SSL VPN on ASA-

Similar Questions

• Customization of SSL VPN Cisco ASA version 8

  Is there a way to customize the appearance of the SSL VPN? To change the features of the ASA custmization? To change the total look of the portal page the way we like it and not the Cisco default settings? For example, the RDP plugin has always display the help text on the right side, and we would like to show different text in this area. We were able to change it but could not import to the area of the asa.

  Import of SSL vpn customization ASA is not possible. Impossible also to change the appearance of the portal page.

• IP phone SSL VPN by ASA

  IM in the middle of configuring Ip Phone SSL VPN by ASA, is stuck on authentication... When I enter the user name and password on the phone screen, I get the message "username and password failed" on the screen. However, in the newspapers of the ASA, I see the following line

  February 16, 2011 15:12:57 725002 85.132.43.67 device 52684 complete SSL negotiation with customer vpn:85.132.*.*/52684

  February 16, 2011 15:17:26 725007 85.132.43.67 52745 SSL session with client vpn:85.132.*.*/52745 is complete.

  What it means?  How can I turn on debugging to see what is happening?

  Thank you in advance!

  Hello

  If you do not use certificates in the client authentication then the SSL handshake full until the user is prompted to authenticate with the username user and password.  If that fails authentication request, you will see the terminated SSL session immediately after this failure (as in newspapers you provided).  Note 5 seconds between the end and the SSL session establishment, it is more likely when the user is authenticated with the aaa server.  If the phone is an authentication against an external aaa server failure you'll want to investigate the logs on the server to determine the cause of the failure.  The ASA can also provide confirmation of the request for authentication/reject with the command 'display aaa-server '.  If you want to see what happens at a level of authentication protocol you can activate many debugs including "debug aaa authentication | common | internal ' and debugs specific protocol such as ' debug RADIUS user. session | all ' or 'ldap debug ".

  This has answered your question? If so, please indicate it answered!

• SSL VPN using ASA 5520 mode cluster - several problems

  I configured 2 ASA 5520 s in the load balancing cluster mode. I connect using anyconnect and I download the customer the first time and everything works well except outlook. I don't know why outlook does not work.

  The second problem is after the anyconnect client is installed on your machine, he remembers that ASA (say ASA2) he first connected and the GUI shows the address IP of ASA2 instead of the virtual IP address of the cluster. I want users always connect using the virtual IP address.

  The third problem I have is there is a default group of SSL VPN and I want all users to use this group. In the initial web page, there is a drop down menu which shows that this group, but I still want to disable this menu drop-down.

  Any suggestions?

  To disable the drop-down menu, you can turn it off with the command

  WebVPN

  no activation of tunnel-group-list

  This will take care of your last issue.

  ***************************

  You can create a profile of the Anyconnect client with the name of the server you want to connect with and that make the ASA that will solve your problem of virtual IP.

  **************************

  Regarding Outlook, do you use specific ports which allows inspection of the ASA. Take a look at the list of inspection on the SAA and perhaps try to disable inspection and see if it works.

  *****************************

• New for mapping SSL VPN ACS ASA - ASA groups

  Greetings,

  I am new to ASA, so any help is greatly appreciated.

  I just installed and installed an ASA 5520. I installed an SSL VPN. What I'm trying to achieve is to configure profiles of different groups and different users can access various resources when they access the VPN.

  Current config-

  ASA 5520 v8.3

  ACS 4.0

  Field of Windwos 2003

  I have different installation profiles in the ASA. (i.e. business Dept.) When I choose in the drop down menu, it allows me to open a session and displays the options I've chosen for this group. The problem is that I can connect in this group with any account. GBA, all windows domain users are in the default group. I guess the default group is being processed and which has hosted and user logon.

  Can anyone provide a good article or tips on how to configure the ASA and the ACS for several groups of users. We have several departments that will have to get the parameters when they connect. The ACS groups are mapped to the Windows groups that correspond to each Department

  Any help is greatly appreciated.

  Thank you

  Tim

  Hello

  I think that you need to activate locking group.

  In order to configure Group locking, send group policy name in the attribute class 25 on the Authentication Dial - In User Service (RADIUS Remote) server and choose the group to lock the user in policy.  For example, to lock the user 123 of Cisco in the RemoteGroup group, define the class of attributes 25 Internet Engineering Task Force (IETF) UO = RemotePolicy; for this user on the RADIUS server.

