URL via SSL VPN access
Dear members,
Please see the diagram for an easy understanding of the issue.
I am facing a problem with the SSL VPN configured on an ASA 5520. Here is the simple network topology.
The customer has an ERP server on the inside segment, which is running Apache/Tomcat 5.5 and listening on port 8204. The complete URL to access the installed application is
http://192.168.2.1:8204/system/servlet/login
The ASA connects to a perimeter router, which has ASA remote-access VPN configured. Cisco VPN client users can access this URL easily when they connect via VPN, and if I create a static translation for the IP 192.168.2.1, the full URL is also accessible from the outside. The problem is with the SSL VPN: when I enter the URL, nothing appears and the session expires. However, if I just enter http://192.168.2.1:8204, the Apache/Tomcat page opens, which means that through the SSL VPN I can reach the web server running on 192.168.2.1, but this particular URL is not accessible.
Here Apache on the ERP server is listening on a nonstandard port, which could be the reason; I may need to create a port-forwarding or "smart tunnel" entry.
I already tried port forwarding, but that has not solved the problem.
All input from your side will be highly appreciated.
Thank you
Ahad
Hi Ahad,
When you access the server (http://192.168.2.1:8204/system/servlet/connectionURL) from the inside, does the URL in the browser address bar remain the same, or does it redirect?
Is there a Java applet on the login page?
Now, there are several things to try:
- Do a "view page source" on the working (internal or via IPsec VPN) login page and again on the failing (via WebVPN) page and compare; does that raise any suspicion?
- You can install software like Charles SSL Proxy (http://www.charlesproxy.com/ - note this is not a Cisco product, nor approved by Cisco) to see exactly what is happening above the SSL tunnel (i.e. it will show you the HTTP requests from the browser to the server and the responses). Again, you can do this for both the working and the non-working case and compare.
- As a possible solution: create an HTTP bookmark on the portal for this URL and select "smart tunnel" for it.
HTH
Herbert
Tags: Cisco Security
Similar Questions
-
Clientless SSL VPN access to HP iLO
Equipment:
ASA5505
Clientless SSL VPN access is configured and it works fine for everything except connectivity to an HP iLO. When I go to the http address, I see the redirect page, but as soon as it accesses the https page, I get the following text:
Connection failed. Server 192.168.10.252 unavailable. It happens on all HP iLO web sites that I try to connect to.
Here is my debugging config:
debug webvpn html 255
debug webvpn request 255
debug webvpn response 255
debug webvpn url 255
debug webvpn util 255
When I try to reach the site, I get the following:
#0xcb4dc9c0 (GET) Request line: /+CSCO+0075676763663A2F2F697A7679622E716E79766176662E7962706E79++/login.htm
#0xcb4dc9c0 hand-off to CTE
#0xcb4dc3c0 (GET) Request line: /+CSCOE+/portal.css
#0xcb4dc3c0 (response) start
#0xcb4dc3c0 file to run: /+CSCOE+/portal.css
#0xcb4dc3c0 (response) handler: open file [/+CSCOE+/portal.css]
#0xcb4dc3c0 (response) processing LUA page
#0xcb4dc3c0 (response) done, persistent connection
#0xcb4dccc0 (GET) Request line: /+CSCOU+/gradient.gif
#0xcb4dccc0 (response) start
#0xcb4dccc0 file to run: /+CSCOU+/gradient.gif
#0xcb4dccc0 (response) handler: open file [/+CSCOU+/gradient.gif]
#0xcb4dccc0 (response) processing C page
#0xcb4dccc0 (response) done, persistent connection
As you can see, it does not give much information. I don't really know why it does not work only with HP iLO, while it works with everything else. Any help would be greatly appreciated. Thank you.
Gus
I am not exactly sure how the HP iLO application works, but if it calls Java this will cause your problem, because you are only allowing HTTP or HTTPS through the clientless portal. Try to enable smart tunnel and allow java.exe on your local computer to use the smart tunnel. This will force your local Java client to be sent through the SSL tunnel (443).
Sent from Cisco Technical Support iPad App
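The request line in Gus's debug output carries the origin URL in the clientless rewriter's "/+CSCO+…++" prefix: the hex string decodes to one flag byte followed by the ROT13-obfuscated origin URL, so the debug output does say which backend scheme and host the portal proxied each request to (the iLO redirect from http to https is exactly the kind of thing this makes visible). The decoder below is an added example, not code from the post or from Cisco; the prefix format is an assumption inferred from the line above, the `encode_csco` helper exists only to build constructed sample lines, and the hostnames are invented.

```python
import codecs
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed format of the rewriter prefix: "/+CSCO+" + hex(flag byte + rot13(origin URL)) + "++" + path
CSCO_RE = re.compile(r"/\+CSCO\+(?P<hex>[0-9A-Fa-f]+)\+\+(?P<path>/\S*)?")


def encode_csco(origin_url, flag=0):
    """Build a /+CSCO+<hex>++ prefix for a constructed sample line (assumed format)."""
    obfuscated = codecs.encode(origin_url, "rot13").encode("ascii")
    return "/+CSCO+" + (bytes([flag]) + obfuscated).hex().upper() + "++"


def decode_csco(request_line):
    """Return the flag byte, origin URL and path hidden in a request line,
    or None when the line carries no +CSCO+ prefix (portal-internal assets)."""
    m = CSCO_RE.search(request_line)
    if m is None:
        return None
    raw = bytes.fromhex(m.group("hex"))
    origin = codecs.decode(raw[1:].decode("ascii"), "rot13")
    return {"flag": raw[0], "origin": origin, "path": m.group("path") or "/"}


def summarize_backends(debug_lines):
    """Count (scheme, host) pairs the portal proxied requests to, so a
    redirect from http to https on the same host stands out at a glance."""
    counts = Counter()
    for line in debug_lines:
        info = decode_csco(line)
        if info is None:
            continue
        parts = urlsplit(info["origin"])
        counts[(parts.scheme, parts.hostname)] += 1
    return counts


# Constructed sample in the shape of "debug webvpn request" output; the
# hostnames are invented and are not the ones from the post above.
SAMPLE_LINES = [
    "#0xcb4dc9c0 (GET) Request line: " + encode_csco("http://ilo-a.example.internal") + "/",
    "#0xcb4dc9c0 (GET) Request line: " + encode_csco("https://ilo-a.example.internal") + "/login.htm",
    "#0xcb4dc3c0 (GET) Request line: /+CSCOE+/portal.css",
    "#0xcb4dccc0 (GET) Request line: /+CSCOU+/gradient.gif",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_csco(line))
    print(summarize_backends(SAMPLE_LINES))
```

Feed it the lines from `debug webvpn request` and the summary shows whether the failing session is being rewritten to the https side of the iLO at all; if the only origin requests are http ones, the redirect is being lost before the portal ever proxies the https page.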
-
(Browser) clientless SSL VPN access is not allowed.
I'm trying to set up an additional AnyConnect VPN profile. I have one that is working properly, but this new one will not. When I try to log in to download the client, or try to connect from a computer that already has the client, I cannot.
The client side receives this error: "(Browser) Clientless SSL VPN access is not allowed."
In the ASA log:
4|May 10 2010|11:42:17|722050|Group <> User <> IP <10.12.x.x> Session terminated: SVC not enabled for the user
4|May 10 2010|11:42:17|113019|Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: unknown
It does reference our main IPsec connection group name, which I find very strange. Here is the part of my config that deals with the SSL client.
tunnel-group SSL-RDP-Only type remote-access
tunnel-group SSL-RDP-Only general-attributes
 address-pool SSL_VPN_Users
 authentication-server-group FUN-LDAP
 default-group-policy SSL-RDP
tunnel-group SSL-RDP-Only webvpn-attributes
 group-alias VPN_FUN enable
 group-url https://64.244.9.X/VPN_FUN enable
group-policy SSL-RDP internal
group-policy SSL-RDP attributes
 vpn-filter value RDP_only
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RDPonlyVPN_splitTunnelAcl
 webvpn
  url-list none
  svc ask none default svc
access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
access-list RDP_only extended permit tcp SSLVPN-pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
access-list RDP_only remark .x RDP
access-list RDP_only extended permit tcp SSLVPN-pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
access-list RDP_only remark .x RDP
access-list RDP_only extended permit tcp SSLVPN-pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
access-list RDP_only remark .x RDP
access-list RDP_only extended permit tcp SSLVPN-pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
ip local pool SSL_VPN_Users 10.12.20.1-10.12.20.100 mask 255.255.255.255
Post edited by: kyle.southerland
After reviewing the config, the difference between the AnyConnect and SSL-RDP-Only groups is the AAA server.
The AnyConnect group uses a RADIUS server for authentication (RAS01), while the SSL-RDP-Only group uses an LDAP server for authentication (FUN-LDAP), and in the configuration of the FUN-LDAP server you have configured an LDAP attribute map, which maps the group "An1meR0xs".
To test, change the AAA authentication from LDAP to RADIUS for the newly created group.
Hope that helps.
-
INTERNET VIA REMOTE VPN ACCESS
We have a customer who wants to route all internet traffic from their remote sites through their internet connection at headquarters. In other words, when users connect to corporate headquarters using the Cisco VPN client on their PC, we need to route all their internet traffic through the headquarters firewall. Head office is running an ASA which holds all the VPN configuration. We have a number of VPNs set up for this customer but would welcome suggestions as to the best way to configure this particular piece.
Thank you very much.
Hello
This looks like U-turning or hairpinning for VPN clients, so that they can access the Internet through the tunnel.
In case it is an ASA running 8.2 or earlier:
same-security-traffic permit intra-interface
nat (outside) 1 192.168.1.0 255.255.255.0 ---> range of IP addresses assigned to VPN clients
global (outside) 1 interface
In case it is an ASA running 8.3 or later:
same-security-traffic permit intra-interface
object network vpn-pool
 subnet 192.168.1.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
On the VPN configuration:
group-policy mypolicy attributes
 split-tunnel-policy tunnelall
!
tunnel-group mytunnel general-attributes
 default-group-policy mypolicy
!
Benefits:
1. Internet access is controlled by the ASA.
Disadvantages:
1. The Internet connection of the ASA is heavily loaded, since it will be used by the VPN clients to access the Internet.
Alternative solution:
Send all traffic to an internal Layer 3 device or a server that has its own external Internet connection, so the ASA forwards all traffic to this device. If this device is able to perform advanced web filtering, like a Microsoft IIS unit, then you would have a powerful way to control your users and what they access, thus preventing undesirable sites such as adult and animation sites.
To do this, all you need is:
route inside 0 0 192.168.10.1 tunneled ---> where 192.168.10.1 is the internal device responsible for providing Internet access.
* Remember that this device must have its own external connection for Internet access, not via the ASA.
Let me know.
Portu.
Please rate any post that you find useful.
Post edited by: Javier Portuguez
-
Download of documents via SSL VPN problems
Hello
We have clients downloading documents (usually less than 3 MB in size, PDF files) from a web interface (using HTTP only) on an internal web server. The clients are using the latest version of AnyConnect for Windows and connecting to an ASA5510 running the latest 8.3 firmware. They connect from their home network on a cable or DSL connection.
I disabled threat detection and I don't see anything blocked by the firewall. Everything else our users do seems to work fine.
I ran a packet capture with Wireshark and noticed a lot of packet loss. I have attached a screenshot.
Any advice would be greatly appreciated.
Is it possible that there is another cause of the network problem?
Check the duplex/speed settings of the web server, check for interface errors on the ports, etc. Duplicate acknowledgments are caused by lost packets, out-of-order packets, etc.
-
Hello all,
I was testing a few things in my lab at home.
PC (running SSL VPN) - switch - router - ISP - ASA (AnyConnect SSL)
AnyConnect SSL works very well and I am also able to access the internet.
I use full tunnel.
I have an ACL on the outside interface of the ASA:
1 True any any ip Deny 0 Default []
I know that the ACL is applied to traffic passing through the ASA.
I need to understand the flow of traffic for internet access via SSL VPN.
Regards,
Mahesh
As you correctly say, the interface ACL is not relevant here, because the VPN traffic is not inspected by that ACL, at least not by default.
You can control the traffic with a different ACL that is applied to the group policy with the command "vpn-filter". And of course you need a NAT rule that translates your traffic when it goes to the internet. This rule should operate on the interface pair (outside,outside).
-
Unable to connect to the internal network of SSL VPN
I am setting up an ASA 5512 for the first time and I did a lot of research to solve my problem, but no luck. I would really appreciate any help.
After successfully connecting to the ASA via SSL VPN, I am only able to ping the outside interface (10.2.11.4).
Please check my config; I would like to know what the problem is. Thank you.
: Saved
:
ASA Version 9.1(2)
!
hostname asa-01
domain-name corporate.local
enable password t8tpEme73dn9e0.9 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd t8tpEme73dn9e0.9 encrypted
names
ip local pool sslvpn-ip-pool 10.255.255.1-10.255.255.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 50
 ip address 10.2.11.4 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.2.255.18 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone STD -7
clock summer-time MDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.2.9.23
 name-server 10.2.1.1
 name-server 10.2.9.24
 domain-name corporate.local
object network Trusted
 subnet 10.2.0.0 255.255.0.0
object network outside
 subnet 10.2.11.0 255.255.255.0
object network ss
 subnet 10.2.11.0 255.255.255.0
object network VPNlocalIP
 subnet 10.255.255.0 255.255.255.0
object network LAN
 subnet 10.2.9.0 255.255.255.0
object network VPN-INSIDE
 subnet 10.2.255.16 255.255.255.248
object-group service tcp4433 tcp
 port-object eq 4433
access-list SPLIT-TUNNEL standard permit 10.2.255.16 255.255.255.248
access-list SPLIT-TUNNEL standard permit 10.2.11.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit host 10.2.9.0
access-list global_access extended permit ip object VPNlocalIP object LAN
access-list global_access extended permit ip object LAN object VPNlocalIP
pager lines 24
logging enable
logging asdm informational
logging host inside 10.2.8.8
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LAN LAN destination static VPNlocalIP VPNlocalIP
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.2.11.1 1
route inside 10.2.0.0 255.255.0.0 10.2.255.17 1
route inside 10.255.255.0 255.255.255.0 10.2.255.17 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server CA-Kerberos protocol kerberos
aaa-server CA-Kerberos (inside) host 10.2.9.24
 kerberos-realm CORP.PRI
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 4431
http 192.168.1.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 outside
http redirect inside 80
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair 4151
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 enrollment terminal
 subject-name CN=vpn.corp.com
 keypair ASA_PKC_One
 crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
telnet timeout 15
ssh 10.2.0.0 255.255.0.0 inside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access outside
dhcpd address 192.168.1.2-192.168.1.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.2.9.23 source outside
ssl encryption aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint4 management
ssl trust-point ASDM_TrustPoint4 outside
ssl trust-point ASDM_TrustPoint4 inside
webvpn
 enable outside
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.04063-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 smart-tunnel list TerminalServer Terminal mstsc.exe platform windows
group-policy DfltGrpPolicy attributes
 dns-server value 10.2.9.23
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value corp.com
 webvpn
  customization value DfltCustomization
group-policy CA-SSLVPN-TEST internal
group-policy CA-SSLVPN-TEST attributes
 wins-server none
 dns-server value 10.2.9.23
 vpn-tunnel-protocol ssl-client
 default-domain value corp.com
group-policy CA-CLIENTLESS-TEST internal
group-policy CA-CLIENTLESS-TEST attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value Contractors
  smart-tunnel enable TerminalServer
username ssluser password nS2GfPhvrmh.I/qL encrypted
username ssluser attributes
 vpn-group-policy CA-SSLVPN-TEST
 vpn-tunnel-protocol ssl-client
 group-lock value AnySSLVPN-TEST
 service-type remote-access
username admin password f4JufzEgsqDt05cH encrypted privilege 15
username cluser password 3mAXWbcK2ZdaFXHb encrypted
username cluser attributes
 vpn-group-policy CA-CLIENTLESS-TEST
 vpn-tunnel-protocol ssl-clientless
 group-lock value OLY-Clientless
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group CA-Kerberos LOCAL
tunnel-group DefaultRAGroup webvpn-attributes
 customization CA-ClientLess-portal
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool sslvpn-ip-pool
 authentication-server-group CA-Kerberos LOCAL
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization CA-ClientLess-portal
tunnel-group AnySSLVPN-TEST type remote-access
tunnel-group AnySSLVPN-TEST general-attributes
 address-pool sslvpn-ip-pool
 authentication-server-group CA-Kerberos
 default-group-policy CA-SSLVPN-TEST
tunnel-group AnySSLVPN-TEST webvpn-attributes
 customization OLY-portal
 group-alias AnySSLVPN-TEST disable
 group-alias AnySSLVPN-TEST-aliases disable
 group-alias OLY-SSLVPN disable
 group-alias SSLVPN enable
tunnel-group OLY-Clientless type remote-access
tunnel-group OLY-Clientless general-attributes
 authentication-server-group CA-Kerberos
 default-group-policy CA-CLIENTLESS-TEST
tunnel-group OLY-Clientless webvpn-attributes
 customization CA-ClientLess-portal
 nbns-server 10.2.9.23 master timeout 2 retry 2
 group-alias Clientless enable
 group-alias cl disable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 3
  subscribe-to-alert-group configuration periodic monthly 3
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ceea6b06a18781a23e6b5dde6b591704
: end
Hello
I'm glad to hear it works.
Please do not forget to mark a reply as the correct answer or rate useful answers.
- Jouni
-
RVL200 - SSL VPN and firewall rules
Forgive my ignorance, but I have been immersed in the configuration of this RVL200 device to allow SSL VPN remote access to a customer site, sight unseen. I have the basics of the VPN set up in the config, but now I am moving on to the firewall rules. We want to block all internal devices from accessing the Internet, but I don't want to cripple the remote clients by blocking their return traffic via the SSL VPN. This leads to my questions:
(1) Will a blanket DENY rule for all OUTBOUND traffic prevent the primary function of the VPN (to allow remote administration of machines on the local network)?
(2) If the answer to #1 is 'Yes', what ports/services do I need to open on the LAN side?
(3) Building on #2, can the permitted outbound rules be applied only to VPN clients, rather than to all the hosts on the LAN?
(4) As the default INBOUND traffic rule is to DENY EVERYTHING, do I have to create a rule to allow the VPN tunnel, or is that assumed in the configuration of the router?
Here are some other details:
- The LAN behind the RVL200 is an isolated LAN in a manufacturing environment.
- All hosts on this network have a static IP address on a single subnet.
- The RVL200 has been configured with a static, public IP on the WAN/INTERNET side.
- DHCP has been disabled on the RVL200.
- Authentication to the device will use a local database.
- There is no DNS server on the local network.
- The device upstream of the RVL200 is a DSL modem using PPPoE, and the device has been configured for this setting.
- Several local user database accounts were created to facilitate the SSL VPN access.
I have worked with other aspects of this for a long time, but I have limited experience with VPNs and the associated firewall rules, and none with this family of devices. Any help will be greatly appreciated.
aponikikay, there is no port forwarding necessary for the SSL-VPN function of the RVL200.
Re 1. That is not tested. It shouldn't. The router should automatically make sure that the SSL-VPN router service is functional and accessible.
Re 2. No forwarding necessary. Also, never forward TCP/UDP port 47 or 50 for VPN functions. TCP port 1723 is used for PPTP. UDP 500 is used for ISAKMP. You usually also have to forward TCP/UDP port 4500 for IPSec encapsulation.
Let's take port 47. GRE is an IP protocol that is used for VPNs. It is not a TCP or UDP protocol. GRE has IP protocol number 47. It has nothing to do with TCP or UDP port 47. TCP and UDP are completely different protocols from GRE.
The same goes for 50: ESP is the payload for IPSec tunnels. ESP is IP protocol 50. It has nothing to do with TCP or UDP port 50.
'Forwarding' of GRE is configured with the PPTP passthrough option.
'Forwarding' of ESP is configured with the IPSec passthrough option.
-
SSL VPN - ASA - Active Directory LDAP
Hello
Scenario: ASA 8.0(3) running SSL VPN for remote users. LDAP also authenticates administrative login access to the ASA.
For some reason (we had a power failure, but the problem may have other causes as well), I cannot log in to the ASA, as my login ID does not work, and remote users get a connection error when trying to authenticate via the SSL VPN web GUI.
I have rebooted the ASA and AD without any change in the situation. This service worked very well before and the problem happened suddenly. No one has made any changes to the configs. The customer does not have a backup configuration. Any suggestion on what would be the best next action to solve this problem? I'm not an expert on the Microsoft LDAP configuration, and if anyone knows where I can check in Microsoft Windows Server 2003 for a possible LDAP problem, that would be greatly appreciated.
Thank you
rdianat
The LDAP bind account is just a normal user account. It does not even need administrative permissions. If you want to use LDAP for password changes it needs password change permissions, but otherwise it is just a normal user account - make sure it cannot be locked out in AD, that the password never expires, none of those things. You will see the name of the LDAP account in the config of the ASA:
ldap-login-password *
ldap-login-dn *
-
Change the prompt 'Password required' SSL VPN
Does anyone know how to change the 'Password required' prompt of the SSL VPN? If it is editable via ASDM, I can't find it! I've been all over Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Customization, but cannot find where this particular piece of text is changed. The problem is that the existing text doesn't accurately reflect my organization's password policy.
See the attached image file for the exact section of text I would like to change.
Thank you
Ben Posner
Hi Ben,
ASDM > Configuration > Remote Access VPN > Language Localization
Expand templates --> select webvpn --> export --> save the file
Now find the msgid you want to edit and write your own string under msgstr as follows:
#: Mummy.c:5758
#, c-format
msgid "Your password expires in %s day(s); if you want to change it now, enter a new password with minimum length %s."
msgstr "insert your string here."
Now import it on the same ASDM page (Language: en, Translation: webvpn).
You should now see your custom string.
Ivan
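The export Ivan describes is a gettext-style PO table: each prompt is a `msgid` whose `msgstr` is empty until you fill it in. The helper below is an added example, not Ivan's or Cisco's code; it rewrites the `msgstr` of a chosen `msgid` in such a table and leaves everything else byte-for-byte intact, so the re-import only changes the one prompt. It assumes single-line `msgid`/`msgstr` pairs (the common case in these exports) and works on a constructed excerpt whose msgids are invented stand-ins, not the ASA's real strings.

```python
import re

# Constructed excerpt of an exported WebVPN translation table (PO format).
# The msgids are invented stand-ins, not strings taken from an ASA export.
SAMPLE_PO = '''msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\\n"

#: sample.c:123
msgid "Password Required"
msgstr ""

#: sample.c:456
#, c-format
msgid "Your password expires in %s day(s)."
msgstr ""
'''

# One single-line msgid/msgstr pair. The header entry (msgid "") matches
# too, so set_translation refuses to touch it.
ENTRY_RE = re.compile(
    r'^(msgid "(?P<id>(?:[^"\\]|\\.)*)"\nmsgstr ")(?P<str>(?:[^"\\]|\\.)*)"$',
    re.M,
)


def po_escape(text):
    """Escape a Python string for use inside a PO quoted string."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def po_unescape(text):
    """Undo po_escape: \\n becomes a newline, any other \\x becomes x."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), text)


def get_translations(po_text):
    """Map every single-line msgid in the table to its current msgstr."""
    return {po_unescape(m.group("id")): po_unescape(m.group("str"))
            for m in ENTRY_RE.finditer(po_text)}


def set_translation(po_text, msgid, new_msgstr):
    """Return po_text with the msgstr of `msgid` replaced.

    Raises KeyError if the msgid is not in the table (so a typo in the
    prompt text is caught before import) and ValueError for the header."""
    if msgid == "":
        raise ValueError("refusing to overwrite the PO header entry")
    wanted = po_escape(msgid)
    hits = 0

    def repl(m):
        nonlocal hits
        if m.group("id") != wanted:
            return m.group(0)
        hits += 1
        return m.group(1) + po_escape(new_msgstr) + '"'

    out = ENTRY_RE.sub(repl, po_text)
    if hits == 0:
        raise KeyError(msgid)
    return out


if __name__ == "__main__":
    updated = set_translation(SAMPLE_PO, "Password Required",
                              "Enter your corporate password (12 or more characters).")
    print(updated)
```

Keep `%s` placeholders in any msgstr you write for a `c-format` entry; the ASA substitutes values into them at runtime, and dropping or reordering them is the usual cause of a prompt that renders incorrectly after import.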
-
SSL VPN html-content-filter images
Hello
I'm trying to do content filtering via SSL VPN (clientless) on an ASA 5505.
The html-content-filter command below is supposed to block anything with the HTML img tag, but it seems not to.
# sh run group-policy
group-policy clientless-grp-policy internal
group-policy clientless-grp-policy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelall
 webvpn
  url-list value bookmark
  html-content-filter java images cookies
  svc ask enable default webvpn
# sh run tunnel-group
tunnel-group clientless-tunnel type remote-access
tunnel-group clientless-tunnel general-attributes
 default-group-policy clientless-grp-policy
tunnel-group clientless-tunnel webvpn-attributes
 group-alias clientless-alias enable
What am I missing here? Or have I just misunderstood how it works?
Thank you!
Hello
Is it working for you now?
Thank you.
Portu.
-
AnyConnect SSL VPN Split tunneling problem
Hello
We have home users that VPN in on a regular basis, but when they VPN in they cannot print locally or connect to local resources. Is there a way to enable split tunneling for all remote VPN users? It is not possible to add all the remote subnets, especially since I don't know which subnets are used, and it would be a management burden. I noticed that when I connect from home a new route is added to my PC, which prefers the VPN link.
I noticed that one of the options in the AnyConnect client is 'Enable local LAN access (if configured)'. Can I use that?
Thanks in advance.
Hello
As I understand it, you need to reach your local printers while you are connected to the ASA via SSL VPN.
You can do this by creating a split-tunnel exclude policy on the ASA together with the local LAN access option on the client, or you can use an AnyConnect profile allowing local LAN access.
Please find the link below:
I hope it helps.
Thank you
Shilpa
-
Not sure if it's possible on an ASA 5550, but can a client establish an SSL VPN to the remote network and let devices on the local network access printers on the remote network?
So you have a client on network A that creates an SSL VPN to network B; is network B configurable so that the workstations automatically meet the same SSL VPN at a different IP address?
I don't know if it's just me, but I don't understand what you mean by this:
so you have a client on network A that creates an SSL VPN to network B; is network B configurable so that the workstations automatically meet the same SSL VPN at a different IP address?
Can you try to explain it once more?
For now I think you are saying the following; please look at this:
HQ - ASA - INTERNET - office2
Now office2 establishes a clientless SSL VPN to the ASA, and subsequently you want HQ to be able to communicate with certain printers or servers at office2 via the clientless SSL VPN. If that's the question, the answer is no. Clientless SSL VPN will only allow traffic to go from office2 to HQ, and not all traffic; this will depend on what you configure the clientless SSL VPN to allow (smart tunnels, port forwarding, plugins).
Once again, I don't know if that is the question.
Kind regards
Julio
Rate all useful posts
-
Hey guys,
I'm working on a solution. I have a home office where my data center is, while my DR site is my plant with nearly 20 users. I have a third location, which is a branch office with only 2 people.
I intend to deploy a site-to-site VPN between the data center and the DR site, while the branch can connect via SSL VPN. Please confirm whether this solution is viable or not, or whether I should go site-to-site for the branch office too.
Thank you
If we knew more about your environment we might be able to give more complete answers. But based on what you've described, I believe that a site-to-site VPN between the data center and the disaster recovery site, and remote-access VPN for the branch, is an appropriate solution.
HTH
Rick
-
SSL-VPN cannot connect - Windows 10
Hello
Our office has a SonicWall TZ105 with the most recent firmware, and now with Windows 10 we are unable to connect via SSL-VPN. The user name and password are correct, and I can connect with the Android app. But in Windows 10, I have tried the MobileConnect app, the most recent NetExtender from mysonicwall, used the terminal to create the VPN connection, and just manually made a VPN connection, and nothing works.
The President of our company just got a new laptop with Windows 10 on it, and I'm hitting a wall everywhere, but I need to get it connected to our office.
Other VPN connections to other VPN servers work on this laptop, but not to our office. It used to work with the same router settings on Windows 7.
Each different connection attempt gives a different error. The strangest to me is "the specified port is already open." But there is no other connection on that port, and I am still able to connect using my phone.
Any ideas? Thanks in advance!
I was able to solve the problem using NetExtender version 7.0.203, downloaded from mysonicwall.com. It was the only version (going back to 5.0.?) that could successfully connect to our TZ105 from a Win10 laptop with all updates.
I hope this helps someone else; I was pretty close to pulling my hair out...