Cisco 1841 SSL VPN and Anyconnect Help

Similar Messages

• Works windows mobile with SSL VPN and anyconnect

  Hello,
  do anyone know if the following OS works with ASA 8.x SSL VPN client ,SSL clientless VPN and anyconnect client and Secure Desktop :
  windows mobile 5.0 Premium phone edition
  windows mobile 6.0
  windows embedded CE,Net
  windows mobile 2003
  Thank you for your help
  Michael

  [url=http://fztodds.24fast.info/washington225.html] washington [/url]
  [url=http://fztodds.24fast.info/washington16e.html] washington [/url]
  [url=http://fztodds.24fast.info/washingtond66.html] washington [/url]
  [url=http://fztodds.24fast.info/washington4e0.html] washington [/url]
  [url=http://fztodds.24fast.info/washington00b.html] washington [/url]
  [url=http://fztodds.24fast.info/washington1e7.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washington0a8.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washington9de.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washingtone4a.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washington4ec.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washington184.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washingtonb73.html] washington [/url]
  [url=http://ioinlfu.zotzoo.com/washington853.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washington1a5.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washingtonde7.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washington2b8.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washington902.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washingtonc99.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washingtoncc7.html] washington [/url]
  [url=http://ygkbfvp.wipou.com/washington598.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washingtonbe2.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washingtone9b.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washington4e0.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washington327.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washingtonada.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washingtond2b.html] washington [/url]
  [url=http://yfldvbz.webheri.net/washington317.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washington7cb.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washingtoneaf.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washington259.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washington8e0.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washingtonc03.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washington092.html] washington [/url]
  [url=http://odwjneh.yourfreehosting.net/washington79c.html] washington [/url]
  [url=http://aeaukol.rack111.com/washington766.html] washington [/url]
  [url=http://aeaukol.rack111.com/washingtona2e.html] washington [/url]
  [url=http://aeaukol.rack111.com/washington4c4.html] washington [/url]
  [url=http://aeaukol.rack111.com/washingtonb9f.html] washington [/url]
  [url=http://aeaukol.rack111.com/washingtond3a.html] washington [/url]
  [url=http://aeaukol.rack111.com/washington54a.html] washington [/url]
  [url=http://aeaukol.rack111.com/washington777.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washington300.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washington239.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washington7b4.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washingtonad5.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washingtone03.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washington399.html] washington [/url]
  [url=http://uhbayoe.hostrator.com/washington9e9.html] washington [/url]
  [url=http://ggaubio.hostevo.com/washington878.html] washington [/url]
  [url=http://ggaubio.hostevo.com/washington525.html] washington [/url]

• Anyconnect ssl vpn and acl

   Hi Everyone,
  I was testing few things at my home lab.
  PC---running ssl vpn------------sw------router------------ISP--------------ASA(ssl anyconnect)
  anyconnect ssl is working fine and i am also able to access internet.
  I am using full tunnel
  i have acl on outside interface of ASA
  1
  True
  any
  any
  ip
  Deny
  0
  Default
  i know that ACL is used for traffic passing via ASA.
  I need to understand the traffic flow for access to internet via ssl vpn.?
  Regards
  MAhesh

  As you say correctly, the interface-ACL is not important for that as the VPN-traffic is not inspected by that ACL. At least not by default.
  You can control the traffic with a different ACL that gets applied to the group-policy with the "vpn-filter" command. And of course you need a NAT-rule that translates your traffic when flowing to the internet. That rule has to work on the interface-pair (outside,outside).

