Profile SSL VPN question

Similar Questions

• Multi frame ASA SSL VPN Question

  Hello

  We have a pair of firewalls, we do multiple contexts on clients.  We have recently updated their and have been using the newly Anyconnect customer support.  This all works fine but I feel I'm missing something.  If the customer does not have the anyconnect client already how do get?  Normally, you go to the web page and it will download the client, but all I get is "Clientless VPN is not supported in context mode Multiple." which is good, but how is the customer supposed to to get the customer in the first place?

  Any information would be helpful.

  Chris L.

  Hi Chris,

  The AnyConnect WebLaunch feature is not supported in ASA running on multi-contexte mode.

  There is a demand of improvement that has been opened to allow this as other characteristics while ASA in multi mode context. Here is the link, you can refer:

  https://Tools.Cisco.com/bugsearch/bug/CSCuw19758/?reffering_site=dumpcr

  Kind regards

  Aditya

  Please evaluate the useful messages and mark the correct answers.

• Control the access of the user for the SSL VPN profile.

  I have two ssl vpn profile, can I restricted the user to access only ssl vpn profile, when they get to the page of the ssl vpn service. Each profile to create different types of access, and they will have different client IP address.

  Hello

  Yes, using different ways; one of them is using group-lock, which is a simple check to validate if the Tunnel group or the connection profile as you called it with that sign corresponds to what you have defined under group policy. If the value of Tunnel-Group-Lock (condition true), the VPN remote access session is allowed to install;  otherwise the session is not allowed to be implemented.

  The tunnel-group-lock featurecan be defined as follows:

  • via the group-policy setting locally on ASA
  • via the LDAP attribute
  • via the Radius attribute

  http://www.Cisco.com/en/us/partner/docs/security/ASA/asa82/configuration/guide/vpngrp.html#wp1134870

  Step 4

  Kind regards

• Classic question: SSL VPN Client and Vista 64 - bit OS

  Material: 64-bit software architecture: Windows Vista Home Cisco Hardware (64-bit): 871w router Cisco Software: base of 12.4 T having a challenge with Windows Vista (64) using the SSL VPN. Use of IE, I can navigate to the url, both using the DNS name and IP address. I do not have a signed certificate, so I get the standard warning screen where you will need to click on the red x to continue. At this point, the progress bar moves for a fraction of a second and it's there. For troubleshooting I tried: - clearing cookies, cache, etc. - add url and IP to the Zone of confidence - reset areas rest default - disabled options window popup and phisher IE7 - off all 3rd party Manager BHO - withdrawal of MacAfee software suite - disable User Control that allowed me to make the sign in page, but after the signature - I had a blank white screen. Then, I downloaded Firefox 3.0 (newer) and tried to connect. After a series of guests to accept and download the certificate, I was able to connect and click on the Start button to start the session. The next little screen came as expected and he chose Java. I received a message that it could not install the Cisco AnyConnect Client's and I had to download it manually. Downloaded and installed the client software. Logging out of the browser and its closure - I could not access the page again. It appeared to hang again with a progress bar. I went to empty cache, cookies, passwords etc in Firefox and reloaded the application. Still, I was able to connect. However, I always received the message that the customer could not install and download manually. For fun, I exported the certificate on the desktop and imported into Internet Explorer. I tried the connection with IE, but he had a similar problem. I was told there was no client IPSEC for OS 64 bit (Vista at startup), but most of the new machines are 64 - bit OS systems. I would appreciate any support. Lucky me, the computer to which it is impossible to connect to the VPN is the home of the CEO of the company. The last person that wants to make him miserable.

  Cisco AnyConnect VPN Client is now available for the Windows operating systems, which includes Vista 32 and 64 bit. The Cisco AnyConnect VPN Client, Version 2.2 supports SSL and DTLS. It does not support IPSec at the moment.

