How's IOS for SSL VPN

Similar Questions

• CA IOS for SSL VPN

  How you configure a ca to ios server to authenticate users of vpn SSL during the use not a domain name?

  My public IP address is (for example) 1.1.1.1. I'm not going to use this with a domain name. How my CA server / trustpoint be configured to prevent users to get errors certificate after the certificate has been installed?

  I have the ssl vpn to the top and work, I can even connect using AnyConnect2.3, but not 2.5. I know a work around for this is to modify the hosts file, but y at - it another way to circumvent it through configure the CA server or trustpoint? Thanks for the help.

  Triton.

  Hey Newt,

  To avoid warning against an inconsistency of name, make sure that the CN of the certificate contains the IP address of the gateway SSLVPN.

  for example

  cry ca trustpoint bla

  object CN = 1.1.1.1

  then (re-) register the trustpoint to get a new certificate with the correct object. If users have installed CA cert, then they don't need to change anything. If they have the installed server certificate, they will have to install a new one.

  HTH

  Herbert

• How to limit maximum SSL VPN sessions by group policy on ASA5510?

  How to limit maximum SSL VPN sessions by group policy on ASA5510?

  There are ideas?

  There are 2-Group Policy: within a maximum of 10 connections, in the second - 15 (total licenses for SSL VPN 25 connections).

  Hi Anton,.

  It is an interesting question.

  Please check the following options, depending on your scenario:

  simultaneous VPN connections

  Pour configurer configure the number of simultaneous connections allowed for a user, use the command simultaneous vpn connections in the configuration of group policy or username configuration mode. To remove the attribute from the running configuration, don't use No form of this command. This option allows inheritance of a value from another group policy. Enter 0 to disable the connection and prevent the access of the user.

  simultaneous vpn connections {integer}

  No vpn - connections

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/uz.html#wp1664777

  There is a global command, although may not be useful, I wanted to share it with you:

  VPN-sessiondb max-session-limit

  --> To specify the maximum limit of VPN session.

  Best option:

  What you can do is to create a pool of IP 10 IP addresses in one and 15 in the other, this way you let only 10 connections and 15 respectively.

  IP local pool only_10 192.168.1.1 - 192.168.1.10

  IP local pool only_15 192.168.2.1 - 192.168.1.15

  Then,

  attributes of the strategy of group only_10

  the address value only_10 pools

  !

  attributes of the strategy of group only_20

  the address value only_20 pools

• Requirements of LDAP for SSL - VPN on ASR 1002

  Hi all

  I intend to implement SSL - VPN (AnyConnect) on a rputer ASR 1002 running IOS - XE Software Version 15.1 (3) S2.

  I need to use LDAP for authentication of users and need to understand what are the requirements for RADIUS/GANYMEDE use LDAP.

  What I have to use Cisco ACS or can I use something like Microsoft IAS or free Raduis?

  Any helo will be greatly appreciated.

  Thank you

  Dmitry.

  Yes, you can use either use LDAP, Radius or Ganymede protocols to authenticate users of SSL VPN.

  You can use no matter what authentication server (doesn't have to be Cisco ACS), as long as they have either 3 supports authentication (ldap, radius or Ganymede) protocols.

  Hope that answers your question.

• RVL200 firmware 1.1.12.1 - Windows 7 still does not work for SSL VPN

  Try to connect RVL200 SSL VPN using Windows 7, IE 8.

  After update to firmware 1.1.12.1, I am able to install the webcachecleaner, but when I tried to click on the padlock on the screen, I get

  "Error: Virtual Passage not installed."  Please install as Administrator".

  I'm already the only administrator on the computer, and I installed the C++ 2005 Redistributable Package (x 64) according to the accompanying note.  Date shows the add-on XTunnel IE 3 March 2010.  The certificate is updated (expires 2011).

  Any ideas how to get around this problem?

  Thank you.  Christina

  On Windows 7 or Vista, Internet Explorer does not always run with administrator privileges. You must select the "Run As Administrator" option when you start the IEv8.

