06-08-2024 05:50 PM
Hello,
I have been trying to set up an AnyConnect VPN on my Cisco ASA. Currently the ASA is accessible through the internet. It is not working. Here are my current configurations:
webvpn
 enable outside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/cisco-secure-client-win-5.1.1.42-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 wins-server none
 dns-server value 10.0.0.5
 vpn-tunnel-protocol ssl-client
 default-domain value google.com
dynamic-access-policy-record DfltAccessPolicy
username Vegeta password ***** pbkdf2 privilege 15
username admin1 password ***** pbkdf2
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool SSL-VPN
 default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
!
ip local pool SSL-VPN 10.5.5.1-10.5.5.254 mask 255.255.255.0
Please let me know if you need any more info.
06-09-2024 08:46 PM
Good to hear that. It must feel good that you have gotten to the bottom of this.
06-08-2024 08:00 PM
Have you looked at the logs to see what it is showing? Please attach the logs.
Also, a capture of port 443 on the ASA will be helpful.
CCIEx2 - freelance consultant
06-09-2024 11:42 AM
Thank you for the response.
As for the 443 logs, I see no traffic when I try to capture on that port, so it is something in my config that I must be missing. Would you like me to upload my config?
06-09-2024 04:32 AM
"Not working" means what exactly in this context? I.e., you don't get prompted to log in? The login attempt fails after the prompt?
Do you have the 3DES-AES license installed?
06-09-2024 10:10 AM
The issue is that I do not get prompted to log in. As for the license, I do have that installed.
06-09-2024 11:19 AM
A couple of things: enable AnyConnect on the inside interface and see if you can get a prompt from a PC on the inside.
Also try using a browser and see if it works.
Attach logs or get packet captures.
show asp table socket - this command will show the listening sockets.
06-09-2024 12:38 PM
So after enabling AnyConnect on the inside and trying to access it via a PC inside the network, it worked! As for the "show asp table socket"
Here are some packet captures. I logged into AnyConnect on the inside and also attempted a login from outside the network.
Let me know if you need anything else.
06-09-2024 02:54 PM
Disregard this post. I totally forgot to port forward on my home router. I only allowed port 22 and not 443. Once I allowed 443, it worked.
06-09-2024 03:02 PM
In the provided Wireshark capture for the inside, we can clearly see you attempted AnyConnect and got connected. However, looking at the Wireshark capture for the outside, there seem to be attempts but the ASA does not seem to be responding. Have you configured the certificate for the outside interface (for AnyConnect)? You might be getting the error "No valid certificates available for authentication".
Please share your configuration of the firewall.
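As an added check, not code from the thread or from Cisco, the Python script below runs the ASA-side AnyConnect checklist the replies touch on (webvpn enabled on the interface, anyconnect enable, tunnel-group-list, the address pool and group policy the tunnel-group references, ssl-client in vpn-tunnel-protocol, and an ssl trust-point bound to the interface) against a constructed, re-indented copy of the posted config; SAMPLE_CONFIG, the function names and the trustpoint name used in the checks are assumptions. As the resolution shows, a config that passes every check still fails if 443 is not forwarded to the ASA upstream.

```python
import re

# Constructed from the thread's posted config, re-indented as the ASA prints it (not the full running config).
SAMPLE_CONFIG = """\
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 vpn-tunnel-protocol ssl-client
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool SSL-VPN
 default-group-policy GroupPolicy_VPN
ip local pool SSL-VPN 10.5.5.1-10.5.5.254 mask 255.255.255.0
"""

def _block(config, heading):
    """Sub-commands (indented lines) under one top-level command."""
    body, inside = [], False
    for raw in config.splitlines():
        if not raw.startswith(" "):
            inside = raw.strip() == heading
        elif inside:
            body.append(raw.strip())
    return body

def check_anyconnect_config(config, interface="outside"):
    """ASA-side AnyConnect checklist; returns a list of findings ([] = all present)."""
    top = [l for l in config.splitlines() if l and not l.startswith(" ")]
    findings, webvpn = [], _block(config, "webvpn")
    for need in (f"enable {interface}", "anyconnect enable", "tunnel-group-list enable"):
        if need not in webvpn:
            findings.append(f"webvpn: missing '{need}'")
    if not any(re.fullmatch(rf"ssl trust-point \S+ {interface}", l) for l in top):
        findings.append(f"no 'ssl trust-point <name> {interface}' (default self-signed cert)")
    pools = {m[1] for l in top if (m := re.match(r"ip local pool (\S+) ", l))}
    policies = {m[1] for l in top if (m := re.match(r"group-policy (\S+) internal", l))}
    for tg in (m[1] for l in top if (m := re.match(r"tunnel-group (\S+) type remote-access", l))):
        gen = _block(config, f"tunnel-group {tg} general-attributes")
        args = {l.split()[0]: l.split()[1] for l in gen if len(l.split()) > 1}
        pool, gp = args.get("address-pool"), args.get("default-group-policy")
        if pool not in pools:
            findings.append(f"tunnel-group {tg}: address-pool '{pool}' not defined")
        if gp not in policies:
            findings.append(f"tunnel-group {tg}: default-group-policy '{gp}' not defined")
        elif not any(l.startswith("vpn-tunnel-protocol") and "ssl-client" in l for l in _block(config, f"group-policy {gp} attributes")):
            findings.append(f"group-policy {gp}: vpn-tunnel-protocol lacks ssl-client")
    return findings
```

Run against the posted config the only finding is the missing trustpoint binding, which matches the reply above; a passing result says nothing about reachability of 443 from the internet.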
06-09-2024 04:34 AM
Here, this web tutorial explains in detail how to set up AnyConnect. It will help you mirror your configuration in line with it so it works properly.