SSL VPN WEB cannot connect

Hello

I'm deploying an SSL VPN in ASA 8.0, I have access to the public interface and authentication configured radius.

I have the debug RADIUS in asa and I see authentication is OK, I also checked Ray asa and works for the authentication test button, but

It does work for approval.

I've already set up a local user to the radius server.

Thanks for your help.

Best regards

Fran

You may be hitting a license limit if a few sessions have not stopped correctly and that you have only the default value of 2 licenses SSL... Do 'show worm' to see how much you have licenses webvpn. Also try "vpn-sessiondb disconnection of all" to delete all existing connections.

-heather

Tags: Cisco Security

Similar Questions

SSL - VPN can not connect - Windows 10

Hello

Our office has a SonicWall TZ105, with a more recent firmware, and now with Windows 10, we are unable to connect via SSL - VPN. The user name and password are correct, and I can connect with the Android app. But in Windows 10, I tried the MobileConnect App, the more recent mysonicwall NetExtender, used the terminal to create the VPN connection and just manually made a VPN connection and nothing works.

The President of our company just got a new laptop and there 10 Windows, and I'm hitting a wall in the world, but need to get its connected to our office.

Other VPN connections to other VPN servers work on this laptop, but not at our office. He used to work with the same settings of router on Windows 7.

Each different method of connection attempt is to give a different error. The more strange to me, it's "the specified port is already open." But there is no other connection to that port, and I am still able to connect using my phone.

Any ideas? Thanks in advance!

I was able to solve the problem using the NetExtender 7.0.203, version downloaded from mysonicwall.com. It was the only version (back to 5.0.?) that has been successfully can connect to our TZ105 with a laptop Win10 with all updates.

I hope this helps someone else, I was pretty nearly pulling my hair out...

SSL VPN ASA 5510 connect Any

Hello

I want to configure SSL VPN for mobile users on ASA 5510 I have following requirements

> What are the condition of licence on ASA 5510 VPN with Anyconnect SSL?

> VPN users have full access to the local network via ASA

> Authentication method preferred, Local or AD (LDAP)

> users use not laptops should be limited to the Clientless SSL VPN

> How to add a URL is visible to users in the Web page

> Can someone view example configuration for the above requirements

TIA

Hitesh Vinzoda

> If you need both AnyConnect and WebVPN (Clientless SSL VPN), you can buy the AnyConnect Premium license (and this is a base user license). The ASA would come with default 2 SSL VPN license.

> To have full access to the local network, you must use AnyConnect SSL VPN. Here is an example of configuration:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808efbd2.shtml

> You can authenticate to AD or Local or RADIUS, etc. By default, this would be local authentication.

> Here's some example configuration for clientless SSL VPN:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008072462a.shtml

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00806ea271.shtml

Hope that helps.

CSCun53913 ISA500: SSL VPN stops accepting connections.

Since the beginning when put into production ISA570 had this problem (SSL VPN stops and the solution is to reboot the device) used 3 new firmwares and none of them has solved this problem.
I don't understand the company like CISCO not solving this problem in an acceptable time.
When I bought the ISA570, the cisco to the Portugal told me it was ideal solution to use SSL VPN AnyConnect, omitted this question.

And now, I request this is a serious company?
Who is responsible?

Thank you

JL

I have the same problem.

But I do not restart the unit. I changed the service (such as 444) ssl port, I stop the service; I starts the service and in replace port 443.

A few days later, the problem is back.

Thanks for solving the problem.

SSL VPN - ASA - Active Directory LDAP

Hello

Scenario: ASA 8.0 (3) running SSL VPN for remote users. LDAP also authenticates access and connect to the ASA.

For some reason any (we had a power failure, but the problem may be caused by other reasons as well), I can not connect to the ASA, as my login ID does not work, and remote users get connection error when trying to authenticate via SSL VPN web gui.

I have rebooted the ASA and AD without any change in the situation. This service worked very well before and the problem happened suddenly. No one has all the changes for the configs. Customer do not have a backup configuration. Any suggestion on what would be the best next action to solve this problem? I'm not expert on the Microsoft LDAP configuration, and if anyone knows where I can check in Microsoft windows server 2003 for the possible LDAP problem, that would be greatly appreciated.