• Routing IP will on SAA for SSL VPN

  I have a question let internal DHCP network is 192.168.0.0 and if you configure SSL VPN on ASA to assign the ip address of 10.0.0.0 network routing where must be configured so that the customer can route between network?

  2 lets say im using im 192.168.10.0/.20.0/.30.0 my network if I place ASA to assign 30.0 will be ther be conflict DHCP? or ASA DHCP will ONLY respond outside requests? (I mean Anyconnect)

  Hello

  You don't have to use a dynamic routing protocol if you need / want. In a simple network you could just use static routes.

  That is the way that manage you routing I don't think it really changes the configuration at all.

  This of course provided that the ASA is the default route outside of your network. Then all traffic to the networks VPN pool naturally would be always accessible from the local network as the default route would already be transfer all traffic to networks outside the local network to the ASA.

  However if the ASA is not device gateway for all Internet traffic on your network then you will need to manage the routing so that the networks/subnets used as the VPN pools would be routed to the ASA on the local network.

  -Jouni

• SHA - 256 signed Cert for SSL VPN

  I get an error when you try to install an identity certificate that is signed with SHA256 on an ASA 5520 with 8.3 (2) running.  I get "ERROR: cannot analyse or check the imported certificate.»  The correct string of authority is in place, and if I install a cert signed SHA1 of the same company with the same string, it works fine.  Are the ASAs able to import CERT signed SHA256?  Must the CSR be generated differently if you want to import a certificate signed SHA256?

  Hello

  The ASA are not currently able to import signed SHA256 certificates in the 8.3 code.    It should be available some time soon - talk to your team account for more details.

  -Jason

• SSL VPN IP address other than the IP address of the interface?

  Hi,
  
  Is it possibe to use a differnt IP Address from the same Subnet of OUTSIDE
  
  INTERFACE? Instead of Interface IP Address itself. The Idea behind is,
  
  Clients should not use OUTSIDE Interface IP Address for SSL VPN, but whereas they can
  
  use from the IP Address Pool of OUTSIDE Interface.
  Regards

  Brassart Abbas

  If SSL is completed on an ASA firewall, you can finish it on all other ip addresses but the external interface.

  If it is completed on a router IOS, Yes, you can use a different ip address to put an end to the SSL VPN connection.

  Hope that answers your question.

• Clientless SSL VPN access to HP iLO

  Equipment:

  ASA5505

  Access without client configured for SSL VPN and it works fine for everything except the connectivity to a HP iLO.  When I go to the http address, I see the redirect page, but as soon as it accesses the https page, I get the following text:

  Failed connection

  Server 192.168.10.252 unavailable.

  It happens on all HP iLO web sites that I'm trying to connect.

  Here is my config for debugging:

  debugging html 255 webvpn

  debugging webvpn request 255

  debugging response 255

  debugging webvpn url 255

  debugging util 255 webvpn

  When I try to reach the site, I get the following:

  #0XCB4DC9C0 (GET). Request line:/+CSCO+0075676763663A2F2F697A7679622E716E79766176662E7962706E79++/login.htm

  #0xcb4dc9c0 hand-off to CTE.

  #0XCB4DC3C0 (GET). Request line:/+CSCOE+/portal.css

  Start #0xcb4dc3c0 (response)

  #0xcb4dc3c0 of the file to run: /+CSCOE+/portal.css

  #0xcb4dc3c0 (answer) Manager open file [/ + CSCOE + / portal.css]

  #0xcb4dc3c0 (answer) page treatment LUA.

  #0xcb4dc3c0 (answer) finished, persistent connection.

  #0XCB4DCCC0 (GET). Request line:/+CSCOU+/gradient.gif

  Start #0xcb4dccc0 (response)

  #0xcb4dccc0 of the file to run: /+CSCOU+/gradient.gif

  #0xcb4dccc0 (answer) Manager open file [/ + CSCOU + / gradient.gif]

  #0xcb4dccc0 (answer) treatment C page.

  #0xcb4dccc0 (answer) finished, persistent connection.

  As you can see, it does not give much information.  I don't really know why it works not only with HP iLO, but it works with everything else.  Any help would be greatly appreciated.  Thank you.

