Cisco ASA and AnyConnect VPN certificate error
Hello
I am trying to configure Cisco AnyConnect VPN and everything works, but I get this warning message when the connection is opened:
I don't have public certificate in ASA. Is it possible to use the self-signed certificate and get rid of this warning message?
Hello
This is expected behavior on the SAA for an SSL connection. You can certainly use the certificate self-signed on the SAA and then apply it on the external interface.
Once done, you will need to install this certificate on the clients and this will alleviate the popup error message.
Here is a document that you can refer to create a self-signed certificate.
https://supportforums.Cisco.com/document/44116/ASA-self-signed-certificate-WebVPN
Kind regards
Dinesh Moudgil
PS Please note the useful messages.
Tags: Cisco Security
Similar Questions
-
Cisco ASA and dynamic VPN L2L Fortigate configuration
I met a problem recently with an ASA 5510 (7.0) and a bunch of Fortigate 50 (3.0 MR7). The ASA is the hub and Fortigates are rays with a dynamic public IP.
I followed this document on the site Web of Cisco (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml) to set up my ASA and the parameters passed to my counterparts to set up their Fortigates.
However, the ASA journal reveals that attemtps Fortigate connection always tried with DefaultRAGroup before falling back to DefaultL2LGroup and finally died. Experience with putting in place a dynamic VPN between Cisco and Fortigate someone? Which could not fail at each end? Here's a typical piece of error log ASA. The ASA is currently having a static VPN tunnel and a site-2-client VPN in two groups by default.
6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:41 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:41 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
4. January 10, 2011 20:58:39 | 713903: Group = DefaultL2LGroup, IP = 116.230.243.205, ERROR, had decrypt packets, probably due to problems not match pre-shared key. Abandonment
5. January 10, 2011 20:58:39 | 713904: Group = DefaultL2LGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
6. January 10, 2011 20:58:39 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, WARNING, had decrypt packets, probably due to problems not match pre-shared key. User switching to the tunnel-group: DefaultL2LGroup
5. January 10, 2011 20:58:39 | 713904: Group = DefaultRAGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
4. January 10, 2011 20:58:33 | 713903: Group = DefaultRAGroup, IP = 116.230.243.205, error: cannot delete PeerTblEntry
3. January 10, 2011 20:58:33 | 713902: Group = DefaultRAGroup, IP = 116.230.243.205, Removing peer to peer table has no, no match!
6. January 10, 2011 20:58:33 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:33 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:25 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:25 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:21 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:21 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
5. January 10, 2011 20:58:19 | 713904: IP = 116.230.243.205, encrypted packet received with any HIS correspondent, dropYes, sounds about right. He will try to match with the DefaultRAGroup first, and when you know that it's a dynamic IPSec in LAN-to-LAN, it will be
then back to the DefaultL2LGroup, because he doesn't know if the VPN Client or L2L again when he is contacted fist as they are connecting from dynamic IP peer.
You must ensure that your L2L tunnel-group by default has been configured with the corresponding pre-shared key.
Assuming that you have configured the dynamic map and assign to the card encryption.
Here is an example of configuration where ASA has a static and peripheral ip address pair has dynamic IP:
Hope that helps.
-
The traffic load between the power of Cisco ASA and FireSight Management Center fire
Hi all
I have a stupid question to ask.
Can I know what is the traffic load and the e/s flow between firepower Cisco ASA and FireSight Management Center?
Currently working on a project, client require such information to adapt to their network. Tried to find in the document from Cisco, but no luck.
Maybe you all have no idea to provide.
It varies depending on the number of events reported from the module to the CSP. No event = only health controls and policy changes are exchanged. 10,000 events per second = much more traffic.
Generally it is not a heavy load, however.
-
Configure to integrate Cisco ASA and JOINT
Hello
We have Cisco ASA and JOINT, need assistance on the integration of the same thing; Please email me so that I'll share the details of the architecture.
