AnyConnect VPN phone

Similar Questions

• ASA 5510 Anyconnect licenses with Cisco Anyconnect VPN IP phone

  Hi, hoping someone can shed some light on what I'm just more confused over trying to get by. Not sure if this goes in the section IP Telehpony or here...

  We have an ASA 5510 with the base license. We need to install IP phones to home teleworkers, and I understand there are Cisco IP phones that have built-in VPN clients to enable a tunnel to the central private network. IT seems that you can't use Anyconnect VPN to do this, and I am trying to establish what upgrade licenses, we must apply to the ASA, as both Anyconnect licenses that you get for free on the SAA is not enough.

  This is the phone that we seek;

  http://www.Cisco.com/en/us/prod/collateral/voicesw/ps6788/phones/ps10499/ps11005/data_sheet_c78-603725.html

  I want to know is the Anyconnect Essentials license will work with these IP phones?

  When I do a version of the show,

  The devices allowed for this platform:

  The maximum physical Interfaces: unlimited

  VLAN maximum: 50

  Internal hosts: unlimited

  Failover: disabled

  VPN - A: enabled

  VPN-3DES-AES: enabled

  Security contexts: 0

  GTP/GPRS: disabled

  SSL VPN peers: 2

  The VPN peers total: 250

  Sharing license: disabled

  AnyConnect for Mobile: disabled

  AnyConnect for Linksys phone: disabled

  AnyConnect Essentials: disabled

  Assessment of Advanced endpoint: disabled

  Proxy sessions for the UC phone: 2

  Total number of Sessions of Proxy UC: 2

  Botnet traffic filter: disabled

  This platform includes a basic license.

  It shows "AnyConnect for Linksys phone: Disabled", it is the same for the Cisco IP phones? It is the kind of specific license, should I seek for Anyconnect on IP phones or will Essentials?

  Hi Leo,

  you will need 2 licenses: an Anyconnect Premium license and a permit «Anyconnect of Cisco VPN phone»

  ASA 8.2 and earlier license "for Cisco VPN Phone" has been named "for phone Linksys' it's the same.

  CFR. http://www.Cisco.com/en/us/docs/security/ASA/asa84/license/license_management/license.html#wp1487574

  HTH

  Herbert

• Phones AnyConnect VPN cannot connect to network ASA high-speed AT & T uverse

  Phones AnyConnect VPN are configured to connect to the ASA 5510 running 8.4 (4), and it uses the Active Directory credentials to connect. The connection is successful external ISP systems including Comcast and smaller independent service providers. However, when all of us at the AT & T uverse service take this phone 7965 even at home it networks fails to make any connection to the ASA at all. A capture of packets on the ASA shows no activity connection to the IP address of our uverse.

  What's more, is that we can successfully authenticate the VPN of the phone when using the local account credentials (e.g. username admin password * priv 15) that are entered on the SAA. AT & T said that they are not blocking the ports. It is the confusion that this works for users to access local connection, but not with A/D.

  So I guess the question is: what is the first handshake TCP/UDP composed when a Cisco IP phone links AnyConnect SSL to an ASA and negotiates the authentication of the number of A/D? For example, what are the port numbers used in this handshake?  I couldn't find all the diagrams illustrating the HRT and the RFC for DTLS do not seem to have the answer either.

  Thanks in advance.

  -Athonia

  Note: we have a TAC case open currently with subject ASA 5510 VPN Edition w / 250 annyconnect user - SSL VPN for phones. Configuration

  I too ran on this issue and here is a description of what I found.

  If you use automatic network detection first trys phone ping the TFTP server, he has learned from the DHCP server or manually set with the parameter of the alternate TFTP server.  If the TFTP server is accessible the VPN will not connect and will not allow the user to connect manually.

  ATT Uverse use DHCP option 150, the same option as Cisco UC uses to automatically set the TFTP servers, to locate the local home gateway so that the STB can join him.  For this reason, you should notice that when you have a VPN phone on the network and view network settings the IP address of the TFTP server is the IP address of your default gatewat (The ATT router).

