Solved

CISCO ASA5505 VPN

Posted on 2010-09-01
Last Modified: 2012-08-13
With the help of the community, I configured VPN access on my ASA5505.  It's been a handful of months since I last used it and now it doesn't work.  It may be that I am overlooking something.  I am showing my current running config.  Does anyone see a problem with the VPN configuration?  I am browsing 75.150.224.111 to connect from the outside, which should install AnyConnect.  I am prompted to supply username and password, but I am not getting authenticated.  75.150.224.111 is not a real IP, but for the sake of illustration I am using it here.  Thank you for any help provided.
ciscoasa# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.150.224.111 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.150.224.111 eq https
access-list outside-access-in extended permit tcp any host 75.150.224.111 eq www
access-list outside-access-in extended permit tcp any host 75.150.224.111 eq smtp
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.150.224.112 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username abc password ** encrypted privilege 15
username abc password ** encrypted privilege 15
username abc password ** encrypted privilege 15
username abc attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa#

Question by:obautista
10 Comments

Accepted Solution

by:
astergiou earned 167 total points
Hello,

Try removing the below statements and try again:

static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255

With these, for http and https the ASA does not reply, but the 2 inside PCs do!!!

Author Comment

by:obautista
I am getting this error message when I run the first command:

ERROR: mapped-address conflict with existing static
  TCP inside:HTTP_ACCESS/80 to outside:75.150.224.169/80 netmask 255.255.255.255

Author Comment

by:obautista
When I attempt to browse http://75.150.224.169/ from the outside, I am prompted with the login window, but not able to log in.  I am able to log in, with the credentials I am testing with, using PuTTY inside the network, so the credentials appear to be okay.

Expert Comment

by:anoopkmr
Try the below commands for the user you are trying:

username <username> attributes  
 vpn-group-policy cisco

I can see you have added this for user abc...

Author Comment

by:obautista
Still not able to connect.  I have attached my updated running config.  I am trying to log in with the "obautista" username from the outside.  The machine I am at doesn't have the VPN client installed, so when I go to http://75.150.224.111, after authenticating, I should be prompted to download the client, correct?  This is not happening.  (Note: 75.150.224.111 is a fictional IP.)

Thanks
User Access Verification

ciscoasa> enable
Password: **********
ciscoasa# config t
ciscoasa(config)# username obautista attributes
ciscoasa(config-username)# vpn-group-policy cisco
ciscoasa(config-username)# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.150.224.111 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.150.224.111 eq https
access-list outside-access-in extended permit tcp any host 75.150.224.111 eq www
access-list outside-access-in extended permit tcp any host 75.150.224.111 eq smtp
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.150.224.112 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa(config-username)#


Assisted Solution

by:anoopkmr
anoopkmr earned 333 total points
Is authentication happening now or not?

Try the below commands:

group-policy cisco attributes
 webvpn
  svc ask none default svc
  customization value DfltCustomization

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LOCAL

Author Comment

by:obautista
That didn't work.  I have attached a couple of screenshots of what I am getting.  It shows that I am not authenticating.
1.jpg
2.jpg

Expert Comment

by:anoopkmr
Why are you including the IP address in the username field?

Instead of http, you have to use https:
https://75.150.224.111

Author Comment

by:obautista
In IE, using https://75.150.224.169 appears to be being forwarded to my Exchange.  I have attached a screenshot.  Using Firefox isn't authenticating at all.  I have attached both screenshots.  I have included my latest running config.  I have Exchange running on 192.168.1.3.  I have https traffic being forwarded to this Exchange.
Username: obautista
Password: *********
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: *********
ciscoasa# config t
ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.150.224.169 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq https
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq www
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq smtp
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.150.224.170 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
 webvpn
  svc ask none default svc
  customization value DfltCustomization
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa(config)#


3.jpg
4.jpg

Assisted Solution

by:anoopkmr
anoopkmr earned 333 total points
Try like this:

 https://75.150.224.169:500

See the image of what I am getting:
Untitled.jpg
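The thread's root cause is that TCP 443 on the outside address is a static PAT to the Exchange host while the WebVPN portal listens on port 500, so https://IP/ reaches Exchange and only https://IP:500 reaches the portal. As an added example (not from the thread, not a Cisco tool), this Python check parses the relevant lines of an ASA 8.2 running-config, records which outside TCP ports are claimed by static PAT versus the WebVPN listener, derives the portal URL, and flags management access (ssh/http/telnet) permitted from any source on outside; the config excerpt is constructed from the thread's own lines, and the port-name table covers only the names that excerpt uses.

```python
import re

# Constructed excerpt of the thread's ASA 8.2 running-config: only the lines this check reads.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 75.150.224.169 255.255.255.252
http 0.0.0.0 0.0.0.0 outside
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
ssh 0.0.0.0 0.0.0.0 outside
webvpn
 port 500
 enable outside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22}
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\S+) (\S+) (\S+)")
MGMT_RE = re.compile(r"^(ssh|http|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\w+)$")

def to_port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def analyze(config):
    """Report how TCP ports on the outside interface are claimed and where the portal lives."""
    outside_ip, webvpn_port, webvpn_ifaces = None, 443, []  # 443: ASA default when no "port"
    static_pat, findings = {}, []          # mapped port on outside -> "real_host:real_port"
    section, nameif = "", None             # block the current indented line belongs to
    for line in config.splitlines():
        if not line.startswith(" "):       # top-level command: starts a new block
            section, nameif = line.strip(), None
            if m := STATIC_RE.match(line):
                _real_if, mapped_if, mport, rhost, rport = m.groups()
                if mapped_if == "outside":
                    static_pat[to_port(mport)] = f"{rhost}:{to_port(rport)}"
            elif (m := MGMT_RE.match(line)) and m.group(2) == "outside":
                findings.append(f"{m.group(1)} management open to any source on outside")
            continue
        key, _, rest = line.strip().partition(" ")
        if section.startswith("interface"):
            if key == "nameif":
                nameif = rest
            elif key == "ip" and nameif == "outside":
                outside_ip = rest.split()[1]   # "address A.B.C.D MASK"
        elif section == "webvpn":
            if key == "port":
                webvpn_port = int(rest)
            elif key == "enable":
                webvpn_ifaces.append(rest)
    portal = None
    if "outside" not in webvpn_ifaces:
        findings.append("webvpn is not enabled on outside")
    elif webvpn_port in static_pat:        # the portal's own port is handed to an inside host
        findings.append(f"webvpn port {webvpn_port} is also static-PATed to {static_pat[webvpn_port]}: portal unreachable")
    else:
        if 443 in static_pat:              # the thread's symptom: https://IP/ lands on Exchange
            findings.append(f"https://{outside_ip}/ is PATed to {static_pat[443]}; the portal listens on {webvpn_port}")
        suffix = "" if webvpn_port == 443 else f":{webvpn_port}"
        portal = f"https://{outside_ip}{suffix}/"
    return {"outside_ip": outside_ip, "webvpn_port": webvpn_port,
            "static_pat": static_pat, "portal_url": portal, "findings": findings}
```

Running it against a config whose webvpn block has no explicit port shows the other failure mode: the default 443 listener collides with the Exchange PAT and no portal URL can work.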