09-09-2010 02:16 PM - edited 02-21-2020 04:50 PM
Hey guys, I thought adding AnyConnect to my otherwise functioning configuration would be an easy job; unfortunately it isn't. I had remote VPN set up and can connect fine, but I needed to add the webvpn configuration to allow AnyConnect. The issue is that whenever I try to bring up AnyConnect by typing the outside IP of the firewall in my browser from another site, I get the generic "Page cannot be displayed". So here is my configuration (am I missing anything?):
NOTE: I can ping the IP address 72.*.*.194 from another office
ASA# sh run
: Saved
:
ASA Version 8.3(1)
hostname ASA
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 72.*.*.194 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name mydomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0
object network SERVER01
host 192.168.100.10
object network obj-LAN-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network SERVER02
host 192.168.100.10
object network SERVER03
host 192.168.100.10
object network obj-OutsideIP
host 72.*.*.94
object network obj-SSLClientPool
subnet 192.168.102.0 255.255.255.0
access-list splittunnel standard permit 192.168.100.0 255.255.255.0
access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_in extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_in extended permit tcp any host 192.168.100.10 eq www
access-list outside_in extended permit tcp any host 192.168.100.10 eq https
access-list outside_in extended permit tcp any host 192.168.100.10 eq smtp
access-list outside_in extended permit tcp any host 72.*.*.94 eq www
access-list outside_in extended permit tcp any host 72.*.*.94 eq https
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.101.50-192.168.101.100
ip local pool SSLClientPool 192.168.102.1-192.168.102.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-LAN-192.168.100.0 obj-LAN-192.168.100.0 destination static obj-vpnPool obj-vpnPool
nat (inside,outside) source static obj-LAN-192.168.100.0 obj-LAN-192.168.100.0 destination static obj-SSLClientPool obj-SSLClientPool
object network obj_any
nat (inside,outside) dynamic interface
object network SERVER01
nat (inside,outside) static interface service tcp smtp smtp
object network SERVER02
nat (inside,outside) static interface service tcp www www
object network SERVER03
nat (inside,outside) static interface service tcp https https
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.*.*.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route
crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 192.168.100.10 205.152.132.23
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside
dhcpd address 192.168.100.50-192.168.100.100 inside
dhcpd enable inside
priority-queue inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 442
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.100.10 205.152.132.23
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local
address-pools value SSLClientPool
group-policy examplevpn internal
group-policy examplevpn attributes
dns-server value 192.168.100.10 205.152.132.23
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local
username user1 password D31hvx3jXaWXFqn7 encrypted privilege 15
username user1 attributes
vpn-group-policy examplevpn
service-type remote-access
username user2 password 12xa6U5eP9dlaTvH encrypted privilege 15
username user2 attributes
service-type remote-access
username user3 password uawVky7FnPv1TNTc encrypted privilege 15
username user3 attributes
vpn-group-policy examplevpn
service-type remote-access
username user4 password DwCTJcBn.Q0dDe9z encrypted privilege 15
username user4 attributes
vpn-group-policy examplevpn
service-type remote-access
username user5 password yIofvvZfJ4xLCwI6 encrypted privilege 15
username user5 attributes
vpn-group-policy examplevpn
service-type remote-access
tunnel-group RA-VPN type remote-access
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy examplevpn
tunnel-group examplevpn ipsec-attributes
pre-shared-key *****
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool SSLClientPool
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
class-map global-class
match default-inspection-traffic
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect tftp
inspect sunrpc
inspect xdmcp
inspect sip
inspect icmp
inspect ipsec-pass-thru
inspect ip-options
class class_sip_tcp
inspect sip
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f6bfc493482b70a0a9ae6e8881b3f5c8
: end
09-09-2010 10:50 PM
When you try SSLVPN, do you specify port 442?
Based on your configuration, you changed the port from 443 to 442.
You can try to telnet to the outside IP on port 442 to see if there is anything in the middle blocking this port.
Also check the ASA log when the SSLVPN connection fails to see what error message you get in the log.
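The "telnet to the outside IP on port 442" check from this reply, written out as an added example that is not part of the thread. A plain TCP connect only tells you whether the port answers; the probe below also attempts a TLS handshake, so it can separate three cases the thread runs into: nothing listening (RST, "refused"), a filter in the path dropping the port silently ("timeout"), and a port that is open but answered by something other than the ASA's WebVPN listener ("handshake failed"). The fake listener and the unused-port helper are constructed so the script can demonstrate the last two cases locally; the address in the `__main__` block is an RFC 5737 documentation address standing in for the poster's masked 72.*.*.194.

```python
"""Probe an ASA WebVPN listener that was moved off 443 (here: TCP 442).

Added example, not from the original thread. Only the Python standard
library is used.
"""
import socket
import ssl
import threading


def probe_webvpn_port(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect once and report what the port does.

    result["tcp"]: 'open', 'refused' (host sent RST: nothing listening),
                   'timeout' (no reply at all: usually a filter in the path)
                   or 'error: ...'.
    result["tls"]: only when tcp is 'open': 'ok' (plus version and cipher),
                   or 'handshake failed: ...' when the port is open but does
                   not answer with a TLS ServerHello, i.e. something other
                   than the WebVPN listener is answering.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"tcp": "refused"}
    except (socket.timeout, TimeoutError):
        return {"tcp": "timeout"}
    except OSError as exc:
        return {"tcp": f"error: {exc}"}

    result = {"tcp": "open"}
    ctx = ssl.create_default_context()
    # Verification is disabled on purpose: the ASA's default WebVPN
    # certificate is self-signed and the question here is only whether
    # the port speaks TLS at all, not whether the certificate is trusted.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["tls"] = "ok"
            result["version"] = tls.version()
            result["cipher"] = tls.cipher()[0]
    except ssl.SSLError as exc:
        result["tls"] = f"handshake failed: {exc.reason or exc}"
    except (socket.timeout, TimeoutError):
        result["tls"] = "timeout"
    except OSError as exc:
        result["tls"] = f"error: {exc}"
    return result


def start_fake_listener(reply: bytes = b"HTTP/1.0 403 Forbidden\r\n\r\n") -> int:
    """Constructed stand-in for 'something in the middle': a local TCP
    listener that accepts one connection, reads the ClientHello and answers
    with plain HTTP instead of TLS. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(10)

    def serve() -> None:
        try:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)      # swallow the ClientHello
                conn.sendall(reply)  # deliberately not a ServerHello
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def find_closed_port() -> int:
    """Pick a local port nothing is listening on (to show the 'refused' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # 203.0.113.194 is a documentation address standing in for 72.*.*.194.
    print("real target:", probe_webvpn_port("203.0.113.194", 442))
    print("open, not TLS:", probe_webvpn_port("127.0.0.1", start_fake_listener()))
    print("closed port: ", probe_webvpn_port("127.0.0.1", find_closed_port()))
```

Run it from the remote office, not from inside the LAN, since the question is what the path in between does to TCP 442. Note that this probe covers only the TLS side; AnyConnect's DTLS channel runs over UDP on whatever `dtls port` is configured, and a UDP port being filtered shows up as a tunnel that connects but falls back to TLS, not as a failed page load.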
09-10-2010 12:35 PM
Yeah, I noticed I had done that. I am one of those types that will basically try everything to get something to work in an illogical way, but once I have accomplished a new type of configuration I never forget. My colleague helped me last night and fixed the connection issue. I am posting the config for others to reference. I kept the regular VPN info in there so user4 can connect via the regular VPN client. I am curious if there are any unnecessary configuration lines in there; any ideas? Oh, also for future reference to others, I had to upgrade my SSL licensing, as by default it was set to 2 licenses... very annoying. Anyway, here is the configuration now:
ASA# sh run
: Saved
ASA Version 8.3(1)
hostname ASA
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 72.*.*.194 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name mydomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0
object network obj-LAN-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-OutsideIP
host 72.*.*.194
object network obj-SSLClientPool
subnet 192.168.102.0 255.255.255.0
access-list splittunnel standard permit 192.168.100.0 255.255.255.0
access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_in extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.101.50-192.168.101.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-LAN-192.168.100.0 obj-LAN-192.168.100.0 destination static obj-vpnPool obj-vpnPool
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.*.*.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route
crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 192.168.100.10 205.152.132.23
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside
dhcpd address 192.168.100.50-192.168.100.100 inside
dhcpd enable inside
priority-queue inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 442
enable outside
dtls port 442
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.100.10 205.152.132.23
vpn-idle-timeout 180
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local
group-policy examplevpn internal
group-policy examplevpn attributes
dns-server value 192.168.100.10 205.152.132.23
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local
username user1 password D31hvx3jXaWXFqn7 encrypted privilege 15
username user1 attributes
default-group-policy SSLClientPolicy
service-type remote-access
username user2 password 12xa6U5eP9dlaTvH encrypted privilege 15
username user2 attributes
default-group-policy SSLClientPolicy
service-type remote-access
username user3 password uawVky7FnPv1TNTc encrypted privilege 15
username user3 attributes
default-group-policy SSLClientPolicy
service-type remote-access
username user4 password DwCTJcBn.Q0dDe9z encrypted privilege 15
username user4 attributes
default-group-policy examplevpn
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group RA-VPN type remote-access
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy SSLClientPolicy
tunnel-group examplevpn ipsec-attributes
pre-shared-key *****
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool vpnpool
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
tunnel-group SSLClientProfile ipsec-attributes
pre-shared-key *****
class-map global-class
match default-inspection-traffic
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect tftp
inspect sunrpc
inspect xdmcp
inspect sip
inspect icmp
inspect ipsec-pass-thru
inspect ip-options
class class_sip_tcp
inspect sip
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:09aea6db0674c8eb6976e3b519edb998
: end
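The poster asks whether the config above still carries unnecessary lines. An added example, not from the thread, that answers that mechanically: it scans a running-config dump for network objects, address pools, group policies and access lists that are defined but never referenced by a `nat`, `access-list`, `address-pool`, `default-group-policy`, `access-group`, `split-tunnel-network-list` or similar command, and for tunnel-groups declared with a `type` but given no attribute stanza. Object NAT (`nat` directly under `object network X`) is treated as a reference to X even though the line does not name it. The sample input is an excerpt constructed from the second config in this thread, with the outside address masked exactly as in the post; the categories and command prefixes checked are the example's own choices, not an exhaustive list of every way the ASA can reference a name.

```python
"""Find definition leftovers in an ASA running-config dump.

Added example, not from the thread. Reports names that are defined but
never referenced, so the operator can decide what to remove.
"""
import re
from collections import defaultdict

# Excerpt constructed from the poster's second config (address masked as in
# the post); only the lines these checks look at are kept.
SAMPLE_CONFIG = """\
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0
object network obj-LAN-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-OutsideIP
host 72.*.*.194
object network obj-SSLClientPool
subnet 192.168.102.0 255.255.255.0
access-list splittunnel standard permit 192.168.100.0 255.255.255.0
access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool vpnpool 192.168.101.50-192.168.101.100
nat (inside,outside) source static obj-LAN-192.168.100.0 obj-LAN-192.168.100.0 destination static obj-vpnPool obj-vpnPool
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
split-tunnel-network-list value splittunnel
group-policy examplevpn internal
group-policy examplevpn attributes
username user4 attributes
default-group-policy examplevpn
tunnel-group RA-VPN type remote-access
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool vpnpool
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
"""

# Per category: regex capturing a definition's name, and the command
# prefixes in which that name (as a whitespace-separated token) counts
# as a reference. Chosen for this example; not exhaustive.
CATEGORIES = {
    "network object": (re.compile(r"^object network (\S+)$"),
                       ("nat ", "access-list ", "object-group ")),
    "address pool":   (re.compile(r"^ip local pool (\S+) "),
                       ("address-pool ", "address-pools value ")),
    "group policy":   (re.compile(r"^group-policy (\S+) (?:internal|external)"),
                       ("default-group-policy ", "vpn-group-policy ")),
    "access list":    (re.compile(r"^access-list (\S+) "),
                       ("access-group ", "split-tunnel-network-list value ",
                        "vpn-filter value ", "match access-list ", "crypto map ")),
}
TUNNEL_DEF = re.compile(r"^tunnel-group (\S+) type ")
TUNNEL_ATTR = re.compile(r"^tunnel-group (\S+) \S+-attributes$")
OBJECT_SUBCMDS = ("subnet ", "host ", "range ", "fqdn ", "description ", "nat ")


def find_unused(config: str) -> dict:
    """Return {category: sorted names defined but never referenced}."""
    defined, referenced = defaultdict(set), defaultdict(set)
    current_object = None
    for line in (ln.strip() for ln in config.splitlines() if ln.strip()):
        # Object NAT: a `nat` line under `object network X` uses X without
        # naming it, so remember which object block we are inside.
        header = CATEGORIES["network object"][0].match(line)
        if header:
            current_object = header.group(1)
        elif current_object and line.startswith(OBJECT_SUBCMDS):
            if line.startswith("nat "):
                referenced["network object"].add(current_object)
        else:
            current_object = None

        for category, (definer, ref_prefixes) in CATEGORIES.items():
            m = definer.match(line)
            if m:
                defined[category].add(m.group(1))
            if line.startswith(ref_prefixes):
                referenced[category].update(line.split())

        m = TUNNEL_DEF.match(line)
        if m:
            defined["tunnel group"].add(m.group(1))
        m = TUNNEL_ATTR.match(line)
        if m:
            referenced["tunnel group"].add(m.group(1))

    categories = list(CATEGORIES) + ["tunnel group"]
    return {c: sorted(defined[c] - referenced[c]) for c in categories}


if __name__ == "__main__":
    for category, names in find_unused(SAMPLE_CONFIG).items():
        print(f"{category:15s} unused: {', '.join(names) or '-'}")
```

On the excerpt this flags `obj-OutsideIP` and `obj-SSLClientPool` (the `nat` line that used the SSL pool object was dropped along with the `ip local pool SSLClientPool` it paired with) and `tunnel-group RA-VPN`, which is declared but has no attributes at all. Treat the output as a worklist rather than a delete list: a name can be referenced by a command this script does not know about, so check `show running-config | include <name>` on the box before removing anything.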
09-10-2010 12:36 PM
Oh and what do you mean by ASA log?