  Gus

  Not exactly how the HP ilo application works, but if it calls java this will cause your question because you are only allowing http or https through the client less portal. Try and activate smart tunnel and allow the java.exe on your local computer to use the smart tunnel. This will force your local java client to be sent through tunnel via ssl (443)

  Sent by Cisco Support technique iPad App

• SSL vpn site to site vpn

  I have a couple of site to site VPN working properly on an ASA 5515. Don't know what is on the other side, as I haven't seen them. I configured a SSL vpn for remote users who must be able to access resources on remote sites. I got access to the network of site without any problems and and have added the range of IP addresses for remote users to links from site to site, but I am unable to connect. Anyone who has this performance, it would be greatly appreciated if you can help.

  Hi mbluemel,

  You need to configure the remote side to allow traffic from the remote side for SSL VPN users.
  This list of documents the measures taken to achieve this: -.

  http://www.petenetlive.com/kb/article/0000040.htm

  For more information: -.
  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• not having to ssl vpn login prompt

  Hi all

  This is the configuration for SSL vpn on our ASA 5510.   . If we made the reference to the site configuration, we are unable to get the login prompt. could you please check and suggest you do the work of SSL vpn

  Configuration

  ===========

  WebVPN
  allow outside
  back to url-list Test webvpn
  import webvpn url-list SSL_Bookmarks disk0: / tmpAsdmImportFile1646955469
  delete /noconfirm disk0: / tmpAsdmImportFile1646955469
  internal SSL_users group strategy
  attributes of Group Policy SSL_users
  VPN-tunnel-Protocol webvpn
  WebVPN
  the value of the URL - list SSL_Bookmarks
  type tunnel-group SSL_VPN remote access
  attributes global-tunnel-group SSL_VPN
  Group Policy - by default-SSL_users
  Group-RADIUS authentication server
  attributes of Group Policy SSL_users
  VPN-tunnel-Protocol svc webvpn
  tunnel-group SSL_VPN webvpn-attributes
  enable AnyConnect group-alias
  WebVPN
  tunnel-group-list activate

  ============================

  Version

  ======

  ASA-5510-1 # sh ver

  Cisco Adaptive Security Appliance Version 8.2 software (1)
  Version 6.2 Device Manager (1)

  Updated Wednesday, 5 May 09 22:45 by manufacturers
  System image file is "disk0: / asa821 - k8.bin.
  The configuration file to the startup was "startup-config '.

  ASA-5510-1 up to 57 days 9 hours

  Material: ASA5510, 256 MB of RAM, processor Pentium 4 Celeron 1600 MHz
  Internal ATA Compact Flash, 256 MB
  BIOS Flash Firmware Hub @ 0xffe00000, 1024 KB

  Hardware encryption device: edge Cisco ASA - 55 x 0 Accelerator (revision 0 x 0)
  Start firmware: CN1000-MC-BOOT - 2.00
  SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03
  Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.04
  0: Ext: Ethernet0/0: the address is 0027.0d38.034e, irq 9
  1: Ext: Ethernet0/1: the address is 0027.0d38.034f, irq 9
  2: Ext: Ethernet0/2: the address is 0027.0d38.0350, irq 9
  3: Ext: Ethernet0/3: the address is 0027.0d38.0351, irq 9
  4: Ext: Management0/0: the address is 0027.0d38.0352, irq 11
  5: Int: internal-Data0/0: the address is 0000.0001.0002, irq 11
  6: Int: internal-Control0/0: the address is 0000.0001.0001, irq 5

  The devices allowed for this platform:
  The maximum physical Interfaces: unlimited
  VLAN maximum: 100
  Internal hosts: unlimited
  Failover: Active/active
  VPN - A: enabled
  VPN-3DES-AES: disabled
  Security contexts: 2
  GTP/GPRS: disabled
  SSL VPN peers: 2
  The VPN peers total: 250
  Sharing license: disabled
  AnyConnect for Mobile: disabled
  AnyConnect for Linksys phone: disabled
  AnyConnect Essentials: disabled
  Assessment of Advanced endpoint: disabled
  Proxy sessions for the UC phone: 2
  Total number of Sessions of Proxy UC: 2
  Botnet traffic filter: disabled

  This platform includes an ASA 5510 Security Plus license.

