State the problem
Identify possibilities
Use the tools to isolate
Correct without causing harm
Existing config:
connection-profile: eng-con
connection-profile alias: eng-con-alias
user: end-user
group: eng-group
1st step: check the route and reachability to the ASA from the user
ping asa1.cbtnuggets.com: name resolution is working but there is no connectivity
Check the interfaces on the ASA:
int g0/0
no shut
ping from the ASA to the user
it's working
In the client browser, issue:
https://asa1.cbtnuggets.com
provide the connection profile, username and password
Issue:
We are able to log in, but the web bookmarks are not accessible
close this browser completely and open it once again
https://asa1.cbtnuggets.com
now we are able to access SSH, but the web bookmarks are still greyed out
show vpn-sessiondb webvpn
check the group associated with the connection profile in ASDM
Monitoring -> VPN -> VPN Statistics -> Sessions
Now verify the group policy
Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Group Policies
eng-group
Now check the bookmark list
go to Portal -> Bookmarks
Go to eng-group -> More Options
you can see a web-type ACL is configured.
Remove the web-type ACL
log off and log on
eng-con-alias
user
password
Still, Cisco's public web server is greyed out
go to the bookmark list: to access the Cisco website we are using a URL instead of an IP address.
In the connection profile -> Servers ->
use the Google DNS name-server 8.8.8.8
Now the Cisco URL is accessible
We can disable content rewrite for all HTTP traffic
Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Advanced -> Content Rewrite
uncheck "Enable content rewrite"
rule number 1
no-http
http://*
Issue:
Say we have 10000 SSL clients. 9000 are able to connect; the remaining 1000 are not able to connect but are able to ping.
Check
Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Advanced -> SSL Settings
check whether the clients' browsers support all of the configured ciphers
Issue:
using the wrong connection profile with a valid username
since the username is tied to the correct group, the user will still be able to log in
we don't want this user to come in through the wrong connection profile
we can lock the user down so that the login fails unless it comes in through the eng-con profile
Configuration -> Remote Access VPN -> AAA/Local Users -> Local Users
Now the user will not be able to log in with the wrong connection profile
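The same fixes expressed on the ASA CLI, as an added example rather than part of the original notes: the DNS server group name eng-dns and the web-type ACL name eng-web are assumed; the profile, alias, group and user names come from the config above.

```cisco
! Added example (not from the original notes); eng-dns and eng-web are assumed names.
! DNS server group so the clientless portal can resolve URL-based bookmarks
dns server-group eng-dns
 name-server 8.8.8.8
!
! Connection profile with its alias, default group policy and DNS group
tunnel-group eng-con type remote-access
tunnel-group eng-con general-attributes
 default-group-policy eng-group
tunnel-group eng-con webvpn-attributes
 group-alias eng-con-alias enable
 dns-group eng-dns
!
! Web-type ACL that was blocking the bookmarks: remove it from the group policy
! (an overly narrow filter leaves the bookmarks greyed out)
access-list eng-web webtype permit url https://*
group-policy eng-group attributes
 webvpn
  no filter value eng-web
!
! Lock the user to the eng-con profile so a login via another profile is refused
username end-user attributes
 group-lock value eng-con
!
! Verify: the session should show tunnel group eng-con and group policy eng-group
show vpn-sessiondb webvpn
```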