Clientless SSL VPN (WebVPN) allows limited but valuable secure access to the
corporate network from any location. Users get secure browser-based access to
corporate resources at any time. This document provides a straightforward
configuration for the Cisco Adaptive Security Appliance (ASA) 5500 series to
allow Clientless SSL VPN access to the internal network.
The SSL VPN technology can be utilized in three ways: Clientless SSL
VPN, Thin-Client SSL VPN (Port Forwarding), and SSL VPN Client (SVC Tunnel
Mode). Each has its own advantages and unique access to resources.
1. Clientless SSL VPN
A remote client needs only an SSL-enabled web browser to access http-
or https-enabled web servers on the corporate LAN. Access is also available to
browse for Windows files with the Common Internet File System (CIFS). A good
example of http access is the Outlook Web Access (OWA) client.
2. Thin-Client SSL VPN (Port Forwarding)
A remote client must download a small, Java-based applet for secure
access of TCP applications that use static port numbers. UDP is not supported.
Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs
local administrative privileges because changes are made to files on the local
machine. This method of SSL VPN does not work with applications that use
dynamic port assignments, for example, several FTP applications.
Refer to Thin-Client SSL VPN (WebVPN) on ASA using ASDM Configuration Example
to learn more about the Thin-Client SSL VPN.
3. SSL VPN Client (SVC-Tunnel Mode)
The SSL VPN Client downloads a small client to the remote workstation
and allows full, secure access to the resources on the internal corporate
network. The SVC can be downloaded permanently to the remote station, or it can
be removed after the secure session ends.
Refer to SSL VPN Client (SVC) on ASA Using ASDM Configuration Example for more
details about the SSL VPN Client.
Clientless SSL VPN can be configured on the Cisco VPN Concentrator 3000 and on
specific Cisco IOS® routers with Version 12.4(6)T and higher. Clientless SSL
VPN access can also be configured on the Cisco ASA at the Command Line
Interface (CLI) or with the Adaptive Security Device Manager (ASDM). Using ASDM
makes the configuration more straightforward.
Clientless SSL VPN and ASDM must not be enabled on the same ASA interface on
the same TCP port (both listen on 443 by default). The two can coexist on one
interface only if one of them is moved to a different port. It is highly
recommended that ASDM stay enabled on the inside interface so that WebVPN can
be enabled on the outside interface; this also keeps the management login off
the Internet-facing interface.
Clientless SSL VPN enables secure access to these resources on the corporate LAN:
HTTP and HTTPS to internal web servers
Windows file access and browsing
Citrix Servers with the Citrix thin client
The Cisco ASA adopts the role of a secure proxy for client computers
which can then access pre-selected resources on the corporate LAN.
This document demonstrates a simple configuration with ASDM to enable
the use of Clientless SSL VPN on the Cisco ASA. No client configuration is
necessary if the client already has an SSL-enabled web browser. Most web
browsers already have the capability to invoke SSL/TLS sessions. The resultant
Cisco ASA command lines are also shown in this document.
Ensure that you meet these requirements before you attempt this configuration:
An SSL-enabled web browser, for example, Internet Explorer or Netscape
ASA with Version 7.1 or higher
TCP port 443, which must not be blocked along the path from the
client to the ASA
The information in this document is based on these software and hardware
versions: a Cisco ASA 5500 series appliance with ASA software Version 7.2(1)
and ASDM 5.2(1), the versions shown in the configuration later in this
document.
The information in this document was created from the devices in a
specific lab environment. All the devices used in this document began with a
cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document
conventions.
At this stage, you can browse to https://<inside_IP_address> (the inside
interface address, 10.2.2.1 in this lab, where http server enable is
configured) to access the ASDM application. Once ASDM has loaded, begin the
configuration for WebVPN.
This section contains the information needed to configure the features
described within this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more
information about the commands used in this section.
This document uses this network setup:
Configure WebVPN on the ASA in four major steps:
1. Enable WebVPN on an ASA interface.
2. Create a list of servers and/or URLs for WebVPN access.
3. Create a group policy for WebVPN users.
4. Apply the new group policy to a Tunnel Group.
1. In ASDM, choose Configuration > VPN > WebVPN > WebVPN Access. Choose the
interface on which WebVPN users terminate (the outside interface in this
example) and enable WebVPN on it. Click Apply.
2. Choose Servers and URLs > Add. Enter a name for the list of servers
accessible by WebVPN and click the Add button. The Add Server or URL dialog box
displays. Enter the name of each server; this is the name that the client sees.
Choose the appropriate protocol from the URL drop-down menu for each server and
enter the server address. Add the servers to your list from the Add Server or
URL dialog box and click OK. Click Apply.
3. Expand General in the left menu of ASDM. Choose Group Policy and create the
group policy for the WebVPN users.
4. Choose Tunnel Group in the left column and click the Edit button. Click the
Group Policy drop-down menu and choose the policy that was created in Step 3.
It is important to note that if no new Group Policies and Tunnel Groups are
created, the defaults GroupPolicy1 and DefaultWEBVPNGroup are used, as in the
configuration that follows. Click the WebVPN tab and choose NetBIOS Servers.
Click the Add button and fill in the IP address of the WINS/NBNS server
(10.2.2.2 in this lab). Click OK > OK. Follow the prompts Apply > Save > Yes
to write the configuration.
This configuration reflects the changes ASDM made to enable WebVPN:
ASA Version 7.2(1)
enable password 9jNfZuG3TC5tCVH0 encrypted
ip address 172.22.1.160 255.255.255.0
ip address 10.2.2.1 255.255.255.0
no ip address
description For Mgt only
ip address 10.10.10.1 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu Mgt 1500
icmp permit any outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.2.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.22.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
!--- group policy configurations
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
!--- The clientless features granted to this policy sit under its webvpn sub-mode
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
username cisco password 53QNetqK.Kqqfshe encrypted
!--- asdm configurations
http server enable
http 10.2.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!--- tunnel group configurations
tunnel-group DefaultWEBVPNGroup general-attributes
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 10.2.2.2 master timeout 2 retry 2
telnet timeout 5
ssh 172.22.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
!--- webvpn configurations
webvpn
!--- WebVPN is terminated on the outside interface (step 1 above)
 enable outside
 url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
 url-list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
 url-list ServerList "FOCUS_SRV_2" http://10.2.2.4 3
prompt hostname context
Clientless SSL VPN macro substitutions let you configure users for
access to personalized resources that contain the user ID and password or other
input parameters. Examples of such resources include bookmark entries, URL
lists, and file shares.
Note: For security reasons, password substitutions are disabled for
file-access URLs (cifs://).
Note: Also for security reasons, use caution when you introduce password
substitutions for web links, especially for non-SSL instances.
These macro substitutions are supported:
CSCO_WEBVPN_USERNAME - SSL VPN user login ID
CSCO_WEBVPN_PASSWORD - SSL VPN user login password
CSCO_WEBVPN_INTERNAL_PASSWORD - SSL VPN user
internal resource password
CSCO_WEBVPN_CONNECTION_PROFILE - SSL VPN user login
group drop-down, a group alias within the connection profile
CSCO_WEBVPN_MACRO1 - Set through RADIUS/LDAP
CSCO_WEBVPN_MACRO2 - Set through RADIUS/LDAP
In order to know more about macro substitutions, refer to
SSL VPN Macro Substitutions.
Use this section to confirm that your configuration works properly.
Establish a connection to your ASA from an outside client by browsing to
https://<outside_IP_address> (172.22.1.160 in this lab). The client receives a
Cisco WebVPN page that allows access to the corporate LAN in a secure fashion.
The client is allowed only the access that is listed in the newly created
group policy.
Authentication: A simple login and password was created on the ASA for this
lab proof of concept (the local user cisco in the configuration above). If a
single and seamless sign-on to a domain for the WebVPN users is preferred,
refer to ASA with WebVPN and Single Sign-on using ASDM and NTLMv1 Configuration
Example. Note that NTLMv1 is a weak authentication protocol; use NTLMv2 or
Kerberos-based sign-on where the target servers support it.
This section provides information you can use to troubleshoot your
configuration.
Note: Do not interrupt the Copy File to Server command or navigate to a
different screen while the copy process is in progress. If the operation is
interrupted, an incomplete file can be saved on the server.
Note: Users can upload and download new files with the WebVPN client, but a
user is not allowed to overwrite existing files on a CIFS share through WebVPN
with the Copy File to Server command. When the user attempts to replace a file
on the server, the user receives this message:
"Unable to add the file."
Follow these instructions to troubleshoot your configuration.
In ASDM, choose Monitoring > Logging > Real-time Log Viewer > View. When a
client connects to the ASA, note the establishment and termination of SSL and
TLS sessions in the real-time logs.
In ASDM, choose Monitoring > VPN > VPN Statistics > Sessions. Look for the new
WebVPN session. Be sure to choose the WebVPN filter and click Filter. If a
problem occurs, temporarily bypass the ASA to ensure that clients can access
the desired network resources. Review the configuration steps listed in this
document.
The Output Interpreter Tool (registered customers only) (OIT) supports certain
show commands. Use the OIT to view an analysis of show command output.
Note: Refer to Important Information on Debug Commands before the use of
debug commands.
show webvpn ?: There are many show commands associated with WebVPN. In order
to see the use of show commands in detail, refer to the command reference
section of the Cisco Security Appliance documentation.
debug webvpn ?: The use of debug commands can adversely impact the ASA. In
order to see the use of debug commands in more detail, refer to the command
reference section of the Cisco Security Appliance documentation.
Only three WebVPN clients can connect to the ASA/PIX; the connection for the
fourth client fails.
In most cases, this issue is related to the simultaneous login setting within
the group policy. vpn-simultaneous-logins limits the number of concurrent
sessions per username and defaults to 3, so four clients that share one
account (as with the single lab user) exceed it.
Use this example to configure the desired number of simultaneous logins. In
this example, the desired value was 20, set on a group policy named Bryan:
ciscoasa(config)# group-policy Bryan attributes
ciscoasa(config-group-policy)# vpn-simultaneous-logins 20
If these bookmarks were configured for users to sign in to the
clientless VPN, but, on the home screen under "Web Applications" they show up
as grayed out, how can I enable these HTTP links so that the users are able to
click them and go into the particular URL?
First make sure that the ASA can resolve the websites through DNS. Try to ping
the websites by name from the ASA. If the ASA cannot resolve the name, the link
is grayed out. If the DNS servers are internal to your network, enable DNS
lookups on the interface that faces them with dns domain-lookup <interface>
(for example, dns domain-lookup inside) and define the servers with
name-server under dns server-group DefaultDNS.
The error message "the ica client received a corrupt ica file." occurs for
Citrix over WebVPN.
If you use Secure Gateway mode for the Citrix connection through WebVPN, the
ICA file can be corrupted. Because the ASA is not compatible with this mode of
operation, create a new ICA file in Direct Mode (non-secure mode).
When users click CIFS bookmarks on the clientless WebVPN portal, they are
prompted for credentials again. LDAP is used to authenticate the resources,
and the users have already entered their LDAP credentials to log in to the VPN
session.
You can use the auto-signon feature in this case. Under the specific group
policy in use, under its WebVPN attributes, configure this:
auto-signon allow uri cifs://X.X.X.X/* auth-type all
where X.X.X.X is the IP address of the CIFS server and * stands for the rest
of the path to the share, file or folder in question.
An example configuration snippet is shown here:
hostname(config)# group-policy ExamplePolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# auto-signon allow uri https://*.example.com/* auth-type all
Keep the URI mask as narrow as possible: auto-signon forwards the user's VPN
credentials to every server that matches it, so a broad mask hands those
credentials to any host reachable through the portal under that name.
For more information about this, refer to
SSO with HTTP Basic or NTLM Authentication.
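As an added example (not part of the Cisco document), the Python script below lints an ASA running-config excerpt for the WebVPN pitfalls this document describes: ASDM and WebVPN listening on the same interface and TCP port, a password macro placed in a cleartext http:// (or ineffective cifs://) url-list entry, an auto-signon URI that replays the VPN credentials over plain http://, and a group policy whose vpn-simultaneous-logins (a per-username limit, default 3) is below the number of concurrent sessions you expect. The two configuration excerpts are constructed for the example and reuse the interface, policy and server names from the lab above; the parser relies on the ASA printing sub-mode commands indented under their parent command.

```python
import re

PASSWORD_MACROS = ("CSCO_WEBVPN_PASSWORD", "CSCO_WEBVPN_INTERNAL_PASSWORD")
DEFAULT_SIMULTANEOUS_LOGINS = 3  # ASA default when the group policy sets no value

# Constructed running-config excerpt (names follow the lab above) with every pitfall present.
WEAK_CONFIG = """\
http server enable
http 10.2.2.0 255.255.255.0 inside
http 172.22.1.0 255.255.255.0 outside
group-policy GroupPolicy1 attributes
 webvpn
  auto-signon allow uri http://10.2.2.3/* auth-type all
webvpn
 enable outside
 url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
 url-list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
 url-list ServerList "FOCUS_SRV_2" http://10.2.2.4/login?u=CSCO_WEBVPN_USERNAME&p=CSCO_WEBVPN_PASSWORD 3
"""

# The same excerpt corrected: ASDM only on inside, credential-carrying links on https,
# and the per-user login limit raised.
FIXED_CONFIG = """\
http server enable
http 10.2.2.0 255.255.255.0 inside
group-policy GroupPolicy1 attributes
 vpn-simultaneous-logins 20
 webvpn
  auto-signon allow uri https://10.2.2.3/* auth-type all
webvpn
 enable outside
 url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
 url-list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
 url-list ServerList "FOCUS_SRV_2" https://10.2.2.4/login?u=CSCO_WEBVPN_USERNAME&p=CSCO_WEBVPN_PASSWORD 3
"""


def parse_config(text):
    """Collect the WebVPN-relevant settings; indentation separates top-level from sub-mode."""
    cfg = {"http_port": 443, "http_ifaces": set(), "webvpn_port": 443,
           "webvpn_ifaces": set(), "url_entries": [],   # (list, name, url)
           "simul_logins": {},                          # group-policy -> int or None
           "auto_signon": []}                           # (group-policy, uri, auth-type)
    mode = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # top-level command: (re)select the mode
            mode = None
            if m := re.match(r"http server enable(?: (\d+))?$", line):
                cfg["http_port"] = int(m.group(1) or 443)
            elif m := re.match(r"http \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ (\S+)$", line):
                cfg["http_ifaces"].add(m.group(1))
            elif m := re.match(r"group-policy (\S+) attributes$", line):
                mode = ("group-policy", m.group(1))
                cfg["simul_logins"].setdefault(m.group(1), None)
            elif line == "webvpn":
                mode = ("webvpn",)
        elif mode == ("webvpn",):
            if m := re.match(r"enable (\S+)$", line):
                cfg["webvpn_ifaces"].add(m.group(1))
            elif m := re.match(r"port (\d+)$", line):
                cfg["webvpn_port"] = int(m.group(1))
            elif m := re.match(r'url-list (\S+) "([^"]*)" (\S+)', line):
                cfg["url_entries"].append(m.groups())
        elif mode and mode[0] == "group-policy":
            if m := re.match(r"vpn-simultaneous-logins (\d+)$", line):
                cfg["simul_logins"][mode[1]] = int(m.group(1))
            elif m := re.match(r"auto-signon allow uri (\S+) auth-type (\S+)$", line):
                cfg["auto_signon"].append((mode[1], m.group(1), m.group(2)))
    return cfg


def lint(text, expected_users=DEFAULT_SIMULTANEOUS_LOGINS):
    """Return one message per pitfall found; an empty list means nothing was flagged."""
    cfg = parse_config(text)
    findings = []
    if cfg["http_port"] == cfg["webvpn_port"]:
        for iface in sorted(cfg["http_ifaces"] & cfg["webvpn_ifaces"]):
            findings.append(f"ASDM and WebVPN both listen on {iface} TCP {cfg['http_port']}: "
                            "keep ASDM on inside or move one of them to another port")
    for lst, name, url in cfg["url_entries"]:
        scheme = url.split("://", 1)[0].lower()
        if any(macro in url for macro in PASSWORD_MACROS):
            if scheme == "cifs":
                findings.append(f'{lst} "{name}": password macro in a cifs:// URL has no effect')
            elif scheme == "http":
                findings.append(f'{lst} "{name}": password macro would travel in cleartext over http://')
    for gp, uri, auth in cfg["auto_signon"]:
        if uri.lower().startswith("http://"):
            findings.append(f"group-policy {gp}: auto-signon ({auth}) replays VPN credentials over cleartext {uri}")
    for gp, n in sorted(cfg["simul_logins"].items()):
        effective = DEFAULT_SIMULTANEOUS_LOGINS if n is None else n
        if effective < expected_users:
            findings.append(f"group-policy {gp}: vpn-simultaneous-logins {effective}"
                            f"{' (default)' if n is None else ''} is below the {expected_users} "
                            "concurrent sessions per username you expect")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg, expected_users=4) or "no findings")
```

Feed it the output of show running-config; only the http, group-policy and webvpn sections are read. The parser is deliberately narrow: the ASA accepts other forms of these commands (later releases define bookmarks outside url-list, for instance), and anything it does not recognise is ignored rather than flagged, so an empty result is evidence of a clean configuration, not proof.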