akalbfell
asked on
AnyConnect Config on ASA 5520
Trying to get AnyConnect to work, but if I put in the correct username and password on the client it says "AnyConnect is not enabled on the VPN server". If I put in a wrong password it says "login failed". Everything looks enabled to me, but maybe someone will see something I'm missing.
Thanks...
Thanks...
! Running-config of an ASA 5520 on 8.0(3) as posted by the asker; the hostname, domain name and
! the public x.x.38.0/24 prefix are masked.
ASA Version 8.0(3)
!
hostname xxxxxxxxx
domain-name xxxxxxx.local
no names
! Aliases for the inside servers (10.170.1.0/22). "no names" turns alias substitution off in show
! output, which is why the rest of the config shows raw addresses rather than these labels.
name 10.170.1.208 -BES
name 10.170.1.207 -FS1-2
name 10.170.1.206 -FS1
name 10.170.1.205 -BAK
name 10.170.1.204 MAILVS
name 10.170.1.203 -MS2-2
name 10.170.1.202 -MS2
name 10.170.1.201 -MS1
name 10.170.1.200 -DC1
name 10.170.1.209 WUG
name 10.170.1.222 -EDAT
name 10.170.1.221 -EAP2
name 10.170.1.220 -EAP1
!
! Interfaces: outside (Gi0/0, security-level 0) and inside (Gi0/1, security-level 100) each carry
! a standby address for the failover pair; Gi0/3 is the LAN/STATE failover link (configured in the
! failover section further down); Management0/0 is management-only and never forwards traffic.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.38.2 255.255.255.0 standby x.x.38.3
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.170.1.250 255.255.252.0 standby 10.170.1.251
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
! Basics: passive FTP, EST/EDT clock, DNS lookups by the ASA itself go out the inside interface
! to the DC (.200) and BAK (.205) servers.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.170.1.200
name-server 10.170.1.205
domain-name xxxxxx.local
! Service and network object groups referenced by acl_outside and Block_VPN_ACCESS below. The
! DM_INLINE_* names are ASDM-generated. RDP, Citrix and Netflow are defined here but only
! DM_INLINE_TCP_1 (which repeats the Citrix port) and DM_INLINE_UDP_1 are used by acl_outside.
object-group service RDP tcp
description Remote Desktop Protocol
port-object eq 3389
object-group service DM_INLINE_UDP_1 udp
port-object eq radius
port-object eq radius-acct
object-group service Citrix tcp
port-object eq 2598
object-group service DM_INLINE_TCP_1 tcp
port-object eq 2598
port-object eq citrix-ica
port-object eq www
object-group service Netflow udp
description Netflow
port-object eq 9999
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
! WUG (10.170.1.209) and its public mapping; used by the ICMP rule that lets WhatsUp Gold ping
! the upstream routers.
object-group network DM_INLINE_NETWORK_1
network-object host 10.170.1.209
network-object host x.x.38.209
! EAP1/EAP2/EDAT hosts plus 10.170.0.148; destinations of the Block_VPN_ACCESS list.
object-group network DM_INLINE_NETWORK_2
network-object host 10.170.1.220
network-object host 10.170.1.221
network-object host 10.170.1.222
network-object host 10.170.0.148
! DC1 and BAK, the two DNS servers.
object-group network DM_INLINE_NETWORK_3
network-object host 10.170.1.200
network-object host 10.170.1.205
object-group service DM_INLINE_SERVICE_2
service-object tcp eq domain
service-object udp eq domain
! Access lists. Only acl_outside is bound to an interface (access-group ... outside, further down).
! "outbound" and "test" are not applied anywhere in the visible config, and Block_VPN_ACCESS is not
! referenced by a vpn-filter here, so none of those three currently filter anything.
access-list outbound extended deny ip 172.0.0.0 255.0.0.0 any
access-list outbound extended deny ip 169.254.0.0 255.255.0.0 any
! NOTE(review): "permit udp any eq domain any" matches on the SOURCE port (53) to any destination,
! so any inbound UDP packet whose source port is 53 is allowed to any host that has a NAT mapping.
