ASA5506x AnyConnect - when connected no internet

We decided to get an ASA that had VPN and IPS capabilities. For our needs (less than 20 people) it was suggested to purchase an ASA5506x without wireless.

I contracted a person to do setup. Internally we utilize an OS X Server for OpenDirectory, DHCP, DNS, File Sharing, Mail, Time Machine, VPN, Websites. VPN from OS X would remain as fallback. When all was completed we would next need VPN access for remote Cisco Phones and are currently using CUCM v10.x

The contractor did a decent job of moving all routing to a 3750G while leaving SIP to the 2821. However, they did not get certs set up for AnyConnect, and the FirePOWER module does not connect when you start up the Cisco ASDM-IDM Launcher application.

Testing revealed that internally we can get in and out to the internet just fine. Phones work, mail works and OS X VPN worked. When the next phase started, which was to address AnyConnect, that's where problems arose, which also means VPN for Phones, then IPS. OS X Open Directory is integrated and works fine.

Testing AnyConnect demonstrates you can connect to the office from outside either by iPhone-iPad (using downloaded app from App store) or from desktop MAC-PC. MAC-PC gets software downloaded from ASA upon first connecting.

When you connect using AnyConnect, all web and mail traffic is dead. We can surf internal to the company network but that's it.

We just recently purchased the latest Cisco licenses, so that is not an issue.

I am not an ASA security expert. I can do L2, L3 and do a lot of CUCM-Unity Connection work so getting into CLI is not a problem. However I attempted several times to get AnyConnect to function like the OS X VPN server performed which allowed users to VPN in, cruise the internet, get mail, chat internally etc but I actually made things worse. By worse I mean AnyConnect would not complete a connection at all. Currently we are back to where you can connect as before.

So we still need to address

  • AnyConnect
  • Phone VPN
  • Why is FirePOWER not able to connect
  • IPS 

ASA Info

  • ASA5506x
  • Version: 9.6(2)
  • ASDM Version: 7.6(2)
  • ASA FirePOWER
    • Application Name: ASA FirePOWER
    • Application Status: UP
    • Application Status Description: Normal Operation
    • Application version: 5.4.1-211
    • Data Plane Status: UP
    • Status: UP

I would like to continue to utilize Open Directory, DHCP and DNS from the OS X server for AnyConnect. If that is not advisable, then still use OpenDirectory but set up DHCP and DNS on the ASA5506x with route capability internal and external.

Suggestions on what I need to change/address to enable successful AnyConnect are welcome.

Accepted Solution

austin.lechelt
Level 1

Without having more information, i.e. configuration outputs, I’m going to make some assumptions (cause that’s never resulted in my wife yelling at me :) ).

1st it sounds like your internal networks are referenced in the ACL that’s referenced in the group-policy that’s referenced in your connection profile (that feels like a lot for one sentence). So you may need to enable U-turning:

               ciscoasa(config)# same-security-traffic permit intra-interface
               ciscoasa(config)# nat (outside,outside) 23 source dynamic any interface

2nd configuring the sfr module! There’s a couple of ways to skin this cat, the easiest is the layer 2 approach as the only backplane connection between the ASA and the sfr module is through the Management1/1 interface.

Use any additional interface, or a sub-interface, on the ASA as a management interface (just nameif management or, in the case of a sub-interface, vlan ##, nameif management). Default the actual Management 1/1 interface (no nameif). Now, whatever you set your new management interface IP address to, let’s say non classified military 214.45.99.1, you’re going to want to set your sfr module’s gateway to, and you’re going to set your sfr module eth0 interface in the same subnet e.g. 214.45.99.3. Connect a jumper CAT from the Management1/1 of the ASA to a switch (switchport same VLAN as the switchport connected to the new management interface…or trunk if it’s a sub-interface). Hope this makes sense.

Remember, before you tell the ASA to pipe traffic through the sfr module, you’re going to need to run through the initial configuration of the sfr module, otherwise the default ACP of the sfr, being deny all, will kill all traffic passing through the sfr.

Accessing the initial configuration of the sfr module:

               ciscoasa# session sfr console
               Username:: admin
               Password:: Sourcefire

Allowing the ASA to pass traffic through the sfr module:

               policy-map global_policy
                class sourcefire
                 sfr fail-open

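The full-tunnel U-turn the accepted answer describes, written out as an added example (not the poster's config and not from this thread), together with the management-interface layout it gives for the sfr module. The pool 192.168.50.0/24, LAN 10.1.1.0/23, DNS server 10.1.1.5, the object and policy names, the spare port GigabitEthernet1/8 and the 192.0.2.0/24 management subnet (standing in for the 214.45.99.x addresses above) are all assumptions.

```cisco
! Added example (not the thread's own config). All names and addresses are assumed.
! AnyConnect pool and the networks the NAT rules refer to
ip local pool ANYCONNECT_POOL 192.168.50.10-192.168.50.50 mask 255.255.255.0
object network ANYCONNECT_NET
 subnet 192.168.50.0 255.255.255.0
object network INSIDE_NET
 subnet 10.1.1.0 255.255.254.0
!
! 1) Allow a packet that arrived on 'outside' to leave via 'outside' (U-turn)
same-security-traffic permit intra-interface
!
! 2) VPN <-> LAN: identity NAT so LAN hosts see the real pool addresses
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static ANYCONNECT_NET ANYCONNECT_NET no-proxy-arp route-lookup
! VPN -> Internet: hairpinned traffic is PATed to the outside interface address
nat (outside,outside) source dynamic ANYCONNECT_NET interface
!
! 3) Full tunnel: every client packet, internet included, is forced through the ASA
!    (and so past the sfr module once it is inline). DNS is the OS X server.
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 dns-server value 10.1.1.5
 default-domain value corp.example
!
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy ANYCONNECT_GP
!
! 4) sfr management path (the layer 2 approach from the answer): a spare data port
!    becomes the ASA's management interface; Management1/1 is left un-named and
!    cabled to the same VLAN. 192.0.2.x is a documentation subnet, not a real one.
interface GigabitEthernet1/8
 nameif management
 security-level 100
 ip address 192.0.2.1 255.255.255.0
 management-only
interface Management1/1
 no nameif
 no security-level
 no ip address
!
! On the module itself (after 'session sfr console'):
!   configure network ipv4 manual 192.0.2.3 255.255.255.0 192.0.2.1
! Verify: 'show nat' hit counts on the (outside,outside) rule climb while a client
! browses, and 'show vpn-sessiondb anyconnect' shows the pool address it was given.
```

Keeping the tunnel full means the ASA (and the sfr module) sees all of the client's traffic, which is the point of buying the IPS capability; the trade is that every remote user's internet traffic rides the office uplink.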

4 Replies

cwhite0013
Level 1

What is the end goal for when you connect to AnyConnect? Do you want all internet traffic to go through the VPN or just traffic destined to your network? If you just want the traffic destined to your network encrypted, you need to setup interesting traffic ACLs (split tunnel). This will tell the AnyConnect client what subnets should go over the VPN.

For example, if your office uses 10.1.1.0/23, only traffic destined to 10.1.1.0/23 will be encrypted and the rest would be forwarded normally out to your ISP. For more information on split tunneling and how to set it up, here is a Cisco article:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html#anc9

FirePower isn't my strong suit, but I know I had issues with FirePower not showing up when I was on a Linux box, and I may have had issues with OS X also. This was about a year ago though and I'd how FirePower supported OS X by now. Maybe try to access ASDM from a Windows host?
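The split-tunnel alternative cwhite0013 describes, as an added example that is not part of the original reply. The office LAN is the reply's 10.1.1.0/23; the ACL and object names, the group-policy name ANYCONNECT_GP, the pool 192.168.50.0/24, the DNS server 10.1.1.5 and the domain corp.example are assumptions.

```cisco
! Added example; names, pool and domain are assumed. Office LAN is 10.1.1.0/23 as in the reply.
! Standard ACL listing ONLY the networks that should ride the tunnel
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.254.0
!
object network ANYCONNECT_NET
 subnet 192.168.50.0 255.255.255.0
object network INSIDE_NET
 subnet 10.1.1.0 255.255.254.0
! LAN <-> VPN must not be translated, or returning packets never reach the client
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static ANYCONNECT_NET ANYCONNECT_NET no-proxy-arp route-lookup
!
group-policy ANYCONNECT_GP attributes
 ! 'tunnelspecified' = only what the ACL permits is encrypted; everything else
 ! leaves via the client's own ISP, so no same-security-traffic or hairpin NAT is needed
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 ! Send only corp.example lookups to the internal DNS; public names resolve locally
 split-dns value corp.example
 dns-server value 10.1.1.5
!
! Verify: 'show running-config group-policy ANYCONNECT_GP' on the ASA, and on a
! connected client AnyConnect > Statistics > Route Details should list 10.1.1.0/23
! as the only secured route. Trade-off: a split-tunnel client's internet traffic is
! never seen by the ASA or the sfr module, so the IPS cannot inspect it.
```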

Thanks for your replies and suggestions

I went through both aspects and still could not get full functionality. This must be my lack of understanding of ASA routing aspects. My current development and business activities outweigh the time I need to dive into this and figure it out. At least I am back to where I can log in to the internal network. Again - thanks for your suggestions.


Apologies - wrong button, meant to reply.

I could send configs but would prefer to send them to either you or cwhite0013 email

Let me know if either of you are interested - cfitzsimmons@scgconnect.com