Clientless SSL VPN and remote branch browsing via CIFS

Unanswered Question
Mar 19th, 2009
User Badges:

I'm trying to configure clients to access company wide network files via WebVPN and CIFS through a central ASA 5520 in the main location. However, even though the branch offices are connected via site to site vpn's, only the directly connected network can be accessed via CIFS. When accesing remote servers, I get an error message "error contacting host". I enabled same security intra-interface. I was just wondering if there is a limitation in ASA 8 code. I did this successfully with PIX firewalls and a central VPN 3005 concentrator. Any advice would be greatly appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Loading.
sushilmenon Mon, 03/23/2009 - 04:01
User Badges:

Hi


can u please tell the network setup. as far as i get it. there is central site with asa 5520. branches are connected to the asa via site to site ipsec vpns.


there are users from the internet who are using clientless ssl vpn to access the cifs servers.


where are these servers hosted are they hosted on the central site behind the asa or in the remote branches .


let me know.


Regards


sushil

m.martinovic Mon, 03/23/2009 - 18:41
User Badges:

Thanks for the reply Sushil.


There is a central asa and there are branches connected via site to site ipsec vpns.


There are servers in the central site and all remote branches as well.


Users are required to login to the central site via clientless ssl vpn and browse servers in all sites.


Now, only servers at the central site are accessible even though the netbios master browser is correctly configured.


I'm wondering is the mechanics behind webvpn do not check internal crypo maps or access lists.


Rgds,

Mark

sushilmenon Wed, 03/25/2009 - 23:55
User Badges:

Hi mark,


remember in clientless ssl vpn there is no ip given to the end users. if u know in clientless ssl vpn the client request is sent to the asa who relays the traffic to the internal resource like ur win servers using cifs.here on the servers the source ip would be seen as the internal ip address of the asa initiating the connection.


so u want these users to access the servers wich are located on the remote site which are connected over ipsec vpns.


so now when u are trying to access the servers in the remote site the traffic comes till the asa and then the asa tries to initate the connection to the remote servers. the source ip address will be of the asa and not of the end users. so ur crypto-maps will not match this traffic.


one way of addressing this is using ssl vpn client.


i hope this helps.


Regards


Sushil

clausonna Wed, 03/25/2009 - 11:43
User Badges:
  • Bronze, 100 points or more

Double check your ASA version for known CIFS bugs. I was running 8.0.4 with a WebVPN portal for CIFS access, and after a certain amount of time had elapsed (30 days?) I'd get this error. A reboot fixes it temporarily, but an update to 8.0.4(16) fixes it permanently.


FWIW, I have about 15 5510's running that flavor with no issues.


Please double-check the Releases notes first, though.

christianschorr Thu, 03/26/2009 - 02:51
User Badges:

Hello

can you tell me where I can download this version. Only I have the version 8.0(4)19 and the offical 8.0(4) but not the 8.0.4(16). The version 8.0(4)19 is not functional!

Actions

This Discussion