Thank you

rdianat

the ldap bind account is just a normal user account. He didn't need even administrative permissions. If you want to use ldap for password changes he needs to password change permissions, but otherwise just a normal user account - make sure it cannot be locked in AD or the password never expires none of this things. you will see the name of the ldap account in the config of the SAA.

LDAP-login-password *.

LDAP-connection-dn *.

SSL VPN and Windows 7 32 bit

I wonder if it is possible to have 2 SSL VPN client running simultaneously at the same time. When I'm working out of the site, I have to do the following:

1. I call Array SSL VPN network to connect to the corporate network. I need it to be able to read emails.

2. I invoke some other developed internal SSL VPN client to connect to the customer's network. This is necessary to get access to access the Citrix customer environment.

When I run the 2nd SSL VPN, my vision behaves erratically as the gel or the loss of connection to the exchange server.

SSL VPN network table is a SSL VPN split, which means that it routes web traffic of the company and nothing else.

Developed internal SSL VPN is configured to route specific IP range.

I wonder if there is any limitation in Windows 7 32 - bit OS that prevent me to simultaneously run 2 SSL VPN clients.

Appreciate your comments and your support.

Hi SamPersis,

Your question of Windows is more complex than what is generally answered in the Microsoft Answers forums. Appropriate in the TechNet forums.

Please post your question in the Windows 7 IT Pro TechNet Forums: http://social.technet.microsoft.com/Forums/windows/en-US/home?category=w7itpro

Thank you.

Help, please! Cannot access the web after connected to the VPN

Hello

I'm a newbie on Cisco products. I configured a Cisco ASA 5505 with VPN firewall. However, I can't access the web after I connected to the remote IPSec VPN. I also cannot connect to the bands using the intellectual property. But I can connect to the internal servers in the office with no problems.

Here is my setup, can someone help please? Thank you very much

ASA Version 8.2 (5)

!

host name asa

xxxxxxxxx.com domain name

enable the encrypted password xxxxxxxxxxx

xxxxxxxxxxx encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP address dhcp setroute

!

passive FTP mode

area of zone clock - 8 schedule

clock summer-time recurring PDT 1 Sun Apr 02:00 last Sun Oct 02:00

DNS lookup field inside

DNS server-group DefaultDNS

Server name 107.204.233.222

name-server 192.168.1.3

xxxxxxxxx.com domain name

inside_nat0_outbound list of allowed ip extended access all 192.168.1.96 255.255.255.240

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

IP local pool sc-192.168.1.100 - 192.168.1.110 mask 255.255.255.0

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 192.168.1.0 255.255.255.0

NAT (inside) 1 0.0.0.0 0.0.0.0

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

the ssh LOCAL console AAA authentication

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH 192.168.1.0 255.255.255.0 inside

SSH timeout 5

Console timeout 0

interface ID client DHCP-client to the outside

dhcpd outside auto_config

!

dhcpd address 192.168.1.5 - 192.168.1.36 inside

dhcpd dns 107.204.233.222 inside the 192.168.1.3 interface

dhcpd allow inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal strategy group xxxxxxxx-sc

attributes of xxxxxxxx-sc group policy

value of 107.204.233.222 DNS server 192.168.1.3

Protocol-tunnel-VPN IPSec

XXXXXXXXXX.com value by default-field

xxxxx xxxxxxxxxxx encrypted password username

Strategy Group-VPN-xxxxxxxx-sc

remote access to tunnel-group xxxxxxxx-sc type

attributes global-tunnel-group xxxxxxxx-sc

address sc-pool pool

Group Policy - by default-xxxxxxxx-sc

tunnel-group xxxxxxxx-sc ipsec-attributes

pre-shared key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

call-home service

anonymous reporting remote call

call-home

contact-email-addr [email protected] / * /

Profile of CiscoTAC-1

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:5c1c99b09fb26fcc36a8bf7206af8e02

: end

Hello

Try adding the following commands

permit same-security-traffic intra-interface

NAT (outside) 1 192.168.1.96 255.255.255.240

Is there are always problems with VPN then I would maybe change VPN pool to anything other than something that comes into conflict with the LAN.