  Because of the automatic detection of network works in ping the TFTP server that the phone will always think that it is connected to the local network.  The workaround is to manually set the TFTP server on the phone * to the IP address that the TFTP server would have been if she had leared it from the DHCP server on your corporate network.  The reason you should do this instead of just using a Bogon address, is that once the VPN is connected it tryes to register to the address that you specified.

  Please let me know if this solves your problem as it did in our case.

  * If you do not know how to set the TFTP replacement setting you must first select the "replacement" TFTP protocol and press on * #.  This will allow you to change the default no to Yes.  The below named parameter TFTP Server 1 will then allow you to manually specify the address.

• CISCO ANYCONNECT VPN CISCO VPN CLIENT

  Hi, I was in the process of configuring cisco anyconnect vpn for ip phones to our local obtained the license for them either, the question that I get is that I already have remote configured cisco connect via the old cisco vpn client.

  now, if I activate the anyconnect ssl on the same outside the interface both can exist without conflict or maybe I need to migrate users to install the end customer for anyconnect system software to connect.

  I also need help with authentication of certification.

  concerning

  You can run both VPN at the same time without problems.

  However, you should try and migrate everyone to the latest technology Anyconnect SSL anyway.

• AnyConnect VPN application

  Hi all

  There is a single query on the anyconnect ASA 5510 deployment. We have the ASA 5510 with security more lic. and for lack of run (client) anyconnect VPN for concurrent users. It requires a separate licence for Anyconnect (client).

  5510 a security more lic.

  Firewall settings:

  AnyConnect Essentials: disabled

  AnyConnect Premium: 2

  Max VPN session: 250

  If I run anyconnect VPN it takes max 2 session. But need more sessions.

  Thank you

  Vishaw

  If you just want to use computers to connect to anyconnect using the AnyConnect client and not the clientless SSL, you only need to purchase the license AnyConnect Essentials for the amount of connection you need (supports up to 250).  If you need SSL clientless also, then you must purchase the Premium license.  If you also require that mobile phones, tabs, etc. need to connect to the AnyConnect client, then you need client AnyConnect mobility.

  The following link gives you an overview of the licnenses for the 5510 and other models ASA.

  http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa84/configuration/guide/asa_84_cli_config/intro_license.html#wp2142486

  In addition, here Pete does a good job of explaining AnyConnect licenses.

  http://www.petenetlive.com/kb/article/0000628.htm

  --

  Please do not forget to select a correct answer and rate useful posts

• AnyConnect VPN setup problem

  Hi all, I'm going to have bad configure anyconnect VPN on my router. I'm CCENT pre level and especially followed a tutorial, but feel I'm missing something simple here.

  It's a fairly simple installation on a Cisco No. 2851 - faces of a single interface my LAN 192.168.1.0/24, the other has a public IP address.

  I created a network 192.168.2.0/24 VPN users, mainly to have phones Android connection of their mobile phone networks, and have access to the servers/security cameras/etc by using their local IP addresses. When my phone connects, it gets an IP address and is connected, but is not communicating with my LAN correctly.

  The VPN client can ping 192.168.1.254 (the router's LAN IP) - but not the other devices on the network. However, the devices on my LAN can ping the VPN clients to their address 192.168.2.x.

  Here's a copy of my current config, I have reorganized some elements with #s. Also pasted my ip sh road under him. Do not forget that I am a novice, please forgive the hack :)

  Router (config) #do sh run
  Building configuration...

