AnyConnect VPN connections to Cisco ASA 5505 denied

mattkl3com
Level 1

I am trying to configure VPN access to my Cisco 5505 with AnyConnect VPN client.  Here is the relevant information from my config:

interface Vlan2
mac-address xxxx.xxxx.xxxx
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.240
!
access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
access-list outside_access_in extended permit tcp any host C.C.C.C eq https
access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq https
access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq www
access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
access-list outside_access_in extended permit gre any host C.C.C.C
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any interface outside
access-list inside_access_out extended permit ip any any

access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside

webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable

group-policy DfltGrpPolicy attributes
dns-server value X.X.X.X
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
address-pools value palm
webvpn
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default webvpn

policy-map global_policy
class inspection_default
  inspect pptp
  inspect http
  inspect icmp
  inspect ftp
!

I am getting this error in the Real-Time Log Viewer when I try to connect:

TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443

Here are the license details:

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
SSL VPN Peers                : 2
Total VPN Peers              : 10
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has a Base license.

Can anyone tell me what I'm doing wrong or what access list I'm missing?

I have two Cisco ASA 5510 firewalls setup with a similar configuration and AnyConnect SSL VPN is working fine.

Accepted Solution

Hi Matt,

You're probably landing on the default tunnel-group - you need to instruct the client which group to connect to. This can be done in different ways - I see you already have a group-alias defined, but to be able to use that you need to configure:

  webvpn

    tunnel-group-list enable

Alternatively, if you only have one group you can add  "group-url https://yourasa.yourcompany.com/ enable" to the tunnel-group webvpn-attributes.

hth

Herbert


6 Replies

Jennifer Halim
Cisco Employee

Can you please share the following:

sh run http

sh run static

Would like to see if ASDM is enabled on the outside interface, and if there is any static PAT with the outside interface IP.

Here are those settings:

static (inside,outside) tcp C.C.C.D https D.D.D.D https netmask 255.255.255.255
static (inside,outside) tcp C.C.C.D ftp D.D.D.D ftp netmask 255.255.255.255
static (inside,outside) tcp C.C.C.D www D.D.D.D www netmask 255.255.255.255
static (inside,outside) tcp C.C.C.D ssh D.D.D.E ssh netmask 255.255.255.255
static (inside,outside) tcp C.C.C.D 8080 D.D.D.D 8080 netmask 255.255.255.255
static (inside,inside) tcp C.C.C.D 8080 D.D.D.D 8080 netmask 255.255.255.255
static (inside,inside) tcp C.C.C.D ssh D.D.D.E ssh netmask 255.255.255.255
static (inside,inside) tcp C.C.C.D www D.D.D.D www netmask 255.255.255.255
static (inside,inside) tcp C.C.C.D https D.D.D.D https netmask 255.255.255.255
static (inside,inside) tcp C.C.C.C pptp D.D.D.F pptp netmask 255.255.255.255
static (inside,inside) tcp C.C.C.C ftp D.D.D.G ftp netmask 255.255.255.255
static (inside,inside) tcp C.C.C.C smtp D.D.D.F smtp netmask 255.255.255.255
static (inside,outside) tcp C.C.C.C https D.D.D.F https netmask 255.255.255.255
static (inside,outside) tcp C.C.C.C ftp D.D.D.G ftp netmask 255.255.255.255
static (inside,outside) tcp C.C.C.C smtp D.D.D.F smtp netmask 255.255.255.255
static (inside,outside) tcp C.C.C.C pptp D.D.D.F pptp netmask 255.255.255.255

http server enable
http D.D.D.0 255.255.255.0 inside

Sorry, from the error message, it seems that you might have port address redirection for HTTPS for your outside interface.

Do you happen to have the following:

static (inside,outside) tcp interface https https netmask 255.255.255.255

You might want to test changing the webvpn port to something which is not used, for example port 8000, and try to connect with port 8000 and see if that works. It seems that it might conflict with the https port on the outside interface IP address.

If you can share the complete config, that might help to understand why.

I've gotten past the original problem now.  Connections started working after a "reload" for some reason.

Now I'm trying to get the VPN connections authenticated with LDAP.  Here are the settings (with a few name substitutions):

aaa-server ldap protocol ldap
aaa-server ldap (inside) host 192.168.103.210
timeout 5
ldap-base-dn dc=exampla,dc=com
ldap-scope subtree
ldap-naming-attribute userid
ldap-login-password *
ldap-login-dn cn=administrator,dc=exampla,dc=com
server-type openldap

webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3
svc enable

tunnel-group VPNGROUP type remote-access
tunnel-group VPNGROUP general-attributes
address-pool VPNGROUP
authentication-server-group ldap
authentication-server-group (outside) ldap
authorization-required
tunnel-group VPNGROUP webvpn-attributes
group-alias VPNGROUP enable

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value no-nat
address-pools value VPNPOOL
webvpn
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default webvpn

I am able to run a test and authentication succeeds:

ciscoasa(config)# test aaa-server authentication ldap host 192.168.103.210 username testuser password testpw
INFO: Attempting Authentication test to IP address <192.168.103.210> (timeout: 10 seconds)
INFO: Authentication Successful

When I connect with the AnyConnect client, I can only connect with users that are in the LOCAL database.  Any attempt to login with a user from LDAP results in "Login failed."

When I go to "ASDM -> Monitoring -> Properties -> AAA Servers" and view the connection statistics, it shows 0 for all of the entries under "ldap".  Each time I try to connect with an LDAP user, the "Number of rejects" field for LOCAL increments.

It doesn't seem like it's trying to authenticate with LDAP at all?

I have tried debug with:

debug aaa authentication

but that doesn't seem to do anything.

Any ideas?

Thanks!


I added the "group-url" as suggested and it started working.  Thank you!

Matt
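As an added example (not from the thread, and not Cisco tooling), a small Python lint over an ASA running config that flags the two misconfigurations discussed above: a group-alias that clients cannot select because neither `tunnel-group-list enable` nor a `group-url` is configured (Herbert's diagnosis, which is why sessions landed on the default tunnel-group and its LOCAL database), and a static PAT of the outside interface's https port while webvpn is enabled on outside (Jennifer's hypothesis for the "TCP access denied by ACL ... /443" message). It assumes the one-space child indentation of `show running-config` output; the sample config and the 10.0.0.5 address are constructed.

```python
import re

# Constructed sample shaped like the thread's config (not the poster's real one).
SAMPLE_CONFIG = """\
webvpn
 enable outside
 svc enable
tunnel-group VPNGROUP general-attributes
 authentication-server-group ldap
tunnel-group VPNGROUP webvpn-attributes
 group-alias VPNGROUP enable
static (inside,outside) tcp interface https 10.0.0.5 https netmask 255.255.255.255
"""

def parse_sections(config):
    """Map each unindented command to its indented child lines ('show running-config'
    indents children by one space; repeated headers such as 'webvpn' merge)."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def lint(config):
    """Return findings for the two AnyConnect pitfalls discussed in the thread."""
    s = parse_sections(config)
    webvpn = s.get("webvpn", [])
    findings = []
    # Check 1: a group-alias is only selectable when the client is shown the group list
    # or pointed at the group by URL; otherwise sessions land on the default tunnel-group.
    for header, body in s.items():
        m = re.match(r"tunnel-group (\S+) webvpn-attributes$", header)
        if not m:
            continue
        has_alias = any(line.startswith("group-alias ") for line in body)
        has_url = any(line.startswith("group-url ") for line in body)
        if has_alias and not has_url and "tunnel-group-list enable" not in webvpn:
            findings.append(f"{m.group(1)}: group-alias unselectable; add "
                            "'tunnel-group-list enable' under webvpn or a group-url")
    # Check 2: webvpn listens on TCP/443 of 'outside'; a static PAT that redirects the
    # interface address's https port diverts the AnyConnect TLS handshake instead.
    if "enable outside" in webvpn and any(
            h.startswith("static (inside,outside) tcp interface https ") for h in s):
        findings.append("outside: interface TCP/443 is PAT'd away from webvpn")
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports both findings; adding `tunnel-group-list enable` under webvpn (or a group-url under the tunnel-group) clears the first, matching what resolved the thread.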