In this case, these configurations should do the trick

In order from top to bottom, they would do the following things
- First remove the pool VPN and VPN configurations
- Then remove the VPN pool
- Remake of the VPN Pool with different network
- Reattach the VPN pool for VPN configurations
- Configure NAT0 to the new cluster of VPN
- Remove the old line of the ACL of the configuration of NAT0
attributes global-tunnel-group xxxxxxxx-sc

no address-sc-swimming pool

no ip local pool sc 192.168.1.100 - 192.168.1.110 mask 255.255.255.0

IP local pool sc-192.168.2.10 - 192.168.2.254 mask 255.255.255.0

attributes global-tunnel-group xxxxxxxx-sc

address sc-pool pool

inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.2.0 255.255.255.0

no access list inside_nat0_outbound extended permits all ip 192.168.1.96 255.255.255.240

Of course you also have the NAT configuration for VPN pools new Internet traffic

NAT (outside) 1 192.168.2.0 255.255.255.0

Please rate if the information has been useful if this resolved the issue as mark responded.

-Jouni

Unable to connect to the site Web SSL VPN with firewall zone configured

I recently updated my 2911 company and set up a firewall area. This is my first experience with this and I used Cisco Configuration Professional to build the configuration of the firewall first and then edited the names to make it readable by humans. The only problem I can't solve is to learn site Web SSL VPN from outside. I can navigate the website and connect without problem from the inside, and even if it was useful to verify that the Routing and the site work properly it is really not what I. I don't get anything on the syslog for drops because of the firewall server, or for any other reason but packet capture show that no response is received when you try to navigate to the outside Web site. I am currently using a customer VPN IPSEC solution until I can get this to work and have no problem with it. I have attached a sanitized with the included relevant lines configuration (deleted ~ 400 lines including logging, many inspections on the movement of the area to the area and the ipsec vpn, which I already mentioned). I searched anything about this problem and no one has no problem connecting to their Web site, just to get other features to work correctly. All thoughts are welcome.

See the security box

area to area

Members of Interfaces:

GigabitEthernet0/0.15

GigabitEthernet0/0.30

GigabitEthernet0/0.35

GigabitEthernet0/0.45

area outside zone

Members of Interfaces:

GigabitEthernet0/1

sslvpn area area

Members of Interfaces:

Virtual-Template1

SSLVPN-VIF0

I tried to change the composition of the area on the interface virtual-Template1 to the outside the area nothing helps.

See the pair area security

Name of the pair area SSLVPN - AUX-in

Source-Zone sslvpn-area-zone of Destination in the area

Service-SSLVPN-AUX-IN-POLICY

Name of the pair area IN SSLVPN

Source-Zone in the Destination zone sslvpn-zone

service-policy IN SSLVPN-POLICY

Name of the pair area SELF SSLVPN

Source-Zone sslvpn-area free-zone Destination schedule

Service-SELF-to-SSLVPN-POLICY

Zone-pair name IN-> AUTO

Source-Zone in the Destination zone auto

Service-IN-to-SELF-POLICY policy

Name of the pair IN-> IN box

In the Destination area source-Zone in the area

service-policy IN IN-POLICY

Zone-pair name SELF-> OUT

Source-Zone auto zone of Destination outside the area

Service-SELF-AUX-OUT-POLICY

Name of the pair OUT zone-> AUTO

Source-Zone out-area Destination-area auto

Service-OUT-to-SELF-POLICY

Zone-pair name IN-> OUT

Source-Zone in the Destination area outside zone

service-strategy ALLOW-ALL

The pair OUT zone name-> IN

Source-out-zone-time zone time Zone of Destination in the area

Service-OUT-to-IN-POLICY

Name of the pair area SSLVPN-to-SELF

Source-Zone-Zone of sslvpn-area auto

Service-SSLVPN-FOR-SELF-POLICY

I also tried to add a pair of area for the outside zone sslvpn-zone passing all traffic and it doesn't change anything.

The area of networks

G0/0.15

172.16.0.1 26

G0/0.30

172.16.0.65/26

G0/0.35

172.16.0.129/25

G0/0.45

172.18.0.1 28

Pool of SSL VPN

172.20.0.1 - 172.20.0.14

Latest Version of IOS:

Cisco IOS software, software C2900 (C2900-UNIVERSALK9-M), Version 15.0 (1) M10, RELEASE SOFTWARE (fc1)

Glad works now. Weird question, no doubt.

