Ssl-vpn configuration

deacongibson Posts: 8 Member
Can someone help please:
The subject is SSL VPN (using GNS3).
I have set up an SSL VPN and it is working using the AAA authentication method in my GNS3 lab. But I have not been able to get it to work using the certificate authentication method. In fact I am now confused; I need someone who can give me a working ASA configuration excluding the Microsoft server configuration (that is working very fine, as I can issue certificates). See hereunder for my setup:
1. ASA 5520 with IOS 8.4
- inside interface: 192.168.100.0/24
- outside interface: 192.168.137.0/24
- dmz interface: 172.100.100.0/24

2. Microsoft Windows server 2008 as domain controller and active directory
3. Microsoft Windows server 2003 as member server hosting the certificate services
- Domain server IP: 172.100.100.2
- certificate server IP: 172.100.100.3
4. Windows XP sp3 as client machines
IP: 192.168.100.0/24
5. SSL VPN configuration
a. NAT configuration
b. Address pool 192.168.100.100 – 192.168.100.150
c. Split tunnel option: Tunnel network list below
d. Access-list implementation

Note: I would appreciate any already existing working SSL-VPN configuration.
Deacon Gibson

Comments

  • have you issued identity certificate for ASA?
    have you imported root certificate to ASA?
  • deacongibson Posts: 8 Member
    See hereunder for my lab scenario:

    1. I have set up AnyConnect SSL-VPN on my ASA with IOS 8.4
    2. I have enrolled the ASA with SCEP to get its ROOT and IDENTITY certificates from the Windows Server 2003 certificate server
    3. I have also deployed a ROOT and IDENTITY certificate from the Windows Server 2003 certificate server to my Windows XP SP3 computer
    4. I can establish an SSL-VPN connection from the AnyConnect client software installed on the XP machine to the ASA using the local authentication method.
    5. I have not been able to establish a connection using the certificate authentication method. Each time I try I get the message "no valid certificates available for authentication"
  • Try to gather the DART logs.
  • deacongibson Posts: 8 Member
    I have gathered the DART logs. What should I do next?
  • Maced129 Posts: 78 Member
    Is time synced between all devices in your topology?