Thank you best regards &,.
REDA
Hi reda,.
If I correctly your diagram, you do not want to send any traffic from the external switch to the JOINT with a SPAN port and all traffic from your DMZ interfaces with another.
Is this correct?
If so, can you tell me why you want to inspect the traffic before it goes through the firewall? As I said in my original answer, we generally advise putting IP addresses after the firewall.
Not to mention that in your case, I guess that some traffic will be inspected twice so you will need to assign a different virtual sensors to each JOINT internal interfaces to ensure that the same instance does not see the traffic of several times.
Kind regards
Nicolas
-
IPSec vpn cisco asa and acs 5.1
We have configured authentication ipsec vpn cisco asa acs 5.1:
Here is the config in cisco vpn 5580:
standard access list acltest allow 10.10.30.0 255.255.255.0
RADIUS protocol AAA-server Gserver
AAA-server host 10.1.8.10 Gserver (inside)
Cisco key
AAA-server host 10.1.8.11 Gserver (inside)
Cisco key
internal group gpTest strategy
gpTest group policy attributes
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list acltest
type tunnel-group test remote access
tunnel-group test general attributes
address localpool pool
Group Policy - by default-gpTest
authentication-server-group LOCAL Gserver
authorization-server-group Gserver
accounting-server-group Gserver
IPSec-attributes of tunnel-group test
pre-shared-key cisco123
GBA, we config user group: VPN users. all VPN users in this group. ACS can visit his political profile: If the user in the 'VPN users' group, access ACS.
When we connect from a VPN Client to the server, all users connect to success. When you see the parser in ACS journal, each user success connect also get
error:
22040 wrong password or invalid shared secret
(pls see picture to attach it)
the system still works, but I don't know why, we get the error log.
Thanks for any help you can provide!
Duyen
Hello Duyen,
I think I've narrowed the issue. When remote access VPN using RADIUS authentication we must keep in mind that authentication and authorization are included on the same package.
Depending on your configuration, the ACS is defined as a server RADIUS (Gserver Protocol radius aaa server) and becomes the VPN Tunnel authenticated and 'authorized' on this server group:
authentication-server-group LOCAL Gserver
authorization-server-group Gserver
As noted above, the RADIUS of request/response includes authentication and authorization on the same package. This seems to be a problem of incorrect configuration that we should not set up the 'permission' in the Tunnel of the group.
Please remove the authorization under the Tunnel of Group:
No authorization-server-group Gserver
Please test the connection again and check the logs of the ACS. At this point there are only sucessful newspaper reported on the side of the ACS.
Is 'Permission-server-group' LDAP permission when authenticating to a LDAP server so to retrieve the attributes of permission on the server. RAY doesn't have the command as explained above.
I hope this helps.
Kind regards.
-
MAC and PC can reach the same an ASA for Anyconnect VPN?
Hi, we have MAC and PC users. We configure the Anyconnect VPN in an ASA. But two users need two image of sorts. We must therefore use the two commands:
AnyConnect image disk0: / anyconnect -win- 3.1.04066 - k9.pkg
AnyConnect image disk0: / anyconnect -macosx- i386 - 2.5.2014 - k9.pkg.
This is what two commands cannot coexist in an ASA. How to solve the problem? I hope your suggestion. Thank you
They can co-exist, but you must add different sequence numbers at the end of each command.
-
ASA checks AnyConnect VPN computer name
Hi all
I have searched the Forum and documentation, but have not found a solution to my problem. I'm guessing it happens sometimes, but maybe I'm looking for the wrong thing. We AnyConnect deployed across our cell phones, but have trouble with employees who do get the software from other sources AnyConnect and install on personal computers. We are an agency, although relatively small, but we have policies in place and I need to lock for users unable to connect to the VPN unless you're a book PC connected to our AD domain. I found a possible solution is to use dynamic access within the ASA policies to check the Windows computer name. So I set up LDAP and has created a policy to check an AAA attribute. It lets me select "MemberOf", which I assume it is the Group of users, but I need to check the name of the computer on the client before allowing access.