• CME SSL VPN with ASA

  Hi all

  We are working on a new deployment of CME 9.1 for a small office. As part of this deployment, our plan was to have several remote phones connect via SSLVPN to an ASA on our network border allowing them to communicate with the router of the CME. We bought the appropriate of the VPN to ASA and licenses of paper for phones remotely.

  I'm following the instructions in this document: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configura...

  However, the penalty, I'm having is that when I try to enter the settings for vpn-Group (page 19 of the pdf) the command is not available on my router - unrecognized command. I fear that this could mean that I'm missing a license/feature set to my router CME, is that correct? We bought a C2921CME-SRSTK9 router, but I may need the SEC/K9 license? If this is the case, can someone show me the part number or SKU, I would need to buy?

  Moreover, is anyway that I could get around to adding this to the router config - perhaps change the configuration of phone XML directly?

  Thanks in advance!

  It is correct, you will need the license of security. SKU is: L-SL-29-SEC-K9 =

  http://www.Cisco.com/c/en/us/products/collateral/routers/1900-series-int...

• site to site vpn with ASA 5500 series SSL?

  We have routers DLink DIR - 130 5505 s ASA and PIXen, all work well with our PIX 515E, we need to replace.

  We also have Internet satellite in two places. High latency makes IPsec VPN to DLinks on these very slow sites.

  We were informed by HughesNet that a SSL VPN will mitigate some of the problems of latency.

  However, we cannot use a VPN client for the biometric timeclocks in these places, the clocks need static IP addresses and are more or less "dumb terminals".

  The machine of series 5000 ASA VPN site to site similar to OpenVPN or only the most comment client-server type SSL VPN connections?

  Thank you, Tom

  Hi Thomas,

  The SSL VPN on ASAs feature is a client/server relationship where the remote computer can connect without client (browser) or clientbased (AnyConnect) to the ASA.

  Federico.

• SSL VPN Client username and passwords save

  Hello

  We use SSL VPN with ASA, we want to save the user name and password to connect to the customers in the SSL VPN client, if user only has not to type again to connect to the enterprise resources, employees normally use iPhone IOS and Android for VPN access.

  Is their a way, we can save the credentials username and password for iphone and android?

  I googled for it and found a way using URIS to pre-fill the name of user and password but I'm not sure how it works, and it will be beneficial.

  http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/ANYC...

  Hello

  You can use the URIs, if your method of methods must use WBS for the password pre-population.

  I would recommed you use certificate authentication, so they don't have to use the user name and password, and the process will be done automatically.

  You can take a look at this Document that created one of my peers:

  - https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based...

  He has the details you will need.

  Don t forget to rate and score as correct the helpful post!

  David Castro,

  Kind regards

• SSL VPN WEB cannot connect

  Hello

  I'm deploying an SSL VPN in ASA 8.0, I have access to the public interface and authentication configured radius.

  I have the debug RADIUS in asa and I see authentication is OK, I also checked Ray asa and works for the authentication test button, but

  It does work for approval.

  I've already set up a local user to the radius server.

  Thanks for your help.

  Best regards

  Fran

  You may be hitting a license limit if a few sessions have not stopped correctly and that you have only the default value of 2 licenses SSL... Do 'show worm' to see how much you have licenses webvpn. Also try "vpn-sessiondb disconnection of all" to delete all existing connections.

  -heather

• Routing IP will on SAA for SSL VPN

  I have a question let internal DHCP network is 192.168.0.0 and if you configure SSL VPN on ASA to assign the ip address of 10.0.0.0 network routing where must be configured so that the customer can route between network?

  2 lets say im using im 192.168.10.0/.20.0/.30.0 my network if I place ASA to assign 30.0 will be ther be conflict DHCP? or ASA DHCP will ONLY respond outside requests? (I mean Anyconnect)

  Hello

  You don't have to use a dynamic routing protocol if you need / want. In a simple network you could just use static routes.

  That is the way that manage you routing I don't think it really changes the configuration at all.

  This of course provided that the ASA is the default route outside of your network. Then all traffic to the networks VPN pool naturally would be always accessible from the local network as the default route would already be transfer all traffic to networks outside the local network to the ASA.

  However if the ASA is not device gateway for all Internet traffic on your network then you will need to manage the routing so that the networks/subnets used as the VPN pools would be routed to the ASA on the local network.

  -Jouni

• ASA from Site to Site and SSL VPN stop working

  Thanks in advance for any advice

  We have an ASA 5510, users were able to connect via to all connect without any problems. We opened a new office with an ASA 5505 and decided to give VPN site-to-site on IPSec. We used the basic wizard and everything went smoothly at both ends. However, users who always used SSL VPN says so that they can connect to the original site, they are no longer in their RDP virtual machines or get anywhere on the network. I don't know why something like this can happen.

