- Cisco Community
- Technology and Support
- Security
- VPN
- ASA5510 SSL VPN, AnyConnect - NO CONNECTION
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
ASA5510 SSL VPN, AnyConnect - NO CONNECTION
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-03-2016 07:43 PM - edited 02-21-2020 08:55 PM
Hi Guys,
So I have been home study at night after work preparing myself hopefully for better feature and currently shooting for IINS cert. and since I like to play with real equipment to learn I got myself some older Cisco gear to play with... anyway currently I have this problem to set up VPN access to my internal network through ASA5510. The ASA sits after my TWC cable modem which is in bridge mode.
I had SSL VPN setup before that was working fine but it was through 1811W Router I was able to connect and access any of mine equipment with out any problem but with all the routing, acl's etc... I was able to get only 22mb/down and 18mb/up internet speed on my local network but with ASA and one of the inside interfaces connected to a 3750G switch I'm getting 92mb/down and 22mb/up on wired network. This is 4th night I'm trying to make this happened and still no luck.
- I can't ping outside interface on ASA which is DHCP assigned public IP but I can ping/access public IP address while connected to my local network of my cable modem which puts me in to modem login page
- When Logging/Monitoring with ASDM I don't see any traffic denied on outside interface when trying access or ping that interface
- I'm using self signed certificate and made up domain name in vpn setup not sure if that could be my problem but I used self signed certificate on the 1811 router and it was fine
- There is another problem with my ASA that could be related... I don't see any OSPF routes besides static routes on ASA itself also no neighbors :-(
Any inputs or suggestions will be a big help....
ASA-5510# sh run
: Saved
:
ASA Version 9.0(4)
!
hostname ASA-5510
enable password ****************** encrypted
names
ip local pool VPN-Pool 10.10.90.1-10.10.90.10 mask 255.255.255.0
!
interface Ethernet0/0
nameif Outside-TWC
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif Inside-LAN
security-level 100
ip address 192.168.75.1 255.255.255.0
!
interface Ethernet0/2
nameif Inside-R1
security-level 100
ip address 192.168.76.1 255.255.255.0
!
interface Ethernet0/3
nameif Inside-R2
security-level 100
ip address 192.168.77.1 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.45.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside-LAN
subnet 192.168.75.0 255.255.255.0
object network Inside-R1
subnet 192.168.76.0 255.255.255.0
object network Inside-R2
subnet 192.168.77.0 255.255.255.0
object network NETWORK_OBJ_10.10.90.0_28
subnet 10.10.90.0 255.255.255.240
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
access-list Outside-TWC_access_in extended permit icmp any any echo-reply
access-list Outside-TWC_access_in extended permit tcp any any object-group DM_INLINE_TCP_4
access-list Inside-LAN_access_in extended permit ip any any
access-list Inside-LAN_access_in extended permit tcp any any object-group DM_INLINE_TCP_2
access-list Inside-R1_access_in extended permit ip any any
access-list Inside-R1_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list Inside-R2_access_in extended permit ip any any
access-list Inside-R2_access_in extended permit tcp any any object-group DM_INLINE_TCP_3
pager lines 24
logging enable
logging asdm informational
mtu Outside-TWC 1500
mtu Inside-LAN 1500
mtu Inside-R1 1500
mtu Inside-R2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside-LAN,Outside-TWC) source static any any destination static NETWORK_OBJ_10.10.90.0_28 NETWORK_OBJ_10.10.90.0_28 no-proxy-arp route-lookup
!
object network Inside-LAN
nat (any,Outside-TWC) dynamic interface
object network Inside-R1
nat (any,Outside-TWC) dynamic interface
object network Inside-R2
nat (any,Outside-TWC) dynamic interface
access-group Outside-TWC_access_in in interface Outside-TWC
access-group Inside-LAN_access_in in interface Inside-LAN
access-group Inside-R1_access_in in interface Inside-R1
access-group Inside-R2_access_in in interface Inside-R2
!
