07-27-2012 10:40 PM - edited 02-21-2020 06:13 PM
Can someone assist me with configuring Cisco AnyConnect VPN? For some reason with the config below, I seem to get connected but then my internet connection randomly drops and reconnects. I've tried several different times to get this to work properly but I'm obviously missing something here. Any help is appreciated.
ASA Version 8.2(2)
!
hostname FW01
enable password .MlTybcgwEXNF1HM encrypted
passwd .MlTybcgwEXNF1HM encrypted
names
dns-guard
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
description ### Link to Internet ###
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description ### Link to GUEST WIFI ###
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
description ### Link to INSIDE LAN ###
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
description ### Link to INSIDE WIFI ###
nameif insidewifi
security-level 50
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
description ### Link to Internet ###
switchport access vlan 2
!
interface Ethernet0/1
description ### Link to GUEST WIFI ###
switchport access vlan 3
!
interface Ethernet0/2
description ### Link to INSIDE LAN ###
switchport access vlan 4
!
interface Ethernet0/3
description ### Link to INSIDE WIFI ###
switchport access vlan 5
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
banner exec
banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********
banner exec *
banner exec * This system is for the use of authorized users only.
banner exec * Individuals using this system are subject to having all of their
banner exec * activities on this system monitored and recorded by system
banner exec * personnel.
banner exec *
banner exec * Anyone using this system expressly consents to such monitoring
banner exec * and is advised that if such monitoring reveals possible
banner exec * evidence of criminal activity, system personnel may provide the
banner exec * evidence of such monitoring to law enforcement officials.
banner exec *
banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********
banner exec
banner exec
banner exec Name:.......FW01
banner exec Address:....172.16.1.1
banner exec Location:...CST -5
ftp mode passive
clock timezone CST -5
same-security-traffic permit inter-interface
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit udp any host 172.16.1.102 eq domain
access-list guest extended permit udp any host 172.16.1.103 eq domain
access-list guest extended permit udp any any range bootps tftp
access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log
access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any
access-list Outside_In extended permit tcp any any eq 3389
pager lines 50
logging enable
logging list TEST level alerts
logging buffered debugging
logging asdm informational
logging mail TEST
logging from-address FW01@fw01.com
logging recipient-address ************* level errors
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
ip local pool SSLClientPool 172.16.9.1-172.16.9.2 mask 255.255.255.0
ip audit name FW01-INFO info action alarm
ip audit name FW01-ATTACK attack action alarm reset
ip audit interface outside FW01-INFO
ip audit interface outside FW01-ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any guest
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (inside,outside) tcp interface 3389 172.16.1.200 3389 netmask 255.255.255.255
static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group Outside_In in interface outside
access-group guest in interface guest
access-group inside in interface inside
access-group insidewifi in interface insidewifi
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
sysopt noproxyarp outside
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn sslvpn.moore.net
subject-name CN=sslvpn.moore.net
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 956e1350
308201ef 30820158 a0030201 02020495 6e135030 0d06092a 864886f7 0d010105
0500303c 31193017 06035504 03131073 736c7670 6e2e6d6f 6f72652e 6e657431
1f301d06 092a8648 86f70d01 09021610 73736c76 706e2e6d 6f6f7265 2e6e6574
301e170d 31323037 32383034 34363133 5a170d32 32303732 36303434 3631335a
303c3119 30170603 55040313 1073736c 76706e2e 6d6f6f72 652e6e65 74311f30
1d06092a 864886f7 0d010902 16107373 6c76706e 2e6d6f6f 72652e6e 65743081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c8 167e2c3d
04c16a6c b6639fda c60f085a 8ea6a2ea 6e0bcafb acb3ec8e 3c659274 37636c34
0df9e770 17fb97f6 c2b8641e ff3675f3 3d906e01 a7056bb0 9c0bf54c 3475729e
74caf157 068464d3 e235c46f a8525867 c3911d9c 760253d0 c7bbb7c8 84f91f92
858866c6 e0c1033d 6cfba6f0 b732158f 3d2d7ef5 9bbb0821 4d093f02 03010001
300d0609 2a864886 f70d0101 05050003 81810062 65e2455a cb4e87ea 7879099d
06ed1c5e 7eab180a 4d7564be c36810eb fe6a5bb9 94348ded 1336d811 d0949342
2718400c 8cc32395 23e7d722 3e2758a9 a2116a38 07500bd5 5b96f3c2 1d7c5769
dc5b876b 858cb447 355aa323 abbaf45d bed3814d a04f503a 21cddb47 aaecd5aa
1c82f701 22969424 f6845937 a21568a1 ecaa0e
quit
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
!
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay setroute guest
dhcprelay setroute insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.0.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 211.233.40.78
ntp server 61.153.197.226
ntp server 202.150.213.154 prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 172.16.1.102 172.16.1.103
vpn-tunnel-protocol svc
default-domain value moore.net
address-pools value SSLClientPool
username gmoore_a password PNUmTwjDhevRqhkT encrypted privilege 15
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
smtp-server 68.1.17.8
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:847a9a2b25e6a8ea2d4b68d17cdd41d2
: end
no asdm history enable
07-31-2012 10:40 AM
I couldn't tell what the ldap.memberof attribute was set to, but does it match what the ASA retrieved?
[108] memberOf: value = CN=MOORE-APP-SSLVPNUsers-GS,OU=Groups,OU=MooreNetwork,DC=moore,DC=net
[108] memberOf: value = CN=MOORE-FS-MediaWriters-GS,OU=Groups,OU=MooreNetwork,DC=moore,DC=net
Also, did you try to remove this condition to see if you were able to get access (just as a test)?
Thanks,
Tarik Admani
*Please rate helpful posts*
07-31-2012 04:57 PM
It does match what was retrieved by the ASA. I removed the ldap attribute and I was unable to log in.
07-31-2012 10:30 PM
Garland,
Can you check this DAP record and force the access method to use the anyconnect client and see if that changes your luck?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-01-2012 06:45 PM
Unfortunately it didn't change my luck. This is very mind-boggling!
08-01-2012 07:12 PM
Can you post a new running config after the changes we made?
Sent from Cisco Technical Support iPad App
08-06-2012 10:27 PM
My apologies for the delayed response. The truncated config is below...
same-security-traffic permit inter-interface
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit udp any host 172.16.1.102 eq domain
access-list guest extended permit udp any host 172.16.1.103 eq domain
access-list guest extended permit udp any any range bootps tftp
access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log
access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any
access-list Outside_In extended permit tcp any any eq 3389
access-list SSLClientProfile_SPLIT standard permit 172.16.1.0 255.255.255.0
access-list SSLClientProfile_SPLIT standard permit 172.16.2.0 255.255.255.0
access-list nonat_inside extended permit ip 172.16.1.0 255.255.255.0 172.16.9.0 255.255.255.0
access-list nonat_insidewifi extended permit ip 172.16.2.0 255.255.255.0 172.16.9.0 255.255.255.0
pager lines 50
logging enable
logging list TEST level alerts
logging buffered debugging
logging asdm informational
logging mail TEST
logging from-address FW01@fw01.com
logging recipient-address gdmoore85@gmail.com level errors
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
ip local pool SSLClientPool 172.16.9.1-172.16.9.2 mask 255.255.255.0
ip audit name FW01-INFO info action alarm
ip audit name FW01-ATTACK attack action alarm reset
ip audit interface outside FW01-INFO
ip audit interface outside FW01-ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any guest
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 0 access-list nonat_insidewifi
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (inside,outside) tcp interface 3389 172.16.1.200 3389 netmask 255.255.255.255
static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group Outside_In in interface outside
access-group guest in interface guest
access-group inside in interface inside
access-group insidewifi in interface insidewifi
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record SSLVPNAccessPolicy
description "Access Policy for AnyConnect VPN Users"
priority 1
webvpn
svc ask none default svc
dynamic-access-policy-record DfltAccessPolicy
action terminate
aaa-server SSLVPNUsers protocol ldap
aaa-server SSLVPNUsers (inside) host 172.16.1.102
ldap-base-dn DC=MOORE,DC=NET
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=LDAP Service Account,OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net
server-type microsoft
aaa-server SSLVPNUsers (inside) host 172.16.1.103
ldap-base-dn DC=MOORE,DC=NET
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=LDAP Service Account,OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
sysopt noproxyarp outside
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn sslvpn.moore.net
subject-name CN=sslvpn.moore.net
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 956e1350
308201ef 30820158 a0030201 02020495 6e135030 0d06092a 864886f7 0d010105
0500303c 31193017 06035504 03131073 736c7670 6e2e6d6f 6f72652e 6e657431
1f301d06 092a8648 86f70d01 09021610 73736c76 706e2e6d 6f6f7265 2e6e6574
301e170d 31323037 32383034 34363133 5a170d32 32303732 36303434 3631335a
303c3119 30170603 55040313 1073736c 76706e2e 6d6f6f72 652e6e65 74311f30
1d06092a 864886f7 0d010902 16107373 6c76706e 2e6d6f6f 72652e6e 65743081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c8 167e2c3d
04c16a6c b6639fda c60f085a 8ea6a2ea 6e0bcafb acb3ec8e 3c659274 37636c34
0df9e770 17fb97f6 c2b8641e ff3675f3 3d906e01 a7056bb0 9c0bf54c 3475729e
74caf157 068464d3 e235c46f a8525867 c3911d9c 760253d0 c7bbb7c8 84f91f92
858866c6 e0c1033d 6cfba6f0 b732158f 3d2d7ef5 9bbb0821 4d093f02 03010001
300d0609 2a864886 f70d0101 05050003 81810062 65e2455a cb4e87ea 7879099d
06ed1c5e 7eab180a 4d7564be c36810eb fe6a5bb9 94348ded 1336d811 d0949342
2718400c 8cc32395 23e7d722 3e2758a9 a2116a38 07500bd5 5b96f3c2 1d7c5769
dc5b876b 858cb447 355aa323 abbaf45d bed3814d a04f503a 21cddb47 aaecd5aa
1c82f701 22969424 f6845937 a21568a1 ecaa0e
quit
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
!
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay setroute guest
dhcprelay setroute insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.0.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 211.233.40.78
ntp server 61.153.197.226
ntp server 202.150.213.154 prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 172.16.1.102 172.16.1.103
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSLClientProfile_SPLIT
default-domain value moore.net
address-pools value SSLClientPool
username gmoore_a password fcIL7rCtqCtPWWUm encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group SSLVPNUsers LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group SSLVPNUsers LOCAL
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group SSLVPNUsers LOCAL
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
smtp-server 68.1.17.8
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2255d97f90c650fd6818ad3d604ba697
: end
no asdm history enable
08-07-2012 12:22 AM
Garland,
Can you turn on the webvpn attributes under your group policy? Here is what I have on my ASA (I am running 8.4, so adjust commands accordingly):
webvpn
anyconnect ask none default anyconnect
url-entry disable
Tarik Admani
*Please rate helpful posts*
08-07-2012 05:19 AM
Tarik,
I apologize, I'm slightly confused about what you are asking me to do. My skills with the ASA aren't that diverse. I'm on version 8.2, and when I go to the group policy I don't see the option to do what you've asked me to do.
08-07-2012 07:31 PM
08-08-2012 08:09 PM
Made the changes that you suggested and I'm still unable to log in with a domain account.
08-16-2012 10:09 PM
Here is the partial config I came up with to solve this LDAP issue...
ldap attribute-map LDAPMAP
map-name memberOf IETF-Radius-Class
map-value memberOf CN=MOORE-APP-SSLVPNUsers-DL,OU=Groups,OU=MooreNetwork,DC=moore,DC=net SSLVPNPolicy
dynamic-access-policy-record SSLVPNAccessPolicy
description "Access Policy for AnyConnect VPN Users"
priority 1
webvpn
svc ask none default svc
dynamic-access-policy-record DfltAccessPolicy
action terminate
aaa-server SSLVPNUsers protocol ldap
aaa-server SSLVPNUsers (inside) host 172.16.1.102
ldap-base-dn DC=MOORE,DC=NET
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=LDAP Service Account,OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net
server-type microsoft
ldap-attribute-map LDAPMAP
aaa-server SSLVPNUsers (inside) host 172.16.1.103
ldap-base-dn DC=MOORE,DC=NET
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=LDAP Service Account,OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net
server-type microsoft
ldap-attribute-map LDAPMAP
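As an added illustration (not from the thread, and not Cisco code), this small Python emulation shows how the attribute map above turns a retrieved memberOf value into a group-policy name: it parses the map from the posted config and the memberOf values from the debug output earlier in the thread, and assumes the ASA compares the configured DN against the full DN string exactly.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the attribute map from the final post and the
# memberOf values the ASA logged earlier in the thread.
ATTRIBUTE_MAP_CONFIG = """\
ldap attribute-map LDAPMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=MOORE-APP-SSLVPNUsers-DL,OU=Groups,OU=MooreNetwork,DC=moore,DC=net SSLVPNPolicy
"""
DEBUG_OUTPUT = """\
[108] memberOf: value = CN=MOORE-APP-SSLVPNUsers-GS,OU=Groups,OU=MooreNetwork,DC=moore,DC=net
[108] memberOf: value = CN=MOORE-FS-MediaWriters-GS,OU=Groups,OU=MooreNetwork,DC=moore,DC=net
"""

@dataclass
class AttributeMap:
    name: str
    map_names: dict = field(default_factory=dict)   # LDAP attribute -> Cisco attribute
    map_values: dict = field(default_factory=dict)  # (LDAP attribute, LDAP value) -> Cisco value

def parse_attribute_map(text):
    """Parse 'ldap attribute-map' / 'map-name' / 'map-value' lines into an AttributeMap."""
    amap = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ldap attribute-map "):
            amap = AttributeMap(name=line.split()[2])
        elif line.startswith("map-name "):
            _, ldap_attr, cisco_attr = line.split()
            amap.map_names[ldap_attr] = cisco_attr
        elif line.startswith("map-value "):
            # map-value <ldap-attr> <ldap-value> <cisco-value>; the DN may contain
            # spaces, so peel off the leading keyword/attribute and the trailing value.
            _, ldap_attr, rest = line.split(" ", 2)
            ldap_value, cisco_value = rest.rsplit(" ", 1)
            amap.map_values[(ldap_attr, ldap_value)] = cisco_value
    return amap

DEBUG_LINE = re.compile(r"^\[\d+\] (\S+): value = (.+)$")

def parse_debug_values(text):
    """Collect {ldap_attr: [values]} from ASA LDAP debug lines."""
    values = {}
    for line in text.splitlines():
        m = DEBUG_LINE.match(line.strip())
        if m:
            values.setdefault(m.group(1), []).append(m.group(2))
    return values

def resolve_group_policy(amap, ldap_values, default_policy):
    """Return (policy, matched_dn). A memberOf value that hits a map-value row
    becomes the IETF-Radius-Class, i.e. the group-policy name; otherwise the
    tunnel-group default applies. Matching is an exact string compare (assumption)."""
    for ldap_attr, cisco_attr in amap.map_names.items():
        if cisco_attr != "IETF-Radius-Class":
            continue
        for value in ldap_values.get(ldap_attr, []):
            mapped = amap.map_values.get((ldap_attr, value))
            if mapped is not None:
                return mapped, value
    return default_policy, None
```

Run against the thread's own values, the -GS group in the debug output does not hit the -DL map-value, so that user falls back to the tunnel-group default policy; only a memberOf value matching the configured DN character for character yields SSLVPNPolicy, which is the first thing to compare when a mapped user lands in the wrong policy.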