  You can change the SSL VPN DHCP scope to give a different subnet for IP addresses. Maybe try 192.168.10.0 255.255.255.0. Let me know if you can and if that corrects the issue.

  Sent by Cisco Support technique iPhone App

• ASA SSL VPN with RSA authentication

  All those implemented SSL VPN on a device of the ASA using remote Securid tokens? The technical sheets indicate native RSA can be used for authentication, but this works with SSL VPN?

  Thank you

  Try this link

  http://www.Cisco.com/en/us/products/ps6120/prod_release_note09186a0080688004.html

• Same license for different ASA SSL VPN

  Hello

  I have run ASA5510 SSL VPN is installed with a license. I want to replace it with the new ASA5510 without SSL VPN license. Is it possible to copy the license from my old ASA? Can I order different license for my new box?

  THX

  Iwan

  A new license is required.

  License key is created based off the serial number of the device.

  Gilbert

  -Rate, if it helps-

• Cisco ASA AnyConnect SSL VPN - certificates + token?

  Hello

  I'm looking for an answer is it possible such configuration:

  The Cisco AnyConnect SSL VPN service with two-factor - first method is the Microsoft CA certificate local and second method - a token solution Symantec VIP password?

  I don't know if two-factor authentication is user/password from Active Directory + OTP by Symantec VIP there is no problem, because you can send the user + pass with Radius, but with certificates I do not really understand who will check the validity of the certificate, which certificate, we will send you to the RADIUS for the validation server and how the configuration of the point of view of ASA will look like.

  Thank you very much for the help!

  Hi Alex,

  I don't see a problem with having certificate + token to connect to the VPN. Certificate authentication must be performed on the SAA, see an example below:

  https://supportforums.Cisco.com/blog/152941/AnyConnect-certificate-based-authentication

  Authentication token can be specified as primary/secondary (authentication SDI) on the SAA, an example below:

  http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/anyconnect31/Administration/Guide/anyconnectadmin31/ac11authenticate.html#pgfId-1060345

  It may be useful

  -Randy-

• Cannot access internal network so AnyConnect SSL VPN, ASA 9.1 (6)

  Hello Cisco community support,

  I have a lab which consists of two virtual environments connected to a 3750-G switch that is connected to a 2901 router which is connected to an ASA 5512 - X which is connected to my ISP gateway. I configured SSL VPN using AnyConnect and can establish a VPN to the ASA from the outside but once connected, I can't access internal network resources or access the internet. My information network and ASA configuration is listed below. Thank you for any assistance you can offer.

