Your HTTP server is running on 4043.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of kamran shakil
Sent: Sunday, January 30, 2011 11:35 PM
To: [email protected]
Subject: [OSL | CCIE_Security] [help plz] ASA SSL Clientless VPN - stuck !!! NOT working ( page is not showing / loading up !!! )

Dears,

I have a simple setup of ASA with 1 inside and 1 outside interface and even no nat-control is enabled. Following is what I am having:

The browser FIREFOX or IE does not open the page when I try to browse either http://1.1.1.1 or https://1.1.1.1 !!!! [But when I try to telnet 1.1.1.1 443 it connects and gives me the clue that 443 is not blocked on 1.1.1.1 IP Address]

MY ASA VERSION IS: 8.2(1), and on WINDOWS 7 PC, used IE version 8.0.7600.16385 + FIREFOX version 3.6.13

FOLLOWING IS THE CONFIG:
======================
hostname SSL-VPNBOX
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 description *** NETWORK facing the OUTSIDE WORLD - directly coneccted to my test pc 1.1.1.2/24***
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup inside
dns server-group WEBVPN
 name-server 136.1.121.1
 domain-name cisco.com
same-security-traffic permit inter-interface
access-list SSL extended permit tcp any any log
access-list SSL extended permit icmp any any log
access-list SSL extended permit udp any any log
access-list WEBACCESS webtype permit url http://*.com:80
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
no nat-control
access-group SSL in interface outside
aaa authentication http console LOCAL
http server enable 4043
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy WEBVPN internal
group-policy WEBVPN attributes
 vpn-tunnel-protocol webvpn
 webvpn
  filter value WEBACCESS
  url-entry enable
username WEBVPN password ioz3dgMc0MXqzvzX encrypted
username WEBVPN attributes
 group-lock value WEBVPN
username kamran password mk2g0NZxPq/cd0UW encrypted
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group WEBVPN type remote-access
tunnel-group WEBVPN general-attributes
 default-group-policy WEBVPN
tunnel-group WEBVPN webvpn-attributes
 group-alias WEBVPN enable
 dns-group WEBVPN
!
class-map inspection_default
 match default-inspection-traffic
!
!
route outside 0 0 1.1.1.2
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp

DEBUG OUTPUT:
================
When I run the command # debug webvpn, I get the following ERRORS on ASA Console:

SSL-VPNBOX(config)#
SSL-VPNBOX(config)# %ASA-6-302014: Teardown TCP connection 81 for outside:1.1.1.2/1091 to identity:1.1.1.1/443 duration 0:01:58 bytes 0 TCP Reset-I
%ASA-7-609002: Teardown local-host outside:1.1.1.2 duration 0:01:58
%ASA-7-609002: Teardown local-host identity:1.1.1.1 duration 0:01:58
%ASA-7-609001: Built local-host outside:1.1.1.2
%ASA-7-609001: Built local-host identity:1.1.1.1
%ASA-6-302013: Built inbound TCP connection 82 for outside:1.1.1.2/1093 (1.1.1.2/1093) to identity:1.1.1.1/443 (1.1.1.1/443)
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/1093 for TLSv1session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client outside:1.1.1.2/1093 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-302014: Teardown TCP connection 82 for outside:1.1.1.2/1093 to identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I

regards,
Kamran....
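The 725010/725008/725011/725014 lines in the debug output above record a cipher-suite mismatch: the ASA offers a single 56-bit suite (DES-CBC-SHA) and the browser proposes eight stronger ones, so the two lists do not overlap and the TLS handshake is reset. The following added example (not code from the thread or from Cisco) parses those syslog lines and computes the overlap, which is the check to run on any "no shared cipher" failure; the usual remedy is to offer 3DES/AES suites on the ASA with the `ssl encryption` command, which on 8.2 needs the 3DES/AES license.

```python
import re

# Constructed sample: the cipher-negotiation lines from the "debug webvpn"
# output posted in the thread, copied here so the example runs offline.
DEBUG_OUTPUT = """\
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/1093 for TLSv1session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client outside:1.1.1.2/1093 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
"""

# 725010 announces the device's cipher list, 725008 the client's; each
# 725011 line that follows belongs to whichever list was announced last.
LIST_HEADER = re.compile(r"%ASA-7-(725010|725008):.*following (\d+) cipher")
CIPHER_LINE = re.compile(r"%ASA-7-725011: Cipher\[\d+\] : (\S+)")

def parse_cipher_lists(text):
    """Return (device_ciphers, client_ciphers) parsed from ASA syslog text."""
    lists = {"725010": [], "725008": []}
    current = None
    for line in text.splitlines():
        header = LIST_HEADER.search(line)
        if header:
            current = lists[header.group(1)]
            continue
        cipher = CIPHER_LINE.search(line)
        if cipher and current is not None:
            current.append(cipher.group(1))
    return lists["725010"], lists["725008"]

def diagnose(text):
    """Suites both sides offer, in the client's preference order; an empty
    list is exactly the 'no shared cipher' condition 725014 reports."""
    device, client = parse_cipher_lists(text)
    shared = [c for c in client if c in device]
    return {
        "shared": shared,
        "handshake_possible": bool(shared),
        "asa_reported_error": "no shared cipher" in text,
    }
```

Feed it the cipher lines from any `debug webvpn` capture; once the ASA advertises a suite the browser also proposes, `shared` becomes non-empty and the handshake can complete.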
