06-10-2013 03:45 PM
Hi,
I have issues connecting to the webvpn as it's asking for some certificate for authentication. I am using the self-generated certificate, but when I try to connect to the SSL gateway via its IP address, the browser expects me to provide the certificate. I want to tell the browser to use the self-generated certificate of the ASA5505, but I'm not sure how to do it.
I understand that when WEBVPN/SSL clientless VPN tries to establish the VPN, the ASA sends the certificate back to the browser to accept/authenticate it, but when I connect I don't get any certificate where I can say YES to accept it.
Can I just disable the certificate with SSL and just use username/password to create a WEBVPN?
Can anyone please advise, as I have read the CISCO docs but still can't make SSL work.
Thanks
Salman
06-11-2013 06:55 AM
What IOS version are you using?
06-11-2013 06:58 AM
ASA version 7.2 (on 5505 platform).
Thanks
Salman
06-11-2013 07:01 AM
Working sample.
Adjust the necessary information; you also need a no_nat ACL:
crypto key generate rsa label sslvpnkeypair
!
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.cisco.com
 subject-name CN=sslvpn.cisco.com
 keypair sslvpnkeypair
crypto ca enroll localtrust noconfirm
!
ssl trust-point localtrust outside
!
!
!
webvpn
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
!
!
webvpn
 enable outside
 svc enable
!
!
!
ip local pool SSLClientPool 10.100.25.128-10.100.25.254
!
!
!
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
 dns-server value 192.168.50.5
 vpn-tunnel-protocol svc
 default-domain value tsweb.local
 address-pools value SSLClientPool
!
!
sysopt connection permit-vpn
!
!
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
!
webvpn
 tunnel-group-list enable
!
!
nat (inside) 0 access-list no_nat
!
!
!
!
username abc password p@ssw0rd
username abc attributes
 service-type remote-access
!
!
06-11-2013 07:03 AM
If yours looks like this and still doesn't work, post your config with relevant information.
06-11-2013 07:07 AM
Thanks.
Is this config for the webvpn (clientless) solution?
I just want to enable browser-based SSL VPN so that users don't have to install a VPN client on their PCs.
Cheers
Salman
06-11-2013 07:12 AM
!!!!!From the script you only need this change:
webvpn
 no svc enable (if your config already has this line. If not, you are good)
!!!!!also no need for:
webvpn
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
!!!!!and you need to use the correct protocol in:
group-policy SSLCLientPolicy attributes
 vpn-tunnel-protocol ? (I don't know the protocol options for version 7.2. You need the option for webvpn)
06-11-2013 07:14 AM
OK thanks, let me try this, I will come back with the results.
Regards
Salman
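The changes from the 07:12 AM reply, written as a config check (an added example, not part of the thread and not Cisco tooling). It assumes the config is indented the way `show running-config` prints it and that the clientless keyword for `vpn-tunnel-protocol` on 7.2 is `webvpn` (confirm with `vpn-tunnel-protocol ?` on the device). The function names are hypothetical.

```python
# Constructed sample (not from a real device): the thread's config as
# "show running-config" would indent it, before the 07:12 AM changes.
SAMPLE = """\
crypto ca trustpoint localtrust
 enrollment self
 keypair sslvpnkeypair
ssl trust-point localtrust outside
webvpn
 enable outside
 svc enable
group-policy SSLCLientPolicy attributes
 vpn-tunnel-protocol svc
"""

def parse_blocks(text):
    """Map each top-level command to the list of sub-commands indented under it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue  # skip blank lines and "!" separators
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])  # repeated "webvpn" blocks merge
    return blocks

def audit_clientless(text, clientless_keyword="webvpn"):
    """Return findings that block or do not belong in a browser-only WebVPN setup."""
    blocks, findings = parse_blocks(text), []
    trustpoints = {h.split()[-1] for h in blocks if h.startswith("crypto ca trustpoint ")}
    bound = [h.split()[2] for h in blocks if h.startswith("ssl trust-point ")]
    if not bound:
        findings.append("no 'ssl trust-point' is bound to an interface")
    findings += [f"ssl trust-point '{n}' is not a defined trustpoint" for n in bound if n not in trustpoints]
    webvpn = blocks.get("webvpn", [])
    if not any(s.startswith("enable ") for s in webvpn):
        findings.append("webvpn is not enabled on any interface")
    if "svc enable" in webvpn:
        findings.append("'svc enable' is set but clientless access does not need it")
    for head, subs in blocks.items():
        if head.startswith("group-policy ") and head.endswith(" attributes"):
            for s in subs:
                if s.startswith("vpn-tunnel-protocol ") and clientless_keyword not in s.split()[1:]:
                    findings.append(f"{head.split()[1]}: '{s}' lacks {clientless_keyword}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_clientless(SAMPLE)))
```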