router ospf 1
network 71.xx.xxx.x 255.255.224.0 area 10
network 192.168.45.0 255.255.255.0 area 10
network 192.168.75.0 255.255.255.0 area 10
network 192.168.76.0 255.255.255.0 area 10
network 192.168.77.0 255.255.255.0 area 10
area 10
log-adj-changes
redistribute static
!
route Outside-TWC 0.0.0.0 0.0.0.0 7x.xx.xxx.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.45.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside-TWC_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-TWC_map interface Outside-TWC
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=sslvpn.cybernetcx.com
keypair SSLCyberNet
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 13811d3e
308201e9 30820152 a0030201 02020413 811d3e30 0d06092a 864886f7 0d010105
05003039 311e301c 06035504 03131573 736c7670 6e2e6379 6265726e 65746378
2e636f6d 31173015 06092a86 4886f70d 01090216 08415341 2d353531 30301e17
0d303330 31303932 33303835 325a170d 31333031 30363233 30383532 5a303931
1e301c06 03550403 13157373 6c76706e 2e637962 65726e65 7463782e 636f6d31
17301506 092a8648 86f70d01 09021608 4153412d 35353130 30819f30 0d06092a
864886f7 0d010101 05000381 8d003081 89028181 00bc7d7a c693c0cc 9e221010
425bdd6d ff938d2f 98ea1353 d3db57de ef2ce830 0f91dc94 d1110b93 3b0bd0ba
0649d460 c984ab48 5491919d 52f74df9 ef16741e a77077c8 b9e79c43 160408d2
ff346260 1a46b28b 4341cfd0 30b8136f bb2ef454 79785cfe 7df3ba48 60a8bb49
03ac7482 84e381f8 7ffc0e4c 940085e0 4e65d128 01020301 0001300d 06092a86
4886f70d 01010505 00038181 004631a0 a20257d5 5a9e18e6 2883b9fd e7700e52
15a3dbe9 26789e3d f16f35b7 b4f20567 5b0ae20f 4464f1c1 850fc422 be6d26a0
4bb8f652 d051147a c44c4167 1e8e6cea 36bb1987 454d3380 7416e70b 6972e07b
dd1092a7 358dc7df aa039930 9bb8ebbb e5ff5135 3d78d713 f31b2993 57d42209
7a838d5e 2e7cc581 2ef5411a b1
quit
crypto ikev1 enable Outside-TWC
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface Outside-TWC
dhcpd dns 20x.xx.xx.xx 20x.xx.xx.xx
!
dhcpd address 192.168.75.10-192.168.75.254 Inside-LAN
dhcpd enable Inside-LAN
!
dhcpd address 192.168.76.10-192.168.76.254 Inside-R1
dhcpd enable Inside-R1
!
dhcpd address 192.168.77.10-192.168.77.254 Inside-R2
dhcpd enable Inside-R2
!
dhcpd address 192.168.45.2-192.168.45.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 Outside-TWC
webvpn
enable Outside-TWC
anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy "GroupPolicy_CyberNet VPN" internal
group-policy "GroupPolicy_CyberNet VPN" attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev1 ssl-client
username cyborgx password eY2q2N551hbKBnwt encrypted privilege 15
tunnel-group "CyberNet VPN" type remote-access
tunnel-group "CyberNet VPN" general-attributes
address-pool VPN-Pool
default-group-policy "GroupPolicy_CyberNet VPN"
tunnel-group "CyberNet VPN" webvpn-attributes
group-alias "CyberNet VPN" enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:07e71df731ceb8535f395f1744ef2f06
: end
- Labels:
-
AnyConnect
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-03-2016 10:02 PM
Hi,
Please find my answers inline:
- I can't ping outside interface on ASA which is DHCP assigned public IP but I can ping/access public IP address while connected to my local network of my cable modem which puts me
Are you pinging from the inside interface ? If yes you would not be able to ping the outside interface.
Check my explanation on :
https://supportforums.cisco.com/discussion/12925391/asa-ping-distant-interface-or-use-workaround
- When Logging/Monitoring with ASDM I don't see any traffic denied on outside interface when trying access or ping that interface
Where are you checking the logs ?
