07-05-2012 11:12 PM - edited 02-21-2020 06:10 PM
Has anyone been able to configure and connect using Cisco AnyConnect SSL VPN over a Cisco IPSEC tunnel? I have used this in the past from a Windows XP system, but it's not working now. None of my users are able to connect using AnyConnect over IPSEC. IPSEC on its own works fine.
Also, AnyConnect is able to establish the connection to its ASA firewall; however, it's not able to route any traffic across. Do we have any suggestions?
07-05-2012 11:28 PM
Do you have NAT exemption configured ?
07-06-2012 04:12 AM
The IPSEC tunnel connects to the corporate network, and then users use AnyConnect to connect to another network within the corporate network to access the Staging environment.
Please see the config of the ASA below, which connects to the Staging environment via AnyConnect. AnyConnect connects to this ASA firewall, which then adds the routes and gives an IP address to the remote client's adapter.
ASA Version 8.4(3)9
!
interface Ethernet0/0
nameif lab-mgmt
security-level 100
ip address 192.0.2.1 255.255.255.192
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
speed 100
duplex full
nameif dcmgmt
security-level 0
ip address 10.196.x.x 255.255.255.240
!
boot system disk0:/asa843-9-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name x.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dcmgmt_acl extended deny ip any any
access-list inside_acl extended permit ip any any
access-list Local_LAN remark SSL VPN Client local LAN
access-list Local_LAN standard permit 198.51.100.0 255.255.255.0
access-list Local_LAN standard permit 203.0.x.0 255.255.255.0
access-list Local_LAN standard permit 192.0.2.0 255.255.255.128
access-list Local_LAN standard permit 192.0.2.192 255.255.255.192
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging history alerts
logging facility 17
mtu dcmgmt 1500
mtu lab-mgmt 1500
ip local pool SSLClientPool 192.0.2.128-192.0.2.190 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
access-group dcmgmt_acl in interface dcmgmt
route dcmgmt 0.0.0.0 0.0.0.0 10.196.71.190 1
route lab-mgmt 192.0.2.0 255.255.255.128 192.0.2.5 1
route lab-mgmt 192.0.2.192 255.255.255.192 102.0.2.5 1
route lab-mgmt 198.51.100.0 255.255.255.0 192.0.2.5 1
route lab-mgmt 203.0.x.0 255.255.255.0 192.0.2.5 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 dcmgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint
enrollment self
subject-name CN=x-asa-mgmt
ip-address 10.196.x.x
crl configure
crypto ca server
lifetime ca-certificate 3650
lifetime certificate 3650
keysize 2048
keysize server 2048
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
30820221 ..........................................................
.........................................................
quit
crypto ca certificate chain ASDM_TrustPoint
certificate bcad8f4f
30820342 3082022a a0030201 020204bc ad8f4f30 0d06092a 864886f7 0d010105
05003063 311b3019 06035504 03131268 69646576 2d737769 2d617361 2d6d676d
.....................
quit
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 dcmgmt
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable dcmgmt
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
banner value Development Lab Remote Access Service
banner value Unauthorized Access is Strictly Prohibited
vpn-simultaneous-logins 100
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_LAN
address-pools value SSLClientPool
webvpn
url-list none
homepage none
anyconnect ask none default webvpn
hidden-shares visible
file-entry enable
file-browsing enable
url-entry enable
username ppaginton attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ssl-client
service-type remote-access
username Jsmith password Mcmtw52fmRxsAkXC encrypted
username Jsmith attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ssl-client
service-type remote-access
............................
.....................
.....................
.....................
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias HISSL-VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d43d0f14bb1e7ad9dd345c767de3f3b9
: end
07-06-2012 06:01 AM
Do you have NAT exemption configured or you have omitted that part from the config?
object network obj-198.51.100.0
subnet 198.51.100.0 255.255.255.0
object network obj-203.0.x.0
subnet 203.0.x.0 255.255.255.0
object network obj-192.0.2.0
subnet 192.0.2.0 255.255.255.128
object network obj-192.0.2.192
subnet 192.0.2.192 255.255.255.192
object-group network local-LAN-group
network-object object obj-198.51.100.0
network-object object obj-203.0.x.0
network-object object obj-192.0.2.0
network-object object obj-192.0.2.192
object network obj-192.0.2.128
subnet 192.0.2.128 255.255.255.192
nat (lab-mgmt,dcmgmt) source static local-LAN-group local-LAN-group destination static obj-192.0.2.128 obj-192.0.2.128
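As an added example (not code from the thread or from Cisco), the check the reply above is asking the original poster to do by eye can be scripted: parse the split-tunnel ACL, the address pool, the objects, object-groups and twice-NAT rules out of an ASA 8.3+ config, and report every split-tunnel network that no identity (real equals mapped, both ways) rule carries to the VPN pool. The sample config is constructed from the thread's own objects with `obj-192.0.2.192` deliberately left out of the group so there is something to find; the object-group member syntax `network-object object NAME` is assumed, and the helper names are the example's own.

```python
"""Flag split-tunnel networks that lack a NAT exemption toward the AnyConnect pool.

Added example, not code from the thread or from Cisco. It parses only the ASA
8.3+ statements involved (object, object-group, ip local pool, standard
access-list, twice NAT) and reports each network in the split-tunnel ACL that
no identity NAT rule carries to the VPN address pool.
"""
import ipaddress
import re

# Constructed sample built from the thread's config, with obj-192.0.2.192
# deliberately left out of the object-group so the check has something to find.
SAMPLE_CONFIG = """
ip local pool SSLClientPool 192.0.2.128-192.0.2.190 mask 255.255.255.192
access-list Local_LAN remark SSL VPN Client local LAN
access-list Local_LAN standard permit 198.51.100.0 255.255.255.0
access-list Local_LAN standard permit 192.0.2.0 255.255.255.128
access-list Local_LAN standard permit 192.0.2.192 255.255.255.192
object network obj-198.51.100.0
 subnet 198.51.100.0 255.255.255.0
object network obj-192.0.2.0
 subnet 192.0.2.0 255.255.255.128
object network obj-192.0.2.192
 subnet 192.0.2.192 255.255.255.192
object network obj-192.0.2.128
 subnet 192.0.2.128 255.255.255.192
object-group network local-LAN-group
 network-object object obj-198.51.100.0
 network-object object obj-192.0.2.0
nat (lab-mgmt,dcmgmt) source static local-LAN-group local-LAN-group destination static obj-192.0.2.128 obj-192.0.2.128
"""

# The missing member as it would be typed on the CLI (re-entering a group appends to it).
SAMPLE_FIX = """
object-group network local-LAN-group
 network-object object obj-192.0.2.192
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return dicts of objects, groups, pools and standard ACLs plus a list of NAT rules."""
    objects, groups, pools, acls, nats = {}, {}, {}, {}, []
    block = None  # (kind, name) of the object or object-group currently open
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            block = ("object", m[1])
            objects.setdefault(m[1], [])
        elif m := re.match(r"object-group network (\S+)$", line):
            block = ("group", m[1])
            groups.setdefault(m[1], [])
        elif block and block[0] == "object" and (m := re.match(r"subnet (\S+) (\S+)$", line)):
            objects[block[1]].append(_net(m[1], m[2]))
        elif block and block[0] == "object" and (m := re.match(r"host (\S+)$", line)):
            objects[block[1]].append(ipaddress.ip_network(m[1]))
        elif block and block[0] == "group" and (m := re.match(r"network-object object (\S+)$", line)):
            groups[block[1]].append(m[1])  # reference to another object by name
        elif block and block[0] == "group" and (m := re.match(r"network-object host (\S+)$", line)):
            groups[block[1]].append(ipaddress.ip_network(m[1]))
        elif block and block[0] == "group" and (m := re.match(r"network-object (\S+) (\S+)$", line)):
            groups[block[1]].append(_net(m[1], m[2]))
        elif block and block[0] == "group" and (m := re.match(r"network-object (\S+)$", line)):
            groups[block[1]].append(m[1])  # bare name, as written in the thread
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line):
            pools[m[1]] = (m[2], m[3])
        elif m := re.match(r"access-list (\S+) standard permit host (\S+)$", line):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(m[2]))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append(_net(m[2], m[3]))
        elif m := re.match(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)", line):
            nats.append({"src_real": m[3], "src_mapped": m[4], "dst_real": m[5], "dst_mapped": m[6]})
    return {"objects": objects, "groups": groups, "pools": pools, "acls": acls, "nats": nats}


def resolve(cfg, name):
    """Expand an object, object-group or 'any' into a flat list of networks."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name in cfg["objects"]:
        return list(cfg["objects"][name])
    nets = []
    for member in cfg["groups"].get(name, []):
        nets.extend(resolve(cfg, member) if isinstance(member, str) else [member])
    return nets


def find_unexempted(text, acl_name, pool_name):
    """Split-tunnel networks with no identity NAT rule whose destination covers the pool."""
    cfg = parse_config(text)
    start, end = cfg["pools"][pool_name]
    pool = list(ipaddress.summarize_address_range(ipaddress.ip_address(start), ipaddress.ip_address(end)))
    exempted = []
    for rule in cfg["nats"]:
        # Only a rule with real == mapped on both sides is a NAT exemption.
        if rule["src_real"] != rule["src_mapped"] or rule["dst_real"] != rule["dst_mapped"]:
            continue
        dst = resolve(cfg, rule["dst_real"])
        if all(any(p.subnet_of(d) for d in dst) for p in pool):
            exempted.extend(resolve(cfg, rule["src_real"]))
    return [str(n) for n in cfg["acls"].get(acl_name, []) if not any(n.subnet_of(e) for e in exempted)]


if __name__ == "__main__":
    print("missing exemption:", find_unexempted(SAMPLE_CONFIG, "Local_LAN", "SSLClientPool"))
    print("after fix:", find_unexempted(SAMPLE_CONFIG + SAMPLE_FIX, "Local_LAN", "SSLClientPool"))
```

Run it against the output of `show running-config` with the ACL and pool names from the group-policy. The pool range is broken into CIDR blocks with `summarize_address_range` so that a pool that does not fill its mask (here 128 to 190 inside a /26) is still recognised as covered by the pool object. Note that, as the thread later concludes, a clean result here does not rule out a client-side cause such as Winsock bindings.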
07-06-2012 07:13 AM
I think this might be missing. I have to apply this rule and see if this fixes the underlying problem. But one more thing: it works fine when I connect directly from the corporate network, i.e. when I am on the corporate LAN. I mean, from the work LAN this AnyConnect works fine and I am able to connect to the inside (lab-mgmt) network. The only issue arises when connecting remotely via the IPSEC tunnel.
09-28-2012 12:04 AM
Sorojkjena,
I am having issues right now with configuring Cisco AnyConnect over an IPSEC VPN tunnel. The workstation that the AnyConnect client is installed on is a Windows VM. Can you tell me how you got this to work? It would be greatly appreciated.
Thanks,
John
You can reach me via e-mail at burtonj888@yahoo.com
09-28-2012 12:45 AM
Hi John
This is a known issue with Cisco and Windows VMs. I don't think you can get it working on a Windows VM, but I believe it works on a Red Hat or OS X VM.
I would suggest getting a clean-build Windows VM without any application that creates a virtual adapter, and then installing AnyConnect.
Thanks
Saroj
07-09-2012 10:20 AM
I have found the problem. It's nothing to do with NAT; rather, the issue is with how AnyConnect and IPSEC interact with the virtual adapter.
Unfortunately the issue lies with the Winsock bindings. The connection over IPSEC using AnyConnect will only work if you do not have any other application doing any virtual binding to your Ethernet adapter, like VirtualBox or a VM client.
On a clean-build laptop with no other bindings this solution will work without any problem.
07-09-2012 08:01 PM
thanks for the update.