New Install anyclient VPN on ASA5510 can't connect.

Unanswered Question
May 3rd, 2012

Hello all

We have a new install of an ASA5510.  So far everything is working fine except the VPN.

We went through the SSL VPN wizzard in ASDM and answered all questions.

Now when we try to open a VPN connection to the ASA using the URL https://asa_ip_address  we first get a "There is a problem with this website's security certificate" message. 

When we click Continue to this website (not recommended) we get a "403-Forbidden: Access is Denied" message indicating that the credentials are invalid.  We never even got to the logon screen so we don't even know what credentials it is talking about.

Any ideas?  Do you need the config posted?

Thanks

Ed

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
smsbconsulting Fri, 05/04/2012 - 05:07

OK... I will be in the office later this afternoon and I will post the config.  (I'm in the Eastern time zone)

Thank you

smsbconsulting Fri, 05/04/2012 - 11:31

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name smsbconsulting
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxx.xxxxx encrypted
names
name 96.56.xxx.xxx Gateway description Default gateway
!
interface Ethernet0/0
description Static IP external interface
nameif Internet
security-level 0
ip address 96.56.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif Internal
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Internal
dns server-group DefaultDNS
name-server 10.1.1.2
domain-name smsbconsulting
same-security-traffic permit intra-interface
object-group network inside-net
object-group service Remote_Control
description Remote administration
service-object tcp eq 987
access-list Internal_access_out remark Outgoing
access-list Internal_access_out extended permit ip any any
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq smtp
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq telnet
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq https
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq www
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq 987
access-list Internet_access_in remark VPN
access-list Internet_access_in extended permit gre any host 96.56.xxx.xxx
access-list Internet_access_in remark VPN ptptp port
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq pptp
access-list Internet_access_in remark Allow PC Anywhere to connect.
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq pcanywhere-data
access-list Internet_access_in remark Allow PC Anywhere status
access-list Internet_access_in extended permit udp any host 96.56.xxx.xxx eq pcanywhere-status
access-list Internet_access_in remark FTP access to SMSB FTP server address 10.1.1.3
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq ftp
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq ftp-data
access-list Internal_nat0_outbound extended permit ip host 10.1.1.2 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Internet 1500
mtu Internal 1500
mtu management 1500
ip local pool Clientless_VPN_Address_Pool 10.1.1.100-10.1.1.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Internet) 101 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 101 0.0.0.0 0.0.0.0
static (Internal,Internet) tcp interface smtp 10.1.1.14 smtp netmask 255.255.255.255
static (Internal,Internet) tcp interface telnet 10.1.1.2 telnet netmask 255.255.255.255
static (Internal,Internet) tcp interface www 10.1.1.2 www netmask 255.255.255.255
static (Internal,Internet) tcp interface https 10.1.1.2 https netmask 255.255.255.255
static (Internal,Internet) tcp interface pcanywhere-data 10.1.1.80 pcanywhere-data netmask 255.255.255.255
static (Internal,Internet) udp interface pcanywhere-status 10.1.1.80 pcanywhere-status netmask 255.255.255.255
static (Internal,Internet) tcp interface ftp 10.1.1.3 ftp netmask 255.255.255.255
static (Internal,Internet) tcp interface ftp-data 10.1.1.3 ftp-data netmask 255.255.255.255
access-group Internet_access_in in interface Internet
access-group Internal_access_out in interface Internal
route Internet 0.0.0.0 0.0.0.0 Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 Internal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.5-10.1.1.199 Internal
dhcpd dns 167.206.254.2 167.206.254.1 interface Internal
dhcpd domain smsbconsulting.local interface Internal
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Internet
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
  url-list value List_A
group-policy VPN_Group internal
group-policy VPN_Group attributes
vpn-tunnel-protocol webvpn
webvpn
  url-list value List_A
group-policy VPN_policy_Group internal
group-policy VPN_policy_Group attributes
vpn-tunnel-protocol svc webvpn
webvpn
  svc dtls enable
  svc mtu 1406
username xxxxx password xxxxxxxxxxxx encrypted privilege 15
username xxxxx attributes
vpn-group-policy DfltGrpPolicy
vpn-tunnel-protocol svc
webvpn
  svc ask enable default svc timeout 30
username cisco password xxxxxxxxxxxx encrypted privilege 15
tunnel-group First_VPN_Connection type remote-access
tunnel-group PTPVPN type remote-access
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
default-group-policy VPN_Group
tunnel-group Clientless_VPN type remote-access
tunnel-group Clientless_VPN general-attributes
address-pool Clientless_VPN_Address_Pool
default-group-policy VPN_policy_Group
tunnel-group Clientless_VPN webvpn-attributes
group-alias Conection_Group enable
group-url https://96.56.xxx.xxx/Conection_Group enable
tunnel-group SMSB_VPN type remote-access
tunnel-group SMSB_VPN general-attributes
address-pool Clientless_VPN_Address_Pool
tunnel-group SMSB_VPN webvpn-attributes
group-alias https://96.56.xxx.xxx enable
group-url https://96.56.xxx.xxx/https://96.56.xxx.xxx enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:463a28bc75562411ef403da1bc02dca0
: end

hobbe Tue, 05/08/2012 - 12:03

Hi

This is not realy my forté BUT

you are pointing a web client to start a webvpn client ?

