
WebVPN - Allow users to reach HTTPS servers

Status
Not open for further replies.

JamesKing

Technical User
Feb 11, 2009
2
GB
Hi All,

I've setup WebVPN on an 877 with IOS 12.4(15)T8. Clientless WebVPN users can connect and access the SMB shares and internal HTTP websites no problem at all.

However, a few applications are delivered over HTTPS and when attempting to reach those the clients receive nothing in the new window, it just times out after a while. There's nothing in the router log that seems relevant.

I guess IOS won't connect to the websites as it can't validate the certificate used? How do I confirm that? Is there any way to tell IOS to simply ignore/trust the cert for certain sites (or all sites)?

Thanks for any help,

James
 
I know the answer in terms of SSL certificate authentication / entity authentication / session management, but I'm not sure of the commands. There appears to be a "session fail on authentication fail" somewhere. (IIRC, Cisco routers use OpenSSL)

My suggestion is to try different sites. Also, try to install the root of the signing authority into the router for the sites that fail access to see if that helps.

I can't remember the specifics, but we developed an access control for hardware clients using a PIRMA control in the router. Sounds like this kind of configuration might be preventing access.

[the other] Bill
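The two certificate cases the thread is circling (a self-signed appliance cert that cannot be changed, and an internal app signed by a private CA) can be reproduced and checked on a workstation before touching the router. The script below is an added example, not code from anyone in this thread or from Cisco: it builds both kinds of certificate locally, verifies each with an empty trust store (the position of a TLS client that has no trust anchor for the issuer), then shows that anchoring the self-signed leaf itself, or the issuing CA, is what makes each verify, and prints the IOS terminal-enrollment CLI for importing that anchor, which is the approach suggested above. It assumes openssl 1.1 or later on PATH; the hostnames nas.example.internal and app.example.internal, the CA name, the trustpoint name and the work directory are made up. That the WebVPN proxy consults such a trustpoint for backend servers is an assumption here; the thread does not confirm it.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or from Cisco).
# Assumes openssl 1.1+; all names below are made up.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Self-signed server cert: the appliance case, where the cert cannot be replaced.
make_self_signed() {            # make_self_signed NAME CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Private CA plus a server cert it issues: the internal-app case.
make_ca() {                     # make_ca CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}
make_issued() {                 # make_issued NAME CN   (signed by $WORK/ca.crt)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.crt" >/dev/null 2>&1
}

# is_self_signed CERT: succeeds when subject and issuer are the same name.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" = \
    "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')" ]
}

# verify_cert CERT [ANCHOR]: succeeds only if CERT chains to ANCHOR. The default
# CA bundle is disabled so that, without an ANCHOR, the trust store is empty,
# which is the situation of a client with no trustpoint for the issuer.
verify_cert() {
  if [ -n "${2:-}" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
  fi
}

# ios_trustpoint_snippet NAME PEMFILE: IOS CLI to import PEMFILE as trust anchor
# NAME by terminal enrollment (the PEM is pasted at the prompt, then "quit").
# That WebVPN's backend check honours this trustpoint is an assumption.
ios_trustpoint_snippet() {
  printf 'crypto pki trustpoint %s\n enrollment terminal\n revocation-check none\n!\ncrypto pki authenticate %s\n' "$1" "$1"
  cat "$2"
  echo quit
}

# Not run by default (needs network): capture the leaf cert a real backend presents,
# so the same checks can be run against it instead of the constructed certs.
fetch_leaf() {                  # fetch_leaf HOST PORT OUTFILE
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$3"
}

make_self_signed nas nas.example.internal
make_ca "Example Internal CA"
make_issued app app.example.internal

for c in nas app; do
  if verify_cert "$WORK/$c.crt"; then
    echo "$c: verifies with an empty trust store (unexpected)"
  else
    echo "$c: fails with an empty trust store"
  fi
  is_self_signed "$WORK/$c.crt" && echo "$c: self-signed" \
    || echo "$c: $(openssl x509 -in "$WORK/$c.crt" -noout -issuer)"
done

# Anchoring the self-signed leaf itself, or the issuing CA, is what makes each pass.
verify_cert "$WORK/nas.crt" "$WORK/nas.crt" && echo "nas: OK with its own cert as anchor"
verify_cert "$WORK/app.crt" "$WORK/ca.crt"  && echo "app: OK with the internal CA as anchor"

ios_trustpoint_snippet INTERNAL-CA "$WORK/ca.crt"
```

Run it with `sh` (set `WORK` to keep the generated files). For a real backend, `fetch_leaf host 443 leaf.crt` followed by `is_self_signed leaf.crt` and `verify_cert leaf.crt` answers the "how do I confirm that?" question from the client side: a self-signed leaf needs the leaf itself imported as the anchor, an issued one needs its CA.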
 
Bill,

Thanks - I'll try adding the authority certificate for a public site and test. Unfortunately, some of the internal apps are self-signed or on appliances where I can't change the cert or grab the authority cert - so I could really do with just turning off validation if at all possible.

Burt,

A somewhat sanitised conf follows...

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname RouterName
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-15.T8.bin
boot system flash c870-advipservicesk9-mz.124-20.T.bin
boot-end-marker
!
logging buffered 4096
logging console emergencies
logging monitor notifications
enable secret 5 <snip>
enable password 7 <snip>
!
aaa new-model
!
!
!
!
aaa session-id common
clock save interval 24
!
crypto pki trustpoint TP-self-signed-2498082145
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2498082145
revocation-check none
rsakeypair TP-self-signed-2498082145
!
!
crypto pki certificate chain TP-self-signed-2498082145
certificate self-signed 01
<snip>
quit
dot11 syslog
dot11 activity-timeout unknown default 300
dot11 activity-timeout client default 300 maximum 600
!
dot11 ssid <snip>
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 <snip>
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address <snip>
ip dhcp excluded-address <snip>
!
ip dhcp pool dhcp_inside
network <snip>
domain-name RouterName.local
default-router <snip>
dns-server <snip>
!
ip dhcp pool dp_static
host <snip>
client-identifier <snip>
!
!
ip dhcp update dns
no ip bootp server
ip host <snip> <snip>
ip host RouterName <snip>
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect tcp idle-time 300
ip inspect tcp synwait-time 10
ip inspect name OUTBOUND tcp router-traffic
ip inspect name OUTBOUND udp router-traffic
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND icmp router-traffic
ip inspect name OUTBOUND ssh
ip inspect name OUTBOUND smtp
ip inspect name OUTBOUND https
ip inspect name OUTBOUND dns
ip inspect name OUTBOUND ntp
ip ddns update method dyndns
HTTP
add <snip>
interval maximum 1 0 0 0
!
!
multilink bundle-name authenticated
!
!
username <snip> privilege 15 password 7 <snip>
!
!
archive
log config
hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
bridge irb
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption mode ciphers aes-ccm tkip
!
broadcast-key change 3600
!
!
ssid <snip>
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
world-mode dot11d country GB indoor
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal
no ip address
ip virtual-reassembly
bridge-group 1
!
interface Dialer0
description <snip>
ip ddns update hostname <snip>
ip ddns update dyndns
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect OUTBOUND out
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
random-detect
no cdp enable
ppp authentication chap callin
ppp chap hostname <snip>
ppp chap password 7 <snip>
!
interface BVI1
ip address <snip> <snip>
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
ip local pool sslvpn <snip>
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 30
ip nat translation dns-timeout 5
ip nat inside source list 100 interface Dialer0 overload
!
access-list 1 permit <snip> 0.0.0.255
access-list 100 deny tcp any any eq smtp
access-list 100 remark NAT internal
access-list 100 permit ip <snip> <snip> any
access-list 100 permit icmp any any
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 deny ip any any log
access-list 102 remark SSH Access
access-list 102 permit tcp <snip> any eq 22
access-list 102 permit tcp host <snip> any eq 22
access-list 102 permit tcp host <snip> any eq 22
access-list 102 permit tcp host <snip> any eq 22
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner motd ^C
******************************************
* Unauthorized access prohibited *
******************************************
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 102 in
password 7 <snip>
transport input ssh
!
scheduler max-task-time 5000
scheduler process-watchdog reload
ntp clock-period 17175031
ntp server 212.3.228.111
ntp server 78.47.136.197
ntp server 85.158.108.151
!
webvpn gateway MyGateway
ip interface Dialer0 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2498082145
inservice
!
webvpn context webvpn
secondary-color white
text-color black
ssl authenticate verify all
!
url-list "urllist"
heading "Internal"
url-text "NAS" url-value "<snip>"
!
nbns-list "WINS"
nbns-server <snip> master
!
cifs-url-list "cifslist"
heading "CIFS-List"
url-text "ReadyNAS" url-value "//nas"
!
policy group policy_1
url-list "urllist"
cifs-url-list "cifslist"
nbns-list "WINS"
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
banner "This system is for private use only"
timeout idle 300
svc address-pool "sslvpn"
svc wins-server primary <snip>
default-group-policy policy_1
gateway MyGateway
max-users 2
inservice
!
end

Both, thanks again, much appreciated.
 
