possible redirect Web SSL VPN to another external ip?

Hi, it is possible to redirect the web ssl vpn to another external ip of my external range or could I do not use the external interface?

For example:

ASA outdoors: 213.23.4.50 (https://213.23.4.50)

Redirect outside: 213.23.4.51 (https://213.23.4.51)

same question to redirect the vpn client ip address external to the other that the IP outside of asa.

concerning

Jason

Jason,

Pretty easy

BSNs-ASA5520-10 (config) # webvpn
BSNs-ASA5520-10(config-WebVPN) # port?

the WebVPN mode options/controls:
  <1-65535>The WebVPN Server SSL listening port. The TCP 443 port is the
by default.

Please note however that your users will use

https://my.domain.tld:port

to connect... even for clientless and SVC.

Marcin

Tags: Cisco Security

Similar Questions

  • Unable to connect to the site Web SSL VPN with firewall zone configured

    I recently updated my 2911 company and set up a firewall area.  This is my first experience with this and I used Cisco Configuration Professional to build the configuration of the firewall first and then edited the names to make it readable by humans.  The only problem I can't solve is to learn site Web SSL VPN from outside.  I can navigate the website and connect without problem from the inside, and even if it was useful to verify that the Routing and the site work properly it is really not what I.  I don't get anything on the syslog for drops because of the firewall server, or for any other reason but packet capture show that no response is received when you try to navigate to the outside Web site.  I am currently using a customer VPN IPSEC solution until I can get this to work and have no problem with it.  I have attached a sanitized with the included relevant lines configuration (deleted ~ 400 lines including logging, many inspections on the movement of the area to the area and the ipsec vpn, which I already mentioned).  I searched anything about this problem and no one has no problem connecting to their Web site, just to get other features to work correctly.  All thoughts are welcome.

    See the security box

    area to area

    Members of Interfaces:

    GigabitEthernet0/0.15

    GigabitEthernet0/0.30

    GigabitEthernet0/0.35

    GigabitEthernet0/0.45

    area outside zone

    Members of Interfaces:

    GigabitEthernet0/1

    sslvpn area area

    Members of Interfaces:

    Virtual-Template1

    SSLVPN-VIF0

    I tried to change the composition of the area on the interface virtual-Template1 to the outside the area nothing helps.

    See the pair area security

    Name of the pair area SSLVPN - AUX-in

    Source-Zone sslvpn-area-zone of Destination in the area

    Service-SSLVPN-AUX-IN-POLICY

    Name of the pair area IN SSLVPN

    Source-Zone in the Destination zone sslvpn-zone

    service-policy IN SSLVPN-POLICY

    Name of the pair area SELF SSLVPN

    Source-Zone sslvpn-area free-zone Destination schedule

    Service-SELF-to-SSLVPN-POLICY

    Zone-pair name IN-> AUTO

    Source-Zone in the Destination zone auto

    Service-IN-to-SELF-POLICY policy

    Name of the pair IN-> IN box

    In the Destination area source-Zone in the area

    service-policy IN IN-POLICY

    Zone-pair name SELF-> OUT

    Source-Zone auto zone of Destination outside the area

    Service-SELF-AUX-OUT-POLICY

    Name of the pair OUT zone-> AUTO

    Source-Zone out-area Destination-area auto

    Service-OUT-to-SELF-POLICY

    Zone-pair name IN-> OUT

    Source-Zone in the Destination area outside zone

    service-strategy ALLOW-ALL

    The pair OUT zone name-> IN

    Source-out-zone-time zone time Zone of Destination in the area

    Service-OUT-to-IN-POLICY

    Name of the pair area SSLVPN-to-SELF

    Source-Zone-Zone of sslvpn-area auto

    Service-SSLVPN-FOR-SELF-POLICY

    I also tried to add a pair of area for the outside zone sslvpn-zone passing all traffic and it doesn't change anything.

