Possible to redirect Web SSL VPN to another external IP?
Hi, is it possible to redirect the web SSL VPN to another external IP in my external range, or could I not use the external interface?
For example:
ASA outside: 213.23.4.50 (https://213.23.4.50)
Redirect outside: 213.23.4.51 (https://213.23.4.51)
Same question for redirecting the VPN client's external IP address to one other than the outside IP of the ASA.
Regards,
Jason
Jason,
Pretty easy:
BSNs-ASA5520-10(config)# webvpn
BSNs-ASA5520-10(config-webvpn)# port ?
webvpn mode commands/options:
  <1-65535>  The WebVPN Server SSL listening port. TCP port 443 is the default.
Please note however that your users will use to connect... even for clientless and SVC.
Marcin
Similar Questions
-
Unable to connect to the Web SSL VPN site with zone firewall configured
I recently upgraded my company's 2911 and set up a zone-based firewall. This is my first experience with this, and I used Cisco Configuration Professional to build the firewall configuration first and then edited the names to make them human-readable. The only problem I can't solve is reaching the Web SSL VPN site from outside. I can browse to the site and connect without problem from the inside, and while that was useful to verify that routing and the site work properly, it is really not what I. I don't get anything in the syslog about drops by the firewall, or for any other reason, but a packet capture shows that no response is received when trying to browse to the site from outside. I am currently using an IPSEC VPN client solution until I can get this to work, and have no problem with it. I have attached a sanitized configuration with the relevant lines included (deleted ~400 lines including logging, many zone-to-zone inspections and the IPSec VPN, which I already mentioned). I searched for anything about this problem and nobody has a problem connecting to their web site, only getting other features to work correctly. All thoughts are welcome.
show zone security
zone in-zone
  Member Interfaces:
    GigabitEthernet0/0.15
    GigabitEthernet0/0.30
    GigabitEthernet0/0.35
    GigabitEthernet0/0.45
zone out-zone
  Member Interfaces:
    GigabitEthernet0/1
zone sslvpn-zone
  Member Interfaces:
    Virtual-Template1
    SSLVPN-VIF0
I tried changing the zone membership of interface Virtual-Template1 to the outside zone; nothing helps.
show zone-pair security
Zone-pair name SSLVPN-to-IN
    Source-Zone sslvpn-zone  Destination-Zone in-zone
    service-policy SSLVPN-to-IN-POLICY
Zone-pair name IN-to-SSLVPN
    Source-Zone in-zone  Destination-Zone sslvpn-zone
    service-policy IN-to-SSLVPN-POLICY
Zone-pair name SELF-to-SSLVPN
    Source-Zone self  Destination-Zone sslvpn-zone
    service-policy SELF-to-SSLVPN-POLICY
Zone-pair name IN->SELF
    Source-Zone in-zone  Destination-Zone self
    service-policy IN-to-SELF-POLICY
Zone-pair name IN->IN
    Source-Zone in-zone  Destination-Zone in-zone
    service-policy IN-to-IN-POLICY
Zone-pair name SELF->OUT
    Source-Zone self  Destination-Zone out-zone
    service-policy SELF-to-OUT-POLICY
Zone-pair name OUT->SELF
    Source-Zone out-zone  Destination-Zone self
    service-policy OUT-to-SELF-POLICY
Zone-pair name IN->OUT
    Source-Zone in-zone  Destination-Zone out-zone
    service-policy ALLOW-ALL
Zone-pair name OUT->IN
    Source-Zone out-zone  Destination-Zone in-zone
    service-policy OUT-to-IN-POLICY
Zone-pair name SSLVPN-to-SELF
    Source-Zone sslvpn-zone  Destination-Zone self
    service-policy SSLVPN-to-SELF-POLICY
I also tried adding a zone pair from the outside zone to sslvpn-zone passing all traffic, and it doesn't change anything.
In-zone networks:
G0/0.15   172.16.0.1/26
G0/0.30   172.16.0.65/26
G0/0.35   172.16.0.129/25
G0/0.45   172.18.0.1/28
SSL VPN pool:
172.20.0.1 - 172.20.0.14
IOS version:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M10, RELEASE SOFTWARE (fc1)
Glad it works now. Weird issue, no doubt.
I guess the deployment guide said that the firewall will not support TCP inspection to the self zone; however, nested class maps are used to accomplish this. To be completely honest, I think it's a mess, and the best thing to do is a pass action to self for the protocols that you want and then drop the rest.
Let us know if you have any other problems.
Mike
-
Access for contractors and employees to an in-house web site using clientless SSL VPN
We have a clientless web SSL VPN setup that allows employees and vendors to connect and view internal web pages. I wonder if it is possible to separate employees and contractors for access to internal pages. The internal web page has no user authentication. They would like to see if it is possible for employee traffic to be proxied behind the INSIDE interface IP of the ASA and contractor traffic proxied behind a different IP address. That way the internal web page can check the IP for contractors and only give them access to view certain web pages, but not all pages.
Hello,
Creating a group policy for each user group would be a good option; you can also use DAP to assign a web ACL to the user who logs on to the clientless portal. You can use RADIUS, LDAP or Cisco attributes to associate the DAP with the user. For example, if you are using LDAP, you can create 2 separate groups for employees and contractors, and based on the LDAP user group membership they will be assigned the specific web ACL configured according to their access restrictions.
You can follow this link to set up a web ACL:
http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa83/asdm63/Configura...
Once the ACL is ready, you can follow this guide to configure DAP: "check the web ACLs, figure 10".
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Thank you, please rate!
-
Hello,
I wonder if it is possible to have SSL VPN users sign on to Active Directory, instead of the (ASA) VPN gateway.
Sending a link, if the scenario is possible, would be appreciated.
Thank you
Mike
Yes, it is possible.
Here is a sample configuration for your reference:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008067e9ff.shtml
Hope that helps.
-
SSL VPN: is it possible for it not to show the "untrusted site" warning when connecting?
SSL VPN: is it possible for it not to display the "untrusted site" warning when connecting? I have a trusted 3rd party cert installed on the ASA. Is it possible, when I connect to it via the web, for it not to give users the page below and just go to the login? If they click continue it works, but we are looking for a way to remove this error.
There is a problem with this website's security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
More information
Hi Jason,
Follow these steps:
1 - no ssl trust-point ssl.axisbu.com.trustpoint outside
2 - webvpn
      no enable outside
     exit
3 - ssl trust-point ASDM_TrustPoint3 outside
4 - webvpn
      enable outside
It seems it does not have the right certificate; probably the self-signed one is stuck. Please follow the steps and let me know.
Thank you.
Portu.
-
Control SSL VPN with Cisco Cloud Web Security
We have implemented Cisco Cloud Web Security with the ASA connector and forward all port 80 and 443 traffic to the CWS tower. We have enabled HTTPS inspection, and I was wondering if there is anything we can add to the configuration that would allow us to control (allow/block) SSL VPN?
# Clientless SSL VPN is not supported with Cloud Web Security; be sure to exempt all clientless SSL VPN traffic from the ASA service policy for Cloud Web Security.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/gu...
-
SSL VPN through the same internet connection to another site
Hi, I have a network with a Juniper SSL box that connects to the DMZ port of an ASA5510, where the outside of the ASA is the same as the outside of the SSL VPN box.
For access to the internal network there are no issues at all.
Now, I need the Juniper SSL VPN box's remote users to connect to my remote sites, which take the connection through an internet router (Cisco, through site-to-site IPSec VPN) to the remote site.
Is it possible? My hunch is yes, "can be done."
Currently, I'm getting nowhere; I get no hits on the ASA DMZ ACL if I try to access remote site resources from the SSL VPN client.
Diagram attached.
Any help would be appreciated.
Shouldn't be a problem.
On the Juniper SSL, you must check whether the routes to the remote IPSec LAN have been added, pointing to the ASA DMZ IP address instead of pointing to the internet through the Juniper SSL box.
You need to configure NAT exemption on the ASA between the SSL pool subnet and the IPSec remote LAN. Consequently, you must also include the SSL subnet to remote LAN subnets in the crypto ACL, and mirror that ACL in the remote site's crypto ACL.
Hope that helps.
-
Clientless SSL VPN - group policy for another LDAP authentication group
Hi all,
I am currently working with Clientless SSL VPN. I have a problem with granting access to different users or blocking them.
I created a tunnel/connection profile (WEB-VPN-TEST-Profil2) and created group policy WEB-VPN-TEST2. I joined it with the LDAP server. I also created an LDAP attribute map to give only specific users access. I haven't created an address pool.
What I'm trying to do is give access to the "IT DBA" team and stop access for everyone else in my organization. But on the login page, when I give my password, I am able to connect even though I'm in the "IT Network" team. Here's what I've done (assume I work for abcxyz.com):
=======================================================
aaa-server BL_AD protocol ldap
aaa-server BL_AD (inside) host 172.16.1.1
 ldap-base-dn OU=abcxyz,DC=abcxyz,DC=com
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn [email protected]
 server-type microsoft
 ldap-attribute-map CL-SSL-ATT-map
=======================================================
ldap attribute-map CL-SSL-ATT-map
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=IT DBA,OU=abcxyz,DC=abcxyz,DC=com" WEB-VPN-TEST2
========================================================
webvpn
 enable inside
 tunnel-group-list enable
 internal-password enable
========================================================
group-policy WEB-VPN-TEST2 internal
group-policy WEB-VPN-TEST2 attributes
 vpn-tunnel-protocol webvpn
 group-lock value WEB-VPN-TEST-Profil2
 webvpn
  url-list value WEB-VPN-TEST-BOOKMARK
  customization value WEB-VPN-TEST2
========================================================
tunnel-group WEB-VPN-TEST-Profil2 type remote-access
tunnel-group WEB-VPN-TEST-Profil2 general-attributes
 authentication-server-group abcxyz_AD
 default-group-policy WEB-VPN-TEST2
tunnel-group WEB-VPN-TEST-Profil2 webvpn-attributes
 group-alias WEB-VPN-TEST-Profil2 enable
=========================================================
Please let me know if there is a question, or let me know why I am still able to access it even though I set my attribute map to match only "IT DBA".
Thanks in advance.
BR,
Adnan
Hello Adnan,
This is what you do:
group-policy NO-ACCESS internal
group-policy NO-ACCESS attributes
 vpn-simultaneous-logins 0
tunnel-group WEB-VPN-TEST-Profil2 general-attributes
 default-group-policy NO-ACCESS
group-policy WEB-VPN-TEST2 attributes
 vpn-simultaneous-logins 3
Kind regards
-
L2 VPN and SSL VPN-Plus server on the same Edge is not possible
Hello,
Today I was busy trying to test the L2 VPN functionality and I got an error message that I was not allowed to enable the 'L2 VPN server' when the SSL VPN-Plus feature is enabled on the L2 VPN server.
Is it possible that these two can run concurrently?
And what is the (technical) reason why it does not work, or may not work at the moment?
The L2 VPN as well as the SSL VPN-Plus feature, enabled overall, works very well elsewhere, but with the server it does not work...
OK, I should have been more precise here. It is using the same service on the GSS. You cannot activate both at the same time. This is how it is. Maybe this will change later.
-
Hello,
I'm deploying an SSL VPN on ASA 8.0; I have access to the public interface and RADIUS authentication configured.
I have RADIUS debug on the ASA and I see authentication is OK; I also checked RADIUS from the ASA, and the test button works for authentication, but
it does not work for authorization.
I've already set up a local user on the RADIUS server.
Thanks for your help.
Best regards
Fran
You may be hitting a license limit if a few sessions have not terminated correctly and you only have the default 2 SSL licenses... Do "show ver" to see how many webvpn licenses you have. Also try "vpn-sessiondb logoff all" to clear all existing connections.
-heather
-
I am working on an AnyConnect SSL VPN deployment and am looking to secure the connection with a certificate that is NOT issued by the internal CA of the ASA or by a 3rd party. What I would like is for our domain CA (MS) to issue the certificate; that way, all users of laptops that connect to the VPN will accept the certificate without being asked for confirmation.
Is there any type of document from Cisco that describes this case? I looked at the Cisco configuration documents that show:
- manually installing 3rd party SSL VPN vendor certs (i.e. VeriSign)
- obtaining digital certificates for the ASA from a MS CA (it only issues IPSec certificates for users; the ASA throws an error on the EKU not specifying the server authentication role)
- renewing/installing the SSL certificate with ASDM (applies only to self-signed certificates)
- examined the AnyConnect Administrator's guide
I found two similar posts in the community, but there is no answer from anyone on whether or not this is possible.
https://supportforums.Cisco.com/message/259286#259286
https://supportforums.Cisco.com/message/1324901#1324901
I would be grateful for any feedback. I may end up copying the ASA self-signed certificate onto all VPN users' laptops :S
Greg
You treat the SSL VPN as a web server... Create a 3rd party signing request, load it onto your MS CA and select the Web Server template... You will need the CA cert as well as the identity cert. You load the CA cert first, then the identity cert.
You then attach the cert to an interface.
I did it on my internal interface so that the customization pages would stop sending me errors in my browser... I went with a public 3rd party cert for the external interface, since I expect non-domain machines to connect, and telling users how to install certificates is a pain.
-
AnyConnect Essentials for SSL VPN?
Hello,
I'm a bit confused. What is the difference between SSL VPN licenses (L-ASA-SSL-PR-25=) and AnyConnect Essentials (L-ASA-AC-E-5510=)? I'm trying to be more objective and am confused about what to buy.
1. Allow users to VPN through SSL and telnet to the unix system.
2. Allow users to use RDP sessions, once connected, to the windows system.
3. Allow users to leave their Outlook connected to the Exchange server once connected.
I need a solution that would download the client (just browse to https://x.x.x.x) and let the client get pushed. I also need another VPN profile that uninstalls everything the client downloaded when you are offline. The second profile is for people who are using public PCs while travelling.
Also, do I need the AnyConnect Mobile license if I want to use an iPhone or iPad to access the SSL VPN URL?
Any response would be greatly appreciated.
Thank you
Sam
Clientless SSL means you are tunneling SSL to the ASA without the (AnyConnect) client.
In other words, the remote computer needs only a browser to establish the secure HTTPS connection and access a web portal that may redirect access to internal resources. This type of connection (clientless) allows access to web applications and, via port-forwarding, enables access to other TCP applications.
When you need full network access (mimicking the IPsec VPN client) you need the client-based SSL (AnyConnect) connection.
This does not require a web portal and provides complete full network access.
If you use AnyConnect, the client can be pushed from the ASA to the remote machine via the HTTPS connection (and kept on the remote system or removed) depending on the configuration.
If you are looking for a remote SSL connection that can access a portal and log in via telnet/RDP, you can use clientless SSL with port forwarding.
If you want remote clients to have full network access (everything as if they were sitting in the local network), you will need AnyConnect.
Federico.
-
SSL VPN - Bypass DefaultWEBVPNGroup
Hi all,
I use the default tunnel-group and group policy for my general community of users. I want to apply a filter to this group and have a special-use case for another group that bypasses the filter. My goal: for people landing in the "RAS_Engineering" group policy, I want to bypass the filter applied to 'DfltGrpPolicy'.
Is it possible for me to configure the group policy so that it does not pick up the default settings? Here's what I have (output omitted to reduce the lines):
# sh vpn-sessiondb detail svc filter name amy.eryilmaz
Session Type: SVC Detailed
Username     : amy.eryilmaz            Index        : 13568
Assigned IP  : my.vpn.assigned.ip      Public IP    : my.pub.lic.ip
....
Group Policy : RAS_Engineering         Tunnel Group : DefaultWEBVPNGroup
...
Clientless Tunnels: 1
SSL-Tunnel Tunnels: 1
Clientless:
  Tunnel ID    : 13568.1
  Public IP    : my.pub.lic.ip
  ...
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Client Type  : Web Browser
  Client Ver   : AnyConnect 2.5.3046 Windows
  Bytes Tx     : 11456                  Bytes Rx     : 3986
SSL-Tunnel:
  Tunnel ID    : 13568.2
  Assigned IP  : my.vpn.assigned.ip     Public IP    : my.pub.lic.ip
  ....
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 2.5.3046
  ....
  Filter Name  : default-vpn-filter
-----------------------------------------------------------
group-policy DfltGrpPolicy attributes
 wins-server value xx.xx.xx.xx
 dns-server value xx.xx.xx.xx
 dhcp-network-scope xx.xx.xx.xx
 vpn-filter value default-vpn-filter
 vpn-tunnel-protocol ipsec l2tp-ipsec svc webvpn
 default-domain value mondomaine.fr
 webvpn
  svc ask none default svc
group-policy RAS_Engineering internal
group-policy RAS_Engineering attributes
 wins-server value xx.xx.xx.xx
 dns-server value xx.xx.xx.xx
 dhcp-network-scope xx.xx.xx.xx
 vpn-tunnel-protocol l2tp-ipsec svc
 webvpn
  svc ask none default svc
-----------------------------------------------------------------
# sh run all tunnel-group DefaultWEBVPNGroup
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
 no address-pool
 no ipv6-address-pool
 authentication-server-group my_radius
 no secondary-authentication-server-group
 no accounting-server-group
 default-group-policy DfltGrpPolicy
 dhcp-server xx.xx.xx.xx
 no strip-realm
 no password-management
 no override-account-disable
 no strip-group
 gap required
 username-from-certificate CN OU
 secondary-username-from-certificate CN OU
 authentication-attr-from-server primary
 authenticated-session-username primary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization myCustom
 authentication aaa
 no override-svc-download
 no radius-reject-message
 no proxy-auth sdi
 no pre-fill-username ssl-client
 no pre-fill-username clientless
 no secondary-pre-fill-username ssl-client
 no secondary-pre-fill-username clientless
 dns-group DefaultDNS
 no without-csd
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 no pre-shared-key
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 300 retry 2
 no radius-sdi-xauth
 isakmp ikev1-user-authentication xauth
Hello,
By default, you will inherit any value you have not set explicitly from the default group policy.
To stop it inheriting the 'vpn-filter', please do this:
group-policy RAS_Engineering attributes
 vpn-filter none
The same goes for any other feature within the group policy: make sure that you set all the parameters explicitly according to your specific requirements.
Thank you.
Portu.
Please rate all useful posts.
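The two ASA behaviours argued over in this thread and in the LDAP attribute-map thread above (a user who matches no map-value falls into the tunnel-group's default group-policy, and an attribute that is not set explicitly is inherited from DfltGrpPolicy) can be modelled in a few lines. This is an added illustration, not Cisco code and not from either poster; the class names, the DNs and the factory default of 3 simultaneous logins are assumptions made for the model.

```python
"""Constructed model of two ASA behaviours discussed on this page:
1) which group-policy a clientless user lands in: an LDAP attribute-map
   hit, otherwise the tunnel-group's default-group-policy, and
2) how an unset group-policy attribute inherits from DfltGrpPolicy until
   it is set explicitly, e.g. "vpn-filter none".  Not Cisco code."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple


@dataclass
class GroupPolicy:
    name: str
    # Only explicitly configured attributes live here.  A key whose value
    # is None models "<attribute> none": set on the policy, but empty.
    attrs: Dict[str, Any] = field(default_factory=dict)


@dataclass
class Asa:
    policies: Dict[str, GroupPolicy]
    # ldap attribute-map: memberOf DN -> IETF-Radius-Class (policy name)
    attribute_map: Dict[str, str]
    # default-group-policy of the tunnel-group the user connects to
    tunnel_group_default: str

    def effective(self, policy: str, attr: str) -> Any:
        """Explicit value on the policy wins; otherwise inherit DfltGrpPolicy."""
        own = self.policies[policy].attrs
        if attr in own:
            return own[attr]
        return self.policies["DfltGrpPolicy"].attrs.get(attr)

    def select_policy(self, member_of: List[str]) -> str:
        """Any memberOf DN with a map-value decides; else tunnel-group default."""
        for dn in member_of:
            if dn in self.attribute_map:
                return self.attribute_map[dn]
        return self.tunnel_group_default

    def authorize(self, member_of: List[str]) -> Tuple[str, bool]:
        """Return (group-policy, allowed); vpn-simultaneous-logins 0 denies."""
        policy = self.select_policy(member_of)
        logins = self.effective(policy, "vpn-simultaneous-logins")
        return policy, bool(logins)


# Constructed DNs in the style of the post (abcxyz.com domain).
DBA_DN = "CN=IT DBA,OU=abcxyz,DC=abcxyz,DC=com"
NET_DN = "CN=IT Network,OU=abcxyz,DC=abcxyz,DC=com"


def base_policies() -> Dict[str, GroupPolicy]:
    return {
        # Assumed factory default of 3 logins, plus the poster's
        # "vpn-filter value default-vpn-filter" on DfltGrpPolicy.
        "DfltGrpPolicy": GroupPolicy("DfltGrpPolicy", {
            "vpn-simultaneous-logins": 3, "vpn-filter": "default-vpn-filter"}),
        "WEB-VPN-TEST2": GroupPolicy("WEB-VPN-TEST2"),
        "NO-ACCESS": GroupPolicy("NO-ACCESS", {"vpn-simultaneous-logins": 0}),
        "RAS_Engineering": GroupPolicy("RAS_Engineering"),
    }


def ldap_before_fix() -> Asa:
    """Adnan's original config: tunnel-group defaults to WEB-VPN-TEST2."""
    return Asa(base_policies(), {DBA_DN: "WEB-VPN-TEST2"}, "WEB-VPN-TEST2")


def ldap_after_fix() -> Asa:
    """The reply's fix: default to NO-ACCESS (0 logins); mapped group gets 3."""
    asa = Asa(base_policies(), {DBA_DN: "WEB-VPN-TEST2"}, "NO-ACCESS")
    asa.policies["WEB-VPN-TEST2"].attrs["vpn-simultaneous-logins"] = 3
    return asa


def ras_with_vpn_filter_none() -> Asa:
    """RAS_Engineering after 'vpn-filter none': explicit, so nothing inherited."""
    asa = Asa(base_policies(), {}, "DfltGrpPolicy")
    asa.policies["RAS_Engineering"].attrs["vpn-filter"] = None
    return asa
```

Before the fix a user with no matching memberOf lands in WEB-VPN-TEST2 and inherits 3 logins; after it, the same user lands in NO-ACCESS and is refused, while RAS_Engineering keeps inheriting every attribute except the one set to none.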
-
Dear members,
Please see the diagram for an easy understanding of the issue.
I am facing a problem with the SSL VPN configured on an ASA 5520. Here's the simple network topology.
The customer has an ERP server in the inside segment, which is running Apache/Tomcat 5.5 and listening on port 8204. The complete URL to access the installed application is
http://192.168.2.1:8204/system/servlet/login
The ASA connects to a router which also has remote-access VPN configured. Cisco VPN client users can access this URL easily when they connect via VPN; also, if I create a static translation for this IP 192.168.2.1, the full URL is accessible from the outside. But the problem is with SSL VPN: when I enter the URL, nothing appears and the session expires; however, if I just enter http://192.168.2.1:8204, the Apache/Tomcat page opens, meaning that through SSL VPN I can reach the web server running on 192.168.2.1, but this particular URL is not accessible.
Here Apache on the ERP server is listening on a nonstandard port, which could be the reason; do I need to create port forwarding or a "smart tunnel"?
I already tried port forwarding, but that has not solved the problem.
Any input from your side will be highly appreciated.
Thank you
Ahad
Hi Ahad,
When you access the server (http://192.168.2.1:8204/system/servlet/login URL) from the inside, does the URL in the browser address bar remain the same? Or does it redirect?
Is the login page a Java applet?
Now, there are several things to try:
- do a "view page source" on the working (internal or via IPsec VPN) login page and again on the failing (via webvpn) page and compare; does that raise any suspicion?
- you can install software like Charles SSL Proxy (http://www.charlesproxy.com/ - note this is not a Cisco product, nor endorsed by Cisco) to see exactly what is happening over the SSL tunnel (i.e. it will show you the HTTP request from the browser to the server and the response). Again, you can do this for both the working and the non-working case to compare.
- as a possible solution: create an HTTP bookmark on the portal for this URL and select "smart tunnel" for it.
HTH
Herbert
-
RVL200 SSL VPN: I'm not able to access network resources or ping the home office
I had installed a Linksys router using port forwarding to allow remote desktop access to the server. I had some problems with it and I've always wanted a VPN connection to the office, but I could not get it to work. So I bought the RVL200 after I read about it and SSL VPN.
I have the router installed right after the cable modem at the office. I'm able to hit the external IP address from home. I have the router using the Active Directory server for logins. The login works fine; all the different Active Directory accounts have access to the VPN through this. I am also able to administer the router remotely. I am able to connect to the VPN and get the virtual passage connected. The icon in the systray says that everything is good. With all this, I'm not able to ping any address on the remote network. I can't reach any network resources such as \\pdrserver\irms or my print server IP address. I can't use XP's My Network Places to find anything on the remote network.
Does someone have an idea what I am doing wrong? I appreciate the help.
I figured it out. I was using the same IP range for home and office. It was confusing. I changed my IP to another scheme: home and office are now 12.4.4.X and 11.4.4.X. After that, everything worked as it should. Mapped drives without problems, pinging remote computers, and I could access the remote print servers. Works well. So make sure that you do not use the same IP addresses on both sides of the VPN.