  Current configuration: 5782 bytes
  !
  ! Last modification of the configuration at 02:24:24 UTC Sat Sep 5 2015 by #.
  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  no password encryption service
  !
  host name #.
  !
  boot-start-marker
  boot-end-marker
  !
  !
  enable secret $5 1$ 0 #.
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  AAA authentication login local sslvpn
  AAA authorization exec default local
  !
  !
  !
  !
  !
  AAA - the id of the joint session
  !
  !
  dot11 syslog
  no ip source route
  !
  !
  IP cef
  !
  DHCP excluded-address 192.168.1.200 IP 192.168.1.254
  DHCP excluded-address 192.168.1.1 IP 192.168.1.10
  !
  pool of dhcp IP LAN
  network 192.168.1.0 255.255.255.0
  Server DNS 192.168.1.254
  by default-router 192.168.1.254
  !
  !
  IP domain name # '.com'
  host IP Switch 192.168.1.253
  8.8.8.8 IP name-server
  block connection-for 2000 tent 4 within 60
  connection access silencer-class SSH_MGMT
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  voice-card 0
  !
  Crypto pki token removal timeout default 0
  !
  Crypto pki trustpoint TRUSTPOINT-MY
  enrollment selfsigned
  Serial number
  name of the object CN = 117-certificate
  crl revocation checking
  rsakeypair my-rsa-keys
  !
  !
  MY-TRUSTPOINT crypto pki certificate chain
  certificate self-signed 01
  ##########################

  #########################
  quit smoking
  !
  !
  license udi pid CISCO2851 sn FTX1026A54Y
  # 5 secret username $1$ yv # E9.
  # 5 secret username $1$ X0nL ###kO.
  !
  redundancy
  !
  !
  property intellectual ssh version 2
  !
  !
  !
  !
  !
  !
  !
  !
  interface GigabitEthernet0/0
  LAN description
  IP 192.168.1.254 255.255.255.0
  IP nat inside
  No virtual-reassembly in ip
  automatic duplex
  automatic speed
  !
  interface GigabitEthernet0/1
  WAN description
  No dhcp client ip asks tftp-server-address
  No dhcp ip client application-domain name
  DHCP IP address
  IP access-group ACL-WAN_INTERFACE in
  no ip redirection
  no ip proxy-arp
  NAT outside IP
  No virtual-reassembly in ip
  automatic duplex
  automatic speed
  No cdp enable
  !
  interface Serial0/0/0
  no ip address
  Shutdown
  !
  interface virtual-Template1
  !
  local IP 192.168.2.100 WEBVPN-POOL pool 192.168.2.110
  IP forward-Protocol ND
  no ip address of the http server
  no ip http secure server
  !
  !
  The dns server IP
  IP nat inside source list INSIDE_NAT_ADDRESSES interface GigabitEthernet0/1 overload
  !
  IP access-list standard INSIDE_NAT_ADDRESSES
  permit 192.168.1.0 0.0.0.255
  permit 192.168.2.0 0.0.0.255
  IP access-list standard SSH_MGMT
  permit 192.168.1.0 0.0.0.255
  permit 207.210.0.0 0.0.255.255
  !
  IP extended ACL-WAN_INTERFACE access list
  deny udp any any eq snmp
  TCP refuse any any eq field
  TCP refuse any any eq echo
  TCP refuse any any day eq
  TCP refuse any any eq chargen
  TCP refuse any any eq telnet
  TCP refuse any any eq finger
  deny udp any any eq field
  deny ip 127.0.0.0 0.255.255.255 everything
  deny ip 192.168.0.0 0.0.255.255 everything
  permit any any eq 443 tcp
  allow an ip
  !
  exploitation forest esm config
  NLS RESP-timeout 1
  CPD cr id 1
  !
  !
  !
  !
  !
  !
  !
  control plan
  !
  !
  !
  !
  profile MGCP default
  !
  !
  !
  !
  !
  access controller
  Shutdown
  !
  !
  !
  Line con 0
  exec-timeout 0 0
  Synchronous recording
  line to 0
  exec-timeout 0 0
  Synchronous recording
  line vty 0 4
  exec-timeout 0 0
  Synchronous recording
  entry ssh transport
  line vty 5 15
  exec-timeout 0 0
  Synchronous recording
  entry ssh transport
  !
  Scheduler allocate 20000 1000
  !
  Gateway Gateway-WebVPN-Cisco WebVPN
  IP interface GigabitEthernet0/1 port 443
  SSL rc4 - md5 encryption
  SSL trustpoint TRUSTPOINT-MY
  development
  !
  WebVPN install svc flash:/webvpn/anyconnect-linux-3.1.03103-k9.pkg sequence 1
  !
  WebVPN context Cisco WebVPN
  title "Firewall.cx WebVPN - powered by Cisco"
  SSL authentication check all
  !
  list of URLS "rewrite".
  !
  ACL "ssl - acl.
  ip permit 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
  Licensing ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
  !
  login message "Cisco Secure WebVPN"
  !
  webvpnpolicy political group
  functions required svc
  filter tunnel ssl - acl
  SVC-pool of addresses 'WEBVPN-POOL' netmask 255.255.255.0
  generate a new key SVC new-tunnel method
  SVC split include 192.168.1.0 255.255.255.0
  Group Policy - by default-webvpnpolicy
  AAA authentication list sslvpn
  Gateway Cisco WebVPN bridge
  Max-users 5
  development
  !
  end