    The area of networks

    G0/0.15

    172.16.0.1 26

    G0/0.30

    172.16.0.65/26

    G0/0.35

    172.16.0.129/25

    G0/0.45

    172.18.0.1 28

    Pool of SSL VPN

    172.20.0.1 - 172.20.0.14

    Latest Version of IOS:

    Cisco IOS software, software C2900 (C2900-UNIVERSALK9-M), Version 15.0 (1) M10, RELEASE SOFTWARE (fc1)

    Glad works now. Weird question, no doubt.

    I guess that on the deployment guide said that the firewall will not support inspection of TCP to the free zone, however, class nested maps are used to accomplish this, to be completely honest, I think it's a mess and the best thing to do is action past to auto for the protocols that you want and then drop the rest.

    Let us know if you have any other problems.

    Mike

  • access of entrepreneurs and employees of the web site in-house using clientless ssl vpn.

    We have a layout of web SSL VPN without customer who allow employees and suppliers of connection and internal display web page.  I wonder if possible separate employees and contractors to access internal pages.  The internal web page has no authentication of users.  They would like to see if it is possible that traffic employees get proxy behind interface INSIDE IP de ASA and entrepreneur behind a different IP address proxy traffic.  Thus, the internal web page can check IP to contractor and only give them access to view certain web page, but not all pages.

    Hello

    Creating a group policy for each user group will be a good option, you can also use DAP to assign an ACL web to the user who logs on the portal without client, you can use the Radius, LDAP or Cisco attributes to associate the DAP for the user. For example, if you are using LDAP, you can create 2 groups separated here for employees and entrepreneurs and based on the LDAP user group membership, they will be assigned to specific web acl configured according to their access restrictions.

    You can follow this link to set up an acl of web:

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa83/asdm63/Configura...

    Once the ACL is ready, you can follow this guide to configure the DAP Protocol: "check the web for acls figure10.

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Thank you, please note!

  • SSL VPN SSO with AD/LDAP

    Hello

    I wonder if it is possible to have SSL VPN users sign on to Active Directory, instead of (ASA) VPN gateway.

    Sending a link, if the scenario is possible would be appreciated.

    Thank you

    Mike

    Yes, it is possible.

    Here is the sample configuration for your reference:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008067e9ff.shtml

    Hope that helps.

  • SSL VPN, is possible for the failing show the "untrusted site" warning when connecting

    SSL VPN, is possible for the not display the warning "untrusted site" when connecting. I trust 3rd cert left installed on the SAA. Is it possible, when I connect to it via the Web for the not give users the below page and just go to the connection. If they hit to continue it works but we are looking for a way to remove this error.

    There is a problem with this Web site's secure certificate.

    The security certificate presented by this website was not issued by an approved certification authority.

    A site address different Web issued the security certificate presented by this website.

    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

    We recommend that you close this webpage and do not make this Web site.

    Click here to close this webpage.

    Continue to this website (not recommended).

    More information

    Hi Jason,

    Follow these steps:

    1-no ssl trustpoint outside ssl.axisbu.com.trustpoint

    2 - webvpn

    no activation outside

    output

    3 - ssl trustpoint outside ASDM_TrustPoint3

    4 - webpvn

    allow outside

    It seems that he does not have the right certificate, probably the self-signed is stuck, please follow the steps and let me know.

    Thank you.

    Portu.

  • Order SSL VPN with Cisco Cloud Web Security

    We have implemented Cisco Cloud Web Security with the connector of the ASA and transfer all traffic port 80 and 443 to the Tower of the CCW. We have enabled HTTPS inspection, and I was wondering if there was anything, we can add in the configuration that would allow us to control (allow/block) SSL VPN?

    #Clientless SSL VPN is not supported with Cloud Security Web; don't forget to exempt all SSL VPN traffic without client service ASA for Cloud Web Security Strategy.

    Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/gu...

