Cisco Support Community

Cisco AnyConnect Configuration

Can someone assist me with configuring Cisco AnyConnect VPN? For some reason with the config below, I seem to get connected but then my internet connection randomly drops and reconnects. I've tried several different times to get this to work properly but I'm obviously missing something here. Any help is appreciated.

ASA Version 8.2(2)
!
hostname FW01
enable password .MlTybcgwEXNF1HM encrypted
passwd .MlTybcgwEXNF1HM encrypted
names
dns-guard
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 description ### Link to Internet ###
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 description ### Link to GUEST WIFI  ###
 nameif guest
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
 description ### Link to INSIDE LAN ###
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
 description ### Link to INSIDE WIFI ###
 nameif insidewifi
 security-level 50
 ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
 description ### Link to Internet ###
 switchport access vlan 2
!
interface Ethernet0/1
 description ### Link to GUEST WIFI  ###
 switchport access vlan 3
!
interface Ethernet0/2
 description ### Link to INSIDE LAN ###
 switchport access vlan 4
!
interface Ethernet0/3
 description ### Link to INSIDE WIFI ###
 switchport access vlan 5
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
banner exec
banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********
banner exec *
banner exec *      This system is for the use of authorized users only.
banner exec *      Individuals using this system are subject to having all of their
banner exec *      activities on this system monitored and recorded by system
banner exec *      personnel.
banner exec *
banner exec *      Anyone using this system expressly consents to such monitoring
banner exec *      and is advised that if such monitoring reveals possible
banner exec *      evidence of criminal activity, system personnel may provide the
banner exec *      evidence of such monitoring to law enforcement officials.
banner exec *
banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********
banner exec
banner exec
banner exec Name:.......FW01
banner exec Address:....172.16.1.1
banner exec Location:...CST -5
ftp mode passive
clock timezone CST -5
same-security-traffic permit inter-interface
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit udp any host 172.16.1.102 eq domain
access-list guest extended permit udp any host 172.16.1.103 eq domain
access-list guest extended permit udp any any range bootps tftp
access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log
access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any
access-list Outside_In extended permit tcp any any eq 3389
pager lines 50
logging enable
logging list TEST level alerts
logging buffered debugging
logging asdm informational
logging mail TEST
logging from-address FW01@fw01.com
logging recipient-address ************* level errors
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
ip local pool SSLClientPool 172.16.9.1-172.16.9.2 mask 255.255.255.0
ip audit name FW01-INFO info action alarm
ip audit name FW01-ATTACK attack action alarm reset
ip audit interface outside FW01-INFO
ip audit interface outside FW01-ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any guest
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (inside,outside) tcp interface 3389 172.16.1.200 3389 netmask 255.255.255.255
static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group Outside_In in interface outside
access-group guest in interface guest
access-group inside in interface inside
access-group insidewifi in interface insidewifi
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
sysopt noproxyarp outside
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn sslvpn.moore.net
 subject-name CN=sslvpn.moore.net
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 956e1350


  quit
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
!
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay setroute guest
dhcprelay setroute insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.0.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 211.233.40.78
ntp server 61.153.197.226
ntp server 202.150.213.154 prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 172.16.1.102 172.16.1.103
 vpn-tunnel-protocol svc
 default-domain value moore.net
 address-pools value SSLClientPool
username gmoore_a password PNUmTwjDhevRqhkT encrypted privilege 15
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
smtp-server 68.1.17.8
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:847a9a2b25e6a8ea2d4b68d17cdd41d2
: end
no asdm history enable

25 REPLIES

Cisco AnyConnect Configuration

Hi,

According to your group-policy you are tunneling all the traffic through the VPN tunnel. Is this what you want?

Do you want your users to access the Internet through their local network? If so, which networks is the VPN client supposed to access?

Thanks.

Portu


Cisco AnyConnect Configuration

No, users should access the internet through the local internet drain. They should only cross the VPN tunnel when accessing the remote LAN. They should have access to both 172.16.1.0 and 172.16.2.0.

Re: Cisco AnyConnect Configuration

Thanks Garland,

Please make the following changes:

access-list SSLClientProfile_SPLIT permit 172.16.1.0 255.255.255.0
access-list SSLClientProfile_SPLIT permit 172.16.2.0 255.255.255.0
group-policy SSLClientPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLClientProfile_SPLIT
!
access-list nonat_inside permit ip 172.16.1.0 255.255.255.0 172.16.9.0 255.255.255.0
access-list nonat_insidewifi permit ip 172.16.2.0 255.255.255.0 172.16.9.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
nat (insidewifi) 0 access-list nonat_insidewifi

Then try to connect again and let me know.

Portu.

Please rate this post if you find it helpful.


Re: Cisco AnyConnect Configuration

Javier,

Thanks for the assistance, that worked! I've been getting more familiar with the ASA but I'm still learning. Can you explain to me what the above commands do so that I make sure I understand? I would appreciate it! Thanks again for your help.

I'm not sure what the random disconnects were caused by. I was in a hotel when I was testing and I saw the random disconnects when I connected to the VPN tunnel. On a Verizon MiFi I didn't see them. What made the situation stranger is that when I was connected to the hotel wifi and accessed a corporate VPN I have access to, I didn't see the random disconnects.

Re: Cisco AnyConnect Configuration

Garland,

I am happy to hear such good news.

Let me explain the previous commands:

access-list SSLClientProfile_SPLIT permit 172.16.1.0 255.255.255.0
access-list SSLClientProfile_SPLIT permit 172.16.2.0 255.255.255.0

* The previous lines define the protected traffic: for VPN clients like the IPsec and AnyConnect client, you create a standard ACL to define the specific networks you want them to access.

group-policy SSLClientPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLClientProfile_SPLIT

* Then you assign the ACL to the correct group-policy and define the "split-tunnel-policy tunnelspecified", which basically allows the previously defined ACL to be pushed down to the client during the VPN establishment.

access-list nonat_inside permit ip 172.16.1.0 255.255.255.0 172.16.9.0 255.255.255.0
access-list nonat_insidewifi permit ip 172.16.2.0 255.255.255.0 172.16.9.0 255.255.255.0

* This ACL defines the traffic we don't want to translate.

nat (inside) 0 access-list nonat_inside
nat (insidewifi) 0 access-list nonat_insidewifi

* And these are the NAT exempt rules, which refer to the ACLs to know when not to translate the traffic.

Further information:

ASA 8.x : Allow Split Tunneling for AnyConnect VPN Client on the ASA

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml

Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

ASA: 8.3 "Nat Exemption" Example - Basic L2L VPN and Basic RA VPN

DOC-11639

Let me know if you still have any questions.

Please rate if you find helpful.
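The split-tunnel ACL, the address pool and the nat 0 exemptions explained above have to agree with each other, and that is easy to check offline. The following Python audit is an added example, not code from the thread or from Cisco: it parses just those lines out of an ASA 8.2 running config and reports every split-tunnel network that has no NAT exemption back to the VPN pool (the gap that makes return traffic hit the interface PAT instead of the tunnel). The config text is constructed from the thread's addresses, with the insidewifi exemption left out so there is something to find; parse_config, audit_policy and audit_text are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's running config after Portu's
# changes. Names and addresses come from the thread; the insidewifi NAT
# exemption is deliberately left out so the audit has something to report.
SAMPLE_CONFIG = """\
ip local pool SSLClientPool 172.16.9.1-172.16.9.2 mask 255.255.255.0
access-list SSLClientProfile_SPLIT standard permit 172.16.1.0 255.255.255.0
access-list SSLClientProfile_SPLIT standard permit 172.16.2.0 255.255.255.0
access-list nonat_inside extended permit ip 172.16.1.0 255.255.255.0 172.16.9.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLClientProfile_SPLIT
 address-pools value SSLClientPool
"""

# The two lines from Portu's answer that cover the insidewifi segment.
INSIDEWIFI_EXEMPTION = """\
access-list nonat_insidewifi extended permit ip 172.16.2.0 255.255.255.0 172.16.9.0 255.255.255.0
nat (insidewifi) 0 access-list nonat_insidewifi
"""


def net(addr, mask):
    """Build a network object from the ASA's 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pull out only the objects the split-tunnel / NAT-exemption check needs."""
    cfg = {"pools": {}, "std_acl": {}, "ext_acl": {}, "nat0": {}, "policies": {}}
    policy = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            policy = None  # a top-level command ends any group-policy block
        if m := re.match(r"ip local pool (\S+) ([\d.]+)-([\d.]+) mask (\S+)", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            cfg["std_acl"].setdefault(m[1], []).append(net(m[2], m[3]))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["ext_acl"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            cfg["nat0"][m[1]] = m[2]  # NAT exemption (nat 0) on that interface
        elif m := re.match(r"group-policy (\S+) attributes", line):
            policy = cfg["policies"].setdefault(m[1], {})
        elif policy is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            policy[key] = value.replace("value ", "", 1)
    return cfg


def audit_policy(cfg, policy_name):
    """Return findings for one group-policy; an empty list means it is consistent."""
    findings = []
    pol = cfg["policies"].get(policy_name, {})
    if pol.get("split-tunnel-policy") != "tunnelspecified":
        findings.append("no 'split-tunnel-policy tunnelspecified': all client traffic is tunnelled")
        return findings
    split_nets = cfg["std_acl"].get(pol.get("split-tunnel-network-list"), [])
    if not split_nets:
        findings.append("split-tunnel-network-list is missing or references an empty ACL")
    exemptions = [pair for acl in cfg["nat0"].values() for pair in cfg["ext_acl"].get(acl, [])]
    for pool in pol.get("address-pools", "").split():
        if pool not in cfg["pools"]:
            findings.append(f"address pool {pool} is not defined")
            continue
        start, end = cfg["pools"][pool]
        for target in split_nets:
            # Traffic from the protected network back to the VPN pool must skip
            # the interface PAT, otherwise replies are translated by 'global (outside) 1'.
            covered = any(src.supernet_of(target) and start in dst and end in dst
                          for src, dst in exemptions)
            if not covered:
                findings.append(f"no nat 0 exemption for {target} -> pool {pool} ({start}-{end})")
    return findings


def audit_text(config_text, policy_name="SSLClientPolicy"):
    """Convenience wrapper: parse the config text and audit one group-policy."""
    return audit_policy(parse_config(config_text), policy_name)


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG),
                        ("with the insidewifi exemption", SAMPLE_CONFIG + INSIDEWIFI_EXEMPTION)):
        print(label, "->", audit_text(text) or ["OK"])
```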


Re: Cisco AnyConnect Configuration

Javier,

Thanks for the explanation. I have one more question, maybe I should open a separate discussion. If so please let me know...

After I got the AnyConnect VPN configuration working I tried to configure LDAP. Now when I try to connect I get an error stating

"Login denied. Your environment does not meet the access criteria defined by your administrator."

Then at the bottom of the AnyConnect client I see

"Access Denied: Your system does not meet policy requirement (DAP)"

Looking at the DAP configuration I can't see what the policy is not accepting. The partial config is below

ASA Version 8.2(2) 

same-security-traffic permit inter-interface
access-list inside extended permit ip any any 
access-list outside extended permit ip any any 
access-list guest extended permit udp any host 172.16.1.102 eq domain 
access-list guest extended permit udp any host 172.16.1.103 eq domain 
access-list guest extended permit udp any any range bootps tftp 
access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log 
access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log 
access-list guest extended permit ip any any 
access-list insidewifi extended permit ip any any 
access-list Outside_In extended permit tcp any any eq 3389 
access-list SSLClientProfile_SPLIT standard permit 172.16.1.0 255.255.255.0 
access-list SSLClientProfile_SPLIT standard permit 172.16.2.0 255.255.255.0 
access-list nonat_inside extended permit ip 172.16.1.0 255.255.255.0 172.16.9.0 255.255.255.0 
access-list nonat_insidewifi extended permit ip 172.16.2.0 255.255.255.0 172.16.9.0 255.255.255.0 
pager lines 50
logging enable
logging list TEST level alerts
logging buffered debugging
logging asdm informational
logging mail TEST
logging from-address FW01@fw01.com
logging recipient-address gdmoore85@gmail.com level errors
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
ip local pool SSLClientPool 172.16.9.1-172.16.9.2 mask 255.255.255.0
ip audit name FW01-INFO info action alarm
ip audit name FW01-ATTACK attack action alarm reset
ip audit interface outside FW01-INFO
ip audit interface outside FW01-ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any guest
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 0 access-list nonat_insidewifi
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (inside,outside) tcp interface 3389 172.16.1.200 3389 netmask 255.255.255.255 
static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 
access-group Outside_In in interface outside
access-group guest in interface guest
access-group inside in interface inside
access-group insidewifi in interface insidewifi
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record SSLVPNPolicy
 description "SSL VPN Policy (AD Login)"
dynamic-access-policy-record DfltAccessPolicy
 action terminate
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.16.1.102
 server-port 389
 ldap-base-dn DC=MOORE,DC=NET
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=LDAP Service Account,OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net
 server-type microsoft
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
sysopt noproxyarp outside
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn sslvpn.moore.net
 subject-name CN=sslvpn.moore.net
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 956e1350
  quit
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
!
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay setroute guest
dhcprelay setroute insidewifi
dhcprelay timeout 60

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.0.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 211.233.40.78
ntp server 61.153.197.226
ntp server 202.150.213.154 prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 172.16.1.102 172.16.1.103
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLClientProfile_SPLIT
 default-domain value moore.net
 address-pools value SSLClientPool
username gmoore_a password PNUmTwjDhevRqhkT encrypted privilege 15
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 authentication-server-group LDAP LOCAL
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
smtp-server 68.1.17.8
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:db7d3afda8f35ce1733b3fcd3f5f468d
: end
no asdm history enable

Re: Cisco AnyConnect Configuration

If I change the DfltAccessPolicy to "continue" then I can authenticate. But from my understanding the DfltAccessPolicy should be changed to "terminate."

Re: Cisco AnyConnect Configuration

Hi Garland,

I guess your default DAP is still in top priority and blocking your AnyConnect VPN connection. Either you can delete the default DAP policy or you can try to prioritize the other policy which you have configured to continue instead of terminate.

Else you need to map your SSL VPN ACL in the DAP policies to filter it out correctly.

Please do rate if the given information helps.

By

Karthik


Re: Cisco AnyConnect Configuration

I gave my SSLVPNAccessPolicy an ACL priority of 1 but I'm still getting blocked by the default DAP. I didn't think mapping the SSL VPN ACL in the DAP policies was necessary. Is that the case here or am I missing something?

Cisco AnyConnect Configuration

Can you post a screenshot of the SSLVPNAccessPolicy?

Thanks,

Tarik Admani
*Please rate helpful posts*


Cisco AnyConnect Configuration

I've attached a screenshot of the policy. Let me know if this is what you are referring to.

Cisco AnyConnect Configuration

Garland,

Just for grins, if you remove the ldap.memberOf attribute from this condition and leave the default DAP to terminate can you see if you are able to connect?

Thanks,

Tarik Admani
*Please rate helpful posts*


Cisco AnyConnect Configuration

Also one more suggestion, can you please issue a debug ldap 255 and see if the ASA can bind to your ldap server. I noticed that the following line has a space:

ldap-login-dn CN=LDAP Service Account,OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net

Try to change it like this:

ldap-login-dn CN="LDAP Service Account",OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net

Tarik Admani
*Please rate helpful posts*


Cisco AnyConnect Configuration

ldap appears to be working fine. For some reason it doesn't like the

ldap-login-dn CN="LDAP Service Account",OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net

[108] Session Start
[108] New request Session, context 0xd9769fd8, reqType = Authentication
[108] Fiber started
[108] Creating LDAP context with uri=ldap://172.16.1.102:389
[108] Connect to LDAP server: ldap://172.16.1.102:389, status = Successful
[108] supportedLDAPVersion: value = 3
[108] supportedLDAPVersion: value = 2
[108] Binding as LDAP Service Account
[108] Performing Simple authentication for LDAP Service Account to 172.16.1.102
[108] LDAP Search:
        Base DN = [DC=MOORE,DC=NET]
        Filter  = [sAMAccountName=gmoore]
        Scope   = [SUBTREE]
[108] User DN = [CN=Garland Moore,OU=Users,OU=MooreNetwork,DC=moore,DC=net]
[108] Talking to Active Directory server 172.16.1.102
[108] Reading password policy for gmoore, dn:CN=Garland Moore,OU=Users,OU=MooreNetwork,DC=moore,DC=net
[108] Read bad password count 0
[108] Binding as gmoore
[108] Performing Simple authentication for gmoore to 172.16.1.102
[108] Processing LDAP response for user gmoore
[108] Message (gmoore):
[108] Authentication successful for gmoore to 172.16.1.102
[108] Retrieved User Attributes:
[108]   objectClass: value = top
[108]   objectClass: value = person
[108]   objectClass: value = organizationalPerson
[108]   objectClass: value = user
[108]   cn: value = Garland Moore
[108]   sn: value = Moore
[108]   givenName: value = Garland
[108]   distinguishedName: value = CN=Garland Moore,OU=Users,OU=MooreNetwork,DC=moore,DC=net
[108]   instanceType: value = 4
[108]   whenCreated: value = 20111129211520.0Z
[108]   whenChanged: value = 20120726123750.0Z
[108]   displayName: value = Garland Moore
[108]   uSNCreated: value = 16526
[108]   memberOf: value = CN=MOORE-APP-SSLVPNUsers-GS,OU=Groups,OU=MooreNetwork,DC=moore,DC=net
[108]   memberOf: value = CN=MOORE-FS-MediaWriters-GS,OU=Groups,OU=MooreNetwork,DC=moore,DC=net
[108]   uSNChanged: value = 234955
[108]   name: value = Garland Moore
[108]   objectGUID: value = .`.S~q.H.60....o
[108]   userAccountControl: value = 512
[108]   badPwdCount: value = 0
[108]   codePage: value = 0
[108]   countryCode: value = 0
[108]   homeDirectory: value = \\nas01\homedirs\gmoore
[108]   homeDrive: value = U:
[108]   badPasswordTime: value = 129880845168926000
[108]   lastLogoff: value = 0
[108]   lastLogon: value = 129882068155418000
[108]   pwdLastSet: value = 129848995487709085
[108]   primaryGroupID: value = 513
[108]   objectSid: value = ............p.wuL...x.%^S...
[108]   accountExpires: value = 9223372036854775807
[108]   logonCount: value = 60
[108]   sAMAccountName: value = gmoore
[108]   sAMAccountType: value = 805306368
[108]   userPrincipalName: value = gmoore@moore.net
[108]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=moore,DC=net
[108]   dSCorePropagationData: value = 20111203044619.0Z
[108]   dSCorePropagationData: value = 20111203044602.0Z
[108]   dSCorePropagationData: value = 20111129211711.0Z
[108]   dSCorePropagationData: value = 20111129211638.0Z
[108]   dSCorePropagationData: value = 16010714042016.0Z
[108]   lastLogonTimestamp: value = 129877798638567319
[108] Fiber exit Tx=610 bytes Rx=2829 bytes, status=1
[108] Session End
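To see why a default DAP set to terminate can deny a user whose LDAP bind succeeds, the following Python is an added example (not from the thread or from Cisco) that evaluates DAP records against the attributes in the debug output above. It models the documented selection rule in simplified form: every record whose conditions match the user's attributes is selected, DfltAccessPolicy applies only when none does, and a terminate on any selected record wins. Matching is exact string comparison, so the ldap.memberOf value in the record must read exactly as the ASA retrieved it; the helper names (parse_ldap_attributes, dap_record, evaluate_dap, evaluate_for_group) are chosen for this example.

```python
import re

# Constructed excerpt of the 'debug ldap 255' output posted above: the lines
# of interest are the attributes the ASA retrieved for the user.
LDAP_DEBUG = """\
[108] Authentication successful for gmoore to 172.16.1.102
[108] Retrieved User Attributes:
[108]   cn: value = Garland Moore
[108]   memberOf: value = CN=MOORE-APP-SSLVPNUsers-GS,OU=Groups,OU=MooreNetwork,DC=moore,DC=net
[108]   memberOf: value = CN=MOORE-FS-MediaWriters-GS,OU=Groups,OU=MooreNetwork,DC=moore,DC=net
[108]   userAccountControl: value = 512
[108]   sAMAccountName: value = gmoore
[108] Fiber exit Tx=610 bytes Rx=2829 bytes, status=1
"""

ATTR_RE = re.compile(r"^\[\d+\]\s+(\w+): value = (.*)$")
SSLVPN_GROUP = "CN=MOORE-APP-SSLVPNUsers-GS,OU=Groups,OU=MooreNetwork,DC=moore,DC=net"


def parse_ldap_attributes(debug_text):
    """Map 'ldap.<attribute>' to the list of values the ASA retrieved (multi-valued)."""
    attrs = {}
    for line in debug_text.splitlines():
        if m := ATTR_RE.match(line):
            attrs.setdefault("ldap." + m[1], []).append(m[2].strip())
    return attrs


def dap_record(name, action, priority=0, conditions=()):
    """One DAP record: every (attribute, value) condition must hold to select it."""
    return {"name": name, "action": action, "priority": priority,
            "conditions": list(conditions)}


def record_matches(rec, attrs):
    # A multi-valued attribute such as memberOf matches if any of its values does.
    return all(value in attrs.get(attr, []) for attr, value in rec["conditions"])


def evaluate_dap(records, attrs):
    """Select DAP records the way the ASA does and return (names, final action).

    Every record except DfltAccessPolicy whose conditions hold is selected.
    DfltAccessPolicy is used only when nothing else matched, so leaving it on
    'terminate' fails closed: a user the custom record does not match is denied
    even though authentication itself succeeded. When several records are
    selected, a 'terminate' on any of them wins.
    """
    default = next(r for r in records if r["name"] == "DfltAccessPolicy")
    selected = [r for r in records if r is not default and record_matches(r, attrs)]
    if not selected:
        return [default["name"]], default["action"]
    selected.sort(key=lambda r: r["priority"], reverse=True)
    action = "terminate" if any(r["action"] == "terminate" for r in selected) else "continue"
    return [r["name"] for r in selected], action


def evaluate_for_group(required_group, debug_text=LDAP_DEBUG):
    """Outcome for a DAP that requires membership of required_group, with the default on terminate."""
    records = [
        dap_record("SSLVPNAccessPolicy", "continue", priority=1,
                   conditions=[("ldap.memberOf", required_group)]),
        dap_record("DfltAccessPolicy", "terminate"),
    ]
    return evaluate_dap(records, parse_ldap_attributes(debug_text))


if __name__ == "__main__":
    # Condition written exactly as retrieved: the custom record matches, access continues.
    print(evaluate_for_group(SSLVPN_GROUP))
    # Condition on a group the user is not in: nothing matches, the default terminates.
    print(evaluate_for_group("CN=Some-Other-Group,OU=Groups,OU=MooreNetwork,DC=moore,DC=net"))
```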

Cisco AnyConnect Configuration

I couldn't tell what the ldap.memberOf attribute was set to, but does it match what the ASA retrieved?

[108]   memberOf: value = CN=MOORE-APP-SSLVPNUsers-GS,OU=Groups,OU=MooreNetwork,DC=moore,DC=net

[108]   memberOf: value = CN=MOORE-FS-MediaWriters-GS,OU=Groups,OU=MooreNetwork,DC=moore,DC=net

Also, did you try to remove this condition to see if you were able to get access (just as a test)?

Thanks,

Tarik Admani
*Please rate helpful posts*


Cisco AnyConnect Configuration

It does match what was retrieved by the ASA.  I removed the ldap attribute and I was unable to login.

Cisco AnyConnect Configuration

Garland,

Can you check this DAP record and force the access method to use the anyconnect client and see if that changes your luck?

Thanks,

Tarik Admani
*Please rate helpful posts*


Cisco AnyConnect Configuration

Unfortunately it didn't change my luck. This is very mind boggling!

Re: Cisco AnyConnect Configuration

Can you post a new running config after the changes we made?

Sent from Cisco Technical Support iPad App

Tarik Admani *Please rate helpful posts*

Cisco AnyConnect Configuration

My apologies for the delayed response. The truncated config is below...

same-security-traffic permit inter-interface
access-list inside extended permit ip any any 
access-list outside extended permit ip any any 
access-list guest extended permit udp any host 172.16.1.102 eq domain 
access-list guest extended permit udp any host 172.16.1.103 eq domain 
access-list guest extended permit udp any any range bootps tftp 
access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log 
access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log 
access-list guest extended permit ip any any 
access-list insidewifi extended permit ip any any 
access-list Outside_In extended permit tcp any any eq 3389 
access-list SSLClientProfile_SPLIT standard permit 172.16.1.0 255.255.255.0 
access-list SSLClientProfile_SPLIT standard permit 172.16.2.0 255.255.255.0 
access-list nonat_inside extended permit ip 172.16.1.0 255.255.255.0 172.16.9.0 255.255.255.0 
access-list nonat_insidewifi extended permit ip 172.16.2.0 255.255.255.0 172.16.9.0 255.255.255.0 
pager lines 50
logging enable
logging list TEST level alerts
logging buffered debugging
logging asdm informational
logging mail TEST
logging from-address FW01@fw01.com
logging recipient-address gdmoore85@gmail.com level errors
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
ip local pool SSLClientPool 172.16.9.1-172.16.9.2 mask 255.255.255.0
ip audit name FW01-INFO info action alarm
ip audit name FW01-ATTACK attack action alarm reset
ip audit interface outside FW01-INFO
ip audit interface outside FW01-ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any guest
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 0 access-list nonat_insidewifi
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (inside,outside) tcp interface 3389 172.16.1.200 3389 netmask 255.255.255.255 
static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 
access-group Outside_In in interface outside
access-group guest in interface guest
access-group inside in interface inside
access-group insidewifi in interface insidewifi
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record SSLVPNAccessPolicy
 description "Access Policy for AnyConnect VPN Users"
 priority 1
 webvpn
  svc ask none default svc
dynamic-access-policy-record DfltAccessPolicy
 action terminate
aaa-server SSLVPNUsers protocol ldap
aaa-server SSLVPNUsers (inside) host 172.16.1.102
 ldap-base-dn DC=MOORE,DC=NET
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=LDAP Service Account,OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net
 server-type microsoft
aaa-server SSLVPNUsers (inside) host 172.16.1.103
 ldap-base-dn DC=MOORE,DC=NET
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=LDAP Service Account,OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net
 server-type microsoft
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
sysopt noproxyarp outside
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn sslvpn.moore.net
 subject-name CN=sslvpn.moore.net
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 956e1350
  quit
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
!
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay setroute guest
dhcprelay setroute insidewifi
dhcprelay timeout 60

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.0.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 211.233.40.78
ntp server 61.153.197.226
ntp server 202.150.213.154 prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 172.16.1.102 172.16.1.103
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLClientProfile_SPLIT
 default-domain value moore.net
 address-pools value SSLClientPool
username gmoore_a password fcIL7rCtqCtPWWUm encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group SSLVPNUsers LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group SSLVPNUsers LOCAL
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 authentication-server-group SSLVPNUsers LOCAL
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 68.1.17.8
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2255d97f90c650fd6818ad3d604ba697
: end
no asdm history enable

Cisco AnyConnect Configuration

Garland,

Can you turn on the webvpn attributes under your group policy? Here is what I have on my ASA (I am running 8.4, so adjust commands accordingly):

webvpn
  anyconnect ask none default anyconnect
  url-entry disable

Tarik Admani
*Please rate helpful posts*


Cisco AnyConnect Configuration

Tarik,

I apologize, I'm slightly confused about what you are asking me to do. My skills with the ASA aren't that diverse; I'm on version 8.2, and when I go to the group policy I don't see the option to do what you've asked me to do.

Re: Cisco AnyConnect Configuration

Garland,

Under the group-policy, expand the more options, and uncheck the inherit option for the tunnel protocol and set it to ssl.

I attached a screenshot for reference.

Hope this helps,

Tarik Admani
*Please rate helpful posts*


Cisco AnyConnect Configuration

Made the changes that you suggested and I'm still unable to log in with a domain account.

Cisco AnyConnect Configuration

Here is the partial config I came up with to solve this LDAP issue...

ldap attribute-map LDAPMAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=MOORE-APP-SSLVPNUsers-DL,OU=Groups,OU=MooreNetwork,DC=moore,DC=net SSLVPNPolicy
dynamic-access-policy-record SSLVPNAccessPolicy
 description "Access Policy for AnyConnect VPN Users"
 priority 1
 webvpn
  svc ask none default svc
dynamic-access-policy-record DfltAccessPolicy
 action terminate
aaa-server SSLVPNUsers protocol ldap
aaa-server SSLVPNUsers (inside) host 172.16.1.102
 ldap-base-dn DC=MOORE,DC=NET
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=LDAP Service Account,OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net
 server-type microsoft
 ldap-attribute-map LDAPMAP
aaa-server SSLVPNUsers (inside) host 172.16.1.103
 ldap-base-dn DC=MOORE,DC=NET
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=LDAP Service Account,OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net
 server-type microsoft
 ldap-attribute-map LDAPMAP

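As an added example (not from this thread, Cisco, or the poster), a small Python linter that cross-checks the three pieces the LDAP fix above ties together: the ldap attribute-map's map-value must target a group-policy that is actually defined, the map needs a map-name for the same attribute, and every aaa-server host must reference the map. The sample config is constructed in the style of the posted one and keeps its names; note that the posted map-value targets SSLVPNPolicy while the only group-policy in the posted running-config is SSLClientPolicy, which is exactly the kind of mismatch this flags.

```python
import re
from collections import defaultdict

# Constructed sample, in the style of the ASA 8.2 config posted in this thread, trimmed
# to the statements the linter reads. The second LDAP host deliberately lacks the map.
SAMPLE_CONFIG = """\
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 vpn-tunnel-protocol svc webvpn
ldap attribute-map LDAPMAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=MOORE-APP-SSLVPNUsers-DL,OU=Groups,OU=MooreNetwork,DC=moore,DC=net SSLVPNPolicy
aaa-server SSLVPNUsers protocol ldap
aaa-server SSLVPNUsers (inside) host 172.16.1.102
 ldap-attribute-map LDAPMAP
aaa-server SSLVPNUsers (inside) host 172.16.1.103
 ldap-login-dn CN=LDAP Service Account,OU=ServiceAccounts,DC=moore,DC=net
"""


def lint_ldap_authorization(config: str) -> list[str]:
    """Cross-check ldap attribute-map, group-policy and aaa-server host statements."""
    policies = set()                 # names from 'group-policy <name> internal|external'
    map_names = defaultdict(set)     # attribute map -> LDAP attributes that have a map-name
    map_values = defaultdict(list)   # attribute map -> [(attribute, group DN, target policy)]
    hosts = {}                       # aaa-server host -> attribute map name or None
    current_map = current_host = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):             # a new top-level statement ends any block
            current_map = current_host = None
        parts = line.split()
        if line.startswith("group-policy ") and parts[2] in ("internal", "external"):
            policies.add(parts[1])
        elif line.startswith("ldap attribute-map "):
            current_map = parts[2]
        elif re.match(r"aaa-server \S+ \(\S+\) host ", line):
            current_host = parts[4]
            hosts[current_host] = None
        elif current_map and line.startswith("map-name "):
            map_names[current_map].add(parts[1])
        elif current_map and line.startswith("map-value "):
            # the DN may contain spaces; the target policy is always the last token
            map_values[current_map].append((parts[1], " ".join(parts[2:-1]), parts[-1]))
        elif current_host and line.startswith("ldap-attribute-map "):
            hosts[current_host] = parts[1]
    findings = []
    for name, values in map_values.items():
        for attr, dn, policy in values:
            if attr not in map_names[name]:
                findings.append(f"{name}: map-value for {attr} has no map-name, it is ignored")
            if policy not in policies:
                findings.append(f"{name}: map-value for {dn} targets undefined group-policy {policy}")
    for host, attr_map in hosts.items():
        if attr_map is None:
            findings.append(f"aaa-server host {host}: no ldap-attribute-map, mapped policy not applied")
        elif attr_map not in map_values:
            findings.append(f"aaa-server host {host}: references unknown attribute map {attr_map}")
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_authorization(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` from the ASA; an empty list means every LDAP host applies the map and every mapped policy exists.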