My first thought was that the first problem was because of the certificate beeing selfsigned.

that will give that error since the browser does not know if it can trust the certificate or not.

but that should only account for the first part of the problem.

However I just sweeped through the config you have posted and there is one thing I think will cause problems.

you are having a static of the interface with https. ie the same port as the webvpn.

I doubt that that works just fine.

to change the webvpn port

conf t

webvpn

port 4443

now it will use port 4443 instead.

good luck

HTH

smsbconsulting Tue, 05/08/2012 - 15:44

Thank you for your reply.

At the risk of sounding like a compete novice... (which I am)  I am using the tools/command line interface from ASDM version 6.4(5)

When I enter the commands in multiple line mode and then select "send" I get the following:

Result of the command : "config t"

The command has been sent to the device.

Result of the command: "webvpn"

The command has been sent to the device.

Result of the command: "port 4443"

Error: Port changes cannot be made while WebVPN is enabled. blah blah blah

Also... no changes I make via the command line ever stick.  I realize I'm not saving them but I don't know how to save them.

Also... Every tutorial I see gives a command prompt that appears to grow as you get further into the commands.  For example:  #Config t

then #webvpn

then and so on.  The prompt grows larger with each successive command (always preceded with a #) .

I don't get anything like that... no prompt and no #.  The only indication I get that I did anything is the message that says Result of command xxx  The command has been sent to the device.

As you can see... I have no clue how to use the CLI and I could use very detailed help.

Thanks

Ed

hobbe Wed, 05/09/2012 - 00:00

Hi

Its totally ok to be novice and fiddle around with tings.

BUT if this is a company firewall and not your own I must strongely advice you to go to a local cisco rep and ask them for advice on who to contact to help you with setting up your firewall.

Why ?

Well you have no clue of what you are doing (no disrespect) and that in itself puts the company at risk.

and we can not help you properly with that.

This is a public forum and even though most of us here are willing to donate time and experience and will give you answers to the best of our abilities there are limitations on how much you can discuss without breaching your security to everyone.

and some of those things are best discussed under the cloac of secrecy.

So my advice would be

1) talk to cisco rep

2) buy a 5505 to fiddle with so you can learn why things are done they way its done

3) educate yourself with courses/books/this forum, and so on

Now to your questions just incase you are just fiddeling around with your own unit.

Connect to the cli (sinceyou state that you know how we will skip that part).

to save a config you write

write mem

OR

copy running-config startup-config

When it comes to the issue that the commands grow longer. actually most of them do not.

but here is a way to visualise how things are done

You have compartments.

the interface gigabitethernet0/0 fx is one compartment

in that compartment you put all the information you need for that single compartent

in this case that would be things like

ip address

subnet mask

interface name

security level.

speed and duplex

and so on

same with webvpn

its a compartment holding all the information on the webvpn that is specific for the webvpn.

if you do a command

Show running-config all (or sh ru all for short)

you will get a lot more information than just sh run

also sh ru ? will give you most of the possible arguments you can do, and there you will se fx webvpn. (the compartment)

There are problems with using the ASDM

The ASDM I am sad to say is not to be trusted.

Sometimes it just outright lie to you.

and if you do use the wizzards they sometimes do not put all things where they are supposed to be or misses things.

so the ASDM is not foolproof in any way but it is nice graphics and the logging can be helpful.

so it helps you out in the beginning but when you get more advanced it bites you in the....

Good luck

Hope This Helps

smsbconsulting Wed, 05/09/2012 - 09:35

Thanks for your reply.

I contacted customer support... they asked for a copy of the config and I sent it.

I'm waiting for them to get back to me.  No joy so far.

bTw... yes, this is a company firewall and yes I'm the one who set it up originally with a lot of help from this forum.  I had some difficulty at first but since then I've always managed to get it to do what I wanted it to do.  That is, until it came to setting up the VPN.  The road map is pretty poor and not at all clear relative to what is needed for which type of VPN.

I found the spot in the GUI where you change the port but it won't let me change it until I disable the webvpn.  I can't find anyplace in the GUI where I can disable webvpn so now I'm in wait mode for customer support to contact me.

Thanks again for your help... I'll let you know what customer support has to say.

Ed

bTw... I have the running config backed up in several places.    

smsbconsulting Wed, 05/09/2012 - 13:56

Success!

Customer support never got back to me but by using the information you supplied I was able to fix the problem.  As you had correctly assessed earlier, port 443 was assigned to both remote administration and remote VPN.  Once I learned how to disable webvpn I was able to reassign webvpn to a different port.  After the port was reassigned the VPN connection on the ASA 5510 worked perfectly.

Thank you so much for your excellent advice... on all issues.

Now for my next problem....

Clients inside the network are unable to connect to an outside VPN server that we sometimes use.  This is not related  to the problem we just fixed... this is a separate issue.  We know that the clients connection requests are getting to the outside VPN server because we have the ability to monitor it and we see the connection attempt but the responses coming back from the outside VPN server are being blocked by the ASA.  I believe I created all the correct access-list entries.  Any ideas as to what could be blocking inbound protocol 47 in the ASA?

Ed

Actions

Login or Register to take actions

This Discussion

Posted May 3, 2012 at 1:47 PM
Stats:
Replies:10 Avg. Rating:
Views:1397 Votes:0
Shares:0
Categories: ASA
+

Related Content

Discussions Leaderboard