service-policy pptp_policy interface outside

I found that here: http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/i2.html#wp1761500

As per my previous post, I have mentioned that Anyconnect has comaptibility issue with Kaspersky, after doing lots of googlings, I found a blog site where one of the users has mentioned that he/she manged to get around this by unchecking port 443 on Kaspersky port monitor settings. This of course did work for me too.
However still having issues when enabling Secure Desktop, which works fine when used with a workstation that doesn’t have Kaspersky.

The other biggest problem is when I upgraded ASA 8.4, I realised that NAT implementation has been changed. Following link explains this.

[link not correct]

Also Cisco has announced a bug

[link requires authentication]

The biggest problem I have currently is to authenticate users using active directory, which worked fine before the version upgrade. When I configure server address and try to test I get follwing error.

”
Authentication test to host 192.168.xx.xx failed. Following error
occured-

ERROR: Authentication Rejected: Memmory
error ”

Following blog shows that some other users also have experienced this but mnaged to get around. However in my case I am still stuck therefore I would be great, if you could shed a light on this.

I have ASA Firewall and need to capture the VPN authentication logs/events on the firewall.

Currently these type of logs are not getting generated on the Firewall.

Can you please let me know what changes needs to be done on the firewall in order to capture these logs.

In order for scenario 2 to work, you need a dedicated public IP which will be static nat to the inside server. Your problem shows that GRE does not pass from client (outside) to server inside. Only TCP port 1723 can pass from what you describe.

thanks for the tutorial.I’ve a problem with it.

I’ve an ASA 5110 8.0(4) released. I’m working on scenario 2.
When i try to connect with the client, it contact the server, try to verify user and password and after 30second it reply with the message:

Error 806: a connection between your computer and the VPN server has been established but the VPN connection cannot be completed. The most common cause for this is that there is at least one internet device between your computer and the VPN server is not configured to allow GRE protocol packets Verify that protocol 47 GRE is allowed on all personal firewall devices or routers. if the problem persists, contact your administrator.

If i try a telnet from client to server, on 1723 port, it work.

where i wrong?

Thanks

unfortunately I have not encountered something similar before. Hope that someone can shed some light on this. Maybe there is a solution if you make Kaspersky to bypass checking of the active-x application that anyconnect ssl is downloading on the user’s computer.

5 Jan 16 2012 09:28:11 722010 Group User IP SVC Message: 16/ERROR: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.)..

However when tried with different PC it worked and reliased it was the Kaspersky AV was causing the issue.

As per the following link, Cisco recommends to remove AV but that is not the longer term solution. Therefore I wolud like to know whether anyone else has come across this issue and whether there is a concrete resolution for this.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac08managemonitortbs.html

The software license is for one computer only, so it would be good for either your home computer or your laptop.

If I find that my thinkpad is too old to run your software I don’t want to have a copy of you software I can’t use.
If I can do this setup I would buy one copy of AVS software now