I guess that on the deployment guide said that the firewall will not support inspection of TCP to the free zone, however, class nested maps are used to accomplish this, to be completely honest, I think it's a mess and the best thing to do is action past to auto for the protocols that you want and then drop the rest.

Let us know if you have any other problems.

Mike

Problem IBM Lotus iNotes 8.5 ssl clientless web vpn - ASA5510 v.8.2(2) OS

Hello

I have problems to display Lotus iNotes through Domino 8.5 correctly a page Web the VPN without client in my Cisco ASA5510.

One of our customers has implemented Lotus Domino 8.5 and have portals of the individual user so that the user can each access their e-mail, calendar, journals, debates, etc.. Everything works fine on the internal network, as well as on a real SSL VPN as Anyconnect client... it is the Web page of the VPN without client that gives me a problem.

The occurrence of beginning of questions when I configure a VPN page without client for users first access, fill in a username/password general name, and then they are taken to their first iNotes login page. The iNotes login page looks very good, and when they connect in iNotes everything seems fine. However, when they start clicking around in different tabs or to open an email (all nested in the VPN page without customer), things don't arise, and error occurred on the page of iNotes as "a problem has occurred that may have caused the operation to fail. When I click on "Show Console" to get more details, I'm presented with:

-----------------------------------------

Domino version 8.5.1FP3 (Windows NT/Intel)
$HaikuForm - 304.5
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729 .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2;. NET4.0C)

2010-07-30 12:31:13 a problem has occurred that may have caused the operation to fail.
2010-07-30 12:31:13 ' CSCO_Util.parse_url (...). path ' is null or not an object
2010-07-30 12:31:13 https:/// + CSCOL + / cte.js: 9
2010-07-30 12:31:13 [GBy]-[(token) {var c = HTMLParserUtils; if(this._cur_segment==null) {ADAPT] ([object Object])
30/07/2010 12:32:08 [dojo - 1.3.2] failed to load http://mail1.fake.comdomjs/dojo-1.3.2/dojo/... /IBM/iNotes/widget/layout/DWASidebarContainer.js with error: [object Error]
30/07/2010-12:32:08 a problem has occurred that may have caused the operation to fail.
30/07/2010 12:32:08 failed to load "ibm.iNotes.widget.layout.DWASidebarContainer"; Finally tried '... ' /IBM/iNotes/widget/layout/DWASidebarContainer.js
30/07/2010-12:32:08 https:/// CSCO + 00756767633A2F2F7A6E7679312E656E71706E616762612E70627A ++ / domjs/dojo-1.3.2/dojo/dojo.js: 20
30/07/2010 12:32:08 [GBy] - [(_51,_52) {_52 = this ._global_omit_module_check: _52; var _53 = this. _}]("ibm.iNotes.widget.layout.DWASidebarContainer")

-----------------------------------------

Users cannot open emails or create new email, neither can they do a lot of other primary functions in iNotes through this VPN without client. Looks like the redirection to URL of the ASA's corrupting what you looking for the Domino server. It does not work very well unlike what documentation Cisco says is "optimized for Lotus iNotes.

Does anyone have any suggestions? , I like to stay out of the way using a single SSL certificate (loser 2-factor of authentication, and must make an exception of firewall directly on the server on the network) and stay out of the way using Anyconnect if I can help it. I also want to emphasize the iNotes specifically that gives me this problem, not the Lotus Notes client part full I could do work using Smart Tunnels.

Troubleshooting steps, I made:

DNS servers appropriate 1.) are defined in the firewall

2.) I tried both full / lite of iNotes and produce both the same mistakes.

(3.) I tried Firefox 3.6.8 IE6, IE8 on Windows 7 and Windows XP. I think I have slightly better results than other browsers Firefox, but it is not error-free.

4.) I studied corruption cookie by removing all the stories and turn off any browser plugins and accelerators

Thank you!

Have you tried to use the smart tunnels for the DWA bookmark? Can u also try mode lite with the active smart tunnel?

Also in the description of your problem, when you say produces better results than IE Firefox, this exactly what you get?

