05-31-2018 08:15 AM
Hello Team,
Please, I just set up an ASA5505 and configured AnyConnect using ASDM 7.6, but I am unable to HTTPS to it from the internet.
Below is the configuration; kindly advise me:
Result of the command: "sh run"
: Saved
:
: Serial Number: JMX180240B7
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)18
!
hostname StaffVPN
domain-name <deleted>
enable password <deleted> encrypted
names
ip local pool SSLVPNPool 10.90.10.1-10.90.10.100 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2404
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description LAN
nameif inside
security-level 100
ip address 10.70.3.183 255.255.255.128
!
interface Vlan2404
description WAN
nameif outdside
security-level 0
ip address 41.191.99.14 255.255.255.192
!
ftp mode passive
dns server-group DefaultDNS
domain-name GCBLTD.COM
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Internal_ip
host 192.168.138.30
description Jumpbox
object network 41.191.99.1
host 41.191.99.1
description 41.191.99.1
object network public
host 41.191.99.14
description public
object service http
service tcp destination eq https
object network inside
subnet 192.168.0.0 255.255.0.0
description inside
object-group network DM_INLINE_NETWORK_1
network-object 10.70.3.128 255.255.255.128
network-object object inside
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp destination eq https
access-list outdside_access_in extended permit tcp any host 41.191.99.14 eq https
access-list outdside_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outdside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outdside_access_in_1 in interface outdside
route inside 10.70.0.0 255.255.0.0 10.70.3.254 1
route inside 192.168.0.0 255.255.0.0 10.70.3.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
http 10.70.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outdside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn remoteendpoint.gcbltd.com
subject-name CN=remoteendpoint.gcbltd.com
keypair sslvpnkeypair
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 67770d5b
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.70.0.0 255.255.0.0 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outdside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect image disk0:/anyconnect-win-4.4.00243-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.4.00243-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 10.70.1.46 10.70.1.47
vpn-tunnel-protocol ssl-client
default-domain value GCBLTD.COM
address-pools value SSLVPNPool
username <deleted> password FLImc3IfwN5MydxT encrypted privilege 15
username <deleted> password 91MJ8sqJL57AoQZO encrypted
username <deleted> attributes
service-type remote-access
username <deleted> password 9LEE1NIjFERnNU/M encrypted
username <deleted> attributes
service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias Staff enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:4b6316cd2d08abe8d83946909267547d
: end
Thank you in advance.
Jamal
06-06-2018 12:11 PM
Looks like you are missing the 'enable outside' command under your webvpn section. This enables the interface called to accept anyconnect connections on it.
Give that a shot.
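A small checker for the two things worth looking at in this thread, added here as an example (it is not from the post or from Cisco): it parses an ASA-style running-config, reports whether the untrusted nameif is enabled under `webvpn` as the answer suggests, and flags that the ACL bound inbound on that interface is `permit ip any any`. The sample config is a constructed abbreviation of the one posted above.

```python
"""Added example (not from the thread or Cisco): check an ASA running-config
for the AnyConnect prerequisites the answer points at."""
import re

# Constructed sample abbreviated from the posted config (nameif really is 'outdside').
SAMPLE_CFG = """\
interface Vlan2404
 nameif outdside
 security-level 0
access-list outdside_access_in_1 extended permit ip any any
access-group outdside_access_in_1 in interface outdside
webvpn
 anyconnect enable
 tunnel-group-list enable
"""

def parse_sections(cfg):
    """Map each top-level line to its indented sub-commands (keys keep order)."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())      # ASA indents sub-commands
        elif raw.strip():
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def check_anyconnect(cfg):
    """Findings per untrusted (security-level 0) interface."""
    blocks = parse_sections(cfg)
    webvpn = blocks.get("webvpn", [])
    findings = {}
    for hdr, subs in blocks.items():
        if not (hdr.startswith("interface ") and "security-level 0" in subs):
            continue
        for nameif in (s.split()[1] for s in subs if s.startswith("nameif ")):
            acl = None                      # ACL bound inbound on this interface
            for line in blocks:
                m = re.match(r"access-group (\S+) in interface (\S+)$", line)
                if m and m.group(2) == nameif:
                    acl = m.group(1)
            rules = [l for l in blocks if acl and l.startswith(f"access-list {acl} ")]
            findings[nameif] = {
                "webvpn_enabled": f"enable {nameif}" in webvpn,  # the line the answer adds
                "anyconnect_enabled": "anyconnect enable" in webvpn,
                "inbound_acl": acl,
                "acl_permits_any_any": any(r.endswith(" permit ip any any") for r in rules),
            }
    return findings
```

Running it on the sample reports `webvpn_enabled: False` and `acl_permits_any_any: True`; adding ` enable outdside` under `webvpn` flips the first finding, while the second is a hardening point the ACL named `outdside_access_in` (https only) would address if it were the one bound to the interface.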