Step by step of what I did, does anyone know of a more logical or easier way to lock on what AnyConnect VPN client computers can be used?
Or if I go about this common sense with dynamic access policies, anyone have any suggestions or knowledge of documentation that helps to configure things properly when you check the computer name LDAP attribute?
Thank you!
JD
Hey Joe,
You do not need LDAP to do this, what you need is CSD (Cisco Secure Desktop) combined with DAP.
Once you enable SSC, edit your DAP strategy and instead of an IPN to attribute you to try, add an attribute of endpoint (on the right hand side).
To verify the host name, select the type of the attribute "peripheral".
Alternatively, you can also activate the sweep of host (under Contract) and let the CSD to check the presence of a file with a certain file name, or a registry entry or a process name. CSD passes the result of this verification to the PAD, so you can use it in a policy (attributes of endpoint of type process, registry and files).
Another alternative is to use the CSD with a policy before opening session - that you cannot check the host name, but it does not have control over the IP, OS type, certificate as well as the presence of a process, the registry key, the file. In this case you need not to DAP.
HTH
Herbert
-
Hello!
I have a 5515 ASA with the configuration below. I have configure the ASA as remote access with anyconnect VPN server, now my problem is that I can connect but I can not ping.
ASA Version 9.1 (1)
!
ASA host name
domain xxx.xx
names of
local pool VPN_CLIENT_POOL 192.168.12.1 - 192.168.12.254 255.255.255.0 IP mask
!
interface GigabitEthernet0/0
nameif inside
security-level 100
192.168.11.1 IP address 255.255.255.0
!
interface GigabitEthernet0/1
Description Interface_to_VPN
nameif outside
security-level 0
IP 111.222.333.444 255.255.255.240
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 100
192.168.5.1 IP address 255.255.255.0
!
passive FTP mode
DNS server-group DefaultDNS
www.ww domain name
permit same-security-traffic intra-interface
the object of the LAN network
subnet 192.168.11.0 255.255.255.0
LAN description
network of the SSLVPN_POOL object
255.255.255.0 subnet 192.168.12.0
VPN_CLIENT_ACL list standard access allowed 192.168.11.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
management of MTU 1500
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 711.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (exterior, Interior) static source SSLVPN_POOL SSLVPN_POOL static destination LAN LAN
Route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
WebVPN
list of URLS no
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication http LOCAL console
LOCAL AAA authorization exec
Enable http server
http 192.168.5.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec pmtu aging infinite - the security association
Crypto ca trustpoint ASDM_TrustPoint5
Terminal registration
E-mail [email protected] / * /
name of the object CN = ASA
address-IP 111.222.333.444
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint6
Terminal registration
domain name full vpn.domain.com
E-mail [email protected] / * /
name of the object CN = vpn.domain.com
address-IP 111.222.333.444
pair of keys sslvpn
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_TrustPoint6 certificates
Telnet timeout 5
SSH 192.168.11.0 255.255.255.0 inside
SSH timeout 30
Console timeout 0
No ipv6-vpn-addr-assign aaa
no local ipv6-vpn-addr-assign
192.168.5.2 management - dhcpd addresses 192.168.5.254
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL-trust outside ASDM_TrustPoint6 point
WebVPN
allow outside
CSD image disk0:/csd_3.5.2008-k9.pkg
AnyConnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
AnyConnect enable
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
internal VPN_CLIENT_POLICY group policy
VPN_CLIENT_POLICY group policy attributes
WINS server no
value of server DNS 192.168.11.198
VPN - 5 concurrent connections
VPN-session-timeout 480
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_CLIENT_ACL
