Anyconnect VPN issues

Unanswered Question
Sep 9th, 2010

Hey guys, I thought adding AnyConnect to my otherwise functioning configuration would be an easy job; unfortunately it isn't. I had remote VPN set up and can connect fine, but needed to add the webvpn configuration to allow AnyConnect. The issue is that whenever I try to bring up AnyConnect by typing the outside IP of the firewall into my browser from another site, I get the generic "Page cannot be displayed". So here is my configuration (am I missing anything?):


NOTE: I can ping the IP address 72.*.*.194 from another office


ASA# sh run
: Saved
:
: NOTE(review): configuration as originally posted (before the fix in the follow-up post).
: The enable/passwd/username hashes in this listing are public now - rotate them.
ASA Version 8.3(1)

hostname ASA
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0

interface Vlan2
nameif outside
security-level 0
ip address 72.*.*.194 255.255.255.248

interface Ethernet0/0
switchport access vlan 2

interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7

boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name mydomain.local

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
subnet 0.0.0.0 0.0.0.0

object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0

object network SERVER01
host 192.168.100.10

object network obj-LAN-192.168.100.0
subnet 192.168.100.0 255.255.255.0

: SERVER01/02/03 all resolve to the same host; one object would do.
object network SERVER02
host 192.168.100.10

object network SERVER03
host 192.168.100.10

: obj-OutsideIP is 72.*.*.94 while the outside interface above is 72.*.*.194 - looks like a typo
: (the follow-up post uses .194). The object is not referenced by any nat line below.
object network obj-OutsideIP
host 72.*.*.94

object network obj-SSLClientPool
subnet 192.168.102.0 255.255.255.0

access-list splittunnel standard permit 192.168.100.0 255.255.255.0

access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_in extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_in extended permit tcp any host 192.168.100.10 eq www
access-list outside_in extended permit tcp any host 192.168.100.10 eq https
access-list outside_in extended permit tcp any host 192.168.100.10 eq smtp
: On 8.3 an interface ACL matches the real (pre-NAT) address; the three entries above already
: admit www/https/smtp to 192.168.100.10, so these two entries against the outside IP
: presumably never match anything.
access-list outside_in extended permit tcp any host 72.*.*.94 eq www
access-list outside_in extended permit tcp any host 72.*.*.94 eq https

pager lines 24
logging asdm informational

mtu inside 1500
mtu outside 1500

ip local pool vpnpool 192.168.101.50-192.168.101.100
ip local pool SSLClientPool 192.168.102.1-192.168.102.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400

: Identity (NAT-exempt) rules so LAN<->VPN-pool traffic is not PATed to the interface by obj_any.
nat (inside,outside) source static obj-LAN-192.168.100.0 obj-LAN-192.168.100.0 destination static obj-vpnPool obj-vpnPool
nat (inside,outside) source static obj-LAN-192.168.100.0 obj-LAN-192.168.100.0 destination static obj-SSLClientPool obj-SSLClientPool

object network obj_any
nat (inside,outside) dynamic interface

object network SERVER01
nat (inside,outside) static interface service tcp smtp smtp

object network SERVER02
nat (inside,outside) static interface service tcp www www

: This PAT claims tcp/443 on the outside interface, which is presumably why webvpn below
: cannot listen on 443 and is set to 442: a browser hitting https://<outside-ip> with no port
: is forwarded to SERVER03, not to the AnyConnect portal.
object network SERVER03
nat (inside,outside) static interface service tcp https https

access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.*.*.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

: Management logins use the LOCAL user database - the same usernames (all privilege 15) defined
: for VPN further down.
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL

http server enable
: 192.168.1.0/24 is not the inside subnet (192.168.100.0/24) and is covered by the 0.0.0.0 entry
: anyway; consider limiting ASDM/HTTP access to admin hosts rather than any inside address.
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside

no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart

: 3DES/MD5 are legacy algorithms; prefer AES/SHA where the IPsec clients allow it.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route

crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside

crypto isakmp identity address
: No inside IKE peers appear in this config - 'enable inside' is likely unnecessary.
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000

: Telnet is cleartext; allowing it from 0.0.0.0/0 on outside is a management exposure (the ASA
: normally refuses Telnet on its lowest-security interface unless the session arrives over VPN,
: so at best this line is dead config). Remove it, or restrict Telnet to trusted inside hosts.
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60

: SSH from any source on both interfaces; restrict to admin hosts / the VPN pool.
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60

: 0 = console sessions never time out.
console timeout 0

management-access inside

dhcpd dns 192.168.100.10 205.152.132.23
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
: outside has a static address (interface Vlan2), so auto_config has no DHCP lease to copy from.
dhcpd auto_config outside

dhcpd address 192.168.100.50-192.168.100.100 inside
dhcpd enable inside


priority-queue inside
priority-queue outside

threat-detection basic-threat
threat-detection statistics access-list

no threat-detection statistics tcp-intercept


: Portal listens on 442, so clients must browse to https://<outside-ip>:442 - the bare outside IP
: goes to the tcp/443 PAT above. No 'dtls port' is set here (the follow-up post adds one).
webvpn
port 442
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable

group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.100.10 205.152.132.23
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local
address-pools value SSLClientPool

