anyconnect VPN

filip00011
Level 1

I have a problem with AnyConnect. It says ASA AnyConnect was not able to establish a connection to the specified secure gateway.

I don't have Kaspersky Lab and I don't share an internet connection.

I can log in through the inside interface. I cannot do it through the outside interface.

: Saved
:
: Serial Number: 
: Hardware: ASA5505, 1024 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)
!
hostname ASA

enable password XejxZFfyt2wxqfff encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool testpool 192.168.0.1-192.168.0.254 mask 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone Chicago -6
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.200.12
domain-name gt.com
dns server-group dns
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-subnet
subnet 192.168.200.0 255.255.255.0
object network vdeset
subnet 192.168.10.0 255.255.255.0
object network dvacet
subnet 192.168.20.0 255.255.255.0
object network pet
subnet 192.168.5.0 255.255.255.0
object network vpn
subnet 192.168.60.0 255.255.255.0
object network inside-net
subnet 10.10.10.0 255.255.255.0
object network translated-ip
object network NAT-SOURCE
subnet 10.10.10.0 255.255.255.0
object network NAT-DESTINATION
subnet 192.168.60.0 255.255.255.0
object network palatine
subnet 192.168.70.0 255.255.255.0
object network RV
subnet 192.168.1.0 255.255.255.0
object network VPN_POKUS_VLAN2
subnet 192.168.2.0 255.255.255.0
object network SWITCH
host 192.168.200.1
object network WLC
host 192.168.200.49
object network REMOTE_LAN
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
access-list IPSec-traffic extended permit ip 10.10.10.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list IPSec-traffic extended permit ip 192.168.200.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list IPSec-traffic extended permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list IPSec-traffic extended permit ip 192.168.200.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list NO-NAT extended permit ip 10.10.10.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list outside-inside extended permit tcp any4 object SWITCH eq ssh
access-list outside-inside extended permit ip 192.168.0.0 255.255.255.0 any
access-list split standard permit 192.168.200.0 255.255.255.0
access-list split standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 50000
logging console debugging
logging monitor emergencies
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 10 burst-size 5
asdm image disk0:/asdm-752-153.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NAT-SOURCE NAT-SOURCE destination static NAT-DESTINATION NAT-DESTINATION
nat (inside,outside) source static inside-subnet inside-subnet destination static NAT-DESTINATION NAT-DESTINATION
nat (inside,outside) source static dvacet dvacet destination static NAT-DESTINATION NAT-DESTINATION
nat (inside,outside) source static NAT-SOURCE NAT-SOURCE destination static palatine palatine
nat (inside,outside) source static inside-subnet inside-subnet destination static palatine palatine
nat (inside,outside) source static inside-subnet inside-subnet destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup
!
object network inside-subnet
nat (inside,outside) dynamic interface
object network vdeset
nat (inside,outside) dynamic interface
object network dvacet
nat (inside,outside) dynamic interface
object network pet
nat (inside,outside) dynamic interface
object network NAT-SOURCE
nat (inside,outside) dynamic interface
object network RV
nat (inside,outside) dynamic interface
object network VPN_POKUS_VLAN2
nat (inside,outside) dynamic interface
object network SWITCH
nat (inside,outside) static interface service tcp ssh 222
object network REMOTE_LAN
nat (inside,outside) dynamic interface
access-group outside-inside in interface outside
route outside 0.0.0.0 0.0.0.0 73.72.168.1 1
route inside 192.168.1.0 255.255.255.0 10.10.10.3 1
route inside 192.168.2.0 255.255.255.0 10.10.10.2 1
route inside 192.168.5.0 255.255.255.0 10.10.10.2 1
route inside 192.168.10.0 255.255.255.0 10.10.10.2 1
route inside 192.168.20.0 255.255.255.0 10.10.10.2 1
route inside 192.168.200.0 255.255.255.0 10.10.10.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 1300
crypto ipsec ikev1 transform-set DYN-TS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set FirstSet esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map IPSEC 10 match address IPSec-traffic
crypto map IPSEC 10 set peer 96.90.34.238
crypto map IPSEC 10 set ikev1 transform-set DYN-TS
crypto map IPSEC 26 ipsec-isakmp dynamic dyn1
crypto map IPSEC interface outside
crypto ca trustpoint VPN_SLL
enrollment self
serial-number
crl configure
crypto ca trustpool policy
crypto ca certificate chain VPN_SLL
certificate adbdd856
quit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto ikev1 policy 11
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet 192.168.200.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.200.0 255.255.255.0 inside
ssh 192.168.200.82 255.255.255.255 inside
ssh 192.168.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.135.247.50
ssl trust-point VPN_SLL outside
webvpn
enable inside
enable outside
anyconnect image disk0:/anyconnect-win-4.2.00096-k9.pkg 1
anyconnect profiles ssl disk0:/ssl.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.200.12
split-tunnel-network-list value split
group-policy GroupPolicy_anyconnect_VPN internal
group-policy GroupPolicy_anyconnect_VPN attributes
wins-server none
dns-server value 192.168.200.12
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value aic.local
split-tunnel-all-dns disable
username testuser password IqY6lTColo8VIF24 encrypted
username testuser attributes
service-type remote-access
username filip password 45v666xro4yRZK4W encrypted privilege 15
tunnel-group 96.90.34.238 type ipsec-l2l
tunnel-group 96.90.34.238 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group anyconnect_VPN type remote-access
tunnel-group anyconnect_VPN general-attributes
address-pool testpool
default-group-policy GroupPolicy_anyconnect_VPN
tunnel-group anyconnect_VPN webvpn-attributes
group-alias anyconnect_VPN enable
!
class-map vpn
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
inspect pptp
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:508672c3732643c5af361a2f21cd4842
: end

7 Replies

Aditya Ganjoo
Cisco Employee

Hi,

I see that you are using a trustpoint on the outside interface.

ssl trust-point VPN_SLL outside

Are you trying with certificates from the inside interface as well?

If yes then you should use the trustpoint on the inside interface as well.

ssl trust-point VPN_SLL inside

Regards,

Aditya

Please rate helpful posts.
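As an added example (not part of the thread or Cisco's tooling), a small Python check for the point Aditya raises: it reads the ssl/webvpn lines of an ASA running-config and reports, for every interface where webvpn is enabled, which trust-point is bound to it. The sample config is a constructed excerpt modelled on the lines Filip posted; the set of webvpn subcommands it recognises is an assumption sufficient for a config whose indentation was lost.

```python
import re

# Constructed excerpt modelled on the ssl/webvpn lines in the posted config
SAMPLE_CONFIG = """\
ssl trust-point VPN_SLL outside
webvpn
 enable inside
 enable outside
 anyconnect enable
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.200.12
"""
# Subcommands accepted inside "webvpn" mode; any other line ends the block
# (assumption: enough for a scraped config whose indentation was lost)
WEBVPN_SUBCMDS = ("enable ", "anyconnect ", "tunnel-group-list ")


def trustpoint_coverage(config):
    """Map each webvpn-enabled interface to its bound SSL trust-point (None if
    unbound); key "_default" holds the global trust-point the ASA falls back to."""
    bound, default_tp, enabled, in_webvpn = {}, None, [], False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ssl trust-point (\S+)(?: (\S+))?$", line)
        if m:
            if m.group(2):
                bound[m.group(2)] = m.group(1)   # interface-specific binding
            else:
                default_tp = m.group(1)          # global default trust-point
            in_webvpn = False
            continue
        if line == "webvpn":
            in_webvpn = True
            continue
        if in_webvpn and line.startswith(WEBVPN_SUBCMDS):
            if line.startswith("enable "):
                enabled.append(line.split()[1])  # interface webvpn listens on
            continue
        in_webvpn = False
    report = {iface: bound.get(iface) for iface in enabled}
    report["_default"] = default_tp
    return report


def interfaces_without_trustpoint(config):
    """webvpn interfaces with neither a bound nor a default trust-point."""
    r = trustpoint_coverage(config)
    default = r.pop("_default")
    return [] if default else sorted(i for i, tp in r.items() if tp is None)
```

On the constructed excerpt the check reports that only the outside interface has VPN_SLL bound, so inside is served by whatever self-signed default the ASA generates.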

It works on inside; it doesn't work on outside. I tried all combinations with trust-point without any difference.

Hi Filip,

Are you using certificates for authentication on the outside?

Also, could you share the syslogs of the ASA?

Do we see the packets hitting the outside interface?

Try using debug webvpn svc 255 and share the logs.

Regards,

Aditya

Please rate helpful posts.

This is the output from debug:

Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no IPv6 ACL

Syslog from ASA:

Mar 04 2016 10:03:59 302013 208.54.37.171 21588 73.72.168.22 443 Built inbound TCP connection 111881 for outside:208.54.37.171/21588 (208.54.37.171/21588) to identity:73.72.168.22/443 (73.72.168.22/443)

6 Mar 04 2016 10:04:03 725001 208.54.37.171 21588 Starting SSL handshake with client outside:208.54.37.171/21588 for TLS session.

6 Mar 04 2016 10:04:03 725002 208.54.37.171 21588 Device completed SSL handshake with client outside:208.54.37.171/21588

6 Mar 04 2016 10:04:03 725007 208.54.37.171 21588 SSL session with client outside:208.54.37.171/21588 terminated.
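
As an added example (not from the thread), a small Python parser for syslog lines in the format Filip pasted above. It groups events per client and flags the pattern his output shows: a completed TLS handshake (725002) followed, as the very next event for that client, by session termination (725007), i.e. TLS itself worked but nothing was negotiated on top of it. The line format is assumed from the four pasted lines, which are embedded as the constructed sample.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample: the four ASDM-style syslog lines posted in the thread
SAMPLE_SYSLOG = """\
Mar 04 2016 10:03:59 302013 208.54.37.171 21588 73.72.168.22 443 Built inbound TCP connection 111881 for outside:208.54.37.171/21588 (208.54.37.171/21588) to identity:73.72.168.22/443 (73.72.168.22/443)
6 Mar 04 2016 10:04:03 725001 208.54.37.171 21588 Starting SSL handshake with client outside:208.54.37.171/21588 for TLS session.
6 Mar 04 2016 10:04:03 725002 208.54.37.171 21588 Device completed SSL handshake with client outside:208.54.37.171/21588
6 Mar 04 2016 10:04:03 725007 208.54.37.171 21588 SSL session with client outside:208.54.37.171/21588 terminated.
"""

# "[severity] Mon DD YYYY HH:MM:SS <msgid> <src-ip> <src-port> <text>";
# the severity digit is optional because the first posted line lacks it
LOG_RE = re.compile(
    r"^(?:\d\s+)?(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<msgid>\d{6})\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+(?P<sport>\d+)\s+(?P<text>.*)$"
)

SSL_HANDSHAKE_DONE = 725002   # "Device completed SSL handshake with client"
SSL_SESSION_ENDED = 725007    # "SSL session with client ... terminated"


def parse_asa_log(text):
    """Turn syslog lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                "msgid": int(m["msgid"]),
                "client": (m["src"], int(m["sport"])),
                "text": m["text"],
            })
    return events


def short_lived_ssl_sessions(events, max_seconds=5):
    """(client_ip, port, seconds) for each client whose completed handshake is
    immediately followed by session termination within max_seconds."""
    by_client = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):   # stable: keeps file order
        by_client[ev["client"]].append(ev)
    flagged = []
    for (ip, port), evs in by_client.items():
        for first, nxt in zip(evs, evs[1:]):
            if first["msgid"] == SSL_HANDSHAKE_DONE and nxt["msgid"] == SSL_SESSION_ENDED:
                delta = int((nxt["time"] - first["time"]).total_seconds())
                if delta <= max_seconds:
                    flagged.append((ip, port, delta))
    return flagged
```

Run over a larger buffered log it separates clients whose TLS session dies in the same second from those that go on to authenticate, which narrows the fault to what happens after the handshake.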

Hi Filip,

On the PC from which you are trying to connect, can you remove the XML profile and then test?

Here is the location for the AnyConnect profile:

%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

Regards,

Aditya

Please rate helpful posts.

Hi,

There is neither a folder nor a file called profile.

I have never established a working connection from that PC. I have tried 2 different PCs.

Hi Filip,

On checking the debugs I found that the connection is being built on the outside IP:

Mar 04 2016 10:03:59 302013 208.54.37.171 21588 73.72.168.22 443 Built inbound TCP connection 111881 for outside:208.54.37.171/21588 (208.54.37.171/21588) to identity:73.72.168.22/443 (73.72.168.22/443)

The IP of your inside interface is 10.10.10.1. May I know how you connect to it? Do you put in an IP, or do you try using a hostname, as the connection request is going to a different IP?

Regards,

Aditya

Please rate helpful posts.