AnyConnect VPN Microsoft CA and a Public certificate

Hello

I'm looking for some help with a script. I'm no expert in networks by any stretch and I won't implement myself but I need to try to understand if it is possible what I'm looking for.

We are implementing an Anyconnect VPN with certificate of our own internal CA of Microsoft authentication. I have a product which will distribute certificates from a model for mobile devices rather than the SAA itself. We have our CA and a certificate of identity on the SAA and the operation of the authentication.

However, the IOS Anyconnect application complains that no reliable VPN.

So from there, I get that I need a public certificate on the SAA, but can I still have the certificate of the Microsoft CA and certificate of identity making the authentication of end users?

Can I have written some of it wrong, but I think this gives an idea where I'm going.

Pointers would be greatly appreciated.

Yes - IOS is somewhat capricious won't trust internal CA issued certificates. You can buy and install a certificate from a well known public certification authority and to identify your ASA. That will be the certificate bound to the ASA outside interface and it will allow the customers based on IOS (and all others) to connect using this certificate.

This part is distinguished by the device or user certificates on clients. Those who can still be used, as long the ASA has imported the Microsoft CA on trusts and the public key of the server, the two can co-exist.

Tags: Cisco Security

Similar Questions

  • IOS anyconnect vpn group lock and user restrictions

    Dear Experts,

    I now have two questions about cisco IOS vpn on ISR G2:

    1 is it possible to lock user group in IOS anyconnect VPN we can do in ASA? If so, can someone share the steps for her?

    2 - a customer wishes to restrict the anyconnect user login as it might turn the connection to the user on request. That is to say whenever the user wants to connect via vpn to ask the administrator to allow connection. can we do without deleting the username and create again?

    the other may be on ASA or IOS.

    Please see this guide:

    http://www.Cisco.com/c/en/us/support/docs/security/iOS-easy-VPN/117634-c...

    As he points out, "for the Cisco IOS group-lock and the ipsec: use vpn-group, it only works for IPSec (the easy VPN server)." In order to group-lock specific users in specific contexts of WebVPN (and strategies Group attached), authentication domains should be used. »

    If you lock a user to a policy that authenticates, but does provide real access permissions (say an ACL that blocks all traffic to the private network) then you have essentially made their ability to non-functional connection.

    If you use an external AAA server (for example, RADIUS or LDAP), then you can move in and out of the group which is authorized without disable VPN access / delete their account altogether.

  • AnyConnect VPN session disconnect and reconnect

    I have a firewall cisco ASA 5525-X set up to accept the AnyConnect VPN client (IKEv2) connection.

    AnyConnect VPN client can successfully connect.

    During the 1st 10 minutes after logging in, will the client Anyconnect VPN lost VPN connection for a few seconds (ranging from 3 seconds to 10 seconds), then it automatically reconnect back. After that, no more lost connection times.

    The lost connection happened at all multiple. So far, all at least 4 show the same problem.

    It does not affect the operation of the network, but it gives an unpleasant impression for users.

    I tried to surveillance of the ASDM firewall logs, no newspaper of no errors.

    I use Wireshark to capture traffic on the client side, also no errors detected.

    Can idea how I can continue to troubleshoot this problem?

    Hi Limlayhin,

    You can go ahead and capture logs of dart. You can download the Pack of dart for the anyconnect version you use and that you run after you experience this problem. Please make sure that everything you clear observer logs event before you launch you the Anyconnect client.

    To clear the observer event logs, follow these steps:

    1. start > run > Eventvwr

    2. it will then open Event Viewer Window

    3 maximize the application logs and services and that you will find an option "Cisco Anyconnect Secure Mobility Client"

    4. right click on the Cisco Anyconnect Secure Mobility Client and select clear logs. Select clear after that.

    Once you are done with this, launch the anyconnect connection and allow the problem to happen. Once the problem occurs, unplug the anyconnect client and run newspapers dart. It will create a Zip file on your desktop (by default) and you can go through the logs of connection Anyconnect to look for the root cause.

