cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Webcast- Catalyst 9000
5941
Views
5
Helpful
8
Replies
Highlighted
Beginner

Anyconnect SSL VPN over IPSEC Tunnel

Has anyone been able to configure and connect using Cisco anyconnect ssl vpn over an Cisco IPSEC  tunnel. I have used this in past from a Windows XP system in past but its not working now. None of my users are able to cooect using the Anyconnect over IPSEC. IPSEC on its own works fine.

Also the Anyconnect is able to create the connect to its ASA firewall however its not able to route any traffic across. Do we have any suggestions?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Anyconnect SSL VPN over IPSEC Tunnel

thanks for the update.

8 REPLIES 8
Cisco Employee

Anyconnect SSL VPN over IPSEC Tunnel

Do you have NAT exemption configured ?

Beginner

Anyconnect SSL VPN over IPSEC Tunnel

The IPSEC tunnel connects to the corporate network. And then users use the Anyconnect to connect it to another network within the corporate network to access Staging environment.

Please see the below ASA which connects to the Staging environment via Anyconnect. The Anyconnect connects to this ASA firewall which then adds the routes and gives IP address to the remote clients adapter.


ASA Version 8.4(3)9

!
interface Ethernet0/0
nameif lab-mgmt
security-level 100
ip address 192.0.2.1 255.255.255.192
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
  speed 100
duplex full
nameif dcmgmt
security-level 0
ip address 10.196.x.x 255.255.255.240
!
boot system disk0:/asa843-9-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name x.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dcmgmt_acl extended deny ip any any
access-list inside_acl extended permit ip any any
access-list Local_LAN remark SSL VPN Client local LAN
access-list Local_LAN standard permit 198.51.100.0 255.255.255.0
access-list Local_LAN standard permit 203.0.x.0 255.255.255.0
access-list Local_LAN standard permit 192.0.2.0 255.255.255.128
access-list Local_LAN standard permit 192.0.2.192 255.255.255.192
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging history alerts
logging facility 17
mtu dcmgmt 1500
mtu lab-mgmt 1500
ip local pool SSLClientPool 192.0.2.128-192.0.2.190 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
access-group dcmgmt_acl in interface dcmgmt
route dcmgmt 0.0.0.0 0.0.0.0 10.196.71.190 1
route lab-mgmt 192.0.2.0 255.255.255.128 192.0.2.5 1
route lab-mgmt 192.0.2.192 255.255.255.192 102.0.2.5 1
route lab-mgmt 198.51.100.0 255.255.255.0 192.0.2.5 1
route lab-mgmt 203.0.x.0 255.255.255.0 192.0.2.5 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 dcmgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint
enrollment self
subject-name CN=x-asa-mgmt
ip-address 10.196.x.x
crl configure
crypto ca server
lifetime ca-certificate 3650
lifetime certificate 3650
keysize 2048
keysize server 2048
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
    30820221 ..........................................................
    .........................................................

  quit
crypto ca certificate chain ASDM_TrustPoint
certificate bcad8f4f
    30820342 3082022a a0030201 020204bc ad8f4f30 0d06092a 864886f7 0d010105
    05003063 311b3019 06035504 03131268 69646576 2d737769 2d617361 2d6d676d
    .....................


  quit
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 dcmgmt
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable dcmgmt
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
banner value Development Lab Remote Access Service
banner value Unauthorized Access is Strictly Prohibited
vpn-simultaneous-logins 100
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_LAN
address-pools value SSLClientPool
webvpn
  url-list none
  homepage none
  anyconnect ask none default webvpn
  hidden-shares visible
  file-entry enable
  file-browsing enable
  url-entry enable

username ppaginton attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ssl-client
service-type remote-access

username Jsmith password Mcmtw52fmRxsAkXC encrypted
username Jsmith attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ssl-client
service-type remote-access
............................
.....................
.....................
.....................

tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias HISSL-VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d43d0f14bb1e7ad9dd345c767de3f3b9
: end

Cisco Employee

Anyconnect SSL VPN over IPSEC Tunnel

Do you have NAT exemption configured or you have omitted that part from the config?

object network obj-198.51.100.0

  subnet 198.51.100.0 255.255.255.0

object network obj-203.0.x.0

  subnet 203.0.x.0 255.255.255.0

object network obj-192.0.2.0

  subnet 192.0.2.0 255.255.255.128

object network obj-192.0.2.192

  subnet 192.0.2.192 255.255.255.192

object-group network local-LAN-group

  network-object obj-198.51.100.0

  network-object obj-203.0.x.0

  network-object obj-192.0.2.0

  network-object obj-192.0.2.192

object network obj-192.0.2.128

  subnet 192.0.2.128 255.255.255.192

nat (lab-mgmt,dcmgmt) source static local-LAN-group local-LAN-group destination static obj-192.0.2.128 obj-192.0.2.128

Beginner

Anyconnect SSL VPN over IPSEC Tunnel

I think this might be missing. I have to apply this rule and see if this fixes the underlying problem. But one more thing it works fine when I connect directly from the corporate network i.e when I am on the corporate LAN. I mean from from work LAN this Anyconnect works fine and I am able to connect to the inside (lab-mgmt) network. But the only issue arises when connecting remotly via the IPSEC tunnel.

Beginner

Anyconnect SSL VPN over IPSEC Tunnel

Sorojkjena,

I have having issues right now with configuring cisco anyconnect over an IPSEC vpn tunnel.  The workstation that the AnyConnect client is installed on is a windows VM.  Can you tell me how you got this to work.  It would be greatly appreciated.

Thanks,

John

You can reach me via e-mail at burtonj888@yahoo.com

Beginner

Anyconnect SSL VPN over IPSEC Tunnel

Hi John

This is a known issue with Cisco and Windows VM. I don't think you can get it working on a windows VM but I believe it works on a RedHat or OSx VM.

I would suggest to get a clean build windows VM without any application which create a virtual adapter and then install anyconnect.

Thanks

Saroj

Beginner

Anyconnect SSL VPN over IPSEC Tunnel

I have found the problem. Its nothing to do with NAT rather the issue is with how the Anyconnect and IPSEC interact with virtual adapter.

Unfortunately issue lies with the winsock bindings.The connection over an IPSEC using Anyconnect will only work if you do not have any other application doing any virtutal binding to you ethernet adapter. Like virtual box or VM client.

On a clean build laptop with no other bindings this solution will work without any problem.

Cisco Employee

Anyconnect SSL VPN over IPSEC Tunnel

thanks for the update.