! UDP replies to outbound DNS queries are already allowed statefully, so confirm these two entries
! (and the identical pair in "test") are really needed.
access-list acl_outside extended permit udp any eq domain any
access-list acl_outside extended permit udp any any eq domain
access-list acl_outside extended permit tcp any host x.x.38.201 eq smtp
access-list acl_outside remark Permit Access to Citrix Server from outside
access-list acl_outside extended permit tcp any host x.x.38.216 object-group DM_INLINE_TCP_1
access-list acl_outside extended permit udp any host x.x.38.208 object-group DM_INLINE_UDP_1
access-list acl_outside extended permit tcp any host x.x.38.202 eq smtp
access-list acl_outside extended permit tcp any host x.x.38.203 eq smtp
access-list acl_outside extended permit tcp any host x.x.38.204 eq www
access-list acl_outside extended permit tcp any host x.x.38.204 eq smtp
access-list acl_outside extended permit tcp any host x.x.38.204 eq https
access-list acl_outside extended permit tcp any host x.x.38.210 eq https
access-list acl_outside extended permit tcp any host x.x.38.210 eq smtp
access-list acl_outside extended permit tcp any host x.x.38.210 eq www
access-list acl_outside remark RADIUS authentication for routers to BES server/RADIUS server
access-list acl_outside extended permit udp x.x.38.0 255.255.255.0 host x.x.38.208 range 1812 1813
access-list acl_outside extended permit tcp any host x.x.38.228 eq https
access-list acl_outside extended permit udp any host x.x.38.197 eq 2055
access-list acl_outside extended permit tcp any host x.x.38.220 eq 1400
access-list acl_outside extended permit tcp any host x.x.38.230 eq www
access-list acl_outside extended permit udp any host x.x.38.209 eq syslog
access-list acl_outside remark Allow Whats Up Gold to ping Verizon and XO router to verify they are still up
access-list acl_outside extended permit object-group DM_INLINE_SERVICE_1 x.x.38.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
! VPN pool (10.10.170.0/24) to the inside network: required because "no sysopt connection
! permit-vpn" (below) makes decrypted VPN traffic subject to this interface ACL.
access-list acl_outside extended permit ip 10.10.170.0 255.255.255.0 10.170.0.0 255.255.252.0
access-list test extended permit udp any eq domain any
access-list test extended permit udp any any eq domain
! Split-tunnel network list for group-policy vpn01; only the 10.170.0.0/22 entry is active.
access-list vpn01_splitTunnelAcl extended permit ip 10.170.0.0 255.255.252.0 10.10.170.0 255.255.255.0
access-list vpn01_splitTunnelAcl extended permit ip 192.168.170.0 255.255.255.0 10.10.170.0 255.255.255.0 inactive
! NAT exemption for traffic from inside toward the VPN pool.
access-list NONAT extended permit ip any 10.10.170.0 255.255.255.0
! Despite the name these are permit entries (VPN pool -> EAP/EDAT hosts, and DNS to the DCs);
! presumably intended as a vpn-filter allow-list, but not applied in the visible config — TODO confirm.
access-list Block_VPN_ACCESS extended permit ip 10.10.170.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Block_VPN_ACCESS extended permit object-group DM_INLINE_SERVICE_2 10.10.170.0 255.255.255.0 object-group DM_INLINE_NETWORK_3
! Logging: syslog to WUG (10.170.1.209) on the inside at severity "errors". Many VPN session and
! authentication messages are logged at lower severities than errors, so while troubleshooting the
! AnyConnect failure it helps to raise the trap level (or watch "logging asdm") temporarily.
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm alerts
logging facility 16
logging host inside 10.170.1.209
logging message 106001 level warnings
mtu outside 1500
mtu inside 1500
mtu management 1500
! Address pool handed to remote-access clients (both vpn01 and xxxxx tunnel-groups use it).
ip local pool VPN_POOL 10.10.170.110-10.10.170.200 mask 255.255.255.0
! Active/standby failover: this unit is primary, LAN-based failover and state replication share
! Gi0/3 on a /30; the failover key is masked in the paste.