  See the url below for more information on troubleshooting anyconnect vpn client:

  http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00809b4754.shtml

  See the following url for the release notes for the version of the client anyconnect vpn 2.2 for use with windows vista:

  http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect22/release/notes/anyconnect22rn.html#wp815989

• AnyConnect and SSL - VPN without client

  Are there problems in running Cisco AnyConnect and SSL - VPN without client side by side?

  I am currently looking into adding features for an ASA AnyConnect who currently set up to operate without SSL - VPN client. The system without client is not removed. I don't know how to set it up, I wonder if someone has already set up this or if there is no problem with this Setup?

  Hi Daniel

  It's a little complicated if you want a granular authentication and authorization, but it works.

  I'm running an ASA with IPSec, SSL Client and clientless SSL.

  Each of these virtual private networks with user/one-time-password name and certificate based authentic.

  The main challenge is to put in place its own structure of profile cards, connection profiles, group policies and dynamic access policies.

  Feel free to ask questions...

  Stephan

• Number of SSL VPN - a weird

  I ran into an issue using SSL VPN to connect remotely to our society and I am the only one in question (which is good because it still works for everyone).  I've been tinkering with the profile editor Anyconnect trying to get work always based on Anyconnect and it seems that I watered something along the way.  I uninstalled and reinstalled the Anyconnect client, but it causes problems.  It seems locked my laptop where I can't on a network, like a customer of the NAC.  However, when I log on the Anyconnect site for my business, I get the following error:

  AnyConnect can confirm that it is connected to your secure gateway.  The local network cannot be trusted.  Please try another network.

  According to what I found on the Cisco site, it can be a certificate problem, but I get no ceritifcate error when I try to connect.  I'm puzzled.  I went through the registry to remove everything about Anyconnect, but he has not made a difference.

  Any ideas would be great.

  TIA,

  Dan

  You may need to remove the profiles and preferences files that will be present even after uninstall.

  For the profile, delete the contents of this folder (Win XP):

  C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client

  Remove the contents of these preferences:

  C:\Documents and Settings\\Local Settings\Application Data\Cisco\Cisco AnyConnect VPN Client

  Please try after removing all these files.

• AnyConnect SSL VPN Split tunneling problem

  Hello

  We have home users that VPN in on a regular basis, but when they VPN in they cannot print locally or to connect to local resources.  Is there a way to activate the split for all remote users VPN tunneling?  It is not possible to add all the remote subnets, especially since I don't know which subnets are used and it would be a question of management.  I noticed that when I connect to the House a new route is added to my PC, who prefers the VPN link.

  I noticed one of the options with the client Anyconnect is 'enable local LAN access (if configured) '.  Can I use?

  Thanks in advance.

  Hello

  According to my understanding, you need to connect to your local printers while you are connected to the ASA via SSL VPN.

  You can do this by creating a policy of exclusion of tunnel split on SAA and the local lan access on the client option, or you can use the profile AnyConnect allowing local lan access.

  Please find the link below: -.

  https://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080702992.shtml#dsfg

  I hope it helps.

  Thank you

  Shilpa

• RVL200 - SSL VPN and firewall rules

  Forgive my ignorance, but I have been immersed in the configuration of this device RVL200 to allow Remoting SSL VPN to a customer site, sight unseen.  I have the basics of the VPN set up in config, but now move the firewall rules.  We want to block all internal devices to access the Internet, but I don't want to cripple the remote clients that will be borrowed by blocking their return via the SSL VPN traffic.  This leads to my questions:

  (1) a rule of DENIAL of coverage for all traffic OUTBOUND will prevent the primary function of the VPN (to allow the administration away from machines on the local network)?

  (2) if the answer to #1 is 'Yes', what ports/services do I need to open the side LAN?

  (3) building # 2, configuring authorized outbound rules apply only for VPN clients, rather than all the hosts on LAN?