    Let me know if it helps.

    Vishnu

  • The ID attribute of the station call needs for Anyconnect VPN client MAC address

    Hi all

    We test tring Anyconnect VPN users to connect using the certificate. ASA East of validation / authentication user based on cert and approval it requires Radius server (ISE). Currently ASA sends the Ip address of the VPN client in «calling station ID» We want ASA to send the Anyconnect VPN client MAC address to the radius server in RADIUS attribute «calling station ID»  Is it possible to do this. Get around them?

    Parag salvation,

    The calling Station ID always contains the IP if Anyconnect VPN.

    L3 is originally unlike wireless which has L2 Assoc.

    Currently no work around.

    Respect of

    Ed

  • Cisco ASA 5505 and comodo SSL certificate

    Hey all,.

    I'm having a problem with setting up the piece of Certificate SSL of Cisco AnyConnect VPN. I bought the certificate and installed it via the ASDM under Configuration > VPN remote access > Certificate Management > identity certificates. I also placed the piece of 2 CA under the CA certificates. I have http redirect to https and under my browser, it is green.

    Once the AnyConnect client installs and automatically connect I get no error or anything. The minute I disconnect and try to reconnect again, I get the "VPN Server untrusted certificates! ' which is not true because the connection information to be https://vpn.mydomain.com and the SSL certificate is configured as vpn.mydomain.com.

    On that note, it lists the IP address instead of the vpn.mydomain.com as the unreliable piece of this. Now of course I don't have the IP as part of the SSL-cert, just the web address. On the side of the web, I have a record A Setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.

    What I'm missing here? I can post config if anyone needs.

    (My Version of the Software ASA is 9.0 (2) and ASDM Version 7.1 (2))

    Yes that's correct. technically, it will take you to EKU as keys to authenticate server who was a little forced in version 3.1. But eventually, he was taken away. If you get no error using the browser and ot only comes with the anyconnect client. Most likely, you do not have to configured values. I can confirm that if you can share the fqdn with me also, you can try the upgrade and check it out.

    Thank you

    Bad Boy

  • Cisco ASA and AnyConnect VPN certificate error

    Hello

    I am trying to configure Cisco AnyConnect VPN and everything works, but I get this warning message when the connection is opened:

    I don't have public certificate in ASA. Is it possible to use the self-signed certificate and get rid of this warning message?

    Hello

    This is expected behavior on the SAA for an SSL connection. You can certainly use the certificate self-signed on the SAA and then apply it on the external interface.
    Once done, you will need to install this certificate on the clients and this will alleviate the popup error message.

    Here is a document that you can refer to create a self-signed certificate.
    https://supportforums.Cisco.com/document/44116/ASA-self-signed-certificate-WebVPN

    Kind regards
    Dinesh Moudgil

    PS Please note the useful messages.

  • AnyConnect VPN client authentication using certificates

    Guys, I'm trying to configure my ASA5505 to authenticate the AnyConnect VPN clients using certificates. I have 'Certificates' defined as my method of authentication in my AnyConnect connection profile (see screenshot), but I get 'Certificate Validation failure' whenever I try to connect. The certificate I want to use is a computer issued by my CA certificate company root (Windows Server 2008 running Active Directory Certificate Services). Screenshot of certificate is attached. I added the root certificate on the SAA, and I tried all kinds of combinations by using the corresponding certificate in the AnyConnect Client profile. Each attempt failed, and I'm having no luck finding documentation on how to proceed. Any help would be greatly appreciated!

    Hello Shaun,

    The problem you're describing, not be able to authenticate through certificate through Microsoft Internet Explorer, is the fact that the certificate is in the computer store.  You do not want to confirm with Microsoft, but, I understand that only Microsoft Internet users explore the user store, this certificate is not available to attend the ASA via the Internet browser.