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.55.1 255.255.255.252 standby 192.168.55.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
! NAT. Traffic matching NONAT (inside -> VPN pool) is exempt so VPN clients see real inside
! addresses; all other inside traffic uses the x.x.38.10-100 dynamic range first, then PAT on the
! outside interface address. The static entries are 1:1 public mappings for the inside servers.
global (outside) 1 x.x.38.10-x.x.38.100 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.38.200 10.170.1.200 netmask 255.255.255.255
static (inside,outside) x.x.38.216 10.170.1.216 netmask 255.255.255.255
static (inside,outside) x.x.38.201 10.170.1.201 netmask 255.255.255.255
static (inside,outside) x.x.38.202 10.170.1.202 netmask 255.255.255.255
static (inside,outside) x.x.38.203 10.170.1.203 netmask 255.255.255.255
static (inside,outside) x.x.38.204 10.170.1.204 netmask 255.255.255.255
static (inside,outside) x.x.38.205 10.170.1.205 netmask 255.255.255.255
static (inside,outside) x.x.38.206 10.170.1.206 netmask 255.255.255.255
static (inside,outside) x.x.38.208 10.170.1.208 netmask 255.255.255.255
static (inside,outside) x.x.38.207 10.170.1.207 netmask 255.255.255.255
static (inside,outside) x.x.38.209 10.170.1.209 netmask 255.255.255.255
static (inside,outside) x.x.38.220 10.170.1.220 netmask 255.255.255.255
static (inside,outside) x.x.38.199 10.170.1.127 netmask 255.255.255.255
static (inside,outside) x.x.38.221 10.170.1.221 netmask 255.255.255.255
static (inside,outside) x.x.38.222 10.170.1.222 netmask 255.255.255.255
static (inside,outside) x.x.38.223 10.170.1.225 netmask 255.255.255.255
static (inside,outside) x.x.38.195 10.170.0.31 netmask 255.255.255.255
static (inside,outside) x.x.38.194 10.170.0.35 netmask 255.255.255.255
static (inside,outside) x.x.38.224 10.170.1.226 netmask 255.255.255.255
! acl_outside is the only ACL applied; inbound on outside. Default route to the ISP gateway, plus
! three inside routes via internal routers.
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.38.1 1
route inside 10.170.5.0 255.255.255.0 10.170.1.254 1
route inside 10.171.0.0 255.255.252.0 192.168.170.20 1
route inside 192.168.170.0 255.255.255.0 192.168.170.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! AAA: VPN users authenticate against RADIUS on the BES host (10.170.1.208, shared key masked);
! device management (SSH / ASDM) uses the LOCAL user database only.
aaa-server Rad_Serv protocol radius
aaa-server Rad_Serv host 10.170.1.208
timeout 5
key xxxxxxx
eou allow none
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
! ASDM/HTTPS management is reachable only from 10.170.0.0/22 on inside. The redirect sends plain
! HTTP arriving on outside to HTTPS, presumably for the WebVPN portal.
http server enable
http 10.170.0.0 255.255.252.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
! Decrypted VPN traffic is NOT bypassed around the interface ACL: it must be permitted by
! acl_outside (see the 10.10.170.0/24 -> 10.170.0.0/22 entry there).
no sysopt connection permit-vpn
service resetoutside
! IPsec transform sets. The SYSTEM_DEFAULT_CRYPTO_MAP entry offers DES and MD5 variants next to
! AES/SHA; DES and MD5 are legacy algorithms and can be removed from that list if no peer needs them.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
! NOTE(review): this dynamic-map shares the name "outside_map" with the crypto map but is not
! referenced by it (the map binds only SYSTEM_DEFAULT_CRYPTO_MAP), so it appears unused here.
crypto dynamic-map outside_map 30 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
! IKEv1 policy for the legacy IPsec client: PSK, AES-128, SHA-1, DH group 2, 24h lifetime.
