SSL VPN Portal Page - frequent disconnects

Hi all

I've deployed two firewalls at two DCs - London and Swindon. I'm now load balancing traffic to these two firewalls by using a URL. When users try to connect to the URL (which resolves to the IP addresses of the two firewalls' Internet-facing interfaces), they face frequent disconnects. The portal will be open for a few minutes, and as they click on the bookmarks on the page they get automatically disconnected. It is completely random and there is no pattern to it.

However, I have noted the following:

1. If I clear my cache and temp files and then try to access the portal using the URL, it works fine for a little longer (maybe 15-20 minutes) and then the same disconnects start all over again.

2. If I access the firewalls' IP addresses directly (not using the URL), it seems to work fine.

Can someone let me know what could be causing the problem?

Thank you!

Hey riri,

You can enable logs and debugs on the ASA; 'show conn' and 'debug webvpn 255' will be useful to check if the ASA is disconnecting the session.

Alternatively, you can run Wireshark on a computer and check where the reset is coming from.

Cheers,

-Randy-
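As an added client-side check (not part of the original thread): since the portal URL resolves to both firewalls, a practitioner would want to know whether each disconnect coincides with the client's requests moving from one firewall address to the other. The script below resolves every A record of a hostname and, over a constructed sequence of client observations (address used per request plus the outcome), separates disconnects that followed an address change from those that did not. Hostname, addresses and the observation format are assumptions.

```python
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class Observation:
    """One client request to the portal, as recorded by the tester (constructed format)."""
    t: int        # seconds since the portal session was opened
    ip: str       # firewall address the request actually went to
    event: str    # "ok" or "disconnect"


def resolve_all(hostname: str, port: int = 443) -> List[str]:
    """Live lookup: every IPv4 address the portal hostname currently resolves to."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def correlate_disconnects(obs: Iterable[Observation]) -> Dict:
    """Count address flips and attribute each disconnect to 'after a flip' or 'other'.

    A flip is a request that went to a different firewall address than the
    previous request; a disconnect on such a request is recorded as after_flip.
    """
    prev_ip = None
    flips = 0
    after_flip: List[Tuple[int, str, str]] = []
    other: List[Tuple[int, str, str]] = []
    for o in obs:
        flipped = prev_ip is not None and o.ip != prev_ip
        if flipped:
            flips += 1
        if o.event == "disconnect":
            (after_flip if flipped else other).append((o.t, prev_ip, o.ip))
        prev_ip = o.ip
    return {"address_flips": flips, "after_flip": after_flip, "other": other}


def verdict(result: Dict) -> str:
    """Summarise whether the disconnects track the firewall address changes."""
    total = len(result["after_flip"]) + len(result["other"])
    if total == 0:
        return "no disconnects observed"
    if result["other"]:
        return f"{len(result['other'])} of {total} disconnects did not follow an address change"
    return "every disconnect followed a change of firewall address"


# Constructed sample: two firewalls behind one hostname (documentation addresses).
SAMPLE = [
    Observation(0, "203.0.113.10", "ok"),
    Observation(60, "203.0.113.10", "ok"),
    Observation(120, "203.0.113.20", "disconnect"),   # moved to the other firewall
    Observation(130, "203.0.113.20", "ok"),
    Observation(900, "203.0.113.20", "ok"),
    Observation(960, "203.0.113.10", "disconnect"),   # moved back
    Observation(1200, "203.0.113.10", "disconnect"),  # same firewall: another cause
]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("portal resolves to:", resolve_all(sys.argv[1]))
    res = correlate_disconnects(SAMPLE)
    print(res)
    print(verdict(res))
```

Run with the portal hostname as the first argument to see the address set the clients are being spread across; disconnects that only ever follow an address flip point at the two firewalls rather than at the client.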

Tags: Cisco Security

Similar Questions

  • SSL VPN Portal problem

    I have 2 ASAs configured for AnyConnect, both running 8.4(2)9. The issue I'm having is that one of them opens the SSL portal when the user enters the group URL and the other does not. I don't want the portal to open on connection.

    I have a group policy configured that inherits the AnyConnect connection parameters from DfltGrpPolicy. The DfltGrpPolicy connection parameters are:

    Post Login setting "Do not prompt user to choose" and

    Default Post Login selection 'Download AnyConnect Client'

    On the AnyConnect connection profiles page I unchecked "Allow user to select connection profile..."

    and under the profile itself I created a group URL, which seems to work.

    When a user accesses the URL the portal opens and the client starts downloading immediately. On the other ASA, when a user accesses the URL the portal does not open, but the client still downloads as expected.

    I know I'm missing a setting but I can't find it.

    Is there a setting other than the group policy Post Login that would cause the VPN portal to open?

    I was looking at the same question. I knew it was something we were missing. I had to go into the Clientless profiles and disable all tunneling protocols except the SSL client.

    It is under Clientless SSL VPN Access > Group Policies > General > More Options > Tunneling Protocols.

  • NSX API: Upload ESG SSL VPN Portal logo

    I am currently using the NSX API to provision an edge on our NSX Manager appliance. I was able to do everything with the exception of uploading a custom portal logo. I have included the information from the documentation below, but it does not say what the body of the request should look like. I feel that with this information I would be able to complete the request. Has anyone worked with this before, or is anyone from VMware able to answer this question?

    It would also be nice to see the documentation updated with how to upload files via the REST API in a bit more detail...

    Configure Portal Layouts

    You can configure the layout of the web page associated with the SSL VPN client.

    Upload Portal Logo

    Upload the portal logo from the given local path.

    Example 8-150. Upload Portal Logo

    Request: POST https:///API/4.0/edges//sslvpn/config/layout/images/portallogo/

    Upload Phat Banner

    Upload the phat client banner from the given local path. The phat banner image should be in bmp format.

    Example 8-151. Upload Phat Banner. Request: POST https:///api/4.0/edges//sslvpn/config/layout/images/phatbanner

    I have tried different methods... including a base64-encoded image as the body and multipart form data, but all fail with the error below.

    HTTP Status 400 -
    type Status report
    message
    description The request sent by the client was syntactically incorrect.

    Sorry for the delay on this one... replace layoutFile with banner.

  • Questions about clientless SSL VPN portals

    If you use the portal for RDP Remote Desktop access, do you have to use the Remote Desktop plugin that works through your browser, or can you also use a regular Remote Desktop RDP application running on your device once the connection is established?

    Does allowing clientless VPN through the web portal give the same client checks (domain membership, MAC address check, certificate authentication etc.) that you can do when a client uses the AnyConnect client?

    Do the client checks and use of the web portal depend on the client connecting from a Windows operating system with Java or ActiveX?

    If you use the portal for RDP Remote Desktop access, do you have to use the Remote Desktop plugin that works through your browser, or can you also use a regular Remote Desktop RDP application running on your device once the connection is established?

    You will need to use the RDP plugin. If you want to use the normal RDP application, then you must use the AnyConnect VPN client.

    Does allowing clientless VPN through the web portal give the same client checks (domain membership, MAC address check, certificate authentication etc.) that you can do when a client uses the AnyConnect client?

    It supports certificate authentication. Regarding domain membership checks, do you mean in terms of client authentication when you use RADIUS or TACACS+? I don't think MAC authentication is supported.

    Do the client checks and use of the web portal depend on the client connecting from a Windows operating system with Java or ActiveX?

    For the clientless VPN the operating system is irrelevant, but the browser is. I think the supported browsers are Internet Explorer, Firefox and Safari. Java is required.

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa83/asdm63/configuration_guide/config/vpn_proc.html

    --

    Please do not forget to select a correct answer and rate useful posts

  • After Windows Update KB2675157, ActiveX RDP through SSL VPN stops working

    We have a Cisco ASA 5510 with a Clientless SSL VPN portal. I just found out that after installing the latest Microsoft updates, the RDP bookmarks have stopped working. It keeps asking me to install the Cisco Port Forwarder control and then returns to the home page. I changed all the security settings and tried to install the control manually, but nothing works. Finally, I found that after uninstalling Internet Explorer 8 update KB2675157 it works again.

    Is this a known issue?

    I just tested it on Windows XP with IE 8; I don't know if the problem occurs on other platforms.

    Good afternoon

    The issue you are running into is not caused by KB2675157. This behavior was deliberately introduced by KB2695962.

    As stated in:

    http://Tools.Cisco.com/Security/Center/content/CiscoSecurityAdvisory/Cisco-SA-20120314-AsaClient

    The Cisco PSIRT asked Microsoft to set the global Kill Bit for the Cisco Port Forwarder ActiveX control on March 14, 2012. Microsoft pushed the kill bit for the vulnerable control in the May 2012 Microsoft Patch Tuesday batch (May 8, 2012).

    Customers must move to one of the recommended releases listed below, or a later version. The recommended versions include fixes for the issues disclosed in the Cisco Security Advisory "Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability" as well as those identified in the ASA client notice.

    Affected version   First fixed version   Recommended version
    Cisco ASA 7.0      Not vulnerable        Migrate to 7.2 or later
    Cisco ASA 7.1      Vulnerable            Migrate to 7.2 or later
    Cisco ASA 7.2      7.2(5.6)              7.2(5.7)
    Cisco ASA 8.0      8.0(5.26)             Migrate to 8.2(5.26) or later
    Cisco ASA 8.1      8.1(2.53)             Migrate to 8.2(5.26) or later
    Cisco ASA 8.2      8.2(5.18)             8.2(5.26)
    Cisco ASA 8.3      8.3(2.28)             Migrate to 8.4(3.8) or later
    Cisco ASA 8.4      8.4(2.16)             8.4(3.8)
    Cisco ASA 8.5      Not vulnerable        8.5(1.7)
    Cisco ASA 8.6      8.6(1.1)              8.6(1.1)

    Once the affected control has been upgraded by starting a clientless VPN session to an ASA running the fixed software, it will be used in all sessions, including those with ASA devices that cannot run the updated software.

    Cheers,

    -Troy

  • Clientless SSL VPN groups

    Greetings. I currently have an ASA5520 in place running 8.0(2). We have configured a clientless SSL VPN portal that we currently use as a 'test'. The issue we are trying to solve deals with the use of groups on the SSL VPN login page. Currently, the ASA is set to authenticate username/password credentials against a Microsoft Windows 2003 server using IAS (RADIUS). It works very well.

    What we want to do is to "lock" the user account to a group alias on the ASA SSL VPN login page. For example, our SSL VPN login page displays two options for 'Group': 'sales' and 'tech'. In its current form, a sales user can select either of the displayed groups and still be authenticated. Is there any way to deny the login if a user does not select the appropriate GROUP in the drop-down menu? It would certainly help to ensure that users choose the right GROUP in the drop-down menu.

    Any information would be greatly appreciated.

    Joe

    In order to put the user in the appropriate group, set RADIUS attribute 25 to OU=ASAGroupPolicyName, then try the group-lock control to lock the users.

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/gh_72.html

  • Trying to customize the login page for ASA 5505 SSL VPN

    Good day

    I'm looking for help to customize the login page for the SSL VPN as mentioned. When the VPN is configured, the default template allows my customers to log in with this: IMAGE 1

    While trying to change the login page, I had to create a new customization under Clientless SSL VPN Access > Portal > Customization in the ASDM. When I do this and try to change the login page, it comes up with 2 forms of authentication and an internal password field like this: IMAGE 2

    How can I change the login page I created so that users only see the regular username and password fields, as in the default template?

    Thank you all for your time and assistance

    Joel

    Hi Joel,

    What you see is just the preview, right?

    The preview displays the whole customization object, since the internal password and the secondary authentication controls are features that are activated in different parts of the configuration:

    webvpn
     enable outside
     internal-password enable
    !
    tunnel-group DefaultWEBVPNGroup general-attributes
     secondary-authentication-server-group second_authentication_server


    INFO: This command applies only to Clientless SSL VPN and AnyConnect.

    So I recommend assigning this customization object to a group policy and testing access through the specific connection profile.

    Thank you.

    Portu.

    Please rate all useful posts

  • AnyConnect SSL VPN client - login page does not appear

    I have an ASA5510 I am setting up for remote access using SSL VPN with the AnyConnect client. I followed the configuration guides on Cisco's website and elsewhere on the internet without success.

    When I go to https://(outside interface ip address), I get nothing; the browser never loads a page. Here are the commands I entered:

    webvpn
     enable outside
     svc image disk0:/anyconnect-win-2.5.3046-k9.pkg 1
     svc image disk0:/anyconnect-macosx-powerpc-2.5.3046-k9.pkg 2
     svc image disk0:/anyconnect-macosx-i386-2.5.3046-k9.pkg 3
     svc enable
     tunnel-group-list enable
    group-policy VRx-WebVPN internal
    group-policy VRx-WebVPN attributes
     dns-server value 192.168.100.11
     vpn-tunnel-protocol svc
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split
     default-domain value VRX.NET
     webvpn
      svc keep-installer installed
      svc rekey time 30
      svc rekey method ssl
      svc ask none default svc
    tunnel-group VRx-WebVPN type remote-access
    tunnel-group VRx-WebVPN general-attributes
     address-pool vpn_pool
     authentication-server-group VRxAD
     default-group-policy VRx-WebVPN
    tunnel-group VRx-WebVPN webvpn-attributes
     group-alias VRx-WebVPN enable

    We have never seen this before - any ideas, or what would be useful in troubleshooting this?

    Thank you in advance!

    Dave

    Hello David,

    Hmm... I'll do a quick lab setup for this.

    Edit: Mine works without problem; it must be something else in the configuration that is not allowing you to get the AnyConnect portal.

    I used the same AnyConnect image and the same ASA image.

    Julio

  • SSL VPN tunnel mode, "page cannot be found" - urgent!

    Hi experts,

    I am trying to configure a tunnel mode SSL VPN (the one which downloads the client to your PC to give full access to the network) and urgently need your help. Sorry for the urgency, but my client needs this as soon as possible and my wife was due with our second baby last Monday, so time is of the essence.

    I get an invalid certificate warning in Internet Explorer when I navigate to http://publicip/remote, which is fine since it is a self-signed cert, but when I click on 'continue' I get a "page cannot be found" error.

    Did I miss something in the config, or am I missing files (web files) from flash?

    I have attached the config as well as a sh ver and dir flash.

    I used SDM to configure it, and as such it has inserted an ACL permitting the IP of the host publicip. I don't like this and want to remove it; can you advise?

    Thank you very much

    Dave

    Hello

    Try changing this command in your context:

    gateway gateway_1 domain domain.com

    to

    gateway gateway_1

    'domain' here does not indicate a real domain, but a path after the URL. With the configuration you have, you would need to connect to the following URL to get a web page:

    https://publicip/domain.com

    which is probably why you get an error when you simply browse to https://publicip.

    -Jason

  • Unable to connect to the internal network over SSL VPN

    First time setting up an ASA 5512, and I did a lot of research to solve my problem but no luck. I would really appreciate it if I could get some help.

    After successfully connecting to the ASA via SSL VPN, I am only able to ping the outside interface (10.2.11.4).

    Please check my config; I would like to know what the problem is. Thank you

    : Saved
    :
    ASA Version 9.1(2)
    !
    hostname asa-01
    domain-name corporate.local
    enable password t8tpEme73dn9e0.9 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd t8tpEme73dn9e0.9 encrypted
    names
    ip local pool sslvpn-ip-pool 10.255.255.1-10.255.255.100 mask 255.255.255.0
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 50
     ip address 10.2.11.4 255.255.255.0
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 10.2.255.18 255.255.255.248
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 0
     ip address 192.168.1.1 255.255.255.0
    !
    boot system disk0:/asa912-smp-k8.bin
    ftp mode passive
    clock timezone STD -7
    clock summer-time MDT recurring
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 10.2.9.23
     name-server 10.2.1.1
     name-server 10.2.9.24
     domain-name corporate.local
    object network Trusted
     subnet 10.2.0.0 255.255.0.0
    object network outside
     subnet 10.2.11.0 255.255.255.0
    object network ss
     subnet 10.2.11.0 255.255.255.0
    object network VPNlocalIP
     subnet 10.255.255.0 255.255.255.0
    object network LAN
     subnet 10.2.9.0 255.255.255.0
    object network VPN-INSIDE
     subnet 10.2.255.16 255.255.255.248
    object-group service tcp4433 tcp
     port-object eq 4433
    access-list SPLIT-TUNNEL standard permit 10.2.255.16 255.255.255.248
    access-list SPLIT-TUNNEL standard permit 10.2.11.0 255.255.255.0
    access-list SPLIT-TUNNEL standard permit host 10.2.9.0
    access-list global_access extended permit ip object VPNlocalIP object LAN
    access-list global_access extended permit ip object LAN object VPNlocalIP
    pager lines 24
    logging enable
    logging asdm informational
    logging host inside 10.2.8.8
    logging debug-trace
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-713.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static LAN LAN destination static VPNlocalIP VPNlocalIP
    access-group global_access global
    route outside 0.0.0.0 0.0.0.0 10.2.11.1 1
    route inside 10.2.0.0 255.255.0.0 10.2.255.17 1
    route inside 10.255.255.0 255.255.255.0 10.2.255.17 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server CA-Kerberos protocol kerberos
    aaa-server CA-Kerberos (inside) host 10.2.9.24
     kerberos-realm Corp.PRI
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable 4431
    http 192.168.1.0 255.255.255.0 management
    http 10.2.0.0 255.255.0.0 outside
    http redirect inside 80
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=ciscoasa
     keypair 4151
     proxy-ldc-issuer
     crl configure
    crypto ca trustpoint ASDM_TrustPoint1
     enrollment terminal
     crl configure
    crypto ca trustpoint ASDM_TrustPoint2
     enrollment terminal
     crl configure
    crypto ca trustpoint ASDM_TrustPoint3
     enrollment terminal
     crl configure
    crypto ca trustpoint ASDM_TrustPoint4
     enrollment terminal
     subject-name CN=vpn.corp.com
     keypair ASA_PKC_One
     crl configure
    crypto ca trustpool policy

    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    telnet timeout 15
    ssh 10.2.0.0 255.255.0.0 inside
    ssh timeout 15
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access outside
    dhcpd address 192.168.1.2-192.168.1.10 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 10.2.9.23 source outside
    ssl encryption aes128-sha1 3des-sha1
    ssl trust-point ASDM_TrustPoint4 management
    ssl trust-point ASDM_TrustPoint4 outside
    ssl trust-point ASDM_TrustPoint4 inside
    webvpn
     enable outside
     no anyconnect-essentials
     anyconnect image disk0:/anyconnect-win-3.1.04063-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
     smart-tunnel list TerminalServer Terminal mstsc.exe platform windows
    group-policy DfltGrpPolicy attributes
     dns-server value 10.2.9.23
     vpn-tunnel-protocol ikev1 l2tp-ipsec
     default-domain value corp.com
     webvpn
      customization value DfltCustomization
    group-policy CA-SSLVPN-TEST internal
    group-policy CA-SSLVPN-TEST attributes
     wins-server none
     dns-server value 10.2.9.23
     vpn-tunnel-protocol ssl-client
     default-domain value corp.com
    group-policy CA-CLIENTLESS-TEST internal
    group-policy CA-CLIENTLESS-TEST attributes
     vpn-tunnel-protocol ssl-clientless
     webvpn
      url-list value contractors
      smart-tunnel enable TerminalServer
    username ssluser password nS2GfPhvrmh.I/qL encrypted
    username ssluser attributes
     vpn-group-policy CA-SSLVPN-TEST
     vpn-tunnel-protocol ssl-client
     group-lock value AnySSLVPN-TEST
     service-type remote-access
    username admin password f4JufzEgsqDt05cH encrypted privilege 15
    username cluser password 3mAXWbcK2ZdaFXHb encrypted
    username cluser attributes
     vpn-group-policy CA-CLIENTLESS-TEST
     vpn-tunnel-protocol ssl-clientless
     group-lock value OLY-Clientless
     service-type remote-access
    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group CA-Kerberos LOCAL
    tunnel-group DefaultRAGroup webvpn-attributes
     customization CA-ClientLess-portal
    tunnel-group DefaultWEBVPNGroup general-attributes
     address-pool sslvpn-ip-pool
     authentication-server-group CA-Kerberos LOCAL
    tunnel-group DefaultWEBVPNGroup webvpn-attributes
     customization CA-ClientLess-portal
    tunnel-group AnySSLVPN-TEST type remote-access
    tunnel-group AnySSLVPN-TEST general-attributes
     address-pool sslvpn-ip-pool
     authentication-server-group CA-Kerberos
     default-group-policy CA-SSLVPN-TEST
    tunnel-group AnySSLVPN-TEST webvpn-attributes
     customization OLY-portal
     group-alias AnySSLVPN-TEST disable
     group-alias AnySSLVPN-TEST-aliases disable
     group-alias OLY-SSLVPN disable
     group-alias SSLVPN enable
    tunnel-group OLY-Clientless type remote-access
    tunnel-group OLY-Clientless general-attributes
     authentication-server-group CA-Kerberos
     default-group-policy CA-CLIENTLESS-TEST
    tunnel-group OLY-Clientless webvpn-attributes
     customization CA-ClientLess-portal
     nbns-server 10.2.9.23 master timeout 2 retry 2
     group-alias Clientless enable
     group-alias cl disable

    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
     class class-default
      user-statistics accounting
    !
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 3
      subscribe-to-alert-group configuration periodic monthly 3
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:ceea6b06a18781a23e6b5dde6b591704
    : end

    Hello

    I'm glad to hear it works.

    Please don't forget to mark a reply as the correct answer or rate useful answers.

    -Jouni

  • Contractor and employee access to an internal web site using clientless SSL VPN

    We have a clientless SSL VPN web setup that allows employees and vendors to log in and view an internal web page. I wonder if it is possible to separate employees and contractors accessing the internal pages. The internal web page has no user authentication. They would like to see if it is possible for employee traffic to be proxied from behind the ASA's INSIDE interface IP and contractor traffic to be proxied from behind a different IP address. That way the internal web page can check for the contractor IP and only give them access to view certain web pages, but not all pages.

    Hello

    Creating a group policy for each user group would be a good option. You can also use DAP to assign a web ACL to the user who logs on to the clientless portal; you can use RADIUS, LDAP or Cisco attributes to associate the DAP with the user. For example, if you are using LDAP, you can create 2 separate groups for employees and contractors and, based on the LDAP user group membership, they will be assigned the specific web ACL configured according to their access restrictions.

    You can follow this link to set up a web ACL:

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa83/asdm63/Configura...

    Once the ACL is ready, you can follow this guide to configure the DAP: check the "Web ACLs" part in figure 10.

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Thank you, please rate!

  • Cannot access internal network over AnyConnect SSL VPN, ASA 9.1(6)

    Hello Cisco community support,

    I have a lab which consists of two virtual environments connected to a 3750-G switch, which is connected to a 2901 router, which is connected to an ASA 5512-X, which is connected to my ISP gateway. I configured SSL VPN using AnyConnect and can establish a VPN to the ASA from the outside, but once connected I can't access internal network resources or the internet. My network information and ASA configuration are listed below. Thank you for any assistance you can offer.

    ISP gateway network: 10.1.10.0/24

    ASA to router network: 10.1.40.0/30

    VPN DHCP pool: 10.1.30.0/24

    Range network: 10.1.20.0/24

    Development network: 10.1.10.0/24

    : Saved
    :
    : Serial Number: FCH18477CPT
    : Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
    :
    ASA Version 9.1(6)1
    !
    hostname ctcndasa01
    enable password bcn1WtX5vuf3YzS3 encrypted
    names
    ip local pool cnd-vpn-dhcp-pool 10.1.30.1-10.1.30.200 mask 255.255.255.0
    !
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 10.1.40.1 255.255.255.252
    !
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address X.X.X.237 255.255.255.248
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    boot system disk0:/asa916-1-smp-k8.bin
    boot system disk0:/asa912-smp-k8.bin
    ftp mode passive
    same-security-traffic permit intra-interface
    object network NETWORK_OBJ_10.1.30.0_24
     subnet 10.1.30.0 255.255.255.0
    object network obj_any
    object network obj_10.1.40.0
     subnet 10.1.40.0 255.255.255.0
    object network obj_10.1.30.0
     subnet 10.1.30.0 255.255.255.0
    access-list outside_access_in extended permit ip object NETWORK_OBJ_10.1.30.0_24 any
    access-list NAT-FREE extended permit ip 10.1.40.0 255.255.255.0 10.1.30.0 255.255.255.0
    access-list 101 extended permit icmp any4 any4 echo-reply
    access-list split standard permit 10.1.40.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-743.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static obj_10.1.40.0 obj_10.1.40.0 destination static obj_10.1.30.0 obj_10.1.30.0 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    !
    router eigrp 1
     network 10.1.10.0 255.255.255.0
     network 10.1.20.0 255.255.255.0
     network 10.1.30.0 255.255.255.0
     network 10.1.40.0 255.255.255.252
    !
    route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no user-identity enable
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    http X.X.X.238 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
     enrollment self
     fqdn none
     subject-name CN=10.1.30.254,CN=ctcndasa01
     keypair ASDM_LAUNCHER
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
     certificate c902a155
    308201cd 30820136 a0030201 020204c 0d06092a 864886f7 0d 010105 9 02a 15530
    0500302b 31133011 06035504 03130 has 63 61736130 31311430 12060355 74636e64
    0403130 31302e31 2e33302e 32353430 1e170d31 35303731 32303530 3133315a b
    170d 3235 30373039 30353031 33315 has 30 2 b 311330 0403130a 11060355 6374636e
    64617361 30313114 30120603 55040313 0b31302e 312e3330 2e323534 30819f30
    0d06092a 864886f7 010101 05000381 8 d 0d 003081 89028181 00a47cfc 6b5f8b9e
    9b106ad6 857ec34c 01028f71 d35fb7b5 6a61ea33 569fefca 3791657f eeee91f2
    705ab2ea 09207c4f dfbbc18a 749b19ae d3ca8aa7 3370510b a5a96fd4 f9e06332
    4355 db1a4b88 475f96a1 318f7031 40668a4d afa44384 819d fa164c05 2e586ccc
    3ea59b78 5976f685 2abbdcf6 f3b448e5 30aa96a8 1ed4e178 0001300 020301 4 d d
    06092a 86 01010505 00038181 0093656f 639e138e 90b69e66 b50190fc 4886f70d
    42d9b4a8 11828da4 e0765d9c 52d84f8b 8e70747e e760de88 c43dc5eb 1808bd0f
    fd2230c1 53f68ea1 00f3e956 97eb313e 26cc49d7 25b927b5 43d8d3fa f212fcaf
    59eb8104 98e3a1d9 e05d3bcb 428cd7c6 61b530f5 fe193d15 ef8c7f08 37ad16f5
    d8966b50 917a88bb f4f30d82 6f8b58ba 61
    quit smoking
    Telnet timeout 5
    SSH stricthostkeycheck
    SSH timeout 5
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0
    VPN-addr-assign local reuse / 360 time
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    Trust ASDM_Launcher_Access_TrustPoint_0 vpnlb-ip SSL-point
    SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
    WebVPN
    allow outside
    AnyConnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
    AnyConnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
    AnyConnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
    AnyConnect enable
    tunnel-group-list activate
    internal GroupPolicy_cnd-vpn group policy
    GroupPolicy_cnd-vpn group policy attributes
    WINS server no
    value of server DNS 8.8.8.8
    client ssl-VPN-tunnel-Protocol
    by default no
    xxxx GCOh1bma8K1tKZHa username encrypted password
    type tunnel-group cnd - vpn remote access
    tunnel-group global cnd-vpn-attributes
    address-cnd-vpn-dhcp-pool
    strategy-group-by default GroupPolicy_cnd-vpn
    tunnel-group cnd - vpn webvpn-attributes
    activation of the alias group cnd - vpn
    !
    ICMP-class class-map
    match default-inspection-traffic
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map icmp_policy
    icmp category
    inspect the icmp
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    !
    global service-policy global_policy
    service-policy icmp_policy outside interface
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:261228832f3b57983bcc2b4ed5a8a9d0
    : end

    Can you confirm that this is correct? Your diagram shows the public IP address on the ASA as .30, while you have assigned .29 on the 'outside' interface.

  • SSL VPN customization on Cisco ASA version 8

    Is there a way to customize the appearance of the SSL VPN? To change the features of the ASA customization? To change the whole look of the portal page the way we like it, and not the Cisco defaults? For example, the RDP plugin always displays the help text on the right side, and we would like to show different text in that area. We were able to change it but could not import it into the ASA.

    Importing an SSL VPN customization into the ASA is not possible. It is also not possible to change the appearance of the portal page.

  • ASA 9.1 + ACS 5.4: SSL web portal bookmarks according to AD group

    Hello.

    I am having some problems with SSL VPN on an ASA 5515-X.

    I have an ASA (9.1) with the clientless SSL web portal connected to ACS (5.4), and the AnyConnect mobile client set up. ACS also has a connection to Active Directory.

    So it is set up so that users in one AD group, for example VPN_clients, connect via the AnyConnect client or clientless via the SSL web page. And it works very well.

    My goal is to have different SSL portal bookmarks (that is, different ASA group policies) according to the user's AD group.

    For example: I have 3 groups in AD: VPN_admin, VPN_Finance, VPN_Logistic. I want users in each group, after authenticating to the SSL web portal, to see only their own bookmarks, available only to their group.

    As I understand it, after the authentication process ACS must tell the ASA which AD groups the user belongs to, and the ASA should choose the right group policy for the user, but I have no experience of how to do that?

    Hello Ivan,

    You're right, ACS can tell the ASA which group policy to assign, based on RADIUS attribute 25.

    Steps on the ACS:

    1 - Define the AD groups:

    2 - Set the authorization profile under Policy Elements:

    3 - Create the access policy and authorization criteria:

    Then, on the ASA:

    1 - Create a group policy and name it.

    2 - Through ASDM, create and assign bookmarks to this group policy.

    3 - Once a user authenticates, ACS sends attribute 25, which contains the string 'OU=it'.

    4 - The ASA looks for the group policy 'it' and assigns it to the user's session.

    Let me know if you have any questions.

    HTH.

    Please rate all helpful posts.
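    The ASA side of the four steps above, written out as an added example (this is not configuration from the thread or from Cisco). The group-policy names GP_VPN_Admin / GP_VPN_Finance / GP_VPN_Logistic, the URL-list names Admin_Bookmarks etc. (assumed to have been created in ASDM as in step 2), the ACS address 10.1.30.10 and the tunnel-group name SSL-Portal are all assumptions. Cisco documents the value the ASA expects in IETF attribute 25 (Class) as OU=<group-policy-name>; with a trailing semicolon, so each ACS authorization profile should carry that string for its group:

```cisco
! One group policy per AD group. The name must match, character for
! character, what ACS returns in RADIUS attribute 25 (Class):
!   ACS authorization profile for AD group VPN_admin    -> Class = "OU=GP_VPN_Admin;"
!   ACS authorization profile for AD group VPN_Finance  -> Class = "OU=GP_VPN_Finance;"
!   ACS authorization profile for AD group VPN_Logistic -> Class = "OU=GP_VPN_Logistic;"
! (ACS 5.4: Policy Elements > Authorization and Permissions > Network Access
!  > Authorization Profiles, RADIUS Attributes tab, Dictionary RADIUS-IETF,
!  attribute Class; then one Access Policy authorization rule per AD group.)
group-policy GP_VPN_Admin internal
group-policy GP_VPN_Admin attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value Admin_Bookmarks
group-policy GP_VPN_Finance internal
group-policy GP_VPN_Finance attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value Finance_Bookmarks
group-policy GP_VPN_Logistic internal
group-policy GP_VPN_Logistic attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value Logistic_Bookmarks
!
! Fail closed: the tunnel-group's default policy permits no logins, so a user
! for whom ACS returns no Class attribute (not in any VPN_* group) gets no
! portal at all instead of inheriting somebody else's bookmarks.
group-policy GP_NoAccess internal
group-policy GP_NoAccess attributes
 vpn-simultaneous-logins 0
!
! ACS as the RADIUS authentication server for the portal tunnel-group.
! (assumed address; the shared secret is a placeholder)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.30.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
tunnel-group SSL-Portal type remote-access
tunnel-group SSL-Portal general-attributes
 authentication-server-group ACS
 default-group-policy GP_NoAccess
tunnel-group SSL-Portal webvpn-attributes
 group-alias Portal enable
```

    To check the result, log in as a user from each AD group and look at the "Group Policy" field in `show vpn-sessiondb webvpn`; if it shows GP_NoAccess (or the login is refused), run `debug radius` during a test login and compare the Class string ACS actually sent against the group-policy names, including the semicolon. RADIUS only obfuscates the password and does not encrypt the rest of the exchange, so the ASA-to-ACS path should stay on a trusted inside segment.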

  • Change the 'Password required' prompt in SSL VPN

    Does anyone know how to change the 'Password required' prompt in SSL VPN? If it is editable via ASDM, I can't find it! I've been all over Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Customization, but cannot find where this particular piece of text is changed. The problem is that the existing text doesn't accurately reflect my organization's password policy.

    See the attached image file for the exact section of text I would like to change.

    Thank you

    Ben Posner

    Hi Ben,

    ASDM > Configuration > Remote Access VPN > Language Localization

    Expand Templates --> select webvpn --> Export --> save the file

    Now find the msgid you want to edit and write your own string under msgstr, as follows:

    #: Mummy.c:5758
    #, c-format
    msgid "password expired in %s day(s), if you want to change now enter a new password with minimum length %s."
    msgstr "insert your string here."

    Now import it on the same ASDM page:
    Language: en
    Translation: webvpn

    You should now see your custom string.

    Ivan
