Cisco ASA AnyConnect SSL VPN - certificates + token?

Hello

I'm looking for an answer is it possible such configuration:

The Cisco AnyConnect SSL VPN service with two-factor - first method is the Microsoft CA certificate local and second method - a token solution Symantec VIP password?

I don't know if two-factor authentication is user/password from Active Directory + OTP by Symantec VIP there is no problem, because you can send the user + pass with Radius, but with certificates I do not really understand who will check the validity of the certificate, which certificate, we will send you to the RADIUS for the validation server and how the configuration of the point of view of ASA will look like.

Thank you very much for the help!

Hi Alex,

I don't see a problem with having certificate + token to connect to the VPN. Certificate authentication must be performed on the SAA, see an example below:

https://supportforums.Cisco.com/blog/152941/AnyConnect-certificate-based-authentication

Authentication token can be specified as primary/secondary (authentication SDI) on the SAA, an example below:

http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/anyconnect31/Administration/Guide/anyconnectadmin31/ac11authenticate.html#pgfId-1060345

It may be useful

-Randy-

Tags: Cisco Security

Similar Questions

Cisco AnyConnect SSL VPN

Hi guys,.

I am currently ut setting for the first time on a Cisco ASA 5505 Cisco AnyConnect SSL VPN.

I enclose my topology.

I ran the wizard of the ASDM on the ASA2 I want to use for my VPN connections.

Everything works fine except that I can't access any internal computer servers on my network.

I do a specific configuration because my servers have a different default gateway of the ASA that I use for my VPN?

I have since the ASA2 the 192.168.10.0 network.

my remote ip address of the pool is 10.0.0.1-10.0.0.10/24

config (I've included what, in my view, is necessary, please let me know if you need to see more):

ASA 2.0000 Version 8

Sysopt connection permit VPN

tunnel of splitting allowed access list standard 192.168.10.0 255.255.255.0

network of the NETWORK_OBJ_10.0.0.0 object

10.0.0.0 subnet 255.255.255.0

NAT (inside, outside) static source any any static destination NETWORK_OBJ_10.0.0.0 NETWORK_OBJ_10.0.0.0 non-proxy-arp-search to itinerary

internal GroupPolicy_vpn group strategy

attributes of Group Policy GroupPolicy_vpn

value of 192.168.10.20 WINS server

value of server DNS 192.168.10.15

client ssl-VPN-tunnel-Protocol ikev2

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value split tunnel

domain.local value by default-field

WebVPN

User PROFILE of value type profiles AnyConnect

type tunnel-group tunnel_vpn remote access

tunnel-group tunnel_vpn General-attributes

address ra_vpn_pool pool

Group Policy - by default-GroupPolicy_vpn

tunnel-group tunnel_vpn webvpn-attributes

activation of the Group tunnel_vpn alias

!

Thanks in advance!

Hello

The unit behind your ASAs on the internal LAN should really be a router switch or L3 and not a basic L2 switch.

You now have an asymmetric routing on your network, and this is the reason why the connection of the VPN device will not work.

The problem comes from the fact that internal devices use the ASA1 for the default gateway. When trying to connect to the VPN Client, the following happens
- Client VPN armed sends TCP SYN that happens by the VPN with the ASA2
- ASA2 passes the TCP SYN to the server
- Server responds with TCP SYN ACK for the VPN Client and sends this information to the ASA1 as the destination host is in another network (vpn pool)
- ASA1 sees the TCP SYN ACK, but never saw the TCP SYN so he abandoned the connection.
To work around the problem, you need to essentially configure TCP State Bypass on the ASA1 although I wouldn't really say that, but rather to change the configuration of the network so that traffic makes this way to start.

An option, even if not the best, would be to set the LAN of the ASA2 to ASA1 on some physical ports and set up a new network connection between them (not the same 192.168.10.x/yy). In this way the ASA1 would see the entire conversation between servers and VPN Clients and there are no problems with the flow of traffic.

But as I said it probably still isn't the best solution, but in my opinion better than having recourse to special configurations ASA1.

There could be a 'special' configuration on the ASA2 that you could use to make the Client VPN connections operate in their current configuration, without changing anything in the physical topology.

