Configure AnyConnect (Mobile) on ASA5505

Joffroi85
Level 1

I've found tutorials and guides on how to configure AnyConnect on an ASA5505, but I wanted to check before to make sure I was going the right direction. 

Setup:

I have a very simple setup and basic goal. I currently just have one laptop on E0/1 of my ASA5505, and the ASA is configured with a static IP and plugged into the Internet. I have the ASA correctly configured and can browse the web through the laptop.

I also have the AnyConnect and AnyConnect Mobile licenses as well.

Goal:

I want to set up AnyConnect on the ASA5505 and just establish a successful connection from an android mobile device running the necessary AnyConnect software from the market.

===========

There are lots of guides for specific setups, but as described, I want to keep this as simple as possible.

Would this be a good guide to be able to complete this?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml

Also, I'm more comfortable with the CLI. Is it simpler to use the ASDM wizard for this?

Thanks in advance.

1 Accepted Solution

Hello Joffroi,

Please mark the question as answered so future users can learn from your own resolution.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

2 Replies

Joffroi85
Level 1

I am unable to connect to https://192.168.1.1/admin for asdm for some reason, so I went ahead and tried my first attempt at getting AnyConnect set up through CLI (which I prefer anyway).

My ASA is assigned 99.66.167.69 and I'm still able to browse content through a connected laptop. After my setup, I am unable to access https://99.66.167.69 though. Is there something wrong with my assigned IP pool?

Below is my config file. Any help is greatly appreciated.

===================================================================

ASA5505# show run
: Saved
:
ASA Version 8.2(5)
!
hostname SA5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 99.66.167.69 255.255.255.248
!
ftp mode passive
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 99.66.167.70 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 192.168.5.100
 vpn-tunnel-protocol svc
 address-pools value SSLClientPool
username testuser password cd0dmVM0fEWRYugq encrypted
username testuser attributes
 service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d5fab45fe19eea3f55517353a07e50d0
: end

EDIT: I just tested this configuration with AnyConnect on my device and I was SUCCESSFULLY able to complete the VPN! I apologize for taking up room on this forum. I guess I should have tried a couple of times first before reaching out for help. Surprised myself.
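As an added example (not code from this thread, from Cisco, or from the AnyConnect project), here is a small Python checker that parses the AnyConnect-relevant lines of an ASA 8.2 running-config and reports the cross-reference mistakes a reviewer would look for before testing from a client: webvpn not enabled on a real interface, a tunnel-group pointing at an undefined group-policy or address pool, a nat 0 exemption ACL whose source does not cover the inside subnet, and a pushed DNS server that is on no connected subnet. Run against the config posted above it flags two things: the NONAT ACL exempts 192.168.5.0/24, not the inside subnet 192.168.1.0/24, and the dns-server 192.168.5.100 is on neither the inside nor the outside subnet. Neither stops the SSL tunnel from being built, which is consistent with the EDIT, but both matter as soon as the mobile client tries to reach hosts on the inside network. The parser, the finding codes and the sample text (the posted lines re-indented as the ASA itself prints them) are this example's own; the remark about 8.2 NAT order in the comment is my reading of that release's nat/global behaviour, not something the thread states.

```python
"""ASA 8.2 AnyConnect config consistency checks (added example; parser and finding codes are its own)."""
import ipaddress

# Constructed sample: the AnyConnect-relevant lines of the config posted above,
# re-indented the way the ASA prints sub-commands (one leading space).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 99.66.167.69 255.255.255.248
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
nat (inside) 0 access-list NONAT
webvpn
 enable outside
group-policy SSLClientPolicy attributes
 dns-server value 192.168.5.100
 address-pools value SSLClientPool
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Extract interfaces, pools, nat 0 ACLs, webvpn, group-policies and tunnel-groups."""
    cfg = {"ifaces": {}, "pools": {}, "acls": {}, "nat_exempt": {},
           "webvpn_on": set(), "gps": {}, "tgs": {}}
    section = None  # (kind, name) of the indented block we are inside
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or raw[0] in "!:":
            continue
        if not raw.startswith(" "):  # top-level command; may open a block
            section = None
            if tok[0] == "interface":
                section, cfg["ifaces"][tok[1]] = ("iface", tok[1]), {}
            elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
                cfg["acls"].setdefault(tok[1], []).append((_net(tok[5], tok[6]), _net(tok[7], tok[8])))
            elif tok[:3] == ["ip", "local", "pool"]:
                cfg["pools"][tok[3]] = _net(tok[4].split("-")[0], tok[6])  # subnet the pool lives in
            elif tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
                cfg["nat_exempt"][tok[1].strip("()")] = tok[4]
            elif tok[0] == "webvpn":
                section = ("webvpn", None)
            elif tok[0] in ("group-policy", "tunnel-group"):
                kind = "gp" if tok[0] == "group-policy" else "tg"
                cfg[kind + "s"].setdefault(tok[1], {})
                if tok[2] in ("attributes", "general-attributes"):
                    section = (kind, tok[1])
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "iface" and tok[0] == "nameif":
            cfg["ifaces"][name]["nameif"] = tok[1]
        elif kind == "iface" and tok[:2] == ["ip", "address"]:
            cfg["ifaces"][name]["net"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif kind == "webvpn" and tok[0] == "enable":
            cfg["webvpn_on"].add(tok[1])
        elif kind == "gp" and tok[:2] == ["address-pools", "value"]:
            cfg["gps"][name]["pool"] = tok[2]
        elif kind == "gp" and tok[:2] == ["dns-server", "value"]:
            cfg["gps"][name]["dns"] = ipaddress.ip_address(tok[2])
        elif kind == "tg" and tok[0] == "default-group-policy":
            cfg["tgs"][name]["policy"] = tok[1]
    return cfg


def check_anyconnect(cfg):
    """Return (code, message) findings; an empty list means the SSL VPN pieces agree."""
    out = []
    nets = {i["nameif"]: i["net"].network for i in cfg["ifaces"].values() if "nameif" in i and "net" in i}
    if not cfg["webvpn_on"] & set(nets):
        out.append(("WEBVPN_OFF", "webvpn is not enabled on any configured interface"))
    for tg, attrs in cfg["tgs"].items():
        gp = cfg["gps"].get(attrs.get("policy"))
        if gp is None:
            out.append(("GP_MISSING", f"tunnel-group {tg}: default-group-policy {attrs.get('policy')} not defined"))
            continue
        pool_net = cfg["pools"].get(gp.get("pool"))
        if pool_net is None:
            out.append(("POOL_MISSING", f"tunnel-group {tg}: address pool {gp.get('pool')} not defined"))
            continue
        for ifname, net in nets.items():
            acl = cfg["nat_exempt"].get(ifname)
            # 8.2 NAT: with nat (inside) 1 + global (outside) 1 interface, replies from inside hosts
            # to VPN clients are PATed unless the nat 0 ACL has an ACE inside-subnet -> pool-subnet.
            if acl and not any(net.subnet_of(s) and pool_net.subnet_of(d) for s, d in cfg["acls"].get(acl, [])):
                out.append(("NAT_EXEMPT_GAP", f"nat ({ifname}) 0 ACL {acl} lacks an ACE {net} -> {pool_net}"))
        dns = gp.get("dns")
        if dns is not None and not any(dns in net for net in nets.values()):
            out.append(("DNS_NOT_CONNECTED", f"tunnel-group {tg}: dns-server {dns} is not on any connected subnet"))
    return out


if __name__ == "__main__":
    print(*check_anyconnect(parse_config(SAMPLE_CONFIG)), sep="\n")
```

To run it against a real box, paste the full `show run` output into `SAMPLE_CONFIG` (or read it from a file); unrelated lines such as timeouts, inspection policy and call-home are ignored by the parser. One thing the checker does not model, but which bears on the "unable to access https://99.66.167.69" test in the post: the ASA does not answer for an interface's own address to hosts arriving on a different interface, so browsing to the outside IP from the laptop behind the inside interface is not a valid test of the `webvpn enable outside` listener; the mobile client on the Internet is.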