• SSL VPN and dedicated IP address

  Hello
  I have an ASA 5505 8.3 and i setup it with ADSL 6.3
  I am trying to dedicate IP addresses to clientless SSL VPN user: is it possible ?
  If not is it possible with Anyconnect client ?
  If yes i can't perform it !
  I have a user test and i want dedicated him an IP address . After authentification user can connect to a web application but when i see the netstat, it is the IP adress of the ASA which is connected ...
  Could you help me ?
  Regards
  L.Malandain

  Two ways -
  Frist create pool with one IP address and assign that to group policy.
  Second- modify the user atributes-
  username test password xxxxx
  username test attributes
  vpn-framed-ip-address
  Thanks
  Ajay

• Ssl vpn and soft phone

  Does the ASA or IOS support an SSL VPN that includes the Cisco softphone like it does say RDP, SSH, etc?  I'm trying to determine if I can have a user connect a soft phone to our parent company's SSL VPN so they can use their Cisco phone system, while simultaneously having a remote access vpn tunnel to our division's data network.  In short, our employees need to use phones that don't exist on our network while having access to our data network.  I've been able to test having an SSL vpn session open at the same time as an IPSec remote access session, but the softphone is not an option in my current code of 8.4 on the ASA.  I thought I heard it might be available in 9.0.  It seems like it would work in reverse, i.e. having my users connect to my SSL VPN to use my data network and then IPSec to our parent company for the client's locally installed soft phone, but that's not an option for me.  The link below seems to suggest it's possible in IOS at least, but I haven't been able to find any details beyond the sales pitch it offers.
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_securing_voice_traffic_with_cisco_ios_ssl_vpn.html
  thank you

  Following links may help you
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008072462a.shtml

• Cisco IOS SSL VPN Not Working - Internet Explorer

  Hi All,
  I seem to be having a strange SSL VPN issue.  I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7).  Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage".  It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens).  It only seems to work with Firefox.  It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
  Below is the config snippet:
  username vpntest password XXXXX
  aaa authentication login default local
  crypto pki trustpoint TP-self-signed-1873082433
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1873082433
  revocation-check none
  rsakeypair TP-self-signed-1873082433
  crypto pki certificate chain TP-self-signed-1873082433
  certificate self-signed 01
  --- omitted ---
          quit
  webvpn gateway SSLVPN
  hostname Router
  ip address X.X.X.X port 443 
  ssl encryption aes-sha1
  ssl trustpoint TP-self-signed-1873082433
  inservice
  webvpn context SSLVPN
  title "Blah Blah"
  ssl authenticate verify all
  login-message "Enter the magic words..."
  port-forward "PortForwardList"
     local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
  policy group SSL-Policy
     port-forward "PortForwardList" auto-download
  default-group-policy SSL-Policy
  gateway SSLVPN
  max-users 3
  inservice
  I've tried:
  *Enabling SSL 2.0 in IE
  *Adding the site to the Trusted Sites in IE
  *Adding it to the list of sites allowed to use Cookies
  At a loss to figure this out.  Has anyone else come across this before?  Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
  Thanks

  Hi,
  I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
  Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try.

• Clientless SSL VPN and ActiveX question

  Hey All,
  First post for me here, so be gentle.  I'll try to be as detailed as possible.
  With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports.  However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site, and their NOC center.  I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session setup.  Ultimately, this will be 8 individual sites, so setting up SSL VPN's at each site would be cost prohibitive from a licensing perspective.  My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPN's via ASA5505, (same rev as the 5510 )setup with each of the sites.
  First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server).  I am unable to browse (via bookmark) to the internal address of the remote web server.  Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal.  I am testing this external connectivity using a cell card to be able to simulate outside access.  Is accessing the external IP address by design, or do I have something hosed?
  Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions.  I am not able to use controls that require my company's ActiveX controls (video, primarily).  I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through.  The stream only runs at about 5 fps, so it's not an intense stream.
  I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail.  I do see a decent number of "no translates" from a show nat:
    match ip inside any outside any
      NAT exempt
      translate_hits = 8915, untranslate_hits = 6574
  access-list nonat extended permit ip any any log notifications
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
  access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
  access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
  access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
  access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
  access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
  access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
  access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
  access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
  access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
  access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
  access-list outside_in extended permit icmp any any log notifications
  access-list outside_in extended permit tcp any any log notifications
  pager lines 24
  logging enable
  logging asdm informational
  logging ftp-server 192.168.16.34 / syslog *****
  mtu inside 1500
  mtu outside 1500
  ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  no asdm history enable
  arp timeout 14400
  global (inside) 1 interface
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 192.168.16.32 255.255.255.224
  nat (inside) 1 192.168.17.0 255.255.255.0
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group outside_in in interface outside
  192.168.2.0 is my corp network range
  192.168.2.171 is my internal IP for corp ASA5510
  97.x.x.x is the external interface for my corp ASA5510
  192.168.16.34 is the internal interface for the remote ASA5505
  64.x.x.x is the external interface for the remote ASA5505
  192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
  As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out   Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% proper to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505.  I'm sure that the issue is probably going to be a mix of ACL's between the 5510, and the 5505.
  I guess the main question, is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install, or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN.  Am I going about this the right way?  Anyone have any suggestions, or do I have my config royally hosed?
  Thanks much for any and all ideas!

