Solved

Mozilla Firefox does not work on Cisco WEBVPN

Posted on 2009-07-13
1,319 Views
Last Modified: 2012-05-07
IE works great, but when I test with Firefox, the bookmarked pages do not work. The page starts to open but does not complete.
domain-name asa.com
enable password  encrypted
passwd  encrypted
names
!
interface GigabitEthernet0/0
 description Inside Interface
 nameif inside
 security-level 100
 ip address ccc.ccc.231.55 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description Outside interface
 nameif outside
 security-level 0
 ip address ddd.ddd.176.53 255.255.255.224
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
!
time-range WorkHours
 periodic weekdays 6:00 to 18:00
!
boot system disk0:/asa804-32-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server eee.eee.96.1
 name-server eee.eee.96.15
 domain-name email.com
access-list outside_access_in remark TW
access-list outside_access_in extended permit ip host fff.fff.155.236 any time-range WorkHours
access-list outside_access_in extended deny ip any any
access-list inside_authentication remark Radius Authentication Rule
access-list inside_authentication extended permit tcp host fff.fff.155.236 any time-range WorkHours
access-list inside_authentication extended permit udp any host ccc.ccc.231.62
access-list webvpn-list webtype permit tcp host eee.eee.58.140 eq https
access-list webvpn-list webtype permit tcp host eee.eee.4.37 eq https
access-list webvpn-list webtype permit tcp eee.eee.4.64 255.255.255.192 eq lotusnotes
access-list webvpn-list webtype permit tcp eee.eee.4.64 255.255.255.192 eq www
access-list webvpn-list webtype permit tcp host eee.eee.68.59 eq www
access-list webvpn-list webtype permit tcp host eee.eee.4.2 eq www
access-list webvpn-list webtype permit tcp host 199.184.31.50 eq www
access-list webvpn-list webtype permit tcp host 199.184.31.51 eq www
access-list webvpn-list webtype permit tcp host eee.eee.6.2 eq https
access-list webvpn-list webtype permit tcp host ccc.ccc.0.44 eq https
access-list webvpn-list webtype permit tcp ccc.ccc.14.112 255.255.255.240 eq www
access-list webvpn-list webtype permit tcp host eee.eee.6.4 eq https
access-list webvpn-list webtype permit tcp host eee.eee.4.10 eq www
access-list webvpn-list webtype permit tcp host ddd.ddd.176.8 eq https
access-list webvpn-list webtype permit tcp host ccc.ccc.14.107 eq www
access-list webvpn-list webtype permit tcp host ccc.ccc.14.107 eq https
access-list webvpn-list webtype permit tcp host ccc.ccc.14.107 range 7008 7009
access-list webvpn-list webtype permit tcp host eee.eee.4.2 eq https
access-list webvpn-list webtype permit tcp host eee.eee.4.45 eq https
access-list webvpn-list webtype permit tcp host eee.eee.4.121 eq 4001
access-list webvpn-list webtype permit tcp host eee.eee.4.142 eq www
access-list webvpn-list webtype permit tcp host eee.eee.4.142 eq https
access-list webvpn-list webtype permit tcp host eee.eee.4.142 range 7008 7009
access-list webvpn-list webtype permit tcp host ccc.ccc.14.17 eq www
access-list webvpn-list webtype permit tcp host ccc.ccc.14.17 eq https
access-list webvpn-list webtype permit tcp host ccc.ccc.14.17 range 7008 7009
access-list webvpn-list webtype permit tcp host eee.eee.4.22 eq 9090
access-list webvpn-list webtype permit tcp host eee.eee.4.24 eq 9090
access-list webvpn-list webtype permit tcp host eee.eee.6.5 eq https log default
access-list webvpn-list webtype permit tcp host eee.eee.12.6 eq www log default
access-list webvpn-list webtype permit tcp host eee.eee.4.211 eq https log default
access-list webvpn-list webtype deny tcp any log default
access-list webvpn-list webtype deny url any log default
pager lines 24
logging enable
logging timestamp
logging monitor notifications
logging buffered notifications
logging trap debugging
logging history debugging
logging asdm notifications
logging host inside ccc.ccc.231.8
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ddd.ddd.176.227 1
route inside eee.eee.0.0 255.255.0.0 ccc.ccc.231.62 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Radius protocol radius
 accounting-mode simultaneous
 interim-accounting-update
aaa-server Radius (inside) host eee.eee.4.7
 timeout 30
 key see/rad
aaa-server Radius (inside) host ccc.ccc.14.84
 timeout 30
 key see/rad
aaa authentication match inside_authentication inside Radius
http server enable
http eee.eee.0.0 255.255.0.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
telnet eee.eee.97.26 255.255.255.255 inside
telnet eee.eee.97.136 255.255.255.255 inside
telnet eee.eee.96.3 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server ccc.ccc.231.62 source inside prefer
webvpn
 enable outside
group-policy SSLWEBVPN internal
group-policy SSLWEBVPN attributes
 vpn-tunnel-protocol l2tp-ipsec webvpn
 webvpn
  url-list value Shortcuts
  filter value webvpn-list
  customization value SSLWebLogin
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy DOHWebVPN internal
group-policy DOHWebVPN attributes
 vpn-tunnel-protocol webvpn
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group Radius
 default-group-policy SSLWEBVPN
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group Radius LOCAL
 default-group-policy SSLWEBVPN
tunnel-group SSLWEBVPN type remote-access
tunnel-group SSLWEBVPN general-attributes
 authentication-server-group Radius LOCAL
 default-group-policy SSLWEBVPN
tunnel-group SSLWEBVPN webvpn-attributes
 customization SSLWebLogin
 group-url https://email.email.com enable
 group-url https://email.email.com/go/apple.email.com/mailjump.nsf enable
 group-url https://email.email.com/go/apple.email.com/mailjump2.nsf enable
 group-url https://email.email.com/go/portal.email.com~ssl/https://travel.email.com enable
 group-url https://email.email.com/gp/portal.email.com~ssl enable
 group-url https://email.email.com/latsweb enable
 group-url https://email.email.com/password enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

Question by:axl13
10 Comments
 
LVL 15

Expert Comment

by:bignewf
What version of Firefox? Have you tried upgrading it to the latest version, including the latest Java updates? I use Firefox all the time with WebVPN without issues.
Could you post some errors from the event logs when this happens?
 

Author Comment

by:axl13
I am running version 3.5... I believe this is the latest version... I do get a pop-up message box stating to enable Java, but that option is already checked...
 

Author Comment

by:axl13
Not sure where the event log is?
 
LVL 15

Expert Comment

by:bignewf
Windows event log: right-click on My Computer > Manage > Event Viewer > Application

Also enable logging in the PIX/ASA.
In the ASDM GUI go to Logging > Enable Logging > enable logging for WebVPN.
Post the output.
 

Author Comment

by:axl13
Here are the logs for the ASA:

Jul 14 10:23:08 192.168.231.55 Jul 14 2009 10:23:08: %ASA-6-302014: Teardown TCP connection 30975 for outside:24.97.155.236/1838 to identity:192.135.176.53/443 duration 0:00:10 bytes 15350 TCP Reset-O
Jul 14 10:23:08 xx.xx.231.55 Jul 14 2009 10:23:08: %ASA-6-302014: Teardown TCP connection 30975 for outside:xx.xx.155.236/1838 to identity:xx.xx.176.53/443 duration 0:00:10 bytes 15350 TCP Reset-O
Jul 14 10:23:08 xx.xx.231.55 Jul 14 2009 10:23:08: %ASA-6-725007: SSL session with client outside:xx.xx.155.236/1838 terminated.
Jul 14 10:23:08 xx.xx.231.55 Jul 14 2009 10:23:08: %ASA-6-725007: SSL session with client outside:xx.xx.155.236/1838 terminated.
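
The teardown (302014) and SSL-termination (725007) messages in the logs above can be correlated by client socket to see which side reset the connection. This is an added example, not part of the original thread; it assumes the first endpoint in message 302014 is the remote client and that the Reset-O / Reset-I teardown reasons mean a reset from the outside / inside.

```python
import re

# Constructed sample: the redacted syslog lines from the post above, duplicates included.
SAMPLE = """\
Jul 14 10:23:08 xx.xx.231.55 Jul 14 2009 10:23:08: %ASA-6-302014: Teardown TCP connection 30975 for outside:xx.xx.155.236/1838 to identity:xx.xx.176.53/443 duration 0:00:10 bytes 15350 TCP Reset-O
Jul 14 10:23:08 xx.xx.231.55 Jul 14 2009 10:23:08: %ASA-6-725007: SSL session with client outside:xx.xx.155.236/1838 terminated.
Jul 14 10:23:08 xx.xx.231.55 Jul 14 2009 10:23:08: %ASA-6-725007: SSL session with client outside:xx.xx.155.236/1838 terminated.
"""

TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<cif>[^:\s]+):(?P<caddr>\S+?)/(?P<cport>\d+) to "
    r"(?P<sif>[^:\s]+):(?P<saddr>\S+?)/(?P<sport>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$")
SSL_END = re.compile(
    r"%ASA-6-725007: SSL session with client "
    r"(?P<cif>[^:\s]+):(?P<caddr>\S+?)/(?P<cport>\d+) terminated")

# Assumed mapping of teardown reason to the side that sent the RST.
RESET_SIDE = {"TCP Reset-O": "outside", "TCP Reset-I": "inside"}

def summarize(log_text):
    """One record per connection id, marking whether an SSL session ended on the same client socket."""
    ssl_ended, conns = set(), {}
    for line in log_text.splitlines():
        m = SSL_END.search(line)
        if m:
            ssl_ended.add((m["cif"], m["caddr"], m["cport"]))
            continue
        m = TEARDOWN.search(line)
        if m and m["conn"] not in conns:  # drop repeated copies of the same message
            conns[m["conn"]] = m
    records = []
    for conn, m in conns.items():
        h, mi, s = (int(x) for x in m["dur"].split(":"))
        reason = m["reason"].strip()
        records.append({
            "conn": int(conn),
            "client": f'{m["cif"]}:{m["caddr"]}/{m["cport"]}',
            "to_the_box": m["sif"] == "identity",  # connection terminated on the ASA itself
            "seconds": h * 3600 + mi * 60 + s,
            "bytes": int(m["bytes"]),
            "reason": reason,
            "reset_from": RESET_SIDE.get(reason),
            "ssl_session_ended": (m["cif"], m["caddr"], m["cport"]) in ssl_ended,
        })
    return records

if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec)
```

On the sample, the single WebVPN connection ends after 10 seconds with a reset from the outside side, alongside the SSL session termination for the same client socket.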

Author Comment

by:axl13
I think this has something to do with the smart tunneling... The bookmarks all have smart tunneling enabled, but the address bar does not... And when I use the address bar, it works...
 

Author Comment

by:axl13
Looks like smart tunneling only works for Firefox 1.X... Is there a workaround...
 
LVL 15

Accepted Solution

by:
bignewf earned 500 total points
Depending on how your WebVPN is configured, smart tunneling is a separate option. You can configure links in WebVPN to work directly from the browser by publishing website links linked to WebVPN tunnel groups. A user would not need smart tunneling, and would only have to click on the bookmark. This works fine with Firefox, and even works with Firefox on Linux distros. Smart tunneling is more useful for RDP access without having to configure port forwarding.

I have smart tunnel working with Firefox 3.011 with no issues on both Vista and Win XP, so it sounds like it is a browser issue. Have you tried different Firefox versions .1.X on the PCs you are testing? I recommend updating to version 3.0
 

Author Comment

by:axl13
I was able to get Firefox to work before your post. I installed 1.0 and then 2.0, then I reinstalled 3.5 and it worked... As for the smart tunneling, I needed to do this so that when a user clicks on a bookmark, a new window would open up... That is the way our security dept wants to do it... Unless there is another way to pop up the window?
 

Author Closing Comment

by:axl13
I will give you credit for the answer... I had to reinstall Firefox 3.5 and it started working... Thanks