You can change the NAT for VPN Clients configuration so that the VPN ALL users would actually PATed to 192.168.10.4 IP address when they connect to your internal network. Given that the server would see the connection coming from the same network segment, they would know to forward traffic back with the ASA2 rather than ASA1 like her today.

If this is not an ideal solution.

No source (indoor, outdoor) nat static any any static destination NETWORK_OBJ_10.0.0.0 NETWORK_OBJ_10.0.0.0 non-proxy-arp-search to itinerary

the object of the LAN network

192.168.10.0 subnet 255.255.255.0

NAT (exterior, Interior) 1 dynamic source NETWORK_OBJ_10.0.0.0 destination static LAN LAN interface

Hope this helps

-Jouni

Anyconnect SSL - VPN fails after restart of 2811

Hi all

I installed an Anyconnect SSL - VPN in my 2811 and it just works great, but then after the restart fails. I think it has something to do with being ereased SSL certificate. Here is my setup, please let me know if you need anything else:

! Last configuration change to 02:03:27 CDT Thu Sep 27/2012

version 15.1

horodateurs service debug datetime msec

Log service timestamps datetime msec

encryption password service

AAA new-model

AAA - the id of the joint session

Crypto pki token removal timeout default 0

Crypto pki trustpoint TP-self-signed-XXXXXXXXXX

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - XXXXXXXXXX

revocation checking no

TP-self-signed-XXXXXXXXXX crypto pki certificate chain

certificate self-signed 01

3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 04050030 A0030201

2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

69666963 31363535 34343437 6174652D 3534301E 170 3132 30393237 30373033

34365A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 36353534 65642D

34343735 3430819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

810096FE 9114BCED E2FA2297 CE41A6F5 73078E18 C1109993 48E2629E B 78713, 48

E6EA7C79 17C8E159 C057A05B F3CAFB4D 36AE9196 AAC4A2BF 586CF144 A81E50FC

5261BFCF 0A11064F C9F19A4C 953DFBF8 65194AD2 73100EE0 FBFE7EB6 0AD16875

7C1C03AE B3A461E2 9837E057 E2A8AE94 F11FDA8A 98AF8107 C0D9FF14 3CF1C62E

010001A 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355 BE090203

551 2304 18301680 1425F172 BAFEAA95 A90FA3D7 A3482174 6F951194 52301 06

03551D0E 04160414 25F172BA FEAA95A9 0FA3D7A3 4821746F 95119452 300 D 0609

2A 864886 04050003 81810064 30DCCC2D 0506EDF6 61C37B9E DF5D8F9A F70D0101

A9FE0646 FC72C3F8 A7E10E55 CE6AA592 7385931A DDFE95B7 47ED3690 2C3F8B43

9A 637526 1464D94E 3A71D235 A14C0551 70E3ED2F F51B07E3 4379E2AF CCA03416

10DDF3E1 784D053B A9E4A624 E34BDDFB BA638658 58E30B74 55A62B02 BDC493A8

23191E2E E4BF390B 351 09 D62DAA2B

quit smoking

username username privilege 15 secret $5 1$Pc/.$y6kJb0xpe.77ciRHZTJ8A.

local IP SSL - VPN 192.168.11.5 pool 192.168.11.8

IP forward-Protocol ND

IP http server

local IP http authentication

IP http secure server

bvpn gateway gateway_1

interface IP Dialer1 port 443

trustpoint SSL SSL - VPN

development

WebVPN install svc flash:/webvpn/anyconnect-win-2.5.2014-k9.pkg sequence 1

WebVPN context SSL - VPN

secondary-color white

color of the title #CCCC66

text-color black

SSL authentication check all

policy_1 political group

functions compatible svc

SVC-pool of addresses "SSL - VPN"

SVC-domain default "DOMAIN."

SVC Dungeon-client-installed

SVC split include 192.168.0.0 255.255.0.0

SVC primary dns SERVER DNS server

Group Policy - by default-policy_1

Gateway gateway_1

development

Here is the description of the bug that fits your explanation of the issue:

MF: HTTPS generates a new cert signed automatically at reboot, even if there
Symptom: With secure HTTP Server active, IOS device generates a new self-signed certificate when it reloads even if a valid self-signed certificate already exists. Conditionsof : When there is no CA (Certificate Authority) provided the certificate on the deviceWorkaround: Use of provided CA certificate.

The resolution is to upgrade to version 15.2 (1) T or higher.