  (4) as the default INCOMING traffic rule is to REFUSE EVERYTHING, do I have to create a rule to allow the VPN tunnel, or guess that in the configuration of the router?

  Here are some other details:

  • The LAN behind the RVL200 is also isolated LAN in a manufacturing environment
  • All hosts on this network have a static IP address on a single subnet.
  • The RVL200 has been configured with a static, public IP on the WAN/INTERNET side.
  • DHCP has been disabled on the RVL200
  • Authentication to the device will use a local database.
  • There is no such thing as no DNS server on the local network
  • The device upstream of the RVL200 is a modem using PPPoE DSL, and the device has been configured for this setting.
  • Several database of local users accounts were created to facilitate the SSL VPN access.

  I worked with other aspects of it for a long time, but limited experience with VPN and the associated firewall rules and zero with this family of aircraft.  Any help will be greatly appreciated.

  aponikikay, there is no port forwarding necessary to the function of the RVL200 SSL - VPN.

  Topic 1. That is not proven. It shouldn't do. The router should automatically make sure that the SSL - VPN router service is functional and accessible.

  Re 2. No transfer necessary. In addition, never before TCP/UDP port 47 or 50 for VPN functions. The TCP 1723 port is used for PPTP. UDP 500 is used for ISAKMP. You usually also to transmit TCP/UDP 4500 port for IPSec encapsulation.

  Let's not port 47. ERM is an IP protocol that is used for virtual private networks. It is a TCP or UDP protocol. GRE has 47 IP protocol number. It has nothing to do with TCP or UDP port 47. TCP and UDP are completely different protocols of free WILL.

  It goes the same for 50: ESP is the payload for IPSec tunnels. ESP is the Protocol IP 50. It has nothing to do with TCP or UDP port 50.

  'Transfer' of the GRE is configured with PPTP passthrough option.

  'Transfer' of the ESP is configured with IPSec passthrough option.

• Error of java SSL VPN "ClassNotFoundException".

  I have a user who cannot access their bookmarks of Sonicwall Java running on our appliance virtual sonciwall. 5 HTML5 works, but it's slow and Active X works, but she would like to remotely from his mac, so I thought that java would be the best bet except that I cannot make it work in Internet Explorer. U45 8 Java is installed and active, however, when you click on the bookmark, we receive the below error.

  In the control panel under mixed Code Java, I've already activated "enable - hide warning and run with protections" and I added to the URL of the site on the Security tab, does anyone else have this problem?

  The firmware on our virtual appliance of Sonicwall's SonicOS SSL - VPN 8.0.0.1 - 16sv

  

  Pstoric you can open a support ticket with us?

  There are a few things, we want to check.

  It will be when you have access to the machine in question, of course.

• SSL VPN and Windows 7 32 bit

  I wonder if it is possible to have 2 SSL VPN client running simultaneously at the same time. When I'm working out of the site, I have to do the following:

  1. I call Array SSL VPN network to connect to the corporate network. I need it to be able to read emails.

  2. I invoke some other developed internal SSL VPN client to connect to the customer's network. This is necessary to get access to access the Citrix customer environment.

  When I run the 2nd SSL VPN, my vision behaves erratically as the gel or the loss of connection to the exchange server.

  SSL VPN network table is a SSL VPN split, which means that it routes web traffic of the company and nothing else.

  Developed internal SSL VPN is configured to route specific IP range.

  I wonder if there is any limitation in Windows 7 32 - bit OS that prevent me to simultaneously run 2 SSL VPN clients.

  Appreciate your comments and your support.

  Hi SamPersis,

  Your question of Windows is more complex than what is generally answered in the Microsoft Answers forums. Appropriate in the TechNet forums.

  Please post your question in the Windows 7 IT Pro TechNet Forums: http://social.technet.microsoft.com/Forums/windows/en-US/home?category=w7itpro

  Thank you.

• VPN IPSec/SSL VPN concentrator

  Hi all

  Can a simple question, I activate both IPSec and SSL VPN on the same hub box?

