Hello

Thanks for your reply. I found a way to control. Please correct me if this is wrong or not good.

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

reference above link, below acl allow 10.10.10.1 access to  192.168.1.0 23(telnet) port 

1. access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 23

2. I create a policy group

policy-group pg_vpnfilt-ra

policy-group pg_vpnfilt-ra attri

vpn-filter vpnfilt-ra

3. set to tunnel-group

tunnel-group tg_vpnfilt-ra attr

default policy-group pg_vpnfilt-ra

show vpnsessoindb detail l2l

there is vpn-filte show  acl applied.

show asp table filter will show table

show access-list will show traffice hit

But below acl from the link, I think it's explain is wrong. it should means source port instead of dest port.

access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23
192.168.1.0 255.255.255.0

Hello Marvin

Thanks for reply.

I need to control anyconnect traffic instead of connection. As my another reply, I feel I had got the way.

2. the error is: no any response. not show login prompt.  I am from 10.1.10.119 which is allow network and can ping to firewall.

3. as I see there is anyconnect configuration is working fine on device, but no relate image on device flash. So I assume these configuration is setup by CLI? I manual create group policy, ikev1 connection profile and tunnel-group to archive this. But the result is I can connect but not able to access split-tunnel server. what I should check?

Thank you.

1. Your ACL should specify the protocol, destination host and port that you wish to restrict your VPN client to.

2. Is there any relevant output in the log when trying and failing to connect via ssh?

3. You can create a remote access VPN setup completely within ASDM, from cli or a combination of both. However IPsec IKEv1 has nothing to do with remote access VPN on ASA these days. 95% (or more) of customers use SSL VPN (actually TLS). The other much less common option is IPsec IKEv2.

Hello Marvin

below picture what exactly I had do in my GNS test.

2. how can I check the log and how can I know SSH is listening?

3.I am very agree SSL is more modern. I can setup complete SSL VPN OR L2L vpn on Sophos XG within 10 minutes and fortigate within 1 hour but not success on ASA after days hard learning.

my device is  ASA Version 8.6(1)2  ASA5512-K9. Does it support SSL? It even not support TLS 1.2. I don't have other option(hardware), I have to work on it.  As I know ikev2 need license, I am not sure doe it support. I need to check at tomorrow.

Post running config need to mask many information, so I try to settle without post. Would you please let me know if I have better remote access option on my device?

Thank you.

GNS is not exactly ASA, even when running ASA image.

You can check listening ports with "show asp table socket". Additionally the ASDM log should have some entries when you try to connect if you have "asdm logging informational" and "logging enable" configured.

I suppose you have no support on your hardware? The ASA version you are running is very very old - like the first one that supported that hardware from ~10 years ago. You are right it won't support TLS 1.2 but any modern ASA code will. It will still support SSL/TLS 1.0 (even though it's not advised to use that since it is deprecated). As far as licensing, ASA supports 2 SSL VPN clients but you still require an AnyConnect image. That version of ASA and software shipped with one - it may have been deleted at some point over the years.

Hello Marvin

Thanks for your reply.

before I have test device, GNS3 is my best option. At least it let me understand question1.

For question 2, I am asking for live device not GNS3. I can not connect even in same subnet. I mean suppose no layer 2 network rule block me connection.

3. There are some anyconnect connection profile is working, I have one msi beside my hand. I can install it and connect success to ASA. Does this is what I am looking for? I see below code in configuration file. If double confirm not found in flash, I can achieve by cli setup?

Q4. I manual create group policy, ikev1 connection profile and tunnel-group to archive this. But the result is I can connect but not able to access split-tunnel server. what I should check? Would you mind have some suggestion?

webvpn
enable outside
character-encoding gb2312
anyconnect image disk0:/AnyConnect/anyconnect-win-2.5.3055-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/AnyConnect/anyconnect-linux-2.5.3055-k9.pkg 2 regex "Linux"
anyconnect image disk0:/AnyConnect/anyconnect-linux-64-2.5.3055-k9.pkg 3 regex "Linux"
anyconnect image disk0:/AnyConnect/anyconnect-dart-win-2.5.3055-k9.pkg 4 regex "Windows NT"
anyconnect image disk0:/AnyConnect/anyconnect-macosx-i386-2.5.3055-k9.pkg 5 regex "Intel Mac OS X"
anyconnect image disk0:/AnyConnect/anyconnect-macosx-powerpc-2.5.3055-k9.pkg 6 regex "PPC Mac OS X"
anyconnect enable

For ssh please share the output of the command I mentioned already as well as the relevant log messages.

You keep mentioning ikev1. IPsec IKEv1 is only used for the long-discontinued Cisco VPN client (not AnyConnect) or site-to-site VPNs. If you are connecting with AnyConnect check your route details (gear icon of AnyConnect GUI) and make sure you are passing the necessary routes (subnets) for your server to the client.

Hello Marvin

Sorry, I may confuse at anyconnect and Cisco VPN client. I think they are same thing. I use Cisco VPN client to connect. I am trying to build VPN for it. I had attach masked running-config. EZVPN_2 is new profile I trying to build. Would you mind read and advise?

Thanks for your value time.

below result show SSH is listening, I found my IP will shun by keep ping. But even I clear from shun, I still can not ssh to it and no log show in real-time log viewer. logging level is debugging. I don't know what caus sync attack, but it stopped auto. It should not be the reason. I use a not shun server to SSH, but still fail. In current situation, I am considering some unknown blocking device working in middle.

threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics

Protocol Socket Local Address Foreign Address State
TCP 000162bf 192.168.103.70:22 0.0.0.0:* LISTEN