SSL VPN Tunnel mode, "page cannot be found" - Urgent!

Hi experts,

I am trying to configure a tunnel mode SSL VPN (the one who downloads the client to your PC to give full access to the network) and the urgent need of your help, sorry for the emergency, but my client needs this as soon as possible and my wife due our second baby from last Monday so time is of the essence

I get an invalid certificate Internet explore when I navigate to http://publicip/remote, which is very well that it is a self cert signed, but when I click on 'continue' I get an error "page cannot be found".

Did I miss something in the config or if I'm away from Flash (web files) files?

I have attached the config but also a worm and dir flash sh.

I ran the SDM to configure and as such he has inserted an ACL of the IP allowed the host publicip, I don't like this good and want to remove it, can advise you?

Thank you very much

Dave

Hello

Try to change this command in your context:

Gateway gateway_1 domain domain.com

TO

Gateway gateway_1

'domain' indicated that here is not real estate, but a part after the URL. With the configuration you have, you will need to connect to the following url for a Web page:

https://publicip/domain.com

Which is probably why you get an error when you simply browse to https://publicip

-Jason

access of entrepreneurs and employees of the web site in-house using clientless ssl vpn.

We have a layout of web SSL VPN without customer who allow employees and suppliers of connection and internal display web page. I wonder if possible separate employees and contractors to access internal pages. The internal web page has no authentication of users. They would like to see if it is possible that traffic employees get proxy behind interface INSIDE IP de ASA and entrepreneur behind a different IP address proxy traffic. Thus, the internal web page can check IP to contractor and only give them access to view certain web page, but not all pages.

Hello

Creating a group policy for each user group will be a good option, you can also use DAP to assign an ACL web to the user who logs on the portal without client, you can use the Radius, LDAP or Cisco attributes to associate the DAP for the user. For example, if you are using LDAP, you can create 2 groups separated here for employees and entrepreneurs and based on the LDAP user group membership, they will be assigned to specific web acl configured according to their access restrictions.

You can follow this link to set up an acl of web:

http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa83/asdm63/Configura...

Once the ACL is ready, you can follow this guide to configure the DAP Protocol: "check the web for acls figure10.

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

Thank you, please note!

RVL200 SSL VPN: cannot access a remote LAN with iPad2

RVL200 firmware 1.1.12.1

iPad2 cannot access any device on the Remote LAN despite the closed padlock icon.

Is there another App needed? Or how to debug SSL VPN?

Emmanuel,

Were you able to access the LAN devices? Also, have you connected using a Mac or a PC successfully to verify that the devices are available? Sometimes antivirus and firewall software can block access to devices from a remote IP address.

possible redirect Web SSL VPN to another external ip?

Hi, it is possible to redirect the web ssl vpn to another external ip of my external range or could I do not use the external interface?

For example:

ASA outdoors: 213.23.4.50 (https://213.23.4.50)

Redirect outside: 213.23.4.51 (https://213.23.4.51)

same question to redirect the vpn client ip address external to the other that the IP outside of asa.

concerning

Jason

Jason,

Pretty easy

BSNs-ASA5520-10 (config) # webvpn
BSNs-ASA5520-10(config-WebVPN) # port?

the WebVPN mode options/controls:
<1-65535>The WebVPN Server SSL listening port. The TCP 443 port is the
by default.

Please note however that your users will use

https://my.domain.tld:port

to connect... even for clientless and SVC.

Marcin

established - VPN connection, but cannot connect to the server?

vpn connection AnyConnect is implemented - but cannot connect to the server? The server IP is 192.168.0.4

Thank you

ASA Version 8.2 (1)

!

hostname ciscoasa5505

names of

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.0.3 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP 208.0.0.162 255.255.255.248

!

