Cisco ASA 5505 Clientless SSL VPN setup

I need some help setting up Clientless SSL VPN with internal access to servers, the web and file shares.

I also need the web page to be on a random port since I have OWA set up. Code is below:
Result of the command: "show running-config" 
 
: Saved 
: 
ASA Version 8.2(2)  
! 
hostname ciscoasa 
enable password  encrypted 
passwd  encrypted 
names 
! 
interface Vlan1 
 nameif inside 
 security-level 100 
 ip address 192.168.1.1 255.255.255.0  
! 
interface Vlan2 
 nameif outside 
 security-level 0 
 ip address dhcp setroute  
! 
interface Ethernet0/0 
 switchport access vlan 2 
! 
interface Ethernet0/1 
! 
interface Ethernet0/2 
! 
interface Ethernet0/3 
! 
interface Ethernet0/4 
! 
interface Ethernet0/5 
! 
interface Ethernet0/6 
! 
interface Ethernet0/7 
! 
boot system disk0:/asa822-k8.bin 
ftp mode passive 
access-list outside_access_in extended permit tcp any interface outside eq https  
access-list outside_access_in extended permit tcp any interface outside eq 3389  
access-list outside_access_in extended permit tcp any interface outside eq smtp  
access-list outside_access_in extended permit tcp any interface outside eq 587  
access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0  
access-list RA_VPN_SplitTunnel_ACL standard permit 172.25.25.0 255.255.255.0  
access-list NoNAT_ACL extended permit ip 172.25.25.0 255.255.255.0 172.30.30.0 255.255.255.0  
pager lines 24 
logging enable 
logging asdm informational 
mtu inside 1500 
mtu outside 1500 
ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200 
icmp unreachable rate-limit 1 burst-size 1 
asdm image disk0:/asdm-623.bin 
no asdm history enable 
arp timeout 14400 
global (outside) 1 interface 
nat (inside) 0 access-list NoNAT_ACL 
nat (inside) 1 0.0.0.0 0.0.0.0 
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255  
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255  
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255  
static (inside,outside) tcp interface 587 192.168.1.5 587 netmask 255.255.255.255  
access-group outside_access_in in interface outside 
timeout xlate 3:00:00 
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute 
timeout tcp-proxy-reassembly 0:01:00 
dynamic-access-policy-record DfltAccessPolicy 
http server enable 
http 192.168.1.0 255.255.255.0 inside 
http 174.54.14.72 255.255.255.255 outside 
no snmp-server location 
no snmp-server contact 
snmp-server enable traps snmp authentication linkup linkdown coldstart 
crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac  
crypto ipsec security-association lifetime seconds 28800 
crypto ipsec security-association lifetime kilobytes 4608000 
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL 
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET 
crypto dynamic-map RA_VPN_MAP 1 set reverse-route 
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP 
crypto map RA_VPN interface outside 
crypto isakmp enable outside 
crypto isakmp policy 65535 
 authentication pre-share 
 encryption 3des 
 hash sha 
 group 2 
 lifetime 86400 
telnet timeout 5 
ssh timeout 5 
console timeout 0 
dhcpd auto_config outside 
! 
dhcpd address 192.168.1.2-192.168.1.33 inside 
dhcpd enable inside 
! 
 
threat-detection basic-threat 
threat-detection statistics access-list 
no threat-detection statistics tcp-intercept 
webvpn 
group-policy RA_VPN_Policy internal 
group-policy RA_VPN_Policy attributes 
 dns-server value 192.168.1.5 
 vpn-tunnel-protocol IPSec  
 split-tunnel-policy tunnelspecified 
 split-tunnel-network-list value RA_VPN_SplitTunnel_ACL 
 split-dns value DOMAIN.COM 
username xxxxxx password xxxxxxxxx encrypted 
tunnel-group RA_VPN type remote-access 
tunnel-group RA_VPN general-attributes 
 address-pool RA_VPN_POOL 
 default-group-policy RA_VPN_Policy 
tunnel-group RA_VPN ipsec-attributes 
 pre-shared-key ***** 
! 
class-map inspection_default 
 match default-inspection-traffic 
! 
! 
policy-map type inspect dns preset_dns_map 
 parameters 
  message-length maximum 512 
policy-map global_policy 
 class inspection_default 
  inspect dns preset_dns_map  
  inspect ftp  
  inspect h323 h225  
  inspect h323 ras  
  inspect rsh  
  inspect rtsp  
  inspect esmtp  
  inspect sqlnet  
  inspect skinny   
  inspect sunrpc  
  inspect xdmcp  
  inspect sip   
  inspect netbios  
  inspect tftp  
  inspect ip-options  
! 
service-policy global_policy global 
prompt hostname context  
call-home 
 profile CiscoTAC-1 
  no active 
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService 
  destination address email callhome@cisco.com 
  destination transport-method http 
  subscribe-to-alert-group diagnostic 
  subscribe-to-alert-group environment 
  subscribe-to-alert-group inventory periodic monthly 
  subscribe-to-alert-group configuration periodic monthly 
  subscribe-to-alert-group telemetry periodic daily 
Cryptochecksum:99c1a6d7dce55ac6463f4afba1540164 
: end


balintonAsked:
 
Istvan KalmarConnect With a Mentor Head of IT Security Division Commented:
Hi,

Here is the example for you:

http://www.petenetlive.com/KB/Article/0000069.htm
0
 
balintonAuthor Commented:
Any help with this would be appreciated. If you could send me the CLI commands to enable this and get it working, I am familiar enough to get that working.
0
 
balintonAuthor Commented:
SSL VPN is set up and working with the AnyConnect client. I can get connected, but all of my bookmarks are not accessible and say "DNS resolution problem" or something similar. I am not able to resolve internally by IP or by name.

Code is below:
Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2) 
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list outside_access_in extended permit tcp any interface outside eq 3389 
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any interface outside eq 587 
access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0 
access-list RA_VPN_SplitTunnel_ACL standard permit 172.25.25.0 255.255.255.0 
access-list NoNAT_ACL extended permit ip 172.25.25.0 255.255.255.0 172.30.30.0 255.255.255.0 
access-list outside_in extended permit icmp any any 
access-list outside_in extended permit tcp any any 
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host inside 192.168.1.5 format emblem
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200
ip local pool SSL_Pool 172.16.253.1-172.16.253.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 587 192.168.1.5 587 netmask 255.255.255.255 
static (inside,outside) 192.168.1.5 0.0.0.0.0 netmask 255.255.255.255 
static (inside,inside) 192.168.1.5 0.0.0.0.0.0 netmask 255.255.255.255 
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WindowsIAS protocol radius
aaa-server WindowsIAS (inside) host 192.168.1.8
 key *****
 radius-common-pw *****
http server enable 4443
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.5 192.168.1.1
dhcpd domain domain.com
dhcpd auto_config outside
dhcpd update dns both override 
!
dhcpd address 192.168.1.6-192.168.1.35 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 port 8443
 enable outside
 dtls port 8443
 csd image disk0:/securedesktop_asa_3_2_1_103.pkg.zip
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSL_Policy internal
group-policy SSL_Policy attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc ask enable
group-policy SSL-Users internal
group-policy SSL-Users attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value Webmail
  svc ask enable
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
 dns-server value 192.168.1.5
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
 split-dns value domain.com
username balinton password xxxxxxxxxxxxxx encrypted privilege 0
username balinton attributes
 vpn-group-policy SSL_Policy
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool RA_VPN_POOL
 default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key *****
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool SSL_Pool
 default-group-policy SSL-Users
tunnel-group SSLVPN webvpn-attributes
 group-alias Anyconnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:793c39f58455ab27a07790dfbbeaf1c3
: end


0
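An added example, not part of the thread and not Cisco's own tooling: a small audit script that parses a `show running-config` dump of the shape posted above and reports the three things a reviewer would check first for this thread: which SSL-capable group policies push no `dns-server value` (the `SSL_Policy` and `SSL-Users` policies in the second dump set none, while `RA_VPN_Policy` does), whether the appliance itself has `dns domain-lookup` and a name-server (needed for the ASA to resolve clientless bookmark hostnames on its own), which ACL bound to the outside interface permits `any any`, and whether HTTP/ASDM management is open to `0.0.0.0 0.0.0.0` on the outside interface. The embedded config is a constructed excerpt modelled on the second dump; function names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt modelled on the second running-config in the thread.
# Only the lines the checks below look at are included.
SAMPLE_CONFIG = """\
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any any
access-group outside_in in interface outside
http server enable 4443
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
webvpn
 port 8443
 enable outside
group-policy SSL-Users internal
group-policy SSL-Users attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value Webmail
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
 dns-server value 192.168.1.5
 vpn-tunnel-protocol IPSec
"""


def parse_group_policies(config: str) -> Dict[str, List[str]]:
    """Map each 'group-policy NAME attributes' block to its stripped attribute lines."""
    policies: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        m = re.match(r"^group-policy (\S+) attributes\s*$", raw)
        if m:
            current = m.group(1)
            policies[current] = []
            continue
        if current is not None and raw.startswith(" "):
            policies[current].append(raw.strip())   # indented line belongs to the block
        else:
            current = None                          # any top-level line ends the block
    return policies


def webvpn_policies_missing_dns(config: str) -> List[str]:
    """SSL/AnyConnect group policies that push no 'dns-server value' to clients."""
    missing: List[str] = []
    for name, attrs in parse_group_policies(config).items():
        protos = [a.split() for a in attrs if a.startswith("vpn-tunnel-protocol")]
        uses_ssl = any("svc" in p or "webvpn" in p for p in protos)
        has_dns = any(a.startswith("dns-server value") for a in attrs)
        if uses_ssl and not has_dns:
            missing.append(name)
    return missing


def asa_has_dns_lookup(config: str) -> bool:
    """True when the appliance can resolve names itself (dns domain-lookup + name-server)."""
    lookup = re.search(r"^dns domain-lookup \S+", config, re.M) is not None
    server = re.search(r"^\s*name-server \S+", config, re.M) is not None
    return lookup and server


def outside_acls_permitting_any(config: str) -> List[str]:
    """ACLs bound inbound on 'outside' that contain a 'permit ip|tcp|udp any any' entry."""
    bound = re.findall(r"^access-group (\S+) in interface outside\s*$", config, re.M)
    flagged: List[str] = []
    for acl in bound:
        pat = rf"^access-list {re.escape(acl)} extended permit (?:ip|tcp|udp) any any\s*$"
        if re.search(pat, config, re.M):
            flagged.append(acl)
    return flagged


def management_open_on_outside(config: str) -> List[str]:
    """'http <net> <mask> outside' lines that admit the whole Internet to ASDM/HTTPS mgmt."""
    hits: List[str] = []
    for line in config.splitlines():
        m = re.match(r"^http (\S+) (\S+) outside\s*$", line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            hits.append(line.strip())
    return hits


def webvpn_port(config: str) -> Optional[int]:
    """Port the webvpn portal listens on (the thread moves it off 443 because OWA uses 443)."""
    m = re.search(r"^webvpn\s*\n(?:[ \t].*\n)*?[ \t]+port (\d+)", config, re.M)
    return int(m.group(1)) if m else None


def audit(config: str) -> Dict[str, object]:
    """Collect the findings in one dict so they can be printed or asserted on."""
    return {
        "ssl_policies_without_dns_server": webvpn_policies_missing_dns(config),
        "asa_can_resolve_names": asa_has_dns_lookup(config),
        "outside_acls_permit_any_any": outside_acls_permitting_any(config),
        "management_open_to_internet": management_open_on_outside(config),
        "webvpn_port": webvpn_port(config),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against a real dump, paste the output of `show running-config` into a file and pass its contents to `audit()`. The checks are deliberately narrow: a `permit tcp any any` on the outside ACL and an `http 0.0.0.0 0.0.0.0 outside` line are the two widest openings visible in the second config, and a missing `dns-server value` on the SSL policies is the first thing to verify when AnyConnect users see DNS failures on bookmarks.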