  • SSL vpn through the same internet connection to another site

    Hi, I have a network with a box of Juniper SSL that connect to port DMZ ASA5510, wher outside the ASA is the same outside the box of SSL vpn.

    To access issues eno hav network internal at all.

    Now, I need VPN SSL Juniper box remote users and internal conenct o my remote sites, who take the client connection through an internet router (Cisco throug site to site vpn IPSec) again to the th eremote site.

    Is it possible, my hunch is Yes "can be done."

    Currently, I'm fitting get no where, I get no hits ASA DMZ ACL if I try to access the remote site of the SSL vpn client resources.

    Schema attached

    Any help would be appreciated

    Shouldn't be a problem.

    On the Juniper SSL, you must check if the roads has been added to the remote IPSec LAN point to the ip address DMZ ASA instead of pointing to the internet through the Juniper SSL box.

    You need to configure NAT exemption on the ASA box between the pool SSL subnet to the Remote LAN of IPSec. As a result, you must also include the SSL subnet to Remote LAN subnets in the crypto ACL and mirror image ACL on the remote site ACL Cryptography.

    Hope that helps.

  • Clientless VPN SSL - policy of another LDAP authentication group

    Hi all

    I am currently working with Clientless SSL VPN. I have a problem with the creation of access to the different or blocking of users.

    I created tunnel/connection-profile (WEB-VPN-TEST-Profil2) and create group WEB-VPN-TEST2. I joined with the LDAP server. I also create a map LDAP attribute to provide only specific users to access. I havn't create an address pool

    What I'm trying to do is give access to the 'IL DBA' team and stop access to all the others in my organization. But to the login page when I give my password, I am able to connected even if I'm in the team "IT Network". Here's what I've done, (think I work for abcxyz.com)

    =======================================================

    AAA-server BL_AD protocol ldap

    AAA-server BL_AD (inside) host 172.16.1.1

    OR base LDAP-dn = abcxyz, DC = abcxyz, DC = com

    LDAP-naming-attribute sAMAccountName

    LDAP-login-password *.

    LDAP-connection-dn [email protected] / * /

    microsoft server type

    LDAP-attribute-map CL-SSL-ATT-map

    =======================================================

    LDAP attribute-map CL-SSL-ATT-map

    name of the memberOf IETF-Radius-class card

    map-value memberOf 'CN = IT s/n, OU = abcxyz, DC = abcxyz, DC = com' WEB-VPN-TEST2

    ========================================================

    WebVPN

    allow inside

    tunnel-group-list activate

    internal-password enable

    ========================================================

    internal strategy group WEB-VPN-TEST2

    Group WEB-VPN-TEST2 policy attributes

    VPN-tunnel-Protocol webvpn

    group-lock value WEB-VPN-TEST-Profil2

    WebVPN

    value of the URL-list WEB-VPN-TEST-BOOKMARK

    value of personalization WEB-VPN-TEST2

    ========================================================

    remote access of tunnel-group WEB-VPN-TEST-Profil2 type

    attributes global-tunnel-group WEB-VPN-TEST-Profil2

    authentication-server-group abcxyz_AD

    Group Policy - by default-WEB-VPN-TEST2

    tunnel-group WEB-VPN-TEST-Profil2 webvpn-attributes

    enable WEB-VPN-TEST-Profil2 group-alias

    =========================================================

    Please let me know if there is a question or let me know why I am still able to access the same if I did my attribure to match only with "IT"DBA ".

    Thanks in advance.

    BR.

    Adnan

    Hello Adnan,

    That's what you do:

    internal group WITHOUT ACCESS strategy

    attributes of non-group policy

    VPN - concurrent connections 0

    attributes global-tunnel-group WEB-VPN-TEST-Profil2

    Group Policy - by default-NO-ACCESS

    Group WEB-VPN-TEST2 policy attributes

    VPN - connections 3

    Kind regards

  • L2 VPN and SSL VPN-Plus server on the same edge is not possible

    Hello

    Today, I was busy trying to test the L2 VPN functionality and I got an error message that I had no right to allow the 'L2 VPN server' when the SSL VPN-Plus feature is enabled on the server VPN of L2.

