
Need help with ASA 5515-X (8.6) Anyconnect VPN configuration

KUNAL HANS
Level 1

Hi,

I'm trying to configure AnyConnect SSL RA VPN. I have followed the config guide for 8.4 & 8.6 but can't even get the AnyConnect page to load. I'm pasting the config below. Please check and let me know what I have missed. Objectives are:

1. The user simply opens https://<outside-ip> and is prompted to install the AnyConnect VPN client.

2. Is able to access internal LAN resources and browse the internet simultaneously (is split-tunneling required?)

ASA Version 8.6(1)

!

hostname Harpoon

domain-name xxxxx.com

enable password xxxxxxxxxx encrypted

passwd xxxxxxxxxxxx encrypted

names

!

interface GigabitEthernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.252

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 172.29.0.100 255.255.0.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

banner motd -----------------------------------------------------------------------------

banner motd This system is solely for the use of authorised users for official purposes.

banner motd You have no expectation of privacy in its use and to ensure that the system

banner motd is functioning properly, individuals using this computer system are subject

banner motd to having all their activities monitored and recorded by system personnel.

banner motd Use of this system evidences an express consent to such monitoring and

banner motd agreement that if such monitoring reveals evidence of possible abuse or

banner motd criminal activity, system personnel may provide the result of such

banner motd monitoring to appropriate officials.

banner motd -----------------------------------------------------------------------------

boot system disk0:/asa861-smp-k8.bin

ftp mode passive

clock timezone IST 5 30

dns server-group DefaultDNS

domain-name xxxxx.com

object network obj-172.29.0.0

subnet 172.29.0.0 255.255.0.0

object network obj-172.28.0.0

subnet 172.28.0.0 255.255.254.0

object network obj-172.28.2.0

subnet 172.28.2.0 255.255.254.0

object network obj-172.28.6.0

subnet 172.28.6.0 255.255.254.0

access-list 101 extended permit icmp any any

access-list 101 extended permit udp host x.x.x.x any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool anyconnect-vpn 172.28.6.0-172.28.7.254 mask 255.255.254.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static obj-172.29.0.0 obj-172.29.0.0 destination static obj-172.28.6.0 obj-172.28.6.0

!

object network obj-172.29.0.0

nat (inside,outside) dynamic interface

object network obj-172.28.0.0

nat (inside,outside) dynamic interface

object network obj-172.28.2.0

nat (inside,outside) dynamic interface

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 172.28.0.0 255.255.254.0 172.29.0.1 1

route inside 172.28.2.0 255.255.254.0 172.29.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

no crypto isakmp nat-traversal

telnet 172.29.0.0 255.255.0.0 inside

telnet 172.28.0.0 255.255.254.0 inside

telnet timeout 7

ssh 0.0.0.0 0.0.0.0 inside

ssh 172.29.0.0 255.255.0.0 inside

ssh timeout 10

ssh version 2

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1

webvpn

enable outside

enable inside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2

anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3

anyconnect enable

tunnel-group-list enable

group-policy anyconnect-vpn-policy internal

group-policy anyconnect-vpn-policy attributes

dns-server value 172.29.0.116 172.29.0.127

vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless

address-pools value anyconnect-vpn

username testvpn password xxxxxxxxxxxxxxxx encrypted

username testvpn attributes

service-type remote-access

username mak password xxxxxxxxxxxx encrypted

tunnel-group anyconnect-vpn type remote-access

tunnel-group anyconnect-vpn general-attributes

default-group-policy anyconnect-vpn-policy

tunnel-group anyconnect-vpn webvpn-attributes

group-alias anyconnect-vpn-client enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect ipsec-pass-thru

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:8ea4cde746169523b128c2a306d0ce1f

: end

1 Reply

KUNAL HANS
Level 1

Could this be the reason?

https://supportforums.cisco.com/docs/DOC-24550

Haven't had a chance to test it out yet.
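The following is an added review example and is not part of either post above, nor taken from the linked Cisco document. It places the settings from the posted configuration that bear on the two objectives (portal not loading; LAN plus Internet at the same time) beside a hardened version of each. Interface names, object names, the pool name and the group-policy name are the ones in the posted config; the trustpoint name ASA-SSL-TP, the key label ASA-SSL-KEY and the ACL name SPLIT-TUNNEL are made up for the example. It does not claim to be the whole answer to the question.

```text
! ================================================================
! 1. TLS cipher suite (most likely reason the portal never loads)
! ================================================================
! As posted: the ASA offers exactly one cipher, DES-CBC-SHA (56-bit).
! Any client that does not offer that cipher fails the TLS handshake
! before a single HTTP byte is exchanged, so no portal page appears.
ssl encryption des-sha1
!
! Hardened: prefer AES, keep 3DES only for older clients, drop DES.
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
!
! Optional: present a stable certificate on outside instead of the
! auto-generated temporary one (names below are assumptions).
crypto key generate rsa label ASA-SSL-KEY modulus 2048
crypto ca trustpoint ASA-SSL-TP
 enrollment self
 subject-name CN=Harpoon
 keypair ASA-SSL-KEY
crypto ca enroll ASA-SSL-TP noconfirm
ssl trust-point ASA-SSL-TP outside

! ================================================================
! 2. Split tunnelling (objective 2) and least-privilege protocols
! ================================================================
! As posted: no split-tunnel policy, so the client sends everything,
! Internet traffic included, down the tunnel (full tunnel), and the
! group policy also allows clientless and IPsec access nobody asked for.
group-policy anyconnect-vpn-policy attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
!
! Hardened: tunnel only the three internal prefixes; everything else
! leaves the client directly. Allow only the AnyConnect SSL client.
access-list SPLIT-TUNNEL standard permit 172.29.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 172.28.0.0 255.255.254.0
access-list SPLIT-TUNNEL standard permit 172.28.2.0 255.255.254.0
group-policy anyconnect-vpn-policy attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! ================================================================
! 3. NAT exemption for the VPN pool
! ================================================================
! As posted: only 172.29.0.0/16 is exempt when talking to the pool.
! Replies from 172.28.0.0/23 and 172.28.2.0/23 to a VPN client fall
! through to the object-NAT "dynamic interface" rules and are PAT'd to
! the outside address, so sessions to those two subnets break.
nat (inside,outside) source static obj-172.29.0.0 obj-172.29.0.0 destination static obj-172.28.6.0 obj-172.28.6.0
!
! Complete: one identity rule per routed internal prefix. no-proxy-arp
! stops the ASA answering ARP for the pool on inside; route-lookup makes
! it use the routing table (via 172.29.0.1) for the 172.28.x.0 hosts.
nat (inside,outside) source static obj-172.29.0.0 obj-172.29.0.0 destination static obj-172.28.6.0 obj-172.28.6.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-172.28.0.0 obj-172.28.0.0 destination static obj-172.28.6.0 obj-172.28.6.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-172.28.2.0 obj-172.28.2.0 destination static obj-172.28.6.0 obj-172.28.6.0 no-proxy-arp route-lookup

! ================================================================
! 4. Management plane exposure (not needed for AnyConnect to work)
! ================================================================
! As posted: ASDM/HTTPS management is open to every Internet address,
! and Telnet is enabled on inside. webvpn already listens on outside:443;
! the ASDM listener on the same port does not need to be world-reachable.
http 0.0.0.0 0.0.0.0 outside
telnet 172.29.0.0 255.255.0.0 inside
telnet 172.28.0.0 255.255.254.0 inside
!
! Hardened: keep ASDM on the management interface (already present in
! the posted config), remove the Internet-facing entry, remove Telnet.
no http 0.0.0.0 0.0.0.0 outside
no telnet 172.29.0.0 255.255.0.0 inside
no telnet 172.28.0.0 255.255.254.0 inside

! ================================================================
! 5. Checks after the change
! ================================================================
show ssl
show run webvpn
show nat
show vpn-sessiondb anyconnect
```

Two points the fragment cannot fix on the ASA itself: hosts whose default gateway is 172.29.0.1 only reach VPN clients if that router has a route for 172.28.6.0/23 pointing at 172.29.0.100, and after changing `ssl encryption` the client side should be re-tested from a browser that logs the negotiated cipher, since a handshake failure produces no portal error page at all, just a blank or refused connection.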