: examplevpn allows IPSec only - no svc/webvpn.
group-policy examplevpn internal
group-policy examplevpn attributes
dns-server value 192.168.100.10 205.152.132.23
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local

: A user-level vpn-group-policy takes precedence over the tunnel-group's default policy, so
: user1/3/4/5 are bound to examplevpn (IPSec only) even when they pick the SSL tunnel-group;
: presumably AnyConnect would be refused for them even on the right port. All users also carry
: privilege 15; service-type remote-access keeps them out of management logins.
username user1 password D31hvx3jXaWXFqn7 encrypted privilege 15
username user1 attributes
vpn-group-policy examplevpn
service-type remote-access

username user2 password 12xa6U5eP9dlaTvH encrypted privilege 15
username user2 attributes
service-type remote-access

username user3 password uawVky7FnPv1TNTc encrypted privilege 15
username user3 attributes
vpn-group-policy examplevpn
service-type remote-access

username user4 password DwCTJcBn.Q0dDe9z encrypted privilege 15
username user4 attributes
vpn-group-policy examplevpn
service-type remote-access

username user5 password yIofvvZfJ4xLCwI6 encrypted privilege 15
username user5 attributes
vpn-group-policy examplevpn
service-type remote-access

: Empty tunnel-group; the 'RA-VPN' in the crypto map refers to the dynamic-map name, not this
: group - candidate for removal.
tunnel-group RA-VPN type remote-access

tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy examplevpn

tunnel-group examplevpn ipsec-attributes
pre-shared-key *****

tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool SSLClientPool
default-group-policy SSLClientPolicy

tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable

: global-class is defined but not referenced in global_policy below.
class-map global-class
match default-inspection-traffic

class-map class_sip_tcp
match port tcp eq sip

class-map inspection_default
match default-inspection-traffic

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect icmp
  inspect ipsec-pass-thru
  inspect ip-options
class class_sip_tcp
  inspect sip
!
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f6bfc493482b70a0a9ae6e8881b3f5c8
: end

Yudong Wu Thu, 09/09/2010 - 22:50

When you try SSLVPN, do you specify port 442?

Based on your configuration, you changed the port from 443 to 442.


You can try to telnet to the outside IP on port 442 to see whether anything in between is blocking this port.


Also check the ASA log when the SSLVPN connection fails to see what error message you get.

vickyleach1 Fri, 09/10/2010 - 12:35

Yeah, I noticed I had done that. I am one of those types that will basically try everything to get something to work in an illogical way, but once I have accomplished a new type of configuration I never forget. My colleague helped me last night and fixed the connection issue. I am posting the config for others to reference. I kept the regular VPN info in there so user4 can connect via the regular VPN client. I am curious whether there are any unnecessary configuration lines in there; any ideas? Oh, also for future reference to others: I had to upgrade my SSL licensing, as by default it was set to 2 licenses... very annoying. Anyway, here is the configuration now:


ASA#  sh run
: Saved
: NOTE(review): working configuration as posted. Annotations mark lines that appear unused
: (the poster asked about these) and settings worth tightening.


ASA Version 8.3(1)


hostname ASA
domain-name mydomain.local
: These credential hashes are now public - rotate enable, passwd and every username below.
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names


interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0


interface Vlan2
nameif outside
security-level 0
ip address 72.*.*.194 255.255.255.248


interface Ethernet0/0
switchport access vlan 2


interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7


boot system disk0:/asa831-k8.bin
ftp mode passive


clock timezone CST -6
clock summer-time CDT recurring


dns server-group DefaultDNS
domain-name mydomain.local


: intra-interface is what lets VPN-to-VPN (hairpin) traffic on outside flow; drop it if not needed.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


object network obj_any
subnet 0.0.0.0 0.0.0.0


object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0


object network obj-LAN-192.168.100.0
subnet 192.168.100.0 255.255.255.0


: obj-OutsideIP is not referenced by any nat or access-list line below - candidate for removal.
object network obj-OutsideIP
host 72.*.*.194


: obj-SSLClientPool is likewise unreferenced now that both tunnel-groups use vpnpool (192.168.101.x)
: and the 192.168.102.x local pool is gone.
object network obj-SSLClientPool
subnet 192.168.102.0 255.255.255.0


access-list splittunnel standard permit 192.168.100.0 255.255.255.0
: VPN-pool <-> LAN permits. With the default 'sysopt connection permit-vpn', decrypted VPN traffic
: bypasses the outside interface ACL, so these two entries may be redundant - verify with
: 'show run sysopt'.
access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_in extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24


logging asdm informational


mtu inside 1500
mtu outside 1500


ip local pool vpnpool 192.168.101.50-192.168.101.100


icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400


: Identity (NAT-exempt) rule so LAN<->VPN-pool traffic is not PATed to the interface by obj_any.
nat (inside,outside) source static obj-LAN-192.168.100.0 obj-LAN-192.168.100.0 destination static obj-vpnPool obj-vpnPool


object network obj_any
nat (inside,outside) dynamic interface


access-group outside_in in interface outside


route outside 0.0.0.0 0.0.0.0 72.*.*.193 1


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00


dynamic-access-policy-record DfltAccessPolicy


: Management logins use the LOCAL database - the same usernames (all privilege 15) defined for VPN
: further down; see the note on user4.
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL


http server enable
: 192.168.1.0/24 is not the inside subnet (192.168.100.0/24) and is covered by the 0.0.0.0 entry
: anyway - stale. Consider limiting ASDM/HTTP access to admin hosts rather than any inside address.
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside


no snmp-server location
no snmp-server contact
: Community-string SNMP; restrict polling to known management hosts.
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart


: 3DES/MD5 (and 'hash md5' in policy 10) are legacy; prefer AES/SHA where the IPsec clients allow it.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000


crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route


crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside


crypto isakmp identity address
: No inside IKE peers appear in this config - 'enable inside' is likely unnecessary.
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400


crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


crypto isakmp nat-traversal 10
: IPsec-over-TCP on port 1000 - keep only if the IPsec clients actually use it.
crypto isakmp ipsec-over-tcp port 1000


: Telnet is cleartext; allowing it from 0.0.0.0/0 on outside is a management exposure (the ASA
: normally refuses Telnet on its lowest-security interface unless the session arrives over VPN,
: so at best this line is dead config). Remove it, or restrict Telnet to trusted inside hosts.
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60


: SSH from any source on both interfaces, authenticated against LOCAL; restrict to admin hosts /
: the VPN pool.
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60


: 0 = console sessions never time out.
console timeout 0


management-access inside


dhcpd dns 192.168.100.10 205.152.132.23
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
: outside has a static address (interface Vlan2), so auto_config has no DHCP lease to copy from.
dhcpd auto_config outside


dhcpd address 192.168.100.50-192.168.100.100 inside
dhcpd enable inside



priority-queue inside
priority-queue outside


threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept


: Portal and AnyConnect on 442 for both TLS and DTLS; clients must connect to https://<outside-ip>:442.
webvpn
port 442
enable outside
dtls port 442
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable


: Policy used by both tunnel-groups below; allows IPsec and SSL (svc) clients. 180-minute idle timeout.
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.100.10 205.152.132.23
vpn-idle-timeout 180
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local


: IPSec-only policy; after the changes below it is only reached through user4's attributes.
group-policy examplevpn internal
group-policy examplevpn attributes
dns-server value 192.168.100.10 205.152.132.23
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local


: All VPN users carry privilege 15. 'service-type remote-access' keeps user1-3 out of management
: logins (SSH/Telnet/ASDM authenticate against LOCAL above).
: NOTE(review): under 'username ... attributes' the ASA keyword for a policy binding is
: vpn-group-policy (as used in the earlier post); 'default-group-policy' here (and for user2-4)
: may be a transcription slip - verify against the running config.
username user1 password D31hvx3jXaWXFqn7 encrypted privilege 15
username user1 attributes
default-group-policy SSLClientPolicy
service-type remote-access


username user2 password 12xa6U5eP9dlaTvH encrypted privilege 15
username user2 attributes

default-group-policy SSLClientPolicy
service-type remote-access


username user3 password uawVky7FnPv1TNTc encrypted privilege 15
username user3 attributes
default-group-policy SSLClientPolicy
service-type remote-access


: user4 has no 'service-type remote-access', so with privilege 15 this account can also log in to
: the ASA itself over SSH/Telnet/ASDM - presumably unintended; add the service-type line as for
: the other users.
username user4 password DwCTJcBn.Q0dDe9z encrypted privilege 15
username user4 attributes

default-group-policy examplevpn


: ISAKMP keepalive on the default SSL group - an IPsec setting on an SSL tunnel-group; unlikely
: to do anything here.
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2


: Empty tunnel-group; the 'RA-VPN' in the crypto map refers to the dynamic-map name, not this
: group - candidate for removal.
tunnel-group RA-VPN type remote-access
: IPsec client tunnel-group; it now hands out SSLClientPolicy rather than examplevpn.
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy SSLClientPolicy


tunnel-group examplevpn ipsec-attributes
pre-shared-key *****


: AnyConnect tunnel-group, selected via the SSLVPNClient alias; shares vpnpool with examplevpn.
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool vpnpool
default-group-policy SSLClientPolicy


tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable


: IPsec PSK on the SSL tunnel-group - not used by AnyConnect over SSL/DTLS; remove unless IPsec
: clients are meant to connect to this group.
tunnel-group SSLClientProfile ipsec-attributes
pre-shared-key *****


: global-class is defined but not referenced in global_policy below.
class-map global-class
match default-inspection-traffic


class-map class_sip_tcp
match port tcp eq sip


class-map inspection_default
match default-inspection-traffic



policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512


policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect icmp
  inspect ipsec-pass-thru
  inspect ip-options
class class_sip_tcp
  inspect sip
!
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:09aea6db0674c8eb6976e3b519edb998
: end