    Is it possible that these two can run concurrently?

    And what is the reason for which (technical) why it does not work, or may not work at the moment?

    The L2 VPN as well as the VPN-Plus SSL enabled overall feature works very well elsewhere, but with the server it does not work...

    OK, I should have been more precise here. It is using the same service on the GSS. You cannot activate both at the same time. This is how it is. Maybe this will change later.

  • SSL VPN WEB cannot connect

    Hello

    I'm deploying an SSL VPN in ASA 8.0, I have access to the public interface and authentication configured radius.

    I have the debug RADIUS in asa and I see authentication is OK, I also checked Ray asa and works for the authentication test button, but

    It does work for approval.

    I've already set up a local user to the radius server.

    Thanks for your help.

    Best regards

    Fran

    You may be hitting a license limit if a few sessions have not stopped correctly and that you have only the default value of 2 licenses SSL... Do 'show worm' to see how much you have licenses webvpn. Also try "vpn-sessiondb disconnection of all" to delete all existing connections.

    -heather

  • SSL VPN using MS CA

    I work on the AnyConnect SSL VPN deployment and seeks to secure the connection with a certificate that is NOT provided by the internal CA of the ASA or a 3rd party. What I would do, is our domain CA (MS) approve the certificate - in this way, all users of portable computers that connect to the VPN will accept the certificate without asking for confirmation.

    Is there any type of document from Cisco that describes this case? I looked at the Cisco configuration documents that show:
    -install manually 3rd party SSL VPN vendor certs (IE. VeriSign)

    -to obtain digital certificates for a MS CA ASA (it emits only IPSec certificates for users - the lancers ASA an error on the EKU without specifying the role of authentication server)

    -renew/install the certificate SSL with ADSM (applies only to the self-signed certificates)

    -examined the anyconnect Administrator's guide

    I found two similar positions in the community, but there is no answer from anyone whether or not this is possible.

    https://supportforums.Cisco.com/message/259286#259286

    https://supportforums.Cisco.com/message/1324901#1324901

    I would be grateful for any feedback. I may end up copying the certificate self-signed ASA on all laptops users VPN: S

    Greg

    You treat the SSL VPN as a web server... Create a 3rd party application signing, load it onto your MS CA and select Web server profile... You will need the CA cert so the cert of identification. You load the CA cert first then the cert of the identity.

    You then attach the cert to an interface.

    I did it on my internal interface so that the customization pages would stop sent me some errors in my browser... I went with a cert of public own party 3rd for the external interface given that I expect no area machines to connect and telling users how to install certificates is a pain.

  • Essential AnyConnect SSL VPN?

    Hello

    I'm a bit confused. What is the difference between licenses(L-ASA-SSL-PR-25=) SSL VPN and Anyconnect Essential(L-ASA-AC-E-5510=)? I'm trying to be more objective and confused about what to buy.

    1 allow users to VPN through SSL and telnet on the unix system.

    2. allow users to use RDP sessions, once connected to the windows system.

    3 allow users to leave their outlook to connect to the Exchange once connected server.

    I need a solution that would download the client (just the browser to https://x.x.x.x) and let the customer gets pushed. I also need another VPN profile that uninstalls all customer downloaded when you are offline. The second profile is for people who are using public PC of the trip.

    Also, do I need license Anyconnect Mobile wanted to use iPhone or iPad to access vpn SSL url?

    Any response would be greatly appreciated.

    Thank you

    Sam

    Clientless SSL means you are tunneling SSL to the ASA without (AnyConnect) client.

    In other words, the remote computer needs only a browser to establish the secure HTTPS connection and access a potal web that may redirect access to internal resources. This type of connection (without customer) allows access to web applications and via port-forwarding to enable access to other TCP applications.