Unfortunately, you need SmartNet contract in order to download the software of EAC.

AnyConnect SSL VPN Split tunneling problem

Hello

We have home users that VPN in on a regular basis, but when they VPN in they cannot print locally or to connect to local resources. Is there a way to activate the split for all remote users VPN tunneling? It is not possible to add all the remote subnets, especially since I don't know which subnets are used and it would be a question of management. I noticed that when I connect to the House a new route is added to my PC, who prefers the VPN link.

I noticed one of the options with the client Anyconnect is 'enable local LAN access (if configured) '. Can I use?

Thanks in advance.

Hello

According to my understanding, you need to connect to your local printers while you are connected to the ASA via SSL VPN.

You can do this by creating a policy of exclusion of tunnel split on SAA and the local lan access on the client option, or you can use the profile AnyConnect allowing local lan access.

Please find the link below: -.

https://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080702992.shtml#dsfg

I hope it helps.

Thank you

Shilpa

ACL and anyconnect ssl vpn

Hello world

I was testing the few things at my lab at home.

PC - running ssl vpn - sw - router - ISP - ASA (anyconnect ssl)

AnyConnect ssl works very well and I am also able to access the internet.

I use full tunnel

I have ACLs on the external interface of the ASA

1 True any any intellectual property Deny 0 By default []

I know that the ACL is used to traffic passing by ASA.

I need to understand the flow of traffic for internet via ssl vpn access. ?

Concerning

MAhesh

As you correctly say, the ACL interface is not important for that because the VPN traffic is not inspected by the ACL. Of the at least not by default.

You can control the traffic with a different ACL that is applied to the group policy with the command "vpn-filter". And of course you need a NAT rule that translates your traffic when running to the internet. This rule should work on the pair of interface (outside, outside).

ASA 5505 SSL VPN license update

Hi all.

Our ASA 5505 with DATABASE default license allowing only 10 simultaneous vpn sessions (including 2 Anyconnect + IPsec). attached a TXT file with the license information. This Firewall is's use only for vpn access, and we less vpn tunnel vpn IPSec-L2L, anyconnect client SSL and IPSec client access configurations vpn to the top and race walk,.

We are in terms of upgrading vpn license to archive IPSec 10 and 10 Anyconnect and 1 anyconect mobile VPN sessions in time. so my questions are;

1. can I buy "ASA5500-SSL-10 =" accounting and to upgrade our ASA 5505 without having to buy "L-ASA5505-SEC-PL =" license of pus of security.

2. asa use to upgrade only Anyconnect SSL vpn license while keeping 10 vpn IPSec comes with the base license.

Thank you & you expects value comment

Thank you

JCK

1. Yes.

2.Yes.

If you want to keep Clientless SSL VPN you do not want to continue with the addition of the ASA5500-SSL-10 = part. If you can do without client (including the conversion the two existing ones), more economically, you can opt for Security Plus and AnyConnect Essentials licenses. (US$ 800 vs price $1250).

In both cases, the Mobile requires the AnyConnect Mobile (ASA-AC-M-5505) license.

Cannot access internal network so AnyConnect SSL VPN, ASA 9.1 (6)

Hello Cisco community support,

I have a lab which consists of two virtual environments connected to a 3750-G switch that is connected to a 2901 router which is connected to an ASA 5512 - X which is connected to my ISP gateway. I configured SSL VPN using AnyConnect and can establish a VPN to the ASA from the outside but once connected, I can't access internal network resources or access the internet. My information network and ASA configuration is listed below. Thank you for any assistance you can offer.