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
! NOTE(review): the IPsec VPN Client installer is pushed from an inside host over cleartext HTTP;
! an HTTPS URL would let clients verify the download came from that host unmodified.
client-update type Windows url http://10.170.1.225/new/vpnclient_setup.exe rev-nums 5.0.03.0560
! Management access: no "telnet <addr> <iface>" lines are present, so telnet is not reachable
! despite the timeout; SSH is limited to the two inside prefixes. "console timeout 0" means a
! serial console session never times out.
telnet timeout 30
ssh 10.170.0.0 255.255.252.0 inside
ssh 10.171.0.0 255.255.252.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
ntp server 10.170.1.253 source inside prefer
! WebVPN / AnyConnect: portal and SVC are enabled on outside with the 2.3.2016 Windows image.
! NOTE(review): there is no "tunnel-group-list enable" here and no group-alias/group-url on any
! tunnel-group below, so an AnyConnect client has no way to select vpn01 and lands in
! DefaultWEBVPNGroup, whose group policy (DfltGrpPolicy) does not allow svc. That matches the
! symptom of "AnyConnect is not enabled on the VPN server" appearing only after a correct login.
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
svc enable
! NOTE(review): auto-signon for 0.0.0.0 0.0.0.0 with auth-type all forwards the user's portal
! credentials to every back-end host the portal proxies; narrow the address range to the hosts
! that actually need single sign-on.
auto-signon allow ip 0.0.0.0 0.0.0.0 auth-type all
! DfltGrpPolicy permits only l2tp-ipsec. It is what DefaultWEBVPNGroup inherits (that tunnel-group
! sets no default-group-policy below), so SVC sessions that fall into the default group are
! refused after authentication. Adding svc here, e.g. "vpn-tunnel-protocol l2tp-ipsec svc", or
! giving DefaultWEBVPNGroup "default-group-policy vpn01", would allow them.
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec
webvpn
url-list value xxxxx
! vpn01: IPsec and SVC allowed; WINS/DNS from the inside servers; idle 240 min, session 480 min;
! split tunnelling limited to vpn01_splitTunnelAcl (10.170.0.0/22 only); backup head-end y.y.165.115.
group-policy vpn01 internal
group-policy vpn01 attributes
wins-server value 10.170.1.205 10.170.1.207
dns-server value 10.170.1.200 10.170.1.205
vpn-idle-timeout 240
vpn-session-timeout 480
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn01_splitTunnelAcl
default-domain value xxxxxny.local
backup-servers y.y.165.115
! Tunnel groups. The two default groups only set the RADIUS server; vpn01 and xxxxx are the real
! remote-access groups, both using VPN_POOL and group-policy vpn01. vpn01 falls back to LOCAL
! when RADIUS is unreachable ("Rad_Serv LOCAL"); xxxxx and the defaults do not.
! NOTE(review): neither vpn01 nor xxxxx has webvpn-attributes, so AnyConnect clients are never
! offered a group alias. A minimal fix is "tunnel-group vpn01 webvpn-attributes" with
! "group-alias vpn01 enable", plus "tunnel-group-list enable" under webvpn.
tunnel-group DefaultRAGroup general-attributes
authentication-server-group Rad_Serv
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group Rad_Serv
tunnel-group vpn01 type remote-access
tunnel-group vpn01 general-attributes
address-pool VPN_POOL
authentication-server-group Rad_Serv LOCAL
default-group-policy vpn01
! Pre-shared key for the IKEv1 IPsec client (masked).
tunnel-group vpn01 ipsec-attributes
pre-shared-key *
tunnel-group xxxxx type remote-access
tunnel-group xxxxx general-attributes
address-pool VPN_POOL
authentication-server-group Rad_Serv
default-group-policy vpn01
!
! Inspection policy. preset_dns_map is defined but "inspect dns" is not listed in global_policy,
! so DNS inspection is effectively off. "policy-map global-policy" (hyphen) is a second, empty map
! distinct from global_policy and is not applied by the service-policy line; it looks like a
! leftover typo and can be removed.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map global-policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e9351539f1c022137940e435bae6b05b
: end