  Kind regards

  MAK

  Yes

• SSL VPN problems with Internet Explorer

  Well, first of all, you need 64-bit to run Internet Explorer web based VPN devices in the SA500 series (we use SA540). After that we thought that out, we cannot always past SSL VPN Client install on client computers. It keeps reloading the Web page or simply nothing at all. Any ideas?

  In addition, that the CA guys do you use SSL VPN? GoDaddy certificates are not compatible, as I just discovered the hard way.

  Hi Qasim,

  The question seems to be more localized with windows blocks everything. I actually spent much time working on this yesterday to finally make it work with a 64 bit vista and a window 7 64 bit machines.

  The few details that I did have some success;

  Tools-> Internet Options-> security-> trust Sites

  • Move down
  • Disable protected mode
  • Click sites, and then add the SSL VPN page to become a member of trust
  • When adding the trusted site, uncheck 'require a server secure for all sites in this zone.

  Tools-> Internet Options-> Advanced-> Security section

  • Select "Allow downloads to run or install even if the signature is not valid"

  In addition, you must download Microsoft Visual C++ Distribution 2010 and ensure that you are running the latest version of Java.

  These are the things I had to do to allow Windows to allow me to connect. I hope it has some help for you.

  -Tom

• CSCun53913 ISA500: SSL VPN stops accepting connections.

  Since the beginning when put into production ISA570 had this problem (SSL VPN stops and the solution is to reboot the device) used 3 new firmwares and none of them has solved this problem.
  I don't understand the company like CISCO not solving this problem in an acceptable time.
  When I bought the ISA570, the cisco to the Portugal told me it was ideal solution to use SSL VPN AnyConnect, omitted this question.

  And now, I request this is a serious company?
  Who is responsible?

  Thank you

  JL

  I have the same problem.

  But I do not restart the unit. I changed the service (such as 444) ssl port, I stop the service; I starts the service and in replace port 443.

  A few days later, the problem is back.

  Thanks for solving the problem.

• Should what license I for 25 SSL VPN peers

  Hi all

  I want to implement cluster active / standby with a pair of ASAs 5550 and I have a licensing question. Here's the "sh - key retail activation" leave two output devices...

  ASA1:

  SH - activation in detail key:

  Serial number: XXXXX

  No temporary key assets.

  Activation key running: XXXXX XXXXX XXXXX XXXXX XXXXX

  The devices allowed for this platform:

  The maximum physical Interfaces: unlimited

  VLAN maximum: 250

  Internal hosts: unlimited

  Failover: Active/active

  VPN - A: enabled

  VPN-3DES-AES: enabled

  Security contexts: 2

  GTP/GPRS: disabled

  SSL VPN peers: 2

  Total of the VPN peers: 5000

  Sharing license: disabled

  AnyConnect for Mobile: disabled

  AnyConnect Cisco VPN phone: disabled

  AnyConnect Essentials: disabled

  Assessment of Advanced endpoint: disabled

  Proxy sessions for the UC phone: 2

  Total number of Sessions of Proxy UC: 2

  Botnet traffic filter: disabled

  This platform includes an ASA 5550 VPN Premium license.

  Flash activation key is the SAME as the key running.

  ASA2:

  SH - activation in detail key:

  Serial number: XXXXX

  No temporary key assets.

  Activation key running: XXXXX XXXXX XXXXX XXXXX XXXXX

  The devices allowed for this platform:

  The maximum physical Interfaces: unlimited

  VLAN maximum: 250

  Internal hosts: unlimited

  Failover: Active/active

  VPN - A: enabled

  VPN-3DES-AES: enabled

  Security contexts: 2

  GTP/GPRS: disabled

  VPN SSL counterparts: 25

  Total of the VPN peers: 5000

  Sharing license: disabled

  AnyConnect for Mobile: disabled

  AnyConnect Cisco VPN phone: disabled

  AnyConnect Essentials: disabled

  Assessment of Advanced endpoint: disabled

  Proxy sessions for the UC phone: 2

  Total number of Sessions of Proxy UC: 2

  Botnet traffic filter: disabled

  This platform includes an ASA 5550 VPN Premium license.