interface Vlan5

Shutdown

prior to interface Vlan1

nameif dmz

security-level 50

IP address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

clock timezone PST - 8

clock summer-time recurring PDT

DNS lookup field inside

DNS server-group DefaultDNS

192.168.0.4 server name

Server name 208.0.0.11

permit same-security-traffic intra-interface

object-group Protocol TCPUDP

object-protocol udp

object-tcp protocol

object-group service TS-780-tcp - udp

port-object eq 780

object-group service Graphon tcp - udp

port-object eq 491

Allworx-2088 udp service object-group

port-object eq 2088

object-group service allworx-15000 udp

15000 15511 object-port Beach

object-group service udp allworx-2088

port-object eq 2088

object-group service allworx-5060 udp

port-object eq sip

object-group service allworx-8081 tcp

EQ port 8081 object

object-group service web-allworx tcp

EQ object of port 8080

allworx udp service object-group

16001 16010 object-port Beach

object-group service allworx-udp

object-port range 16384-16393

object-group service remote tcp - udp

port-object eq 779

object-group service billing1 tcp - udp

EQ object of port 8080

object-group service billing-1521 tcp - udp

port-object eq 1521

object-group service billing-6233 tcp - udp

6233 6234 object-port Beach

object-group service billing2-3389 tcp - udp

EQ port 3389 object

object-group service olivia-3389 tcp - udp

EQ port 3389 object

object-group service olivia-777-tcp - udp

port-object eq 777

netgroup group of objects

network-object host 192.168.0.15

network-object host 192.168.0.4

object-group service allworx1 tcp - udp

8080 description

EQ object of port 8080

allworx_15000 udp service object-group

15000 15511 object-port Beach

allworx_16384 udp service object-group

object-port range 16384-16393

DM_INLINE_UDP_1 udp service object-group

purpose of group allworx_16384

object-port range 16384 16403

object-group service allworx-5061 udp

range of object-port 5061 5062

object-group service ananit tcp - udp

port-object eq 880

outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing-6233

outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing-1521

outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing2-3389

outside_access_in list extended access permit tcp any host 208.0.0.164 eq https

outside_access_in list extended access permit tcp any host 208.0.0.164 eq www

outside_access_in list extended access permit tcp any host 208.0.0.164 eq ftp

outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing1

outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 EQ field

outside_access_in list extended access permit tcp any host 208.0.0.162 eq www

outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 remote object-group

outside_access_in list extended access permit tcp any host 208.0.0.162 eq smtp

outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 object-group olivia-777

outside_access_in list extended access permit udp any host 208.0.0.162 - group Allworx-2088 idle object

outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-5060

outside_access_in list extended access permit tcp any host 208.0.0.162 object-group web-allworx inactive

outside_access_in list extended access permit tcp any host 208.0.0.162 object-group inactive allworx-8081

outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-15000

outside_access_in list extended access permit udp any host 208.0.0.162 DM_INLINE_UDP_1 idle object-group

outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-5061

outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 inactive ananit object-group

outside_access_in list extended access deny ip host 151.1.68.194 208.0.0.164

permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 172.16.0.0 255.255.0.0

permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0

permit access ip 192.168.0.0 scope list outside_20_cryptomap 255.255.255.0 172.16.0.0 255.255.0.0

Ping list extended access permit icmp any any echo response

inside_access_in of access allowed any ip an extended list

permit access ip 192.168.0.0 scope list outside_cryptomap 255.255.255.0 192.168.1.0 255.255.255.0

access-list 1 standard allow 192.168.0.0 255.255.255.0

pager lines 24

Enable logging

logging buffered stored notifications

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

MTU 1500 dmz

IP local pool 192.168.100.30 - 192.168.100.60 mask 255.255.255.0 remote_pool

192.168.0.20 mask - distance local pool 255.255.255.0 IP 192.168.0.50

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

NAT (outside) 1 192.168.0.0 255.255.255.0

alias (inside) 192.168.0.4 99.63.129.65 255.255.255.255

public static tcp (indoor, outdoor) interface 192.168.0.4 smtp smtp netmask 255.255.255.255

public static tcp (indoor, outdoor) interface field 192.168.0.4 netmask 255.255.255.255 area

public static tcp (indoor, outdoor) interface 192.168.0.4 www www netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 777 192.168.0.15 777 netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 779 192.168.0.4 779 netmask 255.255.255.255

public static (inside, outside) udp interface field 192.168.0.4 netmask 255.255.255.255 area

public static tcp (indoor, outdoor) interface 880 192.168.0.16 880 netmask 255.255.255.255

static (inside, outside) 208.0.0.164 tcp 3389 192.168.0.185 3389 netmask 255.255.255.255

inside_access_in access to the interface inside group

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 208.0.0.161 1

Route inside 192.168.50.0 255.255.255.0 192.168.0.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