myComp.local value by default-field
the address value VPN_CLIENT_POOL pools
WebVPN
activate AnyConnect ssl dtls
AnyConnect Dungeon-Installer installed
AnyConnect ssl keepalive 20
time to generate a new key 30 AnyConnect ssl
AnyConnect ssl generate a new method ssl key
AnyConnect client of dpd-interval 30
dpd-interval gateway AnyConnect 30
AnyConnect dtls lzs compression
AnyConnect modules value vpngina
value of customization DfltCustomization
internal IT_POLICY group policy
IT_POLICY group policy attributes
WINS server no
value of server DNS 192.168.11.198
VPN - connections 3
VPN-session-timeout 120
Protocol-tunnel-VPN-client ssl clientless ssl
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_CLIENT_ACL
field default value societe.com
the address value VPN_CLIENT_POOL pools
WebVPN
activate AnyConnect ssl dtls
AnyConnect Dungeon-Installer installed
AnyConnect ssl keepalive 20
AnyConnect dtls lzs compression
value of customization DfltCustomization
username vpnuser password PA$ encrypted $WORD
vpnuser username attributes
VPN-group-policy VPN_CLIENT_POLICY
type of remote access service
Username vpnuser2 password PA$ encrypted $W
username vpnuser2 attributes
type of remote access service
username admin password ADMINPA$ $ encrypted privilege 15
VPN Tunnel-group type remote access
General-attributes of VPN Tunnel-group
address VPN_CLIENT_POOL pool
Group Policy - by default-VPN_CLIENT_POLICY
VPN Tunnel-group webvpn-attributes
the aaa authentication certificate
enable VPN_to_R group-alias
type tunnel-group IT_PROFILE remote access
attributes global-tunnel-group IT_PROFILE
address VPN_CLIENT_POOL pool
Group Policy - by default-IT_POLICY
tunnel-group IT_PROFILE webvpn-attributes
the aaa authentication certificate
enable IT Group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
: end
Help me please! Thank you!
Hello
Please set ACLs to allow ICMP between these two subnets (192.168.11.0 and 192.168.12.0) and check. It should ping. Let me know if it does not work.
Thank you
swap
-
SSH for indoor or outdoor IP de ASA over anyconnect vpn
Hello world
I have ssl anyconnect vpn for my lab at home.
When I connect via anyconnect SSL I am unable to ssh to ASA inside and outside IP is this default behavior?
I have access to administration config inside configured on the SAA.
VPN IP 10.10.10.10 pool
SSH 10.10.10.0 255.255.255.0 outside
Concerning
Mahesh
Try adding a line like:
nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside no-proxy-arp
-
IKE Dead Peer Detection between Cisco ASA and Cisco PIX
I have a network environment in Star with about 30 offices of satellite remote using VPN Site to Site connectivity. The majority of remote satellite offices have the features of Cisco PIX 501 running PIX Version 6.3. The hub office runs a version 8.2 (1) Cisco ASA.
I configured Dead Peer Detection on the Cisco ASA device at the office hub with the default settings of the following-
Confidence interval - 10 seconds
Retry interval - 2 seconds
I think I'm right assuming that raises are limited to 3 before the tunnel is completely demolished. Basically, the problem that I am facing is with several remote satellite offices. What seems to be the case, the tunnel between the remote offices and the hub is demolished (probably because of the length of IKE, always 86400 seconds) and the tunnel then fails to renegotiate unless traffic is physically forced from the hub office. The tunnel NOT to renegotiate after satellite office, ONLY the end of the hub; so that means sending traffic to the satellite when the VPN tunnel is out of service, not to renegotiate the tunnel. The Hub office is a colo and therefore traffic rarely comes to that end, the tunnel remains so down until manual intervention occurs and the ICMP traffic is forced into the tunnel.
Should the KeepAlive and retry interval settings corresponds to both ends, for example if the two devices be configured for DPD?
What are the potential pitfalls to the extension of the life of IKE, and this will help or even hinder the problem?
