09-30-2010 02:33 PM - edited 02-21-2020 04:53 PM
I am trying to configure VPN access to my Cisco 5505 with AnyConnect VPN client. Here is the relevant information from my config:
interface Vlan2
 mac-address xxxx.xxxx.xxxx
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.240
!
access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
access-list outside_access_in extended permit tcp any host C.C.C.C eq https
access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq https
access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq www
access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
access-list outside_access_in extended permit gre any host C.C.C.C
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any interface outside
access-list inside_access_out extended permit ip any any
!
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
!
webvpn
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
!
group-policy DfltGrpPolicy attributes
 dns-server value X.X.X.X
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value
 address-pools value palm
 webvpn
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default webvpn
!
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect http
  inspect icmp
  inspect ftp
!
I am getting this error in the Real-Time Log Viewer when I try to connect:
TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443
Here are the license details:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Can anyone tell me what I'm doing wrong or what access list I'm missing?
I have two Cisco ASA 5510 firewalls set up with a similar configuration and AnyConnect SSL VPN is working fine.
09-30-2010 10:08 PM
Can you please share the following:
sh run http
sh run static
Would like to see if ASDM is enabled on the outside interface, and if there is any static PAT with the outside interface IP.
10-01-2010 09:31 AM
Here are those settings:
static (inside,outside) tcp C.C.C.D https D.D.D.D https netmask 255.255.255.255
static (inside,outside) tcp C.C.C.D ftp D.D.D.D ftp netmask 255.255.255.255
static (inside,outside) tcp C.C.C.D www D.D.D.D www netmask 255.255.255.255
static (inside,outside) tcp C.C.C.D ssh D.D.D.E ssh netmask 255.255.255.255
static (inside,outside) tcp C.C.C.D 8080 D.D.D.D 8080 netmask 255.255.255.255
static (inside,inside) tcp C.C.C.D 8080 D.D.D.D 8080 netmask 255.255.255.255
static (inside,inside) tcp C.C.C.D ssh D.D.D.E ssh netmask 255.255.255.255
static (inside,inside) tcp C.C.C.D www D.D.D.D www netmask 255.255.255.255
static (inside,inside) tcp C.C.C.D https D.D.D.D https netmask 255.255.255.255
static (inside,inside) tcp C.C.C.C pptp D.D.D.F pptp netmask 255.255.255.255
static (inside,inside) tcp C.C.C.C ftp D.D.D.G ftp netmask 255.255.255.255
static (inside,inside) tcp C.C.C.C smtp D.D.D.F smtp netmask 255.255.255.255
static (inside,outside) tcp C.C.C.C https D.D.D.F https netmask 255.255.255.255
static (inside,outside) tcp C.C.C.C ftp D.D.D.G ftp netmask 255.255.255.255
static (inside,outside) tcp C.C.C.C smtp D.D.D.F smtp netmask 255.255.255.255
static (inside,outside) tcp C.C.C.C pptp D.D.D.F pptp netmask 255.255.255.255
!
http server enable
http D.D.D.0 255.255.255.0 inside
10-01-2010 07:09 PM
Sorry, from the error message, it seems that you might have port address redirection for HTTPS for your outside interface.
Do you happen to have the following:
static (inside,outside) tcp interface https
You might want to test changing the webvpn port to something which is not used, for example: port 8000, and try to connect with port 8000 and see if that works. Seems that it might conflict in https port for the outside interface ip address.
If you can share the complete config, that might help to understand why.
10-06-2010 12:40 PM
I've gotten past the original problem now. Connections started working after a "reload" for some reason.
Now I'm trying to get the VPN connections authenticated with LDAP. Here are the settings (with a few name substitutions):
aaa-server ldap protocol ldap
aaa-server ldap (inside) host 192.168.103.210
 timeout 5
 ldap-base-dn dc=exampla,dc=com
 ldap-scope subtree
 ldap-naming-attribute userid
 ldap-login-password *
 ldap-login-dn cn=administrator,dc=exampla,dc=com
 server-type openldap
!
webvpn
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3
 svc enable
!
tunnel-group VPNGROUP type remote-access
tunnel-group VPNGROUP general-attributes
 address-pool VPNGROUP
 authentication-server-group ldap
 authentication-server-group (outside) ldap
 authorization-required
tunnel-group VPNGROUP webvpn-attributes
 group-alias VPNGROUP enable
!
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value no-nat
 address-pools value VPNPOOL
 webvpn
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default webvpn
I am able to run a test and authentication succeeds:
ciscoasa(config)# test aaa-server authentication ldap host 192.168.103.210 username testuser password testpw
INFO: Attempting Authentication test to IP address <192.168.103.210> (timeout: 10 seconds)
INFO: Authentication Successful
When I connect with the AnyConnect client, I can only connect with users that are in the LOCAL database. Any attempt to login with a user from LDAP results in "Login failed."
When I go to "ASDM -> Monitoring -> Properties -> AAA Servers" and view the connection statistics, it shows 0 for all of the entries under "ldap". Each time I try to connect with an LDAP user, the "Number of rejects" field for LOCAL increments.
It doesn't seem like it's trying to authenticate with LDAP at all?
I have tried debug with:
debug aaa authentication
but that doesn't seem to do anything.
Any ideas?
Thanks!
10-06-2010 02:13 PM
Hi Matt,
You're probably landing on the default tunnel-group - you need to instruct the client which group to connect to. This can be done in different ways - I see you already have a group-alias defined, but to be able to use that you need to configure:
webvpn
tunnel-group-list enable
Alternatively, if you only have one group you can add "group-url https://yourasa.yourcompany.com/ enable" to the tunnel-group webvpn-attributes.
hth
Herbert
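The two pitfalls this thread runs into, a static PAT that may already own the outside interface's HTTPS port (the 10-01-2010 reply) and a tunnel-group that clients can never select because "tunnel-group-list enable" and "group-url" are both missing (Herbert's answer), are both visible in a running-config before anyone tries to connect. The following is an added example written for this page, not the poster's configuration and not Cisco code: a small Python linter that parses an ASA 8.2-style config (the "static" NAT syntax used above) and flags both conditions. It assumes the ASA convention that sub-commands are indented under their parent command, the port-keyword table is a subset I chose, the sample config is constructed with RFC 5737 documentation addresses, and all function names are mine. It goes slightly beyond the thread by also honouring a non-default "port N" under webvpn and a non-LOCAL authentication-server-group on DefaultWEBVPNGroup.

```python
"""Added example for this page (not the poster's config or Cisco's code):
lint an ASA 8.2-style running-config for the two AnyConnect pitfalls raised
in the thread. Assumes sub-commands are indented under their parent command;
the sample config below is constructed (RFC 5737 addresses)."""
import re

PORT_NAMES = {"https": 443, "www": 80, "ssh": 22, "ftp": 21, "smtp": 25, "pptp": 1723}


def parse_blocks(text):
    """(top-level command, [sub-commands]) pairs; indented lines belong to the
    preceding top-level line, '!' separators and blank lines are dropped."""
    blocks = []
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def interface_ips(blocks):
    """nameif -> interface address, taken from each 'interface' block."""
    ips = {}
    for head, subs in blocks:
        if head.startswith("interface "):
            name = next((s.split()[1] for s in subs if s.startswith("nameif ")), None)
            addr = next((s.split()[2] for s in subs if s.startswith("ip address ")), None)
            if name and addr:
                ips[name] = addr
    return ips


def global_webvpn(blocks):
    """Sub-commands of the top-level 'webvpn' block (the 'webvpn' nested in a
    group-policy stays inside that policy's block and is not returned)."""
    return next((subs for head, subs in blocks if head == "webvpn"), [])


def check_https_pat_conflict(blocks):
    """A 'static (x,IF) tcp ...' PAT owning IF's own address on the port webvpn
    listens on (443 unless 'port N') shadows the SSL VPN listener on IF."""
    wv = global_webvpn(blocks)
    enabled = {s.split()[1] for s in wv if s.startswith("enable ")}
    listen = next((int(s.split()[1]) for s in wv if re.match(r"port \d+$", s)), 443)
    ips = interface_ips(blocks)
    findings = []
    for head, _ in blocks:
        m = re.match(r"static \((\S+),(\S+)\) tcp (\S+) (\S+) ", head)
        if not m:
            continue
        _, out_if, gaddr, gport = m.groups()
        owns_if_addr = gaddr == "interface" or gaddr == ips.get(out_if)
        gport_num = int(gport) if gport.isdigit() else PORT_NAMES.get(gport)
        if out_if in enabled and owns_if_addr and gport_num == listen:
            findings.append(f"{out_if}: '{head}' takes tcp/{listen} on the interface "
                            f"address; move the PAT or set 'port <unused>' under webvpn.")
    return findings


def check_group_selection(blocks):
    """A tunnel-group reachable only via group-alias, with no global
    'tunnel-group-list enable' and no group-url, is never offered to the client:
    the session lands in DefaultWEBVPNGroup and is authenticated by that group's
    server group (LOCAL unless changed), not by the intended group's."""
    wv = global_webvpn(blocks)
    default_auth = "LOCAL"
    for head, subs in blocks:
        if head == "tunnel-group DefaultWEBVPNGroup general-attributes":
            for s in subs:
                if s.startswith("authentication-server-group "):
                    default_auth = s.split()[-1]
    findings = []
    for head, subs in blocks:
        m = re.match(r"tunnel-group (\S+) webvpn-attributes$", head)
        if not m:
            continue
        has_alias = any(s.startswith("group-alias ") and s.endswith(" enable") for s in subs)
        has_url = any(s.startswith("group-url ") and s.endswith(" enable") for s in subs)
        if has_alias and "tunnel-group-list enable" not in wv and not has_url:
            findings.append(f"{m.group(1)}: group-alias set but 'tunnel-group-list enable' "
                            f"is missing and no group-url exists; clients land in "
                            f"DefaultWEBVPNGroup and authenticate against {default_auth}.")
    return findings


def lint(text):
    blocks = parse_blocks(text)
    return check_https_pat_conflict(blocks) + check_group_selection(blocks)


# Constructed sample mirroring the thread's layout; not the poster's config.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 198.51.100.2 255.255.255.240
!
static (inside,outside) tcp 198.51.100.3 https 192.168.103.10 https netmask 255.255.255.255
webvpn
 enable outside
 svc enable
tunnel-group VPNGROUP general-attributes
 authentication-server-group ldap
tunnel-group VPNGROUP webvpn-attributes
 group-alias VPNGROUP enable
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG) or ["no findings"]))
```

Run against the sample it reports only the group-selection problem, which matches the thread: the statics use a different address than the outside interface, so there is no HTTPS conflict, but VPNGROUP has a group-alias and nothing that lets the client pick it. Adding either "tunnel-group-list enable" under the global webvpn block or a "group-url ... enable" under the tunnel-group's webvpn-attributes clears the finding; changing the static to "tcp interface https" produces the PAT conflict instead. On a live ASA the same two areas are what "show run webvpn" and "show run tunnel-group" would show you.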
10-06-2010 03:27 PM
I added the "group-url" as suggested and it started working. Thank you!
Matt