    When you need full network access (imitating the IPsec VPN client) you need the connection SSL (AnyConnect) Client-centred.

    This does not require a Web portal, provides with a complete full network access.

    If you use AnyConnect, the client can be pushed from the ASA to the customer via the HTTPS connection (and kept on the remote system or removed) depending on the configuration.

    If you are looking for a remote SSL connection that can access a portal and newspaper via telnet/RDP, you can use clientless SSL with port forwarding.

    If you want to that remote clients have full network access (everything as if they are sitting in the local network), will need you the AnyConnect.

    Federico.

  • SSL VPN - Bypass DefaultWEBVPNGroup

    Hi all

    I use the tunnel-group by default and group policy for my general community of users. I want to apply a filter to this group and have a case of special use for another group that bypasses the filter. My goal: for people reaching the "RAS_Engineering" group policy, I want to bypass the filter applied to 'DfltGrpPolicy '.

    Is it possible for me to configure Group policy so that it does not pick up the default settings? Here's what I (output omitted to reduce the lines):

    # sh svc detail session vpn name amy.eryilmaz filter

    Session type: detailed SVC

    User name: amy.eryilmaz index: 13568

    Assigned IP: my.vpn.assigned.ip public IP address: my.pub.lic.ip

    ....

    Group Policy: Group RAS_Engineering Tunnel: DefaultWEBVPNGroup

    ...

    The Tunnels without customer: 1

    SSL-Tunnel Tunnels: 1

    Without a client:

    Tunnel ID: 13568.1

    Public IP address: my.pub.lic.ip

    ...

    AUTH Mode: userPassword

    Idle Time Out: 30 Minutes idling left: 29 Minutes

    Type of client: Web browser

    Client Ver: AnyConnect 2.5.3046 Windows

    TX Bytes: 11456 byte Rx: 3986

    SSL-Tunnel:

    Tunnel ID: 13568.2

    Assigned IP: my.vpn.assigned.ip public IP address: my.pub.lic.ip

    ....

    Type of client: SSL VPN Client

    Client ver: Cisco AnyConnect VPN Agent for Windows 2.5.3046

    ....

    Name of the filter: filter-vpn-by default

    -----------------------------------------------------------

    attributes of Group Policy DfltGrpPolicy

    value xx.xx.xx.xx WINS server

    Server DNS value xx.xx.xx.xx

    DHCP-network-scope xx.xx.xx.xx

    VPN-value by default-vpn-filter

    Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

    field default value mondomaine.fr

    WebVPN

    SVC request no svc default

    internal RAS_Engineering group strategy

    attributes of Group Policy RAS_Engineering

    value xx.xx.xx.xx WINS server

    Server DNS value xx.xx.xx.xx

    DHCP-network-scope xx.xx.xx.xx

    Protocol-tunnel-VPN l2tp ipsec svc

    WebVPN

    SVC request no svc default

    -----------------------------------------------------------------

    # sh run all tunnel-group DefaultWEBVPNGroup

    type tunnel-group DefaultWEBVPNGroup remote access

    attributes global-tunnel-group DefaultWEBVPNGroup

    No address pool

    No ipv6 address pool

    authentication-server-group my_radius

    secondary-authentication-server-group no

    no accounting server group

    Group Policy - by default-DfltGrpPolicy

    Server DHCP xx.xx.xx.xx

    No band Kingdom

    no password-management

    No substitution-disabling the account

    No band group

    gap required

    certificate-CN user name OR

    secondary username-certificate CN OR

    authentication-attr-of primary server

    authenticated-session-user principal name

    tunnel-group DefaultWEBVPNGroup webvpn-attributes

    myCustom customization

    the aaa authentication

    No substitution-svc-download

    No message of rejection-RADIUS-

    no proxy-auth sdi

    no pre-fill-username-ssl client

    no pre-fill-username without client

    No school-pre-fill-name user-customer ssl

    No school-pre-fill-user without customer name

    DNS-Group DefaultDNS

    not without CSD

    IPSec-attributes tunnel-group DefaultWEBVPNGroup

    no pre shared key

    by the peer-id-validate req

    no chain

    no point of trust

    ISAKMP retry threshold 300 keepalive 2

    no RADIUS-sdi-xauth

    ISAKMP xauth user ikev1-authentication

    Hello

    By default, you will inherit any implicit value of default group policy.

