AnyConnect VPN connections to Cisco ASA 5505 denied

Answered Question
Sep 30th, 2010

I am trying to configure VPN access to my Cisco 5505 with AnyConnect VPN client.  Here is the relevant information from my config:


interface Vlan2
mac-address xxxx.xxxx.xxxx
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.240
!
access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
access-list outside_access_in extended permit tcp any host C.C.C.C eq https
access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq https
access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq www
access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
access-list outside_access_in extended permit gre any host C.C.C.C
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any interface outside
access-list inside_access_out extended permit ip any any


access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside


webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable


group-policy DfltGrpPolicy attributes
dns-server value X.X.X.X
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
address-pools value palm
webvpn
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default webvpn


policy-map global_policy
class inspection_default
  inspect pptp
  inspect http
  inspect icmp
  inspect ftp
!




I am getting this error in the Real-Time Log Viewer when I try to connect:


TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443


Here are the license details:


Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
SSL VPN Peers                : 2
Total VPN Peers              : 10
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has a Base license.


Can anyone tell me what I'm doing wrong or what access list I'm missing?


I have two Cisco ASA 5510 firewalls set up with a similar configuration and AnyConnect SSL VPN is working fine.

Jennifer Halim (Cisco Employee) Thu, 09/30/2010 - 22:08

Can you please share the following:

sh run http

sh run static


Would like to see if ASDM is enabled on the outside interface, and if there is any static PAT with the outside interface IP.

mattkl3com Fri, 10/01/2010 - 09:31

Here are those settings:


static (inside,outside) tcp C.C.C.D https D.D.D.D https netmask 255.255.255.255
static (inside,outside) tcp C.C.C.D ftp D.D.D.D ftp netmask 255.255.255.255
static (inside,outside) tcp C.C.C.D www D.D.D.D www netmask 255.255.255.255
static (inside,outside) tcp C.C.C.D ssh D.D.D.E ssh netmask 255.255.255.255
static (inside,outside) tcp C.C.C.D 8080 D.D.D.D 8080 netmask 255.255.255.255
static (inside,inside) tcp C.C.C.D 8080 D.D.D.D 8080 netmask 255.255.255.255
static (inside,inside) tcp C.C.C.D ssh D.D.D.E ssh netmask 255.255.255.255
static (inside,inside) tcp C.C.C.D www D.D.D.D www netmask 255.255.255.255
static (inside,inside) tcp C.C.C.D https D.D.D.D https netmask 255.255.255.255
static (inside,inside) tcp C.C.C.C pptp D.D.D.F pptp netmask 255.255.255.255
static (inside,inside) tcp C.C.C.C ftp D.D.D.G ftp netmask 255.255.255.255
static (inside,inside) tcp C.C.C.C smtp D.D.D.F smtp netmask 255.255.255.255
static (inside,outside) tcp C.C.C.C https D.D.D.F https netmask 255.255.255.255
static (inside,outside) tcp C.C.C.C ftp D.D.D.G ftp netmask 255.255.255.255
static (inside,outside) tcp C.C.C.C smtp D.D.D.F smtp netmask 255.255.255.255
static (inside,outside) tcp C.C.C.C pptp D.D.D.F pptp netmask 255.255.255.255


http server enable
http D.D.D.0 255.255.255.0 inside

Jennifer Halim (Cisco Employee) Fri, 10/01/2010 - 19:09

Sorry, from the error message, it seems that you might have port address redirection for HTTPS for your outside interface.

Do you happen to have the following:


static (inside,outside) tcp interface https https netmask 255.255.255.255


You might want to test changing the webvpn port to something which is not used, for example port 8000, and try to connect with port 8000 and see if that works. It seems that it might conflict on the HTTPS port for the outside interface IP address.

If you can share the complete config, that might help to understand why.

mattkl3com Wed, 10/06/2010 - 12:40

I've gotten past the original problem now.  Connections started working after a "reload" for some reason.


Now I'm trying to get the VPN connections authenticated with LDAP.  Here are the settings (with a few name substitutions):


aaa-server ldap protocol ldap
aaa-server ldap (inside) host 192.168.103.210
timeout 5
ldap-base-dn dc=exampla,dc=com
ldap-scope subtree
ldap-naming-attribute userid
ldap-login-password *
ldap-login-dn cn=administrator,dc=exampla,dc=com
server-type openldap


webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3
svc enable


tunnel-group VPNGROUP type remote-access
tunnel-group VPNGROUP general-attributes
address-pool VPNGROUP
authentication-server-group ldap
authentication-server-group (outside) ldap
authorization-required
tunnel-group VPNGROUP webvpn-attributes
group-alias VPNGROUP enable


group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value no-nat
address-pools value VPNPOOL
webvpn
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default webvpn


I am able to run a test and authentication succeeds:


ciscoasa(config)# test aaa-server authentication ldap host 192.168.103.210 username testuser password testpw
INFO: Attempting Authentication test to IP address <192.168.103.210> (timeout: 10 seconds)
INFO: Authentication Successful


When I connect with the AnyConnect client, I can only connect with users that are in the LOCAL database.  Any attempt to login with a user from LDAP results in "Login failed."


When I go to "ASDM -> Monitoring -> Properties -> AAA Servers" and view the connection statistics, it shows 0 for all of the entries under "ldap".  Each time I try to connect with an LDAP user, the "Number of rejects" field for LOCAL increments.


It doesn't seem like it's trying to authenticate with LDAP at all?


I have tried debug with:


debug aaa authentication


but that doesn't seem to do anything.


Any ideas?


Thanks!

Correct Answer
Herbert Baerten (Cisco Employee) Wed, 10/06/2010 - 14:13

Hi Matt,


You're probably landing on the default tunnel-group - you need to instruct the client which group to connect to. This can be done in different ways - I see you already have a group-alias defined, but to be able to use that you need to configure:


  webvpn

    tunnel-group-list enable


Alternatively, if you only have one group you can add "group-url https://yourasa.yourcompany.com/ enable" to the tunnel-group webvpn-attributes.


hth

Herbert
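Both diagnoses in this thread (Jennifer's suspicion that a static PAT on the outside interface's TCP/443 was being matched ahead of the box's own SSL listener, and Herbert's point that a tunnel-group with a group-alias is unreachable until `tunnel-group-list enable` or a `group-url` exists, so the client lands on DefaultWEBVPNGroup and LOCAL authentication) can be checked mechanically against a running-config. The following is an added example written for this page, not code from the thread or from Cisco: a small Python lint for pre-8.3 ASA `static` syntax. The sample config is constructed from the posted fragments with RFC 5737 / RFC 1918 placeholder addresses and the one-space sub-mode indentation the ASA really emits (the fragments above lost it in extraction); the interface PAT line is the one Jennifer asked about, not something the original poster confirmed having.

```python
"""Lint a Cisco ASA (pre-8.3 NAT syntax) running-config for the two AnyConnect
pitfalls discussed in this thread.  Added example, not the thread's or Cisco's
code; SAMPLE_CONFIG is constructed with documentation addresses."""
import re
from dataclasses import dataclass, field

# Service names used in the posted config; the ASA accepts names or numbers here.
PORTS = {"https": 443, "www": 80, "http": 80, "ssh": 22, "ftp": 21, "smtp": 25, "pptp": 1723}

# Hypothetical config: the interface PAT Jennifer asked about, plus a tunnel-group
# with a group-alias but no 'tunnel-group-list enable' (Herbert's diagnosis).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.240
!
static (inside,outside) tcp interface https 192.168.103.50 https netmask 255.255.255.255
webvpn
 enable inside
 enable outside
 svc enable
tunnel-group VPNGROUP type remote-access
tunnel-group VPNGROUP general-attributes
 authentication-server-group ldap
tunnel-group VPNGROUP webvpn-attributes
 group-alias VPNGROUP enable
"""
# Same config with both fixes from the thread: webvpn moved off TCP/443 and the
# group picker enabled (a 'group-url ... enable' would also satisfy check 2).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " svc enable\n", " port 8000\n tunnel-group-list enable\n svc enable\n")

STATIC_RE = re.compile(r"static \((\S+),(\S+)\) tcp (\S+) (\S+) \S+ \S+ netmask")


@dataclass
class AsaConfig:
    iface_ips: dict = field(default_factory=dict)     # nameif -> interface IP
    webvpn_ifaces: set = field(default_factory=set)   # 'enable <nameif>' under webvpn
    webvpn_port: int = 443                            # 'port N' under webvpn, default 443
    tunnel_group_list: bool = False                   # 'tunnel-group-list enable' seen
    pats: list = field(default_factory=list)          # (mapped nameif, mapped IP, port)
    tgroups: dict = field(default_factory=dict)       # name -> {auth, alias, url}


def port_num(tok):
    return PORTS[tok] if tok in PORTS else int(tok)


def parse_config(text):
    cfg, mode, iface = AsaConfig(), None, {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        toks = line.split()
        if not line.startswith(" "):                  # top-level command: enter a new mode
            mode = toks[0]
            if mode == "interface":
                iface = {}
            elif mode == "tunnel-group":
                cfg.tgroups.setdefault(toks[1], {"auth": None, "alias": False, "url": False})
                mode = ("tunnel-group", toks[1])
            elif mode == "static" and (m := STATIC_RE.match(line)):
                cfg.pats.append((m.group(2), m.group(3), port_num(m.group(4))))
            continue
        if mode == "interface":
            if toks[0] == "nameif":
                iface["name"] = toks[1]
            elif toks[:2] == ["ip", "address"]:
                iface["ip"] = toks[2]
            if "name" in iface and "ip" in iface:
                cfg.iface_ips[iface["name"]] = iface["ip"]
        elif mode == "webvpn":
            if toks[0] == "enable":
                cfg.webvpn_ifaces.add(toks[1])
            elif toks[0] == "port":
                cfg.webvpn_port = int(toks[1])
            elif toks[:2] == ["tunnel-group-list", "enable"]:
                cfg.tunnel_group_list = True
        elif isinstance(mode, tuple):                 # inside a tunnel-group's attributes
            tg = cfg.tgroups[mode[1]]
            if toks[0] == "authentication-server-group":
                tg["auth"] = toks[-1]                 # also covers '(outside) ldap'
            elif toks[0] == "group-alias" and toks[-1] == "enable":
                tg["alias"] = True
            elif toks[0] == "group-url" and toks[-1] == "enable":
                tg["url"] = True
    return cfg


def lint(cfg):
    findings = []
    # 1. A static PAT on an interface address for the webvpn port is matched before
    #    the box's own SSL listener, so the client is dropped by the interface ACL.
    for nameif in sorted(cfg.webvpn_ifaces):
        for mapped_if, mapped_ip, port in cfg.pats:
            if mapped_if == nameif and port == cfg.webvpn_port \
                    and mapped_ip in ("interface", cfg.iface_ips.get(nameif)):
                findings.append(f"{nameif}: static PAT redirects TCP/{port} away from webvpn; "
                                "remove it or set 'webvpn / port <unused>'")
    # 2. A tunnel-group with its own AAA server is unreachable unless the client can
    #    select it; otherwise the session lands on DefaultWEBVPNGroup (LOCAL auth).
    for name, tg in cfg.tgroups.items():
        if name.startswith("Default") or tg["auth"] is None:
            continue
        if not (tg["url"] or (tg["alias"] and cfg.tunnel_group_list)):
            findings.append(f"{name}: uses {tg['auth']} but AnyConnect cannot select it; add "
                            "'webvpn / tunnel-group-list enable' or a 'group-url ... enable'")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(parse_config(text)) or ["clean"])
```

Run against `show running-config` output saved to a file (feed the text to `parse_config`); the parser only understands the handful of commands the checks need and ignores everything else, so the interface ACL, group-policy and `inspect` lines from the thread pass through harmlessly. Check 2 deliberately only flags groups that name an AAA server, since a group that authenticates against LOCAL anyway behaves the same whether or not the client can pick it.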

mattkl3com Wed, 10/06/2010 - 15:27

I added the "group-url" as suggested and it started working.  Thank you!


Matt
