ASA: webvpn: Group-url command

Hello,

I don't understand how the group-url command works. From the command reference:

"Specifying a group URL or IP address eliminates the need for the user to select a group when connecting. When a user connects, the adaptive security appliance looks up the URL/address the user entered in the tunnel-group policy table."

When I type:

ASA-1(config-tunnel-webvpn)# group-url https://100.60.10.100/ssl enable

What does the ASA do? Does it compare the client's source IP with this IP and check the HTTP request for "ssl" in the URL, and only if both match does it assign the user to this tunnel-group?

What happens if I type:

ASA-1(config-tunnel-webvpn)# group-url https://www.cisco.com/ssl enable

What exactly is the ASA looking for with this command?

Thanks

Group-url is another way to assign users to the right tunnel-group and group policy. It is configured under the webvpn-attributes of the tunnel-group. You must specify a URL for each tunnel-group.

When a WebVPN request arrives at the ASA on the WebVPN-enabled interface and the URL matches any of the group-urls configured in a tunnel-group, that tunnel-group is used for the WebVPN session.

It can be done in two ways: with either the IP address or the fully qualified domain name.

Thank you

Ajay
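The following Python model, added here as an illustration and not code from the ASA or from anyone in the thread, shows the selection rule Ajay describes: the URL the client actually requested (host plus path) is compared with the group-urls configured under each tunnel-group, a match selects that tunnel-group, and with no match the user falls back to choosing a group. The tunnel-group names and URLs are constructed for the example, and the assumption that the comparison is against what the client requested (rather than the client's source IP) is the model's own; it also explains why a group-url naming a host such as www.cisco.com only ever matters if clients resolve that name to the ASA.

```python
"""Illustrative model of tunnel-group selection by group-url (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class TunnelGroup:
    """A tunnel-group with the URLs entered via 'group-url <url> enable'."""
    name: str
    group_urls: List[str] = field(default_factory=list)


def _normalise(url: str) -> Tuple[str, int, str]:
    """Reduce a URL to (host, port, path) so host case and trailing slashes do not matter.

    The path is compared as written, so /ssl and /SSL are different group-urls.
    WebVPN is HTTPS, hence the default port of 443 when none is given.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or 443
    path = parts.path.rstrip("/") or "/"
    return host, port, path


def select_tunnel_group(requested_url: str, groups: Iterable[TunnelGroup]) -> Optional[str]:
    """Return the name of the first tunnel-group whose group-url equals the requested URL.

    None means no group-url matched, i.e. the user would get the group drop-down
    (assuming the portal still offers it) instead of being placed directly.
    """
    wanted = _normalise(requested_url)
    for tg in groups:
        for gurl in tg.group_urls:
            if _normalise(gurl) == wanted:
                return tg.name
    return None


def url_kind(url: str) -> str:
    """Report whether a configured group-url names the ASA by IP address or by FQDN."""
    host = urlsplit(url).hostname or ""
    try:
        ip_address(host)
        return "ip"
    except ValueError:
        return "fqdn"


# Constructed configuration mirroring the two commands asked about in the thread.
GROUPS = [
    TunnelGroup("ssl-users", ["https://100.60.10.100/ssl"]),
    TunnelGroup("CustomerB", ["https://remote.customerb.com/"]),
]

if __name__ == "__main__":
    for url in ("https://100.60.10.100/ssl", "https://100.60.10.100/other",
                "https://REMOTE.customerb.com", "https://www.cisco.com/ssl"):
        print(url, "->", select_tunnel_group(url, GROUPS))
```

Run it directly to see which requests land in which tunnel-group; the last URL returns no match because nothing in the constructed configuration names www.cisco.com, which is the situation the question's second command would create for any client that does not resolve that name to the ASA.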

Tags: Cisco Security

Similar Questions

  • ASA and group URL

    So I need to provide two SSL VPN environments for two different customers on the same ASA 5510 appliance. Can I create two group policies, each with a unique group-url, and then assign a certificate corresponding to each group-url? From an IP point of view, they would all be hitting the same outside IP address.

    Ex:

    Group_policy: CustomerA

    Group URL: https://remote.customera.com

    SSL certificate: remote.customera.com

    Group_policy: CustomerB

    Group URL: https://remote.customerb.com

    SSL certificate: remote.customerb.com

    Thank you!

    -Craig

    Hey Craig,

    Let me split your question into 2 parts:

    1. Can you use 2 different URLs on the ASA for two separate connection profiles?

    2. Can you use 2 separate certificates to validate the two URLs?

    Regarding your first question, yes it is possible. You will need to create 2 separate group policies and 2 connection profiles (aka tunnel-groups). Under each tunnel-group define a separate group-url and assign the corresponding group policy. Your configuration might look like this:

    ASA(config)# group-policy CustomerA internal
    ASA(config)# group-policy CustomerA attributes

    .
    .
    .

    (configure the respective attributes)

    ASA(config)# tunnel-group CustomerA type remote-access
    ASA(config)# tunnel-group CustomerA general-attributes
    ASA(config-tunnel-general)# default-group-policy CustomerA

    ASA(config)# tunnel-group CustomerA webvpn-attributes

    ASA(config-tunnel-webvpn)# group-url https://ASA1/remote.customera.com

    Repeat the steps above, replacing "CustomerA" with "CustomerB".

    As for your second question, you can only configure one trustpoint to be used with a single interface. So do one of the following:

    1. Get a UCC (Unified Communications Certificate) for your ASA:

    Get a UCC with multiple CNs/SANs (Subject Alternative Name extensions), one for each ASA FQDN/IP. If you need a single UCC certificate, set the CN to the FQDN or IP of the master and add a SAN for each ASA: ASA-1 FQDN or IP, ASA-2 FQDN or IP, and so on. Several PKI/certificate vendors support UCC: entrust.com, verisign, godaddy.com, etc.

    Note: the ASA cannot generate a certificate signing request (CSR) with multiple SANs (CSCso70867 is the enhancement request for this capability), so you must have the PKI vendor build the entry for you.

    Create a trustpoint on the ASA and install/import the UCC certificate into this trustpoint. Bind this trustpoint to the outside interface.

    2. OR a wildcard certificate. Wildcard certificates are discouraged in favour of UCC certs. According to one vendor, Entrust, these are the 2 main reasons:

    1. UCC is more secure than wildcard certificates, since Entrust UC certificates specify exactly the hosts and domains that must be protected
    2. UCC is more flexible than wildcard certificates, since Entrust UC certificates are not limited to a single domain

    I hope this helps.

    Kind regards

    ATRI

  • The WebVPN portal on ASA 8.0(4): group-url

    Hi all

    I have a problem when I try to use the group-url command to directly select the group for an SSL VPN without the drop-down list.

    I configured group-url https://a.a.a.a:port/test enable in the tunnel-group, but even when I put it in my browser I still see the drop-down list.

    This happens with ASA 8.0(4).

    I have an ASA 8.2(1) and I did not have this problem there.

    I noticed this difference in the login page URL after redirection:

    8.0(4): https://a.a.a.a:port/+CSCOE+/logon.html?token=4D6912AB72A1FCFA2643F325

    8.2(1): https://a.a.a.a:port/+CSCOE+/logon.html?tg=test&token=4D6912AB72A1FCFA2643F325

    Any suggestions?

    Thank you in advance!

    There are a few bugs related to group-url in 8.0.4. In your test above, what port did you set the ASA to listen on for WebVPN connections? If something other than port 443, you may be running into bug CSCsu77167.

  • DMP-4400 URL command to play the video/load Playlist

    I would like to be able to play a video on the DMP by launching a URL command. I haven't managed to find the correct syntax.

    If I go to DMP Manager -> Display Actions -> Media playback and insert the URL there, it plays immediately on the DMP. I would like to reproduce this via the URL command line.

    The media is hosted on a DMM system: http://10.41.25.13/content/f208b20d-58ee-499b-ad82-c8f092ad19c7.mpeg

    Also, can this command be changed to call a playlist from the DMM instead of just a video?

    Thank you

    OK, I see what you want now. My link was just to play a video from another web resource. Try this on a 4400 for your DMM playlist:

    https://:7777/set_param?init.BROWSER_CMD=http://10.41.25.13:8080/xTAS-core/api/xml/app/playlist/start_playlist_11...

    And for your video file presentation:

    https://:7777/set_param?init.BROWSER_CMD=http://10.41.25.13:8080/xTAS-core/appgen/clad/clad_127_.htm&init.TVZILLA...

    Hope that helps...

    William - Appspace

  • Which Cisco ASA supports DH group 14 and above?

    Which Cisco ASA supports DH group 14 and above?

    Model and IOS?

    Hi John,

    You must have the ASA running code 9.1 or above for DH group 14, and this only works for IKEv2.

    Kind regards

    Aditya

    Please rate helpful posts and mark the correct answers.

  • Cisco ASA webvpn - logging of the ACL

    Hello

    I am trying to configure my Cisco ASA 5520 so that clientless webvpn connections get logged. My ACEs are getting hit, but no log entry is created:

    access-list SSLVPN_Personal; 2 elements
    access-list SSLVPN_Personal line 1 webtype permit url https://*.XYZ.ABC.de log alerts interval 1 (hitcnt=41)

    How can I check what the webvpn users do?

    Look at syslogs 716003 and 716004: http://www.cisco.com/en/US/partner/docs/security/asa/asa83/system/message/logmsgs.html#wp4776945

    716003

    Error Message   %ASA-6-716003: Group group User user IP ip WebVPN access GRANTED: url

    Explanation: The WebVPN user in this group at the specified IP address was granted access to that URL. The user's access to various locations can be controlled using a WebVPN-specific ACL.

    Recommended Action: None required.

    716004

    Error Message   %ASA-6-716004: Group group User user WebVPN access DENIED to specified location: url

    Explanation: The WebVPN user in this group was denied access to this URL. The user's access to various WebVPN locations can be controlled using a WebVPN-specific ACL. In this case, a particular entry is denying access to this URL.

    Recommended Action: None required.

  • ASA remote access VPN query - several group policies for a single connection profile

    Hi all

    Two quick questions here that I need help with.

    1. On an ASA 5525, is it possible to have several group policies for a single connection profile?

    Scenario: a customer is running F5 FirePass as their VPN solution, and this device lets them have multiple group policies per connection profile. We plan to migrate them to an ASA 5525 and I don't know whether the ASA can support that.

    2. On an ASA 5525 for clientless remote access VPN, can we pass the login page to an external server? For example, if I have a connection profile set up with the URL "https://wyz.vpn.com/" for LDAP/RADIUS authentication, but for https://wyz.vpn.com/data and https://wyz.vpn.com/test I want HTTP form-based authentication, and this page needs to be served by an external server; that is to say the ASA would not manage this page, rather the first page is served by the external server.

    Scenario: one of our clients is running F5 FirePass as their VPN solution. On the F5 they have configured pages such as https://wyz.vpn.com/ that the F5 shows to the user when they connect via clientless VPN; however, if the user types https://wyz.vpn.com/data in the browser, the traffic reaches the F5, but the F5 redirects this traffic to an external server (with an external URL as well). It is then this external server that sends the user the first page requesting the credentials for HTTP form-based authentication.

    Thanks in advance to all!

    Hello

    You can only have fallback to LOCAL from the primary method.

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa90/configuration/gu...

    HTH

    Averroès.

  • ASA, blocking long URL access

    Hi Forum,

    I can't seem to find an answer to why my ASA blocks access to long URLs. Below is the only HTTP filtering configuration I can find on my firewall. What are the default settings? How can I enable it, and is there a better way?

    I use an ASA5500.

    Thank you very much

    Paul

    http-map inbound_http

    content-length min 100 max 2000 action allow

    content-type-verification match-req-rsp action allow

    max-header-length request 100 action allow

    max-uri-length 100 action allow

    Do you have any filter http commands and a url-server configured? If so, there is an option to truncate long URLs.

    Also, bugs seem to exist in the HTTP inspection engine in versions after 7.1(2). Try disabling HTTP inspection and see if the problem goes away.

    Andrew

  • Diffie-Hellman - ASA firewall groups

    Hi all

    A couple of questions I hope you can help me with.

    Please can you tell me where I would change the Diffie-Hellman group for phase 1 on an ASA firewall, and is it possible in ASDM?

    Also, must you enable PFS to have DH in phase 2?

    Thank you very much

    Alex

    Hello Alex,

    You can change the Diffie-Hellman group for phase 1 on the ASA by configuring the following commands:

    crypto isakmp policy <priority>

    group <number>

    To configure the same in ASDM, go to

    Configuration > Site-to-Site VPN > Connection Profiles > Add/Edit

    You will find it under the IPsec settings, Encryption Algorithms. Click the 'Manage' icon to the right of "IKE Policy". Click OK.

    Click Add/Edit and there will be an option to change the Diffie-Hellman group.

    And finally, regarding the PFS question: you can enable PFS to use DH in phase 2. Enabling PFS forces a new DH key exchange for phase 2.

    Note: it is not mandatory, it's optional. If it's configured on one side, then it must be configured on the remote side as well.

    Kind regards

    Dinesh Moudgil

  • ASA access-list error | ERROR: % Incomplete command

    Hi all

    I am trying to enter the following rule but I get an error message. I already have a similar rule in the firewall, so I don't really understand what the problem is or how to go about troubleshooting. Can anyone help?

    access-list acl_inside extended permit object-group 16-09-08F 132.235.192.0 255.255.192.0 eq https log

    (config)# access-list acl_inside extended permit object-group$

    access-list acl_inside extended permit object-group 16-09-08F 132.235.192.0 255.
    255.192.0 eq https log
    ^
    ERROR: % Invalid Hostname

    SAME THING WITHOUT LOG:

    (config)# access-list acl_inside extended permit object-group$

    access-list acl_inside extended permit object-group 16-09-08F 132.235.192.0 255.
    255.192.0 eq https
    ERROR: % Incomplete command

    SAME STUPID ERROR.

    THE SIMILAR RULE:

    # show access-list | i 132.235.192.0
    access-list acl_inside line 2767 extended permit tcp object-group 16/06/29 X-2 132.235.192.0 255.255.192.0 eq https

    ???????

    I'm not sure whether this warrants a Cisco case?

    FW100ABCx(config)# object-group network 16-09-08F
    FW100ABCx(config-network)# network-object host 172.191.235.136
    Adding obj (network-object host 172.191.235.136) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)# network-object host 172.191.235.135
    Adding obj (network-object host 172.191.235.135) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)# network-object host 172.191.235.134
    Adding obj (network-object host 172.191.235.134) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)# network-object host 172.52.134.76
    Adding obj (network-object host 172.52.134.76) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)#
    FW100ABCx(config-network)# access-list acl_inside extended permit object-group$

    access-list acl_inside extended permit object-group 16-09-08F 132.235.192.0 255.255.192.0 eq 443
    ERROR: % Incomplete command

    Hello Hassan,

    You're missing the protocol keyword (tcp/udp).
    Try this:

    object-group network 16-09-08F
    network-object host 172.191.235.136

    access-list acl_inside extended permit tcp object-group 16-09-08F 132.235.192.0 255.255.192.0

    Regards
    Dinesh Moudgil

    PS: Please rate helpful posts.

  • Any reason AAA is limited to 16 server groups on the ASA?

    I wonder why there is a limit on all Cisco ASA models when it comes to the number of AAA server groups, only 16? I guess it shouldn't be that difficult for the ASA's OS to allow several more AAA server groups and servers per device? Is this just for marketing reasons or what? :)

    Oscar

    An enhancement request has been made to increase this value.

    If you open a TAC case and ask that it be attached to the bug:

    CSCsh23977 Capability for more than 15 AAA server groups on the ASA

    This will put more weight behind this enhancement and it is more likely to be processed quickly.

    That should help with your problem.

  • ASA WebVPN (8.0(3)) default homepage howto

    Hello

    I set up an ASA 5505 (8.0.3) with webvpn. When I connect to the device via the web, I get to the customized homepage. But it goes directly to "AnyConnect" instead of the "Home" page. How can I change this? I think it's something simple, but I can't find it! See the screenshot for more details.

    Thnx!

    Check that the policy being applied is the right one. The following link can help you:

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/WebVPN.html

  • ASA WebVPN/SSL Client licenses

    Do the SSL client licenses on the ASA require a key to install? We have 5 remote sites each using an ASA5510 and requiring a small number of WebVPN connections (some more than others). What I want to know is: can I buy the 100-user license and split the users among the 5 ASAs as required, or do I have to buy five separate licenses?

    You cannot divide a single 100-user license. You get 2 with the base license, and then you can get 10, 25, 50, 100 and 250 license increments per device, according to Cisco.

  • ASA WebVPN with SSO on OWA 2010 Exchange

    Hello, I was using WebVPN (clientless) with SSO on Exchange OWA 2003 and it worked very well with these SSO POST authentication settings:

    URL: https:///exchweb/bin/auth/owaauth.dll

    destination https:///exchange/
    flags 0

    username domain\username CSCO_WEBVPN_USERNAME

    password CSCO_WEBVPN_PASSWORD

    SubmitCreds Log+On

    forcedownlevel 0

    trust 0

    Now I'm trying to do the same thing with OWA 2010 and it doesn't work. I always get an error about the user credentials.

    For Exchange 2010, I use these settings:

    URL: https:///owa/auth.owa

    destination https:///owa/
    flags 0

    username DOMAIN\CSCO_WEBVPN_USERNAME

    password CSCO_WEBVPN_PASSWORD

    SubmitCreds Log+On

    forcedownlevel 0

    trust 0

    Anyone know how to fix this?
    Does anyone have it working?

    Any help?

    Thank you

    In this configuration, I had to change to HTTP (on the client side). It also works fine over HTTPS.

    Download this tool: http://www.fiddler2.com/fiddler2/.

    URL: http://internal-mail-server-ip/owa/auth/owaauth.dll

    POST parameters:

    destination: http://internal-mail-server-ip/owa/

    flags: 0

    forcedownlevel: 0

    Trust: 0

    username: CSCO_WEBVPN_USERNAME

    password: CSCO_WEBVPN_PASSWORD

    isUtf8: 1

    Regards,

    Norbert

    Hope this helps... Please rate if useful

  • ASA WebVPN SSO with Cacti

    Hello

    I use SSO with HTTP POST parameters for single sign-on to web applications behind my ASA.

    I am currently playing with Cacti.

    My settings are:

    action = login

    login_username = CSCO_WEBVPN_USERNAME

    login_password = CSCO_WEBVPN_PASSWORD

    realm = ldap

    The login works fine, but after the POST, the web server sends an HTTP "302 OK" code. Normally it should be "302 Moved" or "200 OK".

    The ASA does not understand what to do, does nothing, and replies with the error "Server is not available".

    When I press the 'Home' button and click the Cacti bookmark again, I am logged in to Cacti. It seems that a cookie or something is missing.

    When I do exactly the same with a browser, it sends the normal GET after the "302 OK" and I am logged in.

    It seems to me to be a bug in Cacti, but I'm also not sure whether the ASA is responding properly?

    Also, when I change the bookmark type from https to post, it works! BUT: the post plugin only supports http and not https, so my credentials are sent in the clear on the internal network.

    Any ideas?

    Thank you

    MB

    Configure the POST plugin for HTTPS by using the csco_proto=https parameter
    in the Post-Plugin URL.
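The "Cisco ASA webvpn - logging of the ACL" thread above answers the logging question by pointing at syslog IDs 716003 (access GRANTED) and 716004 (access DENIED). The following Python script, added here as an example and not code from Cisco or from anyone in the thread, parses those two message formats out of a syslog feed, ignores unrelated ASA messages, tallies granted and denied URL accesses per WebVPN user, and flags users whose denied count reaches a threshold, which is the kind of check a defender would run over the log the poster was asking how to obtain. The sample log lines are constructed (group, user, IP and URL values are made up); the angle brackets around the field values are an assumption about how the ASA renders those fields, and the regular expressions accept the messages with or without them.

```python
"""Parse ASA WebVPN URL-access syslogs (716003/716004) and summarise them (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample syslog lines; the last one is an unrelated message that must be skipped.
SAMPLE_LOG = """\
%ASA-6-716003: Group <SSLVPN_Personal> User <alice> IP <192.0.2.10> WebVPN access GRANTED: https://intranet.xyz.abc.de/
%ASA-6-716004: Group <SSLVPN_Personal> User <alice> WebVPN access DENIED to specified location: https://hr.example.internal/payroll
%ASA-6-716003: Group <SSLVPN_Personal> User <bob> IP <198.51.100.7> WebVPN access GRANTED: https://wiki.xyz.abc.de/
%ASA-6-716004: Group <SSLVPN_Personal> User <alice> WebVPN access DENIED to specified location: https://hr.example.internal/admin
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

# Field values may or may not be wrapped in <...>; "<?" and ">?" tolerate both renderings.
_FIELD = r"<?(?P<{name}>[^>\s]+)>?"
GRANTED_RE = re.compile(
    r"%ASA-\d-716003: Group " + _FIELD.format(name="group")
    + r" User " + _FIELD.format(name="user")
    + r" IP " + _FIELD.format(name="ip")
    + r" WebVPN access GRANTED: (?P<url>\S+)"
)
DENIED_RE = re.compile(
    r"%ASA-\d-716004: Group " + _FIELD.format(name="group")
    + r" User " + _FIELD.format(name="user")
    + r" WebVPN access DENIED to specified location: (?P<url>\S+)"
)


def parse_webvpn_access(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one event dict per 716003/716004 line; other syslog lines are ignored.

    716004 carries no client IP in its format, so 'ip' is None for denied events.
    """
    events: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = GRANTED_RE.search(line)
        if m:
            events.append({"decision": "granted", **m.groupdict()})
            continue
        m = DENIED_RE.search(line)
        if m:
            events.append({"decision": "denied", "ip": None, **m.groupdict()})
    return events


def summarise_by_user(events: List[Dict[str, Optional[str]]]) -> Dict[str, Dict[str, int]]:
    """Count granted and denied URL accesses per WebVPN user."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"granted": 0, "denied": 0})
    for ev in events:
        summary[ev["user"]][ev["decision"]] += 1
    return dict(summary)


def users_over_denied_threshold(events: List[Dict[str, Optional[str]]], threshold: int = 2) -> List[str]:
    """Users whose denied count is at least `threshold`, sorted by name; a simple review trigger."""
    summary = summarise_by_user(events)
    return sorted(u for u, counts in summary.items() if counts["denied"] >= threshold)


if __name__ == "__main__":
    evs = parse_webvpn_access(SAMPLE_LOG)
    for user, counts in summarise_by_user(evs).items():
        print(f"{user}: granted={counts['granted']} denied={counts['denied']}")
    print("review:", users_over_denied_threshold(evs))
```

Feed it the ASA's syslog output instead of SAMPLE_LOG to get the per-user picture the poster wanted; a 716004 line is the log entry the webtype ACL produces when a URL is refused, so a user who accumulates them is probing beyond what their bookmark list exposes.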
