ASA 5508-x IPSEC VPN

Jah8887
Level 1

Hi all,

I am trying to set up an Anyconnect VPN so my home users can remote to the internal network. I have gone through and configured it through the Anyconnect Wizard but it will not let me log in through the Anyconnect client I installed. I used internal DNS servers and put my FQDN for where it says domain. Also, I made sure the address pool for the client was not part of the internal network. I am trying to figure out where I went wrong.

vpn.JPG


Jah8887
Level 1
I forgot to incorporate the CLI preview after that screen, my apologies.
[OK] ! write client profile "disk0:/testvpn_client_profile.xml" to ASA
[OK] webvpn
[OK] anyconnect profiles testvpn_client_profile disk0:/testvpn_client_profile.xml
[OK] exit
[OK] username vpnuser password ********** privilege 2
[OK] group-policy GroupPolicy_testvpn internal
[OK] group-policy GroupPolicy_testvpn attributes
group-policy GroupPolicy_testvpn attributes
[OK] vpn-tunnel-protocol ikev2 ssl-client
[OK] webvpn
group-policy GroupPolicy_testvpn attributes
webvpn
[OK] anyconnect profiles value testvpn_client_profile type user
[OK] exit
[OK] group-policy GroupPolicy_testvpn attributes
group-policy GroupPolicy_testvpn attributes
[OK] dns-server value Internal DNS Server IPs
[OK] wins-server none
[OK] default-domain value FQDN
[OK] exit
[OK] tunnel-group testvpn type remote-access
[OK] tunnel-group testvpn general-attributes
tunnel-group testvpn general-attributes
[OK] default-group-policy GroupPolicy_testvpn
[OK] address-pool 200
[OK] tunnel-group testvpn webvpn-attributes
tunnel-group testvpn webvpn-attributes
[OK] group-alias testvpn enable
[OK] clear config tunnel-group Vpnblue
[OK] clear config tunnel-group "VPN ANY"
[ERROR] no group-policy "GroupPolicy_VPN ANY"
Use 'no group-policy GroupPolicy_VPN ANY attributes' to remove all attributes before removing this group-policy. 'clear configure group-policy GroupPolicy_VPN ANY' can also be used to remove the group-policy.

[OK] no group-policy "GroupPolicy_VPN ANY" attributes
[OK] clear config group-policy GroupPolicy_Vpnblue
[OK] no crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0 noconfirm

Here is also my show run command, if this will help:
ciscoasa# show run webvpn
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1
anyconnect profiles testvpn_client_profile disk0:/testvpn_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
ciscoasa# show run tunnel-group
tunnel-group AnyBlue type remote-access
tunnel-group AnyBlue general-attributes
address-pool 200
default-group-policy GroupPolicy_AnyBlue
tunnel-group AnyBlue webvpn-attributes
group-alias AnyBlue enable

Cristian Matei
VIP Alumni

Hi,

Go through this guide, see what you missed and perform a correct configuration, try to connect and post here exactly what's not working (error messages, or do you even get the authentication prompt, etc.).

Regards,

Cristian Matei.

Thanks for that link! I went through the guide successfully; however, when I downloaded the Cisco Anyconnect 4.7 package and installed the Core and VPN part, then tried logging in with the Anyconnect application, it says no valid certifications available for authentication. I am putting the ASA's IP into the Cisco Anyconnect VPN application when it asks where to connect to and that message pops up.

no certificate available.JPG

Hi, it looks like Anyconnect is searching for a certificate for authentication.

Since you don't have any 'authentication-server-group' defined, it will look into the default tunnel-group, 'DefaultWEBVPNGroup'.

You could try to specify LOCAL as authentication server group, e.g.:

tunnel-group AnyBlue general-attributes
 authentication-server-group LOCAL
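
A small offline check for the suggestion above, as an added example that is not part of the original replies or of any Cisco tooling: it parses saved "show run tunnel-group" output and lists remote-access tunnel-groups that have no explicit authentication-server-group line. The "Staff" group in the sample is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: the thread's `show run tunnel-group` output plus a
# hypothetical second group ("Staff") that already carries the suggested line.
SAMPLE = """\
tunnel-group AnyBlue type remote-access
tunnel-group AnyBlue general-attributes
 address-pool 200
 default-group-policy GroupPolicy_AnyBlue
tunnel-group AnyBlue webvpn-attributes
 group-alias AnyBlue enable
tunnel-group Staff type remote-access
tunnel-group Staff general-attributes
 authentication-server-group LOCAL
"""

# Names may be quoted when they contain spaces, e.g. "VPN ANY".
HEADER = re.compile(r'^tunnel-group\s+("[^"]+"|\S+)\s+(.+)$')

def parse_tunnel_groups(text):
    """Return {name: {"type": ..., "<section>": [sub-commands]}}."""
    groups, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            entry = groups.setdefault(m.group(1).strip('"'), {"type": None})
            kind = m.group(2)
            if kind.startswith("type "):
                entry["type"], current = kind.split(None, 1)[1], None
            else:
                current = entry.setdefault(kind, [])
        elif line and current is not None:
            current.append(line)
    return groups

def missing_auth_group(groups):
    """Remote-access groups with no explicit authentication-server-group line."""
    return [
        name for name, entry in groups.items()
        if entry["type"] == "remote-access"
        and not any(cmd.startswith("authentication-server-group ")
                    for cmd in entry.get("general-attributes", []))
    ]

if __name__ == "__main__":
    for name in missing_auth_group(parse_tunnel_groups(SAMPLE)):
        print(f"{name}: no explicit authentication-server-group")
```

The parser strips indentation before matching, so it also accepts output pasted flat, as in the show run listing earlier in this thread.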

Thanks for that. I was able to create a connection from my house back into the work network. I am just working on the last portion which is being able to remote into the PCs onto the network now. Thanks for the assistance to both of you for helping the tunnel get built.