We have a new install of an ASA5510. So far everything is working fine except the VPN.
We went through the SSL VPN wizard in ASDM and answered all questions.
Now when we try to open a VPN connection to the ASA using the URL https://asa_ip_address we first get a "There is a problem with this website's security certificate" message.
When we click Continue to this website (not recommended) we get a "403-Forbidden: Access is Denied" message indicating that the credentials are invalid. We never even got to the logon screen so we don't even know what credentials it is talking about.
Any ideas? Do you need the config posted?
OK... I will be in the office later this afternoon and I will post the config. (I'm in the Eastern time zone)
Result of the command: "show running-config"
ASA Version 8.2(5)
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxx.xxxxx encrypted
name 96.56.xxx.xxx Gateway description Default gateway
description Static IP external interface
ip address 96.56.xxx.xxx 255.255.255.248
no ip address
no ip address
ip address 10.1.1.1 255.255.255.0
ip address 192.168.1.1 255.255.255.0
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Internal
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object-group network inside-net
object-group service Remote_Control
description Remote administration
service-object tcp eq 987
access-list Internal_access_out remark Outgoing
access-list Internal_access_out extended permit ip any any
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq smtp
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq telnet
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq https
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq www
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq 987
access-list Internet_access_in remark VPN
access-list Internet_access_in extended permit gre any host 96.56.xxx.xxx
access-list Internet_access_in remark VPN ptptp port
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq pptp
access-list Internet_access_in remark Allow PC Anywhere to connect.
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq pcanywhere-data
access-list Internet_access_in remark Allow PC Anywhere status
access-list Internet_access_in extended permit udp any host 96.56.xxx.xxx eq pcanywhere-status
access-list Internet_access_in remark FTP access to SMSB FTP server address 10.1.1.3
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq ftp
access-list Internet_access_in extended permit tcp any host 96.56.xxx.xxx eq ftp-data
access-list Internal_nat0_outbound extended permit ip host 10.1.1.2 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Internet 1500
mtu Internal 1500
mtu management 1500
ip local pool Clientless_VPN_Address_Pool 10.1.1.100-10.1.1.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Internet) 101 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 101 0.0.0.0 0.0.0.0
static (Internal,Internet) tcp interface smtp 10.1.1.14 smtp netmask 255.255.255.255
static (Internal,Internet) tcp interface telnet 10.1.1.2 telnet netmask 255.255.255.255
static (Internal,Internet) tcp interface www 10.1.1.2 www netmask 255.255.255.255
static (Internal,Internet) tcp interface https 10.1.1.2 https netmask 255.255.255.255
static (Internal,Internet) tcp interface pcanywhere-data 10.1.1.80 pcanywhere-data netmask 255.255.255.255
static (Internal,Internet) udp interface pcanywhere-status 10.1.1.80 pcanywhere-status netmask 255.255.255.255
static (Internal,Internet) tcp interface ftp 10.1.1.3 ftp netmask 255.255.255.255
static (Internal,Internet) tcp interface ftp-data 10.1.1.3 ftp-data netmask 255.255.255.255
access-group Internet_access_in in interface Internet
access-group Internal_access_out in interface Internal
route Internet 0.0.0.0 0.0.0.0 Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 Internal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.5-10.1.1.199 Internal
dhcpd dns 126.96.36.199 188.8.131.52 interface Internal
dhcpd domain smsbconsulting.local interface Internal
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
url-list value List_A
group-policy VPN_Group internal
group-policy VPN_Group attributes
url-list value List_A
group-policy VPN_policy_Group internal
group-policy VPN_policy_Group attributes
vpn-tunnel-protocol svc webvpn
svc dtls enable
svc mtu 1406
username xxxxx password xxxxxxxxxxxx encrypted privilege 15
username xxxxx attributes
svc ask enable default svc timeout 30
username cisco password xxxxxxxxxxxx encrypted privilege 15
tunnel-group First_VPN_Connection type remote-access
tunnel-group PTPVPN type remote-access
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
tunnel-group Clientless_VPN type remote-access
tunnel-group Clientless_VPN general-attributes
tunnel-group Clientless_VPN webvpn-attributes
group-alias Conection_Group enable
group-url https://96.56.xxx.xxx/Conection_Group enable
tunnel-group SMSB_VPN type remote-access
tunnel-group SMSB_VPN general-attributes
tunnel-group SMSB_VPN webvpn-attributes
group-alias https://96.56.xxx.xxx enable
group-url https://96.56.xxx.xxx/https://96.56.xxx.xxx enable
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
This is not really my forte BUT
You are pointing a web client to start a webvpn client?
My first thought was that the first problem was because of the certificate being self-signed.
That will give that error since the browser does not know if it can trust the certificate or not.
But that should only account for the first part of the problem.
However I just swept through the config you have posted and there is one thing I think will cause problems.
You have a static on the interface with https, i.e. the same port as the webvpn.
I doubt that works just fine.
To change the webvpn port:
Now it will use port 4443 instead.
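One way to catch this clash before a browser does, as an added example (not the thread's own commands and not Cisco's code): a small Python checker for pre-8.3 style configs that pairs every static PAT on the outside interface address against the port WebVPN listens on (443 unless `port N` is set in the `webvpn` block). The excerpt it runs on is constructed from the posted config; the interface names Internal and Internet are the thread's, while the `webvpn` / `enable Internet` block is an assumption, since the posted output omits it.

```python
import re

# Service names the ASA prints in place of numbers for the ports seen in the
# thread's config (a hand-picked subset, not the ASA's full name table).
PORT_NAMES = {
    "ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
    "www": 80, "https": 443, "pptp": 1723, "pcanywhere-data": 5631,
}

# Pre-8.3 static PAT on the outside interface address:
#   static (inside_if,outside_if) tcp interface <mapped_port> <real_ip> <real_port> netmask ...
STATIC_PAT_RE = re.compile(
    r"^static \((?P<inside>[^,]+),(?P<outside>[^)]+)\) tcp interface "
    r"(?P<mapped>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)


def port_number(token):
    """Resolve a numeric or named TCP port; None if the name is unknown."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)


def parse_webvpn(config):
    """Return (listen_port, enabled_interfaces) from the top-level webvpn block.

    WebVPN listens on 443 unless 'port N' is set. Sub-commands are indented by
    one space, so a non-indented line ends the block; the 'webvpn' nested under
    'group-policy ... attributes' is itself indented and is not mistaken for it.
    """
    port, enabled, in_block = 443, set(), False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_block = line.strip() == "webvpn"
            continue
        if in_block:
            parts = line.split()
            if len(parts) == 2 and parts[0] == "port":
                port = int(parts[1])
            elif len(parts) == 2 and parts[0] == "enable":
                enabled.add(parts[1])
    return port, enabled


def find_port_conflicts(config):
    """List static PATs that claim the interface/port WebVPN is listening on."""
    webvpn_port, webvpn_ifaces = parse_webvpn(config)
    conflicts = []
    for line in config.splitlines():
        m = STATIC_PAT_RE.match(line.strip())
        if not m:
            continue
        mapped = port_number(m.group("mapped"))
        if m.group("outside") in webvpn_ifaces and mapped == webvpn_port:
            conflicts.append({
                "interface": m.group("outside"),
                "port": mapped,
                "forwarded_to": m.group("real_ip"),
                "line": line.strip(),
            })
    return conflicts


# Constructed excerpt modelled on the posted config; the top-level webvpn block
# is assumed (the post does not show it), the static lines are the thread's.
CONFLICTING = """\
static (Internal,Internet) tcp interface www 10.1.1.2 www netmask 255.255.255.255
static (Internal,Internet) tcp interface https 10.1.1.2 https netmask 255.255.255.255
static (Internal,Internet) tcp interface smtp 10.1.1.14 smtp netmask 255.255.255.255
group-policy VPN_policy_Group attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc dtls enable
webvpn
 enable Internet
 svc enable
"""

# The same config after moving WebVPN to 4443, as the thread ends up doing.
FIXED = CONFLICTING.replace("webvpn\n enable Internet",
                            "webvpn\n port 4443\n enable Internet")

if __name__ == "__main__":
    for label, cfg in (("before", CONFLICTING), ("after", FIXED)):
        print(label, find_port_conflicts(cfg) or "no conflicts")
```

The checker reports the `https` static to 10.1.1.2 as a conflict on the Internet interface and nothing once `port 4443` is present. On the box itself the order is the one the error message enforces: under `webvpn`, disable it on the interface (`no enable Internet`), set `port 4443`, re-enable it, then `copy running-config startup-config`.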
Thank you for your reply.
At the risk of sounding like a complete novice... (which I am) I am using the Tools/Command Line Interface from ASDM version 6.4(5).
When I enter the commands in multiple line mode and then select "send" I get the following:
Result of the command : "config t"
The command has been sent to the device.
Result of the command: "webvpn"
The command has been sent to the device.
Result of the command: "port 4443"
Error: Port changes cannot be made while WebVPN is enabled. blah blah blah
Also... no changes I make via the command line ever stick. I realize I'm not saving them but I don't know how to save them.
Also... Every tutorial I see gives a command prompt that appears to grow as you get further into the commands. For example:
I don't get anything like that... no prompt and no #. The only indication I get that I did anything is the message that says Result of the command: "xxx" The command has been sent to the device.
As you can see... I have no clue how to use the CLI and I could use very detailed help.
It's totally ok to be a novice and fiddle around with things.
BUT if this is a company firewall and not your own I must strongly advise you to go to a local Cisco rep and ask them for advice on who to contact to help you with setting up your firewall.
Well, you have no clue of what you are doing (no disrespect) and that in itself puts the company at risk,
and we cannot help you properly with that.
This is a public forum and even though most of us here are willing to donate time and experience and will give you answers to the best of our abilities, there are limitations on how much you can discuss without breaching your security to everyone,
and some of those things are best discussed under the cloak of secrecy.
So my advice would be
1) talk to cisco rep
2) buy a 5505 to fiddle with so you can learn why things are done the way it's done
3) educate yourself with courses/books/this forum, and so on
Now to your questions, just in case you are just fiddling around with your own unit.
Connect to the CLI (since you state that you know how, we will skip that part).
To save a config you write
copy running-config startup-config
When it comes to the issue of the commands growing longer: actually most of them do not.
But here is a way to visualise how things are done.
You have compartments.
The interface gigabitethernet0/0, for example, is one compartment.
In that compartment you put all the information you need for that single compartment;
in this case that would be things like
speed and duplex
and so on
same with webvpn
It's a compartment holding all the information on the webvpn that is specific for the webvpn.
If you do a command
show running-config all (or sh ru all for short)
you will get a lot more information than just sh run.
Also sh ru ? will give you most of the possible arguments you can do, and there you will see e.g. webvpn (the compartment).
There are problems with using the ASDM.
The ASDM I am sad to say is not to be trusted.
Sometimes it just outright lies to you.
And if you do use the wizards they sometimes do not put all things where they are supposed to be or miss things.
So the ASDM is not foolproof in any way but it has nice graphics and the logging can be helpful.
so it helps you out in the beginning but when you get more advanced it bites you in the....
Hope This Helps
Thanks for your reply.
I contacted customer support... they asked for a copy of the config and I sent it.
I'm waiting for them to get back to me. No joy so far.
BTW... yes, this is a company firewall and yes I'm the one who set it up originally with a lot of help from this forum. I had some difficulty at first but since then I've always managed to get it to do what I wanted it to do. That is, until it came to setting up the VPN. The road map is pretty poor and not at all clear relative to what is needed for which type of VPN.
I found the spot in the GUI where you change the port but it won't let me change it until I disable the webvpn. I can't find anyplace in the GUI where I can disable webvpn so now I'm in wait mode for customer support to contact me.
Thanks again for your help... I'll let you know what customer support has to say.
BTW... I have the running config backed up in several places.
Customer support never got back to me but by using the information you supplied I was able to fix the problem. As you had correctly assessed earlier, port 443 was assigned to both remote administration and remote VPN. Once I learned how to disable webvpn I was able to reassign webvpn to a different port. After the port was reassigned the VPN connection on the ASA 5510 worked perfectly.
Thank you so much for your excellent advice... on all issues.
Now for my next problem....
Clients inside the network are unable to connect to an outside VPN server that we sometimes use. This is not related to the problem we just fixed... this is a separate issue. We know that the clients' connection requests are getting to the outside VPN server because we have the ability to monitor it and we see the connection attempt, but the responses coming back from the outside VPN server are being blocked by the ASA. I believe I created all the correct access-list entries. Any ideas as to what could be blocking inbound protocol 47 in the ASA?