Anyconnect VPN issues

Sep 9th, 2010

Hey guys, I thought adding AnyConnect to my otherwise functioning configuration would be an easy job; unfortunately it isn't. I had remote VPN set up and can connect fine, but I needed to add the webvpn configuration to allow AnyConnect. The issue is that whenever I try to bring up AnyConnect by typing the outside IP of the firewall in my browser from another site, I get the generic "Page cannot be displayed" error, so here is my configuration (am I missing anything?):

NOTE: I can ping the IP address 72.*.*.194 from another office

ASA# sh run
: Saved
:
ASA Version 8.3(1)

hostname ASA
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

! inside = LAN 192.168.100.0/24, outside = Internet-facing /29
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0

interface Vlan2
nameif outside
security-level 0
ip address 72.*.*.194 255.255.255.248

interface Ethernet0/0
switchport access vlan 2

interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7

boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name mydomain.local

! intra-interface permits traffic that enters and leaves on the same interface
! (e.g. VPN-client to VPN-client hairpinning on "outside"); keep only if that is needed.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
subnet 0.0.0.0 0.0.0.0

! Pools of the two remote-access services; referenced by the identity-NAT lines below.
object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0

! SERVER01/02/03 are three objects for the same host. In 8.3 object NAT each object
! carries at most one "nat" line, which is presumably why one object per published service exists.
object network SERVER01
host 192.168.100.10

object network obj-LAN-192.168.100.0
subnet 192.168.100.0 255.255.255.0

object network SERVER02
host 192.168.100.10

object network SERVER03
host 192.168.100.10

! NOTE(review): 72.*.*.94 is not the outside interface address (72.*.*.194) and this object is
! not referenced by any nat or access-list line in this listing -- likely a typo / leftover.
object network obj-OutsideIP
host 72.*.*.94

object network obj-SSLClientPool
subnet 192.168.102.0 255.255.255.0

! Only the LAN is tunnelled for remote-access clients (split tunnelling).
access-list splittunnel standard permit 192.168.100.0 255.255.255.0

! outside_in: inbound policy on the Internet-facing interface.
! NOTE(review): from 8.3 on, access-lists match the real (pre-NAT) address, so the entries on
! 192.168.100.10 are the ones that admit the published www/https/smtp services; the two entries
! for 72.*.*.94 should not match translated traffic -- confirm with the hit counters and drop if unused.
access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_in extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_in extended permit tcp any host 192.168.100.10 eq www
access-list outside_in extended permit tcp any host 192.168.100.10 eq https
access-list outside_in extended permit tcp any host 192.168.100.10 eq smtp
access-list outside_in extended permit tcp any host 72.*.*.94 eq www
access-list outside_in extended permit tcp any host 72.*.*.94 eq https

pager lines 24
logging asdm informational

mtu inside 1500
mtu outside 1500

! vpnpool feeds the IPsec tunnel-group (examplevpn); SSLClientPool feeds the AnyConnect group-policy.
ip local pool vpnpool 192.168.101.50-192.168.101.100
ip local pool SSLClientPool 192.168.102.1-192.168.102.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400

! Identity (exemption) NAT so LAN <-> VPN-pool traffic is not caught by the dynamic PAT below.
nat (inside,outside) source static obj-LAN-192.168.100.0 obj-LAN-192.168.100.0 destination static obj-vpnPool obj-vpnPool
nat (inside,outside) source static obj-LAN-192.168.100.0 obj-LAN-192.168.100.0 destination static obj-SSLClientPool obj-SSLClientPool

! Dynamic PAT of all other inside traffic to the outside interface address.
object network obj_any
nat (inside,outside) dynamic interface

! Static PAT: smtp/www/https on the outside interface address are published to 192.168.100.10.
object network SERVER01
nat (inside,outside) static interface service tcp smtp smtp

object network SERVER02
nat (inside,outside) static interface service tcp www www

object network SERVER03
nat (inside,outside) static interface service tcp https https

access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.*.*.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

! Management-plane logins (ssh/telnet/ASDM) are authenticated against the local user database,
! i.e. the same "username" entries that authenticate VPN logins further down.
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL

! NOTE(review): the 0.0.0.0/0 line admits ASDM from any inside source and makes the 192.168.1.0/24
! line redundant (the inside subnet is 192.168.100.0/24 anyway); tighten to the admin hosts.
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside

no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart

! IPsec remote access for the legacy client: 3DES / MD5, ISAKMP DH group 2.
! NOTE(review): these are legacy algorithms; move to stronger ones where the clients support them.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route

crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside

crypto isakmp identity address
! NOTE(review): IKE is also enabled on "inside"; only needed if IPsec peers terminate there.
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000

! NOTE(review): Telnet and SSH management are open from any source on "outside" (0.0.0.0/0).
! Telnet is cleartext; the usual practice is to remove the outside telnet line entirely and to
! restrict outside SSH to known management addresses (or manage over the VPN only).
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60

ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60

! 0 = console sessions never time out.
console timeout 0

management-access inside

dhcpd dns 192.168.100.10 205.152.132.23
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside

dhcpd address 192.168.100.50-192.168.100.100 inside
dhcpd enable inside


priority-queue inside
priority-queue outside

threat-detection basic-threat
threat-detection statistics access-list

no threat-detection statistics tcp-intercept


! AnyConnect (SSL VPN) listener. Port 442 is non-default, so clients must connect to
! https://<outside-ip>:442 rather than the bare address (this is the cause raised in the first reply).
! The number of concurrent AnyConnect sessions is also bounded by the SSL VPN license.
webvpn
port 442
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable

! Group policy for AnyConnect users (address pool assigned here rather than in the tunnel-group).
! NOTE(review): vpn-tunnel-protocol also allows IPSec and l2tp-ipsec; "svc" (plus "webvpn" if the
! clientless portal is wanted) is all AnyConnect needs -- narrow it to what is actually used.
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.100.10 205.152.132.23
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local
address-pools value SSLClientPool

! Group policy for the legacy IPsec client (tunnel-group examplevpn).
group-policy examplevpn internal
group-policy examplevpn attributes
dns-server value 192.168.100.10 205.152.132.23
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local

! Local users. NOTE(review): every account carries "privilege 15" (the full administrative level)
! while the same database authenticates ssh/telnet/ASDM management above. "service-type
! remote-access" is what limits an account to VPN use, so keep it on every VPN-only account and
! consider a lower privilege for them. user2 has no vpn-group-policy and therefore inherits
! DfltGrpPolicy -- confirm that is intended.
username user1 password D31hvx3jXaWXFqn7 encrypted privilege 15
username user1 attributes
vpn-group-policy examplevpn
service-type remote-access

username user2 password 12xa6U5eP9dlaTvH encrypted privilege 15
username user2 attributes
service-type remote-access

username user3 password uawVky7FnPv1TNTc encrypted privilege 15
username user3 attributes
vpn-group-policy examplevpn
service-type remote-access

username user4 password DwCTJcBn.Q0dDe9z encrypted privilege 15
username user4 attributes
vpn-group-policy examplevpn
service-type remote-access

username user5 password yIofvvZfJ4xLCwI6 encrypted privilege 15
username user5 attributes
vpn-group-policy examplevpn
service-type remote-access

! NOTE(review): tunnel-group RA-VPN has no attributes and nothing references it (the crypto
! dynamic-map of the same name is a separate object) -- probably removable.
tunnel-group RA-VPN type remote-access

! Legacy IPsec remote-access group; the group name plus the pre-shared key below are what the
! IPsec client is configured with.
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy examplevpn

tunnel-group examplevpn ipsec-attributes
pre-shared-key *****

! AnyConnect group; "SSLVPNClient" is the alias offered in the client's group list.
! No authentication-server-group is set, so logins use the LOCAL database.
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool SSLClientPool
default-group-policy SSLClientPolicy

tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable

! NOTE(review): global-class is not referenced by any policy-map in this listing.
class-map global-class
match default-inspection-traffic

class-map class_sip_tcp
match port tcp eq sip

class-map inspection_default
match default-inspection-traffic

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
! NOTE(review): no "service-policy global_policy global" line appears anywhere in this listing,
! so it is unclear whether these inspections are applied -- verify with "show service-policy".
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect icmp
  inspect ipsec-pass-thru
  inspect ip-options
class class_sip_tcp
  inspect sip
!
prompt hostname context
! Smart Call Home profile is present but disabled ("no active").
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f6bfc493482b70a0a9ae6e8881b3f5c8
: end

Yudong Wu Thu, 09/09/2010 - 22:50

When you try SSLVPN, do you specify port 442?