  Gateway of last resort is #. ###. ###. # network 0.0.0.0

  S * 0.0.0.0/0 [254/0] via #. ###. ###.1
  (###ISP))) is divided into subnets, subnets 1
  S (# #ISP #) [254/0] via (# publicgateway #) GigabitEthernet0/1
  ###.###.0.0/16 is variably divided into subnets, 2 subnets, 2 masks
  C ###.###.###.0/23 is directly connected, GigabitEthernet0/1
  The ###.###.###.###/32 is directly connected, GigabitEthernet0/1
  192.168.1.0/24 is variably divided into subnets, 2 subnets, 2 masks
  C 192.168.1.0/24 is directly connected, GigabitEthernet0/0
  The 192.168.1.254/32 is directly connected, GigabitEthernet0/0
  192.168.2.0/32 is divided into subnets, subnets 1
  S 192.168.2.100 [0/0] via 0.0.0.0, Virtual Network1

  can you try to disable the FW on your internal lan hosts and then try and ping from users of vpn client

• Would become Anyconnect essentials Premium AnyConnect vpn on asa

  Dear team,

  We have a pair of cisco ASA 5520 with version 8.2 (5) works well with active mode / standby. As the situation requires, we intend to change the SSL vpn to clientless SSL VPN (AnyConnect Premium) to anyconnect vpn with mobile clients (IOS & Android)

  Please specify below

  (1) I have read, we cannot have two Anyconnect Essentials & AnyConnect Premium on the same system time. We need to disable accordingly to our need-pl correct me?

  (2) what is the best way to have the device for end-user client deployment? pushing of ASA or install individually on the system? Can I have the best, I mean the latest version of windows, client MAC e.t.c I shud get?

  While pushing ASA LU that much memory cache will be used, since we have IPS (AIP - SSM) modules has also installed on ASA who shud method I adopt here?

  (3) what is the exact product for license Anyconnect Essentials & customer name mobile (IOS & Android) we get from cisco?

  (4) once I get the correct license how do I active in systems? should I remove the failover command and install the license in two devices separately?

  (5) Finally, I need to authenticate vpn anyconnect essentials with LDAP that is already configured for clientless SSL VPN(AnyConnect Premium). any suggestions here?

  Below the version Sh emitted by the devices, it seems essential Anyconnect is already active... Please correct me?

  Active Firewall
  ===============

  System image file is "disk0: / asa825 - k8.bin.
  The configuration file to the startup was "startup-config '.

  Material: ASA5520, 2048 MB RAM, Pentium 4 Celeron 2000 MHz processor
  Internal ATA Compact Flash, 256 MB
  BIOS Flash Firmware Hub @ 0xffe00000, 1024 KB

  Hardware encryption device: edge Cisco ASA - 55 x 0 Accelerator (revision 0 x 0)
  Start firmware: CN1000-MC-BOOT - 2.00
  SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03
  Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.05

