save the config and reload. Is it a failover scenario?
Regards,
Piotr

2011/1/31 kamran shakil <[email protected]>
> Dears,
> I have a simple setup of ASA with 1 inside and 1 outside interface and even
> no nat-control is enabled. Following is what I am having:
>
> The browser FIREFOX or IE do not open the page when I try to browse either
> http://1.1.1.1 or https://1.1.1.1 !!!!
> [But when I try to telnet 1.1.1.1 443 it connects and gives me the clue
> that 443 is not blocked on 1.1.1.1 IP Address]
>
> MY ASA VERSION IS: 8.2(1), and on a WINDOWS 7 PC I used IE version
> 8.0.7600.16385 + FIREFOX version 3.6.13
>
> FOLLOWING IS THE CONFIG:
> ======================
>
> hostname SSL-VPNBOX
> enable password 2KFQnbNIdI.2KYOU encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> names
> !
> interface GigabitEthernet0/0
>  nameif outside
>  description *** NETWORK facing the OUTSIDE WORLD - directly coneccted to my test pc 1.1.1.2/24***
>  security-level 0
>  ip address 1.1.1.1 255.255.255.0
> !
> interface GigabitEthernet0/1
>  nameif inside
>  security-level 100
>  ip address 2.2.2.2 255.255.255.0
> !
> interface GigabitEthernet0/2
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> interface GigabitEthernet0/3
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> interface Management0/0
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> ftp mode passive
> dns domain-lookup inside
> dns server-group WEBVPN
>  name-server 136.1.121.1
>  domain-name cisco.com
> same-security-traffic permit inter-interface
> access-list SSL extended permit tcp any any log
> access-list SSL extended permit icmp any any log
> access-list SSL extended permit udp any any log
> access-list WEBACCESS webtype permit url http://*.com:80
> pager lines 24
> logging enable
> mtu outside 1500
> mtu inside 1500
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> asdm image disk0:/asdm-621.bin
> no asdm history enable
> arp timeout 14400
> no nat-control
> access-group SSL in interface outside
> aaa authentication http console LOCAL
> http server enable 4043
> http 0.0.0.0 0.0.0.0 outside
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> threat-detection basic-threat
> threat-detection statistics access-list
> no threat-detection statistics tcp-intercept
> webvpn
>  enable outside
>  svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
>  svc enable
>  tunnel-group-list enable
> group-policy WEBVPN internal
> group-policy WEBVPN attributes
>  vpn-tunnel-protocol webvpn
>  webvpn
>   filter value WEBACCESS
>   url-entry enable
> username WEBVPN password ioz3dgMc0MXqzvzX encrypted
> username WEBVPN attributes
>  group-lock value WEBVPN
> username kamran password mk2g0NZxPq/cd0UW encrypted
> username cisco password 3USUcOPFUiMCO4Jk encrypted
> tunnel-group WEBVPN type remote-access
> tunnel-group WEBVPN general-attributes
>  default-group-policy WEBVPN
> tunnel-group WEBVPN webvpn-attributes
>  group-alias WEBVPN enable
>  dns-group WEBVPN
> !
> class-map inspection_default
>  match default-inspection-traffic
> !
> !
>
> route outside 0 0 1.1.1.2
>
> policy-map type inspect dns preset_dns_map
>  parameters
>   message-length maximum 512
> policy-map global_policy
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect netbios
>   inspect rsh
>   inspect rtsp
>   inspect skinny
>   inspect esmtp
>   inspect sqlnet
>   inspect sunrpc
>   inspect tftp
>   inspect sip
>   inspect xdmcp
>   inspect icmp
>
> DEBUG OUTPUT:
> ================
>
> When I run the command # debug webvpn, I get the following ERRORS on the ASA
> console:
>
> SSL-VPNBOX(config)#
> SSL-VPNBOX(config)# %ASA-6-302014: Teardown TCP connection 81 for outside:1.1.1.2/1091 to identity:1.1.1.1/443 duration 0:01:58 bytes 0 TCP Reset-I
> %ASA-7-609002: Teardown local-host outside:1.1.1.2 duration 0:01:58
> %ASA-7-609002: Teardown local-host identity:1.1.1.1 duration 0:01:58
> %ASA-7-609001: Built local-host outside:1.1.1.2
> %ASA-7-609001: Built local-host identity:1.1.1.1
> %ASA-6-302013: Built inbound TCP connection 82 for outside:1.1.1.2/1093 (1.1.1.2/1093) to identity:1.1.1.1/443 (1.1.1.1/443)
> %ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/1093 for TLSv1session.
> %ASA-7-725010: Device supports the following 1 cipher(s).
> %ASA-7-725011: Cipher[1] : DES-CBC-SHA
> %ASA-7-725008: SSL client outside:1.1.1.2/1093 proposes the following 8 cipher(s).
> %ASA-7-725011: Cipher[1] : AES128-SHA
> %ASA-7-725011: Cipher[2] : AES256-SHA
> %ASA-7-725011: Cipher[3] : RC4-SHA
> %ASA-7-725011: Cipher[4] : DES-CBC3-SHA
> %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
> %ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
> %ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
> %ASA-7-725011: Cipher[8] : RC4-MD5
> %ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
> %ASA-6-302014: Teardown TCP connection 82 for outside:1.1.1.2/1093 to identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I
>
> regards,
> Kamran....
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
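The debug output quoted above shows the TCP connection to 443 being accepted (which is why telnet to 1.1.1.1 443 connects) and then the TLS handshake failing because the ASA offers a single cipher, DES-CBC-SHA, while the browser proposes eight suites, none of which is DES-CBC-SHA. As an added example, not from the thread or from Cisco, this Python checker parses that %ASA-7-725010/725008/725011/725014 sequence and reports whether the device and client cipher lists intersect; the sample lines are copied from the quoted debug output, and the set of legacy suites is an assumption.

```python
import re

# Log lines taken from the debug output quoted in this thread, trimmed to the
# TLS handshake messages; any list of %ASA-7-7250xx lines can be passed instead.
SAMPLE_LOG = """\
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/1093 for TLSv1session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client outside:1.1.1.2/1093 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
"""

CIPHER_RE = re.compile(r"%ASA-7-725011: Cipher\[\d+\] : (\S+)")
CLIENT_RE = re.compile(r"%ASA-7-725008: SSL client (\S+) proposes")
# Assumed set of legacy suites that current browsers no longer offer.
LEGACY = {"DES-CBC-SHA", "RC4-MD5", "RC4-SHA", "NULL-SHA", "NULL-MD5"}


def analyze_handshake(lines):
    """Pair the device's cipher list with the client's ClientHello list and explain the outcome."""
    server, client, peer, side = set(), set(), None, None
    for line in lines:
        if "%ASA-7-725010" in line:
            side = server                     # following Cipher[n] lines are the ASA's own list
        elif m := CLIENT_RE.search(line):
            side, peer = client, m.group(1)   # following Cipher[n] lines are the client's offer
        elif (m := CIPHER_RE.search(line)) and side is not None:
            side.add(m.group(1))
    shared = server & client
    asa_error = any("725014" in ln and "no shared cipher" in ln for ln in lines)
    if shared:
        verdict = "ok: negotiable suites " + ", ".join(sorted(shared))
    elif server and server <= LEGACY:
        verdict = ("no shared cipher: the ASA offers only legacy suites; review the "
                   "'ssl encryption' list and the 3DES-AES license in 'show version'")
    else:
        verdict = "no shared cipher"
    return {"peer": peer, "server": server, "proposed": client,
            "shared": shared, "asa_error": asa_error, "verdict": verdict}
```

Run it over a `debug webvpn` or syslog capture; an empty `shared` set with `asa_error` true is the signature seen in this thread, and the verdict points at the device-side cipher list rather than at the access-list or NAT configuration.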
