I am testing ASA5540 ver 7.1(1). I have got two problems:
1. Once I enabled web type ACL and Port Forwarding together, the port forwarding application stopped working. When I disabled the web type ACL, port forwarding just works fine. I tried the following applications: SSH, RDP and FTP. I have some running configuration about this part below:
1. This would be expected behaviour I believe. With the "filter" option on the "functions" command-line you're saying that I want the specified filter to be applied to all those functions. However your filter/ACL only allows access to URLs, because there is always an implicit "deny everything" at the end of any type of ACL. If you want to also allow SSH, FTP, etc. through then you need to add that to the end of the same ACL, so something like this should work for you:
This will have the same effect of filtering out yahoo.com, but will allow everything else after that.
2. This is also expected. When you see this error you can save the certificate off to a file on your PC, then open it up and install it into the certificate store on your machine. The next time you use WebVPN you shouldn't see this error. The message is simply telling you that it received a certificate from the ASA that it doesn't know if it should trust or not, you have to tell it to trust it by adding it into your store.
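To illustrate the first point in ASA configuration, here is an added example of a webtype ACL that both filters yahoo.com and permits the port-forwarded applications (it is not the answering poster's configuration or the original poster's running config; the ACL name, group-policy name, host addresses and ports are assumptions):

```cisco
! Webtype ACL: URL entries cover the clientless browser portal
access-list WEBVPN-FILTER webtype deny url http://*.yahoo.com/* log
access-list WEBVPN-FILTER webtype deny url https://*.yahoo.com/* log
access-list WEBVPN-FILTER webtype permit url any
!
! Port-forwarded sessions (SSH, RDP, FTP) are matched as tcp entries, not url
! entries, so without these lines they fall through to the implicit deny.
! Hosts and ports are assumed values for the example.
access-list WEBVPN-FILTER webtype permit tcp host 10.0.0.5 eq 22
access-list WEBVPN-FILTER webtype permit tcp host 10.0.0.6 eq 3389
access-list WEBVPN-FILTER webtype permit tcp host 10.0.0.7 eq 21
!
! Apply the filter to the WebVPN functions the group policy enables
group-policy SSLVPN-GP attributes
 webvpn
  functions url-entry port-forward filter
  filter value WEBVPN-FILTER
```

Keep the permit entries as narrow as the assumed hosts and ports show; a broad "permit tcp any" would remove the filtering the ACL was created for.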
Did you ever get part 2 resolved? I'd like to make this message go away if possible. I installed the cert to my trusted root CA store on my PC but I still get the 2 messages with warnings that make me view the cert then accept it.
This is the single biggest problem we face with the SSL VPN SVC deployment. Different browsers, or even browsers with different settings will act differently for this certificate. This is not covered in the documentation at all.
(on my soapbox)
In my opinion, the actual expected browser settings need to be documented by Cisco, or SSL VPN SVC will not succeed in the marketplace.
(off my soapbox)
We will be purchasing a certificate to get around part of this (the address not matching the device name and the certificate being from an untrusted source).
But browser settings can still make the certificate hard to import, and each Cisco customer deploying SSL VPN SVC ends up trying to document this horror show themselves.
(on my soapbox)
Cisco could easily provide sample documentation to make deployment much easier.
Documentation is an essential part of the product.