  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4637

URGENT!! VPN connection on Vista 64 to ASA Setup??

I have a client who purchased a new laptop with Vista Home x64 and needs to make a VPN connection to their work.  They have a Cisco ASA Version 8.  I only have access to the ASDM.  How the heck can we get this VPN tunnel established?  We installed Cisco AnyConnect 2.3 and it prompts for username/password but it says "unable to establish VPN".  We tried using the built-in microsoft tool to make a VPN tunnel over IPSEC and that fails as well.....NEED HELP!!
Asked by lkingpinl
1 Solution
 
ciscoguy69Commented:
The anyconnect client will not work with standard IPSEC, it uses DTLS(SSL) as its tunneling mechanism. The windows client will only support L2TP/IPSEC, not the same IPSEC as the cisco VPN client. How is the tunnel built on the ASA? Is it just IPSEC? What transform does it use if it is?
Either way, if you have only done IPSEC tunnels using the Cisco VPN client, modifications to the config and or licensing is required.  
 
lkingpinlAuthor Commented:
I read that about AnyConnect so I enabled SSL tunneling on the ASA.  The client machine can talk to the ASA but it seems like the authentication is not being passed.  I'm using the same authentication (AD via RADIUS) as I do for the IPSEC tunnel.
Also, I enabled L2TP on the ASA so why does that not work when using the windows client?
 
ciscoguy69Commented:
On the L2TP, you have to use a transport transform using SHA as vista does not do MD5. You also have to use the default tunnel group / policy. For the SSL, you have 2 licenses by default. If you want to post the config, I can verify and or correct it. Sometimes it just takes a second set of eyes.
 
Pete LongConsultantCommented:
How to configure Anyconnect SSL VPN to ASA? see my website here http://www.petenetlive.com/Tech/Firewalls/Cisco/SSLvpn.htm
 
ciscoguy69Commented:
If you don't want to post the config, here is the L2TP example from Cisco. The L2TP setup is well outlined here but for Vista change the transform from MD5 to SHA in either ASDM or Cli config.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml
 
lkingpinlAuthor Commented:
Here is the config:
 

: Saved
:
ASA Version 8.0(3)
!
hostname RPP-ASA-FW
domain-name riverfrontplastic.com
enable password pyK6E51yj4aWw3T7 encrypted
names
name 74.94.234.197 RPP-SBS-EXT
name 10.1.10.5 RPP-SBS-INT description Small Business Server
name 10.1.10.4 RPP-CITRIX-INT description Windows 2003 with Citrix Essentials
name 74.94.234.195 RPP-CITRIX-EXT description External Address for Citrix
name 208.65.144.0 MXLogic
name 208.81.64.0 MXLogic2
name 74.94.234.196 RPP-SBS-VPN
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.10.6 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address RPP-SBS-VPN 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd PtucGu2afRsUFb1e encrypted
banner exec Riverfront Plastics Products ASA Security Appliance 5505
banner exec ***UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED***
banner login ***UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED***
banner login Disconnect now if you are not authorized.  All actions on this device are logged.
banner motd Riverfront Plastics Products ASA 5505 Adaptive Security Appliance
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name riverfrontplastic.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in_inside extended permit tcp any any eq smtp
access-list inside_out_outside extended permit tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host RPP-CITRIX-EXT eq https
access-list outside_access_in extended permit tcp any host RPP-CITRIX-EXT eq www
access-list outside_access_in extended permit tcp any host RPP-SBS-EXT eq https
access-list outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 host RPP-SBS-EXT eq smtp inactive
access-list outside_access_in extended permit tcp any host RPP-SBS-EXT eq smtp inactive
access-list outside_access_in extended permit tcp any host RPP-SBS-EXT eq www
access-list outside_access_in remark RLN Access
access-list outside_access_in extended permit tcp 38.102.15.16 255.255.255.240 host RPP-SBS-EXT eq 3389 inactive
access-list outside_access_in remark RLN Access
access-list outside_access_in extended permit tcp host 64.233.217.71 host RPP-SBS-EXT eq 3389 inactive
access-list outside_access_in extended permit tcp any any range 500 500
access-list outside_access_in extended permit tcp any host RPP-SBS-EXT eq 9675
access-list outside_access_in extended permit tcp MXLogic 255.255.248.0 host RPP-SBS-EXT eq smtp
access-list outside_access_in extended permit tcp MXLogic2 255.255.252.0 host RPP-SBS-EXT eq smtp
access-list outside_access_in extended permit tcp any host RPP-SBS-VPN eq https
access-list TimcoVPN_splitTunnelAcl standard permit 10.1.10.0 255.255.255.0
access-list 101 extended permit ip 10.1.11.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list vpninside extended permit ip 10.1.10.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list vpninside extended permit ip any 10.1.11.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 10.1.11.1-10.1.11.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit any inside
icmp permit any echo-reply outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpninside
nat (inside) 1 10.1.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) RPP-SBS-EXT RPP-SBS-INT netmask 255.255.255.255
static (inside,outside) RPP-CITRIX-EXT RPP-CITRIX-INT netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.94.234.198 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS_Timco protocol radius
aaa-server RADIUS_Timco host RPP-SBS-INT
 timeout 5
 key timcovPn
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.1.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.1.10.0 255.255.255.0 inside
telnet timeout 5
ssh 10.1.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.10.100-10.1.10.130 inside
!
threat-detection basic-threat
threat-detection statistics access-list
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.4.179-anyconnect.pkg 1
 svc profiles Timco disk0:/sslclient-win-1.1.4.179-anyconnect.pkg
 svc enable
 internal-password enable
group-policy WebVPNUsers internal
group-policy WebVPNUsers attributes
 wins-server value 10.1.10.5
 dns-server value 10.1.10.5
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TimcoVPN_splitTunnelAcl
 webvpn
  svc keep-installer installed
  svc rekey time 180
  svc rekey method ssl
  svc ask enable
group-policy TimcoVPN internal
group-policy TimcoVPN attributes
 wins-server value 10.1.10.5
 dns-server value 10.1.10.5
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TimcoVPN_splitTunnelAcl
 default-domain value Timco.local
username fwadmin password a./0qBvPide0.9h. encrypted privilege 15
username timcosslvpn password JvbST0LUExHWY3uB encrypted privilege 0
username timcosslvpn attributes
 vpn-group-policy WebVPNUsers
username rlnfw password UT38yYykfvRaKcGa encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_Pool
 authentication-server-group RADIUS_Timco LOCAL
 default-group-policy WebVPNUsers
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server RPP-SBS-INT master timeout 5 retry 2
tunnel-group TimcoVPN type remote-access
tunnel-group TimcoVPN general-attributes
 address-pool VPN_Pool
 authentication-server-group RADIUS_Timco LOCAL
 authentication-server-group (inside) RADIUS_Timco
 authorization-server-group RADIUS_Timco
 authorization-server-group (inside) RADIUS_Timco
 default-group-policy TimcoVPN
tunnel-group TimcoVPN ipsec-attributes
 pre-shared-key *
tunnel-group TimcoVPN ppp-attributes
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d3ab534e6a000e9920272a027b0027a2
: end
asdm image disk0:/asdm-603.bin
asdm location MXLogic 255.255.248.0 inside
asdm location MXLogic2 255.255.252.0 inside
asdm location RPP-SBS-VPN 255.255.255.255 inside
no asdm history enable
 
 
ciscoguy69Commented:
Which config would you prefer? L2TP(windows client) or DTLS(cisco client)?  I can give you the changes for either.
 
lkingpinlAuthor Commented:
Windows client would be better.
 
ciscoguy69Commented:
You will want to change the x's in the access list below to <internal access subnet> <internal access subnet mask> <dhcp subnet of client> <dhcp subnet mask of client>. If you have more than one subnet they will need to get to, just repeat the line and substitute the first two sets of x's. You will need to modify the DHCP local pool command to match what you want to use for your network. You will also want to change the values for your DNS / WINS servers. You will also want to set a preshared key. Basically, if you replace all the x's, you should be able to paste this in config mode and it will allow any user to connect L2TP. This includes Macs, XP, or Vista. This will use the account you create in the first line.

! the L2TP user authenticates with MS-CHAPv2, so the ASA must store an MS-CHAP
! compatible hash: the keyword for that is "mschap" (the running-config shows it
! as nt-encrypted afterwards)
username vpnuser password vpnpassword mschap
!
! exempt traffic to the VPN pool from NAT: <inside net> <mask> <client pool> <mask>
access-list nonat extended permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
nat (inside) 0 access-list nonat
!
global (outside) 1 interface
!
ip local pool clientVPNpool x.x.x.x-x.x.x.x mask x.x.x.x
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value x.x.x.x
 dns-server value x.x.x.x
 vpn-tunnel-protocol IPSec l2tp-ipsec
!
! L2TP/IPsec needs a transport-mode transform set, and Vista will not negotiate
! MD5, so the integrity algorithm is esp-sha-hmac (as the set's name says);
! listing both sets on the dynamic map lets the ASA pick the transport-mode set
! for L2TP and the existing tunnel-mode set for the Cisco VPN client
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 20
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! the Windows client cannot select a tunnel group, so everything hangs off DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group LOCAL
 default-group-policy DefaultRAGroup
!
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key xxxxxx
!
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

 
ciscoguy69Commented:
Then you can use http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml#win to configure the client. Just remember this only sets MSCHAPv2 not MSCHAPv1 or PAP
 
lkingpinlAuthor Commented:
I'm going to give this a try.  Can you also post the changes if I want to use Cisco Anyconnect client on this vista x64 machine?
 
lkingpinlAuthor Commented:
Also, will the changes you suggested affect existing users using the IPSEC VPN tunnel?  Most other clients use Cisco VPN Client 5.0 and connect via IPSec
 
ciscoguy69Commented:
Just so there is no surprise, you will lose IPSEC with the current config when you change the IPSEC transform. But all of your clients can use the windows client instead of Cisco. I will work on the changes for the anyconnect.
 
lkingpinlAuthor Commented:
Yeah I think I would prefer to have all clients continue using the Cisco VPN with IPSec and have this one guy use SSL VPN.....why did he have to buy Vista x64.  My other alternative was to install VMware on his machine he can use the Cisco client through that.
 
ciscoguy69Commented:
We could also create a different policy and bind the IPsec for the cisco clients to that. That way you could do both.
 
DonbooCommented:
Since you are authenticating locally, make sure your users are either locked to the right group policy or to none; otherwise you will get auth OK but be denied connection access due to the user landing in the wrong group policy.

you can always configure access to SSH to the ASA and debug:

term mon
debug webvpn 127

 
lkingpinlAuthor Commented:
the guy wants to use anyconnect.  please help...
 
lkingpinlAuthor Commented:
Ok, using the changes for the Windows client I can connect with my machine (XP pro 32bit) but when trying with the Vista Home x64 machine I get:
Error 789:  The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.
Here's the latest config:
 
 


: Saved
:
ASA Version 8.0(3) 
!
hostname RPP-ASA-FW
domain-name riverfrontplastic.com
enable password pyK6E51yj4aWw3T7 encrypted
names
name 74.94.234.197 RPP-SBS-EXT
name 10.1.10.5 RPP-SBS-INT description Small Business Server
name 10.1.10.4 RPP-CITRIX-INT description Windows 2003 with Citrix Essentials
name 74.94.234.195 RPP-CITRIX-EXT description External Address for Citrix
name 208.65.144.0 MXLogic
name 208.81.64.0 MXLogic2
name 74.94.234.196 RPP-SBS-VPN
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.10.6 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address RPP-SBS-VPN 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd PtucGu2afRsUFb1e encrypted
banner exec Riverfront Plastics Products ASA Security Appliance 5505
banner exec ***UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED***
banner login ***UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED***
banner login Disconnect now if you are not authorized.  All actions on this device are logged.
banner motd Riverfront Plastics Products ASA 5505 Adaptive Security Appliance
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name riverfrontplastic.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in_inside extended permit tcp any any eq smtp 
access-list inside_out_outside extended permit tcp any any eq smtp 
access-list inside_access_in extended permit ip any any 
access-list outside_access_in extended permit tcp any host RPP-CITRIX-EXT eq https 
access-list outside_access_in extended permit tcp any host RPP-CITRIX-EXT eq www 
access-list outside_access_in extended permit tcp any host RPP-SBS-EXT eq https 
access-list outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 host RPP-SBS-EXT eq smtp inactive 
access-list outside_access_in extended permit tcp any host RPP-SBS-EXT eq smtp inactive 
access-list outside_access_in extended permit tcp any host RPP-SBS-EXT eq www 
access-list outside_access_in remark RLN Access
access-list outside_access_in extended permit tcp 38.102.15.16 255.255.255.240 host RPP-SBS-EXT eq 3389 inactive 
access-list outside_access_in remark RLN Access
access-list outside_access_in extended permit tcp host 64.233.217.71 host RPP-SBS-EXT eq 3389 inactive 
access-list outside_access_in extended permit tcp any any range 500 500 
access-list outside_access_in extended permit tcp any host RPP-SBS-EXT eq 9675 
access-list outside_access_in extended permit tcp MXLogic 255.255.248.0 host RPP-SBS-EXT eq smtp 
access-list outside_access_in extended permit tcp MXLogic2 255.255.252.0 host RPP-SBS-EXT eq smtp 
access-list outside_access_in extended permit tcp any host RPP-SBS-VPN eq https 
access-list TimcoVPN_splitTunnelAcl standard permit 10.1.10.0 255.255.255.0 
access-list 101 extended permit ip 10.1.11.0 255.255.255.0 10.1.10.0 255.255.255.0 
access-list vpninside extended permit ip 10.1.10.0 255.255.255.0 10.1.11.0 255.255.255.0 
access-list vpninside extended permit ip any 10.1.11.0 255.255.255.0 
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 10.1.11.1-10.1.11.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit any inside
icmp permit any echo-reply outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpninside
nat (inside) 1 10.1.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) RPP-SBS-EXT RPP-SBS-INT netmask 255.255.255.255 
static (inside,outside) RPP-CITRIX-EXT RPP-CITRIX-INT netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.94.234.198 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS_Timco protocol radius
aaa-server RADIUS_Timco host RPP-SBS-INT
 timeout 5
 key timcovPn
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http 10.1.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.1.10.0 255.255.255.0 inside
telnet timeout 5
ssh 10.1.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.10.100-10.1.10.130 inside
! 
threat-detection basic-threat
threat-detection statistics access-list
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.4.179-anyconnect.pkg 1
 svc profiles Timco disk0:/sslclient-win-1.1.4.179-anyconnect.pkg
 svc enable
 internal-password enable
group-policy WebVPNUsers internal
group-policy WebVPNUsers attributes
 wins-server value 10.1.10.5
 dns-server value 10.1.10.5
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TimcoVPN_splitTunnelAcl
 webvpn
  svc keep-installer installed
  svc rekey time 180
  svc rekey method ssl
  svc ask enable
group-policy TimcoVPN internal
group-policy TimcoVPN attributes
 wins-server value 10.1.10.5
 dns-server value 10.1.10.5
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TimcoVPN_splitTunnelAcl
 default-domain value Timco.local
username fwadmin password a./0qBvPide0.9h. encrypted privilege 15
username timcosslvpn password JvbST0LUExHWY3uB encrypted privilege 0
username timcosslvpn attributes
 vpn-group-policy WebVPNUsers
username timcovpn password AuOzzNzO0aVjOwXT+S9Hhg== nt-encrypted
username rlnfw password UT38yYykfvRaKcGa encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) VPN_Pool
 address-pool VPN_Pool
 authentication-server-group (inside) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (inside) LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:2a8bc160f27a882a9132376477bfd5ef
: end
asdm image disk0:/asdm-603.bin
asdm location MXLogic 255.255.248.0 inside
asdm location MXLogic2 255.255.252.0 inside
asdm location RPP-SBS-VPN 255.255.255.255 inside
no asdm history enable 

 
lkingpinlAuthor Commented:
I also tried the SSL way and I can get it to work on XP but on Vista says "unable to establish VPN".  On the firewall I see it building up and then terminating repeatedly....man this is frustrating.
 
lkingpinlAuthor Commented:
here's a screenshot of the logging as I try an SSL connection using Cisco AnyConnect on a vista machine....
 
HELP!!!

asdm.jpg
 
ciscoguy69Commented:
Try "crypto isakmp policy 10" then "hash md5". I am trying to remember whether we had to change the IKE, to make Vista work with the windows client. XP plays so much better than Vista when it comes to L2TP or the anyconnect.  I was called away to a family emergency that I am still at. I will be more than happy to continue working with you tomorrow when I get back and can access my lab to verify the settings.
 
ciscoguy69Commented:
Try the previous post and please post screen shots of how you configured the Vista client. If that fixes the issue, great. If not try "crypto isakmp policy 10" "hash sha" and while connected via Vista, can you send me "show crypto ipsec sa" and "show crypto isakmp sa" from the ASA? Then try connecting again and this time have "debug crypto ipsec 7" and "debug crypto isakmp 7" going. Please post the captures. Thanks. I will load the config in the lab tomorrow and verify the results.
 
lkingpinlAuthor Commented:
problem is I can't connect via vista.  I'm looking at the ASA logs in real-time and I don't even see the requests coming through when using the Windows client.  When using SSL via AnyConnect, I see the request but it doesn't establish a finished connection.
 
DonbooCommented:
Try to move the internal websever of the ASA to another port "http server enable 5444" and then try anyconnect again.
 
lkingpinlAuthor Commented:
Nope.  Same issue.
 
 

asdm2.jpg
 
DonbooCommented:
SSH to the asa and do the debug command and post the output.

term mon
debug webvpn 128
 
lkingpinlAuthor Commented:
I can't get in via CLI....
Is this just not possible with Vista Home edition?  Does he need Vista business?
 
lkingpinlAuthor Commented:
Attempting SSL via AnyConnect I see this in the ASDM logs:
It repeats the lines below about 20 times in the log and then stops.  It then shows that there is a clientless ssl VPN tunnel in use, but on the client side you get "unable to establish vpn" near immediately....
What am I doing wrong?
 

SSL session with client outside:66.188.49.250/49198 terminated.
Device completed SSL handshake with client outside:66.188.49.250/49198
SSL client outside:66.188.49.250/49199 request to resume previous session. 
Starting SSL handshake with client outside:66.188.49.250/49198 for TLSv1 session.
Built inbound TCP connection 9506 for outside:66.188.49.250/49198 (66.188.49.250/49198) to NP Identity Ifc:RPP-SBS-VPN/443 (RPP-SBS-VPN/443)
Group <SSLUsers> User <timcosslvpn> IP <66.188.49.250> Authentication: successful, Session Type: WebVPN. 

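Read per client rather than line by line, the six log lines above already describe the failure: the same source address completes a TLS handshake and has the session terminated on port after port, and the single authentication event reports Session Type WebVPN, which the author sees on the ASA as a clientless session with no address assigned. The script below is an added example, not part of the original post: it groups ASDM log lines by client address and reports clients caught in that loop together with what their authentication event said. The sample lines are constructed after the ones posted (three rounds rather than the twenty or so seen in the thread), and the LOOP_THRESHOLD value is this script's own choice.

```python
"""Group ASDM log lines by client address and flag clients stuck in the SSL
handshake/terminate loop seen above. Added example, not part of the original
post; the sample lines are constructed after the ones posted and the
LOOP_THRESHOLD value is this script's own choice."""
import re
from collections import defaultdict

LOOP_THRESHOLD = 3  # assumption: this many terminated SSL sessions from one client is a loop

CLIENT = re.compile(r"client outside:(\d+\.\d+\.\d+\.\d+)/(\d+)")
AUTH = re.compile(r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> "
                  r"Authentication: successful, Session Type: (?P<stype>\w+)")


def analyze(lines):
    """Return {client_ip: summary} for every client whose sessions keep getting torn down."""
    stats = defaultdict(lambda: {"handshakes": 0, "terminated": 0, "ports": set(), "auth": None})
    for line in lines:
        m = CLIENT.search(line)
        if m:
            s = stats[m[1]]
            s["ports"].add(int(m[2]))  # a new source port per round means a fresh TCP connection
            if "completed SSL handshake" in line:
                s["handshakes"] += 1
            elif "terminated" in line:
                s["terminated"] += 1
        a = AUTH.search(line)
        if a:
            stats[a["ip"]]["auth"] = a.groupdict()
    report = {}
    for ip, s in stats.items():
        if s["terminated"] < LOOP_THRESHOLD:
            continue
        auth = s["auth"]
        if auth:
            # the post reports this session shows on the ASA as clientless with no IP assigned,
            # so an authenticated client that keeps being terminated never got an svc tunnel
            verdict = (f"user {auth['user']} authenticated into group {auth['group']} as "
                       f"Session Type {auth['stype']}, but {s['terminated']} sessions were terminated")
        else:
            verdict = "no successful authentication seen; check credentials or AAA server"
        report[ip] = {"handshakes": s["handshakes"], "terminated": s["terminated"],
                      "ports": len(s["ports"]), "verdict": verdict}
    return report


# Constructed sample modelled on the six lines in the post (ASDM lists newest first);
# the post saw the loop about twenty times, three rounds are enough to trip the threshold
SAMPLE_LOG = []
for _port in (49198, 49199, 49200):
    SAMPLE_LOG += [
        f"SSL session with client outside:66.188.49.250/{_port} terminated.",
        f"Device completed SSL handshake with client outside:66.188.49.250/{_port}",
        f"Starting SSL handshake with client outside:66.188.49.250/{_port} for TLSv1 session.",
        f"Built inbound TCP connection 9506 for outside:66.188.49.250/{_port} "
        f"(66.188.49.250/{_port}) to NP Identity Ifc:RPP-SBS-VPN/443 (RPP-SBS-VPN/443)",
    ]
SAMPLE_LOG.append("Group <SSLUsers> User <timcosslvpn> IP <66.188.49.250> "
                  "Authentication: successful, Session Type: WebVPN.")

if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

Feed it the lines copied out of the ASDM log viewer (or a syslog export) one per list entry; timestamps and message IDs in front of the text do not matter because both patterns search within the line. A client that authenticates but never shows an svc session and keeps being terminated is the group-policy mismatch Donboo describes above, not a credential problem, which is the distinction the verdict text makes.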
 
lkingpinlAuthor Commented:
see screenshot of session.  Again, client gets nothing....
ssl1.JPG
 
lkingpinlAuthor Commented:
why is it not getting an IP address....I just noticed that....
 
DonbooCommented:
This is my working Anyconnect configuration. I haven't had time to compare it with yours but I will try later tonight unless you do it first.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x y.y.y.y 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.101 255.255.255.0 
 
access-list outside_access_in extended permit icmp any any 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.35.0 255.255.255.0 
 
ip local pool VPNPool 192.168.35.1-192.168.37.254 mask 255.255.224.0
 
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
access-group outside_access_in in interface outside
 
http server enable 5444
 
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 subject-name CN=*******,OU=IT,O=***** ,C=**,St=******,L=*****
 keypair SSL-VPN
 crl configure
crypto ca certificate chain ASDM_TrustPoint2
 ---- Cert output omitted ----
  quit
 
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint2 outside
 
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy ANY-TEST internal
group-policy ANY-TEST attributes
 dns-server value z.z.z.z
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 split-tunnel-policy tunnelall
 default-domain value something.com
 msie-proxy except-list none
 address-pools value VPNPool
 webvpn
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  svc ask none default svc
tunnel-group TEST-ANYCONNECT type remote-access
tunnel-group TEST-ANYCONNECT general-attributes
 address-pool VPNPool
 authentication-server-group (inside) LOCAL
 authorization-server-group LOCAL
 default-group-policy ANY-TEST
tunnel-group TEST-ANYCONNECT webvpn-attributes
 group-alias ANY-TEST enable

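The two working configs in this thread (ciscoguy69's L2TP/IPsec template and Donboo's AnyConnect config above) each encode a handful of prerequisites that are easy to miss when editing through ASDM: a transport-mode transform set that uses SHA rather than MD5, NAT-T left enabled, everything for the Windows client hanging off DefaultRAGroup, and for AnyConnect a webvpn block with svc enabled plus a group-policy that allows svc and actually receives an address pool. The following script is an added example, not code from the thread or from Cisco: it parses an ASA 8.x running-config and reports which of those prerequisites are missing. The two embedded configs are constructed, trimmed versions of what was posted (the first config in the thread, and that config with the L2TP template merged in exactly as posted, esp-md5-hmac and all); the finding texts are the script's own wording.

```python
"""Check an ASA 8.x running-config for the two remote-access paths in this thread:
the Windows L2TP/IPsec client (ciscoguy69's requirements) and AnyConnect over SSL
('svc', as in Donboo's config). Added example, not code from the thread; the
embedded configs are constructed, trimmed versions of what was posted."""
import re

def parse_asa(text):
    """Map each top-level config line to its indented child lines (sub-levels flattened)."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("!", ":")):
            continue  # separators and the ': Saved' header
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def _has(lines, prefix):
    return any(line.startswith(prefix) for line in lines)

def check_l2tp(blocks):
    """L2TP/IPsec: transport-mode transform using SHA, NAT-T on, DefaultRAGroup complete."""
    findings, sets = [], {}
    for head in blocks:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", head)
        if m:  # per transform-set name: its algorithms and whether 'mode transport' is set
            algos, transport = sets.get(m[1], (set(), False))
            is_mode = m[2] == "mode transport"
            sets[m[1]] = (algos if is_mode else algos | set(m[2].split()), transport or is_mode)
    transport_sets = [n for n, (_, t) in sets.items() if t]
    if not transport_sets:
        findings.append("no transport-mode transform-set; L2TP/IPsec needs one")
    elif not any("esp-sha-hmac" in sets[n][0] for n in transport_sets):
        findings.append(f"transport transform-set {transport_sets[0]} uses MD5; Vista needs esp-sha-hmac")
    # the ASA omits default-enabled settings from the config, so only an explicit 'no' counts
    if "no crypto isakmp nat-traversal" in blocks:
        findings.append("crypto isakmp nat-traversal is disabled; clients behind NAT will fail")
    general = blocks.get("tunnel-group DefaultRAGroup general-attributes")
    if general is None:  # the Windows client cannot pick a group, so it lands in the default one
        findings.append("tunnel-group DefaultRAGroup is not configured")
        return findings
    if not _has(general, "address-pool"):
        findings.append("DefaultRAGroup has no address-pool")
    if "authentication ms-chap-v2" not in blocks.get("tunnel-group DefaultRAGroup ppp-attributes", []):
        findings.append("DefaultRAGroup ppp-attributes lacks 'authentication ms-chap-v2'")
    policy = next((l.split()[-1] for l in general if l.startswith("default-group-policy")), "DfltGrpPolicy")
    proto = [l for l in blocks.get(f"group-policy {policy} attributes", []) if l.startswith("vpn-tunnel-protocol")]
    if not proto or "l2tp-ipsec" not in proto[0].split():
        findings.append(f"group-policy {policy} does not allow l2tp-ipsec")
    return findings

def check_anyconnect(blocks, outside="outside"):
    """AnyConnect: webvpn enabled outside with svc, a policy allowing svc, and a pool reaching it."""
    findings, wv = [], blocks.get("webvpn", [])
    for needed in (f"enable {outside}", "svc enable"):
        if needed not in wv:
            findings.append(f"webvpn block lacks '{needed}'")
    svc_policies = {h.split()[1] for h, kids in blocks.items()
                    if h.startswith("group-policy ") and h.endswith(" attributes")
                    and any(k.startswith("vpn-tunnel-protocol") and "svc" in k.split() for k in kids)}
    if not svc_policies:
        findings.append("no group-policy allows vpn-tunnel-protocol svc")
    pooled = set()  # policies that receive an address-pool through a tunnel-group
    for h, kids in blocks.items():
        if h.startswith("tunnel-group ") and h.endswith(" general-attributes") and _has(kids, "address-pool"):
            pooled.add(next((k.split()[-1] for k in kids if k.startswith("default-group-policy")), "DfltGrpPolicy"))
    for p in sorted(svc_policies):
        if p not in pooled and not _has(blocks.get(f"group-policy {p} attributes", []), "address-pools value"):
            findings.append(f"group-policy {p} allows svc but no address pool reaches it")
    return findings

# Constructed excerpt of the config first posted in the thread (Cisco VPN client only)
CONFIG_BEFORE = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
no crypto isakmp nat-traversal
webvpn
 enable outside
 svc enable
group-policy WebVPNUsers attributes
 vpn-tunnel-protocol IPSec svc webvpn
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_Pool
 default-group-policy WebVPNUsers
"""
# Constructed: the same config with the L2TP template merged in as posted (set named SHA, built with MD5)
CONFIG_TEMPLATE = CONFIG_BEFORE.replace("no crypto isakmp nat-traversal", "crypto isakmp nat-traversal 20") + """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""
```

Run `check_l2tp(parse_asa(text))` and `check_anyconnect(parse_asa(text))` on saved `show running-config` output; the script only reads text, so nothing on the firewall changes. Against the first config it reports the three L2TP gaps the thread works through (no transport-mode transform set, NAT-T explicitly disabled, no DefaultRAGroup) and nothing for AnyConnect; against the merged template it flags only the MD5 transform, and once that is changed to esp-sha-hmac the L2TP findings go away.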
 
lkingpinlAuthor Commented:
I'm getting closer.  I was able to get a Vista 32bit system working with the ssl vpn web-based deployment of the anyconnect.  
I had to upgrade the firmware on the ASA so 2.3.0254 will work with it.  However, through the x64 machine, I can't get it to work.  I use the webvpn and start anyconnect link.  It runs through the activex and java and then tells me to manually install.  I did.  Yet it still will not connect....frustrating....more frustrating for the client who is ready to fire me.
 
Michael WorshamInfrastructure / Solutions ArchitectCommented:
Please be advised that per Cisco's release notes for the VPN client (5.0.02.0090 and above):

The Cisco VPN Client for Windows Vista does NOT support the following:

* System upgraded from Windows XP to Vista (clean OS installation required).
* Start Before Logon
* SmartCard Authentication
* Integrated Firewall
* InstallShield
* 64bit support
* AutoUpdate
* Translated Online Help - Provided only in English

Vista sometimes has a problem with VPNs due to its TCP Stack. Sometimes these steps also work...

netsh int ip reset %TEMP%\resetlog.txt
netsh interface tcp set global autotuning=disabled
netsh interface tcp set global chimney=disabled
netsh interface tcp set global rss=disabled

---

If you are running Windows Vista x64, there is a third party client called NCP Secure Entry Client.  You can import your Cisco VPN client settings to this client.  It's not freeware, but it solves the x64 Vista compatibility issue.

NCP Secure Entry Client: http://www.ncp-e.com/en/solutions/vpn-products/secure-entry-client.html
 
DonbooCommented:
Cisco's Anyconnect supports x64, so no worries there. There are some requirements when installing the client the first time, as you must be an administrator on the local machine.
 
VNECommented:
Microsoft and Vista strike again!!!!
 
allenfloCommented:
Alternatively, you could use a 3rd party client that works with Cisco and can be installed on Windows 64 bit systems.   This one is very similar to the Cisco client.  Tested with no issues on Windows 7 64 bit.

http://www.shrew.net/