    -Craig

  • AnyConnect vpn client gives error of certificate on ios cisco 2800 series

    Dear all,

    I set up a vpn on cisco router ios simple anyconnect 2811

    I also configured natting on the inorder of router to access the internet for local users

    My problem

    I can not connect same vpn if I use the method of the anyconnect vpn client

    Also please tell me how to access internal resources by configuring split tunneling

    the error I get is as below


    * 08:16:35.947 Feb 8: 252:error:14094416:SSL routines: SSL3_READ_BYTES:sslv3 certificate alert unknown:../../../../cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt
    .c:1062:SSL alert number 46

    Here is my configuration

    ABC host name
    !

    start the flash system: c2800nm-advsecurityk9 - mz.124 - 24.T1.bin

    !
    AAA new-model
    !
    !
    AAA authentication login default local
    local connection SSL-VPN-AUTH authentication AAA
    !
    !
    AAA - the id of the joint session
    !
    dot11 syslog
    IP source-route
    !
    !
    IP cef
    !
    !
    IP-server names 4.2.2.2
    !
    Authenticated MultiLink bundle-name Panel
    !
    !
    !
    Crypto pki trustpoint ABC
    enrollment selfsigned
    crl revocation checking
    rsakeypair ABC 1024
    !
    !
    ABC crypto pki certificate chain
    self-signed certificate 04
    3082023 HAS 308201 3 A0030201 02020104 300 D 0609 2A 864886 F70D0101 04050030
    27312530 2306092A 864886F7 0D 010902 73 732 6569 6173742D 6B 686177 16166D
    616E6565 6A2D7261 31313032 30383038 32333036 5A170D32 30303130 301E170D
    3030305A 31303030 30273125 30230609 2 A 864886 F70D0109 0216166D 65 73732
    2D6B6861 69617374 77616E65 656A2D72 6130819F 300 D 0609 2A 864886 F70D0101
    01050003 818 0030 81890281 8100C16D 1007E434 AFAEE3C1 90141205 E7785754
    FA3C4589 3D6B3D47 57BC54A5 7237E7FE 9B7CA69C 999B4DAF 835B98E9 972CFD03
    5A43488C 05E82E10 9B540AB9 5A54AB0C 525FED0E 05B6F2FF 6703F0BD F28AE6F2
    9E98298D E184CCDC 2D54741D 589 9731 C2BA5191 59DC7DC8 1F03C116 DDCF21EB D
    0BB4E931 02F61F64 D64A6F36 92F70203 010001A 3 76307430 0F060355 1 130101
    FF040530 030101FF 30210603 551D 1104 1A 301882 7373 656961 2 73742D6B 166D
    68617761 2 726130 1 230418 30168014 2FA1E05E 1BD981A0 1F060355 6E65656A
    A3485444 0B151D9E 44A3F6F6 301D 0603 551D0E04 1604142F A1E05E1B D981A0A3
    4854440B 151D9E44 A3F6F630 0D06092A 864886F7 010104 05000381 810096EF 0D
    39D4EEED E3CA162B E6BC1B61 0C3C66ED 02884209 0F4B54F1 BA7BEFF4 CAA206CE
    44 C 99817 134363 2 F29A9E6A 945AA1B4 E4B85ED7 1800DAA1 30BE25C3 8340AE80
    714F8FBD 9A433C4B 3EE2204D 88F7AB6D 929B5C88 5E7BC2B9 25754390 1622DB7B
    EEB11694 F381E995 59C825BE 52EA5923 F87C43A3 98744BE8 BB27C381 BE14
    quit smoking
    !
    !
    privilege of username XXXX XXXX 15
    username password ABC ABC
    Archives
    The config log
    hidekeys
    !
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    IP address | public IP address. 255.255.255.252
    NAT outside IP
    IP virtual-reassembly
    automatic duplex
    automatic speed
    !
    interface FastEthernet0/1
    IP 192.168.0.7 255.255.255.0
    IP nat inside
    IP virtual-reassembly
    automatic duplex
    automatic speed
    !
    interface FastEthernet0/2/0
    no ip address
    Shutdown
    automatic duplex
    automatic speed
    !
    local pool IP 10.10.10.1 intranet 10.10.10.254
    IP forward-Protocol ND
    IP route 0.0.0.0 0.0.0.0 GATEWAY
    no ip address of the http server
    IP http secure server
    !
    !
    IP nat inside source map route sheep interface FastEthernet0/0 overload
    !
    extended IP access allow-traffic-to-lan list
    deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
    Licensing ip 192.168.0.0 0.0.0.255 any
    !
    access-list 101 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
    !
    !
    !
    sheep allowed 10 route map
    match ip address allow-traffic-to-lan
    !
    !
    !
    WebVPN EIAST gateway
    IP address | public-ip | port 443
    redirect http port 80
    SSL trustpoint ABC
    development
    !
    WebVPN install svc flash:/webvpn/anyconnect-win-2.5.2018-k9.pkg sequence 1
    !
    WebVPN context XYZ
    SSL authentication check all
    !
    !
    political group XYZ
    functions compatible svc
    SVC-pool of addresses "intranet".
    SVC split include 10.10.10.0 255.255.255.0
    SVC-Server primary dns 213.42.20.20
    Group Policy - by default-XYZ
    list of authentication SSL-VPN-AUTH of AAA.
    area of bridge XYZ XYZ
    10 Max-users
    development
    !
    end