  0: Ext: GigabitEthernet0/0: the address is a493.4ca3.ce0a, irq 9
  1: Ext: GigabitEthernet0/1: the address is a493.4ca3.ce0b, irq 9
  2: Ext: GigabitEthernet0/2: the address is a493.4ca3.ce0c, irq 9
  3: Ext: GigabitEthernet0/3: the address is a493.4ca3.ce0d, irq 9
  4: Ext: Management0/0: the address is a493.4ca3.ce09, irq 11
  5: Int: internal-Data0/0: the address is 0000.0001.0002, irq 11
  6: Int: internal-Control0/0: the address is 0000.0001.0001, irq 5

  The devices allowed for this platform:
  The maximum physical Interfaces: unlimited
  VLAN maximum: 150
  Internal hosts: unlimited
  Failover: Active/active
  VPN - A: enabled
  VPN-3DES-AES: enabled
  Security contexts: 2
  GTP/GPRS: disabled
  SSL VPN peers: 2
  Total of the VPN peers: 750
  Sharing license: disabled
  AnyConnect for Mobile: disabled
  AnyConnect Cisco VPN phone: disabled
  AnyConnect Essentials: enabled
  Assessment of Advanced endpoint: disabled
  Proxy sessions for the UC phone: 2
  Total number of Sessions of Proxy UC: 2
  Botnet traffic filter: disabled

  This platform includes an ASA 5520 VPN Plus license.

  =====================================================

  Firewall standby
  ================

  Updated Saturday, May 20, 11 16:00 by manufacturers
  System image file is "disk0: / asa825 - k8.bin.
  The configuration file to the startup was "startup-config '.

  Material: ASA5520, 2048 MB RAM, Pentium 4 Celeron 2000 MHz processor
  Internal ATA Compact Flash, 256 MB
  BIOS Flash Firmware Hub @ 0xffe00000, 1024 KB

  Hardware encryption device: edge Cisco ASA - 55 x 0 Accelerator (revision 0 x 0)
  Start firmware: CN1000-MC-BOOT - 2.00
  SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03
  Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.05

  0: Ext: GigabitEthernet0/0: the address is 6073.5cab.3fae, irq 9
  1: Ext: GigabitEthernet0/1: the address is 6073.5cab.3faf, irq 9
  2: Ext: GigabitEthernet0/2: the address is 6073.5cab.3fb0, irq 9
  3: Ext: GigabitEthernet0/3: the address is 6073.5cab.3fb1, irq 9
  4: Ext: Management0/0: the address is 6073.5cab.3fb2, irq 11
  5: Int: internal-Data0/0: the address is 0000.0001.0002, irq 11
  6: Int: internal-Control0/0: the address is 0000.0001.0001, irq 5

  The devices allowed for this platform:
  The maximum physical Interfaces: unlimited
  VLAN maximum: 150
  Internal hosts: unlimited
  Failover: Active/active
  VPN - A: enabled
  VPN-3DES-AES: enabled
  Security contexts: 2
  GTP/GPRS: disabled
  SSL VPN peers: 2
  Total of the VPN peers: 750
  Sharing license: disabled
  AnyConnect for Mobile: disabled
  AnyConnect Cisco VPN phone: disabled
  AnyConnect Essentials: enabled
  Assessment of Advanced endpoint: disabled
  Proxy sessions for the UC phone: 2
  Total number of Sessions of Proxy UC: 2
  Botnet traffic filter: disabled

  This platform includes an ASA 5520 VPN Plus license.

  Thank you

  1 correct. You can run one or the other, but not both.

  2 since you have the upgrade memory to 2 GB, you should be fine perform web deployment via the pkg file method.

  3. for a 5520, you need:

  L-ASA-AC-E-5520 =
  L-ASA-AC-M-5520

  .. .to the Essentials and Mobile licenses respectively.

  4. on ASA 8.2, you need licenses for both units. If you upgrade to 8.3 + (8.4 (7) recommend at least), you can share licenses between members of a pair of HA. If you choose not to upgrade, just apply the key of activation on the rescue unit, then on the unit activates. You don't need to move on and in the failover configuration. Failover of the rescue unit status will show as ineligible briefly while he holds the new license is not the case of the active unit. Which will be resolved after you have applied the same license on the main unit. (If you were on 8.3 + would not happen at all).

  5. simply create a new connection profile for customers of Essentials by using the same AAA server group.

• AnyConnect VPN Mobile disabled 5505 SEC no more questions

  Hi all

  I have a 5505-SEC-BUN-K9, must purchase a license of Mobile Anyconnect vpn.

  For the question now, I was able to active the anyconnect for mobile but the sec as well as features all failed. How can I check the question?

  The devices allowed for this platform:
  The maximum physical Interfaces: 8 perpetual
  VLAN: 20 unrestricted DMZ
  Double ISP: Activated perpetual
  VLAN Trunk Ports: 8 perpetual
  Guests of the Interior: perpetual unlimited
  Failover: Active / standby perpetual
  Encryption - A: enabled perpetual
  AES-3DES-Encryption: activated perpetual
  AnyConnect Premium peers: 2 perpetual
  AnyConnect Essentials: 25 perpetual
  Counterparts in other VPNS: 25 perpetual
  Total VPN counterparts: 25 perpetual
  Shared license: disabled perpetual
  AnyConnect for Mobile: 76 days allowed
  AnyConnect Cisco VPN phone: disabled perpetual
  Assessment of Advanced endpoint: disabled perpetual
  Proxy UC phone sessions: 2 perpetual
  Proxy total UC sessions: 2 perpetual
  Botnet traffic filter: disabled perpetual
  Intercompany Media Engine: Disabled perpetual
  Cluster: Disabled perpetual
   
  Internal guests: 10
  Failover: disabled
  Encryption - A: enabled
  Encryption-3DES-AES: enabled
  Security contexts: by default
  GTP/GPRS: disabled
  Premium AnyConnect peers: by default
  Other VPN peers: by default
  Assessment of Advanced endpoint: disabled
  AnyConnect for Mobile: enabled
  AnyConnect Cisco VPN phone: disabled
  Shared license Premium AnyConnect server: disabled
  Sharing license: disabled
  Proxy sessions for the UC phone: by default
  Total number of Sessions of Proxy UC: default
  AnyConnect Essentials: enabled
  Botnet traffic filter: disabled
  Intercompany media engine: disabled
  Cluster license: disabled

  Have you tried to re-apply your activation key for the license of security more?

  If you don't have it available, you may need to open a TAC case to get worldwide license team to regenerate it for you.

• ASA checks AnyConnect VPN computer name

  Hi all

  I have searched the Forum and documentation, but have not found a solution to my problem.  I'm guessing it happens sometimes, but maybe I'm looking for the wrong thing.  We AnyConnect deployed across our cell phones, but have trouble with employees who do get the software from other sources AnyConnect and install on personal computers.  We are an agency, although relatively small, but we have policies in place and I need to lock for users unable to connect to the VPN unless you're a book PC connected to our AD domain.  I found a possible solution is to use dynamic access within the ASA policies to check the Windows computer name.  So I set up LDAP and has created a policy to check an AAA attribute.  It lets me select "MemberOf", which I assume it is the Group of users, but I need to check the name of the computer on the client before allowing access.

  Step by step of what I did, does anyone know of a more logical or easier way to lock on what AnyConnect VPN client computers can be used?

  Or if I go about this common sense with dynamic access policies, anyone have any suggestions or knowledge of documentation that helps to configure things properly when you check the computer name LDAP attribute?

  Thank you!

  JD

  Hey Joe,

  You do not need LDAP to do this, what you need is CSD (Cisco Secure Desktop) combined with DAP.

  Once you enable SSC, edit your DAP strategy and instead of an IPN to attribute you to try, add an attribute of endpoint (on the right hand side).

  To verify the host name, select the type of the attribute "peripheral".

  Alternatively, you can also activate the sweep of host (under Contract) and let the CSD to check the presence of a file with a certain file name, or a registry entry or a process name. CSD passes the result of this verification to the PAD, so you can use it in a policy (attributes of endpoint of type process, registry and files).