Thank you in advance for helping out with this.
Hi Nicolas,.
I think that the two DPD settings must match on both ends, if these do not match then problems like yours might arise which seems to happen here, is that one end shows a tunnel down, but the other end may not detect it down, we could have to watch debugs, or record two ends to see if this is the case , setting in the meantime ike DPD for same timers could hetlp on.
In regard to the increase in the life expectancy of IKE, well you just need to be aware that this could allow keys to be discovered since these are not renegotiated unless the tunnel is down on the level of IKE. Other than that I don't see why this would affect you.
-
AnyConnect VPN - certificate expired error Java
Hello
Since April 4, 2015, Java has been blocking the process of installing AnyConnect via web-deployment (see screenshot). It indicates there is a certificate expired with these details:
Issuer CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US Validity [From: Wed Jan 02 19:00:00 EST 2013, To: Sat Apr 04 19:59:59 EDT 2015] <----------------------------- Subject CN="Cisco Systems, Inc.", <----------------------------- OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Cisco Systems, Inc.", L=Boxborough, ST=Massachusetts, C=US
This certificate is not detected at the entry "show crypto ca cert" on the SAA - it is NOT our certificate, as it is given to "Cisco Systems, Inc.", and he has clearly exceeded.
We manage the Software ASA 9.1.6 and this behavior happens (at least) the past three versions of Java.
Does anyone else have this problem? Is there something that can be done (server side) to solve this problem?
Thanks in advance...
Hi mknaebelcu
The problem has to do with the AnyConnect Client deployed and not with any certificate on the SAA.
See bug CSCut80840
https://Tools.Cisco.com/bugsearch/bug/CSCut80840/?reffering_site=dumpcr
Should contribute to an upgrade to 3.1.8009 or 4.0.2052
-
SSL VPN from Cisco ASA and ACS 5.1 change password
Dear Sir.
I am tring configure ASA to change the local password on ACS 5.1. When the user access with ssl vpn if the ACS 5.1 password expiration date. ASA will display the dialog box or window popup to change the password. But it does not work. I'm tring to Setup with the functionality of password management on the SAA. When I enable password management it will not work and is unable to change the password. Could you tell me about this problem?
Thank you
Aphichat
Dear Sir,
I'm tring to setup ASA to change local password on ACS 5.1. When user access with ssl vpn if password on ACS 5.1 expire. ASA will show dialog box or pop-up to change password. But It don't work. I'm tring to setup with password management feature on ASA . When I enable password management it don't work and can't to change password. Could you advise me about this problem?
Thank you
Aphichat
Hi Aphichat,
Go to the password link below change promt via AEC in ASA: -.
https://supportforums.Cisco.com/docs/doc-1328;JSESSIONID=A51E68318579261787BD60DDA0707819. Node0
Hope to help!
Ganesh.H
Don't forget to note the useful message
-
IPSec VPN between Cisco ASA and Fortigate1000
Hello
I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000...
the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG...
The question is: How do I configure the interface on the SAA ACCORD?
Thanks in advance, Experts...
Kind regards...
ASA firewall does not support the interface/GRE GRE tunnel.
If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS.
If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml
Hope that helps.
-
ASA 5512 Anyconnect VPN cannot connect inside the network 9.1 x
Hello
I'm new to ASA, can I please help with this. I managed to connect to the vpn through the mobility cisco anyconnect client, but I am unable to connect to the Internet. the allocated ip address was 172.16.1.60 and it seems OK, I thought my acl and nat is configured to allow and translate the given vpn ip pool but I'm not able to ping anything on the inside.
If anyone can share some light... There's got to be something escapes me...