ISP network gateway: 10.1.10.0/24

ASA to the router network: 10.1.40.0/30

Pool DHCP VPN: 10.1.30.0/24

Network of the range: 10.1.20.0/24

Development network: 10.1.10.0/24

: Saved
:
: Serial number: FCH18477CPT
: Material: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA 6,0000 Version 1
!
hostname ctcndasa01
activate bcn1WtX5vuf3YzS3 encrypted password
names of
cnd-vpn-dhcp-pool 10.1.30.1 mask - 255.255.255.0 IP local pool 10.1.30.200
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 10.1.40.1 255.255.255.252
!
interface GigabitEthernet0/1
nameif outside
security-level 0
address IP X.X.X.237 255.255.255.248
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
boot system Disk0: / asa916-1-smp - k8.bin
boot system Disk0: / asa912-smp - k8.bin
passive FTP mode
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_10.1.30.0_24 object
10.1.30.0 subnet 255.255.255.0
network obj_any object
network obj_10.1.40.0 object
10.1.40.0 subnet 255.255.255.0
network obj_10.1.30.0 object
10.1.30.0 subnet 255.255.255.0
outside_access_in list extended access permitted ip object NETWORK_OBJ_10.1.30.0_24 all
FREE access-list extended ip 10.1.40.0 NAT allow 255.255.255.0 10.1.30.0 255.255.255.0
access-list 101 extended allow any4 any4-answer icmp echo
access-list standard split allow 10.1.40.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 743.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source obj_10.1.40.0 destination obj_10.1.40.0 static static obj_10.1.30.0 obj_10.1.30.0 non-proxy-arp-search to itinerary
NAT (inside, outside) static source any any static destination NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 non-proxy-arp-search to itinerary
Access-group outside_access_in in interface outside
!
Router eigrp 1
Network 10.1.10.0 255.255.255.0
Network 10.1.20.0 255.255.255.0
Network 10.1.30.0 255.255.255.0
Network 10.1.40.0 255.255.255.252
!
Route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
without activating the user identity
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
http X.X.X.238 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec pmtu aging infinite - the security association
Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
registration auto
full domain name no
name of the object CN = 10.1.30.254, CN = ctcndasa01
ASDM_LAUNCHER key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
certificate c902a155
308201cd 30820136 a0030201 020204c 0d06092a 864886f7 0d 010105 9 02a 15530
0500302b 31133011 06035504 03130 has 63 61736130 31311430 12060355 74636e64
0403130 31302e31 2e33302e 32353430 1e170d31 35303731 32303530 3133315a b
170d 3235 30373039 30353031 33315 has 30 2 b 311330 0403130a 11060355 6374636e
64617361 30313114 30120603 55040313 0b31302e 312e3330 2e323534 30819f30
0d06092a 864886f7 010101 05000381 8 d 0d 003081 89028181 00a47cfc 6b5f8b9e
9b106ad6 857ec34c 01028f71 d35fb7b5 6a61ea33 569fefca 3791657f eeee91f2
705ab2ea 09207c4f dfbbc18a 749b19ae d3ca8aa7 3370510b a5a96fd4 f9e06332
4355 db1a4b88 475f96a1 318f7031 40668a4d afa44384 819d fa164c05 2e586ccc
3ea59b78 5976f685 2abbdcf6 f3b448e5 30aa96a8 1ed4e178 0001300 020301 4 d d
06092a 86 01010505 00038181 0093656f 639e138e 90b69e66 b50190fc 4886f70d
42d9b4a8 11828da4 e0765d9c 52d84f8b 8e70747e e760de88 c43dc5eb 1808bd0f
fd2230c1 53f68ea1 00f3e956 97eb313e 26cc49d7 25b927b5 43d8d3fa f212fcaf
59eb8104 98e3a1d9 e05d3bcb 428cd7c6 61b530f5 fe193d15 ef8c7f08 37ad16f5
d8966b50 917a88bb f4f30d82 6f8b58ba 61
quit smoking
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
VPN-addr-assign local reuse / 360 time
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Trust ASDM_Launcher_Access_TrustPoint_0 vpnlb-ip SSL-point
SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
AnyConnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
AnyConnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
AnyConnect enable
tunnel-group-list activate
internal GroupPolicy_cnd-vpn group policy
GroupPolicy_cnd-vpn group policy attributes
WINS server no
value of server DNS 8.8.8.8
client ssl-VPN-tunnel-Protocol
by default no
xxxx GCOh1bma8K1tKZHa username encrypted password
type tunnel-group cnd - vpn remote access
tunnel-group global cnd-vpn-attributes
address-cnd-vpn-dhcp-pool
strategy-group-by default GroupPolicy_cnd-vpn
tunnel-group cnd - vpn webvpn-attributes
activation of the alias group cnd - vpn
!
ICMP-class class-map
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map icmp_policy
icmp category
inspect the icmp
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
service-policy icmp_policy outside interface
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:261228832f3b57983bcc2b4ed5a8a9d0
: end
ASDM image disk0: / asdm - 743.bin
don't allow no asdm history

Can you confirm that this is correct, your diagram shows your IP address public on ASA as 30 while you have assinged on 'outside' interface like 29?