  Hey All,  I appreciate all of the views on this post.  I would appreciate any input - even if you think it might be far-fetched.  I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself.  Thanks, in advance!!

• SSL VPN and Dynamic DNS - ddns on IOS

  Hello,
  I'm trying to configure a SSL VPN tunnel via SDM on a 877 Router. The router gets the public IP address dynamically from the ISP, so I have configured the DDNS to access remotely to the router. I would like to know if it's possible to configure the SSL VPN to support the dynamic IP via SDM o CLI.
  Regards
  Gerard

  Seems like i have fixed the problem using:
  webvpn gateway gateway_1
  ip interface Dialer0 port 443
  ssl trustpoint local
  inservice
  However when the router is rebooted, it results in this error:
  Invalid ip address First configure an IP address for the gateway
  Any idea how to delay the webvpn commands at startup until dialer0 gets a dynamic IP ?

• IP Phone SSL VPN and Split tunneling

  Hi Team,
  I went throught the following document which is very useful:
  https://supportforums.cisco.com/docs/DOC-9124
  The only things i'm not sure about split-tunneling point:
  Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
  I could see many implementation when they used split-tunneling, like one of my customer:
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  banner value This system is only for Authorized users.
  dns-server value 10.64.10.13 10.64.10.14
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value prod.mobily.lan
  address-pools value SSLClientPool
  webvpn
    anyconnect keep-installer installed
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect ask none default anyconnect
  username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
  username manager-max attributes
  vpn-group-policy GroupPolicy1
  tunnel-group PhoneVPN type remote-access
  tunnel-group PhoneVPN general-attributes
  address-pool SSLClientPool
  authentication-server-group AD
  default-group-policy GroupPolicy1
  tunnel-group PhoneVPN webvpn-attributes
  group-url https://84.23.107.10 enable
  ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
  access-list split-tunnel remark split-tunnel network list
  access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
  It is working for them w/o any issue.
  My question would be
  - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
  Thanks!
  Eva

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• SSL VPN Webauth/anyconnect failue