    To stop him coming into the "vpn-filter' do it please:

    attributes of Group Policy RAS_Engineering

    VPN-filter no

    It goes the same for another function within group policy, make sure that you set explicitly all the parameters according to the specific requirements.

    Thank you.

    Portu.

    Please note all useful messages.

  • URL via SSL VPn access

    Dear members

    Please see the diagram for an easy understanding of the issue.

    I am facing a problem with the SSL VPN configured on ASA 5520. Here's the simple network topology.

    customer has an ERP server inside the segment, which is runniing Apche / Tomcat 5.5 and listening on port 8204.Complete URL to access the installed application is

    http://192.168.2.1:8204 / system/servlet/login

    ASA connects to a router in parameter, which has a configured AS VPN remote access. Cisco VPN client users can access this URL easily when they connect via VPN, also if I create a static translation for this IP 192.168.2.1, the full URL is accessible from the outside, but the problem of SSl VPN, when I enter the URL, nothing appears, and Session expires, however if I just enter http://192.168.2.1:8204 , Apache /Tomcat Page opens menas through SSL VPN can I reach the web server running on 192.168.2.1, but this particular URL is not accessible.

    Here apache on the ERP server is listening on a nonstandard port, which could be the reason, I need to create a forwarding port or "smart."

    I already tried with port forwarding, but that has not solved the problem.

    All entries from your side will be highly appreciated.

    Thank you

    Ahad

    Hi Ahad,

    When you access the server ( http://192.168.2.1:8204 / system/servlet/connectionURL) from the inside, the URL in the browser address bar remains the same? Or it redirects?

    On the login page is a java applet?

    Now, there are several things to try:

    -do a "view page source" on the work (internal or via IPsec vpn) login page and again on the default (via webvpn) page and compare - that provides any suspicion?

    -You can install a software like Charles SSL Proxy (http://www.charlesproxy.com/ - note this is not a product of Cisco, or approved by Cisco) to see exactly what is happening above the SSL tunnel (i.e. it will show you the HTTP request in the browser to the server and the response.) Again, you can do this for both a job and the absence of case to compare.

    -as a possible solution: create a bookmark HTTP on the portal of this URL and select "smart tunnel" for her.

    HTH

    Herbert

  • RVL200 ssl vpn, I'm not able to access resources network or ping of the Home Office

    I had installed a Linksys router using port forwarding to allow remote access to the server desktop remotely. I had some problems with it and I've always wanted a vpn connection to the office, but I could not ' operate. So I bought the RVL200 after that I read on it and ssl vpn.

    I have the router installed right after the modem cable to the office. I'm able to hit the external ip address of the House. I have the router to access the Server Active directory for connections. The connection works fine, all the different active directory accounts have access to the vpn through this. I am also able to make administration of the router remotely. I am able to connect to the vpn and get connected virtual passage. The icon in the systray says that everything is good. With all this, I'm not able to ping every address on the remote network. I can't reach all the network resources as \\pdrserver\irms or my print server ip address. I can't use network XP Favorites to find anything on the remote network.

    Someone has an idea what I am doing wrong? I appreciate the help.

    I thought about it. I was using the same IP for the home and office. It was confusing. I changed my IP to another system. Home office and now 12.4.4.X now 11.4.4.X. After that, everything worked as it should. Readers without mapped problem, ping remote computers. I could access the remote print servers. Works well. So make sure that you do not use the same IP addresses on both sides of the VPN.

Maybe you are looking for