Cisco ASA Anyconnect Remote Access VPN

Hello Rene,

Please, can you help me? I configured SSL VPN!

But I can't get the router on https:// gateway IP address.

Can you help me?

Hello Abdou

You can find out more about SSL VPN in several lessons found within Unit 6 of the ASA Firewall course:

Take a look at the content there and see if it is helpful for you. If you have any more specific questions, you know where to find us!

I hope this has been helpful!

Laz

Hello dear Lazaros,

Thanks for replying.
But I am using a Cisco 2900 router to configure the SSL VPN.

Hi Lazaros,
After configuring the SSL VPN on the ASA, the client user can't access the LAN network. How can I allow it?

Thanks

Hello Abdou

For more information on how to set up a Cisco 2900 router to function as an SSL VPN concentrator, take a look at the following Cisco documentation:

Keep in mind that for IOS version 15.0(1)M and later, you will be required to have a seat license to enable it on the 2900, otherwise you won't be able to configure it. In general, it is preferable to set this up on an ASA rather than the 2900 because it has more features, and it can be easier to configure using the graphical user interface.

This can be due to many reasons. First of all ensure that you have followed the same steps as those found in the lesson. If the problem persists, can you give us some more information on your particular configuration and the problem you are facing?

I hope this has been helpful!

Laz

Hello Abdou

When you configure the webvpn gateway configuration in your router, you are telling the router to act as a proxy for connections to protected resources. So any HTTPS connections with a destination IP of the router are forwarded to the 41.78.118.6 address using port 443. This means that HTTPS access to the router itself is no longer possible.

You can find more information at the following Cisco command reference document:

I hope this has been helpful!

Laz

Hi Rene & Laz
My VPN allows only one network range. I tried to add another network in the split tunnel list, but it is not working. Can you help me please with this issue?

Hello Mohamed

Using the method in the lesson, you can specify which networks you want to reach through the tunnel. You do this by using an access list. Within this access list, you can specify whatever networks you like. In the lesson, the 192.168.1.0/24 network is specified, but you can add to this list.

Now if you added a second range and it is not working, there may be various things that could be causing this. In order to help you further, let me ask some questions.

  1. Did you get split tunnelling to work with one network range in the ACL? If not, then troubleshooting should take place first to ensure that it works with one subnet. Follow the lesson for step by step instructions.
  2. If it was working with one network, how did you add the second network? It should be added as another statement within the same ACL.
  3. When you say it doesn’t work, do you mean both the old and the new networks don’t work? Split tunneling doesn’t work?
  4. I suggest you take a look at the following lesson that will help you to determine the reason for packet drops on an ASA:

Let us know how you get along in your troubleshooting process!

I hope this has been helpful!

Laz

Hello Rene,

I configured the same example on GNS3 on Windows 7, but I receive this error:

failed to get configuration because anyconnect can not confirm it is connected to your secure gateway . contact your system Administrator

Can you please help me? Thanks.

Hello Mohammad

Unfortunately, there is no single reason why this error may appear. There may be several reasons, and you will have to do a little bit of troubleshooting. This thread in the Cisco Community gives some of the reasons why this would be the case.

You’ll have to check the various options as described there and hopefully, it will give you some more insight for further troubleshooting.

I hope this has been helpful!

Laz

where can I find SSL VPN topic?

Hello Shashang

You can find information about this topic here:

I hope this has been helpful!

Laz

Hi,
I have an ASA 5512 and I've just set up AnyConnect. When I try to connect, it connects without any issues and split-tunneling is also working, but I can't ping any internal subnets. They're all Windows clients and the firewall is disabled on all of them.
Any help would be appreciated.

Hello Irfan

This lesson goes through the configuration of Anyconnect with the specific requirements you mentioned. Take a look and compare your work to this one, and maybe you’ll find the reason for the lack of connectivity:

If the problem persists, feel free to let us know with as much detail as possible so that we can help you in the troubleshooting process.

I hope this has been helpful!

Laz

Hi, can I verify the below?

  1. The VPN tunnel begins at the user PC and terminates at the outside interface of ASA.

  2. Once the packet is in the "inside" interface, it will be decrypted, and the user PC will be using an IP from the 10.10.10.x subnet, instead of the assigned pool of 192.168.10.100 to 200.

  3. Only from the “Outside” interface will the user PC be using the 192.168.10.X range for the tunnel connection.

Thanks very much,
Desmond

Hello Desmond

Yes, as you can see from the AnyConnect client, it is connected to 10.10.10.1 which is the outside interface of the ASA.

Not quite. Remember that this is a VPN, which means that there is tunneling going on. The communication between the PC and the outside interface uses the 10.10.10.0/24 subnet. However, tunnelled within those IP packets is another IP header which carries the 192.168.10.100 source address. Once the packets reach the outside interface of the ASA and are decrypted, from the point of view of R1, the IP address of the VPN Client PC is 192.168.10.100. Internally, the 10.10.10.0/24 subnet is nowhere to be seen.

Once again, the 192.168.10.100 IP address is used by the VPN Client PC within the VPN tunnel, and once packets reach the ASA, they are decrypted, removed from the tunnel, and the 192.168.10.100 address is seen by all devices within the internal network as the address of the VPN Client PC.

I hope this has been helpful!

Laz

Hi Sir,
Thanks for the tutorial. I've followed the procedures in the tutorial, but when I type my ASA outside IP address in my browser, I get a "This site can't be reached" error. Meanwhile, when I ping the IP address I get replies.
I've downloaded and installed the AnyConnect client, but when I try to connect I also get a "Connection attempt has failed due to server communication errors. Please retry the connection" error. Below is my configuration:

!
hostname ggcfw03
enable password BEUtrMgEU4ogO94l encrypted
passwd BEUtrMgEU4ogO94l encrypted
names
name 138.0.0.0 ABBSE
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.157.127.136 255.255.255.0
!
interface Ethernet0/1
 description CONNECTION TO ggcsw04
 nameif inside
 security-level 100
 ip address 192.168.60.2 255.255.255.0 
!
interface Ethernet0/2
 channel-group 3 mode active
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
interface Port-channel3
 description CONNECTIVITY TO LAN
 shutdown
 no nameif
 security-level 100
 ip address 172.18.100.14 255.255.255.252 
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN_POOL 
 subnet 192.168.110.0 255.255.255.0
object network SUPPORT_LAN 
 subnet 192.168.60.0 255.255.255.0
object network INTERNET_LAN 
 subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit ip any any 
access-list outside_access_in extended permit ip 138.0.0.0 255.0.0.0 any 
access-list tunnel-1 standard permit 192.168.60.0 255.255.255.0 
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool ABBvpn1-pool 192.168.110.3-192.168.110.12 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static SUPPORT_LAN SUPPORT_LAN destination static VPN_POOL VPN_POOL
!
object network SUPPORT_LAN
 nat (inside,outside) dynamic interface
object network INTERNET_LAN
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 198.157.127.134 1
route inside 192.168.0.0 255.255.0.0 192.168.60.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa local authentication attempts max-fail 4
http server enable
http 192.168.1.0 255.255.255.0 management
http ABBSE 255.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel-1
 webvpn
  anyconnect keep-installer installed
  anyconnect dpd-interval client 30
  anyconnect ask none default anyconnect
username ABBuser1 password PepnuXjRnL11zfNU encrypted
username ABBuser1 attributes
 service-type remote-access
username admin password GJzJpdcByb2MXHKL encrypted
username andber password ggcAdmin"SSS7979 encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ABBvpn1-pool
tunnel-group abbvpn1 type remote-access
tunnel-group abbvpn1 general-attributes
 address-pool ABBvpn1-pool
 default-group-policy ANYCONNECT_POLICY
tunnel-group abbvpn1 webvpn-attributes
 group-alias ABB_USERS enable
tunnel-group ACME-VPN type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!

Hello Alhassan

At first glance, I don’t find anything specific that is wrong with your config that would cause such a behaviour. However, the best way to troubleshoot such an issue is to use debug while attempting to connect. The debug http 255 command will allow you to see the reason for the failed attempts. The number at the end is the level of detail that is displayed, and can range from 1 to 255 with 255 displaying the most detail.

Try it out and let us know your results!

I hope this has been helpful!

Laz
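As an added check (not part of this thread or of the lesson), the script below audits a constructed excerpt of the configuration posted above for the points raised earlier in the thread: the split-tunnel ACL named in the group-policy must exist, and an identity (twice) NAT rule must exempt LAN-to-pool traffic from the dynamic PAT so internal hosts stay reachable. It also flags management access (http/ssh) open to any source on the outside interface and SSH version 1, both present in the posted config; the `parse` and `audit` functions are my own helpers, not ASA or lesson code.

```python
import re

# Constructed excerpt of the configuration posted above (object and policy names unchanged).
SAMPLE_CONFIG = """\
access-list tunnel-1 standard permit 192.168.60.0 255.255.255.0
nat (inside,outside) source static SUPPORT_LAN SUPPORT_LAN destination static VPN_POOL VPN_POOL
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
group-policy ANYCONNECT_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel-1
"""

def parse(text):
    """Split an ASA running-config into (command, [indented sub-commands]) pairs."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if line[0] == " " and blocks:
            blocks[-1][1].append(line.strip())  # mode sub-command of the previous block
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(text):
    """Findings relevant to AnyConnect LAN reachability and management-plane exposure."""
    cfg = parse(text)
    top = [cmd for cmd, _ in cfg]
    acls = {c.split()[1] for c in top if c.startswith("access-list ")}
    findings = []
    for cmd, subs in cfg:
        parts = cmd.split()
        if parts[0] == "group-policy" and parts[-1] == "attributes":
            for s in subs:  # the split-tunnel list must name an ACL that exists
                m = re.match(r"split-tunnel-network-list value (\S+)", s)
                if m and m.group(1) not in acls:
                    findings.append(f"{parts[1]}: split-tunnel ACL {m.group(1)} is not defined")
    # Identity (twice) NAT keeps LAN<->pool traffic away from the dynamic PAT rules.
    if not any(re.match(r"nat \([^)]+\) source static (\S+) \1 destination static (\S+) \2", c) for c in top):
        findings.append("no identity NAT between LAN and VPN pool; internal hosts may be unreachable")
    for c in top:  # management services reachable from any source on the outside interface
        if re.match(r"(http|ssh) 0\.0\.0\.0 0\.0\.0\.0 outside$", c):
            findings.append(f"management open to any source: '{c}'")
    if "ssh version 1" in top:
        findings.append("ssh version 1 enabled; use ssh version 2")
    return findings
```

Run `audit(open("running-config.txt").read())` against a full `show running-config` dump to get the same findings for a live box.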

Hi Laz,
I did the debug http 255.
And this is the result when I type http://myOutIP in the Explorer browser:

ggcfw03(config)# debug http 255
debug http enabled at level 255.
ggcfw03(config)# HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)

I get a "This site can't be reached" error in Chrome, and "Cannot securely connect to this page" in Windows Explorer.
Thank you.

Hello Alhassan

Hmm, that's interesting. I did some more research into this and found that some others have had similar problems, especially when trying to use ASDM, which uses the same HTTP connectivity. The following Cisco community thread follows several troubleshooting steps that you may find helpful, including Wireshark captures as well. In their particular case, it turned out to be a bug, but you can research it yourself and see if you come up with the same issues.

If you need help along the way, you know where to find us!

I hope this has been helpful!

Laz

Hi, I want to configure that the entire traffic should go through the tunnel,
no split tunnel where they use Internet traffic.

What configuration needs to be done?