11-20-2012 02:58 AM
Hi,
I'm performing a migration from an ASA5520 running version 8.04 to an ASA5525-X running 8.6.
The issue I had was that whilst all of the SSL VPN portal configuration was migrated, the initial portal page does not load. I thought that this could be to do with ASDM and WebVPN both being enabled on the outside interface and so I tried changing the port used for ASDM and disabled the ASDM altogether on the outside - but still to no avail.
Could this have something to do with the fact that you can no longer just point your browser at the outside interface of the firewall to get to the ASDM? Does some configuration need to change for the ASA to accept connections on the outside interface?
The basic WebVPN access as it stands right now is:
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
With some specific dynamic access records such as the below:
dynamic-access-policy-record DfltAccessPolicy
description "Web portal"
webvpn
port-forward disable
file-browsing enable
file-entry enable
http-proxy enable
url-entry enable
svc ask enable default svc
I've checked out loads of documentation but can't see why this isn't working.
Thanks, Anish
11-20-2012 02:48 PM
Hi Anish,
What do you mean by "the initial portal page does not load"?
What do you see?
Show run http?
Please do:
ASA(config)# clear configure dynamic-access-policy-record DfltAccessPolicy
HTH.
Please rate any helpful posts
11-22-2012 03:08 PM
Hi
Thanks for the response. However, I worked out why the page wasn't loading. As usual I got very little from the IE page, but using Google Chrome gave me the following error message:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Which led me to do a bit more digging: if you run the sho ssl command, the output you get is something along the lines of the following:
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
As you can see, the only enabled SSL cipher is des-sha1. So I changed my configuration to support other SSL encryption methods using the command below:
FW(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1
My VPN portal page burst into life!
Anish
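The check behind that fix, written out as an added example (not part of the thread and not Cisco code): a small parser for the `show ssl` output quoted above that reports which enabled ciphers a current browser will still accept, and, when none is left, builds the `ssl encryption` command to re-enable usable ones. It assumes the two-line "Enabled cipher order:" / "Disabled ciphers:" format shown in the thread (other ASA releases may word these differently), and the weak-cipher set and preference order are this example's own choices, not a Cisco recommendation. The sample input is the thread's own output, embedded as a constructed string.

```python
"""Parse Cisco ASA `show ssl` output and recommend an `ssl encryption` line.

Added example for the thread above; not from the original post or Cisco.
Assumptions: the "Enabled cipher order:" and "Disabled ciphers:" line
format seen in the thread, and the cipher classification below.
"""
import re

# Constructed sample: the `show ssl` output quoted in the thread.
SAMPLE_SHOW_SSL = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
"""

# Ciphers current browsers refuse (this example's assumption): single DES,
# NULL encryption and RC4. A portal that only offers these produces the
# ERR_SSL_VERSION_OR_CIPHER_MISMATCH error described in the thread.
WEAK_CIPHERS = {"des-sha1", "null-sha1", "rc4-md5", "rc4-sha1"}

# Order used when building the fix, strongest first (example's own choice;
# matches the command the original poster ended up using).
PREFERRED_ORDER = ["aes256-sha1", "aes128-sha1", "3des-sha1"]


def parse_show_ssl(text):
    """Return (enabled, disabled) cipher-name lists from `show ssl` output."""
    enabled, disabled = [], []
    for line in text.splitlines():
        m = re.match(r"\s*Enabled cipher order:\s*(.*)$", line)
        if m:
            enabled = m.group(1).split()
            continue
        m = re.match(r"\s*Disabled ciphers:\s*(.*)$", line)
        if m:
            disabled = m.group(1).split()
    return enabled, disabled


def browser_usable(enabled):
    """Enabled ciphers a browser is expected to negotiate, in ASA order."""
    return [c for c in enabled if c not in WEAK_CIPHERS]


def recommend_ssl_encryption(text):
    """Return the `ssl encryption ...` command needed, or None if the
    current cipher set already contains a browser-usable cipher."""
    enabled, disabled = parse_show_ssl(text)
    if browser_usable(enabled):
        return None
    available = set(enabled) | set(disabled)
    chosen = [c for c in PREFERRED_ORDER if c in available]
    if not chosen:
        # Edge case: the box cannot offer anything a browser accepts.
        raise ValueError("no browser-usable cipher is available on this ASA")
    return "ssl encryption " + " ".join(chosen)


if __name__ == "__main__":
    fix = recommend_ssl_encryption(SAMPLE_SHOW_SSL)
    print(fix if fix else "cipher set already usable; look elsewhere")
```

Paste the real `show ssl` output in place of the sample; a `None` result means the cipher set is not the problem and the portal failure lies elsewhere (certificate, interface binding, or the `webvpn` enable line).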
11-22-2012 05:55 PM
Anish,
Yes, IE does not display the CIPHER mismatch.
I am glad to know you found the solution.
Please mark this post as answered so others will learn from it.
Thanks