Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

SSL VPN setup

Status
Not open for further replies.
dvannoy

dvannoy

MIS
May 4, 2001
2,765
US
I am going to try and setup SSL VPN on a 5510. I did a search for "SSL VPN Setup" and found the below config(from Supergrrover). my question is, do I need to have another public IP to point to? how would I setup the external url to access the SSL Vpn sign-in?

any help or updated config would be appreciated.


Quick example for WebVPN (clientless):

http server enable
url-list [ServerList] "Server" cifs://10.10.10.10/share
url-list [ServerList] "Server#2" cifs://AnotherServer/share
group-policy SSLVPNusers internal
group-policy SSLVPNusers attributes
banner value Welcome to ####### Remote Access Services !!!
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec webvpn
webvpn
functions file-access file-entry file-browsing filter
url-list value [ServerList]
ssl encryption 3des-sha1
webvpn
enable outside
nbns-server [WINSServerIP] master timeout 4 retry 2
default-group-policy SSLVPNusers

 
Sort by date Sort by votes
You just have to attach to the external IP of the pix/asa interface with https.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
OK,

so create an "A" record and point a public IP to something like sslvpn.mydomain.com
correct.

if I already have IPSec VPN setup using the cisco client that username is good for SSLVpn correct?

thanks for your help.

 
Upvote 0 Downvote
cannot get the SSL VPN to work below is my config

: Saved
:
ASA Version 7.2(2)
!
hostname hostname
domain-name mydomain.local
enable password xxxxx encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 64.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.x.x.x 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.20.11.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.x.1 255.255.255.0
management-only
!
passwd xxxx encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name mydomain.local
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 64.x.x.x eq www
access-list outside_in extended permit tcp any host 64.x.x.x eq www
access-list outside_in extended permit tcp any host 64.x.x.x eq smtp
access-list outside_in extended permit tcp any host 64.x.x.x eq www
access-list outside_in extended permit tcp any host 64.x.x.x eq https
access-list outside_in extended permit tcp any host 64.x.x.x eq pop3 inactive
access-list outside_in extended permit tcp any host 64.x.x.x eq https

access-list outside_in extended permit tcp any host 64.x.x.x eq https - THIS MY ADDRESS FROM OUTSIDE THAT I"M TRYING TO USE FOR THE SSL


access-list dmz_in extended permit tcp host 10.x.x.0 host 10.x.x.0 eq 1433
access-list dmz_in extended permit tcp host 10.x.x.0 host 10.x.x.0 eq 1433
access-list dmz_in extended permit tcp host 10.x.x.0 host 10.x.x.0 eq 1433
access-list dmz_in extended permit tcp host 10.x.x.0 host 10.x.x.0 eq 1433
access-list dmz_in extended permit ip 10.x.x.0 255.255.255.0 any
access-list split extended permit ip 10.x.x.0 255.255.255.0 192.168.x.0 255.255.255.0
access-list split extended permit ip 10.x.x.0 255.255.255.0 192.168.x.0 255.255.255.0
access-list nonat extended permit ip 10.x.x.0 255.255.255.0 192.168.x.0 255.255.255.0
access-list nonat extended permit ip 10.x.x.0 255.255.255.0 192.168.x.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool1 192.168.x.100-192.168.x.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.x.x.0 255.255.255.0
nat (dmz) 0 access-list nonat
nat (dmz) 1 10.x.x.0 255.255.255.0
static (inside,dmz) 10.x.x.0 10.x.x.0 netmask 255.255.255.0
static (dmz,outside) x.x.x.x 10.x.x.x netmask 255.255.255.255
static (dmz,outside) x.x.x.x 10.x.x.x netmask 255.255.255.255
static (inside,outside) x.x.x.x 10.x.x.x netmask 255.255.255.255
access-group outside_in in interface outside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy SSLVPNusers internal
group-policy SSLVPNusers attributes
banner value Welcome to the blaaaaaa
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec webvpn
webvpn
functions file-access file-entry file-browsing filter
group-policy clmvpn internal
group-policy clmvpn attributes
dns-server value 10.x.x.x
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value mydomain.com
username xxx password xxx encrypted
http server enable
http 10.x.x.0 255.255.255.0 inside
http 192.168.x.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
crypto dynamic-map dynmap1 20 set transform-set set1
crypto dynamic-map dynmap1 20 set reverse-route
crypto map clmmap 20 ipsec-isakmp dynamic dynmap1
crypto map clmmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy SSLVPNusers
tunnel-group clmvpn type ipsec-ra
tunnel-group clmvpn general-attributes
address-pool vpnpool1
default-group-policy clmvpn
tunnel-group clmvpn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh x.x.x.x 255.255.255.248 outside
ssh 10.x.x.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.x.x-192.168.x.x management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
ssl encryption 3des-sha1
webvpn
enable outside
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable
prompt hostname context
Cryptochecksum:5fc7675820613ed46aff29d2870e4ba4
: end
asdm image disk0:/asdm-522.bin
no asdm history enable



 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
728
Shmid
Shmid
intel233
  • Locked
  • Question
ASA5510 - SSL Cert
Replies
0
Views
448
intel233
intel233
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
590
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
210
gkittelson
gkittelson
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
160
WhosYourDiffie
WhosYourDiffie

Part and Inventory Search

Sponsor

Back
Top