I have a Cisco ASA5505 installed. config is below:
pb-gw2# sh run
ASA Version 8.0(2)
enable password mjgSKfuQzL4x1LLu encrypted
ip address 192.168.10.5 255.255.255.0
ip address 126.96.36.199 255.255.255.248
switchport access vlan 2
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 188.8.131.52 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
username admin password RS6hkLNrh/9fCzGC encrypted privilege 15
prompt hostname context
We are establishing a connection with Cisco VPN Client ver. 5.0.07.0290 to the external VPN Host 184.108.40.206. Connection is established successfully, then we try to open link https://x.x.x.x:7777/accr. This is the link to the system where you are authenticated with a certificate already installed i personal certificate store. Certificate is valid.
Thing is, that if we are trying to do this while behind the ASA - internet explorer displays his favourite "Internet Explorer cannot display the webpage".
If we connect the laptop directly to the internet with public ip address - everything works fine. As I undesrtand the problem is localized - something is missing from ASA configuration. The question is - what?
Will appreciate any help.
Thanks a lot in advance.
OK, I understand what the problem is now.
There is nothing wrong with the ASA 5505. However, because ASA is only doing PAT, then you would need NAT-T to be enabled on the VPN device (220.127.116.11), so the VPN traffic (ESP) is encapsulated into UDP or TCP.
Alternatively, if you have spare public ip address, you can also configure static NAT for the PC where you have the vpn client (192.168.10.83) as follows:
static (inside,outside) 81.21.95.x 192.168.10.83 netmask 255.255.255.255
"x" would be a spare public ip address that you have. Then "clear xlate" after the changes.
If you don't have a spare public IP address, then you would need to ask the remote VPN device to enable NAT-T.