New Member

Anyconnect help on ASA 5505

Can someone help me set up AnyConnect on my ASA5505? I have my VPN access working properly through the Cisco client; however, I want to be able to use the clientless program that is available as well. If someone can assist I will post my config.

Thanks in advance!

6 REPLIES
Hall of Fame Super Silver

Anyconnect help on ASA 5505

Clientless SSL VPN requires a feature license. Please check "show version" or "show activation-key" output for "AnyConnect Premium" (8.4(1) and later terminology) or "SSL VPN" (pre-8.2) or some variant thereof. In ASDM, it can be viewed under "Configuration, Device Management, Licensing".

Assuming you have the license, it's pretty easy to set up in ASDM using the Remote Access VPN wizard.

New Member

Anyconnect help on ASA 5505

Hey Marvin,

It looks like I can have 2 clientless VPN connections if I am reading this correctly:

ASA5505# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(3)

Device Manager Version 6.4(7)

 

Licensed features for this platform:

Maximum Physical Interfaces       : 8             perpetual

VLANs                             : 20             DMZ Unrestricted

Dual ISPs                         : Enabled       perpetual

VLAN Trunk Ports                  : 8             perpetual

Inside Hosts                     : Unlimited     perpetual

Failover                         : Active/Standby perpetual

VPN-DES                           : Enabled       perpetual

VPN-3DES-AES                     : Enabled       perpetual

AnyConnect Premium Peers         : 2             perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 25             perpetual

Total VPN Peers                   : 25             perpetual

Shared License                   : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone   : Disabled       perpetual

Advanced Endpoint Assessment     : Disabled       perpetual

UC Phone Proxy Sessions           : 2             perpetual

Total UC Proxy Sessions           : 2             perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.

New Member

Anyconnect help on ASA 5505

I might be asking for the wrong thing. I am trying to get the browser-based clientless VPN up and working. Even using the Wizard this does not work.

Anyconnect help on ASA 5505

AnyConnect Premium Peers         : 2             perpetual

With a premium AnyConnect license you do have the ability to have client and clientless SSL.

So your real question is regarding clientless SSL and not AnyConnect as you posted in this question!!

Is there a way that you could post your configuration? I would like to see the webvpn and some other configuration.

Please try to be careful and change some of the configuration (IP addresses, usernames, etc.).

regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
Hall of Fame Super Silver

Anyconnect help on ASA 5505

Yes, you have the two included licenses and thus should be able to set up browser-based clientless VPN. As Julio suggested, we'd need to see your sanitized configuration file to assist further.

New Member

Anyconnect help on ASA 5505

Hey guys, thanks for being willing to look over my config. I already have two VPN profiles (non-clientless) that work just fine; however, if I can get the clientless VPN working that would be great. I would appreciate any help you can provide.

ASA Version 8.4(3)

!

hostname ASA5505

domain-name mydns.dyndns.org

enable password XXXXXXXXXXXXXXXX encrypted

passwd XXXXXXXXXXXXXXXX encrypted

names

name 192.168.10.2 server

name 192.168.10.3 desktop

name 192.168.10.5 canon

name 192.168.10.6 mvix

name 192.168.10.7 xbox

name 192.168.10.8 dvr

name 192.168.10.9 bluray

name 192.168.10.10 lcd

name 192.168.10.11 mp620

name 192.168.10.12 kayla

name 192.168.1.1 asa5505

name 192.168.1.2 ap1

name 192.168.10.4 mvix2

name 192.168.10.13 lcd2

name 192.168.10.14 dvr2

name 192.168.10.15 wdlive

!

interface Ethernet0/0

description Pointing towards WAN

switchport access vlan 2

!

interface Ethernet0/1

description Uplink to Linksys port 12

switchport access vlan 10

!

interface Ethernet0/2

description Server 192.168.10.2/27

switchport access vlan 10

!

interface Ethernet0/3

description Uplink to Eth1 Management

!

interface Ethernet0/4

switchport access vlan 30

!

interface Ethernet0/5

switchport access vlan 30

!

interface Ethernet0/6

switchport access vlan 30

!

interface Ethernet0/7

description Cisco 1242AG Access Point

switchport trunk allowed vlan 1,10,20

switchport trunk native vlan 1

switchport mode trunk

!

interface Vlan1

nameif Management

security-level 100

ip address asa5505 255.255.255.248

management-only

!

interface Vlan2

mac-address 0050.8db6.8287

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan10

nameif Private

security-level 100

ip address 192.168.10.1 255.255.255.224

!

interface Vlan20

nameif Public

security-level 100

ip address 192.168.20.1 255.255.255.224

!

banner login Unauthorized access prohibited

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns server-group DefaultDNS

domain-name mydns.dyndns.org

same-security-traffic permit intra-interface

object network obj-192.168.50.0

subnet 192.168.50.0 255.255.255.0

object network server

host 192.168.10.2

object network obj-192.168.10.0

subnet 192.168.10.0 255.255.255.224

object network obj-192.168.20.0

subnet 192.168.20.0 255.255.255.224

object network server-02

host 192.168.10.2

object network xbox

host 192.168.10.7

object network xbox-01

host 192.168.10.7

object network xbox-02

host 192.168.10.7

object network xbox-03

host 192.168.10.7

object network xbox-04

host 192.168.10.7

object network server-03

host 192.168.10.2

object network server-04

host 192.168.10.2

object network server-05

host 192.168.10.2

object network desktop

host 192.168.10.3

object network obj-192.168.100.0

subnet 192.168.100.0 255.255.255.0

object network desktop-01

host 192.168.10.3

object network China-VPN

subnet 192.168.100.0 255.255.255.0

object network kayla

host 192.168.10.12

object network kayla-RDP

host 192.168.10.12

object network ap1

host 192.168.1.2

access-list Home_VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.224

access-list outside_access_in extended permit tcp any any eq 2325

access-list outside_access_in extended permit tcp any object server eq ftp

access-list outside_access_in extended permit udp any any eq 5850

access-list outside_access_in extended permit tcp any any eq pptp

access-list outside_access_in extended permit udp any any eq syslog

access-list outside_access_in extended permit udp any any eq 88

access-list outside_access_in extended permit udp any any eq 3074

access-list outside_access_in extended permit tcp any any eq 3074

access-list outside_access_in extended permit tcp any any eq domain

access-list outside_access_in extended permit udp any any eq domain

access-list outside_access_in extended permit tcp any any eq https

access-list outside_access_in extended permit tcp any any eq 2322

access-list outside_access_in extended permit tcp any any eq 5900

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any source-quench

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit icmp any any time-exceeded

access-list outside_access_in extended permit udp any any eq 5851

access-list outside_access_in extended permit tcp any any eq 3389

access-list outside_access_in extended permit tcp any any eq 3390

access-list outside_access_in extended permit tcp any any eq ssh

pager lines 24

logging enable

logging timestamp

logging buffer-size 36000

logging buffered warnings

logging trap debugging

logging asdm informational

logging mail errors

logging from-address erics@myisp.net

logging recipient-address erics@myisp.net level alerts

mtu Management 1500

mtu outside 1500

mtu Private 1500

mtu Public 1500

ip local pool IPPOOL 192.168.50.2-192.168.50.10 mask 255.255.255.0

ip local pool VPN_POOL 192.168.100.2-192.168.100.10 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (Private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.50.0 obj-192.168.50.0 no-proxy-arp route-lookup

nat (Private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup

!

object network obj-192.168.10.0

nat (Private,outside) dynamic interface

object network obj-192.168.20.0

nat (Public,outside) dynamic interface

object network server-02

nat (Private,outside) static interface service udp syslog syslog

object network xbox

nat (Private,outside) static interface service udp 88 88

object network xbox-01

nat (Private,outside) static interface service udp 3074 3074

object network xbox-02

nat (Private,outside) static interface service tcp 3074 3074

object network xbox-03

nat (Private,outside) static interface service tcp domain domain

object network xbox-04

nat (Private,outside) static interface service udp domain domain

object network server-03

nat (Private,outside) static interface service tcp https https

object network server-04

nat (Private,outside) static interface service tcp ssh 2322

object network server-05

nat (Private,outside) static interface service tcp 5900 5900

object network desktop

nat (Private,outside) static interface service tcp 3389 3389

object network desktop-01

nat (Private,outside) static interface service udp 5850 5850

object network China-VPN

nat (outside,outside) dynamic interface

object network kayla

nat (Private,outside) static interface service udp 5851 5851

object network kayla-RDP

nat (Private,outside) static interface service tcp 3389 3390

object network ap1

nat (Management,outside) static interface service tcp telnet 2325

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.248 Management

http redirect outside 80

snmp-server location Upstairs Office

snmp-server contact myemail@yahoo.com

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

subject-name CN=ASA5505

crl configure

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.1.0 255.255.255.248 Management

telnet timeout 5

ssh 192.168.1.0 255.255.255.248 Management

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 30

console timeout 30

management-access Management

dhcpd dns 208.67.222.222 208.67.220.220

dhcpd ping_timeout 750

dhcpd domain mydns.dyndns.org

dhcpd auto_config outside

!

dhcpd address 192.168.1.4-192.168.1.5 Management

dhcpd enable Management

!

dhcpd address 192.168.10.20-192.168.10.30 Private

dhcpd enable Private

!

dhcpd address 192.168.20.2-192.168.20.30 Public

dhcpd enable Public

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.43.244.18

ntp server 129.6.15.28

webvpn

enable outside

group-policy DfltGrpPolicy attributes

webvpn

  url-list value ClientlessBookmark

group-policy Home_VPN internal

group-policy Home_VPN attributes

dns-server value 8.8.8.8 4.2.2.2

vpn-tunnel-protocol ikev1 ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Home_VPN_splitTunnelAcl

default-domain value www.connected.com

address-pools value IPPOOL

webvpn

  url-list value ClientlessBookmark

group-policy KaileY internal

group-policy KaileY attributes

dns-server value 8.8.8.8 4.2.2.2

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelall

default-domain value eostrike.dyndns.org

group-policy ClientLessPolicy internal

group-policy ClientLessPolicy attributes

vpn-tunnel-protocol ssl-clientless

webvpn

  url-list value ClientlessBookmark

username joek password XXXXXXXXXXXXXX encrypted privilege 0

username joek attributes

service-type remote-access

username eostrike password XXXXXXXXXXXXXXX encrypted privilege 15

username james password XXXXXXXXXXXXXX encrypted privilege 0

username almostsi password XXXXXXXXXXXXXXXX encrypted privilege 0

username almostsi attributes

service-type remote-access

tunnel-group Home_VPN type remote-access

tunnel-group Home_VPN general-attributes

address-pool IPPOOL

authorization-server-group LOCAL

authorization-server-group (outside) LOCAL

default-group-policy Home_VPN

authorization-required

tunnel-group Home_VPN ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group SSLClientProfile type remote-access

tunnel-group SSLClientProfile webvpn-attributes

group-alias SSLVPNClient enable

tunnel-group ClientLESS type remote-access

tunnel-group KaileY type remote-access

tunnel-group KaileY general-attributes

address-pool VPN_POOL

default-group-policy KaileY

tunnel-group KaileY ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group ClientLess type remote-access

tunnel-group ClientLess general-attributes

default-group-policy ClientLessPolicy

tunnel-group ClientLess1 type remote-access

tunnel-group ClientLess1 webvpn-attributes

group-alias sslvpn enable

group-url https://xxx.xxx.xxx.xxx/sslvpn enable

tunnel-group-map default-group Home_VPN

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:623e7d7bd047a347814510e7bd5c597d

: end

ASA5505#
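An added example, not code from the thread or from Cisco: a small Python audit that reads the "show version" licence line Marvin pointed at and the webvpn, group-policy and tunnel-group blocks of a config like the one posted above, then reports which group-policies permit ssl-clientless and which tunnel-groups are selectable from the portal via group-alias or group-url. The excerpt is constructed from the posted config with the ASA's one-space sub-command indentation restored (the forum copy lost it); the tunnel-group-list check reflects that the alias dropdown on the portal only appears when webvpn has tunnel-group-list enable.

```python
import re
# Constructed excerpts of the "show version" and running-config text posted in this thread.
SHOW_VER = """\
AnyConnect Premium Peers         : 2             perpetual
AnyConnect Essentials            : Disabled       perpetual
"""
CONFIG = """\
webvpn
 enable outside
group-policy Home_VPN attributes
 vpn-tunnel-protocol ikev1 ssl-clientless
group-policy KaileY attributes
 vpn-tunnel-protocol ikev1
group-policy ClientLessPolicy attributes
 vpn-tunnel-protocol ssl-clientless
tunnel-group ClientLess general-attributes
 default-group-policy ClientLessPolicy
tunnel-group ClientLess1 webvpn-attributes
 group-alias sslvpn enable
 group-url https://xxx.xxx.xxx.xxx/sslvpn enable
"""

def premium_peers(show_ver):
    """Licensed AnyConnect Premium peer count; 0 when the line says Disabled or is absent."""
    m = re.search(r"^AnyConnect Premium Peers\s*:\s*(\S+)", show_ver, re.M)
    return int(m.group(1)) if m and m.group(1).isdigit() else 0

def blocks(config):
    """Map each top-level command to the list of its indented sub-commands."""
    out, cur = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):          # top-level command opens a new block
            cur = line.strip()
            out.setdefault(cur, [])
        elif cur is not None:                 # indented line belongs to the open block
            out[cur].append(line.strip())
    return out

def audit(config, show_ver):
    """Summarise what the clientless portal can offer given licence and config."""
    b = blocks(config)
    policies = {h.split()[1] for h, subs in b.items() if h.startswith("group-policy")
                and any("ssl-clientless" in s for s in subs if s.startswith("vpn-tunnel-protocol"))}
    reachable = {h.split()[1] for h, subs in b.items() if h.endswith("webvpn-attributes")
                 and any(s.startswith(("group-alias", "group-url")) and s.endswith(" enable") for s in subs)}
    webvpn = b.get("webvpn", [])
    return {"premium_peers": premium_peers(show_ver),
            "webvpn_on_outside": "enable outside" in webvpn,
            "tunnel_group_list": "tunnel-group-list enable" in webvpn,   # needed for alias dropdown
            "clientless_policies": policies,
            "portal_reachable_tunnel_groups": reachable}
```

Run audit(CONFIG, SHOW_VER) to get the summary; a real run would paste in the full "show running-config" output, indentation intact.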
