Solved

NEED HELP:  Setup of Cisco's AnyConnect VPN from a ASA 5505

Posted on 2010-03-30
11
Medium Priority
2,144 Views
Last Modified: 2012-05-09
I am new to the Cisco world.  I setup an ASA 5505 - with help from my Cisco tech buddies - and am having issues getting my VPN to work.  They helped me here - but I have worked on it as well.  

I can get the client to install - sign into the Anyconnect client - get an IP address assigned from the address pool - but once here - I can't go to anything anymore.  Looks like IPv6 is used - even though I have disabled it on my Windows 7 laptops (registry and network configs) and think this may be part of the issue.  

One more thing - my friend updated the software to close to the latest versions.

Any help would be appreciated!!
0
Comment
Question by:bergstpg
  • 8
  • 2
11 Comments
 
LVL 1

Author Comment

by:bergstpg
ID: 29142061
Anyconnect version: 2.4.0202
ASA Version: 8.0(4)23
ADSM Version: 6.1(5)57
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 29212063
Would you post the ASA code here for review?

Most of the time, if the VPN client connects but there is no traffic, it's usually a missing NONAT ACL entry...   but let's have a look.
0
 
LVL 1

Author Comment

by:bergstpg
ID: 29253973
Here is a modified version of the running config - minus passwords, some IP addresses, fqdns, and a user name.

Let me know if you need more.
running-config-modified.cfg.txt
0

 
LVL 33

Expert Comment

by:MikeKane
ID: 29264082
Try adding the following.   It will create a nonat that should allow the internal network to speak with the ip local pool addresses:

access-list nonat extended permit ip 192.168.15.0 255.255.255.0 10.0.0.0 255.255.255.240
nat (inside) 0 access-list nonat

That will allow all of 192.168.15.0/24 to get back to 10.0.0.0/28 and should allow the communication through.
0
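A check for the point made in this answer, added here as an example and not code from the thread: it parses a constructed ASA 8.0-style config fragment and verifies that every address in the ip local pool is covered by the ACL bound with nat (inside) 0, i.e. that inside hosts reach the VPN pool without translation. It assumes explicit netmask syntax in the ACL (no "any" keyword) and the 192.168.15.0/24 inside network from the thread.

```python
import ipaddress
import re

# Constructed fragment of an ASA 8.0-style running config (not the poster's file);
# it contains a pool plus the two lines suggested in the answer above.
SAMPLE_CONFIG = """\
ip local pool VPNPOOL 10.0.0.1-10.0.0.14 mask 255.255.255.240
access-list nonat extended permit ip 192.168.15.0 255.255.255.0 10.0.0.0 255.255.255.240
nat (inside) 0 access-list nonat
"""

def pool_networks(config):
    """Networks covering every 'ip local pool' range (the mask keyword is optional on ASA)."""
    nets = []
    for m in re.finditer(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M):
        first, last = (ipaddress.ip_address(x) for x in m.groups())
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets

def nat0_pairs(config, interface="inside"):
    """(source, destination) pairs permitted by the ACL bound with 'nat (iface) 0 access-list'."""
    m = re.search(rf"^nat \({interface}\) 0 access-list (\S+)\s*$", config, re.M)
    if not m:
        return []  # no identity-NAT exemption on this interface at all
    pat = rf"^access-list {re.escape(m.group(1))} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    pairs = []
    for s, smask, d, dmask in re.findall(pat, config, re.M):
        pairs.append((ipaddress.ip_network(f"{s}/{smask}", strict=False),
                      ipaddress.ip_network(f"{d}/{dmask}", strict=False)))
    return pairs

def pool_is_exempt(config, inside_net, interface="inside"):
    """True if every pool address is reachable from inside_net with NAT exempted."""
    inside_net = ipaddress.ip_network(inside_net)
    pools = pool_networks(config)
    if not pools:
        return False  # no pool defined: nothing to exempt, report as not covered
    pairs = nat0_pairs(config, interface)
    return all(any(inside_net.subnet_of(src) and p.subnet_of(dst) for src, dst in pairs)
               for p in pools)

if __name__ == "__main__":
    print("pool exempt from NAT:", pool_is_exempt(SAMPLE_CONFIG, "192.168.15.0/24"))
```

Run the check against a real "show running-config" dump to confirm the exemption actually covers the whole pool before chasing client-side causes.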
 
LVL 1

Author Comment

by:bergstpg
ID: 29271251
Below is the result after I ran this from the command line:

Result of the command: "access-list nonat extended permit ip 192.168.15.0 255.255.255.0 10.0.0.0 255.255.255.240"

The command has been sent to the device


Result of the command: "nat (inside) 0 access-list nonat"

The command has been sent to the device
0
 
LVL 1

Author Comment

by:bergstpg
ID: 29272203
Unfortunately - that didn't do it.  I am getting the following errors before I try connecting using the Anyconnect client:

regular translation creation failed for protocol 41

After I make the connection I get messages like these (I replaced the user with xxxxxx to protect my identity):

Starting SSL handshake with client inside:192.168.15.107/60609 for TLSv1 session.
Device completed SSL handshake with client inside:192.168.15.107/60609
IPAA: Client assigned 10.0.0.6 from local pool
IPAA: Local pool request succeeded for tunnel-group 'CONNECTVPN'
TunnelGroup <CONNECTVPN> GroupPolicy <CONNECTPOLICY> User <davidb> IP <192.168.15.107> No IPv6 address available for SVC connection
Group <CONNECTPOLICY> User <xxxxxx> IP <192.168.15.107> First TCP SVC connection established for SVC session.
Group <CONNECTPOLICY> User <xxxxxx> IP <192.168.15.107> TCP SVC connection established without compression
Group <CONNECTPOLICY> User <xxxxxx> IP <192.168.15.107> Address <10.0.0.6> assigned to session
DAP: User davidb, Addr 192.168.15.107, Connection AnyConnect: The following DAP records were selected for this connection: CONNECTACCESSPOLICY
Built outbound UDP connection 1929898 for outside:128.177.28.170/123 (128.177.28.170/123) to inside:192.168.15.159/123 (69.180.138.81/231)
Built inbound UDP connection 1929899 for inside:192.168.15.107/51738 (192.168.15.107/51738) to identity:192.168.15.1/443 (192.168.15.1/443)
Starting SSL handshake with client inside:192.168.15.107/51738 for DTLSv1 session.
Deny IP from 10.0.0.6 to 224.0.0.22, IP options: "Router Alert"
SSL client inside:192.168.15.107/51738 request to resume previous session.
Device completed SSL handshake with client inside:192.168.15.107/51738
Group <CONNECTPOLICY> User <davidb> IP <192.168.15.107> First UDP SVC connection established for SVC session.
Group <CONNECTPOLICY> User <davidb> IP <192.168.15.107> UDP SVC connection established without compression
Device completed SSL handshake with client inside:192.168.15.107/51738
Group <CONNECTPOLICY> User <davidb> IP <192.168.15.107> First UDP SVC connection established for SVC session.
Group <CONNECTPOLICY> User <davidb> IP <192.168.15.107> UDP SVC connection established without compression
Deny IP from 10.0.0.6 to 224.0.0.22, IP options: "Router Alert"
Deny IP from 10.0.0.6 to 224.0.0.22, IP options: "Router Alert"
Teardown TCP connection 1929893 for inside:192.168.15.107/60607 to identity:192.168.15.1/443 duration 0:00:10 bytes 1459 TCP Reset-O
SSL session with client inside:192.168.15.107/60607 terminated.
etc................................................

There is also another message later on that might help:
Failed to locate egress interface for UDP from inside:fe80::3d7d:c3fa:fa7b:25cc/546 to ff02::1:2/547

Thanks a ton in advance!!!
0
 
LVL 1

Author Comment

by:bergstpg
ID: 29272315
Well I didn't get all the users in the log erased.  Whoops...  Will be changing that.
0
 
LVL 1

Author Comment

by:bergstpg
ID: 29275379
One more note - I have been trying to disable IPv6, but it seems to still show up in the ipconfig and the messages above.  Could this be an issue?  I have had issues with IPv6 on Windows 7 and 2008, so I have been disabling as I go.  These tests are running on Windows 7 boxes.  

Another note: I do have an Astaro intrusion detection server running, but I should at least be able to get to the ASA 5505 after connection - and still no luck.  The last time I tried I connected from the internet to the ASA.  Same error messages, but at least the ping of the ASA only came back with no response instead of general network failure.
0
 
LVL 1

Author Comment

by:bergstpg
ID: 29352561
I remember having issues setting up an SSL VPN Client Profile.  If I don't have one - is this my issue?

Also - in the Firewall section - I noticed the first NAT rule was the one added above - Type[Exempt], source[inside-network/24], destination(10.0.0.0/28), and interface[(outbound)]
0
 
LVL 1

Accepted Solution

by:
bergstpg earned 0 total points
ID: 29394693
Anyconnect is a pain - switching to VPN client.  Works.  Closing ticket.
0
 

Expert Comment

by:elmtree_support_team
ID: 34413771
I just had a similar issue on ASA 8.0(4) running Client 2.3 then 2.5.
Workstations were Windows 7 and it didn't affect all machines.
Disabling DTLS resolved the issue and performance with TLS seems to be fine.
0