06-29-2012 01:22 PM
Hi All,
I have my SSL-VPN (SonicWall) box behind a Cisco ASA. I have done the static NAT for the SSL box; I'm able to ping the box from the internet, but not able to log in to the SSL VPN web page. Previously the SSL box was working with the static public IP.
Any suggestions would be great
06-29-2012 08:11 PM
Can you share the config, please?
Do you have access-list that allowed the inbound access on the SSL VPN ports?
06-30-2012 04:35 PM
Hi Jennifer,
I have written the access-list like below:
object network SSL-Host
 host 172.16.1.16
access-list acl_in extended permit ip object SSL-Host any
object network SSL-Host-Pub
 host 182.x.x.x
access-list acl_out extended permit ip any object SSL-Host-Pub
Any suggestions?
06-30-2012 08:12 PM
The ACL should be:
access-list acl_out extended permit ip any object SSL-Host
07-04-2012 06:05 AM
Hi,
Can you explain to me how we can permit the private IP in acl_out?
07-04-2012 06:09 AM
There are changes to access-lists from version 8.3 onwards: you should use the real IP in the access-list instead of the NATed IP.
Here is the doc for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp460665
(Check out the row "Use of Real IP addresses in access lists instead of translated addresses" under the Firewall Features section.)
07-04-2012 10:20 AM
Hi Jennifer,
So the configuration should be like this:
object network SSL-Host
 host 172.16.1.16
access-list acl_in extended permit ip object SSL-Host any
object network SSL-Host-Pub
 host 182.x.x.x
access-list acl_out extended permit ip any object SSL-Host
object network SSL-Host
 nat (Inside,Outside) static 182.x.x.x
Correct me if I am wrong...
07-05-2012 06:25 AM
Yes, that is correct.
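The rule Jennifer points to (from ASA 8.3 onwards an access-list is matched against the real, pre-translation address, so an ACE written against the mapped public address never matches) can be checked mechanically. The Python below is an added example, not code from this thread or from Cisco: it parses constructed ASA `object network`, `nat ... static` and `access-list` lines (all addresses are constructed; 172.16.1.16 stands in for the real SSL VPN appliance, 203.0.113.10 for its mapped public address) and rewrites any ACE that references the mapped address, directly or through a second object, to the object that carries the real address.

```python
"""Flag ASA 8.3+ access-list entries that still use the NAT'd (mapped) address.

Added example, not Cisco code. From ASA 8.3 onwards access-lists are
evaluated against the real (pre-translation) address, so an ACE that
permits traffic to the public address of a static NAT never matches.
This parses 'object network' definitions with their 'host' and
'nat ... static' lines and rewrites offending ACEs to the real-address object.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class NetObject:
    name: str
    real_ip: Optional[str] = None    # from 'host A.B.C.D'
    mapped_ip: Optional[str] = None  # from 'nat (in,out) static A.B.C.D'


def parse_asa(config: str) -> Tuple[Dict[str, NetObject], List[str]]:
    """Collect network objects (host + static NAT) and access-list lines."""
    objects: Dict[str, NetObject] = {}
    acls: List[str] = []
    current: Optional[NetObject] = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if raw[0].isspace() and current is not None:
            # indented sub-command of the object entered just above
            m = re.match(r"host (\S+)$", line)
            if m:
                current.real_ip = m.group(1)
            m = re.match(r"nat \([^)]*\) static (\S+)$", line)
            if m:
                current.mapped_ip = m.group(1)
            continue
        current = None
        m = re.match(r"object network (\S+)$", line)
        if m:
            # the same object appears twice in a running-config:
            # once in the object section, once in the NAT section
            current = objects.setdefault(m.group(1), NetObject(m.group(1)))
        elif line.startswith("access-list "):
            acls.append(line)
    return objects, acls


def check_real_ip_acls(config: str) -> List[Tuple[str, str]]:
    """Return (offending ACE, corrected ACE) pairs; empty if all ACEs use real IPs."""
    objects, acls = parse_asa(config)
    # mapped public address -> name of the object whose static NAT produces it
    owner = {o.mapped_ip: o.name for o in objects.values() if o.mapped_ip}
    findings: List[Tuple[str, str]] = []
    for ace in acls:
        tokens = ace.split()
        fixed = list(tokens)
        for i in range(1, len(tokens)):
            kw, tok = tokens[i - 1], tokens[i]
            if kw == "host" and tok in owner:
                # literal mapped address -> real-address object
                fixed[i - 1:i + 1] = ["object", owner[tok]]
            elif kw == "object" and tok in objects:
                o = objects[tok]
                # an object that merely aliases the mapped address
                if o.mapped_ip is None and o.real_ip in owner:
                    fixed[i] = owner[o.real_ip]
        if fixed != tokens:
            findings.append((ace, " ".join(fixed)))
    return findings


# Constructed sample: 172.16.1.16 is the real appliance address,
# 203.0.113.10 (TEST-NET-3) its mapped public address.
SAMPLE_CONFIG = """\
object network SSL-Host
 host 172.16.1.16
object network SSL-Host-Pub
 host 203.0.113.10
access-list acl_in extended permit ip object SSL-Host any
access-list acl_out extended permit tcp any object SSL-Host-Pub eq 443
access-list acl_out extended permit tcp any host 203.0.113.10 eq 443
access-list acl_out extended permit tcp any object SSL-Host eq 443
object network SSL-Host
 nat (inside,outside) static 203.0.113.10
"""

if __name__ == "__main__":
    for bad, good in check_real_ip_acls(SAMPLE_CONFIG):
        print(f"- {bad}\n+ {good}")
```

Run against the sample, the two `acl_out` entries that name the public address are reported with their real-address replacement, while the entry already written against `object SSL-Host` passes. The check only understands `host` objects and static NAT; `subnet`, `range` and dynamic NAT are outside what it models.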
07-07-2012 05:58 PM
Hi Jennifer,
I've been beating my head against this problem and there doesn't seem to be an obvious reason why it doesn't work.
A 3945 router running c3900-universalk9-mz.SPA.151-3.T.bin is configured for SSL VPN. In the status line of the AnyConnect client I see "Unable to process response from x.x.x.x".
aaa new-model
aaa authentication login sslvpn local
aaa session-id common
!
username xxxxx privilege 15 secret xxxxxxx
!
interface Loopback50
 description SSL DHCP Pool Gateway Address
 ip address 192.168.50.1 255.255.255.0
!
interface Loopback10
 description SSL VPN Website IP address
 ip address x.x.x.164 255.255.255.255
!
ip local pool new 192.168.50.2 192.168.50.100
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended VTY_ACL
 permit ip 192.168.10.0 0.0.0.255 any
 deny ip any any log
!
line vty 0 4
 access-class VTY_ACL in
 logging synchronous
 transport input telnet ssh
 transport output all
!
webvpn gateway MyGateway
 ip address x.x.x.164 port 443
 http-redirect port 80
 ssl trustpoint
 inservice
!
webvpn install svc flash0:/anyconnect-win-2.4.1012-k9.pkg
!
webvpn context SecureMeContext
 title "My SSL VPN Service"
 secondary-color #C0C0C0
 title-color #808080
 ssl authenticate verify all
 !
 login-message "Welcome to VPN"
 !
 policy group MyDefaultPolicy
   functions svc-enabled
   svc address-pool "sslvpnpool"
   svc keep-client-installed
 default-group-policy MyDefaultPolicy
 aaa authentication list sslvpn
 gateway MyGateway domain testvpn
 max-users 100
 inservice
!
Please help me out on this.
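A webvpn configuration like the one posted above is a set of cross-references: the policy group names an address pool, the context names a gateway and an AAA list, the gateway names a trustpoint. In the posted config the policy group references pool "sslvpnpool" while the only pool defined is named "new", and the gateway's `ssl trustpoint` line carries no name; both are the kind of mismatch that is easy to miss by eye. The Python below is an added example (not Cisco tooling, not from this thread) that parses the indentation-based IOS running-config and reports every reference that does not resolve. The sample config inside it is constructed in the shape of the posted one, with those two mismatches reproduced and a constructed TEST-NET-2 gateway address.

```python
"""Cross-reference checks for an IOS SSL VPN (webvpn) configuration.

Added example, not Cisco tooling. Parses the indentation-based
running-config and checks that every name used in one place is defined
in another: svc address-pool vs 'ip local pool', the context's gateway,
the gateway's trustpoint, and 'inservice' on gateway and context.
"""
import re
from typing import Dict, List, Optional, Tuple


def parse_ios(config: str) -> List[Tuple[str, List[Tuple[int, str]]]]:
    """Top-level commands, each with its (indent depth, text) sub-commands."""
    blocks: List[Tuple[str, List[Tuple[int, str]]]] = []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":            # skip blanks and separators
            continue
        depth = len(raw) - len(raw.lstrip())
        if depth == 0:
            blocks.append((text, []))
        elif blocks:
            blocks[-1][1].append((depth, text))
    return blocks


def _arg(cmds: List[str], prefix: str) -> Optional[str]:
    """Argument of the first command starting with prefix; None if absent."""
    for c in cmds:
        if c.startswith(prefix):
            return c[len(prefix):].strip()
    return None


def _split_groups(kids: List[Tuple[int, str]]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Separate a context's own commands from its nested 'policy group' blocks."""
    ctx_cmds: List[str] = []
    groups: Dict[str, List[str]] = {}
    base = min((d for d, _ in kids), default=1)
    current: Optional[str] = None
    for depth, text in kids:
        if depth == base:
            m = re.match(r"policy group (\S+)$", text)
            current = m.group(1) if m else None
            if current is None:
                ctx_cmds.append(text)
            else:
                groups[current] = []
        elif current is not None:               # deeper-indented group member
            groups[current].append(text)
    return ctx_cmds, groups


def check_webvpn(config: str) -> List[str]:
    """Return findings; an empty list means every reference resolves."""
    blocks = parse_ios(config)
    tops = [b[0] for b in blocks]
    pools = {t.split()[3] for t in tops if t.startswith("ip local pool ")}
    trustpoints = {t.split()[3] for t in tops if t.startswith("crypto pki trustpoint ")}
    gateways = {top.split()[2]: [t for _, t in kids]
                for top, kids in blocks if top.startswith("webvpn gateway ")}
    out: List[str] = []
    for name, cmds in gateways.items():
        tp = _arg(cmds, "ssl trustpoint")
        if not tp:                              # line absent or without a name
            out.append(f"gateway {name}: 'ssl trustpoint' does not name a trustpoint")
        elif tp not in trustpoints:
            out.append(f"gateway {name}: trustpoint {tp} is not defined")
        if "inservice" not in cmds:
            out.append(f"gateway {name}: not inservice")
    for top, kids in blocks:
        if not top.startswith("webvpn context "):
            continue
        ctx = top.split()[2]
        cmds, groups = _split_groups(kids)
        gw = _arg(cmds, "gateway ")             # 'gateway NAME domain X'
        if gw is None or gw.split()[0] not in gateways:
            out.append(f"context {ctx}: gateway {gw} is not defined")
        if "inservice" not in cmds:
            out.append(f"context {ctx}: not inservice")
        for gname, gcmds in groups.items():
            pool = _arg(gcmds, "svc address-pool ")
            if pool is not None and pool.strip('"') not in pools:
                out.append(f"context {ctx}, policy group {gname}: address pool "
                           f"{pool} is not defined (pools: {sorted(pools)})")
    return out


# Constructed sample: pool "sslvpnpool" is referenced but "new" is defined,
# and 'ssl trustpoint' has no name. 198.51.100.164 is a TEST-NET-2 address.
SAMPLE_CONFIG = """\
aaa authentication login sslvpn local
crypto pki trustpoint TP-self-signed-1
 enrollment selfsigned
ip local pool new 192.168.50.2 192.168.50.100
webvpn gateway MyGateway
 ip address 198.51.100.164 port 443
 ssl trustpoint
 inservice
webvpn context SecureMeContext
 policy group MyDefaultPolicy
   functions svc-enabled
   svc address-pool "sslvpnpool"
 default-group-policy MyDefaultPolicy
 aaa authentication list sslvpn
 gateway MyGateway domain testvpn
 inservice
"""
```

Calling `check_webvpn(SAMPLE_CONFIG)` returns two findings, one for the unnamed trustpoint and one for the unresolved pool; renaming the pool to match and giving the trustpoint its name brings the list to empty. Note that a bare `ssl trustpoint` may also be a redaction artefact in a pasted config, so the finding says what to look at rather than asserting a root cause.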
07-07-2012 06:38 PM
You don't need to configure loopback 10 with the same ip address as the SSL VPN termination ip address. Please remove loopback10 and see if that resolves the issue.
Also this ip address: x.x.x.164, is it being routed towards the 3945?
07-08-2012 06:56 AM
Hi Jennifer,
IP address x.x.x.164 is being routed towards my router; I have tested the same by logging in to the router from the public side.
Removed loopback10, still no luck.
Any suggestions?
07-08-2012 07:17 AM
Can you share the router's full config, please? Also, are you able to telnet on port 443 from the outside towards the public IP?
07-08-2012 08:05 AM
Hi Jennifer,
I am able to telnet to port 443 from outside. If you have any working SSL VPN config on a router, please share.
07-08-2012 07:07 PM
Here is a sample config:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080af314a.shtml
Seems like you already have all the config configured.
07-09-2012 03:13 AM
Hi Jennifer,
I followed the same link to configure it. Any suggestions?