How To Configure AnyConnect SSL VPN on Cisco ASA 5500


Virtual private networks, and really VPN services of many types, are similar in function but different in setup. In a previous post (anyconnect ssl vpn) I briefly explained the general functionality of a new remote access VPN technology, the AnyConnect SSL client VPN. The Cisco AnyConnect VPN is supported on the new ASA 8.x software version and provides remote access to users with just a web browser over HTTPS. The AnyConnect client software supports Windows Vista, XP, 2000, Mac OS X and Linux. The client can either be preinstalled on the remote user’s PC, or it can be stored on the ASA flash and pushed to the remote user’s PC when they connect to the ASA. You also have the option to uninstall the client from the remote user’s PC when he/she disconnects from the ASA.

EDIT: My new ebook, “Cisco VPN Configuration Guide – By Harris Andrea” provides a comprehensive technical tutorial about all types of VPNs that you can configure on Cisco Routers and ASA Firewalls (including of course SSL Anyconnect or IPSEC Remote Access VPNs).

In this post I will explain the technical details of configuring AnyConnect SSL VPN on a Cisco ASA 5500. I assume that we use AnyConnect client version 2.0, which will be stored on the ASA flash and pushed to the remote user on demand. The same configuration applies to newer versions of AnyConnect. The remote users, after successful authentication, will receive an IP address from the local ASA pool 192.168.100.1-50. The internal ASA network will use the subnet range 192.168.5.0/24.

Therefore, after the remote user successfully authenticates on Cisco ASA with the AnyConnect client, he will receive an IP address in the range 192.168.100.1 to 50 and he will be able to access resources in the internal LAN network 192.168.5.0/24.

Upload AnyConnect to ASA

The first step is to obtain the AnyConnect client software from the Cisco Software Download Website. You will need to download the appropriate software version according to the Operating System that your users have on their computers.

Assume the VPN client software file is “anyconnect-win-2.0.0343-k9.pkg”.

ASA(config)# copy tftp flash
Address or name of remote host ? 192.168.5.10
Source filename ? anyconnect-win-2.0.0343-k9.pkg
Destination filename [anyconnect-win-2.0.0343-k9.pkg]?

Accessing tftp://192.168.5.10/anyconnect-win-2.0.0343-k9.pkg…!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.0.0343-k9.pkg…
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Configuring the Cisco ASA

! Specify the AnyConnect image to be downloaded by users
ASA(config)#webvpn
ASA(config-webvpn)#anyconnect image disk0:/anyconnect-win-2.0.0343-k9.pkg 1

! Enable AnyConnect access on the outside ASA interface
ASA(config-webvpn)#enable outside
ASA(config-webvpn)#anyconnect enable
ASA(config-webvpn)#exit

! Create a local IP address pool to assign for remote users
ASA(config)# ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0

! Configure NAT exemption for traffic between internal LAN and remote users

For ASA versions prior to 8.3:
ASA(config)#access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list NONAT

For ASA version 8.3 and later:
object network INSIDE-HOSTS
 subnet 192.168.5.0 255.255.255.0
!
object network VPN-HOSTS
 subnet 192.168.100.0 255.255.255.0
!
nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS

! Create usernames that will use the AnyConnect remote access only
ASA(config)#username userA password test123
ASA(config)#username userA attributes
ASA(config-username)# service-type remote-access

ASA(config)#username userB password test12345
ASA(config)#username userB attributes
ASA(config-username)# service-type remote-access

! Create a group policy with configuration parameters that should be applied to clients (there are two options available here according to the ASA version you are running)

OPTION 1
ASA(config)# group-policy SSLCLientPolicy internal

ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value 192.168.5.100
ASA(config-group-policy)# vpn-tunnel-protocol svc
ASA(config-group-policy)# address-pools value SSLClientPool

OPTION 2
ASA(config)# group-policy SSLCLientPolicy internal
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value 192.168.5.100
ASA(config-group-policy)# address-pools value SSLClientPool
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)#vpn-tunnel-protocol svc

! Allow decrypted AnyConnect traffic to bypass the interface access lists
ASA(config)# sysopt connection permit-vpn

! Create tunnel group profile to define connection parameters
ASA(config)# tunnel-group SSLClientProfile type remote-access
ASA(config)# tunnel-group SSLClientProfile general-attributes
ASA(config-tunnel-general)# default-group-policy SSLCLientPolicy
ASA(config-tunnel-general)# tunnel-group SSLClientProfile webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias SSLVPNClient enable
ASA(config-tunnel-webvpn)# webvpn
ASA(config-webvpn)#tunnel-group-list enable
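The NAT exemption step is the one most often missed (several of the comments below concern a DMZ or second site that VPN users cannot reach): any internal subnet that is still translated towards the pool is unreachable for AnyConnect users. As an added example that is not part of the original article, the following Python script parses a running-config excerpt in both NAT syntaxes shown above and lists every internal interface whose subnet has no identity-NAT exemption towards an AnyConnect pool; the sample configs are constructed from the article's addresses, plus an assumed DMZ interface (10.4.2.0/24) that is deliberately left unexempted.

```python
import ipaddress

def _net(addr, mask):
    """Build a network from 'address mask'; strict=False tolerates host bits set."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _take_net(tokens):
    """Consume one ACL address spec ('any', 'host X' or 'X MASK'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return _net(tokens[1], "255.255.255.255"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]

def parse_config(cfg):
    """One pass over a running-config: interface subnets, pools, objects, ACL 'permit ip' entries, nat lines."""
    st = {"ifaces": {}, "pools": {}, "objs": {}, "acls": {}, "nat": []}
    nameif = obj = None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            nameif = None
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif and len(t) >= 4:
            try:
                st["ifaces"][nameif] = _net(t[2], t[3])
            except ValueError:  # e.g. 'ip address dhcp setroute'
                pass
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 7:
            # 'ip local pool NAME START-END mask MASK' -> the subnet holding the range
            st["pools"][t[3]] = _net(t[4].split("-")[0], t[6])
        elif t[:2] == ["object", "network"]:
            obj = t[2]
        elif obj and t[0] == "subnet":
            st["objs"][obj] = _net(t[1], t[2])
        elif obj and t[0] == "host":
            st["objs"][obj] = _net(t[1], "255.255.255.255")
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _take_net(t[5:])
            dst, _ = _take_net(rest)
            st["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":
            st["nat"].append(t)
    return st

def nat_exemptions(st):
    """(src, dst) network pairs exempt from translation, in either NAT syntax."""
    pairs, objs = [], st["objs"]
    for t in st["nat"]:
        if len(t) >= 5 and t[2:4] == ["0", "access-list"]:
            pairs.extend(st["acls"].get(t[4], []))  # pre-8.3: nat (ifc) 0 access-list NAME
        elif len(t) >= 10 and t[2:4] == ["source", "static"] and t[6:8] == ["destination", "static"]:
            # 8.3+: identity twice NAT, i.e. 'source static A A destination static B B'
            if t[4] == t[5] and t[8] == t[9] and t[4] in objs and t[8] in objs:
                pairs.append((objs[t[4]], objs[t[8]]))
    return pairs

def unexempted_interfaces(cfg):
    """[(nameif, pool_subnet)] for each internal interface whose subnet is still
    translated towards an AnyConnect pool, i.e. unreachable for VPN users."""
    st = parse_config(cfg)
    exempt, missing = nat_exemptions(st), []
    for nameif, net in sorted(st["ifaces"].items()):
        if nameif == "outside":  # tunnels terminate here; nothing to exempt
            continue
        for pool in st["pools"].values():
            if not any(net.subnet_of(s) and pool.subnet_of(d) for s, d in exempt):
                missing.append((nameif, str(pool)))
    return missing

# Constructed samples using the article's addresses; the DMZ (10.4.2.0/24) is an assumption.
PRE83_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.5.1 255.255.255.0
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""

POST83_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.5.1 255.255.255.0
interface Vlan5
 nameif dmz
 ip address 10.4.2.1 255.255.255.0
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
object network INSIDE-HOSTS
 subnet 192.168.5.0 255.255.255.0
object network VPN-HOSTS
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS
"""
```

Calling unexempted_interfaces(POST83_CONFIG) returns [('dmz', '192.168.100.0/24')], the subnet that still needs its own identity NAT rule, while the pre-8.3 sample returns an empty list.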

How to Connect

The user just needs to open a browser and go to https://[outside ASA IP]

The login screen is displayed as in the example below:

In the “Group” field enter the name of the tunnel group (SSLClientProfile) or the group alias (SSLVPNClient).

In the “Username” and “Password” fields enter the user credentials (e.g. userA, test123).


Comments

  1. mike says

    I’ve tried using this configuration example on my simple ASA configuration. I’m able to get the client to load from the https:// URL, however when enabling debug (debug webvpn svc 255) on the ASA 5505, it errors out with: SVC message: t/s=3/16: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).

    Before that it is assigning it an IP address and such.

    On the VPN Client log, I see:
    A SSL connection has been established using cipher RC4-SHA .
    then
    Function: CNetInterface::GetIPAddrInfo Return code: 0xFE0F000F File: .\Utility\NetInterface.cpp Line: 256 Description: NETINTERFACE_ERROR_INTERFACE_NOT_AVAILABLE . (repeats 4 times)
    Termination reason code 16: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.). .
    Function: CVpnMgr::initiateTunnel Return code: 0xFE0A0010 File: .\VpnMgr.cpp Line: 1014 Description: VPNMGR_ERROR_TERMINATING .
    Termination reason code 16: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.). .

  2. Shea says

    Mike, I have a couple of employees that are having the same issue and the exact same error in the event log. One of the things I noticed was another event ID, 53. It shows the following about the end users local ethernet interface:
    Public address: 127.0.0.1
    Public mask: 255.0.0.0

    When I look at Event ID 53 on my PC and others, it shows the local interface ip address, not loopback. I’m not sure what is causing the local interface to register with a loopback address. Does your PC have the same info in event ID 53?

    If anyone has an answer please post.
    Thanks,
    Shea

  3. BlogAdmin says

    Hello Jimmy,

    Well, after ASA version 7.3(1), a new keyword was added to allow SSL tunnel negotiation. This is the “svc” keyword. I don’t know what version of ASA you are referring to, but the “vpn-tunnel-protocol svc” command is correct. In some other cases (again according to what ASA version you are running), you might need to configure the following under the group policy:

    ASA(config-group-policy)# webvpn
    ASA(config-group-webvpn)# vpn-tunnel-protocol svc

  4. haku says

    hello,

    any idea on where the certificates for the SSL stuff are kept? I’m kinda wanting to see how the traffic looks like under wireshark, which needs the ssl keypair to decrypt the ssl traffic. Any clue?

    Thanks

  5. Martin says

    mike, shea: Deactivating Kaspersky AV reproducibly fixed the problem. I could connect without a glitch as soon as I turned the AV engine off. Bummer.

  6. Brian says

    Nice article. I would like to mention that some users may want to use the ‘port’ command before ‘enable outside’ to run WebVPN on a port other than 443, just in case something else is using https on the outside interface (like Active Sync for example). Thanks again.

  7. Abid says

    Thanks

    Just one problem: I have defined a pool of /28 IP addresses. Now when a customer connects it gets the first IP address from the pool and the default gateway is the next available IP address… which is not assigned to anything, and the client is not able to connect to anything.

    Any idea? Is this how it should be?

  8. Jamie Dumanski says

    It looks like your example is great. I am trying to configure this in a new ASA 5505. It will not allow me to use the command “nat (inside) 0 access-list NONAT”. It says I must use object-groups, but I am not sure how to yet. Can you please explain?

    Thanks

  9. BlogAdmin says

    Hello Jamie,

    The reason you get this message is that you are running version 8.3 and up. From ASA 8.3 the NAT configuration has been completely changed. In order to configure “nat 0” you must do the following (using object groups):

    We need to exempt traffic going from 192.168.5.0/24 to 192.168.100.0/24.

    object network obj-192.168.5.0
    subnet 192.168.5.0 255.255.255.0

    object network obj-192.168.100.0
    subnet 192.168.100.0 255.255.255.0

    nat (inside,outside) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.100.0 obj-192.168.100.0

  10. Jae says

    Thanks for the great example! I have my SSL-VPN with Anyconnect all up and working, except for one minor thing. When I am logged into the VPN, I cannot access the firewall with ASDM nor SSH. Is this an ASA security control, or am I missing something here?

    Thanks!

  11. BlogAdmin says

    Jae,

    You should enable ssh or asdm to allow access from the IP pool which is assigned to the VPN users. Then you can access the ASA on the inside interface.

  12. Steve says

    I’ve also successfully enabled AnyConnect. Is there a command that would let the VPN users traverse our site-to-site connection as well in order to access resources at another site?

    Thanks for the great article, it works WAY better than the Cisco example that is on the Cisco website.

  13. BlogAdmin says

    Hi Steve,

    If the other site is behind the main site, then you need to add the new site’s private LAN IP range in the access-list NONAT command.

  14. Art says

    Hi,

    Thanks for posting this. I can connect successfully via AnyConnect and access internal resources, however it won’t let me access any websites. Do I need to create a firewall rule to allow traffic from my VPN segment out to the Internet?

    Thanks,
    Art

  15. Jeff says

    Hi,

    I just wanted to thank you for not only taking the time to draw this up but also for quickly responding to all questions posed by your readers. I’m going to give this a try tomorrow, and I’ll post back on how it goes. Have a merry Xmas!

  16. Jeff says

    Hi,

    I added in the configuration in your tutorial, and I had a friend test it (this is on my home network). He was able to connect, but he had no access to anything. He doesn’t have any credentials on any of my systems, so we were expecting that. :)

    I ran into a few issues/questions, though.

    1) As mentioned in Abid’s post, the .1 address was given to the VPN user, and the gateway was the .2 address.

    2) There was no Internet access available, and I saw your post about split-tunneling, but the link you provided to Cisco includes the entire configuration to setup VPN access. I’m wondering which portion of that configuration is necessary to add to your configuration to provide Internet access.

    3) To provide wireless access on my network, I’d simply plugged a Netgear wireless router into the ASA in bridged mode. The ASA would hand out DHCP addresses, and I was able to connect w/out a problem. After adding in the VPN configuration, I wasn’t able to get a DHCP address from the ASA via my laptop. Instead, it gives me a 169.x.x.x address. I added a static address, and it connected w/out a problem.

    Some details about my network/configuration:

    ASA Version 8.0(2)
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    ip local pool SSLClientPool 192.168.100.1-192.168.100.25 mask 255.255.255.0
    dhcpd address 192.168.2.2-192.168.2.25 inside

    Also, I run internal DNS on 192.168.2.50.

    One other question, is there a way to make a VPN connection via http and have it automatically switch over to an https connection? Any help you could provide would be great. Again, thank you so much for your configuration. It’s really made my life much easier. Happy New Year!

  17. BlogAdmin says

    Hi everyone and Happy new Year,

    Since I’m not a magician (or God!!!) you understand that I can not solve any ASA problem you have just from the information you give me and without having actual access and debug information from your appliance. Anyway, the split tunnel configuration from the cisco site which is relevant to my article above is:

    ciscoasa(config)#access-list split-tunnel standard permit 10.77.241.128 255.255.255.192
    ciscoasa(config)#group-policy clientgroup internal
    ciscoasa(config)#group-policy clientgroup attributes
    ciscoasa(config-group-policy)#vpn-tunnel-protocol webvpn
    ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified
    ciscoasa(config-group-policy)#split-tunnel-network-list value split-tunnel

    (just change the IP addresses or names accordingly).

    Also, in order to redirect a VPN connection from http to https:

    ASA(config)# http redirect outside 80

  18. Konstantin says

    Hello!
    First, I’d like to thank the BlogAdmin for the useful article!
    It helped me to build the AnyConnect connection with ASA and Windows, but my aim is to build it with iPhone.

    The problems begin after entering the username and password.

    Are there any special settings on ASA for the iPhone?
    Besides, what about certificates? Can the ASA be the trustpoint and
    give the certificate to iPhone?

    iPhone has its own AnyConnect client, that’s why, I suppose, there is no need to use

    webvpn
    svc enable

  19. BlogAdmin says

    Konstantin

    I have never tried anyconnect vpn with an iphone so unfortunately I can not help you on that issue.

  20. Andy says

    Hey – Thanks for the post – very very insightful.
    I have a question – if I wanted my internal DHCP server to give out the pool – what would I have to do for this – sorry I am a newbie – old SA left the company and I am learning fast – Everything is good but we will be rolling out Windows 7 this year and we are using old VPN 3000 concentrators – so we have bought some ASA 5505s

    Thanks in advance

  21. BlogAdmin says

    Andy,

    The following is taken from the Cisco site:

    To define a DHCP server for IP addressing, perform the following steps.

    Step 1 To configure DHCP as the address assignment method, enter the vpn-addr-assign command with the dhcp argument:

    hostname(config)# vpn-addr-assign dhcp
    hostname(config)#

    Step 2 To establish the tunnel group called firstgroup as a remote access or LAN-to-LAN tunnel group, enter the tunnel-group command with the type keyword. The following example configures a remote access tunnel group.

    hostname(config)# tunnel-group firstgroup type ipsec-ra
    hostname(config)#

    Step 3 To enter general-attributes configuration mode, which lets you configure a DHCP server, enter the tunnel-group command with the general-attributes argument.

    hostname(config)# tunnel-group firstgroup general-attributes
    hostname(config)#

    Step 4 To define the DHCP server, enter the dhcp-server command. The following example configures a DHCP server at IP address 172.33.44.19.

    hostname(config-general)# dhcp-server 172.33.44.19
    hostname(config-general)#

    Step 5 Exit tunnel-group mode.

    hostname(config-general)# exit
    hostname(config)#

    Step 6 To define the group policy called remotegroup as an internally or externally configured group, enter the group-policy command with the internal or external argument. The following example configures an internal group.

    hostname(config)# group-policy remotegroup internal
    hostname(config)#

    Step 7 (Optional) To enter group-policy attributes configuration mode, which lets you configure a subnetwork of IP addresses for the DHCP server to use, enter the group-policy command with the attributes keyword.

    hostname(config)# group-policy remotegroup attributes
    hostname(config-group-policy)#

    Step 8 (Optional) To specify the range of IP addresses the DHCP server should use to assign addresses to users of the group policy called remotegroup, enter the dhcp-network-scope command. The following example configures at network scope of 192.86.0.0.

    hostname(config-group-policy)# dhcp-network-scope 192.86.0.0
    hostname(config-group-policy)#

  22. Andy says

    Thanks for the reply.
    I will look into the DHCP bit.
    I have everything working including authentication on the Domain Controllers.
    However I get the same problem as Abid – I set the pool up and it gives me an IP but the default gateway is the next IP in line.

  23. Andy says

    Hi again – sorry for the post but I seem to have hit a snag which I may be completely missing.
    I will post the config here, however some names and IPs have been changed.
    The problem I have is like mentioned before – I can connect through AnyConnect using an SSL cert from the ASA,
    I authenticate through the Domain controller fine.
    I get an IP address from the pool, 192.168.100.1; the gateway always seems to be 192.168.100.2.
    Then I can’t access anything on the network I want to get to, 170.62.0.0/16.

    Here is the Config file – am I missing something?

    ASA Version 8.2(1)11
    !
    hostname RTPFW01
    domain-name test.com

    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 170.62.4.22 255.255.252.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.224
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 170.62.4.30
    domain-name test.com
    access-list no_nat extended permit ip 170.62.0.0 255.255.0.0 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool SSLClientPool 192.168.100.1-192.168.100.200 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-623.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list no_nat
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    route inside 170.62.0.0 255.255.0.0 170.62.4.11 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server test protocol nt
    aaa-server test (inside) host 170.62.4.30
    nt-auth-domain-controller dc01
    http server enable
    http 170.62.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000

    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    dns-server value 170.62.4.30
    vpn-tunnel-protocol svc webvpn
    default-domain value test.com
    address-pools value SSLClientPool
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    authentication-server-group test
    default-group-policy SSLClientPolicy
    tunnel-group SSLClientProfile webvpn-attributes
    group-alias SSLVPNClient enable
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:0812042599b7f564d0769aeba9126fff

  24. Konstantin says

    Good day!

    I have one more question, it’s about using certificates.

    Anyconnect is announced as SSL VPN, so, I guess, we should use certificates to authenticate the client.
    Now we can see, that anyconnect can work without certificates – we just need login and pass to establish the connection – it seems to me, that it’s not very secure.

  25. jchan says

    I have a question. Can we assign a single user to multiple groups?

    For example:
    username anyconnect_user password anyconnect_user
    username anyconnect_user attributes
    vpn-group-policy ANYCONNECT_GROUP1_POLICY

    If I tried assigning another vpn-group-policy for the same user, the latter one will override the earlier one.

    Is there a way to do that? Thanks!

  26. BlogAdmin says

    From what I know, you can not assign a user to two groups. Maybe this can be done using Cisco ACS AAA server for authentication and Authorization in which you can assign different network policies for a user.

  27. jchan says

    Thanks for the quick reply.

    I created 2 groups and I see 2 group names on the pull-down menu on the login page. Is there a way to limit the group name access to one when connecting to the ASA? Other than changing the different group names to the same group name.

    Thanks!

  28. BlogAdmin says

    Even if the user sees two group names, the user can only connect to the one which his username is assigned to.

  29. jchan says

    Thanks again! You are right, users can only access to the one that is assigned to them.

    I have another question, I found this is very strange. When I was testing it, I configured a username test password test privilege 1 on ASA, I did not assign this user test to any tunnel group via vpn-group-policy command under username attributes. For some reasons, user test can connect to the predefined anyconnect group. Is this the expected behavior?

    username test password test privilege 1
    username ssluser1 attributes
    vpn-group-policy ANYCONNECT_SSLUSER1_POLICY

    Both user ssluser1 and user test can connect to “SSLUSER1″ Group with no problem.

  30. Dax says

    Hello

    First off let me thank everyone who has contributed to this blog, especially blog admin. With this easy to follow tutorial I was able to get the VPN working in 10 minutes. I’m still having trouble figuring out how to do the split tunneling to enable users who VPN in to have internet access. The inside network in my example is 192.168.1.0 /24 and the vpnpool addys are on the 192.168.5.0 /24 network. What commands would I need to run to get VPN’d users connected to the internet? The ASA local IP is 192.168.1.1 and let’s assume my external IP is 29.29.29.29 /24

    Thanks!

  31. BlogAdmin says

    Dax,

    You need to do the following in order to enable split tunneling for anyconnect ssl vpn:

    1) first create an access list for the split tunnel. This access list should include your internal network range:

    ASA(config)#access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

    2) Then assign this ACL to the SSL group policy:

    ASA(config)# group-policy SSLCLientPolicy internal
    ASA(config)# group-policy SSLCLientPolicy attributes
    ASA(config-group-policy)# split-tunnel-policy tunnelspecified
    ASA(config-group-policy)# split-tunnel-network-list value split-tunnel

  32. jchan says

    Good day all,

    I have a quick question. When you close and open up the AnyConnect client program, it seems the program can only recall the last hostname or IP address that the AnyConnect client was connected to.

    I have configured multiple ASAs in the network for the AnyConnect client to access. Is there a way to store/save multiple hostnames/IP addresses under the “Connect To” pull-down menu on the login screen so that the client doesn’t need to re-enter the hostname or IP address every time when accessing different ASAs?

  33. BlogAdmin says

    You can have multiple login profiles by configuring several tunnel-groups and group-policy.

  34. Dax says

    Hi Blogadmin

    Thanks for your help, I’m now able to access the internet when connecting. Two questions for you:

    1. How can I get DNS to work properly? According to my ipconfig I am getting the DNS server IP from the VPN’d network when I connect, but I am unable to ping my internal DNS.

    2. How can I force all traffic through the VPN when connected?

  35. says

    Hi all,

    I have AnyConnect VPN users who are able to access the internet and inside networks but cannot access DMZ servers.

    please help me on this.

    thanks.

  36. BlogAdmin says

    Raj,

    You need to exclude from NAT the traffic from DMZ towards the anyconnect IP pool range

  37. essay writing says

    Finally a config that works! BlogAdmin, thank you for such a great tutorial, it actually works! I have a feeling the official Cisco online documentation is made to waste people’s time to the point where they give up and hire a CCNP.
    You could incorporate the part about split tunneling in the article; that would make it a perfect guide for a scenario where certain computers of a remote branch need connectivity with the main branch without getting a persistent tunnel.

  38. Alf says

    Hi everyone!

    I am a newbie here. My ASA 5505 at home is working fine, although I would like to connect via AnyConnect.

    When I connect via a remote network, I get my IP and have access through the ASA, but I am, as many others, NOT able to telnet to my internal switches.

    My home network is as follows:
    ASA Internal 192.168.1.1
    Home equip: 192.168.1.X
    DHCP for Anyconn: 10.10.10.0

    I have been reading a lot these past three weeks, but am still not able to telnet, through my AnyConnect, to my internal LAB, which is in the 192.168.1.x range.

    I hope that someone could shed some light on this.

    ASA Version 8.4(2)
    !
    hostname athomeasa
    domain-name home.no
    enable password /Aufnhrl6Wq2.63I encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ddns update method dyndns.com
    ddns both
    interval maximum 1 0 0 0
    !
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    switchport trunk allowed vlan 1,99
    switchport trunk native vlan 1
    switchport mode trunk
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    shutdown
    !
    interface Ethernet0/7
    shutdown
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Vlan5
    nameif dmz
    security-level 50
    ip address dhcp setroute
    !
    boot system disk0:/asa842-k8.bin
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 192.168.1.1
    name-server 193.213.112.4
    name-server 130.67.15.198
    domain-name home.no
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list Split_Tunnel_List remark @home VPN adress pool
    access-list Split_Tunnel_List standard permit host 10.10.10.0
    access-list 80 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
    access-list OUTSIDE_IN_ACL extended permit ip any any
    pager lines 24
    logging enable
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool Anyconnect 10.10.10.0-10.10.10.5 mask 255.255.255.248
    ip verify reverse-path interface outside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit 192.168.1.0 255.255.255.0 outside
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    !
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group OUTSIDE_IN_ACL in interface outside
    !
    router rip
    network 10.0.0.0
    network 192.168.0.0
    network 192.168.1.0
    passive-interface outside
    version 2
    no auto-summary
    !

    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 10.10.10.0 255.255.255.248 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart

    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 outside
    telnet 10.10.10.0 255.255.255.248 outside
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 172.15.253.0 255.255.255.0 inside
    ssh 10.10.10.0 255.255.255.248 outside
    ssh 192.168.1.0 255.255.255.248 outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    management-access inside
    vpn-sessiondb max-other-vpn-limit 25
    vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2

    dhcpd auto_config outside
    dhcpd update dns both
    !
    dhcpd address 192.168.1.10-192.168.1.30 inside
    dhcpd update dns both interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 131.188.3.222 source outside
    ssl trust-point ASDM_TrustPoint0 outside
    ssl trust-point ASDM_TrustPoint0 inside
    webvpn
    enable inside
    enable outside
    anyconnect image disk0:/anyconnect-dart-win-2.5.3054-k9.pkg 2
    anyconnect profiles Anyconnect_home disk0:/anyconnect_home.xml
    anyconnect profiles IKEv2_AnyConnect_Profile disk0:/ikev2_anyconnect_profile.xml
    anyconnect enable
    port-forward Telnet telnet 23 telnet For telnet mot LAB
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    dns-server value 193.213.112.4 130.67.15.198
    vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
    default-domain value home.no
    webvpn
    port-forward enable Telnet
    anyconnect profiles value Anyconnect_home type user
    username admin password XARaPhDBv.vSnjL/ encrypted privilege 15
    username AnyconnUser password HwThb.7IkFtu/Zj9 encrypted privilege 15
    username AnyconnUser attributes
    webvpn
    port-forward enable Telnet
    tunnel-group "Anyconnect Home" type remote-access
    tunnel-group "Anyconnect Home" general-attributes
    address-pool Anyconnect
    tunnel-group "Anyconnect Home" webvpn-attributes
    group-alias AnyconnectSSL1 enable
    group-url xxxxxxxxxxxxxxxxxx enable
    !
    !
    !
    policy-map global-policy
    class class-default
    user-statistics accounting
    !
    service-policy global-policy global
    prompt hostname context

    : end
    [OK]
    athomeasa#

  39. BlogAdmin says

    Hi Alf,

    Your configuration is too messy and it will take me 1 hour to debug it :), so as a shortcut, first of all you should check to see if your internal LAB devices have a default gateway configured. Their default gateway must be 192.168.1.1 (the internal IP of the ASA).

    Please check this and let us know.

    Thanks

  40. Raj says

    Hi all,

    I am unable to access the DMZ servers from the AnyConnect VPN client,
    even though I have added a NAT exemption for the traffic from the DMZ towards the AnyConnect IP pool range.

    nat (dmz,any) source static obj-10.4.2.0 obj-10.4.2.0 destination static obj-10.8.1.0 obj-10.8.1.0

    10.4.2.0 -> DMZ network.
    10.8.1.0 -> AnyConnect IP pool

    please help me.

  41. alf says

    Messy Uh? 😉

    Yeah, I have checked, and the first switch I try to reach is directly connected to port #3 on the ASA, and it has the default gateway pointing to 192.168.1.1.

    When I am on my internal LAN, via the ASA, I can reach the .1.41 switch, which is behind the 1.79 switch, and from the 1.41 I can easily ping through to the ASA at 1.1.

    Hope this helps a little bit. It would be of tremendous help if I could get this to work, as I am about to leave home soon, for a while, and from there it would really save me if I could still reach my internal home net.

    regards, and in advance thanks for reading, and answering this one.

    /alf

  42. BlogAdmin says

    Hi Alf,

    Thanks for purchasing my book. Please follow the steps to configure AnyConnect SSL VPN in the book, and in case you still have a problem please let me know and I'll help you. Since you have ASA version 8.4, there are some small changes in a couple of commands. For example, the "svc" command is now replaced with the "anyconnect" command. I suggest you remove all old configuration from your ASA and start configuring from scratch using my book, because the configs in the book are tried and working.

    Thanks

  43. alf says

    Thanks, will do that. I'm away this weekend, but I will give you feedback Monday afternoon.

    P.S. You could delete these posts, and maybe also that "ugly" one 😉

    regards
    /alf

  44. alf says

    Hi again

    Well, now I have reconfigured it and applied the config as in your book (I guess).
    From work now, I am able to make an AnyConnect VPN connection to my ASA 5505; I have the VPN IP of 192.168.5.1 as configured.
    I am able to ping 192.168.1.70 (the switch which is connected to Ethernet 0/1, VLAN 1 on the ASA), but not able to telnet to it. I tried the packet sniffer from ASDM, and it says that I should be able to telnet from 192.168.5.1 to 1.70 (although I just tested with port 23, not any object or)
    My AnyConnect statistics show that Mode is All Traffic, transport is DTLS, Trusted Network Detection is Disabled.
    I have a Lync client here, and it is connected, because it goes out via DNS when it's not able to reach our internal server farm, but the other applications are not able to use split tunnelling so that they work!

    My config is a lot cleaner now, so would you be kind enough to have a look at my conf.

    Regards

    Alf

    P.S

    By the way, I have started to read the whole book, but I was keen to get this up and running, and then learn the rest 😉

  45. BlogAdmin says

    Hi Alf,

    If you can ping the internal switch from the AnyConnect client, it means that IP connectivity is working fine. Have you enabled Telnet on the switch? You must go to "line vty 0 4" and put a password there. Can you telnet to the same switch from within the internal network?

  46. alf says

    Hi

    Well with all respect BlogAdmin 😉

    I am soon to be a CCNP RS, and yes I have enabled line vty 0 4 ++
    In my lab, I already have a frame relay network running between three 2600 routers; I have a Cisco access switch with eight serial console cables, so that from that one I could telnet through another 5 switches, plus some other routers. From here on my internal network, behind the inside of my ASA, I can do all that; otherwise I could telnet to all my internal equipment 😉

    Deep inside my lab network, I can ping the ASA also, and back.

  47. alf says

    Packet Tracer shows that telnet from x.x.5.1 to 1.41 works OK.
    NAT shows: nat(inside,outside)source static any any dest stat obj-vpnpool obj-vpnpool

    IP-Option Action ALLOW

    FLOW-Creation: New flow

  48. alf says

    Hi again

    Maybe it was because the ssluser1 was not allowed to use either SSH, Telnet or ASDM!

    Checking, and will give you an update tomorrow.
    regards
    /alf

  49. BlogAdmin says

    Hi Alf,

    I was a little more detailed in my instructions to you because you said in your very first comment that you are a newbie :)

    You have not sent me the new ASA config, have you?

    Please post it here to have a look if you want.

    Thanks

  50. alf says

    Hi, that's fine. Yeah, well, I am a newbie regarding the ASA stuff and the more advanced security things, but I find it amazing what this box can do as I read through your book and try things out! Very good!

    I think that since the PING went OK, it maybe was because the ssluser was restricted regarding the use of Telnet, SSH and ASDM access. Will try from work tomorrow, and then I'll let you know, as I think I have sorted that one out now. Then I'll post my config.

    Thanks for answering.

    Regards

    /alf

  51. alf says

    Hi to everyone who's reading this blog. Go get that ASA book from BlogAdmin, no questions asked! It has helped me tremendously; I am now working remotely into my home network from miles away! Those examples do work, if you follow them.

    cheers.
    /alf

  52. asa_newb says

    Can someone please post the full how-to for configuring an ASA 5505 with AnyConnect on version 8.4(1), or change this how-to for 8.4(1)? I am new and would like to get this ASA up and running ASAP.

    Error I get:
    nat (inside) 0 access-list NONAT
    ERROR: This syntax of nat command has been deprecated.
    Please refer to “help nat” command for more details.

    Thanks in advance.

  53. BlogAdmin says

    Hello,

    From ASA version 8.3 and later, Cisco has changed how NAT is configured. Because I don't have time to put a full configuration together again, try to find how to use "nat 0" on version 8.4 and just substitute this into the config above.

  54. says

    After following the above configuration example, I managed to set up the VPN on the ASA; however, when the remote PC was trying to establish the connection, it failed and the ASA generated the log below.

    5 Jan 16 2012 09:28:11 722010 Group User IP SVC Message: 16/ERROR: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.)..

    However, when I tried with a different PC it worked, and I realised it was the Kaspersky AV that was causing the issue.

    As per the following link, Cisco recommends removing the AV, but that is not a long-term solution. Therefore I would like to know whether anyone else has come across this issue and whether there is a concrete resolution for it.

    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac08managemonitortbs.html

  55. BlogAdmin says

    Hi SF,

    Unfortunately I have not encountered something similar before. Hope that someone can shed some light on this. Maybe there is a solution if you make Kaspersky bypass checking of the ActiveX application that AnyConnect SSL is downloading onto the user's computer.

  56. Shiva says

    Hi,

    I have an ASA firewall and need to capture the VPN authentication logs/events on the firewall.

    Currently these types of logs are not being generated on the firewall.

    Can you please let me know what changes need to be made on the firewall in order to capture these logs?

  57. BlogAdmin says

    Shiva,
    You can use an AAA (Authentication, Authorization, Accounting) server to authenticate the VPN users. In this way you can enable accounting on the AAA server, which will give you all authentication logs.

  58. says

    First of all, big thanks for maintaining a very useful site!!

    As per my previous post, I mentioned that AnyConnect has a compatibility issue with Kaspersky. After doing lots of googling, I found a blog site where one of the users mentioned that he/she managed to get around this by unchecking port 443 in the Kaspersky port monitor settings. This of course did work for me too.
    However, I am still having issues when enabling Secure Desktop, which works fine when used with a workstation that doesn't have Kaspersky.

    The other biggest problem is that when I upgraded to ASA 8.4, I realised that the NAT implementation has been changed. The following link explains this.

    [link not correct]

    Also Cisco has announced a bug

    [link requires authentication]

    The biggest problem I have currently is authenticating users using Active Directory, which worked fine before the version upgrade. When I configure the server address and try to test it, I get the following error.

    Authentication test to host 192.168.xx.xx failed. Following error occured-
    ERROR: Authentication Rejected: Memmory error

    The following blog shows that some other users have also experienced this but managed to get around it. However, in my case I am still stuck; therefore it would be great if you could shed some light on this.

  59. Stella says

    Hi,

    Trying to get this working and it just will not work! I have Cisco AnyConnect SSL VPN and the client connects fine, but it cannot ping the default gateway 10.15.202.2. From the ASA I cannot even ping the client, which gets the 1st IP address out of the pool. What am I doing wrong? Cisco ASA 8.4.

    I have sub-interfaces on my inside network and the cust1 user needs access to 10.15.200.0/24.

    In ASDM logging I can see the connection being built and torn down... just no connectivity???

    The config I have:

    asa-fw1# sh run

    ASA Version 8.4(2)
    !
    hostname w1

    !
    interface GigabitEthernet0/0
    description outside
    nameif outside
    security-level 0
    ip address 204.xx.xxx.xx 255.255.255.248

    interface TenGigabitEthernet0/8
    no nameif
    no security-level
    no ip address
    !
    !
    interface TenGigabitEthernet0/8.16
    description Admin
    vlan 16
    nameif inside
    security-level 100
    ip address 10.15.16.1 255.255.255.248
    !
    interface TenGigabitEthernet0/8.200
    description cust1
    vlan 200
    nameif cust1
    security-level 20
    ip address 10.15.200.1 255.255.255.0
    !
    !
    interface TenGigabitEthernet0/9
    shutdown
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name xxxxxxx.com
    object network obj_10.15.202.0
    subnet 10.15.202.0 255.255.255.0
    object network obj_10.15.200.0
    subnet 10.15.200.0 255.255.255.0

    access-list Access_cust extended permit ip 10.15.200.0 255.255.255.0 object obj_10.15.202.0
    pager lines 24
    logging enable
    logging buffered informational
    logging asdm informational

    mtu outside 1500
    mtu inside 1500
    mtu cust1 1500

    ip local pool cust_address_pool 10.15.202.1-10.15.202.254 mask 255.255.255.0

    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 10.15.202.0 255.255.255.248 outside
    no asdm history enable
    arp timeout 14400
    nat (cust1,outside) source static obj_10.15.202.0 obj_10.15.202.0 destination static obj_10.15.200.0 obj_10.15.200.0

    route outside 0.0.0.0 0.0.0.0 204.xx.xxx.xx 1
    route inside 10.0.0.0 255.0.0.0 10.15.16.5 1

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    telnet timeout 5
    ssh 10.1.20.0 255.255.255.0 inside

    ssh timeout 5
    console timeout 0
    vpn-sessiondb max-other-vpn-limit 10000
    vpn-sessiondb max-anyconnect-premium-or-essentials-limit 4
    !
    tls-proxy maximum-session 1000
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    dns-server value 10.1.1.25
    vpn-filter value Access_cust
    address-pools value cust_address_pool
    group-policy DfltGrpPolicy attributes
    dns-server value 10.1.1.25
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
    default-domain value xxxxxx.com

    username admin password xxxxxxxxxxxxxxx encrypted
    username cust1 password xxxxxxxxxxxxxxx encrypted
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    default-group-policy SSLClientPolicy
    tunnel-group SSLClientProfile webvpn-attributes
    group-alias SSLVPNClient enable
    !
    class-map inspection_default
    match default-inspection-traffic
    class-map default
    !
    !
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    prompt priority state hostname
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly 11
    subscribe-to-alert-group configuration periodic monthly 11
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:8038877e65c2884a7549f84fdb4c1ac0
    : end

    any thoughts?

  60. BlogAdmin says

    Hi Stella,

    I have spotted two things:

    1) Reverse the nat statement to the following:

    nat (cust1,outside) source static obj_10.15.200.0 obj_10.15.200.0 destination static obj_10.15.202.0 obj_10.15.202.0

    2) Remove the inside route statement and make it more specific. Maybe this statement is not needed at all.
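    Two NAT problems recur in this thread: the pre-8.3 `nat (inside) 0 access-list NONAT` exemption that 8.4 rejects as deprecated (comment 52), and an identity twice-NAT line written in the wrong direction (Stella's config, corrected above). The helper below is an added example, not code from the blog, the book or Cisco: it rewrites an old-style exemption ACL into 8.3+ objects plus twice NAT (object names follow Raj's `obj-<network>` convention above), and checks that an 8.3+ identity-NAT line has the LAN behind the real interface as source and the VPN pool as destination. The config fragments embedded in it are taken from the comments above.

```python
"""Hypothetical helper for the two 8.3+ NAT issues discussed in this thread
(added example; not the blog's, the book's or Cisco's own code)."""
import ipaddress
import re

# Shape of an 8.3+ twice-NAT line: nat (real,mapped) source static A A' destination static B B'
TWICE_NAT_RE = re.compile(
    r"nat \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) source static "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+) destination static "
    r"(?P<dst_real>\S+) (?P<dst_mapped>\S+)"
)


def net(addr, mask):
    """Build a network from the ASA's 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_objects(config):
    """Map 'object network NAME' / 'subnet A M' definitions to IPv4Network values."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m and current:
            objects[current] = net(m.group(1), m.group(2))
            current = None
    return objects


def convert_nat0(config, acl_name, real_if, mapped_if):
    """Turn each 'permit ip LAN MASK POOL MASK' entry of the old exemption ACL into
    an object pair plus an 8.3+ identity twice-NAT line (LAN = source, pool = destination)."""
    pattern = re.compile(
        rf"access-list {re.escape(acl_name)} extended permit ip (\S+) (\S+) (\S+) (\S+)$"
    )
    out = []
    for raw in config.splitlines():
        m = pattern.match(raw.strip())
        if not m:
            continue
        lan, pool = net(m.group(1), m.group(2)), net(m.group(3), m.group(4))
        lan_obj, pool_obj = f"obj-{lan.network_address}", f"obj-{pool.network_address}"
        out += [
            f"object network {lan_obj}",
            f" subnet {lan.network_address} {lan.netmask}",
            f"object network {pool_obj}",
            f" subnet {pool.network_address} {pool.netmask}",
            f"nat ({real_if},{mapped_if}) source static {lan_obj} {lan_obj} "
            f"destination static {pool_obj} {pool_obj}",
        ]
    return out


def check_identity_nat(line, objects, lan_net, vpn_pool):
    """Return a list of findings for one twice-NAT line; an empty list means it looks right.
    lan_net is the subnet behind the real interface, vpn_pool the AnyConnect address pool."""
    m = TWICE_NAT_RE.match(line.strip())
    if not m:
        return ["not a 'source static ... destination static' twice-NAT line"]
    findings = []
    if m["src_real"] != m["src_mapped"] or m["dst_real"] != m["dst_mapped"]:
        findings.append("real and mapped objects differ, so this is not identity NAT")
    src, dst = objects.get(m["src_real"]), objects.get(m["dst_real"])
    if src is None or dst is None:
        findings.append("source or destination object is not defined")
        return findings
    if src.overlaps(vpn_pool) and dst.overlaps(lan_net):
        findings.append("reversed: source must be the LAN behind the real interface, "
                        "destination the VPN pool")
    else:
        if not src.overlaps(lan_net):
            findings.append(f"source {src} does not cover the LAN {lan_net}")
        if not dst.overlaps(vpn_pool):
            findings.append(f"destination {dst} does not cover the pool {vpn_pool}")
    return findings


# Constructed inputs copied from the comments above: Stella's objects and her original
# and corrected NAT lines, and Joerg's pre-8.3 style NONAT exemption.
SAMPLE_OBJECTS = """\
object network obj_10.15.202.0
 subnet 10.15.202.0 255.255.255.0
object network obj_10.15.200.0
 subnet 10.15.200.0 255.255.255.0
"""
ORIGINAL = ("nat (cust1,outside) source static obj_10.15.202.0 obj_10.15.202.0 "
            "destination static obj_10.15.200.0 obj_10.15.200.0")
CORRECTED = ("nat (cust1,outside) source static obj_10.15.200.0 obj_10.15.200.0 "
             "destination static obj_10.15.202.0 obj_10.15.202.0")
OLD_STYLE = """\
access-list NONAT extended permit ip 192.168.178.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""

if __name__ == "__main__":
    objs = parse_objects(SAMPLE_OBJECTS)
    lan, pool = net("10.15.200.0", "255.255.255.0"), net("10.15.202.0", "255.255.255.0")
    print(check_identity_nat(ORIGINAL, objs, lan, pool))   # one "reversed" finding
    print(check_identity_nat(CORRECTED, objs, lan, pool))  # []
    print("\n".join(convert_nat0(OLD_STYLE, "NONAT", "inside", "outside")))
```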

  61. Joerg says

    Hey folks,

    Thanks for the great tutorial.
    I already used it once and it worked like a charm! But now I have similar trouble to Stella's and cannot find the reason why... AnyConnect connects properly to the ASA but I cannot ping any host on the LAN.

    I am thankful for any hint. Attached you'll find the config I am using... If there's anybody who might have a look at it...?

    Best regards,

    Joerg

    : Saved
    :
    ASA Version 8.4(3)
    !
    hostname ASA-Wiebke
    enable password FRL7ZmTyZNUIuRT0 encrypted
    passwd FRL7ZmTyZNUIuRT0 encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.178.254 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group xxx
    ip address pppoe setroute
    !
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 194.25.0.52
    name-server 194.25.0.60
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network LAN-Wiebke
    subnet 192.168.178.0 255.255.255.0
    object network VPN-Clients
    subnet 192.168.200.0 255.255.255.0
    access-list outside_access_in extended permit udp any any eq isakmp
    access-list outside_access_in extended permit esp any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any any eq ssh
    access-list outside_access_in extended permit udp any any eq time
    access-list outside_access_in extended deny ip any any
    access-list outside_access_in extended permit tcp any any eq https
    access-list NONAT extended permit ip 192.168.178.0 255.255.255.0 192.168.200.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm-buffer-size 512
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool AnyConnect 192.168.200.1-192.168.200.50 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic any interface
    nat (inside,outside) source static LAN-Wiebke LAN-Wiebke destination static VPN-Clients VPN-Clients
    !
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.178.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca trustpoint TrustPoint_Wiebke
    enrollment self
    subject-name CN=ASA-Wiebke
    keypair ASA_Wiebke_Cert
    proxy-ldc-issuer
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA

    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 444
    crypto ikev2 remote-access trustpoint TrustPoint_Wiebke
    telnet timeout 5
    ssh 192.168.178.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group xxx request dialout pppoe
    vpdn group xxx localname xxx@xxx
    vpdn group xxx ppp authentication pap
    vpdn username xxx@xxx password *****

    dhcpd auto_config outside
    !
    dhcpd address 192.168.178.50-192.168.178.69 inside
    dhcpd dns 194.25.0.52 194.25.0.60 interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.53.103.103 source outside prefer
    ntp server 147.231.100.5 source outside
    ntp server 192.53.103.104 source outside
    ssl trust-point TrustPoint_Wiebke outside
    webvpn
    port 444
    enable outside
    dtls port 444
    anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
    anyconnect image disk0:/anyconnect-macosx-i386-3.0.5080-k9.pkg 2
    anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    dns-server value 192.168.178.254
    vpn-tunnel-protocol ssl-client
    address-pools value AnyConnect
    username admin password b0I/H6VfrSJoXgoT encrypted privilege 15
    username biologie password iNdrrTrxzVRoPe5k encrypted
    username biologie attributes
    service-type remote-access
    username mathe password UDXY0B8YZDbHJ7a5 encrypted
    username mathe attributes
    service-type remote-access
    username mathematik password UDXY0B8YZDbHJ7a5 encrypted
    username mathematik attributes
    service-type remote-access
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    default-group-policy SSLClientPolicy
    tunnel-group SSLClientProfile webvpn-attributes
    group-alias AnyConnect enable
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    id-randomization
    id-mismatch action log
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:561c7d37f9a6a18154437c6635fed688
    : end
    asdm image disk0:/asdm-647.bin
    no asdm history enable

  62. BlogAdmin says

    From a first glance the configuration looks correct. Maybe a Microsoft Windows firewall on your internal LAN PCs prevents you from pinging them? Instead of pinging, enable Remote Desktop on one of the internal computers and try to connect with RDP.

  63. StinkyB says

    Hi, great book! I've bought it and read it through last night.

    I've configured most of the settings, from what I think.

    However, I cannot get the AnyConnect website to come up properly.

    Could I have missed something?

    I’ve followed your step 4 configuration and checked the settings above.

    : Saved
    :
    ASA Version 8.4(3)
    !
    hostname ASA5510
    domain-name domain.internal
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    names
    !
    interface Ethernet0/0
    nameif WAN
    security-level 0
    ip address 111.111.111.111 255.255.255.248
    !
    interface Ethernet0/1
    nameif LAN
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name domain.internal
    object network Internal_LAN
    subnet 192.168.0.0 255.255.255.0
    object network obj-remote
    subnet 172.21.5.0 255.255.255.0
    access-list outside_in extended permit icmp any any echo-reply
    access-list outside_in extended deny ip any any log
    access-list nat0_acl extended permit ip 192.168.0.0 255.255.255.0 172.21.5.0 255.255.255.0
    access-list splittunnel standard permit 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging trap debugging
    logging asdm informational
    mtu management 1500
    mtu WAN 1500
    mtu LAN 1500
    ip local pool vpnpool 172.21.5.101-172.21.5.130
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (LAN,WAN) source static any any destination static obj-remote obj-remote
    nat (LAN,WAN) source static Internal_LAN Internal_LAN destination static obj-remote obj-remote no-proxy-arp route-lookup
    !
    object network Internal_LAN
    nat (LAN,WAN) dynamic interface
    access-group outside_in in interface WAN
    route WAN 0.0.0.0 0.0.0.0 111.111.111.112 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication serial console LOCAL
    http server enable
    http server session-timeout 15
    http 192.168.1.0 255.255.255.0 management
    http 192.168.0.0 255.255.255.0 LAN
    http 192.168.1.0 255.255.255.0 LAN
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface WAN
    crypto ikev1 enable WAN
    crypto ikev1 policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 management
    ssh 192.168.1.0 255.255.255.0 management
    ssh 192.168.0.0 255.255.255.0 LAN
    ssh 192.168.1.0 255.255.255.0 LAN
    ssh timeout 5
    console timeout 0
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable WAN
    anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy remotevpn internal
    group-policy remotevpn attributes
    wins-server none
    dns-server value 192.168.0.221
    vpn-idle-timeout 30
    vpn-tunnel-protocol ikev2
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value splittunnel
    default-domain value domain.internal
    username admin password xxxxxxxxxxxxxx encrypted privilege 15
    username vpn1 password xxxxxxxxxxxxxx encrypted
    username vpn1 attributes
    service-type remote-access
    tunnel-group remotevpn type remote-access
    tunnel-group remotevpn general-attributes
    address-pool vpnpool
    default-group-policy remotevpn
    tunnel-group remotevpn webvpn-attributes
    group-url https://vpn.mydomain.com enable
    tunnel-group remotevpn ipsec-attributes
    ikev1 pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f8343d0a68d2fc2281d68ef2089dfbc3
    : end

  64. StinkyB says

    OK, I managed to get AnyConnect going and split tunnel working, but I still can't access the internal network..... =_="

  65. BlogAdmin says

    StinkyB,

    OK, first check that you have received an IP address. Run ipconfig /all on your machine to see which IP you have been assigned. When you say you can't access the internal network, how do you test this? Try to open an RDP connection to an internal Windows box, because ping might be denied by the local Windows firewall. Also, remove the "no-proxy-arp" from the end of the nat command.

  66. StinkyB says

    For pure testing of AnyConnect I've taken out the split tunnel.

    I got the IP address from the VPN pool; I've tested it by trying to ping the local machines. I've turned off the firewall on the PC in the internal network just to make sure, but it cannot be accessed.

    Also, I cannot browse the internet while I'm just connected to AnyConnect. I can only browse the internet when I set the split tunnel. But if I do, all the traffic seems to go out through the local gateway and never goes through the VPN tunnel.

  67. BlogAdmin says

    In order to access the Internet from the AnyConnect client side you must enable split-tunneling. Otherwise, all traffic will flow in the tunnel towards your company network.

  68. SF says

    Hi All
    I have noticed a weird problem on an ASA 5505 with regards to NAT.
    Basically what I did was configure dynamic NAT for all workstations and static NAT for the server. Strangely, the server is still choosing dynamic NAT although the static NAT statement is correct (verified several times).
    Has anyone experienced this before??

    Normally static should take precedence over dynamic, which did not happen.

    Any comments would be great

  69. Shae says

    Hi,

    AnyConnect VPN worked perfectly using your configuration.
    The ASA 5510 came with only 2 connections, so I ordered an AnyConnect Essentials license.
    After I installed the license, AnyConnect VPN says it could not connect to the server.
    I cannot open the https://my IP page either.

    Any advice?

  70. Karthik says

    Hi All,

    I have my SSL-VPN (SONICWALL) box behind a Cisco ASA box. I have done the static for the SSL box and I’m able to ping the box from the internet, but not able to login to the SSL VPN webpage. Previously the SSL box was working with the static public IP.

    Any suggestions would be great

  71. HL says

    Hi!

    Followed the guide above and the tunnel works almost perfect!

    Only problem is that I can’t reach the internal network. Can’t ping, RDP, telnet or open in explorer.

    I’m using the exact IP addresses as mentioned in the guide.

  72. BlogAdmin says

    HL,

    Open the “Cisco Anyconnect VPN Client” software (it must be installed on your PC after connecting for the first time on the ASA) and click on the “Preferences” button (it is next to “Connect to: IP address”). Then click on “Enable Local LAN Access”.

  73. Azam says

    Please check the following which I configured on ASA 5540 8.4(2)
    ============================================
    Identity Nat
    ============================================
    object network INSIDE_HOSTS
    subnet 172.16.0.0 255.255.0.0
    !
    object network RAVPN_HOSTS
    subnet 172.16.170.0 255.255.255.0
    !
    nat (inside,Sahara-internet) source static INSIDE_HOSTS INSIDE_HOSTS destination static RAVPN_HOSTS RAVPN_HOSTS

    ============================================
    Identity Nat
    ============================================
    object network INSIDE_HOSTS1
    subnet 172.18.0.0 255.255.0.0
    !
    object network RAVPN_HOSTS1
    subnet 172.16.170.0 255.255.255.0
    !
    nat (inside,Sahara-internet) source static INSIDE_HOSTS1 INSIDE_HOSTS1 destination static RAVPN_HOSTS1 RAVPN_HOSTS1

    ===============================================
    Define your Split Tunnel ACL
    ===============================================
    ASA(config)# access-list rbt_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
    ASA(config)# access-list rbt_splitTunnelAcl standard permit 172.18.0.0 255.255.0.0

    =======================================
    Define the Group Policy for the WebVPN
    =======================================
    ASA(config)# group-policy NPC_SSLVPN internal
    ASA(config)# group-policy NPC_SSLVPN attributes
    ASA(config-group-policy)# vpn-tunnel-protocol svc webvpn
    ASA(config-group-policy)# webvpn
    ASA(config-group-webvpn)# split-tunnel-policy tunnelspecified
    ASA(config-group-webvpn)# split-tunnel-network-list value splitVPN
    ASA(config-group-webvpn)# split-dns value *****************
    ASA(config-group-webvpn)# dns-server value ************

    ============================
    Define a DHCP pool for the clients to use
    ============================
    ASA(config)#ip local pool NPCPOOL 172.16.170.51-172.16.170.200 mask 255.255.255.0

    ============================
    Define a local user to use for the VPN
    ============================
    ASA(config)# username password privilege 15
    ASA(config)# username attributes
    ASA(config-username)# vpn-group-policy NPC_SSLVPN

    =============================================
    Enable WebVPN
    =============================================

    ASA(config)# webvpn
    ASA(config-webvpn)#enable Sahara-internet
    ASA(config-webvpn)# anyconnect image disk0:/anyconnect-macosx-i386-2.5.2019-k9.pkg 1
    ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-2.5.2019-k9.pkg 2
    ASA(config-webvpn)# anyconnect enable

    =============================================
    Define the tunnel group
    =============================================
    ASA(config)# Tunnel-group TG_SSLVPN type remote-access
    ASA(config)# Tunnel-group TG_SSLVPN general-attributes
    ASA(config-tunnel-general)# default-group-policy NPC_SSLVPN
    ASA(config-tunnel-general)# address-pool NPCPOOL

    ===============================
    Link the tunnel group to WebVPN
    ===============================
    ASA(config)# webvpn
    ASA(config-webvpn)# tunnel-group-list enable
    ASA(config-webvpn)# exit
    ASA(config)# tunnel-group TG_SSLVPN webvpn-attributes
    ASA(config-tunnel-webvpn)# group-alias AnyConnect enable

    ====================
    saving the config
    ====================
    ASA(config)# write

  74. BlogAdmin says

    From a quick glance there is one error in the split tunnel access list. The following command is wrong:

    ASA(config-group-webvpn)# split-tunnel-network-list value splitVPN

    Change it to:

    ASA(config-group-webvpn)# split-tunnel-network-list value rbt_splitTunnelAcl

    So have you tried the above config and it doesn’t work?

    Harris

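As an added example (not part of the original post or of Azam's or Harris's configuration), a short Python check that flags the exact mismatch pointed out above: a `split-tunnel-network-list` that names an ACL the configuration never defines. The config text is a constructed fragment built from the names in Azam's post; the ACL name `splitVPN` is the dangling reference.

```python
import re

# Constructed ASA config fragment (not the page author's), reproducing the
# thread's mistake: the group policy references split-tunnel ACL "splitVPN"
# while the only standard ACL actually defined is "rbt_splitTunnelAcl".
SAMPLE_CONFIG = """\
access-list rbt_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list rbt_splitTunnelAcl standard permit 172.18.0.0 255.255.0.0
group-policy NPC_SSLVPN internal
group-policy NPC_SSLVPN attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value splitVPN
ip local pool NPCPOOL 172.16.170.51-172.16.170.200 mask 255.255.255.0
tunnel-group TG_SSLVPN general-attributes
 default-group-policy NPC_SSLVPN
 address-pool NPCPOOL
"""

ACL_RE = re.compile(r"^\s*access-list\s+(\S+)\s+(standard|extended)\b")
POLICY_RE = re.compile(r"^\s*group-policy\s+(\S+)\s+attributes\b")
SPLIT_RE = re.compile(r"^\s*split-tunnel-network-list\s+value\s+(\S+)")


def check_split_tunnel_refs(config_text):
    """Return (group_policy, acl_name) pairs whose split-tunnel ACL is
    referenced but never defined anywhere in the running config."""
    defined = set()
    refs = []
    current_policy = None
    for line in config_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            defined.add(m.group(1))      # any ACE defines the ACL name
            continue
        m = POLICY_RE.match(line)
        if m:
            current_policy = m.group(1)  # remember which policy we are in
            continue
        m = SPLIT_RE.match(line)
        if m:
            refs.append((current_policy, m.group(1)))
    return [(pol, acl) for pol, acl in refs if acl not in defined]


if __name__ == "__main__":
    for pol, acl in check_split_tunnel_refs(SAMPLE_CONFIG):
        print(f"group-policy {pol}: split-tunnel ACL '{acl}' is not defined")
```

Run it against the output of `show running-config` saved to a file; an empty result means every split-tunnel list points at a defined ACL.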
  75. pambosch10 says

    You should create a DNS entry (or register a new domain name) so that the vpn.mydomain.org will be resolved to the external public IP of the ASA firewall. Another option would be to manually configure the host file of each remote user to resolve vpn.mydomain.org to the public IP of ASA

  76. Orlando says

    I am able to access the local LAN from anyconnect hosts using your instructions. However I need to be able to remote into the anyconnect host from host on the local LAN, but it fails. Pinging the anyconnect host from the local LAN fails. Please advise and thank you in advance.

  77. BlogAdmin says

    Orlando,

    Usually there is a Windows firewall enabled on the remote client (especially on the internet-facing profile, where the firewall blocks everything). Try to disable the firewall and check again.

    Harris
