.255 inside
asdm history enable
arp timeout 14400
global (outside) 1 z.z.z.67
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 i.i.0.0 n.n.0.0
nat (wireless) 1 w.w.w.0 n.n.n.0
nat (dmz) 1 d.d.d.0 n.n.n.0
static (inside,outside) tcp interface 8999 z.z.z.67 8999 netmask n.n.n.255
static (inside,outside) z.z.z.86 x.x.x.6 netmask n.n.n.255
static (inside,outside) z.z.z.115 x.x.x.57 netmask n.n.n.255
static (inside,outside) z.z.z.84 x.x.x.58 netmask n.n.n.255
static (inside,outside) z.z.z.66 x.x.x.62 netmask n.n.n.255
static (inside,outside) z.z.z.82 x.x.x.106 netmask n.n.n.255
static (inside,outside) z.z.z.83 x.x.x.107 netmask n.n.n.255
static (inside,outside) z.z.z.92 x.x.x.108 netmask n.n.n.255
static (inside,outside) z.z.z.79 x.x.x.109 netmask n.n.n.255
static (inside,outside) z.z.z.117 x.x.x.110 netmask n.n.n.255
static (inside,outside) z.z.z.87 x.x.x.111 netmask n.n.n.255
static (inside,outside) z.z.z.74 x.x.x.112 netmask n.n.n.255
static (inside,outside) z.z.z.121 x.x.x.113 netmask n.n.n.255
static (inside,outside) z.z.z.80 x.x.x.100 netmask n.n.n.255
static (inside,outside) z.z.z.75 x.x.x.75 netmask n.n.n.255
static (inside,outside) z.z.z.77 x.x.x.77 netmask n.n.n.255
static (inside,outside) z.z.z.73 x.x.x.101 netmask n.n.n.255
static (inside,outside) z.z.z.88 x.x.x.102 netmask n.n.n.255
static (inside,outside) z.z.z.89 x.x.x.103 netmask n.n.n.255
static (inside,outside) z.z.z.72 x.x.x.105 netmask n.n.n.255
static (inside,dmz) i.i.0.0 i.i.0.0 netmask n.n.0.0
static (inside,outside) z.z.z.69 x.x.x.8 netmask n.n.n.255
static (inside,outside) z.z.z.81 x.x.x.80 netmask n.n.n.255
static (inside,outside) z.z.z.90 x.x.x.82 netmask n.n.n.255
static (inside,outside) z.z.z.85 x.x.x.59 netmask n.n.n.255
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 z.z.z.65 1
route inside 0.0.0.0 0.0.0.0 z.z.z.71 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map CompanyMap
  map-name  memberOf Group-Policy
  map-value memberOf "CN=VPN Users,OU=Access,OU=Groups,OU=Company,DC=CompanyName,DC=local" CompanyVPNPolicy
dynamic-access-policy-record DfltAccessPolicy
aaa-server CompanyLDAP protocol ldap
aaa-server CompanyLDAP (inside) host x.x.x.94
 timeout 5
 ldap-base-dn DC=CompanyName,DC=local
 ldap-scope subtree
 server-type auto-detect
aaa-server LDAPauthenticate protocol ldap
aaa-server LDAPauthenticate (inside) host x.x.x.3
 ldap-base-dn dc=CompanyName,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password
 ldap-login-dn cn=Admin,ou=Admin Accounts,ou=Users,ou=Company,dc=CompanyName,dc=local
 server-type microsoft
 ldap-attribute-map CompanyMap
aaa-server LDAPauthorize protocol ldap
aaa-server LDAPauthorize (inside) host x.x.x.3
 server-port 636
 ldap-base-dn dc=CompanyName,dc=local
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password
 ldap-login-dn cn=Admin,ou=Admin Accounts,ou=Users,ou=Company,dc=CompanyName,dc=local
 sasl-mechanism digest-md5
 ldap-over-ssl enable
 server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http m.m.m.0 n.n.n.0 management
snmp-server location MyTown, AL, USA
snmp-server contact Users Name, ###-###-####, email@CompanyName.com
snmp-server community Company
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer CompanyASA1
crypto map outside_map 1 set transform-set AES-SHA ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable wireless
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet i.i.0.0 n.n.0.0 inside
telnet timeout 60
ssh i.i.0.0 n.n.0.0 inside
ssh timeout 60
console timeout 0
management-access management
dhcpd address m.m.m.11-m.m.m.20 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 206.246.122.250 source outside
ntp server 64.90.182.55 source outside prefer
ntp server 96.47.67.105 source outside
ntp server 126.6.15.29 source outside
ntp server 129.6.15.28 source outside
tftp-server inside x.x.x.90 C:\TFTP-Root
webvpn
 enable outside
 tunnel-group-list enable
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
group-policy web1 external server-group LDAPauthorize
group-policy CompanyVPN-Client internal
group-policy CompanyVPN-Client attributes
 dns-server value x.x.x.3 x.x.x.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CompanyVPN-Client_splitTunnelAcl
 default-domain value CompanyName.local
group-policy CompanyVPNPolicy internal
group-policy CompanyVPNPolicy attributes
 vpn-simultaneous-logins 25
 vpn-tunnel-protocol webvpn
 group-lock value CompanyVPN
 webvpn
  url-list value CompanyBookmark
username user2 password sS5u3RUdRWfZ5jw2 encrypted
username user1 password sS5u3RUdRWfZ5jw2 encrypted privilege 15
tunnel-group CompanyVPN type remote-access
tunnel-group CompanyVPN general-attributes
 authentication-server-group LDAPauthenticate
 default-group-policy NoAccess
tunnel-group CompanyVPN webvpn-attributes
 group-alias CompanyVPN enable
tunnel-group CompanyVPN-Client type remote-access
tunnel-group CompanyVPN-Client general-attributes
 address-pool VPN-Pool
 default-group-policy CompanyVPN-Client
tunnel-group CompanyVPN-Client ipsec-attributes
 pre-shared-key
tunnel-group c.c.c.253 type ipsec-l2l
tunnel-group c.c.c.253 ipsec-attributes
 pre-shared-key
!
class-map Spotify-limit
 description Limit bandwidth to Spotify users
 match access-list inside_mpc
class-map inspection_default
 match default-inspection-traffic
class-map class_pptp
 match port tcp eq pptp
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
 class class_pptp
  inspect pptp
policy-map Spotify-access
 description Policy for Company users accessing Spotify media services
 class Spotify-limit
  police input 218000 27308
  police output 218000 27308
policy-map tcp_policy
 class class_pptp
  inspect pptp
!
service-policy global_policy global
service-policy tcp_policy interface outside
service-policy Spotify-access interface inside
smtp-server x.x.x.57
prompt hostname context
Cryptochecksum:96f3b533ddef283f6cded303c6848700
: end
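The posted running-config is long, but the entries that decide where WebVPN-proxied traffic goes are the routes, the crypto-map match ACL and the nat0 exemption. The following Python script is an added example, not code from the thread or from Cisco: it pulls exactly those entries out of an ASA 8.2-style running-config and lists what a reviewer would check when portal browsing to public destinations stops working after an L2L tunnel is added. The embedded config is a constructed excerpt of the one posted above, with the poster's masked addresses kept as posted. On that excerpt the script reports that `route inside 0.0.0.0 0.0.0.0 z.z.z.71 tunneled` installs a tunneled default route bound to the inside interface whose next hop z.z.z.71 is the address configured on the outside interface, and that the crypto ACL `outside_1_cryptomap` only protects i.i.0.0/16 to Company-network/24, so public destinations do not match it. The regexes and the `review` findings are this example's own and assume the `show running-config` syntax of that release.

```python
import re
from typing import Dict, List

# Constructed excerpt of the running-config posted in the thread, with the
# masked addresses kept exactly as the poster masked them.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address z.z.z.71 n.n.n.192
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address x.x.x.2 n.n.0.0
!
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip i.i.0.0 n.n.0.0 Company-network n.n.n.0
access-list outside_1_cryptomap extended permit ip i.i.0.0 n.n.0.0 Company-network n.n.n.0
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 z.z.z.65 1
route inside 0.0.0.0 0.0.0.0 z.z.z.71 tunneled
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map interface outside
webvpn
 enable outside
"""

# 'route <iface> <net> <mask> <gw> [metric] [tunneled]' as printed by ASA 8.2
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?( tunneled)?$")
# Plain 'permit <proto> <src> <mask> <dst> <mask>' entries (no object-groups, no ports)
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
MATCH_ADDR_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$", re.M)


def parse_interfaces(config: str) -> Dict[str, str]:
    """Return {nameif: ip} for every interface block that carries an address."""
    result: Dict[str, str] = {}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new block: forget the previous nameif
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            result[nameif] = line.split()[2]
    return result


def parse_routes(config: str) -> List[dict]:
    """Return static routes; 'tunneled' marks the VPN default-gateway route."""
    routes = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            routes.append({"iface": m.group(1), "net": m.group(2), "mask": m.group(3),
                           "gw": m.group(4), "tunneled": m.group(6) is not None})
    return routes


def crypto_acl_entries(config: str) -> Dict[str, List[Dict[str, str]]]:
    """Return the permit entries of every ACL a crypto map uses as 'match address'."""
    entries: Dict[str, List[Dict[str, str]]] = {n: [] for n in MATCH_ADDR_RE.findall(config)}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m and m.group(1) in entries:
            entries[m.group(1)].append({"proto": m.group(2), "src": m.group(3), "src_mask": m.group(4),
                                        "dst": m.group(5), "dst_mask": m.group(6)})
    return entries


def review(config: str) -> List[str]:
    """Findings a reviewer checks when VPN-sourced traffic stops reaching public sites."""
    findings: List[str] = []
    addr_to_iface = {ip: name for name, ip in parse_interfaces(config).items()}
    for r in parse_routes(config):
        if not r["tunneled"]:
            continue
        # A 'tunneled' default route is the gateway for traffic that arrived through a
        # VPN tunnel; that traffic no longer follows the regular default route.
        findings.append(f"tunneled default route sends VPN-terminated traffic out '{r['iface']}' "
                        f"via {r['gw']} instead of the regular default route")
        owner = addr_to_iface.get(r["gw"])
        if owner and owner != r["iface"]:
            findings.append(f"next hop {r['gw']} of the tunneled route on '{r['iface']}' is the "
                            f"ASA's own address on interface '{owner}'")
    for acl, entries in crypto_acl_entries(config).items():
        for e in entries:
            findings.append(f"crypto ACL {acl} protects {e['src']}/{e['src_mask']} -> "
                            f"{e['dst']}/{e['dst_mask']}; other destinations are not sent into the L2L tunnel")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a full `show running-config` by reading the file into `review()` instead of `SAMPLE_CONFIG`; ACL entries that use object-groups or port keywords are deliberately skipped by `ACL_RE`, so a crypto ACL written that way would need the regex extended.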