03-07-2014 07:45 AM - edited 02-21-2020 07:33 PM
Hello all,
I am trying to configure an AnyConnect VPN for an IP Phone; however, when the Phone tries to connect to the ASA, the Syslog shows the SSL connection is denied. On the Phone it says the wrong Certificate is being used. The ASA sits behind another Firewall, a Checkpoint, where all traffic to a certain IP is NATed to the ASA. The ASA Certificates are loaded on the CUCM and assigned to the VPN Profile like another discussion had suggested (https://supportforums.cisco.com/docs/DOC-21469). Any suggestions?
Thank you
Steven
ASA Version 8.4(4)3
Phone 9951
Parts of the Configuration:
interface Ethernet0/0
 nameif Voice
 security-level 100
 ip address 172.16.14.15 255.255.254.0
!
ip local pool TEST 172.16.15.20-172.16.15.29 mask 255.255.254.0
!
crypto ca trustpoint ASDM_TrustPoint_CASA_1
 keypair ASDM_TrustPoint_CASA
 crl configure
crypto ca trustpoint CAP-RTP-001_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-002_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint Cisco_Manufacturing_CA_trustpoint
 enrollment terminal
 crl configure
!
crypto ca trustpoint CallManager.pem
 enrollment terminal
 crl configure
crypto ca trustpoint CAPF.pem
 enrollment terminal
 crl configure
crypto ca trustpoint Cisco_Manufacturing_CA.pem
 enrollment terminal
 no client-types
 crl configure
crypto ca trustpoint CAP-RTP-002.pem
 enrollment terminal
 no client-types
 crl configure
crypto ca trustpoint CAP-RTP-001.pem
 enrollment terminal
 no client-types
 crl configure
!
group-policy GroupPhoneWebvpn internal
group-policy GroupPhoneWebvpn attributes
 banner none
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-tunnel-protocol ssl-clientless
 default-domain value ********.local
 address-pools value TEST
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl keepalive 120
  anyconnect ssl rekey time 4
  anyconnect ssl rekey method new-tunnel
  anyconnect dpd-interval client none
  anyconnect dpd-interval gateway 300
  anyconnect ssl compression deflate
  anyconnect ask none default webvpn
!
username casa password S2HJZC6AF95kdYh6 encrypted
username casa attributes
 vpn-group-policy GroupPhoneWebvpn
 service-type remote-access
username CP-9951-SEPD0C28242EB95 password E4dPR6NyFHyvpT34 encrypted
username CP-9951-SEPD0C28242EB95 attributes
 vpn-group-policy GroupPhoneWebvpn
 service-type remote-access
 webvpn
  filter value webvpn
username CUCM1 password CEFLXB5e2sUl7nlS encrypted
username CUCM1 attributes
 vpn-group-policy GroupPhoneWebvpn
 service-type remote-access
username <user> password UWSVh1yZsma11IZ2 encrypted
username <user> attributes
 vpn-group-policy GroupPhoneWebvpn
 service-type remote-access
 webvpn
  filter value webvpn
!
tunnel-group VPNPhone type remote-access
tunnel-group VPNPhone general-attributes
 address-pool TEST
 default-group-policy GroupPhoneWebvpn
tunnel-group VPNPhone webvpn-attributes
 group-url https://172.16.14.15/VPNPhone enable
tunnel-group CertPassTunnelGroup type remote-access
tunnel-group CertPassTunnelGroup general-attributes
 authorization-server-group LOCAL
 default-group-policy GroupPhoneWebvpn
 username-from-certificate CN
tunnel-group CertPassTunnelGroup webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client
 group-url https://172.16.14.15/CertPass enable
tunnel-group CertOnlyTunnelGroup type remote-access
tunnel-group CertOnlyTunnelGroup general-attributes
 default-group-policy GroupPhoneWebvpn
tunnel-group CertOnlyTunnelGroup webvpn-attributes
 authentication certificate
 group-url https://172.16.14.15/CertOnly enable
03-07-2014 10:48 AM
I believe the address reported by the certificate has to match the host address seen by the IP phone. Your NAT in-between may be an issue in this case.
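The mismatch described in the reply can be reproduced the way a TLS client evaluates it: the address the phone dials must be asserted by the certificate (an IP literal only via an iPAddress SAN, a name via a dNSName SAN or, absent any SAN, the CN). The following is an added example, not code from the thread or from Cisco; the certificate description is constructed, its CN and DNS name are placeholders, and only the IP is taken from the group-url in the post.

```python
import ipaddress
from typing import Dict, List

# Constructed stand-in for what the ASA identity certificate might assert.
# The CN and DNS name are placeholders; 172.16.14.15 is the group-url address.
EXAMPLE_CERT: Dict[str, List[str]] = {
    "subject_cn": "asa.example.local",
    "san_dns": ["asa.example.local"],
    "san_ip": ["172.16.14.15"],
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive, one wildcard in the leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a whole top-level or public suffix.
        return len(h_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_address(cert: Dict[str, List[str]], connect_addr: str) -> bool:
    """True if the address the client dialled is one the certificate asserts."""
    try:
        ip = ipaddress.ip_address(connect_addr)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal never matches a DNS name or the CN.
        return any(ip == ipaddress.ip_address(s) for s in cert.get("san_ip", []))
    san_dns = cert.get("san_dns", [])
    if san_dns or cert.get("san_ip"):
        # Once any SAN is present, the CN is ignored.
        return any(_dns_match(p, connect_addr) for p in san_dns)
    return _dns_match(cert.get("subject_cn", ""), connect_addr)


def diagnose(cert: Dict[str, List[str]], connect_addr: str) -> str:
    """Summarise the result in the terms used in the thread."""
    if cert_matches_address(cert, connect_addr):
        return f"OK: {connect_addr} is asserted by the certificate"
    asserted = cert.get("san_dns", []) + cert.get("san_ip", [])
    return (f"MISMATCH: client dialled {connect_addr}, certificate asserts {asserted}; "
            "the externally visible address must be in the certificate's SAN")
```

Run with the NATed address the phone actually dials (for example a constructed 203.0.113.10) against the private address in the group-url to see the mismatch the reply points at.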