  Another alternative is to use the CSD with a policy before opening session - that you cannot check the host name, but it does not have control over the IP, OS type, certificate as well as the presence of a process, the registry key, the file. In this case you need not to DAP.

  HTH

  Herbert

• AnyConnect VPN for Cisco ASA 5505 refused connections

  I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access.  Here is the relevant information of my config:

  interface Vlan2
  
      mac-address xxxx.xxxx.xxxx
  
      nameif outside
  
      security-level 0
  
      ip address A.A.A.A 255.255.255.240
  
      !
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq https
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq https
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq www
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
  
      access-list outside_access_in extended permit icmp any any
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
  
      access-list outside_access_in extended permit gre any host C.C.C.C
  
      access-list outside_access_out extended permit ip any any
  
      access-list inside_access_in extended permit ip any any
  
      access-list inside_access_in extended permit ip any interface outside
  
      access-list inside_access_out extended permit ip any any
  access-group inside_access_in in interface inside
  
      access-group inside_access_out out interface inside
  
      access-group outside_access_in in interface outside
  
      access-group outside_access_out out interface outside
  webvpn
  
      enable inside
  
      enable outside
  
      svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  
      svc enable
  group-policy DfltGrpPolicy attributes
  
      dns-server value X.X.X.X
  
      vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  
      split-tunnel-policy tunnelspecified
  
      split-tunnel-network-list value
  
      address-pools value palm
  
      webvpn
  
        svc rekey time 30
  
        svc rekey method ssl
  
        svc ask enable default webvpn
  policy-map global_policy
  
      class inspection_default
  
        inspect pptp
  
        inspect http
  
        inspect icmp
  
        inspect ftp
  
      !
  

  When I try to connect, I get this error in the real-time log viewer:

  TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443
  

  Here are the details of the license:

  Licensed features for this platform:
  
      Maximum Physical Interfaces  : 8
  
      VLANs                        : 3, DMZ Restricted
  
      Inside Hosts                 : Unlimited
  
      Failover                     : Disabled
  
      VPN-DES                      : Enabled
  
      VPN-3DES-AES                 : Enabled
  
      SSL VPN Peers                : 2
  
      Total VPN Peers              : 10
  
      Dual ISPs                    : Disabled
  
      VLAN Trunk Ports             : 0
  
      Shared License               : Disabled
  
      AnyConnect for Mobile        : Disabled
  
      AnyConnect for Linksys phone : Disabled
  
      AnyConnect Essentials        : Disabled
  
      Advanced Endpoint Assessment : Disabled
  
      UC Phone Proxy Sessions      : 2
  
      Total UC Proxy Sessions      : 2
  
      Botnet Traffic Filter        : Disabled
  This platform has a Base license.
  

  Can someone tell me what I am doing wrong or what access list I'm missing?

  I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.

  Hi Matt,

  You are probably landing on the tunnel-group by default - you will need to indicate which group to connect to the client. This can be done in different ways - I see that you already have a defined group aliases, but to be able to use that you must configure:

  WebVPN

  tunnel-group-list activate

  Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ permit' to the webvpn attributes tunnel-group.

  HTH

  Herbert

• AnyConnect VPN license on ASA 5510

  Hello

  We have ASA 5510 IPS with basic license. We must now Anyconnect support for more than 2 users.

  Anyconnect (tunnel mode) but essentially Anyconnect license enough? Do need me a license for SSL VPN peers?

  What about Anyconnect without customer, I see that I need a premium license?

  This one is pretty ASA5510-SSL50-K9? It's really expensive compared the Anyconnect Essentials.

  Here is my worm out sh:

  The devices allowed for this platform:
  The maximum physical Interfaces: unlimited
  VLAN maximum: 50
  Internal hosts: unlimited
  Failover: disabled
  VPN - A: enabled
  VPN-3DES-AES: enabled
  Security contexts: 0
  GTP/GPRS: disabled
  SSL VPN peers: 2
  The VPN peers total: 250
  Sharing license: disabled
  AnyConnect for Mobile: disabled
  AnyConnect Cisco VPN phone: disabled
  AnyConnect Essentials: disabled
  Assessment of Advanced endpoint: disabled
  Proxy sessions for the UC phone: 2
  Total number of Sessions of Proxy UC: 2
  Botnet traffic filter: disabled

  This platform includes a basic license.