  Flash activation key is the SAME as the key running.

  --------------------------------------------------------------

  It seems so obvious that I have to upgrade the first ASA to support 25 SSL VPN peers in order to create the cluster HA, right?

  Now, I want to know do I need the license "ASA5505-SSL25-K9" or something else.

  Thank you very much in advance for any help!

  Ah OK I see - right then: upgading pole will allow the license to share.

  Re the version target, I would recommend going directly to 8.4 (4.1). I have it deployed on several sites without problem.

• ASA to AWS VPN question

  I have problems with our VPN to AWS. The configuration of the firewall is below:

  Firewall 1

  !
  hostname FW
  activate the password
  names of

  !
  interface GigabitEthernet0/0
  Description Inside_To_SW-DISTRIBUTION-01_Gi1/0/2
  nameif LAN
  security-level 100
  IP address 172.16.x.1 255.255.252.0
  !
  interface GigabitEthernet0/1
  Description Outside_To_SW-DISTRIBUTION-01_Gi1/0/1
  nameif WAN
  security-level 0
  IP address 212.x.x.201 255.255.255.248 watch 212.x.x.202
  !
  !
  interface Management0/0
  management only
  nameif management
  security-level 100
  IP address 10.x.x.x 255.255.255.0
  !
  boot system Disk0: / asa913-smp - k8.bin
  passive FTP mode
  clock timezone GMT/UTC 0
  summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00
  DNS domain-lookup LAN
  DNS server-group DefaultDNS
  Name-Server 8.8.8.8
  4.4.4.4 server name
  permit same-security-traffic intra-interface
  network of the object OBJ-LAN-SUB-NETWORK
  subnet 172.x.128.0 255.255.252.0
  object OBJ-POOL-A network
  range 212.x.x.195 212.x.x.196
  object obj-SrcNet network
  subnet 0.0.0.0 0.0.0.0
  network of object obj-amzn
  10.32.0.0 subnet 255.255.0.0

  gamma of network object
  subnet 88.215.48.0 255.255.240.0
  tinet network object
  subnet 89.149.128.0 255.255.192.0

  object-group service DM_INLINE_SERVICE_1
  ICMP service object
  the purpose of the echo icmp message service
  response to echo icmp service object
  object-group service DM_INLINE_SERVICE_2
  ICMP service object
  the purpose of the echo icmp message service
  response to echo icmp service object
  object-group service DM_INLINE_SERVICE_3
  ICMP service object
  the purpose of the echo icmp message service
  response to echo icmp service object
  object-group service DM_INLINE_SERVICE_4
  ICMP service object
  the purpose of the echo icmp message service
  response to echo icmp service object
  DM_INLINE_TCP_1 tcp service object-group
  port-object eq www
  EQ object of the https port
  object-group Protocol TCPUDP
  object-protocol udp
  object-tcp protocol
  object-group service DM_INLINE_SERVICE_5
  SIP service-purpose tcp - udp destination eq
  the purpose of the service tcp destination eq www
  the purpose of the tcp destination eq https service
  the purpose of the tcp destination eq ldap service
  area of service-object udp destination eq
  the purpose of the udp destination eq ntp service
  object-group service tcp imp
  EQ object Port 5222
  rtp udp service object-group
  60000 10000 port-object range
  object-group service tcp sip1
  port-object eq 8011
  object-group service sip2 tcp
  port-object eq 5080
  DM_INLINE_TCP_2 tcp service object-group
  port-object eq ftp
  port-object eq ftp - data
  EQ port ssh object
  object-group service DHCP udp
  port-object eq bootps
  DHCPrange udp service object-group
  ports of DHCP Description
  Beach of port-object bootps bootpc

  object-group grp-voip network
  gamma of network-object object
  network-object object tinet

