05-03-2012 01:47 PM
Hello all
We have a new install of an ASA5510. So far everything is working fine except the VPN.
We went through the SSL VPN wizard in ASDM and answered all questions.
Now when we try to open a VPN connection to the ASA using the URL https://asa_ip_address we first get a "There is a problem with this website's security certificate" message.
When we click Continue to this website (not recommended) we get a "403-Forbidden: Access is Denied" message indicating that the credentials are invalid. We never even got to the logon screen so we don't even know what credentials it is talking about.
Any ideas? Do you need the config posted?
Thanks
Ed
05-04-2012 01:40 AM
Hello Edward,
Yes please post the config.
AMatahen
05-04-2012 05:07 AM
OK... I will be in the office later this afternoon and I will post the config. (I'm in the Eastern time zone)
Thank you
05-04-2012 11:31 AM
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name smsbconsulting
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxx.xxxxx encrypted
names
name 96.56.xxx.xxx Gateway description Default gateway
!
interface Ethernet0/0
description Static IP external interface
nameif Internet
security-level 0
ip address 96.56.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif Internal
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Internal
dns server-group DefaultDNS
name-server 10.1.1.2
domain-name smsbconsulting
same-security-traffic permit intra-interface
object-group network inside-net
object-group service Remote_Control
description Remote administration
service-object tcp eq 987
access-list Internal_access_out remark Outgoing
access-list Internal_access_out extended permit ip any any
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq smtp
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq telnet
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq https
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq www
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq 987
access-list Internet_access_in remark VPN
access-list Internet_access_in extended permit gre any host 96.56.xxx.xxx
access-list Internet_access_in remark VPN ptptp port
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq pptp
access-list Internet_access_in remark Allow PC Anywhere to connect.
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq pcanywhere-data
access-list Internet_access_in remark Allow PC Anywhere status
access-list Internet_access_in extended permit udp any host 96.56.xxx.xxx eq pcanywhere-status
access-list Internet_access_in remark FTP access to SMSB FTP server address 10.1.1.3
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq ftp
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq ftp-data
access-list Internal_nat0_outbound extended permit ip host 10.1.1.2 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Internet 1500
mtu Internal 1500
mtu management 1500
ip local pool Clientless_VPN_Address_Pool 10.1.1.100-10.1.1.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Internet) 101 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 101 0.0.0.0 0.0.0.0
static (Internal,Internet) tcp interface smtp 10.1.1.14 smtp netmask 255.255.255.255
static (Internal,Internet) tcp interface telnet 10.1.1.2 telnet netmask 255.255.255.255
static (Internal,Internet) tcp interface www 10.1.1.2 www netmask 255.255.255.255
static (Internal,Internet) tcp interface https 10.1.1.2 https netmask 255.255.255.255
static (Internal,Internet) tcp interface pcanywhere-data 10.1.1.80 pcanywhere-data netmask 255.255.255.255
static (Internal,Internet) udp interface pcanywhere-status 10.1.1.80 pcanywhere-status netmask 255.255.255.255
static (Internal,Internet) tcp interface ftp 10.1.1.3 ftp netmask 255.255.255.255
static (Internal,Internet) tcp interface ftp-data 10.1.1.3 ftp-data netmask 255.255.255.255
access-group Internet_access_in in interface Internet
access-group Internal_access_out in interface Internal
route Internet 0.0.0.0 0.0.0.0 Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 Internal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.5-10.1.1.199 Internal
dhcpd dns 167.206.254.2 167.206.254.1 interface Internal
dhcpd domain smsbconsulting.local interface Internal
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Internet
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
url-list value List_A
group-policy VPN_Group internal
group-policy VPN_Group attributes
vpn-tunnel-protocol webvpn
webvpn
url-list value List_A
group-policy VPN_policy_Group internal
group-policy VPN_policy_Group attributes
vpn-tunnel-protocol svc webvpn
webvpn
svc dtls enable
svc mtu 1406
username xxxxx password xxxxxxxxxxxx encrypted privilege 15
username xxxxx attributes
vpn-group-policy DfltGrpPolicy
vpn-tunnel-protocol svc
webvpn
svc ask enable default svc timeout 30
username cisco password xxxxxxxxxxxx encrypted privilege 15
tunnel-group First_VPN_Connection type remote-access
tunnel-group PTPVPN type remote-access
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
default-group-policy VPN_Group
tunnel-group Clientless_VPN type remote-access
tunnel-group Clientless_VPN general-attributes
address-pool Clientless_VPN_Address_Pool
default-group-policy VPN_policy_Group
tunnel-group Clientless_VPN webvpn-attributes
group-alias Conection_Group enable
group-url https://96.56.xxx.xxx/Conection_Group enable
tunnel-group SMSB_VPN type remote-access
tunnel-group SMSB_VPN general-attributes
address-pool Clientless_VPN_Address_Pool
tunnel-group SMSB_VPN webvpn-attributes
group-alias https://96.56.xxx.xxx enable
group-url https://96.56.xxx.xxx/https://96.56.xxx.xxx enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:463a28bc75562411ef403da1bc02dca0
: end
05-07-2012 03:26 PM
Somebody must know.
05-08-2012 11:34 AM
Anybody?
05-08-2012 12:03 PM
Hi
This is not really my forté BUT
you are pointing a web client to start a webvpn client?
My first thought was that the first problem was because of the certificate being self-signed.
That will give that error since the browser does not know if it can trust the certificate or not.
But that should only account for the first part of the problem.
However I just swept through the config you have posted and there is one thing I think will cause problems.
You have a static on the interface with https, i.e. the same port as the webvpn.
I doubt that that works just fine.
to change the webvpn port
conf t
webvpn
port 4443
now it will use port 4443 instead.
good luck
HTH
05-08-2012 03:44 PM
Thank you for your reply.
At the risk of sounding like a complete novice... (which I am) I am using the tools/command line interface from ASDM version 6.4(5)
When I enter the commands in multiple line mode and then select "send" I get the following:
Result of the command : "config t"
The command has been sent to the device.
Result of the command: "webvpn"
The command has been sent to the device.
Result of the command: "port 4443"
Error: Port changes cannot be made while WebVPN is enabled. blah blah blah
Also... no changes I make via the command line ever stick. I realize I'm not saving them but I don't know how to save them.
Also... Every tutorial I see gives a command prompt that appears to grow as you get further into the commands. For example:
then
then
I don't get anything like that... no prompt and no #. The only indication I get that I did anything is the message that says Result of command xxx The command has been sent to the device.
As you can see... I have no clue how to use the CLI and I could use very detailed help.
Thanks
Ed
05-09-2012 12:00 AM
Hi
It's totally ok to be a novice and fiddle around with things.
BUT if this is a company firewall and not your own I must strongly advise you to go to a local cisco rep and ask them for advice on who to contact to help you with setting up your firewall.
Why ?
Well you have no clue of what you are doing (no disrespect) and that in itself puts the company at risk.
and we can not help you properly with that.
This is a public forum and even though most of us here are willing to donate time and experience and will give you answers to the best of our abilities there are limitations on how much you can discuss without breaching your security to everyone.
and some of those things are best discussed under the cloak of secrecy.
So my advice would be
1) talk to cisco rep
2) buy a 5505 to fiddle with so you can learn why things are done the way it's done
3) educate yourself with courses/books/this forum, and so on
Now to your questions just in case you are just fiddling around with your own unit.
Connect to the cli (since you state that you know how we will skip that part).
to save a config you write
write mem
OR
copy running-config startup-config
When it comes to the issue that the commands grow longer. actually most of them do not.
but here is a way to visualise how things are done
You have compartments.
the interface gigabitethernet0/0, e.g., is one compartment
in that compartment you put all the information you need for that single compartment
in this case that would be things like
ip address
subnet mask
interface name
security level.
speed and duplex
and so on
same with webvpn
its a compartment holding all the information on the webvpn that is specific for the webvpn.
if you do a command
Show running-config all (or sh ru all for short)
you will get a lot more information than just sh run
also sh ru ? will give you most of the possible arguments you can do, and there you will see e.g. webvpn. (the compartment)
There are problems with using the ASDM
The ASDM I am sad to say is not to be trusted.
Sometimes it just outright lies to you.
and if you do use the wizards they sometimes do not put all things where they are supposed to be or miss things.
so the ASDM is not foolproof in any way but it is nice graphics and the logging can be helpful.
so it helps you out in the beginning but when you get more advanced it bites you in the....
Good luck
Hope This Helps
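The port clash diagnosed two replies up (a static PAT for https on the same interface the WebVPN listener uses, both on 443) and the CLI sequence this reply and the "Port changes cannot be made while WebVPN is enabled" error imply (disable webvpn on the interface, change the port, re-enable it, then write mem) as an added Python check. This is example code written for this page, not part of the thread or of any Cisco tool. It parses a constructed config in the shape of the one posted (placeholder addresses, not the poster's), lists static PATs that occupy the WebVPN listener's interface and port, and builds the command plan; the sample config, the sub-command keyword list and the port-name table are assumptions of the example.

```python
import re

# Constructed sample in the shape of the thread's config (placeholder addresses).
# The Internet interface has a static PAT for https to an inside host while
# WebVPN is enabled on that same interface with its default port 443.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Internet
 security-level 0
 ip address 198.51.100.10 255.255.255.248
static (Internal,Internet) tcp interface https 10.1.1.2 https netmask 255.255.255.255
static (Internal,Internet) tcp interface www 10.1.1.2 www netmask 255.255.255.255
webvpn
 enable Internet
 svc enable
 tunnel-group-list enable
group-policy VPN_Group attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value List_A
"""

# The same config after moving WebVPN to port 4443, as the reply suggests.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" enable Internet\n", " enable Internet\n port 4443\n")

WEBVPN_DEFAULT_PORT = 443
# Service keywords the ASA accepts in place of a number (only the ones this check needs).
PORT_NAMES = {"https": 443, "www": 80, "http": 80, "ssh": 22, "telnet": 23}
# Sub-commands that can follow a top-level "webvpn" line (assumed list). Config pasted
# into a forum usually loses its indentation, so section membership is decided by
# keyword rather than by leading whitespace.
WEBVPN_SUBCOMMANDS = ("enable ", "port ", "svc ", "anyconnect ", "tunnel-group-list", "url-list ")

# static (real_ifc,mapped_ifc) tcp|udp interface <mapped_port> <real_ip> <real_port> netmask ...
STATIC_PAT_RE = re.compile(
    r"^static \((?P<real>[^,]+),(?P<mapped>[^)]+)\) (?P<proto>tcp|udp) interface (?P<port>\S+) "
)


def port_number(token):
    """Resolve a port keyword or number to an int; None if unknown."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)


def parse_static_pat(config):
    """Return [(mapped_interface, proto, mapped_port)] for interface-PAT static lines."""
    result = []
    for line in config.splitlines():
        m = STATIC_PAT_RE.match(line.strip())
        if m:
            result.append((m["mapped"], m["proto"], port_number(m["port"])))
    return result


def parse_webvpn(config):
    """Return (enabled_interfaces, listening_port) from the top-level webvpn section."""
    enabled, port = set(), WEBVPN_DEFAULT_PORT
    in_section = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "webvpn":
            in_section = True
            continue
        if not in_section:
            continue
        if not line.startswith(WEBVPN_SUBCOMMANDS):
            in_section = False  # first non-webvpn keyword ends the section
            continue
        if line.startswith("enable "):
            enabled.add(line.split()[1])
        elif line.startswith("port "):
            port = int(line.split()[1])
    return enabled, port


def find_webvpn_port_conflicts(config):
    """List static PATs that sit on the WebVPN listener's own interface and TCP port."""
    enabled, port = parse_webvpn(config)
    return [
        f"static PAT on {ifc} tcp/{p} collides with WebVPN listening on {ifc}:{port}"
        for ifc, proto, p in parse_static_pat(config)
        if proto == "tcp" and p == port and ifc in enabled
    ]


def plan_port_change(config, new_port):
    """CLI lines to move WebVPN to new_port: the ASA refuses a port change while WebVPN
    is enabled on any interface, so each interface is disabled first and re-enabled after."""
    enabled, _ = parse_webvpn(config)
    lines = ["configure terminal", "webvpn"]
    lines += [f"no enable {ifc}" for ifc in sorted(enabled)]
    lines.append(f"port {new_port}")
    lines += [f"enable {ifc}" for ifc in sorted(enabled)]
    lines += ["exit", "write memory"]  # write memory so the change survives a reload
    return lines


if __name__ == "__main__":
    for finding in find_webvpn_port_conflicts(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("\n".join(plan_port_change(SAMPLE_CONFIG, 4443)))
```

Running it against the constructed sample reports the https static on Internet as colliding with the WebVPN listener on Internet:443, and against FIXED_CONFIG reports nothing. The same check works on an indentation-stripped paste because it keys on the `webvpn` sub-command keywords rather than on leading spaces.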
05-09-2012 09:35 AM
Thanks for your reply.
I contacted customer support... they asked for a copy of the config and I sent it.
I'm waiting for them to get back to me. No joy so far.
BTW... yes, this is a company firewall and yes I'm the one who set it up originally with a lot of help from this forum. I had some difficulty at first but since then I've always managed to get it to do what I wanted it to do. That is, until it came to setting up the VPN. The road map is pretty poor and not at all clear relative to what is needed for which type of VPN.
I found the spot in the GUI where you change the port but it won't let me change it until I disable the webvpn. I can't find anyplace in the GUI where I can disable webvpn so now I'm in wait mode for customer support to contact me.
Thanks again for your help... I'll let you know what customer support has to say.
Ed
BTW... I have the running config backed up in several places.
05-09-2012 01:56 PM
Success!
Customer support never got back to me but by using the information you supplied I was able to fix the problem. As you had correctly assessed earlier, port 443 was assigned to both remote administration and remote VPN. Once I learned how to disable webvpn I was able to reassign webvpn to a different port. After the port was reassigned the VPN connection on the ASA 5510 worked perfectly.
Thank you so much for your excellent advice... on all issues.
Now for my next problem....
Clients inside the network are unable to connect to an outside VPN server that we sometimes use. This is not related to the problem we just fixed... this is a separate issue. We know that the clients connection requests are getting to the outside VPN server because we have the ability to monitor it and we see the connection attempt but the responses coming back from the outside VPN server are being blocked by the ASA. I believe I created all the correct access-list entries. Any ideas as to what could be blocking inbound protocol 47 in the ASA?
Ed