Based on your configuration, you changed the port from 443 to 442.

You can try to telnet to the outside IP on port 442 to see whether anything in the middle is blocking this port.

Also check the ASA log when the SSLVPN connection fails to see what error message you get.

vickyleach1 Fri, 09/10/2010 - 12:35

Yeah, I noticed I had done that. I am one of those types that will basically try everything to get something to work in an illogical way, but once I have accomplished a new type of configuration I never forget. My colleague helped me last night and fixed the connection issue. I am posting the config for others to reference. I kept the regular VPN info in there so user4 can connect via the regular VPN client. I am curious if there are any unnecessary configuration lines in there, any ideas? Oh, also for future reference to others, I had to upgrade my SSL licensing as by default it was set to 2 licenses... very annoying. Anyway, here is the configuration now:

ASA#  sh run
: Saved

ASA Version 8.3(1)

hostname ASA
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

! inside = LAN 192.168.100.0/24, outside = Internet-facing /29
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0

interface Vlan2
nameif outside
security-level 0
ip address 72.*.*.194 255.255.255.248

interface Ethernet0/0
switchport access vlan 2

interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7

boot system disk0:/asa831-k8.bin
ftp mode passive

clock timezone CST -6
clock summer-time CDT recurring

dns server-group DefaultDNS
domain-name mydomain.local

! intra-interface permits traffic that enters and leaves on the same interface
! (e.g. VPN-client to VPN-client hairpinning on "outside"); keep only if that is needed.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
subnet 0.0.0.0 0.0.0.0

! Pool shared by both remote-access tunnel-groups below; referenced by the identity-NAT line.
object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0

object network obj-LAN-192.168.100.0
subnet 192.168.100.0 255.255.255.0

! NOTE(review): obj-OutsideIP is not referenced by any nat or access-list line -- removable.
object network obj-OutsideIP
host 72.*.*.194

! NOTE(review): obj-SSLClientPool is no longer referenced (both tunnel-groups now use vpnpool and
! the matching "ip local pool SSLClientPool" is gone) -- removable.
object network obj-SSLClientPool
subnet 192.168.102.0 255.255.255.0

! Only the LAN is tunnelled for remote-access clients (split tunnelling).
access-list splittunnel standard permit 192.168.100.0 255.255.255.0
! outside_in: inbound policy on the Internet-facing interface; now VPN-pool traffic only.
! NOTE(review): the static PATs and www/https/smtp entries of the earlier listing are gone, so
! 192.168.100.10 is no longer published to the Internet -- confirm that was intended.
access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_in extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24

logging asdm informational

mtu inside 1500
mtu outside 1500

! Single address pool, used by both the IPsec and the AnyConnect tunnel-group.
ip local pool vpnpool 192.168.101.50-192.168.101.100

icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400

! Identity (exemption) NAT so LAN <-> VPN-pool traffic is not caught by the dynamic PAT below.
nat (inside,outside) source static obj-LAN-192.168.100.0 obj-LAN-192.168.100.0 destination static obj-vpnPool obj-vpnPool

! Dynamic PAT of all other inside traffic to the outside interface address.
object network obj_any
nat (inside,outside) dynamic interface

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 72.*.*.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

! Management-plane logins (ssh/telnet/ASDM) are authenticated against the local user database,
! i.e. the same "username" entries that authenticate VPN logins further down.
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL

! NOTE(review): the 0.0.0.0/0 line admits ASDM from any inside source and makes the 192.168.1.0/24
! line redundant (the inside subnet is 192.168.100.0/24 anyway); tighten to the admin hosts.
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside

no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart

! IPsec remote access for the legacy client: 3DES / MD5, ISAKMP DH group 2.
! NOTE(review): these are legacy algorithms; move to stronger ones where the clients support them.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route

crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside

crypto isakmp identity address
! NOTE(review): IKE is also enabled on "inside"; only needed if IPsec peers terminate there.
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000

! NOTE(review): Telnet and SSH management are open from any source on "outside" (0.0.0.0/0).
! Telnet is cleartext; the usual practice is to remove the outside telnet line entirely and to
! restrict outside SSH to known management addresses (or manage over the VPN only).
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60

ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60

! 0 = console sessions never time out.
console timeout 0

management-access inside

dhcpd dns 192.168.100.10 205.152.132.23
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside

dhcpd address 192.168.100.50-192.168.100.100 inside
dhcpd enable inside


priority-queue inside
priority-queue outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

! AnyConnect (SSL VPN) listener on the non-default port 442: clients connect to
! https://<outside-ip>:442. DTLS runs over UDP, so anything upstream must pass UDP/442 as well
! as TCP/442 for DTLS to come up (the client falls back to TLS otherwise).
! Concurrent AnyConnect sessions are bounded by the SSL VPN license.
webvpn
port 442
enable outside
dtls port 442
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable

! Group policy for AnyConnect users; idle sessions are dropped after 180 minutes.
! NOTE(review): vpn-tunnel-protocol also allows IPSec and l2tp-ipsec; "svc" (plus "webvpn" if the
! clientless portal is wanted) is all AnyConnect needs -- narrow it to what is actually used.
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.100.10 205.152.132.23
vpn-idle-timeout 180
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local

! Group policy for the legacy IPsec client; with tunnel-group examplevpn now defaulting to
! SSLClientPolicy, this policy is only reached through user4's per-user attribute below.
group-policy examplevpn internal
group-policy examplevpn attributes
dns-server value 192.168.100.10 205.152.132.23
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local

! Local users. NOTE(review): every account carries "privilege 15" (the full administrative level)
! while the same database authenticates ssh/telnet/ASDM management above. "service-type
! remote-access" is what limits an account to VPN use; user4 no longer has it (the earlier listing
! did) -- confirm that user4 is meant to be allowed management logins.
! NOTE(review): the earlier listing used "vpn-group-policy" under username attributes;
! "default-group-policy" is the keyword used under tunnel-group general-attributes -- verify that
! this text is what the ASA actually shows.
username user1 password D31hvx3jXaWXFqn7 encrypted privilege 15
username user1 attributes
default-group-policy SSLClientPolicy
service-type remote-access

username user2 password 12xa6U5eP9dlaTvH encrypted privilege 15
username user2 attributes

default-group-policy SSLClientPolicy
service-type remote-access

username user3 password uawVky7FnPv1TNTc encrypted privilege 15
username user3 attributes
default-group-policy SSLClientPolicy
service-type remote-access

username user4 password DwCTJcBn.Q0dDe9z encrypted privilege 15
username user4 attributes

default-group-policy examplevpn

! NOTE(review): IKE keepalive on the default WebVPN tunnel-group is not used by the named
! SSL/IPsec groups below -- looks like a leftover.
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2

! NOTE(review): tunnel-group RA-VPN has no attributes and nothing references it (the crypto
! dynamic-map of the same name is a separate object) -- probably removable.
tunnel-group RA-VPN type remote-access
! Legacy IPsec remote-access group (user4 / the regular VPN client).
! NOTE(review): its default group policy is now SSLClientPolicy rather than examplevpn.
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy SSLClientPolicy

tunnel-group examplevpn ipsec-attributes
pre-shared-key *****

! AnyConnect group; "SSLVPNClient" is the alias offered in the client's group list.
! No authentication-server-group is set, so logins use the LOCAL database.
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool vpnpool
default-group-policy SSLClientPolicy

tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable

! NOTE(review): a pre-shared key is only used for IPsec; AnyConnect over SSL does not need it.
! Drop it unless this group is meant to accept the IPsec client too.
tunnel-group SSLClientProfile ipsec-attributes
pre-shared-key *****

! NOTE(review): global-class is not referenced by any policy-map in this listing.
class-map global-class
match default-inspection-traffic

class-map class_sip_tcp
match port tcp eq sip

class-map inspection_default
match default-inspection-traffic


policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512

! NOTE(review): no "service-policy global_policy global" line appears anywhere in this listing,
! so it is unclear whether these inspections are applied -- verify with "show service-policy".
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect icmp
  inspect ipsec-pass-thru
  inspect ip-options
class class_sip_tcp
  inspect sip
!
prompt hostname context
! Smart Call Home profile is present but disabled ("no active").
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:09aea6db0674c8eb6976e3b519edb998
: end
