1776 Views, 4 Helpful, 16 Replies

Cisco ASA 5505 AnyConnect VPN

goboston20
Level 1

I have an ASA 5505 (with the VPN client configured on the primary ISP) and I configured the primary ISP for AnyConnect. The ASA is in active/standby mode. Both VPN client and AnyConnect are working fine on the active interface. I configured AnyConnect for the standby interface, but I cannot https to it nor ping it (ICMP is enabled on the interface). Is it possible that I cannot ping nor https to it since it's in standby mode? If I want to make it live, would I have to disconnect the primary interface first? Thanks!

16 Replies

Probably your routing is not set up correctly. Please post your config to check that.



Hi Karsten.

I configured the AnyConnect on the "active" interface and I got it to work. I mirrored my steps onto the "standby" interface and no go. I cannot even ping the interface, even with ICMP allowed on the standby interface.

Thanks,

Jose

Hi Markus.

This is what I suspected, and I would need to disconnect the "active" interface to really test it. Unfortunately, that connection is being used the majority of the time.

Thanks,

Jose

First: is your failover-setup ok? So, can both units connect to the primary and secondary ISPs? If yes, then you don't have to power off the secondary unit. But probably something is configured wrong ... But you need to provide more input!

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

It's a single Cisco ASA 5505 with a failover ISP.

OK, then again: your routing is configured wrong. You are probably missing the route to the second ISP:

route (secondaryInterface) 0.0.0.0 0.0.0.0 GW-IP-ISP2 100


So a "standby" interface on a Cisco ASA 5505 can be ping/https if AnyConnect is setup?

That's pure ASA behavior and independent of AnyConnect.


So the "standby" interface should respond to pings if ACL is setup?

My routes are the following:

route "primary" 0.0.0.0 0.0.0.0 GW-IP-ISP1 10 track 2

route "secondary" 0.0.0.0 0.0.0.0 GW-ISP2 15

route "primary" 4.2.2.2 255.255.255.255 GW-IP-ISP1 1

route "secondary" 192.168.2.0 255.255.255.0 IP-ISP2 1

(Note: 192.168.2.0/24 is for the Cisco VPN Clients.)
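The exchange above turns on which of the two default routes the ASA actually installs and where a reply to a probe on the "secondary" interface would be sent. The following is an added example, not code from the thread or from Cisco: it parses route statements in the same `route <if> <net> <mask> <gw> [<distance>] [track <n>]` syntax the poster used, installs only the lowest administrative distance per prefix (dropping a tracked route while its track object is down), and does a longest-prefix match. The gateway addresses are constructed documentation addresses standing in for the sanitized "x.x" ones, and the example assumes that the ASA forwards replies to to-the-box traffic (ICMP echo, HTTPS to the AnyConnect URL) by the routing table like any other packet, which is why a probe arriving on the backup interface can be answered out the primary ISP while the tracked route is up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed copy of the route statements posted in the thread, with the
# sanitized "x.x" gateways replaced by documentation addresses (assumption).
ROUTE_LINES = [
    "route ISP1 0.0.0.0 0.0.0.0 192.0.2.125 10 track 2",
    "route outside 0.0.0.0 0.0.0.0 198.51.100.185 15",
    "route ISP1 4.2.2.2 255.255.255.255 192.0.2.125 1",
    "route outside 192.168.2.0 255.255.255.0 198.51.100.186 1",
]


@dataclass(frozen=True)
class StaticRoute:
    interface: str
    network: ipaddress.IPv4Network
    gateway: str
    distance: int                 # administrative distance (trailing number, default 1)
    track: Optional[int] = None   # 'track N' object the route depends on


def parse_route(line: str) -> StaticRoute:
    """Parse one 'route <if> <net> <mask> <gw> [<distance>] [track <n>]' line."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route statement: {line!r}")
    iface, net, mask, gw = parts[1:5]
    distance = int(parts[5]) if len(parts) > 5 else 1
    track = None
    if len(parts) > 7 and parts[6] == "track":
        track = int(parts[7])
    return StaticRoute(iface, ipaddress.IPv4Network(f"{net}/{mask}"), gw, distance, track)


def installed_routes(routes: List[StaticRoute], track_up: Dict[int, bool]) -> List[StaticRoute]:
    """Routes the ASA actually installs: drop routes whose track object is
    down, then keep only the lowest administrative distance per prefix.
    This is why the floating 'outside' default (AD 15) stays hidden while
    the tracked 'ISP1' default (AD 10) is up."""
    best: Dict[ipaddress.IPv4Network, StaticRoute] = {}
    for r in routes:
        if r.track is not None and not track_up.get(r.track, True):
            continue
        cur = best.get(r.network)
        if cur is None or r.distance < cur.distance:
            best[r.network] = r
    return list(best.values())


def lookup(routes: List[StaticRoute], dst: str, track_up: Dict[int, bool]) -> Optional[StaticRoute]:
    """Longest-prefix match over the installed routes."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in installed_routes(routes, track_up) if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def reply_egress(routes: List[StaticRoute], client_ip: str, track_up: Dict[int, bool]) -> Optional[str]:
    """Interface the ASA would use to answer a packet from client_ip, under the
    assumption that to-the-box replies follow the routing table."""
    r = lookup(routes, client_ip, track_up)
    return r.interface if r else None


def symmetric(routes: List[StaticRoute], ingress: str, client_ip: str, track_up: Dict[int, bool]) -> bool:
    """True when the reply would leave on the interface the probe arrived on."""
    return reply_egress(routes, client_ip, track_up) == ingress


if __name__ == "__main__":
    routes = [parse_route(line) for line in ROUTE_LINES]
    client = "203.0.113.10"  # constructed Internet host probing the ASA
    for state in ({2: True}, {2: False}):
        print(f"track 2 {'up' if state[2] else 'down'}: probe on outside is",
              "symmetric" if symmetric(routes, "outside", client, state) else "asymmetric",
              "- reply leaves via", reply_egress(routes, client, state))
```

Running it shows that while track 2 is up every reply to an arbitrary Internet host leaves via ISP1, so a ping or HTTPS probe that arrived on outside is answered asymmetrically; only when the track fails does the floating default route take over and the outside interface answer on its own link. The host route for 4.2.2.2 and the 192.168.2.0/24 route are unaffected by the track state because they are more specific than either default.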

Well, that looks fine. What is the output of "show run icmp"?


I used the debugging to see if anything is even hitting the secondary IP and nothing. That's weird. ICMP is enabled through the interface.

icmp unreachable rate-limit 1 burst-size 1

Here is a sanitized config:

+++++++++++++++++

: Saved

:

!

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name xyz.local

name 192.168.3.0 AnyConnect description AnyConnect

name 192.168.4.0 AnyConnect-SecondaryISP description AnyConnect-SecondaISP

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 13

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

mac-address x.x.x.x.

nameif outside

security-level 0

ip address x.x.163.186 255.255.255.252

!

interface Vlan3

shutdown

nameif dmz

security-level 50

no ip address

!

interface Vlan13

description Description Connection

nameif ISP1

security-level 0

ip address x.x.244.126 255.255.255.252

!

boot system disk0:/asa825-k8.bin

no ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns domain-lookup ISP1

dns server-group DefaultDNS

name-server 192.168.1.250

domain-name wpd.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service XXX tcp

port-object eq 3395

object-group service Remote tcp

description Remote Desktop

port-object eq 3389

object-group service VNC tcp

port-object eq 5900

object-group protocol ProtocolLine1

protocol-object ip

protocol-object icmp

protocol-object udp

protocol-object tcp

object-group protocol ProtocolLine2

protocol-object ip

protocol-object icmp

protocol-object udp

protocol-object tcp

object-group service SecureTCP

port-object eq 4550

port-object eq 5511

port-object eq 5550

port-object eq 6550

port-object eq 81

port-object eq 8866

object-group service FTP tcp

port-object range 50000 50005

access-list outside_access_in remark Security

access-list outside_access_in extended permit tcp host x.x.138.234 host x.x.163.186 object-group EM

access-list outside_access_in remark VNC

access-list outside_access_in extended permit tcp any host x.x.163.186 object-group VNC

access-list outside_access_in remark Remote Desktop

access-list outside_access_in extended permit tcp any host x.x.183.163.186 object-group Remote

access-list outside_access_in remark https

access-list outside_access_in extended permit tcp any host x.x.163.186 eq https

access-list outside_access_in extended permit tcp any host x.x.163.186 object-group SecurityServer

access-list outside_access_in extended permit icmp any any

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 AnyConnect 255.255.255.0

access-list inside_nat0_outbound extended permit ip AnyConnect 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 AnyConnect-SecondaryISP 255.255.255.0

access-list inside_nat0_outbound extended permit ip AnyConnect-SecondaryISP 255.255.255.0 192.168.1.0 255.255.255.0

access-list ACL standard permit 192.168.1.0 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit icmp any any

access-list ISP1_access_in extended permit ip any any

access-list ISP1_access_in extended permit icmp any any

access-list ISP1_access_in remark VNC

access-list ISP1_access_in extended permit tcp host x.x.138.234 interface ISP1 eq ftp-data

access-list ISP1_access_in remark VNC

access-list ISP1_access_in extended permit tcp host x.x.138.234 interface ISP1 object-group FTP_pa

access-list ISP1_access_in remark FTP

access-list ISP1_access_in extended permit tcp host x.x.138.234 interface ISP1 eq ftp

access-list ISP1_access_in remark VNC

access-list ISP1_access_in extended permit tcp any interface ISP1 object-group VNC

access-list ISP1_access_in remark Remote Desktop

access-list ISP1_access_in extended permit tcp any interface ISP1 object-group Remote

access-list ISP1_access_in extended permit tcp any interface ISP1 object-group SecurityServ

access-list inside_nat_outbound extended permit ip any any

access-list AnyConnectACL remark ACL for AnyConnect

access-list AnyConnectACL standard permit 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

mtu ISP1 1500

ip local pool VPNUSERS 192.168.2.2-192.168.2.253 mask 255.255.255.0

ip local pool AnyConnectPool 192.168.3.3-192.168.3.253 mask 255.255.255.0

ip local pool AnyConnect-SecondaryISP 192.168.4.2-192.168.4.253 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

asdm location AnyConnect 255.255.255.0 inside

asdm location AnyConnect-SecondaryISP 255.255.255.0 inside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (ISP1) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 access-list inside_nat_outbound

static (inside,outside) tcp interface 3395 192.168.1.99 3395 netmask 255.255.255.255

static (inside,ISP1) tcp interface 3395 192.168.1.99 3395 netmask 255.255.255.255

static (inside,outside) tcp interface 5900 192.168.1.253 5900 netmask 255.255.255.255

static (inside,ISP1) tcp interface 5900 192.168.1.253 5900 netmask 255.255.255.255

static (inside,outside) tcp interface 3389 192.168.1.81 3389 netmask 255.255.255.255

static (inside,ISP1) tcp interface 3389 192.168.1.81 3389 netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.20 https netmask 255.255.255.255

static (inside,outside) tcp interface 81 192.168.1.231 81 netmask 255.255.255.255

static (inside,ISP1) tcp interface 81 192.168.1.231 81 netmask 255.255.255.255

static (inside,outside) tcp interface 4550 192.168.1.231 4550 netmask 255.255.255.255

static (inside,ISP1) tcp interface 4550 192.168.1.231 4550 netmask 255.255.255.255

static (inside,outside) tcp interface 5550 192.168.1.231 5550 netmask 255.255.255.255

static (inside,ISP1) tcp interface 5550 192.168.1.231 5550 netmask 255.255.255.255

static (inside,outside) tcp interface 6550 192.168.1.231 6550 netmask 255.255.255.255

static (inside,ISP1) tcp interface 6550 192.168.1.241 6550 netmask 255.255.255.255

static (inside,outside) tcp interface 8866 192.168.1.231 8866 netmask 255.255.255.255

static (inside,ISP1) tcp interface 8866 192.168.1.231 8866 netmask 255.255.255.255

static (inside,outside) tcp interface 5511 192.168.1.231 5511 netmask 255.255.255.255

static (inside,ISP1) tcp interface 5511 192.168.1.231 5511 netmask 255.255.255.255

static (inside,ISP1) tcp interface ftp 192.168.1.250 ftp netmask 255.255.255.255

static (inside,ISP1) tcp interface ftp-data 192.168.1.250 ftp-data netmask 255.255.255.255

static (inside,ISP1) tcp interface 50000 192.168.1.250 50000 netmask 255.255.255.255

static (inside,ISP1) tcp interface 50001 192.168.1.250 50001 netmask 255.255.255.255

static (inside,ISP1) tcp interface 50002 192.168.1.250 50002 netmask 255.255.255.255

static (inside,ISP1) tcp interface 50005 192.168.1.250 50005 netmask 255.255.255.255

static (inside,ISP1) tcp interface 50004 192.168.1.250 50004 netmask 255.255.255.255

static (inside,ISP1) tcp interface 50003 192.168.1.250 50003 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group ISP1_access_in in interface ISP1

route ISP1 0.0.0.0 0.0.0.0 x.x.244.125 10 track 2

route outside 0.0.0.0 0.0.0.0 x.x.163.185 15

route ISP1 4.2.2.2 255.255.255.255 x.x.244.125 1

route outside 192.168.2.0 255.255.255.0 x.x.163.186 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 192.168.1.250

key key

radius-common-pw key

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no sysopt connection permit-vpn

sla monitor 3

type echo protocol ipIcmpEcho 4.2.2.2 interface ISP1

frequency 90

sla monitor schedule 3 life forever start-time now

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 1 set pfs group1

crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA

crypto dynamic-map ISP1_dyn_map 1 set pfs group1

crypto dynamic-map ISP1_dyn_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto map ISP1_map 65535 ipsec-isakmp dynamic ISP1_dyn_map

crypto map ISP1_map interface ISP1

crypto isakmp enable outside

crypto isakmp enable ISP1

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 2 rtr 3 reachability

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.20-192.168.1.90 inside

dhcpd dns 192.168.1.250 interface inside

dhcpd lease 86400 interface inside

dhcpd domain xyz.local interface inside

dhcpd update dns both interface inside

dhcpd option 3 ip 192.168.1.1 interface inside

dhcpd option 46 hex 08 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

enable ISP1

svc image disk0:/anyconnect-win-3.0.08057-k9.pkg 1

svc profiles AnyConnect disk0:/anyconnect.xml

svc enable

tunnel-group-list enable

tunnel-group-preference group-url

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec webvpn

group-policy MCSVPNCLIENTS internal

group-policy MCSVPNCLIENTS attributes

wins-server none

dns-server value 192.168.1.250

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ACL

default-domain value xyz.local

group-policy AnyConnect-Policy internal

group-policy AnyConnect-Policy attributes

wins-server none

dns-server value 192.168.1.250

vpn-idle-timeout 600

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value AnyConnectACL

default-domain value xyz.local

webvpn

  svc profiles value AnyConnect

  svc ask none default svc

group-policy AnyConnect-SecondaryISP internal

group-policy AnyConnect-SecondaryISP attributes

vpn-tunnel-protocol svc webvpn

username admin1 password Password encrypted privilege 15

tunnel-group MCSVPNCLIENTS type remote-access

tunnel-group MCSVPNCLIENTS general-attributes

address-pool VPNUSERS

authentication-server-group RADIUS LOCAL

authorization-server-group RADIUS

accounting-server-group RADIUS

password-management password-expire-in-days 0

tunnel-group MCSVPNCLIENTS ipsec-attributes

pre-shared-key key

tunnel-group MCSVPNCLIENTS ppp-attributes

authentication ms-chap-v2

tunnel-group AnyConnect-VPN type remote-access

tunnel-group AnyConnect-VPN general-attributes

address-pool AnyConnectPool

authentication-server-group RADIUS

authentication-server-group (ISP1) RADIUS

default-group-policy AnyConnect-Policy

tunnel-group AnyConnect-VPN webvpn-attributes

group-alias AnyConnect-VPN enable

group-url https://x.x.244.126/AnyConnect-VPN enable

tunnel-group AnyConnect-SecondaryISP type remote-access

tunnel-group AnyConnect-SecondaryISP general-attributes

address-pool AnyConnect-SecondaryISP

authentication-server-group RADIUS

authentication-server-group (inside) RADIUS

default-group-policy AnyConnect-SecondaryISP

tunnel-group AnyConnect-SecondaryISP webvpn-attributes

group-alias AnyConnect-SecondaryISP enable

group-url https://x.x.163.186/AnyConnect-SecondaryISP enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:ffd8ae6f8205c65f31f0abfd0280fd37

: end