Solved

WebVPN logon Assistance

Posted on 2007-12-06
2,922 Views
Last Modified: 2013-11-16
I am attempting to set this up to allow remote access to an SBS 2003 server. I am trying to use WebVPN with SVC. I have got it to the point where I can hit the outside interface from the Web, but when I enter the login info I get "login failed" and nothing happens. I would like to use the SBS to authenticate and have RADIUS set up. When I test authentication from the ASA it works, but I can't log in. I would be happy with local authentication if I could get that to work, but no matter which method I choose I get the same results.

I have some limited (mostly lab environment) experience with Cisco devices, and this is my first experience with the ASA. I have reconfigured it a number of times following the guides from cisco.com.

Any help would be great. I am pulling my hair out!

Thanks
: Saved
:
ASA Version 7.2(2)
!
hostname ASASherwood
domain-name xxxxxx.local
enable password FoveiR9xhgXB3gY1 encrypted
names
name 192.168.xxx.xxx xxxxx-server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.xxx.xxx.xxx 255.255.xxx.xxx
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.xxx.xxx
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.xxx.xxx 255.255.xxx.xxx
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server xxxxxx-server
 name-server 4.2.2.2
 name-server 4.3.3.3
 domain-name xxxxxxxxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network xxxxxxxx
 description Internal Lan
 network-object 192.168.xxx.xxx 255.xxx.xxx.xxx
access-list inside_nat0_outbound extended permit ip any 192.168.xxx.xxx 255.255.xxx.xxx
access-list inside_nat0_outbound extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.xxx.xxx 255.255.xxx.xxx
access-list inside_nat0_outbound extended permit ip host xxxxxx-server 192.168.xxx.xxx 255.255.xxx.xxx
access-list dmz_access_in extended permit tcp interface outside interface dmz
access-list dmz_access_out extended permit tcp interface dmz interface outside
access-list outside_access_in extended permit tcp any eq https host scs-server eq https
access-list outside_nat0_outbound extended permit ip host scs-server 192.168.xxx.xxx 255.255.xxx.xxx
access-list dmz_nat0_outbound extended permit ip host scs-server 192.168.1.0 255.255.xxx.xxx
access-list outside_authentication extended permit tcp interface outside host xxxxx-server
access-list outside_authentication extended permit udp interface outside host xxxxx-server
access-list outside_authentication_1 extended permit tcp interface outside host xxxxx-server
access-list outside_authentication_1 extended permit udp interface outside host xxxxx-server
access-list SCS_VPN webtype permit tcp host 192.168.xxx.xxx eq cifs log default
access-list SCS_VPN webtype permit tcp host 192.168.xxx.xxx eq https log default
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SCS_VPN 192.168.xxx.xxx-192.168.xxx.xxx mask 255.xxx.xxx.xxx
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
nat (dmz) 0 access-list dmz_nat0_outbound
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
!
router ospf 10
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server SCSRadius protocol radius
aaa-server SCSRadius host xxxxxx-server
 timeout 5
 key xxxxxx
group-policy SCS_VPN internal
group-policy SCS_VPN attributes
 dns-server value 192.168.xxx.xxx
 vpn-tunnel-protocol IPSec
 default-domain value xxxxxxxx.local
group-policy SCS_WebVPN internal
group-policy SCS_WebVPN attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc dpd-interval client 500
  svc dpd-interval gateway 500
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name none
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc enable
  svc keep-installer installed
  svc keepalive none
  svc rekey time 15
  svc rekey method ssl
  svc dpd-interval client none
  svc dpd-interval gateway 300
  svc compression deflate
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
username xxxxxx password I0ymMcGlAxUuCsOT encrypted
username xxxxxx attributes
 vpn-group-policy SCS_WebVPN
aaa authentication match outside_authentication outside SCSRadius
aaa authentication match outside_authentication_1 outside LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.xxx.xxx 255.xxx.xxx.xxx inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set Trans_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set Trans_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map dmz_dyn_map 20 set pfs
crypto dynamic-map dmz_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic dmz_dyn_map
crypto map dmz_map interface dmz
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group SCSRadius
 accounting-server-group SCSRadius
 dhcp-server scs-server
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool SCS_VPN
 authentication-server-group SCSRadius
tunnel-group DefaultWEBVPNGroup webvpn-attributes
tunnel-group SCS_VPN type ipsec-ra
tunnel-group SCS_VPN general-attributes
 address-pool SCS_VPN
 authentication-server-group SCSRadius
 default-group-policy SCS_VPN
tunnel-group SCS_VPN ipsec-attributes
 pre-shared-key *
tunnel-group SCS_WebVPN type webvpn
tunnel-group SCS_WebVPN general-attributes
 address-pool SCS_VPN
 default-group-policy SCS_WebVPN
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 15
dhcpd auto_config outside
!
dhcpd address 192.168.xxx.xxx-192.xxx.xxx.xxx inside
!
!
!
!
policy-map global-policy
 description Allow VPN
 class class-default
  inspect pptp
!
service-policy global-policy global
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc enable
pop3s
 port 25
 outstanding 30
 default-group-policy DfltGrpPolicy
smtps
 port 110
 outstanding 30
 default-group-policy DfltGrpPolicy
prompt hostname context
Cryptochecksum:9805cb23f10e9417b98784c64e86578f
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

Question by:bconkencmit
4 Comments
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 20424625
Hi bconkencmit,
Try the following:

webvpn
 auto-signon allow ip radiusip 255.255.255.255 auth-type all
quit

If that doesn't work, try the following:

aaa-server DC protocol nt
aaa-server DC (inside) host SBSserverIP
 nt-auth-domain-controller SBSHostname
webvpn
 auto-signon allow ip SBSserverIP 255.255.255.255 auth-type ntlm
quit
tunnel-group SCS_WebVPN general-attributes
 authentication-server-group DC LOCAL
quit

Regards
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20425988
Also keep in mind that if the WebVPN max peers in the license is reached, authentication fails.
 

Author Comment

by:bconkencmit
ID: 20427770
Thanks, I'll give those a shot and let you know how it goes. Right now I am the only one attempting to log in this way, so I don't think it is a license issue (yet).
 

Author Closing Comment

by:bconkencmit
ID: 31413222
Thanks MrHusy,
Sorry for the delay, I haven't had much time to work on it. I believe it was the second half of the solution that worked. I was still having issues until I realized that it was still authenticating through the DefaultWEBVPNGroup instead of the group that I created (not entirely sure why), which was not using the DC settings for authentication. Once I changed the authentication method of the DefaultWEBVPNGroup to DC it worked.

Thanks again

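The fix this thread converges on, written out as one complete ASA 7.2 fragment. This is an added example, not configuration from the thread, from the asker's device, or from Cisco; SBS_SERVER_IP, SBS_HOSTNAME, the alias name SCS and the test credentials are placeholders. It goes one step beyond the accepted answer: the closing comment found that logins were landing on DefaultWEBVPNGroup rather than SCS_WebVPN, and the reason is that a WebVPN login which does not name a tunnel-group (no group-alias selected, no group-url used) always falls to the default group. Adding a group-alias and enabling the tunnel-group list lets the user pick SCS_WebVPN at the portal, and pointing the default group at the same AAA server covers the case where they do not.

```cisco
! Added example (not from the thread). CAPITALISED names are placeholders.

! 1. AAA server backed by the SBS domain controller (NTLM), as in the accepted answer.
aaa-server DC protocol nt
aaa-server DC (inside) host SBS_SERVER_IP
 nt-auth-domain-controller SBS_HOSTNAME

! 2. Show a group drop-down on the WebVPN login page so the user can land on
!    SCS_WebVPN instead of DefaultWEBVPNGroup. Without an alias (or group-url)
!    every login that does not name a group is handled by the default group.
webvpn
 enable outside
 tunnel-group-list enable

tunnel-group SCS_WebVPN type webvpn
tunnel-group SCS_WebVPN general-attributes
 address-pool SCS_VPN
 authentication-server-group DC LOCAL
 default-group-policy SCS_WebVPN
tunnel-group SCS_WebVPN webvpn-attributes
 group-alias SCS enable

! 3. Make the default WebVPN group authenticate against the same server, as the
!    author ended up doing, so a login that still falls through is not checked
!    against a different server than the one that works.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group DC LOCAL

! 4. Verification from the CLI (placeholder credentials): confirm the AAA server
!    answers, then confirm which tunnel-group a live session actually used.
! test aaa-server authentication DC host SBS_SERVER_IP username TESTUSER password TESTPASS
! show vpn-sessiondb webvpn
! show vpn-sessiondb svc
```

The `test aaa-server` check separates the two failure modes the asker mixed together: a server that answers correctly there but still yields "login failed" at the portal points at tunnel-group selection (step 2 and 3), not at the RADIUS or NT configuration itself.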