  LAN_access_in list extended access allowed object-group DM_INLINE_SERVICE_3 object OBJ-LAN-SUB-NETWORK any4
  LAN_access_in list extended access allowed object-group TCPUDP object OBJ-LAN-SUB-NETWORK any eq field
  LAN_access_in list extended access allowed object OBJ-LAN-SUB-NETWORK ip everything
  LAN_access_in list extended access permitted ip 10.x.x.x 255.255.255.0 everything
  LAN_access_in list extended access udp allowed any any DHCP object-group
  list of access TUNNEL of SPLIT standard allowed 172.16.x.0 255.255.252.0

  extended access list acl-amzn allow any4 ip 10.32.0.0 255.255.0.0
  extended access list acl-amzn allow icmp any4 10.32.0.0 255.255.0.0

  global_access deny ip extended access list a whole

  10.32.0.0 IP Access-list extended filter amzn 255.255.0.0 allow 172.16.128.0 255.255.252.0
  refuse the access-list extended ip a whole amzn-filter

  WAN_access_out list extended access allowed object-group DM_INLINE_SERVICE_4 object OBJ-LAN-SUB-NETWORK any4
  WAN_access_out list extended access allowed object-group DM_INLINE_SERVICE_5 object OBJ-SUB-LAN-NETWORK-object-group grp-voip
  WAN_access_out list extended access permitted udp object OBJ-SUB-LAN-NETWORK-object-group grp-voip-group of objects rtp
  permit WAN_access_out to access extensive ip list object OBJ-LAN-SUB-NETWORK object obj-amzn
  WAN_access_out list extended access allowed object-group TCPUDP object OBJ-LAN-SUB-NETWORK any eq field
  WAN_access_out list extended access permitted tcp object OBJ-LAN-SUB-NETWORK any4 object-group DM_INLINE_TCP_1
  WAN_access_out list extended access permit tcp any any DM_INLINE_TCP_2 object-group
  WAN_access_out of access allowed any ip an extended list
  permit access list extended ip host 52.17.201.49 WAN_access_in 212.84.183.201
  permit access list extended ip host 52.18.197.187 WAN_access_in 212.84.183.201

  pager lines 24
  Enable logging
  emergency logging console
  emergency logging monitor
  exploitation forest asdm warnings
  MTU 1500 LAN
  MTU 1500 WAN
  management of MTU 1500

  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any WAN

  ARP timeout 14400
  no permit-nonconnected arp
  NAT (LAN, WAN) source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
  NAT (LAN, WAN) static source any any destination static OBJ ANYCONNECT-SUB-NETWORK-OBJ-ANYCONNECT-UNDER-NETWORK non-proxy-arp-search directions
  !
  network of the object OBJ-LAN-SUB-NETWORK
  OBJ-POOL-A dynamic pool pat flat interface include the NAT (LAN, WAN) reserves
  !
  OBJ-ANYCONNECT-SUB-NETWORK dynamic interface source NAT (all, WAN) after the automatic termination
  LAN_access_in access to the LAN by-user-override interface group
  WAN_access_in access to the WAN interface group
  Access-group WAN_access_out WAN interface
  Access-Group global global_access
  Route WAN 0.0.0.0 0.0.0.0 212.x.x.x 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
  Sysopt connection tcpmss 1387
  SLA 1 monitor
  type echo protocol ipIcmpEcho 10.x.x.x WAN interface
  frequency 5
  SLA monitor Appendix 1 point of life to always start-time now

