03-19-2009 03:30 PM - edited 02-21-2020 04:11 PM
I'm trying to configure clients to access company-wide network files via WebVPN and CIFS through a central ASA 5520 in the main location. However, even though the branch offices are connected via site-to-site VPNs, only the directly connected network can be accessed via CIFS. When accessing remote servers, I get an error message "error contacting host". I enabled same security intra-interface. I was just wondering if there is a limitation in ASA 8 code. I did this successfully with PIX firewalls and a central VPN 3005 concentrator. Any advice would be greatly appreciated.
03-23-2009 04:01 AM
Hi
Can you please describe the network setup? As far as I understand it, there is a central site with an ASA 5520. Branches are connected to the ASA via site-to-site IPsec VPNs.
There are users from the internet who are using clientless SSL VPN to access the CIFS servers.
Where are these servers hosted? Are they hosted on the central site behind the ASA or in the remote branches?
Let me know.
Regards
sushil
03-23-2009 06:41 PM
Thanks for the reply Sushil.
There is a central ASA and there are branches connected via site-to-site IPsec VPNs.
There are servers in the central site and all remote branches as well.
Users are required to log in to the central site via clientless SSL VPN and browse servers in all sites.
Now, only servers at the central site are accessible even though the NetBIOS master browser is correctly configured.
I'm wondering if the mechanics behind WebVPN do not check internal crypto maps or access lists.
Rgds,
Mark
03-25-2009 11:55 PM
Hi Mark,
Remember, in clientless SSL VPN there is no IP given to the end users. In clientless SSL VPN the client request is sent to the ASA, which relays the traffic to the internal resource, like your Windows servers using CIFS. Here, on the servers, the source IP would be seen as the internal IP address of the ASA initiating the connection.
So you want these users to access the servers which are located on the remote sites, which are connected over IPsec VPNs.
So now, when you are trying to access the servers in the remote site, the traffic comes to the ASA and then the ASA tries to initiate the connection to the remote servers. The source IP address will be that of the ASA and not of the end users, so your crypto maps will not match this traffic.
One way of addressing this is using the SSL VPN client.
I hope this helps.
Regards
Sushil
03-25-2009 11:43 AM
Double check your ASA version for known CIFS bugs. I was running 8.0.4 with a WebVPN portal for CIFS access, and after a certain amount of time had elapsed (30 days?) I'd get this error. A reboot fixes it temporarily, but an update to 8.0.4(16) fixes it permanently.
FWIW, I have about 15 5510s running that flavor with no issues.
Please double-check the release notes first, though.
03-26-2009 02:51 AM
Hello
Can you tell me where I can download this version? I only have version 8.0(4)19 and the official 8.0(4), but not 8.0.4(16). Version 8.0(4)19 is not functional!