Beginning Anyconnect WebVPN Portal

I am trying to remove the "Start AnyConnect" shortcut and the references to AnyConnect from the WebVPN portal for a customization object I have.

I can turn it off in the Applications section of the VPN customization, which solves one problem. But after I connect as a user, the default page loads and one of its frames shows the Start AnyConnect panel. Once I select Home, Web Applications or Browse Networks, which I have enabled, I no longer have access to it unless I log out and log back in.

Help with removing the Start AnyConnect frame that appears in the WebVPN interface when a user first connects would be great.

ASDM 6.3

ASA5510

Thank you!

Hello

I don't know exactly what you want to achieve in what order, but maybe this helps: there are two mechanisms that let you distinguish and prioritize between the use of "SVC" (the AnyConnect client) and "WebVPN" (the clientless portal):

  1. Allowing the use of SVC or WebVPN as such (by group policy).
  2. Options for how the ASA should treat SVC after the user has authenticated on the clientless portal. Available options:
  • Select SVC automatically right away -> no dialog is shown to the user; the portal home page will never load.
  • Offer SVC through a portal dialog for a number of seconds, then either select it automatically or do NOT start it -> if the user does not act accordingly, the dialog disappears after the timeout and the pre-configured default is applied.
  • Do not select or offer SVC at all -> the portal home page loads; no reference to SVC is shown.

If you are familiar with the CLI, here are the commands that let you customize these mechanisms to your liking (check the command reference for your deployed OS version if you have any questions):

group-policy
 vpn-tunnel-protocol {[ipsec] [l2tp-ipsec] [svc] [webvpn]}
 webvpn
  svc ask {none | enable [default {webvpn | svc} [timeout seconds]]}

The default on ASA OS 8.2 is:

svc ask none default webvpn

(-> no reference to SVC will be presented and an SVC session will NOT be started through the clientless portal. However, if you have configured vpn-tunnel-protocol svc webvpn, the user will always be able to connect with the AnyConnect client installed locally on his machine, IN PARALLEL to being able to connect to the clientless portal.)

Regards

Toni
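As an added illustration of the two mechanisms Toni describes (this is not from the original thread), here is an ASA 8.2 group-policy fragment showing the three svc ask modes side by side, with the tunnel-group binding and the show commands used to verify which kind of session a user actually got. The group-policy and tunnel-group names are made up.

```text
! Added example, not from the thread. Policy and tunnel-group names are assumed.
! Three ways to treat SVC/AnyConnect after a user logs in to the clientless
! portal, ASA 8.2 syntax.

! 1) Portal only: the user lands on the clientless home page, no AnyConnect
!    panel is shown and nothing auto-starts. This is also the 8.2 default.
group-policy GP-PORTAL-ONLY internal
group-policy GP-PORTAL-ONLY attributes
 vpn-tunnel-protocol webvpn
 webvpn
  svc ask none default webvpn

! 2) Portal first, but offer the client: a dialog is shown for 15 seconds;
!    if the user does nothing the pre-configured default (webvpn) is used.
!    Both protocols must be allowed, otherwise the dialog has nothing to offer.
group-policy GP-PORTAL-OFFER-SVC internal
group-policy GP-PORTAL-OFFER-SVC attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc ask enable default webvpn timeout 15

! 3) Client first: AnyConnect starts right after the portal login and the
!    portal home page is never displayed. Users with the locally installed
!    client can still connect directly, in parallel, because svc is allowed.
group-policy GP-SVC-AUTO internal
group-policy GP-SVC-AUTO attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc ask none default svc

! Bind the policy you want to the connection profile users log in to.
tunnel-group RA-PORTAL type remote-access
tunnel-group RA-PORTAL general-attributes
 default-group-policy GP-PORTAL-ONLY

! Verify what a session actually negotiated:
!   show vpn-sessiondb webvpn   (clientless sessions)
!   show vpn-sessiondb svc      (AnyConnect sessions)
! On ASA 8.4 and later the same settings read "anyconnect ask ..." and
! "vpn-tunnel-protocol ssl-client ssl-clientless".
```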

Tags: Cisco Security

Similar Questions

  • Clientless WebVPN Portal - Contractor solution

    I'm setting up an ASA 5520 as a clientless WebVPN portal. It is for outside contractors from other companies; contractor access only.

    The goal is to ensure that each contractor has their own very specific access to what they need inside.

    It looks like I can do this with a URL filter or an address and Web ACL/service, then assign it to a group policy or a DAP.

    I'll have the ASA use RADIUS, pointing to an Entrust server, for password authentication.

    The hang-up I'm having is how to uniquely identify the different contractors so that they only connect with their specific group policy / tunnel group / Web ACL and cannot connect to all the others and get their access. Or, the other way round, set it up so that they choose their specific group on the portal login page, or use a DAP to assign it dynamically.

    The old configuration we had just used the old IPsec VPN client. I would create the tunnel group and the group policy for the contractor/company, provide them with the PCF file, and have a VPN filter to allow only specific access.

    I'm now just trying to understand the most appropriate way to do that, but with the clientless portal and possibly the AnyConnect client.

    All recommendations / help would be appreciated.

    Ben,

    You can provide a separate group-url for each of the contractor groups.

    i.e. https://asa.mycompany.tld/Contractor_CompanyA

    and https://asa.mycompany.tld/JohnContractorsky

    The group-url maps to a particular tunnel group.

    On top of that (if Entrust can do it) you can send group-lock from the server to ensure that users belonging to group A do not connect to the resources of group B.

    M.

  • ASA5520 and ACS 4.0 - AnyConnect WebVPN (Clientless SSL Tunnel) does not honor downloadable ACLs (DACL)

    I'm having a lot of problems getting the so-called "Clientless SSL-Tunnel" AnyConnect VPN sessions - i.e. those started by visiting https:// via a browser and letting the Java/ActiveX plugin automatically run the fat AnyConnect VPN client for you - to honor downloadable ACLs.

    Our installation is integrated via RADIUS with Cisco ACS 4.0.

    Dynamic group -> connection profile assignment seems to work either way (directly via the fat AnyConnect VPN client or indirectly via browser -> Java/ActiveX client); however, our downloadable ACLs only take effect if the user starts the SSL VPN via the fat AnyConnect VPN client. Users who come in through the "browser -> https://" route seem to have no ACLs applied at all?

    I understand that I can use the vendor-specific "Cisco VPN 3000/etc." RADIUS attributes, such as 'WebVPN-Filter' and 'WebVPN-Access-List', to apply an ACL configured locally on the ASA firewall, but what do I have to configure to make the "WebVPN/Clientless-SSL-Tunnel" sessions honor the DACL that our ACS sends?

    It is a known problem with some ASA software versions; see Cisco bug CSCtv19046 - DACL is not applied to AnyConnect when connecting via the web portal. You probably need to upgrade your ASA to 8.4(4.1) or a later version.

  • Cisco Anyconnect/WebVPN license for ASA 5510

    Hello

    Could someone please check the attached licenses for the ASA 5510 and let me know. We currently have an ASA 5510 with the Base license. According to the attached table, under VPN sessions it mentions "250 combined IPsec and WebVPN sessions", and for "Max WebVPN sessions" it mentions 2 sessions; beyond that we must buy the optional WebVPN license. Since we have the 250 combined IPsec and WebVPN sessions license, must we purchase an additional AnyConnect license to set up remote access for users who want to use internal resources from outside the network? Or else, do we not need to purchase a license and can we configure WebVPN/AnyConnect for existing users from the existing combined license of the ASA Base license? Waiting for your response. Thank you.

    You are welcome.

    1. Yes

    2. AnyConnect does not require Java, but it can use it when connecting to an AnyConnect SSL VPN client from the web browser with the Java-based start option. There was a bug with old AnyConnect versions that later versions should have addressed. You also have the option to launch via IE using ActiveX, or simply to launch AnyConnect directly - neither of these two methods requires Java.

    Here is a TAC document on the Java questions if you want more details.

    Please take a moment to rate helpful posts and mark your questions as answered.

  • ASA Cisco Anyconnect Web portal Redirect

    How can I have my ASA AnyConnect portal redirect to https? The problem is that, unless the user types https://, they cannot reach the page. I need something like vpn.domain.com to redirect to https://vpn.domain.com in the user's browser.

    http redirect outside 80

    Michael

    Please rate all useful posts

  • AnyConnect/Webvpn different ip address

    Hello

    We have an ASA5510 with the AnyConnect Essentials license. I'm trying to configure AnyConnect and immediately ran into a question. We have a /29 subnet and, as far as I know, I have to use the address of the outside interface for AnyConnect. However, I already have an https service PAT-forwarded on that address. So, can I configure AnyConnect to listen on, for example, the second IP address in my public subnet?

    Thank you

    Pascale

    Sent from Cisco Technical Support iPhone App

    In short, no.

    But you can use the 'port' command under webvpn to listen on a port other than 443.

  • ASA AnyConnect WebVPN does not work after upgrade to 9.4(2)

    Hello

    I upgraded an ASA5512-X to version 9.4(2)6. Since the upgrade only one AnyConnect VPN connection works; if another connection starts, it kicks the first one out and struggles to start the connection. The ASA has 10 Premium licenses and worked on 8.6.

    Any advice would be appreciated. Thank you very much.

    Try going to asa942-11-smp-k8.bin.

  • DHCP and IOS AnyConnect/WebVPN

    I've had a good look and can't seem to find documentation referring to the ability to use DHCP to distribute addresses to AnyConnect clients on IOS, only pools defined on the router.

    Has anyone got an external DHCP server distributing AnyConnect client addresses on IOS? If so, how did you get this working?

    https://Tools.Cisco.com/bugsearch/bug/CSCsr56125

  • WebVPN portal is not opening on a few PCs

    I have an ASA 5520 with a WebVPN portal, but a few users get "cannot display page". Does anyone know why this is happening?

    It's an isolated problem on 4 PCs... I don't know why this is happening... I need some ideas why this might occur on some machines.

    Thanks in advance for your support.

    I would start by making sure the WebVPN portal URL is added to the list of trusted sites in your browser.  You'll also want to validate which SSL encryption algorithms you have enabled on the ASA and make sure the browsers on the machines in question support them.

  • Cannot type 'url-list' in clientless AnyConnect VPN setup

    Hi, I am trying to set up the AnyConnect VPN client based on the Cisco document below. There is a command like the one below. When I type 'url-list', I can't enter it.

    Here is Cisco's example:

    webvpn
     enable outside
     url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
     url-list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
     url-list ServerList "FOCUS_SRV_2" http://10.2.2.4 3

    Here's my ASA:

    VPNFW-70/PRI/Act(config-webvpn)# url-?

    configure mode commands/options:
      url-block  url-cache  url-server

    My ASA shows no url-list option when I type '?'.

    Can anyone give me some suggestions? Thank you.

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Hello

    In the 7.x code all clientless customizations were included in the running configuration.
    However, referring to this document from Cisco: http://goo.gl/XRkrcO, you can see that this command has been deprecated in the 8.x ASA code.

    The best way to configure the bookmarks is to use ASDM, or to create them on a server and then import them into the ASA.

    Why can we not create bookmarks via the CLI?

    With the introduction of 8.x many more options were added, allowing greater flexibility.  These new options would have bloated the running configuration, so they were moved into separate XML files.  In effect, this eliminated the ability to configure a bookmark list via the CLI.

    For more information on this discussion, please refer to this thread:
    https://supportforums.Cisco.com/discussion/11010546/how-do-i-create-URL-bookmark-WebVPN-Portal-CLI

    Kind regards
    Dinesh Moudgil

    PS: Please rate helpful posts.

  • Restrict access to userid AnyConnect

    My client has an ASA running 8.2 and a WebVPN portal.  He wants to allow some users to use AnyConnect, but others would only be authorized for clientless access.  It uses NT authentication.  I've implemented two different group policies, which do what he wants, and corresponding tunnel groups, but I don't see an obvious way to force one set of users onto one tunnel group and the other set onto the other.  Using group-url as security through obscurity was the only thing I could come up with.  Is it possible to do what he wants?  Thank you.

    Group membership would be the "memberOf" attribute, and if you run "debug ldap 255" on the ASA firewall while trying to authenticate, it will show all the LDAP attributes; look for the complete path of the group membership in the "memberOf" attribute.

    Here is another configuration example that may help (check the 'debug ldap 255' output at the bottom and look at the "memberOf" attribute):

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

    (In the example above, you need to map the following memberOf attribute: "CN=employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com")

    You can get the complete memberOf attribute path for your LDAP organization from the "debug ldap 255" output on the ASA.

    Hope that helps.
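    As an added example (not from this thread or the contractor thread above), here is how the two answers fit together on an ASA: a per-group group-url selects the tunnel group, an LDAP attribute map turns the directory's memberOf value into a group policy, and group-lock rejects a user whose policy does not belong to the tunnel group they came in through. All names, DNs, addresses and the bind password are made up; IETF-Radius-Class is used as the mapped attribute because it is accepted across ASA versions.

```text
! Added example, not from the threads. Names, DNs and addresses are made up.

! LDAP server with an attribute map: the user's memberOf value decides the
! group policy. Unmapped groups fall through to the tunnel group's default
! policy, so that default is a deny-everything policy.
ldap attribute-map LDAP-GROUPS
 map-name  memberOf IETF-Radius-Class
 map-value memberOf "CN=Contractor-A,CN=Users,DC=example,DC=com" GP-CONTRACTOR-A
 map-value memberOf "CN=VPN-AnyConnect,CN=Users,DC=example,DC=com" GP-ANYCONNECT
 map-value memberOf "CN=VPN-Clientless,CN=Users,DC=example,DC=com" GP-CLIENTLESS

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,CN=Users,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map LDAP-GROUPS

! Deny-by-default policy for anyone whose group is not mapped.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! Contractor A: clientless only, a webtype ACL limits what the portal can
! reach, and group-lock ties the policy to its own tunnel group.
access-list WEB-CONTRACTOR-A webtype permit url https://app-a.example.com/*
access-list WEB-CONTRACTOR-A webtype deny url any
group-policy GP-CONTRACTOR-A internal
group-policy GP-CONTRACTOR-A attributes
 vpn-tunnel-protocol webvpn
 group-lock value TG-CONTRACTOR-A
 webvpn
  filter value WEB-CONTRACTOR-A

! Employees: one policy may use AnyConnect, the other only the portal.
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol svc webvpn
 group-lock value TG-EMPLOYEES
group-policy GP-CLIENTLESS internal
group-policy GP-CLIENTLESS attributes
 vpn-tunnel-protocol webvpn
 group-lock value TG-EMPLOYEES

! Tunnel groups: the group-url selects the tunnel group without a drop-down,
! the LDAP group then selects the policy, and group-lock rejects a mismatch
! (for example an employee logging in at the contractor URL).
tunnel-group TG-CONTRACTOR-A type remote-access
tunnel-group TG-CONTRACTOR-A general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
tunnel-group TG-CONTRACTOR-A webvpn-attributes
 group-url https://asa.example.com/Contractor_CompanyA enable

tunnel-group TG-EMPLOYEES type remote-access
tunnel-group TG-EMPLOYEES general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
tunnel-group TG-EMPLOYEES webvpn-attributes
 group-url https://asa.example.com/employees enable

! Checks:
!   debug ldap 255                    shows the memberOf values and the mapped policy
!   show vpn-sessiondb detail webvpn  shows which group policy a session received
```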

  • Client certificate and router WebVPN

    Hello!

    In my test lab I cannot get my WebVPN configuration to work.

    I have several components: MS AD, MS CS (but without NDES), a 2911 router and a client computer. Client and router each have a certificate from MS CS. In my setup I use certificate or AAA (LDAP) authentication, and AAA authentication works fine. But client certificate authentication does not work. And my internal https services do not work either -- "no certificate or invalid", which is strange because I imported the CA certificate for that.

    Can you help me get it working?

    My 2911 version:

    Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)

    My Config:

    aaa authentication login webvpn group ldap local
    ip local pool webvpn 192.168.200.1 192.168.200.254
    bind authenticate root-dn cn=webvpn,ou=team,dc=domain,dc=com password [email protected]
    webvpn gateway vpn
     ip address port 4443
     ssl trustpoint root-ca
     inservice
    !
    webvpn install svc flash0:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 1
    !
    webvpn context employee
     ssl authenticate verify all
     !
     login-message "Portal VPN"
     !
     policy group peche1
       url-list "inside"
       functions svc-enabled
       filter tunnel VPN_SPLIT
       svc address-pool "webvpn" netmask 255.255.255.0
       svc default-domain "domain.com"
       svc keep-client-installed
       svc split dns "domain.com"
       svc split include 192.168.0.0 255.255.0.0
       svc dns-server primary 192.168.1.1
       svc dns-server secondary 192.168.1.2
       citrix enabled
     virtual-template 1
     default-group-policy peche1
     aaa authentication list webvpn
     gateway vpn
     authentication certificate
     username-prefill
     ca trustpoint root-ca
     user-profile location flash0:/userprof
     inservice
    !
    crypto pki trustpoint root-ca
     enrollment terminal
     revocation-check none
     rsakeypair root-ca
    !

    I imported the CA certificate with PKCS#12.

    My debug (this happened when I tried to access my WebVPN portal and chose my MS CS certificate for access):

    Jun 5 11:22:39: WV: validated_tp: cert_username: matched_ctx:
    Jun 5 11:22:39: WV: could not get opssl appinfo sslvpn
    Jun 5 11:22:39: WV: could not get opssl appinfo sslvpn
    Jun 5 11:22:39: WV: error: no certificate validated for the client

    Can someone explain to me why it does not work?

    Resolved by updating IOS to version 15.2(4)M2.

    Regards

  • Disabling push client AnyConnect

    Hello

    We DO NOT want the AnyConnect client pushed automatically. Can someone help me with how to disable this feature?

    Thank you

    Dave

    In the group policy you can configure AnyConnect to ask for confirmation before it downloads automatically, or you can set the default to be redirected to the web portal only and not download the AnyConnect client at all.

    Command under the group policy:

    anyconnect ask none default webvpn

    --> means it will neither download nor ask the user to download, and by default the user gets the WebVPN SSL portal.

    Here is the command for your reference:

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/A2.html#wp1743347

    I hope this helps.

  • WebVPN does not work on the ports (https or http) with IOS 12.4(24)T5

    I have an 877 router with IOS 12.4(24)T5

    My problem is when I try to connect to https (or http) from outside to open the web portal and connect using WebVPN (SSL VPN)

    It never answers!

    From inside the LAN I can connect to the public IP address, and there I can open the WebVPN portal, download AnyConnect and establish the SSL VPN.

    I can connect to my local network using the Cisco VPN Client from outside, and I have a site-to-site VPN that also works.

    This is my config (without data):

    ---------------------------------------------------------------------------------------------

    877_Feria#
    877_Feria#show run
    Building configuration...

    Current configuration : 7756 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname 877_Feria
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 52000
    !
    aaa new-model
    !
    !
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    !
    !
    aaa session-id common
    clock timezone Paris 1
    clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
    !
    crypto pki trustpoint SSL
     enrollment selfsigned
     fqdn none
     subject-name CN=vpnferia
     revocation-check crl
     rsakeypair SSL_FERIA
    !
    !
    crypto pki certificate chain SSL
     certificate self-signed 03

      [self-signed certificate hex dump omitted]

      quit
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 10.10.10.1
    !
    ip dhcp pool ccp-pool
     import all
     network 10.10.10.0 255.255.255.248
     default-router 10.10.10.1
     lease 2 0
    !
    !
    ip cef
    ip domain name feria.net
    ip name-server 192.168.254.3
    !
    !
    !
    !
    username user1 privilege 15 secret 5 $1$zMca$0AkwxrsfBY63XPUHxv31N0
    username userVPN secret 5 $1$8iKr$8WV5IhFUmI671.XGp3Gb11
    username userWebVPN secret 5 $1$3HPK$tvFjfrQd86iAoHGsa5Uu01
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key interkey address 8.2.24.3
    !
    crypto isakmp client configuration group CiscoVPN
     key 123456
     pool ippool
     max-users 10
     netmask 255.255.255.0
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group CiscoVPN
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       virtual-template 2
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-3DES-SHA1
     set isakmp-profile ciscocp-ike-profile-1
    !
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to8.2.24.3
     set peer 8.2.24.3
     set transform-set ESP-3DES-SHA
     match address 101
    !
    archive
     log config
      hidekeys
    !
    !
    ip ssh source-interface Vlan1
    !
    !
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     hold-queue 224 in
    !
    interface ATM0.1 point-to-point
     ip address 8.3.8.6 255.255.255.240
     ip nat outside
     ip virtual-reassembly
     pvc 8/32
      encapsulation aal5snap
     !
     crypto map SDM_CMAP_1
     crypto ipsec df-bit clear
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Virtual-Template1
     ip unnumbered ATM0.1
    !
    interface Virtual-Template2 type tunnel
     ip unnumbered ATM0.1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CiscoCP_Profile1
    !
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
     ip address 192.168.254.240 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
    !
    ip local pool ippool 192.168.253.1 192.168.253.10
    no ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
    !
    access-list 1 permit 192.168.254.0 0.0.0.255 log
    access-list 2 permit any
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 100 remark CCP_ACL Category=19
    access-list 100 remark IPSec Rule
    access-list 100 deny   ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 100 permit ip any any
    access-list 101 remark CCP_ACL Category=4
    access-list 101 remark IPSec Rule
    access-list 101 permit ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.0.255
    !
    !
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 100
    !
    !
    control-plane
    !
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     access-class 100 in
     privilege level 15
     login authentication AutClient
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    !
    webvpn gateway gateway_1
     hostname 877_Feria
     ip address 8.3.8.6 port 443
     http-redirect port 80
     ssl trustpoint SSL
     inservice
    !
    webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.2017-k9.pkg sequence 1
    !
    webvpn context VPN-Feria
     secondary-color white
     title-color #FF9900
     text-color black
     ssl authenticate verify all
     !
     !
     policy group policy_1
       functions svc-enabled
       svc address-pool "ippool"
       svc keep-client-installed
     virtual-template 1
     default-group-policy policy_1
     aaa authentication list ciscocp_vpn_xauth_ml_2
     gateway gateway_1 domain vpnferia
     max-users 10
     inservice
    !
    end

    ---------------------------------------------------------------------------------------------

    What could be missing?

    Thank you all!

    Try adding a NAT statement for the outside.

    ip nat inside source static tcp 8.3.8.6 443 8.3.8.6 443

    assuming that 8.3.8.6 is your public IP address.

    -Brian

  • Cannot access within LAN of Cisco Anyconnect

    I'm new to the firewall and am trying to get my AnyConnect test configuration to reach addresses within my local network. The AnyConnect client connects easily, I can get to Internet addresses, and packet-tracer tells me it fails at phase 6, svc-webvpn. Can someone look over my config? I'm sure I'm missing something pretty obvious. The config is pasted below:

    !
    interface Ethernet0/0
     description <uplink to ISP>
     switchport access vlan 20
    !
    interface Ethernet0/1
     description <inside>
     switchport access vlan 10
     speed 100
     duplex full
    !
    interface Ethernet0/2
     description <home switch>
     switchport access vlan 10
    !
    interface Ethernet0/3
     switchport access vlan 10
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     shutdown
    !
    interface Vlan10
     nameif inside
     security-level 100
     ip address 192.168.1.99 255.255.255.0
    !
    interface Vlan20
     nameif OUTSIDE
     security-level 0
     dhcp client update dns
     ip address dhcp setroute
    !
    interface Vlan30
     no nameif
     no security-level
     no ip address
    !
    banner motd
    banner motd +...+
    banner motd |                                                        |
    banner motd |     *  Any unauthorized use or access prohibited  *    |
    banner motd |                                                        |
    banner motd | For the exclusive use of authorized personnel.         |
    banner motd | You must have explicit permission to access or         |
    banner motd | configure this device. All activities performed        |
    banner motd | on this device may be logged, and violations of        |
    banner motd | this policy may result in disciplinary action, and     |
    banner motd | may be reported to law enforcement authorities.        |
    banner motd |                                                        |
    banner motd | There is no right to privacy on this device.           |
    banner motd |                                                        |
    banner motd +...+
    banner motd
    boot system disk0:/asa824-k8
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    same-security-traffic permit intra-interface
    object-group icmp-type DEFAULT_ICMP
     description <default icmp types permit>
     icmp-object echo-reply
     icmp-object unreachable
     icmp-object time-exceeded
    object-group network obj-AnyConnect
     network-object host 192.168.7.20
     network-object host 192.168.7.21
     network-object host 192.168.7.22
     network-object host 192.168.7.23
     network-object host 192.168.7.24
     network-object host 192.168.7.25
    access-list 101 extended permit icmp any any
    !
    access-list ACL_OUTSIDE remark <anyconnect permit>
    access-list ACL_OUTSIDE extended permit tcp any any eq https
    access-list ACL_OUTSIDE extended permit icmp any any object-group DEFAULT_ICMP
    !
    access-list VPN_NAT extended permit ip host 192.168.7.20 any
    access-list VPN_NAT extended permit ip host 192.168.7.21 any
    access-list VPN_NAT extended permit ip host 192.168.7.22 any
    access-list VPN_NAT extended permit ip host 192.168.7.23 any
    access-list VPN_NAT extended permit ip host 192.168.7.24 any
    access-list VPN_NAT extended permit ip host 192.168.7.25 any
    access-list sheep extended permit ip object-group obj-AnyConnect 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffered informational
    logging trap informational
    logging asdm errors
    mtu inside 1500
    mtu OUTSIDE 1500
    ip local pool AnyconnectPool 192.168.7.20-192.168.7.25 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (OUTSIDE) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (OUTSIDE) 1 access-list VPN_NAT
    access-group ACL_OUTSIDE in interface OUTSIDE
    !
    router rip
     network 192.168.1.0
     passive-interface OUTSIDE
     version 2
    !
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection tcpmss 1200
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4688000
    crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
    crypto map outside_map interface OUTSIDE
    !
    crypto isakmp identity hostname
    crypto isakmp enable OUTSIDE
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    vpn-addr-assign local reuse-delay 120
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcp-client broadcast-flag
    dhcpd dns x.x.x.x
    dhcpd lease 43200
    dhcpd ping_timeout 2000
    dhcpd auto_config OUTSIDE
    !
    dhcpd address 192.168.1.150-192.168.1.180 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 216.229.0.179
    ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-sha1
    ssl trust-point localtrust OUTSIDE
    webvpn
     enable OUTSIDE
     anyconnect-essentials
     svc image disk0:/anyconnect-win-4.2.01035-k9.pkg 1
     svc image disk0:/anyconnect-linux-64-4.2.01035-k9.pkg 2
     svc image disk0:/anyconnect-macosx-i386-4.2.01035-k9.pkg 3
     svc enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    group-policy Anyconnect internal
    group-policy Anyconnect attributes
     dns-server value x.x.x.x
     vpn-tunnel-protocol svc
     address-pools value AnyconnectPool
    tunnel-group remotevpn type remote-access
    tunnel-group Anyconnect type remote-access
    tunnel-group Anyconnect general-attributes
     default-group-policy Anyconnect
    tunnel-group Anyconnect webvpn-attributes
     group-alias MY_RA enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    auto-update poll-period 30 3 1
    auto-update timeout 1
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end

    Hello

    You are missing a NAT exemption for the AnyConnect traffic that would allow you to access the inside network.

    access-list sheep permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
    nat (inside) 0 access-list sheep

    Add these two lines to the config and you should be able to access the inside network.

    Kind regards

    Aditya

    Please rate the useful posts and mark the correct answers.