  ISP network gateway: 10.1.10.0/24

  ASA to the router network: 10.1.40.0/30

  Pool DHCP VPN: 10.1.30.0/24

  Network of the range: 10.1.20.0/24

  Development network: 10.1.10.0/24

  : Saved
  :
  : Serial number: FCH18477CPT
  : Material: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
  :
  ASA 6,0000 Version 1
  !
  hostname ctcndasa01
  activate bcn1WtX5vuf3YzS3 encrypted password
  names of
  cnd-vpn-dhcp-pool 10.1.30.1 mask - 255.255.255.0 IP local pool 10.1.30.200
  !
  interface GigabitEthernet0/0
  nameif inside
  security-level 100
  IP 10.1.40.1 255.255.255.252
  !
  interface GigabitEthernet0/1
  nameif outside
  security-level 0
  address IP X.X.X.237 255.255.255.248
  !
  interface GigabitEthernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/5
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  management only
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  boot system Disk0: / asa916-1-smp - k8.bin
  boot system Disk0: / asa912-smp - k8.bin
  passive FTP mode
  permit same-security-traffic intra-interface
  network of the NETWORK_OBJ_10.1.30.0_24 object
  10.1.30.0 subnet 255.255.255.0
  network obj_any object
  network obj_10.1.40.0 object
  10.1.40.0 subnet 255.255.255.0
  network obj_10.1.30.0 object
  10.1.30.0 subnet 255.255.255.0
  outside_access_in list extended access permitted ip object NETWORK_OBJ_10.1.30.0_24 all
  FREE access-list extended ip 10.1.40.0 NAT allow 255.255.255.0 10.1.30.0 255.255.255.0
  access-list 101 extended allow any4 any4-answer icmp echo
  access-list standard split allow 10.1.40.0 255.255.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  management of MTU 1500
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any inside
  ICMP allow all outside
  ASDM image disk0: / asdm - 743.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, outside) source obj_10.1.40.0 destination obj_10.1.40.0 static static obj_10.1.30.0 obj_10.1.30.0 non-proxy-arp-search to itinerary
  NAT (inside, outside) static source any any static destination NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 non-proxy-arp-search to itinerary
  Access-group outside_access_in in interface outside
  !
  Router eigrp 1
  Network 10.1.10.0 255.255.255.0
  Network 10.1.20.0 255.255.255.0
  Network 10.1.30.0 255.255.255.0
  Network 10.1.40.0 255.255.255.252
  !
  Route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  without activating the user identity
  identity of the user by default-domain LOCAL
  Enable http server
  http 192.168.1.0 255.255.255.0 management
  http 192.168.1.0 255.255.255.0 inside
  http X.X.X.238 255.255.255.255 outside
  No snmp server location
  No snmp Server contact
  Crypto ipsec pmtu aging infinite - the security association
  Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
  registration auto
  full domain name no
  name of the object CN = 10.1.30.254, CN = ctcndasa01
  ASDM_LAUNCHER key pair
  Configure CRL
  trustpool crypto ca policy
  string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
  certificate c902a155
  308201cd 30820136 a0030201 020204c 0d06092a 864886f7 0d 010105 9 02a 15530
  0500302b 31133011 06035504 03130 has 63 61736130 31311430 12060355 74636e64
  0403130 31302e31 2e33302e 32353430 1e170d31 35303731 32303530 3133315a b
  170d 3235 30373039 30353031 33315 has 30 2 b 311330 0403130a 11060355 6374636e
  64617361 30313114 30120603 55040313 0b31302e 312e3330 2e323534 30819f30
  0d06092a 864886f7 010101 05000381 8 d 0d 003081 89028181 00a47cfc 6b5f8b9e
  9b106ad6 857ec34c 01028f71 d35fb7b5 6a61ea33 569fefca 3791657f eeee91f2
  705ab2ea 09207c4f dfbbc18a 749b19ae d3ca8aa7 3370510b a5a96fd4 f9e06332
  4355 db1a4b88 475f96a1 318f7031 40668a4d afa44384 819d fa164c05 2e586ccc
  3ea59b78 5976f685 2abbdcf6 f3b448e5 30aa96a8 1ed4e178 0001300 020301 4 d d
  06092a 86 01010505 00038181 0093656f 639e138e 90b69e66 b50190fc 4886f70d
  42d9b4a8 11828da4 e0765d9c 52d84f8b 8e70747e e760de88 c43dc5eb 1808bd0f
  fd2230c1 53f68ea1 00f3e956 97eb313e 26cc49d7 25b927b5 43d8d3fa f212fcaf
  59eb8104 98e3a1d9 e05d3bcb 428cd7c6 61b530f5 fe193d15 ef8c7f08 37ad16f5
  d8966b50 917a88bb f4f30d82 6f8b58ba 61
  quit smoking
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH timeout 5
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  VPN-addr-assign local reuse / 360 time
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  Trust ASDM_Launcher_Access_TrustPoint_0 vpnlb-ip SSL-point
  SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
  WebVPN
  allow outside
  AnyConnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
  AnyConnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
  AnyConnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
  AnyConnect enable
  tunnel-group-list activate
  internal GroupPolicy_cnd-vpn group policy
  GroupPolicy_cnd-vpn group policy attributes
  WINS server no
  value of server DNS 8.8.8.8
  client ssl-VPN-tunnel-Protocol
  by default no
  xxxx GCOh1bma8K1tKZHa username encrypted password
  type tunnel-group cnd - vpn remote access
  tunnel-group global cnd-vpn-attributes
  address-cnd-vpn-dhcp-pool
  strategy-group-by default GroupPolicy_cnd-vpn
  tunnel-group cnd - vpn webvpn-attributes
  activation of the alias group cnd - vpn
  !
  ICMP-class class-map
  match default-inspection-traffic
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map icmp_policy
  icmp category
  inspect the icmp
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  inspect the icmp
  !
  global service-policy global_policy
  service-policy icmp_policy outside interface
  context of prompt hostname
  no remote anonymous reporting call
  Cryptochecksum:261228832f3b57983bcc2b4ed5a8a9d0
  : end
  ASDM image disk0: / asdm - 743.bin
  don't allow no asdm history

  Can you confirm that this is correct, your diagram shows your IP address public on ASA as 30 while you have assinged on 'outside' interface like 29?