Here's my sh run
Thank you
Raul
-------------------------------------------------------------------------------
DLSYD - ASA # sh run
: Saved
:
ASA 9.1 Version 2
!
hostname DLSYD - ASA
domain delo.local
activate the encrypted password of UszxwHyGcg.e6o4z
names of
mask 172.16.1.60 - 172.16.1.70 255.255.255.0 IP local pool DLVPN_Pool
!
interface GigabitEthernet0/0
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/1
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/2
Post description
10 speed
full duplex
nameif Ext
security-level 0
IP 125.255.160.54 255.255.255.252
!
interface GigabitEthernet0/3
Description Int
10 speed
full duplex
nameif Int
security-level 100
IP 192.168.255.2 255.255.255.252
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
boot system Disk0: / asa912-smp - k8.bin
passive FTP mode
clock timezone IS 10
clock daylight saving time EDT recurring last Sun Oct 02:00 last Sun Mar 03:00
DNS lookup field inside
DNS domain-lookup Int
DNS server-group DefaultDNS
192.168.1.90 server name
192.168.1.202 server name
domain delo.local
permit same-security-traffic intra-interface
network dlau40 object
Home 192.168.1.209
network dlausyd02 object
host 192.168.1.202
network of the object 192.168.1.42
host 192.168.1.42
dlau-utm network object
host 192.168.1.50
network dlauxa6 object
Home 192.168.1.62
network of the 192.168.1.93 object
host 192.168.1.93
network dlau-ftp01 object
Home 192.168.1.112
dlau-dlau-ftp01 network object
network dlvpn_network object
subnet 172.16.1.0 255.255.255.0
the object-group Good-ICMP ICMP-type
echo ICMP-object
response to echo ICMP-object
ICMP-object has exceeded the time
Object-ICMP traceroute
ICMP-unreachable object
DLVPN_STAcl list standard access allowed 192.168.0.0 255.255.0.0
Standard access list DLVPN_STAcl allow 196.1.1.0 255.255.255.0
DLVPN_STAcl list standard access allowed 126.0.0.0 255.255.0.0
Ext_access_in access list extended icmp permitted any object-group Good-ICMP
Ext_access_in list extended access permitted tcp dlau-ftp01 eq ftp objects
Ext_access_in list extended access permit tcp any object dlausyd02 eq https
Ext_access_in list extended access permit tcp any object dlau-utm eq smtp
Ext_access_in list extended access permit tcp any object dlauxa6 eq 444
Ext_access_in access-list extended permitted ip object annete-home everything
pager lines 24
Enable logging
asdm of logging of information
MTU 1500 Ext
MTU 1500 Int
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 713.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (Int, Ext) static source any any destination static dlvpn_network dlvpn_network non-proxy-arp
!
network dlausyd02 object
NAT (Int, Ext) interface static tcp https https service
dlau-utm network object
NAT (Int, Ext) interface static tcp smtp smtp service
network dlauxa6 object
NAT (Int, Ext) interface static tcp 444 444 service
network dlau-ftp01 object
NAT (Int, Ext) interface static tcp ftp ftp service
Access-group Ext_access_in in Ext interface
Route Ext 0.0.0.0 0.0.0.0 125.255.160.53 1
Route Int 192.168.0.0 255.255.0.0 192.168.255.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication enable LOCAL console
AAA authentication LOCAL telnet console
AAA authentication http LOCAL console
LOCAL AAA authentication serial console
the ssh LOCAL console AAA authentication
http server enable 44310
http server idle-timeout 30
http 192.168.0.0 255.255.0.0 Int
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec pmtu aging infinite - the security association
trustpool crypto ca policy
Telnet 192.168.1.0 255.255.255.0 management
Telnet timeout 30
SSH 192.168.0.0 255.255.0.0 Int
SSH timeout 30
SSH group dh-Group1-sha1 key exchange
Console timeout 0
No ipv6-vpn-addr-assign aaa
no local ipv6-vpn-addr-assign
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 61.8.0.89 prefer external source
SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
WebVPN
port 44320
allow outside
Select Ext
AnyConnect essentials
AnyConnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
AnyConnect enable
tunnel-group-list activate
internal GroupPolicy_DLVPN group strategy
attributes of Group Policy GroupPolicy_DLVPN
WINS server no
value of server DNS 192.168.1.90 192.168.1.202
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list DLVPN_STAcl
delonghi.local value by default-field
WebVPN
AnyConnect Dungeon-Installer installed
time to generate a new key 30 AnyConnect ssl
AnyConnect ssl generate a new method ssl key
AnyConnect ask flawless anyconnect
encrypted vendor_ipfx pb6/6ZHhaPgDKSHn password username
vendor_pacnet mIHuYi1jcf9OqVN9 encrypted password username
username admin password encrypted tFU2y7Uo15ahFyt4
type tunnel-group DLVPN remote access
attributes global-tunnel-group DLVPN
address pool DLVPN_Pool
Group Policy - by default-GroupPolicy_DLVPN
tunnel-group DLVPN webvpn-attributes
enable DLVPN group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the netbios
Review the ip options
inspect the ftp
inspect the tftp
!
