IP phone SSL VPN by ASA

I'm in the middle of configuring IP Phone SSL VPN on the ASA and I'm stuck on authentication... When I enter the username and password on the phone screen, I get the message "username and password failed". However, in the ASA logs, I see the following lines:

Feb 16 2011 15:12:57 725002 85.132.43.67 52684 Device completed SSL handshake with client vpn:85.132.*.*/52684

Feb 16 2011 15:17:26 725007 85.132.43.67 52745 SSL session with client vpn:85.132.*.*/52745 terminated.

What does it mean? How can I turn on debugging to see what is happening?

Thank you in advance!

Hello

If you do not use certificates for client authentication, then the SSL handshake completes before the user is prompted to authenticate with a username and password. If that authentication request fails, you will see the SSL session terminated immediately after the failure (as in the logs you provided). Note the 5 seconds between the SSL session establishment and its termination; that is most likely the time during which the user was being authenticated against the AAA server. If the phone is failing authentication against an external AAA server, you will want to investigate the logs on that server to determine the cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what happens at the authentication protocol level, you can enable several debugs, including 'debug aaa authentication | common | internal' and protocol-specific debugs such as 'debug radius user | session | all' or 'debug ldap'.

Has this answered your question? If so, please mark it as answered!
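The answer above describes the log pattern of a failed AAA login: a 725002 handshake, an AAA reject a few seconds later, then a 725007 teardown. The following is an added example (not code from the original thread) that correlates those message IDs over constructed sample syslog lines; it assumes the ASA's 113004/113005 AAA messages are present and, since those carry no client address, attributes the most recent AAA event to the session being torn down.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the page). The first session shows the
# pattern the answer describes: handshake, AAA reject a few seconds later, teardown.
SAMPLE_LOG = """\
Feb 16 2011 15:12:57 asa %ASA-6-725002: Device completed SSL handshake with client vpn:203.0.113.10/52684
Feb 16 2011 15:13:02 asa %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.0.2.5 : user = phone01
Feb 16 2011 15:13:02 asa %ASA-6-725007: SSL session with client vpn:203.0.113.10/52684 terminated.
Feb 16 2011 15:20:00 asa %ASA-6-725002: Device completed SSL handshake with client vpn:203.0.113.20/40001
Feb 16 2011 15:20:01 asa %ASA-6-113004: AAA user authentication Successful : server = 192.0.2.5 : user = phone02
Feb 16 2011 16:05:41 asa %ASA-6-725007: SSL session with client vpn:203.0.113.20/40001 terminated.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) \S+ %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$")
CLIENT_RE = re.compile(r"client vpn:(?P<ip>[\d.]+)/(?P<port>\d+)")
USER_RE = re.compile(r"user = (?P<user>\S+)")


def parse_line(line):
    """Split one ASA syslog line into timestamp, message id and message body."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "id": m["id"], "msg": m["msg"]}


def failed_logins(text, max_gap_s=10):
    """Return (client, user, seconds_alive) for SSL sessions torn down within
    max_gap_s of their handshake while the last AAA event was a reject.
    Assumption: a low-volume ASA, so the latest AAA event belongs to the
    session that is being torn down right after it."""
    handshakes = {}   # (ip, port) -> handshake time
    last_aaa = None   # (time, "ok" | "reject", user)
    findings = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        client = CLIENT_RE.search(ev["msg"])
        if ev["id"] == "725002" and client:
            handshakes[(client["ip"], client["port"])] = ev["ts"]
        elif ev["id"] in ("113004", "113005"):
            user = USER_RE.search(ev["msg"])
            last_aaa = (ev["ts"], "ok" if ev["id"] == "113004" else "reject",
                        user["user"] if user else "?")
        elif ev["id"] == "725007" and client:
            key = (client["ip"], client["port"])
            start = handshakes.pop(key, None)
            if start is None:
                continue
            alive = (ev["ts"] - start).total_seconds()
            if (alive <= max_gap_s and last_aaa is not None
                    and last_aaa[1] == "reject" and last_aaa[0] >= start):
                findings.append((f"{key[0]}/{key[1]}", last_aaa[2], alive))
    return findings


if __name__ == "__main__":
    for client, user, alive in failed_logins(SAMPLE_LOG):
        print(f"{client}: user {user} rejected, SSL session alive {alive:.0f}s")
```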

Tags: Cisco Security

Similar Questions

  • Customization of SSL VPN on Cisco ASA version 8

    Is there a way to customize the appearance of the SSL VPN? To change the customization features of the ASA? To change the overall look of the portal page the way we like it and not the Cisco default settings? For example, the RDP plugin always displays the help text on the right side, and we would like to show different text in this area. We were able to change it but could not import it into the ASA.

    Importing an SSL VPN customization into the ASA is not possible. It is also not possible to change the appearance of the portal page.

  • SSL VPN using ASA 5520 in cluster mode - several problems

    I configured 2 ASA 5520s in load balancing cluster mode. I connect using AnyConnect, download the client the first time, and everything works well except Outlook. I don't know why Outlook does not work.

    The second problem is that after the AnyConnect client is installed on a machine, it remembers the ASA (say ASA2) it first connected to, and the GUI shows the IP address of ASA2 instead of the virtual IP address of the cluster. I want users to always connect using the virtual IP address.

    The third problem I have is that there is a default SSL VPN group and I want all users to use this group. On the initial web page, there is a drop-down menu which shows this group, but I still want to disable this drop-down menu.

    Any suggestions?

    To disable the drop-down menu, you can turn it off with the commands

    webvpn
    no tunnel-group-list enable

    This will take care of your last issue.

    ***************************

    You can create an AnyConnect client profile with the name of the server you want to connect to and have the ASA push it; that will solve your virtual IP problem.

    **************************

    Regarding Outlook, does it use specific ports that the ASA inspects? Take a look at the inspection list on the ASA and perhaps try disabling inspection and see if it works.

    *****************************

  • New to ASA - mapping SSL VPN ACS groups to ASA groups

    Greetings,

    I am new to ASA, so any help is greatly appreciated.

    I just installed and set up an ASA 5520. I installed an SSL VPN. What I'm trying to achieve is to configure different group profiles so that different users can access various resources when they access the VPN.

    Current config:

    ASA 5520 v8.3

    ACS 4.0

    Windows 2003 domain

    I have different profiles set up in the ASA (i.e. Business Dept.). When I choose one in the drop-down menu, it allows me to log in and displays the options I've chosen for this group. The problem is that I can log in to this group with any account. All Windows domain users are in the default group. I guess the default group is being processed and is what accepts the user logon.

    Can anyone provide a good article or tips on how to configure the ASA and the ACS for several groups of users? We have several departments that will have to get their parameters when they connect. The ACS groups are mapped to the Windows groups that correspond to each department.

    Any help is greatly appreciated.

    Thank you

    Tim

    Hello

    I think that you need to enable group lock.

    In order to configure group lock, send the group policy name in the Class attribute (25) from the Remote Authentication Dial-In User Service (RADIUS) server and choose the group to lock the user into in the policy. For example, to lock user 123 of Cisco into the RemoteGroup group, define IETF attribute 25 (Class) as OU=RemotePolicy; for this user on the RADIUS server.

  • CME SSL VPN with ASA

    Hi all

    We are working on a new deployment of CME 9.1 for a small office. As part of this deployment, our plan was to have several remote phones connect via SSL VPN to an ASA on our network border, allowing them to communicate with the CME router. We bought the appropriate VPN licenses for the ASA and the licenses for the remote phones.

    I'm following the instructions in this document: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configura...

    However, the problem I'm having is that when I try to enter the settings for the vpn-group (page 19 of the PDF) the command is not available on my router - unrecognized command. I fear that this could mean that I'm missing a license/feature set on my CME router, is that correct? We bought a C2921CME-SRSTK9 router, but I may need the SEC/K9 license? If this is the case, can someone show me the part number or SKU I would need to buy?

    Moreover, is there any way I could get around adding this to the router config - perhaps by changing the phone XML configuration directly?

    Thanks in advance!

    That is correct, you will need the security license. The SKU is: L-SL-29-SEC-K9=

    http://www.Cisco.com/c/en/us/products/collateral/routers/1900-series-int...

  • SSL VPN on ASA

    Everyone,

    I set up an SSL VPN on a router and am now migrating to an ASA firewall, and was looking for a doc that documents the setup using ASDM or the CLI.

    Thanks for your help.

    Sheldon.

    These should help.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808efbd2.shtml

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080975e83.shtml

  • Site-to-site VPN with ASA 5500 series SSL?

    We have DLink DIR-130 routers, ASA 5505s and PIXes, all working well with our PIX 515E, which we need to replace.

    We also have satellite Internet in two places. High latency makes IPsec VPN to the DLinks at these sites very slow.

    We were informed by HughesNet that an SSL VPN will mitigate some of the latency problems.

    However, we cannot use a VPN client for the biometric time clocks in these places; the clocks need static IP addresses and are more or less "dumb terminals".

    Does the ASA 5500 series do site-to-site SSL VPN similar to OpenVPN, or only the more common client-server type SSL VPN connections?

    Thank you, Tom

    Hi Thomas,

    The SSL VPN feature on ASAs is a client/server relationship where the remote computer can connect clientless (browser) or client-based (AnyConnect) to the ASA.

    Federico.

  • SSL VPN client username and password saving

    Hello

    We use SSL VPN with ASA, and we want to save the username and password for connecting in the SSL VPN client on the clients, so the user does not have to type them again to connect to enterprise resources; employees normally use iPhone iOS and Android for VPN access.

    Is there a way we can save the username and password credentials for iPhone and Android?

    I googled it and found a way using URIs to pre-fill the username and password, but I'm not sure how it works and whether it will be beneficial.

    http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/ANYC...

    Hello

    You can use the URIs, if your method must use WBS for the password pre-population.

    I would recommend you use certificate authentication, so they don't have to use a username and password, and the process will be done automatically.

    You can take a look at this document that one of my peers created:

    - https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based...

    It has the details you will need.

    Don't forget to rate and mark the helpful post as correct!

    David Castro,

    Kind regards

  • SSL VPN web cannot connect

    Hello

    I'm deploying an SSL VPN on ASA 8.0; I have access to the public interface and authentication configured with RADIUS.

    I have debug radius on the ASA and I see authentication is OK; I also checked RADIUS on the ASA and it works with the authentication test button, but it does not work for authorization.

    I've already set up a local user on the RADIUS server.

    Thanks for your help.

    Best regards

    Fran

    You may be hitting a license limit if a few sessions have not stopped correctly and you have only the default 2 SSL licenses... Do 'show version' to see how many webvpn licenses you have. Also try 'vpn-sessiondb logoff all' to delete all existing connections.

    -heather

  • IP routing on ASA for SSL VPN

    I have a question. Let's say the internal DHCP network is 192.168.0.0 and you configure SSL VPN on the ASA to assign IP addresses from the 10.0.0.0 network; where must routing be configured so that the client can route between the networks?

    2. Let's say I'm using 192.168.10.0/.20.0/.30.0 on my network; if I have the ASA assign 30.0, will there be a DHCP conflict? Or will the ASA DHCP ONLY respond to outside requests? (I mean AnyConnect)

    Hello

    You don't have to use a dynamic routing protocol if you don't need/want to. In a simple network you could just use static routes.

    The way that you manage your routing, I don't think it really changes the configuration at all.

    This of course provided that the ASA is the default route out of your network. Then all traffic to the VPN pool networks would naturally always be reachable from the local network, as the default route would already be forwarding all traffic to networks outside the local network to the ASA.

    However, if the ASA is not the gateway device for all Internet traffic on your network, then you will need to manage the routing so that the networks/subnets used as the VPN pools are routed to the ASA on the local network.

    -Jouni

  • ASA 5520 - SSL VPN (Anyconnect) licenses

    Hello

    Can someone clarify the SSL VPN/AnyConnect licensing for the ASA 5520 for me? Specifically, the differences between AnyConnect Essentials and AnyConnect Premium. Our current license looks like this:

    The devices allowed for this platform:
    The maximum physical Interfaces: unlimited
    VLAN maximum: 150
    Internal hosts: unlimited
    Failover: Active/active
    VPN - A: enabled
    VPN-3DES-AES: enabled
    Security contexts: 2
    GTP/GPRS: disabled
    SSL VPN peers: 2
    Total of the VPN peers: 750
    Sharing license: disabled
    AnyConnect for Mobile: disabled
    AnyConnect Cisco VPN phone: disabled
    AnyConnect Essentials: disabled
    Assessment of Advanced endpoint: disabled
    Proxy sessions for the UC phone: 2
    Total number of Sessions of Proxy UC: 2
    Botnet traffic filter: disabled

    This platform includes an ASA 5520 VPN Plus license.

    I guess that means that we have just the 2 'free trial' SSL VPN licenses and nothing else.

    I would like to add 25 or maybe 50 SSL VPN licenses and be able to use a combination of full clientless, thin client and AnyConnect client groups. Would the 'ASA5500-SSL-25' (or 50) be the correct license I need to buy?

    Thank you

    Rob

    Hello

    The Essentials license is per device and does not allow full-tunnel.

    If you need other features like Secure Desktop, clientless SSL and other optional features such as shared licenses, you must go to the Premium license.

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494_ps10884_Products_Data_Sheet.html

    Federico.

  • IP Phone SSL VPN - necessary licenses.

    Hello

    Can someone confirm the necessary licenses for me to get this working. I understand that it needs the "Cisco AnyConnect VPN Phone" license, but do I also need AnyConnect Essentials? It is ASA version 8.2 and the license below is for the ASA I am going to deploy it on.

    Thank you

    The devices allowed for this platform:
    The maximum physical Interfaces: unlimited
    VLAN maximum: 250
    Internal hosts: unlimited
    Failover: Active/active
    VPN - A: enabled
    VPN-3DES-AES: enabled
    Security contexts: 2
    GTP/GPRS: disabled
    SSL VPN peers: 2
    Total of the VPN peers: 5000
    Sharing license: disabled
    AnyConnect for Mobile: disabled
    AnyConnect Cisco VPN phone: disabled
    AnyConnect Essentials: disabled
    Assessment of Advanced endpoint: disabled
    Proxy sessions for the UC phone: 2
    Total number of Sessions of Proxy UC: 2
    Botnet traffic filter: disabled

    This platform includes an ASA 5550 VPN Premium license.

    Hello

    You need the AnyConnect Premium license with Cisco IP Phone functionality enabled on the ASA for the Cisco IP phone to use the AnyConnect VPN functionality.

    You can find more details from the following link:

    http://www.Cisco.com/en/us/products/ps12726/products_qanda_item09186a0080bf292f.shtml

    Kind regards

    Bad Boy

    P.S. Please mark this message as 'Answered' if you find this information useful, so that it benefits other users of the community.

  • Phone proxy to SSL VPN phone migration

    We are working with a client who is moving from UCM 7.x to 9.x and has a phone proxy in place today. With the phone proxy no longer supported in 9.x, they are forced to move to SSL VPN for IP phones. The design doc indicates that phones need to be brought up on the internal network first to download configs, certificates, etc. before going out into the field.

    Yes, there is no known workaround to configure remote users' phones WITHOUT bringing them inside the network. For multinationals, this could prove to be a HUGE headache.

    jyoungta replied to another thread with this:

    "If you can get a copy of the new phone config file and put it on a TFTP server which is accessible via the Internet, then you can just point the phone to that TFTP server (alternate TFTP server option). It will go and grab the new config file."

    It sounds good (thanks Jay) but it looks easy... too easy. Is there a documented procedure that we can follow?

    (Forgive my lack of specific technical knowledge, I'm in management)

    -Sam

    Hello Sam:

    I was able to convert a phone proxy phone to AnyConnect VPN with a single standard certificate deployment. The phone was already talking to the CallManager via TFTP from outside the network as part of the phone proxy configuration.

    I configured the AnyConnect VPN phone settings on the ASA.

    Pushed the ASA SSL certificate to the CallManager.

    Configured the CallManager with the appropriate VPN phone settings.

    Applied the common phone settings to the phone and reset the phone.

    - Up to this point, you just follow the guide. https://supportforums.Cisco.com/docs/doc-21469

    In the network settings on the phone, I changed the alternate TFTP from the public IP address (required for phone proxy) to the private IP (required for AnyConnect VPN).

    Deleted the CTL under Settings - Security Configuration - Trust List

    Reset the phone

    - At this point, I saw the phone reboot and connect to the VPN, and I could check the operation of the VPN on the phone and make a few calls.

  • AnyConnect VPN phones cannot connect to the ASA on an AT&T U-verse high-speed network

    The AnyConnect VPN phones are configured to connect to an ASA 5510 running 8.4(4), and it uses Active Directory credentials to connect. The connection is successful from external ISPs including Comcast and smaller independent service providers. However, when any of us with AT&T U-verse service takes this same 7965 phone home, it fails to make any connection to the ASA at all. A packet capture on the ASA shows no connection activity from our U-verse IP address.

    What's more, we can successfully authenticate the phone's VPN when using local account credentials (e.g. username admin password * privilege 15) that are entered on the ASA. AT&T said that they are not blocking the ports. It is confusing that this works for users with local credentials, but not with A/D.

    So I guess the question is: what does the first TCP/UDP handshake consist of when a Cisco IP phone connects via AnyConnect SSL to an ASA and negotiates A/D authentication? For example, what are the port numbers used in this handshake? I couldn't find any diagrams illustrating it, and the RFC for DTLS does not seem to have the answer either.

    Thanks in advance.

    -Athonia

    Note: we currently have a TAC case open with the subject "ASA 5510 VPN Edition w/ 250 AnyConnect user - SSL VPN for phones configuration".

    I too ran into this issue and here is a description of what I found.

    If you use automatic network detection, the phone first tries to ping the TFTP server it learned from the DHCP server or that was manually set with the alternate TFTP server parameter. If the TFTP server is reachable, the VPN will not connect and will not allow the user to connect manually.

    AT&T U-verse uses DHCP option 150, the same option Cisco UC uses to automatically set the TFTP servers, to locate the local home gateway so that the STB can reach it. For this reason, you should notice that when you have a VPN phone on the network and view the network settings, the IP address of the TFTP server is the IP address of your default gateway (the AT&T router).

    Because automatic network detection works by pinging the TFTP server, the phone will always think that it is connected to the local network. The workaround is to manually set the TFTP server on the phone* to the IP address the TFTP server would have had if the phone had learned it from the DHCP server on your corporate network. The reason you should do this instead of just using a bogon address is that once the VPN is connected, the phone tries to register to the address that you specified.

    Please let me know if this solves your problem as it did in our case.

    * If you do not know how to set the alternate TFTP setting, you must first select the "Alternate TFTP" parameter and press *#. This will allow you to change the default No to Yes. The parameter named TFTP Server 1 below it will then allow you to manually specify the address.

  • ASA site-to-site and SSL VPN stopped working

    Thanks in advance for any advice

    We have an ASA 5510; users were able to connect via AnyConnect without any problems. We opened a new office with an ASA 5505 and decided to set up a site-to-site VPN over IPsec. We used the basic wizard and everything went smoothly at both ends. However, users who always used SSL VPN say that while they can connect to the original site, they can no longer reach their RDP virtual machines or get anywhere on the network. I don't know why something like this can happen.

    You can change the SSL VPN DHCP scope to give a different subnet for IP addresses. Maybe try 192.168.10.0 255.255.255.0. Let me know if you can, and if that corrects the issue.

    Sent from the Cisco Technical Support iPhone App
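The group-lock answer in the ACS-to-ASA mapping thread above relies on the RADIUS Class attribute (IETF attribute 25) carrying an "OU=<group>;" string. This added example (not code from any of the threads) encodes and decodes that attribute using the Type/Length/Value layout of RFC 2865 and extracts the group-policy name the way an ASA would interpret it; the Reply-Message attribute and the group name are constructed sample values.

```python
import struct

CLASS = 25          # RFC 2865 attribute type "Class"
REPLY_MESSAGE = 18  # used only to build a realistic multi-attribute reply


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value; the length byte
    covers all three fields, so the value is limited to 253 bytes."""
    if not 0 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 0-253 bytes")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def decode_attrs(blob):
    """Yield (type, value) pairs from a concatenated attribute list and reject
    malformed lengths instead of reading past the end of the buffer."""
    i = 0
    while i + 2 <= len(blob):
        attr_type, length = struct.unpack("BB", blob[i:i + 2])
        if length < 2 or i + length > len(blob):
            raise ValueError(f"malformed attribute at offset {i}")
        yield attr_type, blob[i + 2:i + length]
        i += length
    if i != len(blob):
        raise ValueError("trailing bytes after last attribute")


def group_lock_policy(blob):
    """Return the group-policy name the ASA would lock the user into, i.e. the
    OU= value of the Class attribute ('OU=<name>;'), or None when absent."""
    for attr_type, value in decode_attrs(blob):
        if attr_type != CLASS:
            continue
        text = value.decode("ascii", "replace")
        if text.startswith("OU=") and text.endswith(";") and len(text) > 4:
            return text[3:-1]
    return None


def build_access_accept_attrs(group_name, message="welcome"):
    """Attributes a RADIUS server would place in an Access-Accept for a locked
    user (constructed sample, not a capture)."""
    return (encode_attr(REPLY_MESSAGE, message.encode())
            + encode_attr(CLASS, f"OU={group_name};".encode()))


if __name__ == "__main__":
    attrs = build_access_accept_attrs("RemoteGroup")
    print(attrs.hex(), "->", group_lock_policy(attrs))
```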
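The AT&T U-verse thread above explains that the home gateway hands out DHCP option 150 pointing at itself, so the phone's automatic network detection sees a reachable TFTP server and never brings up the VPN. This added example (not code from the thread) parses the DHCP options field and flags an option 150 list that contains the option 3 router address; the two option sets it builds are constructed samples, not real captures.

```python
import ipaddress

OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_TFTP_150, OPT_END = 0, 3, 53, 150, 255


def parse_dhcp_options(blob):
    """Parse the DHCP options field (the bytes after the magic cookie) into a
    {code: value} dict, honouring PAD and END and refusing truncated options."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def ipv4_list(value):
    """Option 3 and option 150 both carry a list of packed IPv4 addresses."""
    if len(value) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, len(value), 4)]


def diagnose_option150(blob):
    """Explain what a VPN phone's network detection will conclude from this lease."""
    opts = parse_dhcp_options(blob)
    tftp = ipv4_list(opts.get(OPT_TFTP_150, b""))
    routers = ipv4_list(opts.get(OPT_ROUTER, b""))
    if not tftp:
        return "no option 150: phone uses its alternate TFTP setting"
    if set(tftp) & set(routers):
        return f"option 150 points at the home gateway {tftp[0]}: phone will believe it is on-net"
    return f"option 150 points at {', '.join(tftp)}: VPN comes up only if that address is unreachable"


def build_options(router, tftp_servers):
    """Build a DHCPACK-style options field (constructed sample data)."""
    out = bytes([OPT_MSG_TYPE, 1, 5])  # message type 5 = DHCPACK
    out += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    if tftp_servers:
        packed = b"".join(ipaddress.IPv4Address(t).packed for t in tftp_servers)
        out += bytes([OPT_TFTP_150, len(packed)]) + packed
    return out + bytes([OPT_END])


if __name__ == "__main__":
    print(diagnose_option150(build_options("192.168.1.254", ["192.168.1.254"])))  # U-verse style
    print(diagnose_option150(build_options("192.168.1.254", ["10.1.1.10"])))      # corporate style
```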