  So with our setup we're using the SSL webauth page as it uses RSA Adaptive Authentication as the second factor for auth. In the DAP we then push the connection over to anyconnect. The result is this.
  1. Webauth to AD
  2. RSA auth with questions
  3. DAP match
  4. Anyconnect verification/download/upgrade/connect
  At the 4th stage the anyconnect downloader completes all the apropriate checks for install, version upgrade, and then connect.
  We have a user with a windows 7 machine that's failing on this 4th step. I've watched the 1st three phases succeed each time and then when it comes time for the 4th step there's no indication of an issue. The webpage just defaults back to the login page with no error or any information as to what occured or didn't occur.
  In the logs I see the following
  - Primary auth pass
  - Secondary auth pass
  - DAP match success
  - Unknown logs
  Below is what I see in the logs for the issue user and my session
  Jan 10 2013 17:51:00: %ASA-6-734001: DAP: user issueuser, Addr x.x.x.x, Connection Clientless: The following DAP records were selected for this connection: xxx
  Jan 10 2013 17:51:00: %ASA-7-720041: (VPN-Primary) Sending Create RAMFS message change path sessions/27017216/user:issueuser to standby unit
  Jan 10 2013 17:51:00: %ASA-6-716001: Group <company> user <issueuser> IP <x.x.x.x> WebVPN session started.
  Jan 10 2013 17:51:00: %ASA-7-720041: (VPN-Primary) Sending Create WebVPN Session message user issueuser, IP x.x.x.x to standby unit
  Jan 10 2013 17:51:00: %ASA-6-716038: Group <company> user <issueuser> IP <x.x.x.x> Authentication: successful, Session Type: WebVPN.
  Jan 10 2013 18:21:25: %ASA-7-720041: (VPN-Primary) Sending Delete WebVPN Session message user issueuser, IP x.x.x.x to standby unit
  Jan 10 2013 18:21:25: %ASA-6-716002: Group <company> user <issueuser> IP <x.x.x.x> WebVPN session terminated: Idle Timeout.
  Jan 10 2013 20:12:50: %ASA-6-734001: DAP: user mysession, Addr x.x.x.x, Connection Clientless: The following DAP records were selected for this connection: company-Non-Owned
  Jan 10 2013 20:13:06: %ASA-4-722041: TunnelGroup <company> GroupPolicy <company> issueuser <mysession> IP <x.x.x.x> No IPv6 address available for SVC connection
  Jan 10 2013 20:13:06: %ASA-5-722033: Group <company> user <mysession> IP <x.x.x.x> First TCP SVC connection established for SVC session.
  Jan 10 2013 20:13:06: %ASA-6-722022: Group <company> user <mysession> IP <x.x.x.x> TCP SVC connection established without compression
  Jan 10 2013 20:13:06: %ASA-7-746012: issueuser-identity: Add IP-user mapping x.x.x.x - LOCAL\mysession Succeeded - VPN user
  Jan 10 2013 20:13:06: %ASA-7-746012: issueuser-identity: Add IP-user mapping session.ip.address - LOCAL\mysession Succeeded - VPN user
  Jan 10 2013 20:13:06: %ASA-4-722051: Group <company> user <mysession> IP <x.x.x.x> Address <session.ip.address> assigned to session
  Thanks for any help and/or suggestions.

  Agree with Andrew, DG is something you cannot change as it is virtualy assigned, unless indicated by Andrew.
  Where is the tunnel terminated at inside, outside interfaces? I suspect you are probably using Webvpn Pool IP range scheme as an already used subnet from inside where your DC resides, if this is the case use a different private IP network for WebVPN tunnel group.
  HTH
  Jorge

• Trying to set up a ssl vpn and can't get to it from outside?

  I have a barracuda sslvpn and a
  Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
  Internal ATA Compact Flash, 256MB
  BIOS Flash M50FW016 @ 0xfff00000, 2048KB
  When I try and edit the vpn service object to say destination 444 source default insted of source 444 I get this.
  [OK] object service VPN
        object service VPN
  [ERROR] service tcp destination eq 444
  Object is used in IPv6 access-list out_in. Can't change IP to IPv4.
  ERROR: object (VPN) updation failed due to internal error

  HI franklyhollywood:
  Joomla is easy to set up (install) once Mysql and PHP is properly set up. CMS (Content Management
  System) websites are the way to go. I am migrating all my sites to CMS, either full CMS or Partial
  CMS. The Server Guys (and Girls) can help you get it set up properly. If you don't want the hassle
  of configuring MySql and PHP on your Mac, use the preconfigured MAMP setup:
  http://www.mamp.info/en/index.html
  I am only interested in the final product (the website), so I chose MAMP to handle the database and
  scripting language (PHP) chores. MAMP can be Installed, configured and up and running in minutes,
  leaving me free to develop and make ready my sites for uploading to their eventual home on my
  hosting provider's server.
  Kj ♘