ASA 5520 - SSL VPN (Anyconnect) licenses

Hello

Can someone clarify for me the SSL VPN/AnyConnect for the ASA 5520 license? Specifically, the differences between the AnyConnect Essentials and AnyConnect Premium. Our current license looks like this:

The devices allowed for this platform:
The maximum physical Interfaces: unlimited
VLAN maximum: 150
Internal hosts: unlimited
Failover: Active/active
VPN - A: enabled
VPN-3DES-AES: enabled
Security contexts: 2
GTP/GPRS: disabled
SSL VPN peers: 2
Total of the VPN peers: 750
Sharing license: disabled
AnyConnect for Mobile: disabled
AnyConnect Cisco VPN phone: disabled
AnyConnect Essentials: disabled
Assessment of Advanced endpoint: disabled
Proxy sessions for the UC phone: 2
Total number of Sessions of Proxy UC: 2
Botnet traffic filter: disabled

This platform includes an ASA 5520 VPN Plus license.

I guess that means that we have just the 2 'free trial' SSL VPN licenses and nothing else.

I would like to add 25 or maybe 50 SSL VPN licenses and be able to use a combination of full free client, thin client and groups client AnyConnect. The 'ASA5500-SSL-25' (or 50) would be the correct license I need to buy?

Thank you

Rob

Hello

The essentials license is per device and does not allow full-tunnel.

If you need other features like Secure Desktop, without client SSL and other optional features such as shared licenses, you must go to the Premium license.

http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494_ps10884_Products_Data_Sheet.html

Federico.

Cisco ASA Anyconnect LAN access problem

I have very simple network at home with the WAN IP address, ASA uses DHCP and gateway. plain of network of all no complications.

X.X.X.X like a WAN

192.168.1.0/24 as a LAN

IP Pool 192.168.6.0/24 (VPN Pool)

I am trying to configure AnyConnect (AC) so that I can connect remotely and get my resources on the LAN while out. I am to connect with AC and when you use split tunnel I'm browsing the web very well, but I have no access to the local network (without ICMP or TCP/UDP)

Route looks good in customer AC

unsecured network 0.0.0.0/0
secure network 192.168.1.0/24

What I'm missing for LAN access?, nat statement, list of access...?

_____________________________

Output of the command: "show run".

: Saved
:
ASA Version 9.1 (5)
!
hostname asa01
domain name asa

names of
192.168.6.2 mask - 192.168.6.100 local pool Pool VPN IP 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
Outside description
nameif outside
security-level 0
IP address XXXX
!
interface Vlan5
nameif dmz
security-level 50
IP 192.168.100.1 address 255.255.255.0
!
boot system Disk0: / asa915 - k8.bin
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS lookup field inside
DNS domain-lookup outside
DNS domain-lookup dmz
DNS server-group DefaultDNS
domain naisus.local
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.6.0_25 object
subnet 192.168.6.0 255.255.255.128
object-group Protocol DM_INLINE_PROTOCOL_1
icmp protocol object
icmp6 protocol-object
outside_access_in list extended access permit icmp any any idle state
outside_access_in extended access list allow icmp6 all all idle state
outside_access_in_1 list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
list of access allowed standard LAN 192.168.1.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
host of logging inside 192.168.1.99
forest-hostdown operating permits
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 741.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.6.0_25 NETWORK_OBJ_192.168.6.0_25 non-proxy-arp-search of route static destination
!
NAT source auto after (indoor, outdoor) dynamic one interface
Access-group outside_access_in_1 in interface outside
Route outside 0.0.0.0 0.0.0.0 X > X > X >
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
registration auto
full domain name no
name of the object CN = asa01, CN = 192.168.1.1
ASDM_LAUNCHER key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
certificate 8b541b55
308201c 3 c 3082012 a0030201 0202048b 0d06092a 864886f7 0d 010105 541b 5530
XXXX
quit smoking
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 access remote trustpoint ASDM_Launcher_Access_TrustPoint_0
Telnet 192.168.1.0 255.255.255.0 inside
Telnet timeout 5
SSH stricthostkeycheck
SSH 192.168.1.0 255.255.255.0 inside
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0