  Crypto ipsec transform-set transform-amzn ikev1 aes - esp esp-sha-hmac
  replay window-size 128 ipsec encryption security association
  Crypto ipsec pmtu aging infinite - the security association
  Crypto ipsec WAN clear-df df - bit

  card crypto amzn_vpn_map 1 match address acl-amzn
  card crypto amzn_vpn_map 1 set pfs
  amzn_vpn_map card crypto peer 52.17.201.x 52.18.197.x 1jeu
  amzn_vpn_map 1 set transform-set transform-amzn ikev1 crypto card
  amzn_vpn_map card crypto 1 lifetime of security set association, 3600 seconds
  card crypto amzn_vpn_map WAN interface
  Crypto ca trustpoint ASDM_TrustPoint0
  Terminal registration
  name of the object CN = FW-INTERNET-LON
  Configure CRL
  trustpool crypto ca policy
  crypto isakmp identity address
  Crypto ikev2 enable port 443 of the WAN-customer service
  Crypto ikev1 enable WAN
  IKEv1 crypto policy 201
  preshared authentication
  aes encryption
  sha hash
  Group 2
  lifetime 28800
  Telnet timeout 5
  SSH 0.0.0.0 0.0.0.0 WAN
  SSH timeout 5
  SSH version 2
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  source of x.x.x.x server NTP WAN
  WebVPN
  Select the WAN
  AnyConnect enable
  tunnel-group-list activate
  GroupPolicy_ANYCONNECT-group-policy PROFILE internal
  attributes of Group Policy GroupPolicy_ANYCONNECT-PROFILE
  value of server DNS 8.8.8.8 4.4.4.4
  client ssl-VPN-tunnel-Protocol
  Split-tunnel-policy tunnelspecified
  IPv6-split-tunnel-policy excludespecified
  crowdmix.me value by default-field
  activate dns split-tunnel-all
  internal filter group policy
  attributes to filter group policy
  VPN-value amzn-filter

  tunnel-group ANYCONNECT-PROFILE type remote access
  tunnel-group ANYCONNECT-PROFILE general-attributes
  ANYCONNECT-POOL address pool
  GroupPolicy_ANYCONNECT-PROFILE of default-group-strategy
  tunnel-group ANYCONNECT-PROFILE webvpn-attributes
  enable ANYCONNECT-PROFILE Group-alias
  tunnel-group 52.17.201.x type ipsec-l2l
  tunnel-group 52.17.201.x General-attributes
  filter by default-group-policy
  52.17.201.x group of tunnel ipsec-attributes
  IKEv1 pre-shared-key *.
  ISAKMP keepalive retry threshold 10 3
  tunnel-group 52.18.197.x type ipsec-l2l
  tunnel-group 52.18.197.x General-attributes
  filter by default-group-policy
  52.18.197.x group of tunnel ipsec-attributes
  IKEv1 pre-shared-key *.
  ISAKMP keepalive retry threshold 10 3
  tunnel-group 52.30.177.x type ipsec-l2l
  tunnel-group 52.31.131.x type ipsec-l2l
  !
  ICMP-class class-map
  match default-inspection-traffic
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map icmp_policy
  icmp category
  inspect the icmp
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  icmp_policy service-policy interface WAN
  context of prompt hostname
  !
  Booking Jumbo-image
  !
  no remote anonymous reporting call
  Cryptochecksum:ff493f0ff375e83710e6bc9d19476e0e
  : end

  When I add a second VPN connection by using the commands below:

  object obj-amzn2 network

  10.34.0.0 subnet 255.255.0.0

  NAT (LAN, WAN) source static obj-SrcNet obj-SrcNet destination static obj-amzn2 obj-amzn2

  I see the tunnels going up, however, we immediately begin to see the Voip system lose the SIP traffic with its servers, and even if you can still use internet if you have an open socket you can not create a new session. It looks like a problem of routing for me, but I can't seem to find the place where

  Any help greatly appreciated

  So, you want to have two virtual private networks from Amazon to blocks of different destinations, 10.32.0.0/16, and 10.34.0.0/16, correct?