Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SSL VPN message "This (client) machine does not have the web access privilege."

Hello!

I am trying to configure the SSL VPN (WebVPN) and I am almost done but when clicking on the URL's I configured in the bookmarks, I get the message "This (client) machine does not have the web access privilege. Please contact your SSLVPN provider for assistance." I looked through the many tutorials and guides in existence and none talks about such error and the fix for it. In fact, if I search the net for this error message I get only one match, in the Cisco website, where is say that "The client computer does not meet the security criteria of having web access functionality through the SSL VPN gateway." and as fix it gave this tip "Check the URL to the gateway or contact the administrator if it persists." So, nothing on the website about what this issue is and how to fix it. I will provide my IOS configuration and hopefully someone will spot the issue. Here it goes:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 $1$1LLX$u7aTc8XfNqPZhPVGwEF/J0
enable password xxxxxxxx
!
aaa new-model
!
!
aaa authentication login userAuthen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1279712955
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1279712955
revocation-check none
rsakeypair TP-self-signed-1279712955
!
!
crypto pki certificate chain TP-self-signed-1279712955
certificate self-signed 01
  3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31323739 37313239 3535301E 170D3130 30333233 31313030
  33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32373937
  31323935 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A8EF 34E3E792 36660498 9801F934 E8A41865 3599EA35 B073AC91 D7A53AF4
  A4390D2F CB3DB2DE 936B28F0 A25F3CE1 6F40FD9E E79096F2 F89620E0 B31A7B34
  649BBA22 AE44CB55 9F38BF0C 2F2770CF 8380C167 C17D760C 380E28E4 FF7D6874
  9EFC310A 2AA60835 F1AA384F CD1A0173 19C98192 EBFBD531 24CB9203 EA9E7D54
  B2C30203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
  551D1104 06300482 02523130 1F060355 1D230418 30168014 0D9D62EC DA77EAF3
  11ABF64D 933633F9 2BA362DC 301D0603 551D0E04 1604140D 9D62ECDA 77EAF311
  ABF64D93 3633F92B A362DC30 0D06092A 864886F7 0D010104 05000381 81006853
  48ED4E3E 5721C653 D9A2547C 36E4F0CB A6764B29 9AFFD30A 1B382C8C C6FDAA55
  265BCF6C 51023F5D 4AF6E177 C76C4560 57DE5259 40DE4254 E79B3E13 ABD0A78D
  7E0B623A 0F2D9C01 E72EF37D 5BAB72FF 65A176A1 E3709758 0229A66B 510F9AA2
  495CBB4B 2CD721A7 D6F6EB43 65538BE6 B45550D7 A80A4504 E529D092 73CD
   quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool myPOOL
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 87.216.1.65 87.216.1.66
!
!
ip cef
ip name-server 87.216.1.65
ip name-server 87.216.1.66
ip ddns update method mydyndnsupdate
HTTP
  add http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 1 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group pppoe
request-dialin
  protocol pppoe
!
!
!
username cisco privilege 15 password 0 xxxxxxxx
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group vpnclient
key cisco123
domain selfip.net
pool ippool
acl 110
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userAuthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
  hidekeys
!
!
!
!
!
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Loopback2
description SSL VPN Website IP address
ip address 10.10.10.1 255.255.255.0
!
interface Loopback1
description SSL DHCP Pool Gateway Address
ip address 192.168.250.1 255.255.255.0
!
interface FastEthernet0
description $ES_LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
!
interface Vlan1
no ip address
!
interface Dialer1
ip ddns update hostname myserver.selfip.net
ip ddns update mydyndnsupdate host members.dyndns.org
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip policy route-map VPN-Client
dialer pool 1
ppp chap hostname xxx

ppp chap password 0 xxxx

ppp pap sent-username xxx password 0 xxxx
crypto map clientmap
!
ip local pool ippool 192.168.50.100 192.168.50.200
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 790
ip nat inside source static tcp 192.168.0.15 21 interface Dialer1 789
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.1 443 interface Dialer1 443
ip nat inside source static tcp 10.10.10.1 80 interface Dialer1 80
!
access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 144 permit ip 192.168.50.0 0.0.0.255 any
!
!
!
!
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
!
!
!
!
control-plane
!
banner motd ^C
================================================================

                UNAUTHORISED ACCESS IS PROHIBITED!!!

=================================================================
^C
!
line con 0
line aux 0
line vty 0 4
password mypassword
transport input telnet ssh
!
!
webvpn gateway MyGateway
ip address 10.10.10.1 port 443 
http-redirect port 80
ssl trustpoint TP-self-signed-1279712955
inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn install csd flash:/webvpn/sdesktop.pkg
!
webvpn context SecureMeContext
title "My SSL VPN Service"
secondary-color #C0C0C0
title-color #808080
ssl authenticate verify all
!
url-list "MyServers"
   heading "My Intranet"
   url-text "Cisco" url-value "http://192.168.0.2"
   url-text "NetGear" url-value "http://192.168.0.3"
!
login-message "Welcome to My VPN"
!
policy group MyDefaultPolicy
   url-list "MyServers"
   functions svc-enabled
   svc address-pool "sslvpnpool"
   svc keep-client-installed
default-group-policy MyDefaultPolicy
aaa authentication list userAuthen
gateway MyGateway domain testvpn
max-users 100
csd enable
inservice
!
end

Thank you!

692
Views
0
Helpful
0
Replies