    Thank you

    Jvalin

    You could hit the next bug

    CSCtb73337    AnyConnect does not work with IOS if cert not trust/name of offset
    which is set at 12.4 (24) T02.

    Please update the code and give it a try.

  • Cisco AnyConnect VPN connection has not changed my public IP address on Windows 7 64 bit

    Hello

    I installed a customer Cisco AnyConnect VPN from my school, so that I can access school of my Windows 7 laptop at home network. I was able to connect, but when I used http://www.whatismyip.com/, it still shows the IP address assigned by my ISP.  The "network and sharing Center", I have my original LAN and LAN VPN upward but access to LAN VPN type is 'without Internet access. The VPN connection seems to have activities based on evolution bytes sent and received.

    I searched the Web for solutions and changed something like adding the entry door. But it did not help.

    Thanks for your help.

    Split tunnel is probably configured so that traffic destined to school networks pass through the VPN tunnel, and traffic destined to the Internet goes outward through your local ISP. That's why whatismyip show your public IP address from ISP.

  • AnyConnect VPN and HP Office Jet Pro 8500 A910

    I can print from my laptop IBM T400 running Windows 7 64 bit. However, when I log in work AnyConnect VPN, I can't print. He says that the printer is disconnected from the network, even if it is connected. IT support at work said he can't change or adjust the VPN settings. The only way I can print is to disconnect from the VPN. Is this what I can adjust on the software of the printer or the printer itself?

    Hello

    To be able to print on the local network when you are connected to a network remote VPN might be possible by changing the VPN split tunneling configuration.

    However, it is depands on the VPN features and cannot be authorized because of the security requirements of your IT Department.

    Anyway, there is no way to configure such a thing by the printer or the printer software... It is directly affected by the configuration of the network and therefore require to modify VPN settings.

    Kind regards

    Shlomi

  • AnyConnect VPN and LAN access

    When remote users to connect to the Cisco ASA VPN and authenticate with Cisco AnyConnect client, they then full access to the environment internal of LAN of business as if they were sitting at their desks in the Office of the Corporation.

    Right?

    After that the remote client authenticates to the AnyConnect VPN, it is sensible to then run remote users of traffic through the corporate firewall (outside to inside) before allowing LAN access full corporate?

    Remote_User - vpn - ANYCONNECT-(outside) (inside) firewall - CORP_LAN

    Thank you

    Frank

    Hello

    Yes, by default, all traffic will be sent through the tunnel.

    If there are users VPN shouldn't be able to reach the resources, you need to establish rules for access to it. The best way to do this is by using VPN filter.