dhcpd outside auto_config
!
dhcpd address 192.168.1.100 - 192.168.1.199 inside
dhcpd dns 8.8.8.8 75.75.75.75 interface inside
dhcpd naisus.home area inside interface
dhcpd allow inside
!
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 50.116.56.17 source outdoors
NTP server 108.61.73.243 source outdoors
NTP server 208.75.89.4 prefer external source
SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
Trust ASDM_Launcher_Access_TrustPoint_0 inside the vpnlb-ip SSL-point
SSL-trust ASDM_Launcher_Access_TrustPoint_0 inside point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1 regex 'Windows NT'
AnyConnect image disk0:/anyconnect-macosx-i386-3.1.07021-k9.pkg 2 regex "Intel Mac OS X.
AnyConnect image disk0:/anyconnect-linux-64-3.1.07021-k9.pkg 3 regex "Linux".
AnyConnect enable
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
VPN - connections 30
VPN-idle-timeout 5
internal GroupPolicy_AC_Profile group strategy
attributes of Group Policy GroupPolicy_AC_Profile
WINS server no
4.2.2.2 DNS server value
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value LAN
naisus.local value by default-field
XX XX encrypted privilege 15 password username
name of user XX attributes
WebVPN
chip-tunnel tunnel-policy tunnelall
type tunnel-group AC_Profile remote access
attributes global-tunnel-group AC_Profile
address pool VPN-pool
Group Policy - by default-GroupPolicy_AC_Profile
tunnel-group AC_Profile webvpn-attributes
enable AC_Profile group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:xxx
: end

I'm not positive that's causing the problem, but I noticed that you have defined incoherent poolside VPN as a 24 (in the command name and that name is associated with the tunnel group) and 25 (in the command object on the network that is also referenced in the statement of NAT exempting NAT to that object). True your pool assigns addresses from the lower half of the 24, but still...

I try to simplify things by using a single object for something like that, which is used in several places. With the help of objects the way they are intended, and which allows to avoid any discrepancies.

ASA 5500 SSL VPN Failover license

Hello

I have a partner who request assistance with SSL VPN licenses on the ASA 5500 firewall sharing:

His question is:

Both SSL, provided with the firewall of the SAA, licenses can be shared across a couple active / standby? I would therefore have a total of (4) licenses of SSL VPN to use?

This would also be true for two security contexts that are included with the firewall?

For example, I buy two base ASA 5520 firewall, running active / standby, that each machine is supplied with SSL VPN licenses (2) and (2) licensing of security contexts? In version 8.3, the licenses are cumulative by failover pairs, so I should a total SSL VPN (4) and (4) security contexts?

Here is my response to his request:

Based on this link (http://www.cisco.com/en/US/partner/docs/security/asa/asa83/license_standalone/license_management/license.html#wp1449664)

It was mentioned that:

"You can have one active license type, either the AnyConnect Essentials license or the AnyConnect Premium license. By default, the Adaptive security apparatus includes an AnyConnect Premium license for 2 sessions. If you install the AnyConnect Essentials license, it is used by default. See not anyconnect-essentials control or in ASDM Configuration > remote access VPN > network (Client) access > advanced > component AnyConnect Essentials to activate the Premium license instead. »

It will be able to share the included license on the ASA 5500 4. It will be able to share these licenses, but I'm not sure the security context. My answer would be, it can use only 2 context Security licenses since only the VPN licenses are shared on the version 8.3 and other licenses not characteristic. My understanding is correct? or there are other explanations on my customer survey?

Thanks in advance!

Ice Flancia

Cisco partner Helpline Tier 2 team

Only from ASA 8.3 version and following, the license can be combined on a failover pair active / standby.

2 SSL included license on SAA in failover pair is combined as 4 license SSL.

2 license of background on ASA in failover pair is combined as license frame 4.

Here's the URL on ASA combined license failover:

http://www.Cisco.com/en/us/partner/docs/security/ASA/asa83/license_standalone/license_management/license.html#wp1450094

Hope that helps.

Cisco 1900 series ssl vpn license

Hello

Since the FL-SSLVPN10-K9 license cannot be purchased, I wonder what are the options on my router CISCO1921-SEC/K9 should I now if I want to use SSL VPN, if any?

Thanks in advance

Kind regards

Herman

I think the best way is to allow the new AnyConnect 4 which is also valid for the IOS-based VPN gateways:

http://www.Cisco.com/c/dam/en/us/products/security/AnyConnect-og.PDF

ASA 5510 - SSL VPN without CLIENT - remote desktop

Is it possible to make a desktop connection remote clientless SSL VPN with a browser? I know that I can do with client anyconnect SSL but I can do without a customer?

Yes it is possible, you must first make sure that you have transferred to the ASA RDP plugin. When you are editing you bookmarks, you will see an option for RDP.

Essential AnyConnect SSL VPN?

Hello

I'm a bit confused. What is the difference between licenses(L-ASA-SSL-PR-25=) SSL VPN and Anyconnect Essential(L-ASA-AC-E-5510=)? I'm trying to be more objective and confused about what to buy.

1 allow users to VPN through SSL and telnet on the unix system.

2. allow users to use RDP sessions, once connected to the windows system.

3 allow users to leave their outlook to connect to the Exchange once connected server.

I need a solution that would download the client (just the browser to https://x.x.x.x) and let the customer gets pushed. I also need another VPN profile that uninstalls all customer downloaded when you are offline. The second profile is for people who are using public PC of the trip.

Also, do I need license Anyconnect Mobile wanted to use iPhone or iPad to access vpn SSL url?

Any response would be greatly appreciated.

Thank you

Sam

Clientless SSL means you are tunneling SSL to the ASA without (AnyConnect) client.

In other words, the remote computer needs only a browser to establish the secure HTTPS connection and access a potal web that may redirect access to internal resources. This type of connection (without customer) allows access to web applications and via port-forwarding to enable access to other TCP applications.

When you need full network access (imitating the IPsec VPN client) you need the connection SSL (AnyConnect) Client-centred.

This does not require a Web portal, provides with a complete full network access.

If you use AnyConnect, the client can be pushed from the ASA to the customer via the HTTPS connection (and kept on the remote system or removed) depending on the configuration.

If you are looking for a remote SSL connection that can access a portal and newspaper via telnet/RDP, you can use clientless SSL with port forwarding.

If you want to that remote clients have full network access (everything as if they are sitting in the local network), will need you the AnyConnect.

Federico.

ASA 5520: SSL VPN by using a different IP address that the ASA public IP address

Hi guys,.

I'm trying to configure an SSL VPN on a Cisco ASA5520.

Unfortunately port 443 interface OUTSIDE of the SAA is already used by Microsoft Outlook Web Access and I can not change the configuration of Outlook. This configuration already in place allows me to use the public IP address of the ASA as IP Cisco VPN for the Web page.

I don't not want to use a different port so to keep life easy for users.

I have a few available public IPs that I can use so I wanted to use one of them instead of the OUTSIDE of the ASA interface. Any idea how I could do?

Thank you

Dario

Unfortunately you can not use any other public ip address, except the ASA outside IP interface to complete the SSL VPN.

The only options that you have is to change the Outlook to use another port or the SSL VPN to use a different port.

Try to customize login page for ASA 5505 SSL - VPN

Nice day

I'm looking for help to customize the login page for the ssl - vpn as mentioned. When the vpn is configured, the default template allows my customers to connect with this: IMAGE 1

While trying to change the login page, I have to create a new customization without CLIENT SSL VPN ACCESS-> PORTAL-> CUSTOMIZATION file in the ASDM. When I do this and I'm trying to change the login page, it comes up with 2 forms of authentication and a fast internal password like this: IMAGE 2

How can I change the login page, I created so that users only see the fields username and password for regular as the default template?

Thank you all for your time and assistance

Joel

Hi Joel,

What you see is just the preview, right?

Preview displays the purpose of customization, since the password internal and the second authentication controls are the features that are activated in different parts of the configuration.

WebVPN

allow outside

internal-password enable

!

attributes global-tunnel-group DefaultWEBVPNGroup

secondary-authentication-server-group second_authentication_server

INFO: This command applies only to the SSL VPN - Clientless and AnyConnect.

So I recommend to assign this object of customization to a group policy and test access to the content of the specific connection profile.

Thank you.

Portu.

Please note all useful posts

Cisco ASA AnyConnect SSL VPN - certificates + token?

Similar Questions

Maybe you are looking for