Can you check the
- I'm using
Can you share a screenshot of the error you are getting ? So you are not able to
- There is another problem with my ASA that could be related... I don't see any OSPF routes besides static routes on ASA itself also no neighbors :-(
Can you issue clear
Regards,
Aditya
Please rate helpful posts and mark correct answers.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-04-2016 05:22 PM
Are you pinging from the inside interface ? If yes you would not be able to ping the outside interface.
Well I'm trying to ping it from my laptop that is connected to a switch , switch is connected directly to one of the Inside ports on ASA. Cable from ASA is connected to G0/20 on the switch and G0/20 and my laptop sits on Vlan75. Is this the scenario you talking about? other words is that mean I'm still trying to ping from Inside interface?
Just did another test: I used my phone which I disconnect from my Wi-Fi and website www.ipaddressguide.com/ping ; to ping my public ip address and compare to that website ping was successful.
Where are you checking the logs ?
That's exactly where I was checking for any events. There is a lot going on but most of the stuff is just rated as INFORMATIONAL and once a while there is random denial on port 23 from IP address that I don't recognize. When I ran lookup lots of them are originated from china. What exactly and how you want me to run that filter?
Can you share a screenshot of the error you are getting ? So you are not able to login ?
AnyConnect client and web browser just time out no connection no error. Other words if I use web browser I receive:
The server at 71.x.x.x is taking too long to respond. The connection has timed out
Can you issue clear ip ospf process on the ASA and check if you are able to learn the routes ?
No luck on that still after I issue "sh ospf neigh" nothing come up... with EIGRP I can see 2 routes one to my R1-1811 and second to my other R2-1811 router but with EIGRP i'm getting error on the interface F0 which is connected to ASA
*Aug 4 12:49:28.256: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.76.1 (FastEthernet0) is down: Interface PEER-TERMINATION received
*Aug 4 12:49:31.800: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.76.1 (FastEthernet0) is up: new adjacency
It seems like EIGRP never receive ACK so it counts to 16 then resets :-( MTU size is all same on both ends
Edit1:
Did another clean setup of AnyConnect VPN on my ASA then I try use my phone and AnyConnect App on my phone and it did connect... or I will say I got the warning about certificate since it's self signed and then after I log in I got disconnected. In the log even there was this message...
3 Jan 10 2003 12:44:03 716057 Group <GroupPolicy_CyberNet VPN> User <cyborgx> IP <107.77.236.165> Session terminated, no AnyConnect Mobile license available
So next thing I will do is to try connect through my friend network with my laptop because I suspecting that as long as I'm home on my home network I will be not able to connect to the VPN because like you said and I read about that on several occasions you can't ping outside interface from inside interface. I will confirm that later tonight. I guess ASA is just totaly different appliance than Router and it behaving differently because when i have VPN setup on one of the 1811 routers I was able to test that VPN through my home network with out any problems.
Edit2:
Another discovery... I used my internet browser and in the settings I used Anonymous Proxy Server to mask my IP address and was able to connect to the portal page where upon a log-in the initial configuration/download of anyconnect vpn client was initiated... again it confirmed that I can't access outside interface from inside network. Leaving for work now but I will take my laptop with AnyConnect client installed and try connect to my ASA from different location.
Edit3:
So lesson learned :-) Everything works just fine if I try to connect to the ASA from outside of my network or if i mask my real IP address with anonymous proxy server settings... oh well :-)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-04-2016 10:55 PM
Hello,
You can activate webvpn on inside interface aswell.
webvpn
enable INSIDE
enable OUTSIDE
Then point client to IP of inside interface.
//Cristian
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-05-2016 05:27 AM
I know but point was to be able to connect to my home network from outside... my problem was that i didn't know that the ASA behaving differently than Router with VPN because with VPN enabled on router there is no problem to come out from inside network through the internet back to the VPN.... now I know that's why I love practicing on real equipment. All the videos I watched was done through GNS3 using private addresses and that was what trow me off...
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide