Trouble connecting using AnyConnect and IPsec VPN Client

mrkylewood
Level 1

I'm having trouble connecting with the AnyConnect VPN client. I can connect with the IPsec VPN client in Windows 7 32-bit.

Here is my latest running config.

Thank you for taking the time to read this over.

passwd W/KqlBn3sSTvaD0T encrypted

no names

name 192.168.1.117 kylewooddesk description kyle

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa822-k8.bin

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

domain-name wood.local

same-security-traffic permit intra-interface

object-group service rdp tcp

description rdp access

port-object eq 3389

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-list outside_access_in extended permit tcp any interface outside eq 8080

access-list outside_access_in extended permit tcp any interface outside eq 3334

access-list outside_access_in extended permit ip 192.168.5.0 255.255.255.240 192.168.1.0 255.255.255.0

access-list woodgroup_splitTunnelAcl standard permit host 192.168.1.117

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.240

access-list outside_access_in_1 extended permit tcp any host 192.168.1.117 eq 3389

access-list woodgroup_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.240

access-list inside_nat0_outbound_1 extended permit ip 192.168.5.0 255.255.255.240 any

access-list inside_test extended permit icmp any host 192.168.1.117

no pager

logging enable

logging timestamp

logging asdm informational

logging debug-trace

mtu inside 1500

mtu outside 1500

ip local pool Kyle 192.168.5.1-192.168.5.10 mask 255.255.255.0

ip local pool vpnpool 192.168.1.220-192.168.1.230

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

global (inside) 1 interface

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound_1

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 192.168.1.117 3389 netmask 255.255.255.255  dns

static (inside,outside) tcp interface 8080 192.168.1.117 8080 netmask 255.255.255.255

static (inside,outside) tcp interface 3334 192.168.1.86 3334 netmask 255.255.255.255

static (inside,inside) 75.65.238.40 192.168.1.117 netmask 255.255.255.255

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

webvpn

  file-browsing enable

  file-entry enable

  http-proxy enable

  url-entry enable

  svc ask none default svc

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns 8.8.8.8 8.8.4.4

dhcpd lease 3000

!

dhcpd address 192.168.1.100-192.168.1.130 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc enable

group-policy sslwood internal

group-policy sslwood attributes

vpn-tunnel-protocol svc webvpn

webvpn

  url-list none

group-policy woodgroup internal

group-policy woodgroup attributes

dns-server value 8.8.8.8 8.8.4.4

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value woodgroup_splitTunnelAcl_1

username mrkylewood password Q4339wmn1ourxj9X encrypted privilege 15

username mrkylewood attributes

vpn-group-policy sslwood

vpn-simultaneous-logins 3

vpn-tunnel-protocol svc webvpn

group-lock value sslwood

webvpn

  svc ask none default webvpn

tunnel-group woodgroup type remote-access

tunnel-group woodgroup general-attributes

address-pool Kyle

default-group-policy woodgroup

tunnel-group woodgroup ipsec-attributes

pre-shared-key *****

tunnel-group sslwood type remote-access

tunnel-group sslwood general-attributes

address-pool Kyle

authentication-server-group (inside) LOCAL

authentication-server-group (outside) LOCAL

default-group-policy sslwood

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect ip-options

policy-map type inspect dns MY_DNS_INSPECT_MAP

parameters

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination address http https://tools.cisco.com/its/service/...es/DDCEService

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:6fa8db79bcf695080cbdc1159b409360

: end

asawood(config)#

Accepted Solution

Jennifer Halim
Cisco Employee

Also need to add the following:

webvpn

    tunnel-group-list enable

exit

tunnel-group sslwood webvpn-attributes

    group-alias sslwood enable

Let us know if it works.


Jennifer, that worked!!  But I can't access any of my inside resources.  What could be the problem?

Hello Kyle,

Can you give it a try to the following:

clear configure access-list inside_nat0_outbound_1

access-list inside_nat0_outbound_1 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound_1

If that does not make a difference, please provide us the following:

Packet-tracer input inside tcp 192.168.5.2 1025 192.168.1.2 80

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Add the split tunnel policy as well:

access-list sslwood_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

group-policy sslwood attributes

     split-tunnel-policy tunnelspecified

     split-tunnel-network-list value sslwood_splitTunnelAcl

I tried both suggestions. I'm still unable to open Explorer in Windows, enter \\192.168.1.117 and view the shares on that drive.

Here is the packet tracer

asawood(config)# Packet-tracer input inside tcp 192.168.5.2 1025 192.168.1.2 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.1.0     255.255.255.0   inside

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT-EXEMPT

Subtype: rpf-check

Result: ALLOW

Config:

  match ip inside 192.168.1.0 255.255.255.0 inside 192.168.5.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 1

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 1 (192.168.1.1 [Interface PAT])

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Dynamic translate 192.168.5.2/1025 to 192.168.1.1/6605 using netmask 255.255.255.255

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 1 (192.168.1.1 [Interface PAT])

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Phase: 9

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 1 (192.168.1.1 [Interface PAT])

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Phase: 11

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 1 (192.168.1.1 [Interface PAT])

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Phase: 12

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Hello Kyle,

Can you provide us the No_Nat configuration again.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

This is my running config.

User Access Verification

Password:

Password:

Type help or '?' for a list of available commands.

asawood> enable

Password: ******

Invalid password

Password: **********

asawood# conf t

asawood(config)# show run

: Saved

:

ASA Version 8.2(2)

!

hostname asawood

domain-name wood.local

enable password W/KqlBn3sSTvaD0T encrypted

passwd W/KqlBn3sSTvaD0T encrypted

no names

name 192.168.1.117 kylewooddesk description kyle

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa822-k8.bin

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

domain-name wood.local

same-security-traffic permit intra-interface

object-group service rdp tcp

description rdp access

port-object eq 3389

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-list outside_access_in extended permit tcp any interface outside eq 8080

access-list outside_access_in extended permit tcp any interface outside eq 3334

access-list outside_access_in extended permit ip 192.168.5.0 255.255.255.240 192.168.1.0 255.255.255.0

access-list woodgroup_splitTunnelAcl standard permit host 192.168.1.117

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.240

access-list outside_access_in_1 extended permit tcp any host 192.168.1.117 eq 3389

access-list woodgroup_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list inside_test extended permit icmp any host 192.168.1.117

access-list sslwood_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

no pager

logging enable

logging timestamp

logging asdm informational

logging debug-trace

mtu inside 1500

mtu outside 1500

ip local pool Kyle 192.168.5.1-192.168.5.10 mask 255.255.255.0

ip local pool vpnpool 192.168.1.220-192.168.1.230

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

global (inside) 1 interface

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound_1

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 192.168.1.117 3389 netmask 255.255.255.255 dns

static (inside,outside) tcp interface 8080 192.168.1.117 8080 netmask 255.255.255.255

static (inside,outside) tcp interface 3334 192.168.1.86 3334 netmask 255.255.255.255

static (inside,inside) 75.65.238.40 192.168.1.117 netmask 255.255.255.255

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

webvpn

  file-browsing enable

  file-entry enable

  http-proxy enable

  url-entry enable

  svc ask none default svc

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns 8.8.8.8 8.8.4.4

dhcpd lease 3000

!

dhcpd address 192.168.1.100-192.168.1.130 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy sslwood internal

group-policy sslwood attributes

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value sslwood_splitTunnelAcl

webvpn

  url-list none

group-policy woodgroup internal

group-policy woodgroup attributes

dns-server value 8.8.8.8 8.8.4.4

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value woodgroup_splitTunnelAcl_1

username mrkylewood password Q4339wmn1ourxj9X encrypted privilege 15

username mrkylewood attributes

vpn-group-policy sslwood

vpn-simultaneous-logins 3

vpn-tunnel-protocol svc webvpn

group-lock value sslwood

webvpn

  svc ask none default webvpn

tunnel-group woodgroup type remote-access

tunnel-group woodgroup general-attributes

address-pool Kyle

default-group-policy woodgroup

tunnel-group woodgroup ipsec-attributes

pre-shared-key *****

tunnel-group sslwood type remote-access

tunnel-group sslwood general-attributes

address-pool Kyle

authentication-server-group (inside) LOCAL

authentication-server-group (outside) LOCAL

default-group-policy sslwood

tunnel-group sslwood webvpn-attributes

group-alias sslwood enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect ip-options

policy-map type inspect dns MY_DNS_INSPECT_MAP

parameters

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination address http https://tools.cisco.com/its/service/...es/DDCEService

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:e07ba8b053b7e3d16726ff27e725d947

: end

asawood(config)#

Hello Kyle,

So basically this time you are able to connect, you get to the portal and select the sslwood tunnel group.

You get an IP address in the 192.168.5.0 range but you are still unable to access the internal resources.

That is what is happening right now right?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, Julio, that is correct.

I would say the configuration looks good,

What kind of traffic are you trying to send? No traffic is able to get to the local LAN from the AnyConnect clients.

What happens if you add the following and then try to ping the inside interface?

management-access inside

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It looks like the commands

access-list sslwood_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

group-policy sslwood attributes

     split-tunnel-policy tunnelspecified

     split-tunnel-network-list value sslwood_splitTunnelAcl

fixed it.

I'm able to access inside resources, thanks for all your help!!

Great to hear, and thanks for your update. Please kindly mark the post as answered, thanks.
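The three things this thread had to fix (an AnyConnect tunnel-group that clients could not select because it had no group-alias and tunnel-group-list was off, a VPN address pool that must be fully covered by the nat 0 exemption, and a tunnelspecified split-tunnel policy that needs a populated network list) are all mechanically checkable from a saved show run. The lint below is an added example written for this page; it is not Cisco tooling and not the poster's configuration. The BEFORE and AFTER strings are constructed to mirror the thread's before/after state using the names from the thread (sslwood, Kyle, inside_nat0_outbound_1, sslwood_splitTunnelAcl), with children indented by one space the way ASA 8.2 prints them. The parser assumes that indentation, so paste output that lost its leading spaces needs it restored first.

```python
"""Lint an ASA 8.2-style 'show run' for the three AnyConnect pitfalls worked
through in this thread.  Added example: not Cisco's code, not the poster's
config.  BEFORE/AFTER are constructed samples modelled on the thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed "before": tunnel-group exists but AnyConnect cannot select it.
BEFORE = """\
ip local pool Kyle 192.168.5.1-192.168.5.10 mask 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound_1
group-policy sslwood attributes
 vpn-tunnel-protocol svc webvpn
tunnel-group sslwood type remote-access
tunnel-group sslwood general-attributes
 address-pool Kyle
 default-group-policy sslwood
"""

# Constructed "after": the accepted solution plus the split-tunnel ACL.
AFTER = BEFORE + """\
access-list sslwood_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
webvpn
 tunnel-group-list enable
group-policy sslwood attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sslwood_splitTunnelAcl
tunnel-group sslwood webvpn-attributes
 group-alias sslwood enable
"""


def parse(config):
    """Return (top_level_lines, {header: [children]}); repeated headers merge."""
    top, sections, header = [], defaultdict(list), None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():                 # ASA indents children by one space
            sections[header].append(raw.strip())
        else:
            header = raw.strip()
            top.append(header)
            sections[header]                 # register header even without children
    return top, sections


def _net(tokens, i):
    """Parse one ASA address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def acl_entries(top, name):
    """(src, dst) networks for each permit entry of ACL `name`; standard ACLs have src=None."""
    entries = []
    for line in top:
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", name] or "permit" not in t[2:4]:
            continue
        if t[2] == "standard":
            entries.append((None, _net(t, 4)[0]))
            continue
        start = 5 if t[2] == "extended" else 4   # bare 'permit' form omits the keyword
        src, i = _net(t, start)
        entries.append((src, _net(t, i)[0]))
    return entries


def lint(config):
    """Return a list of human-readable findings; empty list means all checks pass."""
    top, sec = parse(config)
    findings = []
    tg_list = "tunnel-group-list enable" in sec.get("webvpn", [])
    pools = {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
             for m in (re.match(r"ip local pool (\S+) (\S+)-(\S+)", l) for l in top) if m}
    exempt = []                              # destinations covered by nat 0 exemptions
    for l in top:
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)", l)
        if m:
            exempt += [dst for _, dst in acl_entries(top, m.group(1))]
    for line in top:
        m = re.match(r"tunnel-group (\S+) type remote-access", line)
        if not m:
            continue
        tg = m.group(1)
        general = sec.get(f"tunnel-group {tg} general-attributes", [])
        gp = next((c.split()[1] for c in general if c.startswith("default-group-policy ")), "DfltGrpPolicy")
        attrs = sec.get(f"group-policy {gp} attributes", [])
        proto = next((c for c in attrs if c.startswith("vpn-tunnel-protocol ")), "")
        if "svc" not in proto and "webvpn" not in proto:
            continue                         # IPsec-only group (like woodgroup): not applicable
        # 1. AnyConnect can only choose this group via an enabled alias/URL with the list on
        wv = sec.get(f"tunnel-group {tg} webvpn-attributes", [])
        selectable = any(c.startswith("group-alias ") and c.endswith(" enable") for c in wv) \
            or any(c.startswith("group-url ") for c in wv)
        if not (tg_list and selectable):
            findings.append(f"{tg}: needs 'group-alias ... enable' and 'tunnel-group-list enable'; "
                            "AnyConnect users otherwise land in DefaultWEBVPNGroup")
        # 2. the whole pool must be NAT-exempt or replies to VPN clients get translated
        pool = next((c.split()[1] for c in general if c.startswith("address-pool ")), None)
        if pool in pools:
            lo, hi = pools[pool]
            if not any(lo in net and hi in net for net in exempt):
                findings.append(f"{tg}: pool {pool} ({lo}-{hi}) is not fully covered by a nat 0 ACL")
        # 3. tunnelspecified with a missing or empty list tunnels nothing
        if "split-tunnel-policy tunnelspecified" in attrs:
            acl = next((c.split()[-1] for c in attrs if c.startswith("split-tunnel-network-list value ")), None)
            if acl is None or not acl_entries(top, acl):
                findings.append(f"{gp}: tunnelspecified without a populated split-tunnel network list")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(cfg) or ["no findings"])
```

Run against BEFORE it reports only the unselectable tunnel-group (the original /28 exemption already covered the .1-.10 pool, which is why Julio's wider ACL alone did not change anything); against AFTER it reports nothing. Feed it your own show run by reading the file into a string and calling lint on it.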