  • MAC and PC can reach the same an ASA for Anyconnect VPN?

    Hi, we have MAC and PC users. We configure the Anyconnect VPN in an ASA. But two users need two image of sorts. We must therefore use the two commands:

    AnyConnect image disk0: / anyconnect -win- 3.1.04066 - k9.pkg

    AnyConnect image disk0: / anyconnect -macosx- i386 - 2.5.2014 - k9.pkg.

    This is what two commands cannot coexist in an ASA. How to solve the problem? I hope your suggestion. Thank you

    They can co-exist, but you must add different sequence numbers at the end of each command.

  • ASA5505 SSL AnyConnect VPN and NAT Reverse Path failure

    I worked on it for a while and just have not found a solution yet.

    I have a Cisco ASA5505 Setup at home and I try to use the AnyConnect VPN client to it.  I followed the example of ASA 8.x split Tunnel but still miss me something.

    My home network is 10.170.x.x and I install the VPN address to 10.170.13.x pool I have a Windows workstation running at 10.170.0.6, printers 10.170.0.20 and 21 and inside the router itself is 10.170.0.1

    I can connect from the outside and am assigned an IP address of 10.170.13.10, but when I try to access network resources via ICMP or open a web page, the newspaper of the ASDM shows a bunch of this:

    5. January 27, 2010 | 10: 33:37 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:36 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33: 35 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:34 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10:33:30 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:29 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:28 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:28 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10:33:23 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10:33:17 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10: 33: 13 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10:33:07 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT

    I tried several things with NAT, but were not able to go beyond that.  Does anyone mind looking at my config running and help me with this?  Thanks a bunch!

    -Tim

    Couple to check points.

    name 10.17.13.0 UFP-VPN-pool looks like it should be the name 10.170.13.0 UFP-VPN-pool

    inside_nat0_outbound to access extended list ip allow list zero 255.255.0.0 255.255.255.0 UFP-VPN-pool

    Looks like that one

    inside_nat0_outbound to list extended ip access list zero UFP-VPN-pool 255.255.255.0 255.255.255.0 allow

  • AnyConnect vpn and a tunnel vpn Firewall even outside of the interface.

    I have a (no connection) remote access vpn and ipsec tunnel connection to return to our supplier is on the same firewall outside interface.

    The problem is when users remote vpn in they are not able to ping or join the provider above the tunnel network.

    now, I understand that this is a Bobby pin hair or u turn due to traffic but I'm still not able to understand how the remote vpn users can reach the network of the provider on the tunnel that ends on the same interface where remote access vpn is also configured.

    The firewall is asa 5510 worm 9.1

    Any suggestions please.

    Hello

    You are on the right track. Turning U will be required to allow vpn clients access to resources in the L2L VPN tunnel.

    The essence is that the split tunneling to access list must include subnets of the remote VPN to peer once the user connects they have directions pertaining to remote resources on anyconnect VPN

    Please go through this post and it will guide you how to set up the u turn on the SAA.
    https://supportforums.Cisco.com/document/52701/u-turninghairpinning-ASA

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/100918-ASA-sslvpn-00.html

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Cisco Anyconnect VPN and IPSEC coexist on ASA 5520?

    Can a Cisco ASA 5520 which has been configured as IPSEC VPN gateway and also be configured as a gateway ANYCONNECT VPN and vpn IPSEC service anyconnect vpn clients clients maintenance at the same time? Any negative impact on the performance or any other problem that everyone knows?

    I guess that by 2 connection limit, you are referring to the 2 licenses for anyconnect?  You should consider using the anyconnect essentials license, which is relatively cheap (100-200 dollars I think) and will take you to the edge of the platform with anyocnnect.

    You shouldn't have any problem using IPSEC with LDAP client.  It is quite common - my company is IPSEC as Anyconnect off the coast of the same interface using authentication ldap (even same-group policy) for the two.

    -Jason

Maybe you are looking for