Enable http server

http 192.168.0.0 255.255.255.0 inside

http 192.168.0.3 255.255.255.255 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Sysopt noproxyarp inside

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

card crypto outside_map 1 match address outside_cryptomap

card crypto outside_map 1 set pfs

peer set card crypto outside_map 1 108.0.0.97

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

card crypto outside_map 20 match address outside_20_cryptomap

card crypto outside_map 20 set pfs

peer set card crypto outside_map 20 69.0.0.54

outside_map crypto 20 card value transform-set ESP-3DES-SHA

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 5

preshared authentication

3des encryption

sha hash

Group 2

life no

crypto ISAKMP policy 30

preshared authentication

3des encryption

sha hash

Group 1

life no

Telnet timeout 5

SSH timeout 5

Console timeout 0

identifying client DHCP-client interface dmz

dhcpd outside auto_config

!

dhcpd address 192.168.0.20 - 192.168.0.50 inside

dhcpd dns 192.168.0.4 208.0.0.11 interface inside

dhcpd allow inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

allow outside

SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image

enable SVC

tunnel-group-list activate

attributes of Group Policy DfltGrpPolicy

internal group anyconnect strategy

attributes of the strategy group anyconnect

VPN-tunnel-Protocol svc webvpn

WebVPN

list of URLS no

SVC request enable

encrypted olivia Zta1M8bCsJst9NAs password username

username of graciela CdnZ0hm9o72q6Ddj encrypted password

tunnel-group 69.0.0.54 type ipsec-l2l

IPSec-attributes tunnel-group 69.0.0.54

pre-shared-key *.

tunnel-group 108.0.0.97 type ipsec-l2l

IPSec-attributes tunnel-group 108.0.0.97

pre-shared-key *.

tunnel-group anyconnect type remote access

tunnel-group anyconnect General attributes

remote address pool

strategy-group-by default anyconnect

tunnel-group anyconnect webvpn-attributes

Group-alias anyconnect enable

!

Global class-card class

match default-inspection-traffic

!

!

World-Policy policy-map

Global category

inspect the icmp

!

service-policy-international policy global

: end

ASDM location 208.0.0.164 255.255.255.255 inside

ASDM location 192.168.0.15 255.255.255.255 inside

ASDM location 192.168.50.0 255.255.255.0 inside

ASDM location 192.168.1.0 255.255.255.0 inside

don't allow no asdm history

Right now your nat 0 (NAT exemption) follows the access list:

permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 172.16.0.0 255.255.0.0

permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0

Traffic back from your server to 192.168.0.4 in the pool of VPN (192.168.0.20 - 50) not correspond to this access list and thus be NATted. The TCP connection will not develop due to the failure of the Reverse Path Forwarding (RPF) - traffic is asymmetric NATted.

Then try to add an entry to the list of access as:

permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.0.0 255.255.255.0

It's a bit paradoxical but necessary that your VPN pool is cut out in your interior space network. You could also do like André offers below and use a separate network, but you would still have to add an access list entry to exempt outgoing NAT traffic.

SSL VPN, is possible for the failing show the "untrusted site" warning when connecting

SSL VPN, is possible for the not display the warning "untrusted site" when connecting. I trust 3rd cert left installed on the SAA. Is it possible, when I connect to it via the Web for the not give users the below page and just go to the connection. If they hit to continue it works but we are looking for a way to remove this error.

There is a problem with this Web site's secure certificate.

The security certificate presented by this website was not issued by an approved certification authority.

A site address different Web issued the security certificate presented by this website.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

We recommend that you close this webpage and do not make this Web site.

Click here to close this webpage.

Continue to this website (not recommended).

More information

Hi Jason,

Follow these steps:

1-no ssl trustpoint outside ssl.axisbu.com.trustpoint

2 - webvpn

no activation outside

output

3 - ssl trustpoint outside ASDM_TrustPoint3

4 - webpvn

allow outside

It seems that he does not have the right certificate, probably the self-signed is stuck, please follow the steps and let me know.

Thank you.

Portu.

SSL VPN WEB cannot connect

Similar Questions

Maybe you are looking for