• IP Phone SSL VPN to ASA using AnyConnect

  I have a CUCM 7.1.5. We are using Phone proxy today. I wanted to upgrade to IP phone SSL VPN.
  I know in 8.x and 9.x the Proxy phone is not supported and Cisco supports SSL VPN.
  However, The question is: if CUCM 7.1.5 supports Phone SSL VPN.
  Lastly,
  I hear about Collaboration Edge in CUCM 10.x
  If CUCM 10.x is deployed then how the ASA concept plays a role here.
  What type of license I would need for Collaboration Edge to register the endpoints\phones from outside of network. 
  I cant find any information about the Colaboration Edge on the Internet...
  Message was edited by: Sean Poure

  The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
  http://www.cisco.com/en/US/netsol/ns1246/index.html
  PS- Jason could have found out details in advance since DiData has partner NDA status.
  Please remember to rate helpful responses and identify helpful or correct answers.

• Anyone using Cisco Clean Access with Juniper SSL VPN?

  We're testing Cisco Clean Access with Juniper SSL VPN, and are running into a problem with single sign on. The Juniper box is sending the user's source IP as the framed-ip-address, and not the Network Connect assigned IP, which is why we need to get SSO to work. Has anyone done this, and what did you do to get it working? Thanks.

  Hi,
  I've no experience with this app but it does list
  Juniper as a sujpported client:
  http://www.equinux.com/us/products/vpntracker/interoperability.html

• SSL VPN with client, anyconnect.

  I've set up a simple test on SSL VPN with client on a 3800.
  It didnt work. I assume i have to turn on the IP http server so that the client can hit it.
  but when I turned it on, the client goes to SDM, nothing with ssl vpn happened. it tells me the pay is not available.
  The underlying routing is fine.
  Could you tell me where it is configured wrong?
  Config is copied below.
  thanks,
  Han
  =======
  Current configuration : 3340 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Router
  boot-start-marker
  boot-end-marker
  enable password cisco
  aaa new-model
  aaa authentication login default local
  aaa session-id common
  no network-clock-participate slot 1
  crypto pki trustpoint TP-self-signed-3551041125
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3551041125
  revocation-check none
  rsakeypair TP-self-signed-3551041125
  crypto pki certificate chain TP-self-signed-3551041125
  certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33353531 30343131 3235301E 170D3131 31313135 31383238
  30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35353130
  34313132 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CFCF CFFAD76A 50DA82C9 8D4E3F90 64AD24EB 5409C5E2 43BC64F3 07F6C0E0
  29FF2D71 0DA0D897 2F814BD2 7F817503 429D4BC6 6AD6EEA4 DFA74BAD 0EAF84D5
  6ED55EC0 6C637178 BEEBCD1D 184BB90C CA84E974 48003885 87B53F2E 36A04661
  23DA2CBB DD8EEE1D 2F25AF9A E21DC288 BF76A17C C1F4BA07 95F09377 A12BE01A
  53750203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17526F75 7465722E 776E7362 6E6F632E 696E7465 726E616C
  301F0603 551D2304 18301680 14BE9E8F ED788928 560D7CA1 EED89B0D DE34D772
  5D301D06 03551D0E 04160414 BE9E8FED 78892856 0D7CA1EE D89B0DDE 34D7725D
  300D0609 2A864886 F70D0101 04050003 818100BC 4A2A3C47 7BF809AF 78EE0FD9
  73692913 F280765E BAFAECAB ED32C38D 3030810B C62C7F45 13C8A6EE AE96A891
  CDD4C78B 803299AD EB098B27 383CEF6F 0E2B811F 3ECFADBA 07CD0AC6 BBB8C5FE
  B2FC0FD8 562B7100 BB28036E 4575D1F5 B17687C6 8EACBD66 A9E52FEE A030E69A
  CAAE9F1B 618FA59D 02C25BC8 77D6CAC2 C7E56F
  quit
  dot11 syslog
  ip cef
  multilink bundle-name authenticated
  voice-card 0
  no dspfarm
  username cisco1 privilege 15 secret 5 $1$L2RA$Zqs6FLce5Ns5fny5aRL49/
  archive
  log config
  hidekeys
  interface GigabitEthernet0/0
  ip address dhcp
  duplex auto
  speed auto
  media-type rj45
  end
  interface Loopback1
  ip address 1.1.1.1 255.255.255.0
  interface GigabitEthernet0/0
  ip address dhcp
  duplex auto
  speed auto
  media-type rj45
  ip local pool svc-poll 1.1.1.50 1.1.1.100
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 192.168.1.254
  ip http server
  no ip http secure-server
  control-plane
  line con 0
  logging synchronous
  line aux 0
  line vty 0 4
  scheduler allocate 20000 1000
  webvpn gateway SSLVPN
  ip interface GigabitEthernet0/0 port 443
  ssl trustpoint local
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn context SSLVPN
  ssl authenticate verify all
  policy group default
     functions svc-required
     svc default-domain "test.org"
     svc keep-client-installed
     svc split dns "primary"
  default-group-policy default
  gateway SSLVPN
  inservice
  end

