Can you have two different VPN clients connecting to the ASA

May 6th, 2010

I need to know if I can have one user using the AnyConnect client and others using the regular Cisco VPN client, all connecting to a Cisco ASA 5520. Let me know. Thanks, Jose' Luis Granda

Federico Coto F... Thu, 05/06/2010 - 10:56

Hi Jose,

Sure you can.

The AnyConnect client is an SSL client (layer 7).

The regular VPN client uses IPsec (layer 3).

Those are different protocols and the ASA supports both simultaneously.

Federico.

jgranda12 Thu, 05/06/2010 - 13:15

Another question. I am getting the following error when AnyConnect tries to connect: "The following message was received from the secure gateway: Host or network is 0". I cannot find where the issue is. Can you help?

Thanks,

Jose' luis Granda

Federico Coto F... Thu, 05/06/2010 - 15:12

The IPsec VPN client works?

The Anyconnect client connects?

When do you get the error exactly?

Federico.

jgranda12 Thu, 05/06/2010 - 16:05

IPsec VPN is working fine. When I try to connect from Linux via the AnyConnect VPN, on the last phase of the connection I get the following: "The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists. The following message was received from the secure gateway: Host or network is 0"

Let me know if that helps.

Thanks,

Jose' Luis Granda

jgranda12 Fri, 05/07/2010 - 05:29

Here is the show run:

ASA Version 8.2(2)
!
hostname KnoxAsa5520
domain-name ecmdi.com
enable password 9pNHZI8cjYwvFfDR encrypted
passwd 9pNHZI8cjYwvFfDR encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.237.8.162 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address x.98.2.98 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address x.16.2.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address x.168.45.250 255.255.255.0
management-only
!
banner exec ************Warning:You are connected to Eastcoast Metals Distributors Network Unathorized accessand use of this Network will be Vigorously Procecuted*********
banner login *******Warning:You are connected to Eastcoast Metals Distributors Network, Unathorized access and use of this network will be Vigorously Prosecuted*****************
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ecmdi.com
access-list out-in extended permit tcp any host x.237.8.166 eq smtp
access-list out-in extended permit tcp any host x.237.8.164 eq citrix-ica
access-list out-in extended permit tcp x.121.194.64 255.255.255.224 host x.237.8.167 eq ftp
access-list out-in extended permit tcp x.103.62.112 255.255.255.248 host x.237.8.167 eq ftp
access-list out-in extended permit icmp any host x.237.8.164
access-list out-in extended permit icmp any any
access-list out-in extended permit tcp any host x.237.8.163 eq https
access-list out-in extended permit tcp any host x.237.8.163 eq www
access-list out-in extended permit tcp any host x.237.8.165 eq www
access-list out-in extended permit tcp x.64.34.192 255.255.255.x host 63.237.8.167 eq ftp
access-list out-in extended permit tcp x.80.200.0 255.255.248.0 host x.237.8.166
access-list out-in extended permit tcp x.42.176.112 255.255.255.240 host x.237.8.166
access-list out-in extended permit tcp x.84.16.160 255.255.255.240 host x.237.8.166
access-list out-in extended permit tcp any host x.237.8.166 eq https
access-list out-in extended permit tcp any host x.237.8.167 eq www
access-list out-in extended permit tcp any host x.237.8.167 eq https
access-list DMZ2in extended permit tcp host x.16.2.2 any eq www
access-list DMZ2in extended permit tcp host x.16.2.2 any eq citrix-ica
access-list DMZ2in extended permit udp host x.16.2.2 any eq domain
access-list DMZ2in extended permit ip host x.16.2.2 any
access-list DMZ2in extended permit tcp host x.16.2.2 any eq https
access-list IPS extended permit ip any any
access-list inside_nat0_outbound extended permit ip x.0.0.0 255.0.0.0 192.168.1.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip x.168.64.0 255.255.224.0 x.168.1.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip x.168.0.0 255.255.255.0 192.168.1.0 255.255.255.192
access-list Eastcoast_splitTunnelAcl standard permit x.0.0.0 255.0.0.0
access-list Eastcoast_splitTunnelAcl standard permit x.168.64.0 255.255.224.0
access-list Eastcoast_splitTunnelAcl standard permit x.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN-Pool 192.168.1.1-192.168.1.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 x.237.8.168-x.237.8.185 netmask 255.255.255.224
global (outside) 1 x.237.8.186 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.237.8.165 x.98.2.203 netmask 255.255.255.255
static (DMZ,outside) x.237.8.163 x.16.2.2 netmask 255.255.255.255
static (inside,outside) x.237.8.166 x.98.2.87 netmask 255.255.255.255
static (inside,outside) x.237.8.164 x.98.2.220 netmask 255.255.255.255
static (inside,DMZ) x.98.0.0 10.98.0.0 netmask 255.255.0.0
access-group out-in in interface outside
access-group DMZ2in in interface DMZ
route outside 0.0.0.0 0.0.0.0 63.237.8.161 1
route inside x.0.0.0 255.0.0.0 10.98.2.254 1
route inside x.168.0.0 255.255.255.0 10.98.2.254 1
route inside x.168.74.0 255.255.255.0 10.98.2.254 1
route inside x.168.75.0 255.255.255.0 10.98.2.254 1
route inside x.168.76.0 255.255.255.0 10.98.2.254 1
route inside x.168.77.0 255.255.255.0 10.98.2.254 1
route inside x.168.78.0 255.255.255.0 10.98.2.254 1
route inside x.168.79.0 255.255.255.0 10.98.2.254 1
route inside x.168.80.0 255.255.255.0 10.98.2.254 1
route inside x.168.81.0 255.255.255.0 10.98.2.254 1
route inside x.168.82.0 255.255.255.0 10.98.2.254 1
route inside x.168.83.0 255.255.255.0 10.98.2.254 1
route inside x.168.84.0 255.255.255.0 10.98.2.254 1
route inside x.168.85.0 255.255.255.0 10.98.2.254 1
route inside x.168.86.0 255.255.255.0 10.98.2.254 1
route inside x.168.87.0 255.255.255.0 10.98.2.254 1
route inside x.168.88.0 255.255.255.0 10.98.2.254 1
route inside x.168.90.0 255.255.255.0 10.98.2.254 1
route inside x.168.91.0 255.255.255.0 10.98.2.254 1
route inside x.168.92.0 255.255.255.0 10.98.2.254 1
route inside x.168.93.0 255.255.255.0 10.98.2.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http x.98.1.3 255.255.255.255 inside
http x.98.2.0 255.255.255.0 inside
http x.249.173.14 255.255.255.255 outside
http x.168.45.0 255.255.255.0 management
http x.168.1.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet x.98.1.3 255.255.255.255 inside
telnet x.98.2.6 255.255.255.255 inside
telnet x.98.2.87 255.255.255.255 inside
telnet x.98.1.5 255.255.255.255 inside
telnet x.98.1.158 255.255.255.255 inside
telnet x.98.2.0 255.255.255.0 inside
telnet x.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Eastcoast internal
group-policy Eastcoast attributes
dns-server value 10.98.2.115 10.98.1.115
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Eastcoast_splitTunnelAcl
default-domain value ecmdi.com
username Eastcoast password aduEtRh5tsCJ0Ihu encrypted privilege 15
username Jose password q15k42Wn51D1wttj encrypted privilege 15
username Jose attributes
vpn-group-policy Eastcoast
tunnel-group Eastcoast type remote-access
tunnel-group Eastcoast general-attributes
address-pool VPN-Pool
default-group-policy Eastcoast
tunnel-group Eastcoast ipsec-attributes
pre-shared-key *****
tunnel-group east type remote-access
tunnel-group east general-attributes
address-pool VPN-Pool
!
class-map IPS
match access-list IPS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
class IPS
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:83a23c054dcbcd35dc6fcb5d277fb450
: end
[OK]

On debug I am getting:

Validating address: 0.0.0.0
CSTP state = WAIT_FOR_ADDRESS
webvpn_cstp_accept_address: 0.0.0.0/0.0.0.0
webvpn_cstp_accept_address: no address?!?
webvpn_cstp_accept_ipv6_address: No IPv6 Address
CSTP state = HAVE_ADDRESS
Host or network is 0: 0.0.0.0/0.0.0.0
webvpn_cstp_send_error: 503 Service Unavailable
CSTP state = ERROR
Not calling vpn_remove_uauth: never added!
Called vpn_remove_uauth: failed!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL

Let me know what I am doing wrong.


Jose' Luis Granda

Federico Coto F... Fri, 05/07/2010 - 06:32

Jose,

Are you able to establish an HTTPS connection to the ASA?

Is the IP that you're coming from allowed under "sh run http"?

What is the output of the command "sh webvpn svc" when you establish the AnyConnect connection?

Federico.

jgranda12 Fri, 05/07/2010 - 07:54

Yes, I am able to connect via HTTPS, but not able to bring up AnyConnect. On the ASA it shows a clientless connection. Let me know if I need to do anything else.

Thanks,

Jose Luis Granda

Federico Coto F... Fri, 05/07/2010 - 08:05

Do you get prompted for authentication?
Does AnyConnect get downloaded and installed on your machine?
Can you please try the connection from a different machine?
Post the output of "debug webvpn svc 127" when connecting with AnyConnect.

Federico.

myles1984 Fri, 05/07/2010 - 08:53

We've just had a similar problem that was caused by the ASA using the DefaultWEBVPNGroup upon connection. We had set up a new connection profile; however, because we hadn't created an alias for our new one (and enabled the user to select their profile), it defaulted to the DefaultWEBVPNGroup, which hadn't been set up with our IP pools. Once we created the alias and enabled profile selection, everything worked fine.

Maybe worth checking the running log on the ASDM while trying to connect with the AnyConnect client to see what error message pops up. This is what helped us!

Hope this helps!

Todd Pula Fri, 05/07/2010 - 10:04

As Myles stated above, if you are configuring a more specific tunnel group, you will need to allow the users to select the group they want to connect to. This can be accomplished using an alias with drop-down selection or a group URL. If a more specific connection profile is not selected, the user will hit the DefaultWEBVPNGroup tunnel group. The error that you are seeing typically means that an IP address could not be provided to the connecting client. This can happen if you are matching a tunnel group that doesn't have an address pool or DHCP server defined. Below is a sample config from my lab ASA which utilizes the alias approach.

webvpn
 enable outside
 csd image disk0:/csd_3.5.841-k9.pkg
 svc image disk0:/anyconnect-win-2.5.0196-k9.pkg 1
 svc enable
 tunnel-group-list enable   <-- enables tunnel-group selection via the drop-down menu on the logon page
 java-trustpoint CodeSigner
 cache
  disable

tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool TRUSTED-POOL
 default-group-policy AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable   <-- defines an alias for the tunnel group that will be presented in the above drop-down

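The two replies above describe one failure chain: an AnyConnect session that cannot select a specific connection profile falls through to DefaultWEBVPNGroup, and if the tunnel-group it lands in has no address-pool or dhcp-server (directly, or via its group-policy's "address-pools value"), CSTP cannot assign an address and the client sees "Host or network is 0". The following script is an added example, not from the thread or from Cisco, that audits a saved "show running-config" for exactly those two conditions. It assumes the one-space sub-command indentation the ASA emits (the paste in this thread lost it), seeds the implicit DefaultWEBVPNGroup because "show run" omits it when it is unmodified ("show run all tunnel-group" prints it), and uses a constructed, trimmed sample based on the posted config.

```python
"""Audit an ASA running-config for the AnyConnect "Host or network is 0" trap.

Added example, not part of the original thread. Two checks:
  1. every tunnel-group reachable by AnyConnect (including the implicit
     DefaultWEBVPNGroup) has an address-pool or dhcp-server, directly or
     through its default-group-policy's "address-pools value";
  2. every non-default tunnel-group is selectable by the client, i.e. has a
     group-url, or a group-alias together with "tunnel-group-list enable"
     under webvpn; otherwise connections fall through to DefaultWEBVPNGroup.
"""
from dataclasses import dataclass, field

# Constructed sample: trimmed from the config posted above, with the
# one-space indentation that a real "show running-config" produces.
SAMPLE_CONFIG = """\
ip local pool VPN-Pool 192.168.1.1-192.168.1.40 mask 255.255.255.0
webvpn
 enable outside
 svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Eastcoast internal
group-policy Eastcoast attributes
 vpn-tunnel-protocol IPSec svc webvpn
tunnel-group Eastcoast type remote-access
tunnel-group Eastcoast general-attributes
 address-pool VPN-Pool
 default-group-policy Eastcoast
tunnel-group Eastcoast ipsec-attributes
 pre-shared-key *****
tunnel-group east type remote-access
tunnel-group east general-attributes
 address-pool VPN-Pool
"""


@dataclass
class TunnelGroup:
    name: str
    pools: list = field(default_factory=list)    # address-pool / dhcp-server entries
    group_policy: str = "DfltGrpPolicy"          # ASA default when none is configured
    aliases: list = field(default_factory=list)  # "group-alias X enable"
    urls: list = field(default_factory=list)     # "group-url X enable"


def parse_config(text):
    """Return (tunnel_groups, policy_pools, tunnel_group_list_enabled)."""
    groups = {"DefaultWEBVPNGroup": TunnelGroup("DefaultWEBVPNGroup")}  # implicit group
    policy_pools = {}      # group-policy name -> pools from "address-pools value"
    tg_list_enabled = False
    section = None         # tokens of the current top-level (unindented) command
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):          # top-level command opens a new section
            section = line.split()
            continue
        if section is None:
            continue
        cmd = line.split()
        if section == ["webvpn"] and cmd[:2] == ["tunnel-group-list", "enable"]:
            tg_list_enabled = True
        elif section[0] == "tunnel-group" and len(section) >= 3:
            tg = groups.setdefault(section[1], TunnelGroup(section[1]))
            if section[2] == "general-attributes":
                if cmd[0] in ("address-pool", "dhcp-server"):
                    tg.pools.extend(cmd[1:])
                elif cmd[0] == "default-group-policy":
                    tg.group_policy = cmd[1]
            elif section[2] == "webvpn-attributes" and cmd[-1] == "enable":
                if cmd[0] == "group-alias":
                    tg.aliases.append(cmd[1])
                elif cmd[0] == "group-url":
                    tg.urls.append(cmd[1])
        elif section[0] == "group-policy" and len(section) >= 3 and section[2] == "attributes":
            if cmd[:2] == ["address-pools", "value"]:
                policy_pools.setdefault(section[1], []).extend(cmd[2:])
    return groups, policy_pools, tg_list_enabled


def find_problems(groups, policy_pools, tg_list_enabled):
    """One human-readable finding per misconfiguration; empty list means clean."""
    problems = []
    for tg in groups.values():
        effective = tg.pools or policy_pools.get(tg.group_policy, [])
        if not effective:
            problems.append(
                f"{tg.name}: no address-pool or dhcp-server (directly or via group-policy "
                f"{tg.group_policy}); AnyConnect landing here fails with 'Host or network is 0'")
        selectable = bool(tg.urls) or (bool(tg.aliases) and tg_list_enabled)
        if tg.name != "DefaultWEBVPNGroup" and not selectable:
            problems.append(
                f"{tg.name}: not selectable by AnyConnect users (needs group-url, or group-alias "
                "plus 'tunnel-group-list enable' under webvpn); sessions fall through to DefaultWEBVPNGroup")
    return problems


def audit(config_text):
    return find_problems(*parse_config(config_text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of "show running-config" (or better, "show running-config all tunnel-group", which also prints the implicit groups) saved to a file. On the sample it reports that DefaultWEBVPNGroup has no pool and that neither Eastcoast nor east can be selected by the client, which is the combination the debug output above ("webvpn_cstp_accept_address: no address?!?") corresponds to.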
sjbdallas Fri, 05/07/2010 - 08:16

Sorry for poking my nose into the troubleshooting, but can someone explain what this part of his config is:

service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

I'm not familiar with it.
