NEED HELP: Setup of Cisco's AnyConnect VPN from an ASA 5505

I am new to the Cisco world.  I set up an ASA 5505 - with help from my Cisco tech buddies - and am having issues getting my VPN to work.  They helped me here - but I have worked on it as well.

I can get the client to install - sign into the AnyConnect client - get an IP address assigned from the address pool - but once here - I can't go to anything anymore.  Looks like IPv6 is used - even though I have disabled it on my Windows 7 laptops (registry and network configs) and think this may be part of the issue.

One more thing - my friend updated the software to close to the latest versions.

Any help would be appreciated!!
bergstpgAsked:
bergstpgAuthor Commented:
AnyConnect version: 2.4.0202
ASA Version: 8.0(4)23
ASDM Version: 6.1(5)57
0
MikeKaneCommented:
Would you post the ASA config here for review?

Most of the time, if the VPN client connects but there is no traffic, it's usually a missing NONAT ACL entry... but let's have a look.
0
bergstpgAuthor Commented:
Here is a modified version of the running config - minus passwords, some IP addresses, fqdns, and a user name.

Let me know if you need more.
running-config-modified.cfg.txt
0
MikeKaneCommented:
Try adding the following.  It will create a nonat that should allow the internal network to speak with the ip local pool addresses:

    access-list nonat extended permit ip 192.168.15.0 255.255.255.0 10.0.0.0 255.255.255.240
    nat (inside) 0 access-list nonat

That will allow all of 192.168.15.0/24 to get back to 10.0.0.0/28 and should allow the communication through.
0
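An added sanity check (my own code, not from this thread or from Cisco): a small parser that reads the `ip local pool`, `access-list ... permit ip` and `nat (inside) 0 access-list` lines of an ASA 8.0-style config and reports any pool address that the NAT-exempt ACL does not cover, which is exactly the "client gets an address but nothing answers" failure described above. The sample config below is constructed to match the numbers in the thread and is not the poster's real running config.

```python
import ipaddress
import re

# Constructed sample: an AnyConnect address pool plus the NAT exemption
# proposed in the thread. Not the poster's actual running config.
SAMPLE_CONFIG = """
ip local pool VPNPOOL 10.0.0.1-10.0.0.14 mask 255.255.255.240
access-list nonat extended permit ip 192.168.15.0 255.255.255.0 10.0.0.0 255.255.255.240
nat (inside) 0 access-list nonat
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def nat_exemption_gaps(config):
    """Return (pool_name, address) pairs for every pool address that no
    NAT-exempt ACL line lists as a destination."""
    pools, acls, exempt_acls = [], {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools.append((m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
        elif m := ACL_RE.match(line):
            # ASA ACLs write "network mask"; ip_network accepts "net/mask".
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            acls.setdefault(m[1], []).append((src, dst))
        elif m := NAT0_RE.match(line):
            exempt_acls.add(m[2])

    # Only ACLs actually bound with "nat (iface) 0" exempt anything.
    exempt_dsts = [dst for name in exempt_acls for _, dst in acls.get(name, [])]

    gaps = []
    for name, start, end in pools:
        addr = start
        while addr <= end:
            if not any(addr in dst for dst in exempt_dsts):
                gaps.append((name, str(addr)))
            addr += 1
    return gaps


if __name__ == "__main__":
    print(nat_exemption_gaps(SAMPLE_CONFIG) or "pool fully covered by NAT exemption")
```

Run it against the real `show running-config` output; an empty result means the return path to every pool address is exempt from NAT, so remaining problems lie elsewhere (DTLS, IPv6, the client profile).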
bergstpgAuthor Commented:
Below is the result after I ran this from the command line:

Result of the command: "access-list nonat extended permit ip 192.168.15.0 255.255.255.0 10.0.0.0 255.255.255.240"

The command has been sent to the device


Result of the command: "nat (inside) 0 access-list nonat"

The command has been sent to the device
0
bergstpgAuthor Commented:
Unfortunately - that didn't do it.  I am getting the following errors before I try connecting using the AnyConnect client:

regular translation creation failed for protocol 41

After I make the connection I get messages like these (I replaced the user with xxxxxx to protect my identity):

Starting SSL handshake with client inside:192.168.15.107/60609 for TLSv1 session.
Device completed SSL handshake with client inside:192.168.15.107/60609
IPAA: Client assigned 10.0.0.6 from local pool
IPAA: Local pool request succeeded for tunnel-group 'CONNECTVPN'
TunnelGroup <CONNECTVPN> GroupPolicy <CONNECTPOLICY> User <davidb> IP <192.168.15.107> No IPv6 address available for SVC connection
Group <CONNECTPOLICY> User <xxxxxx> IP <192.168.15.107> First TCP SVC connection established for SVC session.
Group <CONNECTPOLICY> User <xxxxxx> IP <192.168.15.107> TCP SVC connection established without compression
Group <CONNECTPOLICY> User <xxxxxx> IP <192.168.15.107> Address <10.0.0.6> assigned to session
DAP: User davidb, Addr 192.168.15.107, Connection AnyConnect: The following DAP records were selected for this connection: CONNECTACCESSPOLICY
Built outbound UDP connection 1929898 for outside:128.177.28.170/123 (128.177.28.170/123) to inside:192.168.15.159/123 (69.180.138.81/231)
Built inbound UDP connection 1929899 for inside:192.168.15.107/51738 (192.168.15.107/51738) to identity:192.168.15.1/443 (192.168.15.1/443)
Starting SSL handshake with client inside:192.168.15.107/51738 for DTLSv1 session.
Deny IP from 10.0.0.6 to 224.0.0.22, IP options: "Router Alert"
SSL client inside:192.168.15.107/51738 request to resume previous session.
Device completed SSL handshake with client inside:192.168.15.107/51738
Group <CONNECTPOLICY> User <davidb> IP <192.168.15.107> First UDP SVC connection established for SVC session.
Group <CONNECTPOLICY> User <davidb> IP <192.168.15.107> UDP SVC connection established without compression
Device completed SSL handshake with client inside:192.168.15.107/51738
Group <CONNECTPOLICY> User <davidb> IP <192.168.15.107> First UDP SVC connection established for SVC session.
Group <CONNECTPOLICY> User <davidb> IP <192.168.15.107> UDP SVC connection established without compression
Deny IP from 10.0.0.6 to 224.0.0.22, IP options: "Router Alert"
Deny IP from 10.0.0.6 to 224.0.0.22, IP options: "Router Alert"
Teardown TCP connection 1929893 for inside:192.168.15.107/60607 to identity:192.168.15.1/443 duration 0:00:10 bytes 1459 TCP Reset-O
SSL session with client inside:192.168.15.107/60607 terminated.
etc.

There is also another message later on that might help:
Failed to locate egress interface for UDP from inside:fe80::3d7d:c3fa:fa7b:25cc/546 to ff02::1:2/547

Thanks a ton in advance!!!
0
bergstpgAuthor Commented:
Well I didn't get all the users in the log erased.  Whoops...  Will be changing that.
0
bergstpgAuthor Commented:
One more note - I have been trying to disable IPv6, but it seems to still show up in the ipconfig and the messages above.  Could this be an issue?  I have had issues with IPv6 on Windows 7 and 2008, so I have been disabling as I go.  These tests are running on Windows 7 boxes.  

Another note: I do have an Astaro intrusion detection server running, but I should at least be able to get to the ASA 5505 after connection - and still no luck.  The last time I tried I connected from the internet to the ASA.  Same error messages, but at least the ping of the ASA only came back with no response instead of general network failure.
0
bergstpgAuthor Commented:
I remember having issues setting up an SSL VPN Client Profile.  If I don't have one - is this my issue?

Also - in the Firewall section - I noticed the first NAT rule was the one added above - Type [Exempt], source [inside-network/24], destination [10.0.0.0/28], and interface [(outbound)].
0
bergstpgAuthor Commented:
AnyConnect is a pain - switching to VPN client.  Works.  Closing ticket.
0
elmtree_support_teamCommented:
I just had a similar issue on ASA 8.0(4) running Client 2.3, then 2.5.
Workstations were Windows 7 and it didn't affect all machines.
Disabling DTLS resolved the issue and performance with TLS seems to be fine.
0