  Using the SDM follow the below config example
  http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml
  The text "cisco 3800 ssl vpn configuration" in my favorite search engine, identified the above.
  HTH>

• EasyVPN on RV320 + SSL-VPN + Mac IPSec

  I just bought a Cisco RV320, and am trying to get it configured for providing VPN connectivity
  Starting with the EasyVPN I have setup a full tunnel using the defaults, and it shows it created to the ip address 192.168.168.0/24 - which makes sense to me as that is the local LAN the device is connected to.
  When I go the "Summary" page, it shows the Virtual IP Range as 172.16.100.100-100.129.
  I've installed the EasyVPN client on my target (Windows) machine, I get a connect, and I am tunnelled through the VPN, I can get out to the internet, but I have no access to the 192.168.168.0/24 network which is the desired local LAN I want to connect to.
  It would appear that I am missing a route from the virtual 172.16.100.0 network to the local LAN.  Any suggestions on how to resolve this?
  As a backup, I tried setting up the SSL-VPN, and while I authenticate and connect, every time I try to launch the VirtualPassage get an error that the "Port is in use", and the adapter fails to install.
  I also have a Mac that I want to use with this device.  The CD came with a client - vpnclient-darwin-4.9.01.0280-universal-k9.dmg - which installs, but gives an error saying it cannot talk to the VPN subsystem.
  Is an EasyVPN an actual IPSec VPN, and will the native Mac Cisco IPSec VPN work as a client?
  My priorities are:
  1.  Get the EasyVPN working in full tunnel mode on my Win-7 x32, and be able to connect to the target 192.168.168.0 network.
  2.  Get the VPN going on my Macbook (running Mavericks)
  3.  Get the SSL VPN working.
  If anyone can help me with this it would be greatly appreciated.
  One last question - the RV320 also allows the creation of a "Group VPN".  What is the difference between it and the EasyVPN?  It looks pretty similar except for the "Remote Client Domain Name" which can't be left empty.  The remote client will be multiple laptops: what would one put for a Domain Name?
  The EasyVPN is just that, but if I want a real IPSec VPN with a "shared secret", and be compatible with the Mac, what is the best way to configure the RV320?
  As an aside, I know the Mac Cisco IPSec client works as I use it to connect to my work VPN which is an enterprise level ASA device.
  Thanks for any help you can give.

  The short answer is , get rid of the RV320 and get a different router.
  The RV320 VPN is buggy and Cisco apparently couldn't care less since the last firmware was released over 7 month ago.
  I haven't been able to get mine to work consistently and found out that I'm not alone after searching the web for an answer.
  You could give PPTP a try if you are not too concerned about security.
  Good luck.