global service-policy global_policy
SMTPS
Server 192.168.1.50
Group Policy - by default-DfltGrpPolicy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:67aa840d5cfff989bc045172b2d06212
: end
DLSYD - ASA #.Hello
Add just to be sure, the following configurations related to ICMP traffic
Policy-map global_policy
class inspection_default
inspect the icmp
inspect the icmp errorYour NAT0 configurations for traffic between LAN and VPN users seem to. Your Split Tunnel ACL seems fine too because it has included 192.168.0.0/16. I don't know what are the other.
I wonder if this is a test installation since you don't seem to have a dynamic PAT configured for your local network at all. Just a few static PAT and the NAT0 for VPN configurations. If it is a test configuration yet then confirmed that the device behind the ASA in the internal network has a default route pointing to the ASAs interface and if so is it properly configured?
Can you same ICMP the directly behind the ASA which is the gateway to LANs?
If you want to try ICMP interface internal to the VPN ASA then you can add this command and then try ICMP to the internal interface of the ASA
Int Management-access
As the post is a little confusing in the sense that the subject talk on the traffic doesn't work not internal to the network, while the message mentions the traffic to the Internet? I guess you meant only traffic to the local network because you use Split Tunnel VPN, which means that Internet traffic should use the VPN local Internet users while traffic to the networks specified in the ACL Tunnel Split list should be sent to the VPN.
-Jouni
-
Only IPSEC AnyConnect VPN certificate authentication
How can I activate "authentication certificate only" for AnyConnect IPSec IKEv2 VPN connections, so that users do not have to enter the user name and password.
Basically, deploy the CA, and then deploy the VPN.
This example uses the Microsoft CA, but you can use the built in place.
https://supportforums.Cisco.com/blog/152941/AnyConnect-certificate-based-authentication
Maybe you are looking for
-
G62-34OUS: reset the bios password Code: 76280850
I get a msg instantly sayingenter psw or psw administrator on my code is: 76280850 plse help
-
Question mark in my battery bar?
Help, please! Last night, a question mark (?) appeared in my player battery life bar. It is not showing my battery life and when I had it plugged to charge that she showed, he was in charge, but I guess it's because he's not dead. I read through the
-
HP Photosmart 7515 photo printing paper is no good
Fine, I can print a color picture on plain paper. When I print the same photo on glossy photo paper black clothes all look green. My print quality diagnostic report shows NO problem. This happens for two 4 X 6 and 8 1/2 X 11 paper.
-
Hello I wonder why I can't send or receive mail. Just happened a few days ago. This error message appears: Account: 'mail2.eircom.net', server: 'mail2.eircom.net', Protocol: POP3, server response: '-ERR failed authorization ', Port: 110, secure (SSL)
-
suddenly, my memory card reader does, no idea why?
Suddenly, my memory card reader no longer works, any ideas on why it has stopped working?