cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3142
Views
0
Helpful
2
Replies

Configure AnyConnect (Mobile) on ASA5505

Joffroi85
Level 1
Level 1

I've found tutorials and guides on how to configure AnyConnect on an ASA5505, but I wanted to check before to make sure I was going the right direction. 

Setup:

I have a very simple setup and basic goal.  I currently just have one laptop on E0/1 of my ASA5505 and then the ASA configured with a static IP plugged to the Internet.  I have the ASA correctly configured and can browse the web through the laptop.

I also have the AnyConnect and AnyConnect Mobile licenses as well.

Goal:

I want to set up AnyConnect on the ASA5505 and just establish a successful connection from an android mobile device running the necessary AnyConnect software from the market.

===========

There are lots of guides for specifc set ups, but as described, I want to keep this as simple as possible.

Would this be a good guide to be able to complete this?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml

Also, I'm more comfortable with the CLI. Is it simpler to use the ASDM wizard for this?

Thanks in advance.

1 Accepted Solution

Accepted Solutions

Hello Joffroi,

Please mark the question as answered so future users can learn from your own resolution

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

2 Replies 2

Joffroi85
Level 1
Level 1

I am unable to connect to https://192.168.1.1/admin for asdm for some reason, so I went ahead and tried my first attempt at getting AnyConnect set up through CLI (which I prefer anyway).

My ASA is assigned 99.66.167.69 and I'm still able to browse content through a connected laptop. After my set up, I am unable to access https://99.66.167.69 though.  Is there something wrong with my assigned IP Pool?

Below is my config file. Any help is greatly appreciated.

===================================================================

ASA5505# show run

: Saved

:

ASA Version 8.2(5)

!

hostname SA5505

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 99.66.167.69 255.255.255.248

!

ftp mode passive

access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0

pager lines 24

mtu inside 1500

mtu outside 1500

ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 99.66.167.70 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

anyconnect-essentials

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy SSLClientPolicy internal

group-policy SSLClientPolicy attributes

dns-server value 192.168.5.100

vpn-tunnel-protocol svc

address-pools value SSLClientPool

username testuser password cd0dmVM0fEWRYugq encrypted

username testuser attributes

service-type remote-access

tunnel-group SSLClientProfile type remote-access

tunnel-group SSLClientProfile general-attributes

default-group-policy SSLClientPolicy

tunnel-group SSLClientProfile webvpn-attributes

group-alias SSLVPNClient enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:d5fab45fe19eea3f55517353a07e50d0

: end

EDIT:  I just tested this configurations on AnyConnect on my device and I was SUCCESSFULLY able to complete the VPN! I apologize for taking up room on this forum. I guess I should have tried a couple times first being reaching out to help. Surprised myself.

Hello Joffroi,

Please mark the question as answered so future users can learn from your own resolution

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: