12-16-2014 10:38 PM
I am unable to access the SSL WebVPN login html page. I tried using FF, Chrome, and IE via https://24.43.XXX.XXX. All I get is "Page cannot be displayed". I am stumped here, any help would be greatly appreciated.
PLAN-FW# show run
: Saved
:
ASA Version 9.1(1)
!
hostname PLAN-FW
domain-name intranet.example.com
enable password s9HtiQv6kkqqiJhc encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN-Clients 192.168.5.2-192.168.5.220 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 24.43.XXX.XXX 255.255.255.252
!
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1
nameif DR-01
security-level 100
ip address 10.0.0.1 255.255.255.252
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.2
domain-name intranet.example.com
object network obj-internet
subnet 0.0.0.0 0.0.0.0
object network obj-vlan100
subnet 10.0.100.0 255.255.254.0
object network NETWORK_OBJ_192.168.5.0_24
subnet 192.168.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu DR-01 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (DR-01,outside) source static any any destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-proxy-arp route-lookup
!
object network obj-vlan100
nat (DR-01,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 24.43.XXX.XXX 1
route DR-01 10.0.0.0 255.255.255.252 10.0.0.2 1
route DR-01 10.0.100.0 255.255.254.0 10.0.0.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint SELF-TP
enrollment self
fqdn intranet.example.com
subject-name CN=intranet.example.com
keypair myrsakey
crl configure
crypto ca trustpool policy
crypto ca certificate chain SELF-TP
certificate 4fb08954
30820203 3082016c a0030201 0202044f b0895430 0d06092a 864886f7 0d010105
05003046 311e301c 06035504 03131569 6e747261 6e65742e 70656c61 74726f6e
2e636f6d 31243022 06092a86 4886f70d 01090216 15696e74 72616e65 742e7065
6c617472 6f6e2e63 6f6d301e 170d3134 31323136 31313237 32315a17 0d323431
32313331 31323732 315a3046 311e301c 06035504 03131569 6e747261 6e65742e
70656c61 74726f6e 2e636f6d 31243022 06092a86 4886f70d 01090216 15696e74
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint SELF-TP
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point SELF-TP outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect profiles Example_Intranet_client_profile disk0:/Example_Intranet_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy "GroupPolicy_Example Intranet" internal
group-policy "GroupPolicy_Example Intranet" attributes
wins-server none
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol ikev2 ssl-client
default-domain value intranet.example.com
webvpn
anyconnect profiles value Example_Intranet_client_profile type user
username test1 password GxmPkeumVbHvz58J encrypted privilege 15
username test2 password t.GxS9C3hRYHni61 encrypted
username test3 password M9Szy/s33Cm6Crby encrypted
username test4 password hMXxQZTu8agZnzki encrypted
tunnel-group "Example Intranet" type remote-access
tunnel-group "Example Intranet" general-attributes
address-pool VPN-Clients
default-group-policy "GroupPolicy_Example Intranet"
tunnel-group "Example Intranet" webvpn-attributes
group-alias "Example Intranet" enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 10
subscribe-to-alert-group configuration periodic monthly 10
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4976c27fbf11ae4589d27b4f16107a41
: end
-----------------------------------------------------------------
Directory of disk0:/
10 drwx 4096 08:15:36 Sep 19 2014 log
20 drwx 4096 08:16:04 Sep 19 2014 crypto_archive
21 drwx 4096 08:16:12 Sep 19 2014 coredumpinfo
114 -rwx 37416960 08:24:28 Sep 19 2014 asa911-smp-k8.bin
115 -rwx 18097844 08:26:28 Sep 19 2014 asdm-713.bin
116 -rwx 69318656 08:27:50 Sep 19 2014 asacx-5500x-boot-9.1.1-1-RelWithDebInfo.x86_64.img
117 -rwx 12998641 08:47:34 Sep 19 2014 csd_3.5.2008-k9.pkg
118 drwx 4096 08:47:36 Sep 19 2014 sdesktop
119 -rwx 6487517 08:47:38 Sep 19 2014 anyconnect-macosx-i386-2.5.2014-k9.pkg
120 -rwx 6689498 08:47:40 Sep 19 2014 anyconnect-linux-2.5.2014-k9.pkg
121 -rwx 4678691 08:47:42 Sep 19 2014 anyconnect-win-2.5.2014-k9.pkg
122 -rwx 200 14:26:42 Dec 08 2014 upgrade_startup_errors_201412081426.log
129 -rwx 338 11:59:35 Dec 16 2014 Example_Intranet_client_profile.xml
8238202880 bytes total (4860497920 bytes free)
-----------------------------------------------------------------
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(3)
Compiled on Wed 28-Nov-12 11:15 PST by builders
System image file is "disk0:/asa911-smp-k8.bin"
Config file at boot was "startup-config"
PLAN-FW up 5 days 5 hours
Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020
IPSec microcode : CNPx-MC-IPSEC-MAIN-0022
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 100 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5515 Security Plus license.
12-17-2014 09:21 AM
Hi Nathan,
Are you using Ikev2 to connect. If not then can you please remove the following command and then try again:
no crypto ikev2 enable outside client-services port 443
Thanks
Jeet Kumar
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: