CA IOS for SSL VPN
How do you configure an IOS CA server to authenticate SSL VPN users when you are not using a domain name?
My public IP address is (for example) 1.1.1.1. I'm not going to use this with a domain name. How should my CA server / trustpoint be configured so that users do not get certificate errors after the certificate has been installed?
I have the SSL VPN up and working; I can even connect using AnyConnect 2.3, but not 2.5. I know a workaround for this is to modify the hosts file, but is there another way to get around it by configuring the CA server or trustpoint? Thanks for the help.
Triton.
Hi Triton,
To avoid the name-mismatch warning, make sure that the CN of the certificate contains the IP address of the SSL VPN gateway.
For example:
crypto ca trustpoint bla
 subject-name CN=1.1.1.1
Then (re-)enroll the trustpoint to get a new certificate with the correct subject. If users have installed the CA cert, they don't need to change anything. If they have installed the server certificate, they will have to install the new one.
HTH
Herbert
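As an added check (example code, not from this thread), the following Python inspects a certificate in the dictionary shape that Python's ssl getpeercert() returns and reports what a client connecting to the gateway address would complain about: a name mismatch, an address that is only in the CN (which stricter clients that match on subjectAltName still reject), or a validity-period problem caused by an expired certificate or an unsynchronised clock. The certificate dictionaries and the "current time" are constructed for the example.

```python
import ipaddress
import ssl

# Certificates in the shape returned by ssl.SSLSocket.getpeercert(),
# constructed for this example (not real certificates).
CERT_HOSTNAME_CN = {
    "subject": ((("commonName", "sslvpn.example.invalid"),),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2012 GMT",
}
CERT_IP_CN_ONLY = {
    "subject": ((("commonName", "1.1.1.1"),),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2012 GMT",
}
CERT_IP_CN_AND_SAN = {
    "subject": ((("commonName", "1.1.1.1"),),),
    "subjectAltName": (("IP Address", "1.1.1.1"),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2012 GMT",
}
# Assumed "current time" for the validity check, as epoch seconds.
NOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2011 GMT")


def cert_names(cert):
    """Split a getpeercert() dict into CNs, SAN DNS names and SAN IP addresses."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    return cns, dns_names, ip_names


def check_gateway_cert(cert, gateway, now=NOW):
    """Return the warnings a client connecting to `gateway` would raise.

    'name-mismatch'  : gateway appears neither in the CN nor in the SAN.
    'ip-only-in-cn'  : gateway is an IP found only in the CN; clients that
                       match on subjectAltName want a SAN IP entry as well.
    'not-yet-valid' / 'expired': validity window vs. the client's clock.
    """
    warnings = []
    cns, dns_names, ip_names = cert_names(cert)
    try:
        target_ip = str(ipaddress.ip_address(gateway))
    except ValueError:
        target_ip = None  # gateway is a hostname, not an IP literal
    if target_ip is not None:
        if target_ip in ip_names:
            pass  # strict SAN match, no warning
        elif target_ip in cns:
            warnings.append("ip-only-in-cn")
        else:
            warnings.append("name-mismatch")
    elif gateway.lower() not in [n.lower() for n in cns + dns_names]:
        warnings.append("name-mismatch")
    # Validity window: both ends are checked against the supplied clock.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        warnings.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("expired")
    return warnings
```

A live check would replace the constructed dictionaries with the result of ssl.SSLSocket.getpeercert() from a connection to the gateway.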
Tags: Cisco Security
Similar Questions
-
Dear all,
I have an ASA 5510 running version 8. I want to know which image is for SSL VPN, but I don't know which...
Please help me; the listing shows...
HQ-ASA5510# sh fla
--#--  --length--  -----date/time------  path
177  14137344  January 1, 2003 00:06:12  asa804-k8.bin
75  4096  November 21, 2008 12:17:46  log
79  4096  November 21, 2008 12:18  crypto_archive
178  7562988  November 21, 2008 12:19:30  asdm-613.bin
180  4863904  November 21, 2008 12:21:10  securedesktop_asa_3_3_0_129.pkg.zip
181  4096  November 21, 2008 12:21:10  sdesktop
188  1462  November 21, 2008 12:21:10  sdesktop/data.xml
182  2153936  November 21, 2008 12:21:10  anyconnect-win-2.2.0133-k9.pkg
183  3446540  November 21, 2008 12:21:12  anyconnect-macosx-powerpc-2.2.0133-k9.pkg
184  3412549  November 21, 2008 12:21:16  anyconnect-macosx-i386-2.2.0133-k9.pkg
185  3756345  November 21, 2008 12:21:16  anyconnect-linux-2.2.0133-k9.pkg
For version 7 it showed the SSL VPN.
Please help me with which line is the SSL VPN.
Best regards
Rechard
Richard, you already have the code that supports SSL WebVPN on your ASA.
See the SSL VPN / WebVPN page below for more detailed examples; it provides all the necessary information for any additional/optional plug-ins needed.
http://www.Cisco.com/en/us/products/ps6120/prod_configuration_examples_list.html
Details of the sample SSL VPN configurations and types... all SSL.
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00806ea271.shtml
What you have in your ASA directory applies to the AnyConnect client, which is also SSL driven but is a bit different from plain SSL WebVPN. I suggest you go to the configuration examples link, which can provide information on the implementation of the various SSL VPNs.
Regards
-
Requirements of LDAP for SSL - VPN on ASR 1002
Hi all
I intend to implement SSL VPN (AnyConnect) on an ASR 1002 router running IOS-XE Software Version 15.1(3)S2.
I need to use LDAP for user authentication and need to understand what the requirements are for using LDAP via RADIUS/TACACS+.
Do I have to use Cisco ACS, or can I use something like Microsoft IAS or FreeRADIUS?
Any help will be greatly appreciated.
Thank you
Dmitry.
Yes, you can use either the LDAP, RADIUS or TACACS+ protocols to authenticate SSL VPN users.
You can use any authentication server (it doesn't have to be Cisco ACS), as long as it supports one of the 3 authentication protocols (LDAP, RADIUS or TACACS+).
Hope that answers your question.
-
IP routing on ASA for SSL VPN
I have a question. Let's say the internal DHCP network is 192.168.0.0 and I configure SSL VPN on the ASA to assign IP addresses from the 10.0.0.0 network; where must routing be configured so that the client can route between the networks?
2. Let's say I'm using 192.168.10.0/.20.0/.30.0 in my network; if I configure the ASA to assign from 30.0, will there be a DHCP conflict? Or will the ASA DHCP only respond to outside requests (I mean AnyConnect)?
Hello
You don't have to use a dynamic routing protocol unless you need/want to. In a simple network you could just use static routes.
Whichever way you manage your routing, I don't think it really changes the configuration at all.
This of course assumes that the ASA is the default route out of your network. Then all traffic to the VPN pool networks would naturally always be reachable from the local network, as the default route would already be forwarding all traffic to networks outside the local network to the ASA.
However, if the ASA is not the gateway device for all Internet traffic on your network, then you will need to manage the routing so that the networks/subnets used as the VPN pools are routed to the ASA on the local network.
-Jouni
-
RVL200 firmware 1.1.12.1 - Windows 7 still does not work for SSL VPN
Trying to connect to the RVL200 SSL VPN using Windows 7, IE 8.
After updating to firmware 1.1.12.1, I am able to install the webcachecleaner, but when I click on the padlock on the screen, I get
"Error: Virtual Passage not installed. Please install as Administrator".
I'm already the only administrator on the computer, and I installed the C++ 2005 Redistributable Package (x64) according to the accompanying note. The XTunnel IE add-on shows a date of 3 March 2010. The certificate is updated (expires 2011).
Any ideas how to get around this problem?
Thank you. Christina
On Windows 7 or Vista, Internet Explorer does not always run with administrator privileges. You must select the "Run As Administrator" option when you start IE v8.
-
SHA - 256 signed Cert for SSL VPN
I get an error when I try to install an identity certificate that is signed with SHA256 on an ASA 5520 running 8.3(2). I get "ERROR: cannot parse or verify the imported certificate." The correct chain of authority is in place, and if I install a SHA1-signed cert from the same company with the same chain, it works fine. Are the ASAs able to import SHA256-signed certs? Must the CSR be generated differently if you want to import a SHA256-signed certificate?
Hello
The ASAs are not currently able to import SHA256-signed certificates in the 8.3 code. It should be available some time soon; talk to your account team for more details.
-Jason
-
SSL VPN IP address other than the IP address of the interface?
Hi,
Is it possible to use a different IP address from the same subnet as the OUTSIDE interface, instead of the interface IP address itself? The idea behind it is that clients should not use the OUTSIDE interface IP address for SSL VPN, but they can use one from the IP address pool of the OUTSIDE interface.
Regards
Brassart Abbas
If SSL is terminated on an ASA firewall, you cannot terminate it on any IP address other than the outside interface.
If it is terminated on an IOS router, yes, you can use a different IP address to terminate the SSL VPN connection.
Hope that answers your question.
-
I have a couple of site-to-site VPNs working properly on an ASA 5515. I don't know what is on the other side, as I haven't seen them. I configured an SSL VPN for remote users who must be able to access resources on the remote sites. I got access to the site network without any problems and have added the IP address range for remote users to the site-to-site links, but I am unable to connect. If anyone has done this, it would be greatly appreciated if you can help.
Hi mbluemel,
You need to configure the remote side to allow traffic for the SSL VPN users.
This document lists the steps to achieve this: http://www.petenetlive.com/kb/article/0000040.htm
For more information:
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Kind regards
Dinesh Moudgil
PS: Please rate helpful messages.
-
Not getting the SSL VPN login prompt
Hi all
This is the configuration for SSL VPN on our ASA 5510. When we browse to the site with this configuration, we are unable to get the login prompt. Could you please check and suggest how to get the SSL VPN working?
Configuration
===========
webvpn
 enable outside
revert webvpn url-list Test
import webvpn url-list SSL_Bookmarks disk0:/tmpAsdmImportFile1646955469
delete /noconfirm disk0:/tmpAsdmImportFile1646955469
group-policy SSL_users internal
group-policy SSL_users attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value SSL_Bookmarks
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
 default-group-policy SSL_users
 authentication-server-group RADIUS
group-policy SSL_users attributes
 vpn-tunnel-protocol svc webvpn
tunnel-group SSL_VPN webvpn-attributes
 group-alias AnyConnect enable
webvpn
 tunnel-group-list enable
============================
Version
======
ASA-5510-1# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Wed 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
ASA-5510-1 up 57 days 9 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: Ethernet0/0         : address is 0027.0d38.034e, irq 9
 1: Ext: Ethernet0/1         : address is 0027.0d38.034f, irq 9
 2: Ext: Ethernet0/2         : address is 0027.0d38.0350, irq 9
 3: Ext: Ethernet0/3         : address is 0027.0d38.0351, irq 9
 4: Ext: Management0/0       : address is 0027.0d38.0352, irq 11
 5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
 6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Disabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 250
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled
This platform has an ASA 5510 Security Plus license.
Serial Number: JMX1350L04D
Running Activation Key: 0xef04c544 0xf4999c16 0xf4c19950 0x85684c50 0x442c3292
Configuration register is 0x1
Configuration last modified by enable_15 at 06:55:11.349 UAE Thu Nov 18 2010
ASA-5510-1#
===================
Thanks in advance
You can get the 3DES activation key from the license page (it's free):
https://Tools.Cisco.com/swift/licensing/PrivateRegistrationServlet?DemoKeys=Y
(Click on Cisco ASA 3DES/AES license)
It can work with just DES; however, your browser might not support DES. The browser asks for the policy there and sees what the ASA has set up, but I know a lot of the newer browsers will not load it any more; still, feel free to try.
-
SSL VPN 25 user license - impossible to get more than 2 SSL VPN connections
Hello
I just installed a Premium 25-user license for SSL VPN on my Cisco ASA5505. Even though it states that the license is installed, I still get only two AnyConnect SSL VPN client connections and the third fails systematically. What am I missing?
Thanks for posting to the forum that the problem has been resolved, what caused the problem and what was done to solve it. The forum is most useful when people can read about a problem and can also read what the problem turned out to be and what was done to solve it. I think it is also a good example to remind us that sometimes the problem is not in our configuration, or even in the area that we administer. So sometimes we have to look beyond our normal domain to find the source of the problem.
Marking it resolved makes it even more obvious to readers that they will find a solution to the problem. So thank you for marking the issue as resolved.
HTH
Rick
-
How to limit maximum SSL VPN sessions by group policy on ASA5510?
How to limit maximum SSL VPN sessions by group policy on ASA5510?
There are ideas?
There are 2 group policies: in the first a maximum of 10 connections, in the second 15 (25 SSL VPN connection licenses in total).
Hi Anton,
It is an interesting question.
Please check the following options, depending on your scenario:
simultaneous VPN connections
To configure the number of simultaneous connections allowed for a user, use the vpn-simultaneous-logins command in group-policy configuration or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. Enter 0 to disable login and prevent user access.
vpn-simultaneous-logins {integer}
no vpn-simultaneous-logins
http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/uz.html#wp1664777
There is also a global command; although it may not be useful here, I wanted to share it with you:
vpn-sessiondb max-session-limit
--> Specifies the maximum limit of VPN sessions.
Best option:
What you can do is to create an IP pool of 10 IP addresses in one and 15 in the other; this way you allow only 10 and 15 connections respectively.
ip local pool only_10 192.168.1.1-192.168.1.10
ip local pool only_15 192.168.2.1-192.168.2.15
Then,
group-policy only_10 attributes
 address-pools value only_10
!
group-policy only_15 attributes
 address-pools value only_15
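As an added check (example code, not from this thread), the following Python parses "ip local pool" lines in either the ASA "start-end" or IOS "start end" form, counts how many clients each pool can serve, compares the total against the license count, and flags pools that overlap the internal subnets, which is the DHCP-conflict question from the routing thread above. The config lines, subnets and license count are constructed; the check rejects a pool whose end precedes its start.

```python
import ipaddress
import re

# Constructed "ip local pool" lines (ASA start-end form and IOS start end form)
# and the internal subnets the VPN pools must not overlap.
POOL_LINES = [
    "ip local pool only_10 192.168.1.1-192.168.1.10 mask 255.255.255.0",
    "ip local pool only_15 192.168.2.1-192.168.2.15 mask 255.255.255.0",
    "ip local pool vpn_30 192.168.30.50 192.168.30.60",
    "ip route 0.0.0.0 0.0.0.0 192.168.10.1",   # unrelated line, must be skipped
]
LAN_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]
LICENSE_LIMIT = 25  # assumed SSL VPN license count

_POOL_RE = re.compile(
    r"^ip local pool (?P<name>\S+) (?P<start>[\d.]+)\s*-?\s*(?P<end>[\d.]+)"
)


def parse_pools(lines):
    """Return {name: (start_ip, end_ip)} for every 'ip local pool' line."""
    pools = {}
    for line in lines:
        m = _POOL_RE.match(line.strip())
        if not m:
            continue
        start = ipaddress.ip_address(m["start"])
        end = ipaddress.ip_address(m["end"])
        if end < start:  # e.g. 192.168.2.1-192.168.1.15: an invalid range
            raise ValueError(f"pool {m['name']}: end {end} precedes start {start}")
        pools[m["name"]] = (start, end)
    return pools


def pool_size(pool):
    """Number of addresses, i.e. the most concurrent clients the pool can serve."""
    start, end = pool
    return int(end) - int(start) + 1


def pool_overlaps(pool, subnets):
    """Return the subnets whose address space intersects the pool's range."""
    start, end = pool
    hits = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=False)
        if int(net[0]) <= int(end) and int(start) <= int(net[-1]):
            hits.append(s)
    return hits


def audit(lines, subnets, license_limit):
    """Per-pool size and overlaps, the grand total, and whether it fits the license."""
    pools = parse_pools(lines)
    report = {
        name: {"size": pool_size(p), "overlaps": pool_overlaps(p, subnets)}
        for name, p in pools.items()
    }
    total = sum(r["size"] for r in report.values())
    return report, total, total <= license_limit
```

A pool that overlaps an internal subnet is the "DHCP conflict" case: the same addresses would be handed out on the LAN and to VPN clients.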
-
Clientless SSL VPN access to HP iLO
Equipment:
ASA5505
Clientless SSL VPN access is configured and works fine for everything except connectivity to an HP iLO. When I go to the http address, I see the redirect page, but as soon as it accesses the https page, I get the following text:
Connection failed. Server 192.168.10.252 unavailable. This happens on all HP iLO web sites that I'm trying to connect to.
Here is my config for debugging:
debug webvpn html 255
debug webvpn request 255
debug webvpn response 255
debug webvpn url 255
debug webvpn util 255
When I try to reach the site, I get the following:
#0xcb4dc9c0 (GET) Request line: /+CSCO+0075676763663A2F2F697A7679622E716E79766176662E7962706E79++/login.htm
#0xcb4dc9c0 hand-off to CTE.
#0xcb4dc3c0 (GET) Request line: /+CSCOE+/portal.css
#0xcb4dc3c0 (response) start
#0xcb4dc3c0 (response) file to execute: /+CSCOE+/portal.css
#0xcb4dc3c0 (response) opened file handler [/+CSCOE+/portal.css]
#0xcb4dc3c0 (response) processing LUA page.
#0xcb4dc3c0 (response) done, persistent connection.
#0xcb4dccc0 (GET) Request line: /+CSCOU+/gradient.gif
#0xcb4dccc0 (response) start
#0xcb4dccc0 (response) file to execute: /+CSCOU+/gradient.gif
#0xcb4dccc0 (response) opened file handler [/+CSCOU+/gradient.gif]
#0xcb4dccc0 (response) processing C page.
#0xcb4dccc0 (response) done, persistent connection.
As you can see, it does not give much information. I don't really know why it does not work with HP iLO only, while it works with everything else. Any help would be greatly appreciated. Thank you.
Gus
Not exactly sure how the HP iLO application works, but if it calls Java this will cause your issue, because you are only allowing http or https through the clientless portal. Try to enable smart tunnel and allow java.exe on your local computer to use the smart tunnel. This will force your local Java client to be sent through the tunnel via SSL (443).
Sent from Cisco Technical Support iPad App
-
I'm trying to configure an SSL VPN on a 2811. I believe I have the SSL VPN part, but I can't tell because I get stuck on the certificate server, CA trustpoint configuration and the identity trustpoint.
Does anyone know of a guide that walks you through the CA cert, CA trustpoint cert and identity trustpoint for the IOS SSL VPN server? For some reason I'm having a problem entering the certificate configuration.
Thanks for the help
Triton.
Follow these steps:
> Add the SSLVPN.securemeinc.com hosts file entry on the user (client) side.
> When you open the SSL VPN page in the user's browser, right click... select "Properties...", 'View Certificate' and then save/open the certificate on the computer.
> Make sure the time is synchronized between the VPN server and client.
Regards
Farrukh
-
Router WAN double with SSL VPN inaccessible for customers
I have a Cisco 888 configured in a dual WAN setup. There is an ADSL link connected to VLAN 100 and an SDSL link associated with Dialer0. The customer wishes to use the ADSL link for normal browsing and have external SSL VPN users terminate on the SDSL connection. I tried to configure failover from the ADSL link to the SDSL link.
What works:
- Internet access for the clients
What does not work:
- The ADSL to SDSL failover.
- SSL VPN access for clients. Browsing to the external IP address only gives the default HTTP page. Specifying webvpn.html results in a 404 not found error.
Here is my configuration:
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname x
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 x
!
aaa new-model
!
!
aaa authentication login sslvpn local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3964912732
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3964912732
 revocation-check none
 rsakeypair TP-self-signed-3964912732
!
!
crypto pki certificate chain TP-self-signed-3964912732
 certificate self-signed 03
  x
  quit
ip source-route
!
!
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.10.10 192.168.10.20
!
ip dhcp pool ccp-pool
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
 dns-server 213.75.63.36 213.75.63.70
 lease 2 0
!
!
ip cef
no ip domain lookup
ip domain name x
no ipv6 cef
!
!
license udi pid CISCO888-K9 sn x
!
!
username ciscoadmin privilege 15 secret 5 x
username vpnuser password 0 x
!
!
controller DSL 0
 mode atm
 dsl-mode shdsl symmetric annex B
!
interface Loopback1
 description SSL Gateway dhcp pool address
 ip address 192.168.250.1 255.255.255.0
!
interface Loopback2
 description SSL VPN IP address
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map PBR_SSL
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc KPN 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description LAN
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
!
interface Vlan100
 description KPN ADSL 20/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
!
interface Dialer0
 description KPN SDSL 2/2
 ip address negotiated
 ip access-group INTERNET_ACL in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp pap sent-username x password 0 x
 no cdp enable
!
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool SSLVPN_SDSL 10.10.10.1 10.10.10.1 netmask 255.255.255.0
ip nat inside source static tcp 10.10.10.1 443 interface Dialer0 443
ip nat inside source static tcp 10.10.10.1 80 interface Dialer0 80
ip nat inside source route-map NAT_ADSL interface Vlan100 overload
ip nat inside source route-map NAT_SDSL pool SSLVPN_SDSL overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 0.0.0.0 0.0.0.0 Dialer0 10
!
ip access-list extended INTERNET_ACL
 remark used with CBAC
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit tcp any host 92.64.32.169 eq www 443
 deny   ip any any log
ip access-list extended LAN
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any
!
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map NAT_SDSL permit 10
 match ip address LAN
 match interface Dialer0
!
route-map NAT_ADSL permit 10
 match ip address LAN
 match interface Vlan100
!
route-map PBR_SSL permit 10
 set interface Dialer0
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn gateway MyGateway
 hostname d0c
 ip address 10.10.10.1 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3964912732
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.0217-k9.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.5.0217-k9.pkg sequence 2
!
webvpn install svc flash:/webvpn/anyconnect-macosx-powerpc-2.5.0217-k9.pkg sequence 3
!
webvpn context SecureMeContext
 title "SSL VPN Service"
 secondary-color #C0C0C0
 title-color #808080
 ssl authenticate verify all
 !
 login-message "VPN"
 !
 policy group MyDefaultPolicy
   functions svc-enabled
   svc address-pool "sslvpnpool"
   svc keep-client-installed
 default-group-policy MyDefaultPolicy
 aaa authentication list sslvpn
 gateway MyGateway
 inservice
!
end
Any suggestions on where to look?
Hello
It works for me. When the client tries to resolve the FQDN for the domain specified in "svc split dns ...", it will contact the DNS server assigned through the tunnel. For all other queries, it contacts the DNS server outside the tunnel.
Can you run a packet capture on the physical interface of the client to see the DNS query leaving?
Also, in some routers DNS is assigned as the router itself (which is usually an address 192.168.X.X), so you want to make sure that the assigned DNS server is not part of the split tunnel.
Naman
-
Hello
I want to know whether I can use the Cisco IOS SSL VPN with the AnyConnect mobile client. If yes, what are the prerequisites, and is any kind of additional license required?
Thank you
In the following article:
http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-VPN-client...
Q. Is it possible to connect the iPad, iPod or iPhone AnyConnect VPN Client to a Cisco IOS router?
A. No, it is not possible to connect the iPad, iPod or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that is running version 3,0000.1 or later. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS. For more information, refer to the Security Appliances and Software Support section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3.
--
Please do not forget to rate and choose a correct answer.