We have mail servers at primary/secondary site; if the primary site is down, we want the URL on the ASA to go to the secondary location. We kind of know how to do a script to do redirects but do not know where/how to invoke the script on the ASA for WebVPN. Anyone done anything like this? Thanks.
The Cisco ASA has no scripting capability built into the O/S; you will need to use a load balancer like the Cisco CSS or ACE appliances on the back-end. These devices can do a much more secure job of enabling the functionality you’re looking for. They can provide instant fail-over without compromising your security posture. Developing a scripting solution to provide this functionality will take many hours of development and testing. Integrating a load balancer solution will allow the group-url on the ASA to stay the same and the fail-over would be handled on the back-end. These devices have scripting capability and support many methods of application state awareness. A ping request alone to check the status of your email application may not give a proper state indication: the service may be stopped yet the server may be running and respond to ping requests. Suggested load balancer topology:
If you would still like to pursue a scripting solution, I would suggest the following topology:
If you have an automated way of indicating when your mail server or service is unavailable, you may be able to use SecureCRT from VanDyke Software and write a VBScript that will log in to the ASA via SSH and reconfigure WebVPN for the secondary mail site. For security reasons I do not recommend that you do this: an automated process may have undesired results, and placing administrative credentials within a script is never a good idea! However, if the system owner is willing to accept the risk, here are the steps to accomplish this:
1. Back up your configuration using ASDM Tools [menu] / Backup Configurations / Backup All and save to your management workstation (encrypting these files is a good idea).
2. You will also need a backup of the original url-list file that will be saved on the ASA's flash file system. This file will be used to reset the WebVPN user's url-list to the primary mail server. To do this just use the CLI to export the links: export webvpn url-list Users-Links Users-Links (To see all of the url-lists currently on your ASA, type: export webvpn url-list ? at the CLI)
3. Verify the export to flash by typing dir at the CLI. You should see the Users-Links file in the list.
4. Now you will make a copy of the original url-list file that will be used to create the secondary mail server WebVPN URL change. This file will be used to set the WebVPN user's url-list to the secondary mail server. To do this just use the CLI to export the links: export webvpn url-list Users-Links Users-Links-SecondaryMail
5. Verify the export by typing dir at the CLI. You should see the Users-Links and Users-Links-SecondaryMail files in the list.
6. Now from the ASDM Configuration [tab] > Remote Access VPN > Client SSL VPN Access > Portal > Bookmarks page, click the “Import” button. Type “Users-Links-SecondaryMail” in the Bookmark List Name, select the Flash file system option, then click the “Browse Flash” button. Find the “Users-Links-SecondaryMail” file and select it. Click the “OK” button and then the “Import Now” button. You should get an “Entry Users-Links-SecondaryMail has been successfully imported” message. Click “OK”.
7. From the same ASDM Configuration [tab] > Remote Access VPN > Client SSL VPN Access > Portal > Bookmarks page, select the new “Users-Links-SecondaryMail” bookmarks, click the “Edit” button and make any URL changes for the secondary mail server links. Click “OK”, then “Apply”. This will save your changes.
8. Stay on the ASDM Configuration [tab] > Remote Access VPN > Client SSL VPN Access > Portal > Bookmarks page and make sure the Users-Links-SecondaryMail bookmarks are still selected. Click the “Export” button. Select Flash file system, click “Browse Flash”, find the “Users-Links-SecondaryMail” file and select it. Click “OK”; you will get a “File Already Exists, do you want to overwrite it?” message. Click “OK”, then click “Export Now”. You should get an “Entry Users-Links-SecondaryMail has been successfully exported” message. Click “OK”.
You have now created the needed files for the VBscript to use.
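The answer above leaves two gaps a practitioner would want filled before automating this: a health check that actually tests the mail service rather than pinging the host, and a guard against the script flapping the ASA configuration every time a single probe is dropped. The following is an added example, not code from the original post or from Cisco, written in Python rather than the VBScript the answer suggests. It assumes the two bookmark lists created in the steps above (Users-Links and Users-Links-SecondaryMail), plus hostnames, an /owa/ probe path and a group-policy name WebVPN-Users that are placeholders. Instead of re-importing the url-list files at failover time, it swaps which list the group-policy references (url-list value under the group-policy webvpn attributes); check that syntax against your ASA release before relying on it. Pushing the generated lines to the ASA is left to the SSH client of your choice, and on ASA releases that support SSH public-key authentication for administrative users, that is the way to keep a password out of the script.

```python
"""Service-aware health check and ASA command generation for a WebVPN
bookmark failover. Added example; not code from the original post."""
import http.client
import ssl

# Bookmark list names are the ones the post creates. The mail host names,
# the probe path and the group-policy name are assumptions for this example.
PRIMARY_LIST = "Users-Links"
SECONDARY_LIST = "Users-Links-SecondaryMail"
PRIMARY_MAIL = ("mail-primary.example.com", 443)
SECONDARY_MAIL = ("mail-secondary.example.com", 443)
PROBE_PATH = "/owa/"                 # assumed web front end to probe
GROUP_POLICY = "WebVPN-Users"        # assumed group-policy that uses the url-list


def probe_https(host, port, path=PROBE_PATH, timeout=5.0):
    """True only if TCP connects, TLS completes and the front end answers a
    HEAD with a non-5xx status (a 302 to the logon form counts as alive).
    A stopped mail service on a running server still answers ping; it fails
    this probe, which is the gap the answer above warns about."""
    conn = http.client.HTTPSConnection(
        host, port, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("HEAD", path)
        return conn.getresponse().status < 500
    except (OSError, http.client.HTTPException):
        # DNS failure, refused connection, timeout and TLS errors all land here
        return False
    finally:
        conn.close()


class FailoverState:
    """Switch lists only after `threshold` consecutive rounds disagree with
    the active list, in either direction, so one dropped probe does not
    flap the bookmarks (and the ASA config) back and forth."""

    def __init__(self, threshold=3, active=PRIMARY_LIST):
        self.threshold = threshold
        self.active = active
        self.streak = 0        # consecutive rounds that want a different list
        self.changed = False   # True only on the round that switched lists

    def observe(self, primary_up, secondary_up):
        """Feed one round of probe results; return the list that should be active."""
        if primary_up:
            wanted = PRIMARY_LIST
        elif secondary_up:
            wanted = SECONDARY_LIST
        else:
            wanted = self.active   # nothing reachable: do not touch the ASA
        self.changed = False
        if wanted == self.active:
            self.streak = 0
        else:
            self.streak += 1
            if self.streak >= self.threshold:
                self.active = wanted
                self.streak = 0
                self.changed = True
        return self.active


def asa_commands(target_list, group_policy=GROUP_POLICY):
    """CLI lines to point the group-policy at `target_list`. Both lists already
    exist on the ASA after the steps above, so failover is a reference swap
    rather than a file import. Verify the syntax on your ASA release."""
    return [
        "configure terminal",
        f"group-policy {group_policy} attributes",
        "webvpn",
        f"url-list value {target_list}",
        "end",
        "write memory",
    ]


if __name__ == "__main__":
    # One scheduler run: probe both sites, emit commands only on a transition.
    state = FailoverState(threshold=3)
    active = state.observe(probe_https(*PRIMARY_MAIL), probe_https(*SECONDARY_MAIL))
    if state.changed:
        print("\n".join(asa_commands(active)))
    else:
        print(f"no change; active list is {active}")
```

Run it from a scheduler on the management workstation and persist the FailoverState between runs (a small state file is enough); with a three-round threshold and a one-minute interval, users move to the secondary bookmarks about three minutes after the primary front end stops answering, and move back only once the primary has answered three rounds in a row.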
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...