bconkencmit

asked on

WebVPN logon Assistance

I am attempting to set this up to allow remote access to an SBS 2003 server. I am trying to use WebVPN with SVC. I have got it to the point where I can hit the outside interface from the web, but when I enter the login info I get "login failed" and nothing happens. I would like to use the SBS to authenticate and have RADIUS set up. When I test authentication from the ASA it works, but I can't log in. I would be happy with local authentication if I could get that to work, but no matter which method I choose I get the same results.

I have some limited (mostly lab environment) experience with Cisco devices, and this is my first experience with the ASA. I have reconfigured it a number of times following the guides from cisco.com.

Any help would be great. I am pulling my hair out!

Thanks
: Saved
:
ASA Version 7.2(2) 
!
hostname ASASherwood
domain-name xxxxxx.local
enable password FoveiR9xhgXB3gY1 encrypted
names
name 192.168.xxx.xxx xxxxx-server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.xxx.xxx.xxx 255.255.xxx.xxx 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.xxx.xxx 
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.xxx.xxx 255.255.xxx.xxx 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server xxxxxx-server
 name-server 4.2.2.2
 name-server 4.3.3.3
 domain-name xxxxxxxxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network xxxxxxxx
 description Internal Lan
 network-object 192.168.xxx.xxx 255.xxx.xxx.xxx
access-list inside_nat0_outbound extended permit ip any 192.168.xxx.xxx 255.255.xxx.xxx 
access-list inside_nat0_outbound extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.xxx.xxx 255.255.xxx.xxx 
access-list inside_nat0_outbound extended permit ip host xxxxxx-server 192.168.xxx.xxx 255.255.xxx.xxx
access-list dmz_access_in extended permit tcp interface outside interface dmz 
access-list dmz_access_out extended permit tcp interface dmz interface outside 
access-list outside_access_in extended permit tcp any eq https host scs-server eq https 
access-list outside_nat0_outbound extended permit ip host scs-server 192.168.xxx.xxx 255.255.xxx.xxx 
access-list dmz_nat0_outbound extended permit ip host scs-server 192.168.1.0 255.255.xxx.xxx 
access-list outside_authentication extended permit tcp interface outside host xxxxx-server 
access-list outside_authentication extended permit udp interface outside host xxxxx-server 
access-list outside_authentication_1 extended permit tcp interface outside host xxxxx-server 
access-list outside_authentication_1 extended permit udp interface outside host xxxxx-server 
access-list SCS_VPN webtype permit tcp host 192.168.xxx.xxx eq cifs log default
access-list SCS_VPN webtype permit tcp host 192.168.xxx.xxx eq https log default
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SCS_VPN 192.168.xxx.xxx-192.168.xxx.xxx mask 255.xxx.xxx.xxx
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
nat (dmz) 0 access-list dmz_nat0_outbound
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
!
router ospf 10
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server SCSRadius protocol radius
aaa-server SCSRadius host xxxxxx-server
 timeout 5
 key xxxxxx
group-policy SCS_VPN internal
group-policy SCS_VPN attributes
 dns-server value 192.168.xxx.xxx
 vpn-tunnel-protocol IPSec 
 default-domain value xxxxxxxx.local
group-policy SCS_WebVPN internal
group-policy SCS_WebVPN attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc dpd-interval client 500
  svc dpd-interval gateway 500
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name none
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc enable
  svc keep-installer installed
  svc keepalive none
  svc rekey time 15
  svc rekey method ssl
  svc dpd-interval client none
  svc dpd-interval gateway 300
  svc compression deflate
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
username xxxxxx password I0ymMcGlAxUuCsOT encrypted
username xxxxxx attributes
 vpn-group-policy SCS_WebVPN
aaa authentication match outside_authentication outside SCSRadius
aaa authentication match outside_authentication_1 outside LOCAL
aaa authorization command LOCAL 
http server enable
http 192.168.xxx.xxx 255.xxx.xxx.xxx inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set Trans_ESP_3DES_MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set Trans_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs 
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs 
crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 100 set pfs 
crypto dynamic-map outside_dyn_map 100 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 120 set pfs 
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs 
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set pfs 
crypto dynamic-map outside_dyn_map 160 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 180 set pfs 
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map dmz_dyn_map 20 set pfs 
crypto dynamic-map dmz_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic dmz_dyn_map
crypto map dmz_map interface dmz
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group SCSRadius
 accounting-server-group SCSRadius
 dhcp-server scs-server
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool SCS_VPN
 authentication-server-group SCSRadius
tunnel-group DefaultWEBVPNGroup webvpn-attributes
tunnel-group SCS_VPN type ipsec-ra
tunnel-group SCS_VPN general-attributes
 address-pool SCS_VPN
 authentication-server-group SCSRadius
 default-group-policy SCS_VPN
tunnel-group SCS_VPN ipsec-attributes
 pre-shared-key *
tunnel-group SCS_WebVPN type webvpn
tunnel-group SCS_WebVPN general-attributes
 address-pool SCS_VPN
 default-group-policy SCS_WebVPN
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 15
dhcpd auto_config outside
!
dhcpd address 192.168.xxx.xxx-192.xxx.xxx.xxx inside
!
 
!
!
!
policy-map global-policy
 description Allow VPN
 class class-default
  inspect pptp 
!
service-policy global-policy global
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc enable
pop3s
 port 25
 outstanding 30
 default-group-policy DfltGrpPolicy
smtps
 port 110
 outstanding 30
 default-group-policy DfltGrpPolicy
prompt hostname context 
Cryptochecksum:9805cb23f10e9417b98784c64e86578f
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

ASKER CERTIFIED SOLUTION
Alan Huseyin Kayahan (Sweden)

Also keep in mind that if the WebVPN max peers in the license is reached, authentication fails.
bconkencmit (ASKER)

Thanks, I'll give those a shot and let you know how it goes. Right now I am the only one attempting to log in this way, so I don't think it is a license issue (yet).
Thanks MrHusy,
Sorry for the delay, I haven't had much time to work on it. I believe it was the second half of the solution that worked. I was still having issues until I realized that it was still authenticating through the DefaultWEBVPNGroup instead of the group that I created (not entirely sure why), which was not using the DC settings for authentication. Once I changed the authentication method of the DefaultWEBVPNGroup to DC it worked.

Thanks again