  Yes, AnyConnect Premium includes all the SSL features (including the complete tunnel mode AnyConnect - which is what sustains essential AnyConnect).

  So if you buy the 50 user for AnyConnect Premium license, you can have up to 50 SSL VPN connections, if they are the combination of all without customer, or combination of tunnel without customer and full, or just full tunnel. All with a maximum of 50 simultaneous SSL tunnels.

• EasyVPN for VPN phones?

  Can I use a router 2911 like EasyVPN server for VPN phones or EasyVPN is only for the router-to-router VPN?

  EasyVPN server can stop sessions IPSec client.  I know not at all with native features of IPSec Cisco phones. There is version phone Cisco AnyConnect SSL VPN support including a 2911 can be dismissed to support.

  http://www.Cisco.com/en/us/customer/docs/voice_ip_comm/cucme/Admin/Configuration/Guide/cmevpn.html#wp1019169

  Todd

• AnyConnect VPN and HP Office Jet Pro 8500 A910

  I can print from my laptop IBM T400 running Windows 7 64 bit. However, when I log in work AnyConnect VPN, I can't print. He says that the printer is disconnected from the network, even if it is connected. IT support at work said he can't change or adjust the VPN settings. The only way I can print is to disconnect from the VPN. Is this what I can adjust on the software of the printer or the printer itself?

  Hello

  To be able to print on the local network when you are connected to a network remote VPN might be possible by changing the VPN split tunneling configuration.

  However, it is depands on the VPN features and cannot be authorized because of the security requirements of your IT Department.

  Anyway, there is no way to configure such a thing by the printer or the printer software... It is directly affected by the configuration of the network and therefore require to modify VPN settings.

  Kind regards

  Shlomi

• Cisco AnyConnect VPN Client maintains reconnection

  Hello

  We have recently installed an ASA5505 and activated the VPN access.

  Two of my colleagues have no problems connecting to the VPN using Cisco AnyConnect VPN Client, but I do.

  I am still disconnected after a few seconds with the message:

  "A VPN reconnect gave rise to different configuration settings. VPN network interface is to be reset. Applications using the private network may be required to restart. »

  Cisco AnyConnect VPN Client Version 2.5.2019

  I work with Windows 7 but the same thing happens when I try to connect using my computer that is running Windows Vista.

  My colleagues also using Win7

  I also tried to disable the Windows Firewall.

  Any help would be appreciated.

  Best regards

  Peter

  TAC has been able to solve the problem.   For webvpn mtu changed default from 1406 to 1200.

  Not sure why 2 other ASAs we work very well otherwise though!

  WebVPN
  SVC mtu 1200

• IOS anyconnect vpn group lock and user restrictions

  Dear Experts,

  I now have two questions about cisco IOS vpn on ISR G2:

  1 is it possible to lock user group in IOS anyconnect VPN we can do in ASA? If so, can someone share the steps for her?

  2 - a customer wishes to restrict the anyconnect user login as it might turn the connection to the user on request. That is to say whenever the user wants to connect via vpn to ask the administrator to allow connection. can we do without deleting the username and create again?

  the other may be on ASA or IOS.

  Please see this guide:

  http://www.Cisco.com/c/en/us/support/docs/security/iOS-easy-VPN/117634-c...

  As he points out, "for the Cisco IOS group-lock and the ipsec: use vpn-group, it only works for IPSec (the easy VPN server)." In order to group-lock specific users in specific contexts of WebVPN (and strategies Group attached), authentication domains should be used. »

  If you lock a user to a policy that authenticates, but does provide real access permissions (say an ACL that blocks all traffic to the private network) then you have essentially made their ability to non-functional connection.

  If you use an external AAA server (for example, RADIUS or LDAP), then you can move in and out of the group which is authorized without disable VPN access / delete their account altogether.