obautista
CISCO ASA5505 VPN
With the help of the community, I configured VPN access on my ASA5505. It's been a handful of months since I last used it and now it doesn't work. It may be that I am overlooking something. I am showing my current running config. Does anyone see a problem with the VPN configuration? I am browsing to 75.150.224.111 to connect from the outside, which should install AnyConnect. I am prompted to supply a username and password, but I am not getting authenticated. 75.150.224.111 is not a real IP, but for the sake of illustration I am using it here. Thank you for any help provided.
ciscoasa# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 75.150.224.111 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service HTTP tcp
port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.150.224.111 eq https
access-list outside-access-in extended permit tcp any host 75.150.224.111 eq www
access-list outside-access-in extended permit tcp any host 75.150.224.111 eq smtp
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.150.224.112 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
enrollment self
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
port 500
enable inside
enable outside
svc image disk0:/AnyConnect-Windows.pkg 1
svc enable
tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
dns-server value 192.168.1.2
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
default-domain value techblendshost
address-pools value RemoteClientPool
username abc password ** encrypted privilege 15
username abc password ** encrypted privilege 15
username abc password ** encrypted privilege 15
username abc attributes
vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
address-pool RemoteClientPool
default-group-policy cisco
tunnel-group cisco ipsec-attributes
pre-shared-key *
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
class global-class
inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa#
ASKER CERTIFIED SOLUTION
ASKER
When I attempt to browse http://75.150.224.169/ from the outside, I am prompted with the login window, but I am not able to log in. I am able to log in, with the credentials I am testing with, using PuTTY inside the network, so the credentials appear to be okay.
Try the commands below for the user you are trying:
username <username> attributes
vpn-group-policy cisco
I can see you have added this for user abc...
ASKER
Still not able to connect. I have attached my updated running config. I am trying to log in with the "obautista" username from the outside. The machine I am at doesn't have the VPN client installed, so when I go to http://75.150.224.111, after authenticating, I should be prompted to download the client, correct? This is not happening. (Note: 75.150.224.111 is a fictional IP.)
Thanks
User Access Verification
ciscoasa> enable
Password: **********
ciscoasa# config t
ciscoasa(config)# username obautista attributes
ciscoasa(config-username)# vpn-group-policy cisco
ciscoasa(config-username)# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 75.150.224.111 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service HTTP tcp
port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.150.224.111 eq https
access-list outside-access-in extended permit tcp any host 75.150.224.111 eq www
access-list outside-access-in extended permit tcp any host 75.150.224.111 eq smtp
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.150.224.112 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
enrollment self
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
port 500
enable inside
enable outside
svc image disk0:/AnyConnect-Windows.pkg 1
svc enable
tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
dns-server value 192.168.1.2
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
default-domain value techblendshost
address-pools value RemoteClientPool
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
address-pool RemoteClientPool
default-group-policy cisco
tunnel-group cisco ipsec-attributes
pre-shared-key *
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
class global-class
inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa(config-username)#
SOLUTION
ASKER
Why are you including an IP address in the username field?
Instead of http, you have to use https.
https://75.150.224.111
ASKER
In IE, using https://75.150.224.169 appears to be being forwarded to my Exchange. I have attached a screenshot. Using Firefox isn't authenticating at all. I have attached both screenshots. I have included my latest running config. I have Exchange running on 192.168.1.3. I have https traffic being forwarded to this Exchange.
[Attachment: 4.jpg]
Username: obautista
Password: *********
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: *********
ciscoasa# config t
ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 75.150.224.169 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service HTTP tcp
port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq https
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq www
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq smtp
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.150.224.170 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
enrollment self
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
port 500
enable inside
enable outside
svc image disk0:/AnyConnect-Windows.pkg 1
svc enable
tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
dns-server value 192.168.1.2
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
default-domain value techblendshost
address-pools value RemoteClientPool
webvpn
svc ask none default svc
customization value DfltCustomization
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
address-pool RemoteClientPool
default-group-policy cisco
tunnel-group cisco ipsec-attributes
pre-shared-key *
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
class global-class
inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa(config)#
[Attachments: 3.jpg, 4.jpg]
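As an added example (not part of the thread, and not Cisco tooling), the following Python script reads the lines of the posted running-config that decide what answers on the outside interface address and reports, port by port, whether a static PAT entry hands the connection to an inside host or the webvpn listener terminates it on the ASA. Run against the excerpt copied from the config above, it shows that tcp/443 on the outside address is claimed by the static for 192.168.1.3 (the Exchange host the asker sees in IE) while the webvpn listener is on tcp/500, and it also flags the case where a static PAT and the webvpn listener claim the same port. The SERVICE_PORTS map and the 443 default for a webvpn block without a port line are assumptions of this script; the script does not decide which side wins when both claim one port.

```python
import re

# Constructed excerpt of the asker's posted running-config (lines copied from the
# thread): only the statements that decide what answers on the outside address.
POSTED_CONFIG = """\
interface Vlan2
nameif outside
security-level 0
ip address 75.150.224.169 255.255.255.252
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq https
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq www
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq smtp
access-list outside-access-in extended deny ip any any log
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group outside-access-in in interface outside
webvpn
port 500
enable inside
enable outside
svc enable
tunnel-group-list enable
"""

# The ASA prints well-known ports as keywords; this map covers the ones used here
# (an assumption of this script, extend it for other configs).
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25}
WEBVPN_DEFAULT_PORT = 443  # assumed default when the webvpn block has no "port" line


def to_port(token):
    """Turn an ASA port token such as 'https' or '500' into an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def analyze_outside_ports(config, outside_if="outside"):
    """Map each TCP port on the outside interface address to what claims it:
    a static PAT entry (traffic goes to an inside host) or the webvpn listener
    (traffic terminates on the ASA, which serves the AnyConnect portal)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acl_name = next((ln.split()[1] for ln in lines
                     if ln.startswith("access-group ")
                     and ln.endswith(f" in interface {outside_if}")), None)
    static_re = re.compile(r"static \((\w+),(\w+)\) tcp interface (\S+) (\S+) (\S+)")
    permit_re = re.compile(rf"access-list {re.escape(acl_name or '')} extended permit "
                           r"tcp any (?:host \S+|interface \w+) eq (\S+)")
    forwarded, acl_permits = {}, set()
    webvpn_port, webvpn_ifaces, in_webvpn = WEBVPN_DEFAULT_PORT, set(), False
    for ln in lines:
        m = static_re.match(ln)
        if m and m.group(2) == outside_if:
            forwarded[to_port(m.group(3))] = (m.group(4), to_port(m.group(5)))
            continue
        m = permit_re.match(ln) if acl_name else None
        if m:
            acl_permits.add(to_port(m.group(1)))
            continue
        if ln == "webvpn":            # top-level webvpn block starts here
            in_webvpn = True
            continue
        if in_webvpn:
            m = re.match(r"port (\d+)$", ln)
            if m:
                webvpn_port = int(m.group(1))
            elif ln.startswith("enable "):
                webvpn_ifaces.add(ln.split()[1])
            elif not ln.startswith(("svc ", "tunnel-group-list")):
                in_webvpn = False     # any other statement ends the block
    portal_port = webvpn_port if outside_if in webvpn_ifaces else None
    owners = {p: f"static PAT to {host}:{rport}" for p, (host, rport) in forwarded.items()}
    if portal_port is not None:
        if portal_port in owners:
            owners[portal_port] += " (conflicts with the webvpn listener)"
        else:
            owners[portal_port] = "webvpn listener (AnyConnect portal)"
    return {"webvpn_port": portal_port, "forwarded": forwarded,
            "acl_permits": acl_permits, "owners": owners}


def explain_browse(config, port):
    """State what a browser aimed at the outside address on `port` reaches."""
    r = analyze_outside_ports(config)
    if port in r["forwarded"]:
        host, rport = r["forwarded"][port]
        return f"forwarded by static PAT to {host}:{rport}, not the VPN portal"
    if port == r["webvpn_port"]:
        return "webvpn listener on the ASA itself (AnyConnect download page)"
    return "nothing claims this port on the outside address"


if __name__ == "__main__":
    report = analyze_outside_ports(POSTED_CONFIG)
    for port, owner in sorted(report["owners"].items()):
        allowed = "permitted" if port in report["acl_permits"] else "not listed"
        print(f"tcp/{port:<5} {owner:45} outside ACL: {allowed}")
    print("https:// on the outside address is", explain_browse(POSTED_CONFIG, 443))
```

The report lists tcp/25, tcp/80 and tcp/443 as static PATs to inside hosts and tcp/500 as the webvpn listener, so a browser on https:// reaches Exchange rather than the portal; removing the "port 500" line from the excerpt makes the script report the 443 conflict instead.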
SOLUTION
ASKER
ERROR: mapped-address conflict with existing static
TCP inside:HTTP_ACCESS/80 to outside:75.150.224.169/80 netmask 255.255.255.255