  Serial number: JMX1350L04D
  Activation key running: 0xef04c544 0xf4999c16 0xf4c19950 0x85684c50 0x442c3292
  Registry configuration is 0x1
  Modified configuration of enable_15 to 06:55:11.349 UAE Thursday, November 18, 2010
  ASA-5510-1 #.

  ===================

  Thanks in adavnce

  You can get the activation key for 3des from the license page (it's free):

  https://Tools.Cisco.com/swift/licensing/PrivateRegistrationServlet?DemoKeys=Y

  (Click on Cisco ASA 3DES/AES license)

  It can work with just, however, your browser might not support SOME. The browser asks political there and see if ASA has set up, but I know that a lot of the new browser will not load more, but feel free to try.

• SSL VPN 25 user license - impossible to get more than 2 SSL VPN connections

  Hello

  I just installed a user license user Premium 25 for SSL VPN on my Cisco ASA5505.  Even though it states that the license is installed I get still only two client Anyconnect SSL VPN connections and the third fails systematically.  What Miss me?

  Thanks for posting to the forum and that the problem has been resolved, and what caused the problem and what has been done to solve the problem. It's the most useful forum when people can read on a problem and can also read what the problem turned out to be and what was done to solve the problem, I think that it is also a good example to remind us that sometimes, the problem is not in our configuration, or even in the area that we administer. So sometimes we have to look beyond our normal home to find the source of the problem.

  The question mark it resolved makes it even more obvious to readers that they will find a solution to the problem. So thank you to mark the issue as resolved.

  HTH

  Rick

• How SSL VPN packages for two ASAs clustered licenses

  Hi all!

  If I have installed two Cisco ASA 5550 (ASA5550-BUN-K9) in failover mode, which I know support only 2 concurrent sessions of SSL VPN and you want to upgrade my boxes to support 15 AnyConnect SSL VPN sessions, how many licenses packages I need to buy?

  An ASA5500-SSL-25 for both boxes or two ASA5500-SSL-25 for one per box?

  Depends on what version of ASA you are running.

  If you are running version 8.3 and above, then you just buy 1 ASA5500-SSL-25 for a failover pair and it would work. If you buy 2 ASA5500-SSL-25, one license per box in failover pair, then the license gets grouped into 50 SSL user license.

  Here is the license information for ASA version 8.3 for failover pair:

  http://www.Cisco.com/en/us/docs/security/ASA/asa83/license_standalone/license_management/license.html#wp1315746

  For ASA running version 8.2 and below, you are required to buy 2 ASA5500-SSL-25 (one of each ASA in the failover pair) as the license should be exactly the same for the pair to failover to work, in the earlier version of the SAA.

  Hope that makes sense.

• Portion of IOS SSL VPN PKI

  I'm trying to configure an SSL VPN on a 2811. I believe I have the part SSL VPN, but I can't tell because I get stuck on the certificate server, ca trustpoint configuration and the identity of trustpoint.

  Does anyone know of a guide that walks you through the cert CA, Cert ca trustpoint and identitiy trustpoint iOS SSL VPN server? For some reason, I'm having a problem to enter the configuration of the certificate.

  Thanks for the help

  Triton.

  Follow these steps:

  > Add the host SSLVPN.securemeinc.com file to the user (client)

  > When you open the SSL VPN page on the user's browser. Right click... Select "Properties..." 'See Ceriticate' and then save/open the certificate on the computer companies.

  > Make sure the time is synchronized between the VPN server and client

  Concerning

  Farrukh

• SSL VPN license for ASA

  It must be an easy question - but I'm having a hard time finding an answer. How are the SSL VPN to the end user a license?

  Let's say I have 300 users, SSL, but only 20 concurrent SSL at any time. Do I need licenses for the 300 full or 20 competitors?

  Thank you

  Jim

  Hey Jim,.

  SSL licenses for only simultaneous connections. The only limitation you will encounter is how SSL sessions each platform supports (i.e. 750 concurrent sessions on an ASA5520).