ASA 8.2(5) anyconnect hairpinning

Hello,
I'm having some issues with my AnyConnect hairpinning. For some reason it will not let me access my sites on the WAN. I only have 3 IP addresses I need to access on the WAN, so I made a split-tunnel list for these 3 IP addresses. When I do a packet tracer everything looks correct, but when I try to ping or access the IP addresses it doesn't work.
Thanks in advance.
Here is the relevant config.
ASA Version 8.2(5)
name 1.1.1.1 Mycompany.com
name 1.1.1.2 admin.Mycompany.com
name 1.1.1.3 globalMycompany.com
name 100.64.0.0 DialinPool
same-security-traffic permit intra-interface
object-group network Mycompany_NAT_VPNaccess
 network-object host admin.Mycompany.com
 network-object host globalMycompany.com
 network-object host admin.Mycompany.com
object-group network DM_INLINE_NETWORK_1
 network-object host admin.Mycompany.com
 network-object host globalMycompany.com
 network-object host Mycompany.com
access-list Mycompany_common_splittunnel_netacl standard permit host admin.Mycompany.com
access-list Mycompany_common_splittunnel_netacl standard permit host Mycompany.com
access-list Mycompany_common_splittunnel_netacl standard permit host globalMycompany.com
access-list Mycompany_common_netacl extended permit ip DialinPool 255.255.255.0 any
ip local pool Mycompany_common_pool 100.64.0.10-100.64.0.100 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 DialinPool 255.255.255.0
dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record Mycompany_common_dap
 network-acl Mycompany_common_netacl
 webvpn
  svc ask none default svc
webvpn
 enable outside
 svc image disk0:/anyconnect-macosx-i386-3.1.06073-k9.pkg 1
 svc image disk0:/anyconnect-win-3.1.06073-k9.pkg 2
 svc profiles Mycompany_common_anyconnect_profile disk0:/Mycompany_common_anyconnect_profile.xml
 svc enable
group-policy Mycompany_common_policy internal
group-policy Mycompany_common_policy attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Mycompany_common_splittunnel_netacl
 webvpn
  svc profiles value Mycompany_common_anyconnect_profile
tunnel-group Mycompany_common_tunnelgroup type remote-access
tunnel-group Mycompany_common_tunnelgroup general-attributes
 address-pool Mycompany_common_pool
 authentication-server-group Digipass
 default-group-policy Mycompany_common_policy
tunnel-group Mycompany_common_tunnelgroup webvpn-attributes
 group-url https://myvpn.Mycompany.com enable

Found the solution myself. The problem was this bug: https://tools.cisco.com/bugsearch/bug/CSCtn56501
After deleting crypto_archive/crypto_eng0_arch_1.bin and crypto_archive/crypto_eng0_arch_2.bin it started working.
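
A check for the hairpin prerequisites visible in the post above, as an added example (not the poster's code and not a Cisco tool): it parses a pasted ASA 8.2-style excerpt and reports whether intra-interface traffic is permitted, whether the AnyConnect pool falls inside a `nat (outside)` rule that has a same-ID `global (outside)`, and whether each target is in the split-tunnel list. The function name, result keys and trimmed sample are constructed here; it does not detect the CSCtn56501 condition that turned out to be the cause.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of statements from the posted config.
SAMPLE_CONFIG = """\
name 1.1.1.1 Mycompany.com
name 1.1.1.2 admin.Mycompany.com
name 1.1.1.3 globalMycompany.com
name 100.64.0.0 DialinPool
same-security-traffic permit intra-interface
access-list Mycompany_common_splittunnel_netacl standard permit host admin.Mycompany.com
access-list Mycompany_common_splittunnel_netacl standard permit host Mycompany.com
access-list Mycompany_common_splittunnel_netacl standard permit host globalMycompany.com
ip local pool Mycompany_common_pool 100.64.0.10-100.64.0.100 mask 255.255.255.0
nat (outside) 1 DialinPool 255.255.255.0
group-policy Mycompany_common_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Mycompany_common_splittunnel_netacl
"""


def audit_hairpin(config, targets, outside="outside"):
    """Report which hairpin prerequisites appear in a pre-8.3 ASA config excerpt."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # First pass: "name <ip> <alias>" statements, so aliases can be resolved.
    names = {}
    for ln in lines:
        m = re.fullmatch(r"name (\S+) (\S+)", ln)
        if m:
            names[m.group(2)] = m.group(1)

    def net(addr, mask):
        return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

    nat = re.compile(rf"nat \({outside}\) (\d+) (\S+) (\S+)")
    glob = re.compile(rf"global \({outside}\) (\d+) ")
    pool = re.compile(r"ip local pool \S+ ([\d.]+)-([\d.]+)")
    acl = re.compile(r"access-list (\S+) standard permit (?:host (\S+)|(\S+) (\S+))")
    stl = re.compile(r"split-tunnel-network-list value (\S+)")

    nat_rules, global_ids, pools, acl_nets, tunnel_acls = [], set(), [], {}, set()
    for ln in lines:
        if (m := nat.match(ln)) and m.group(2) != "access-list":
            nat_rules.append((m.group(1), net(m.group(2), m.group(3))))
        elif m := glob.match(ln):
            global_ids.add(m.group(1))
        elif m := pool.match(ln):
            pools.append((ipaddress.ip_address(m.group(1)),
                          ipaddress.ip_address(m.group(2))))
        elif m := acl.match(ln):
            entry = (net(m.group(2), "255.255.255.255") if m.group(2)
                     else net(m.group(3), m.group(4)))
            acl_nets.setdefault(m.group(1), []).append(entry)
        elif m := stl.match(ln):
            tunnel_acls.add(m.group(1))

    # NAT IDs on the outside interface whose network holds every pool range.
    covering = {i for i, n in nat_rules
                if pools and all(a in n and b in n for a, b in pools)}
    # Networks pushed to the client by the referenced split-tunnel ACLs.
    tunneled = [n for name in tunnel_acls for n in acl_nets.get(name, [])]
    missing = [t for t in targets
               if not any(ipaddress.ip_address(t) in n for n in tunneled)]
    return {
        "intra_interface": "same-security-traffic permit intra-interface" in lines,
        "pool_matches_outside_nat": bool(covering),
        "global_for_nat_id": bool(covering & global_ids),
        "targets_not_in_split_tunnel": missing,
    }


if __name__ == "__main__":
    print(audit_hairpin(SAMPLE_CONFIG, ["1.1.1.1", "1.1.1.2", "1.1.1.3"]))
```

The posted excerpt lists no `global (outside) 1` statement, so `global_for_nat_id` is false for it; the poster shared only the "relevant config", so the statement may exist in the full configuration.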

Similar Messages

  • Question of my asa if it support anyconnect vpn

    Does my ASA's current license support using Cisco AnyConnect or Cisco Easy VPN?
    http://www9.0zz0.com/2014/03/04/11/979253014.png

    CSCO,
    Looks like you have an ASA 5505. Usually you can have up to 2 Anyconnect peers unless you specifically purchase more.
    I'm not sure about Easy VPN though.

  • ASA fails over upon anyconnect image activation

    I'm running into an odd thing here that I can't find any reference at all to in a search.  I am setting up anyconnect on an active/standby pair of ASA 5510 running 8.3(2).  Everything works great and I've got the MacOS package installed.  The odd thing is that when I try to enter the "svc image" command for the Win package, it causes the firewalls to failover every time.  I'm working with the 3.1 package and have tried both 3.1.07021 and 3.1.08009.  I've got plenty of flash space since these packages are sitting by themselves on a 2g card.  I thought that maybe the CPU was getting pegged installing the package, causing it to miss a failover poll so I increased the poll time to 15 seconds and still no go.  The failover occurs instantly when I enter the config command.  Interestingly, the win 2.5 client installs just fine but I need to be able to use it with win 8.1 so I need the 3.1 client.
    Would certainly appreciate any insight that someone might have.
    Thanks,
      Brian

    I actually don't have an xml profile defined at all.
    The failover log looks like this.  There's more, but these seem to be the relevant bits from when I attempt to activate the pkg.
    15:21:39 EDT May 1 2015
    Standby Ready Just Active HELLO not heard from mate
    15:21:39 EDT May 1 2015
    Just Active Active Drain HELLO not heard from mate
    15:21:39 EDT May 1 2015
    Active Drain Active Applying Config HELLO not heard from mate
    15:21:39 EDT May 1 2015
    Active Applying Config Active Config Applied HELLO not heard from mate
    15:21:39 EDT May 1 2015
    Active Config Applied Active HELLO not heard from mate
    As for an upgrade, I realize it might be necessary but this is a tough controlled environment where there are only quarterly maintenance windows and a long RFC process.  I'd have to point to a known bug of some sort to push an upgrade through.  Unfortunately, I can't just try to see if it works.
    Thanks for taking the time on this.

  • Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

    Greetings,
    I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASA's do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
    Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
    OR 
    Am I forced to put the ASA behind the filtering device somehow?

    Hi Jim,
    You can use tunnel default route for vpn traffic:
    ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
    configure mode commands/options:
      <1-255>   Distance metric for this route, default is 1
      track     Install route depending on tracked item
      tunneled  Enable the default tunnel gateway option, metric is set to 255
    This route is applicable for only vpn traffic.
    HTH,
    Shetty

  • ISE 1.3 -- ASA ssh and anyconnect attribute

    Hi,
    I've created a compound condition to match the AnyConnect client and authorize them as required, but the problem is: if the user does not match the AnyConnect group and matches the SSH group (a user group only for SSH to the ASA), he gets authenticated to AnyConnect and gets access to the default tunnel group.
    AnyConnect condition: device type, NAS-PORT-Type=Virtual and Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type=Anyconnect-client
    SSH condition: Device type, NAS-PORT-Type=Virtual
    Basically, if the user does not match the AnyConnect condition he can still VPN through the SSH condition.
    Thanks,
    Khaled

    Hi Neno,
    I will try to break the problem down. I use AND all the time.
    A user who is NOT part of the VPN group BUT is part of the SSH group: if he tries to VPN he will be authenticated (default authentication rule, which is not a problem) and will be authorized, but because the VPN authorization is NOT found it will not give access (normal). But as you know, the request jumps to the next rule to find a match; in this case the next rule is the SSH one.
    In the SSH rule, the user is configured, but not for VPN, only for SSH. He will be granted access to the VPN; he will hit the DEFAULT tunnel group and by default the DefaultGrupPolicy.
    Is there any unique attribute to lock down the SSH rule to only SSH?
    Thanks for your help

  • ASA 5520 Anyconnect License on Active/Standby Failover pair

    Hi
    Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users)
    I've installed both activated licenses as per the Cisco guides; I didn't get any errors on the install. I did a reload on both, and they are both back up and running as active/standby, but when I do a sh ver the license still shows "ASA 5520 VPN Plus License".
    Am I being dumb and has this worked successfully, or should it not now display AnyConnect when I do a sh ver?
    Any help would be much appreciated on this one please
    Regards
    Graham

    Thanks Marvin
    Below is the show ver, but I was kind of expecting there to be a mention of Anyconnect if I had activated the license
    We previously had the VPN Plus License, and it still shows VPN Plus
    Licensed features for this platform:
    Maximum Physical Interfaces : Unlimited
    Maximum VLANs               : 150      
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                     : Enabled  
    VPN-3DES-AES                 : Enabled  
    Security Contexts           : 2        
    GTP/GPRS                     : Disabled
    VPN Peers                   : 750      
    WebVPN Peers                 : 2        
    AnyConnect for Mobile       : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions           : 2        
    This platform has an ASA 5520 VPN Plus license.

  • Cisco any connect does not reconnect to backup ASA

    Hi
    In Cisco ASA ssl vpn using ANY connect, I have a question on ASA failover. There is an option in the ASDM (AnyConnect Client profile) where one can set a number of backup ASAs in case the primary ASA goes down, So Client can connect to backup ASA in case primary goes down.
    Primary ASA = vpn1.test.com
    Backup ASA = vpn2.test.com
    I have added the backup ASA to the backup server list in the client profile section. In the first case, when the primary ASA is down and the AnyConnect client tries to connect to the primary ASA (vpn1.test.com), then after a few seconds the AnyConnect client realizes the primary ASA is down and connects to the backup ASA.
    But in the case where the primary ASA is up and the AnyConnect client is connected, if I shut down the primary ASA, the AnyConnect client never switches to the backup ASA "vpn2.test.com".
    Can someone guide me here as to why the client does not try to reconnect to the backup when the primary ASA goes down?
    Any connect version : 3.1.02040
    ASA IoS : 9.1
    //umair

    If you want to make use of the Cisco Connect Software then the connection should be in the following way:
    Connect the Modem with the Router on the Internet Port and connect the computer with the Router to any one of the Ethernet Port [Numbered 1, 2, 3 and 4]…
    So if you try to make the connection to any other form then in that case the Cisco Connect Software may get installed but it won’t detect the Router and will not get the Internet…. If you want to configure the Router then you can do it manually…
    So if you have a DSL connection you can refer to this link:
    http://www6.nohold.net/Cisco2/ukp.aspx?pid=93&login=1&vw=1&app=search&articleid=4020&userrole=Linksy...
    So if you have a Cable Internet Connection you can refer to this link:
    http://www6.nohold.net/Cisco2/ukp.aspx?pid=93&vw=1&articleid=3686

  • Cisco anyconnect 3.1 - Certificate Validation Failure.

    When I try to start an SSL VPN connection to the ASA (8.4) with AnyConnect 3.1, Cisco AnyConnect receives a message saying "No Valid Certificates Available for Authentication".
    Prior to the test:
         On the ASA, I have obtained the CA certificate and its identity certificate. (Both certificates were obtained from a Windows 2008 CA.)
              * The ASA identity certificate has EKU attribute = Server Authentication, Key Usage = Digital Signature, Key Encipherment.
         On the PC on which AnyConnect is installed, I have obtained a User Certificate (this User Certificate was also obtained from the same Windows 2008 CA).
              * Prior to obtaining the User Certificate from the Windows 2008 CA, the ASA acts as a SCEP proxy on behalf of the client PC.
              * The User Certificate has EKU attribute = Client Authentication.
    As in the ASDM logs, it almost works.
    In days of troubleshooting, I still could not find the cause of this problem. Error message as it appeared on AnyConnect:
    Is there anyone who could help?
    Keshara from Sri Lanka.

    Just run into this as well. We have CRL checking turned on. Turned out to be the CRL server was down. But that was the same message I got when the client wouldn't connect. 

  • AnyConnect 3.1 - Failed to perform required client update checks

    I upgraded to ASA 9 and ASDM 7. Everything went perfectly except AnyConnect IKEv2 doesn't work anymore; I have a lot of errors in my Event Viewer:
    When it goes to install I get this error: Failed to perform required client update checks. Contact your system administrator
    Under Eventviewer I find:
    Function: CDownloadTask::Run
    File: .\DownloadTask.cpp
    Line: 413
    Invoked Function: CDownloadTask::getAggCfgFromSG
    Return Code: -23855090 (0xFE94000E)
    Description: DOWNLOADTASK_ERROR_PARSE_CONFIG:Could not parse configuration from secure gateway
    Function: CDownloadTask::getAggCfgFromSG
    File: .\DownloadTask.cpp
    Line: 2218
    Invoked Function: CDownloaderArgs::ParseConfigXml
    Return Code: -26673142 (0xFE69000A)
    Description: DNLDRARGS_ERROR_PARSING_CONFIG_XML:Failed to parse aggregate config xml.
    Function: CDownloaderArgs::ParseConfigXml
    File: .\DownloaderArgs.cpp
    Line: 504
    Invoked Function: CDownloaderArgs::getManifestFromConfigXml
    Return Code: -26673142 (0xFE69000A)
    Description: DNLDRARGS_ERROR_PARSING_CONFIG_XML:Failed to parse aggregate config xml.
    Function: CDownloaderArgs::getManifestFromConfigXml
    File: .\DownloaderArgs.cpp
    Line: 562
    Core manifest not present
    Function: CAutoProxy::GetAutoProxyStrings
    File: ..\Common\Proxy\AutoProxy.cpp
    Line: 1055
    Invoked Function: CAutoProxy::LoadAutoProxyStrings
    Return Code: -30539766 (0xFE2E000A)
    Description: AUTOPROXY_ERROR_NO_AUTO_PROXY

    Found a workaround, it is a bug which will be sent off to developer
    With ASA 9.0 and AnyConnect, you have to enable SSL on the IKEv2 profile. It seems that disabling this disables the ability to deliver the profile; with it enabled on the IKEv2 profile, the actual profiles get delivered without error.
    Previously I only allowed IKEv2 connections and had SSL disabled on the profile itself; now, in order for the profile to get delivered to the end user, it must also be enabled.

  • Unable to use proxy server with MAC OS X Anyconnect client

    Hi All,
    I have a VPN set up through a Cisco 5520. Windows clients connect just fine and the end users configure their browser to use our internal proxy servers. Users with the Mac OS X AnyConnect client can connect and they configure their Mac to use our proxy server, but the browsers will not work. Clients can reach networks and resources behind the VPN gateway and have access to the proxy (tried a telnet to that hostname/port). Has anyone run into this issue before? I am running ASA 8.3(2), AnyConnect (OS X) 3.1.01065.
    Thank You

    We had the same problem.
    We are behind a government firewall, so I don't know which Cisco firewall is used, but we are using AnyConnect to establish a VPN from the internet to the LAN behind the firewall. We have no problems with Windows. With Mac OS X, connecting through the proxy didn't work with Safari and Chrome (both use the system proxy setting), but it did work with Firefox (which has its own proxy setting).
    Finally we found out that ethernet MTU size was the culprit. When we set it to manual, with size being 1347 (or less), proxy started to work.

  • ASA Load-Balancing intriguing question

    I have a setup where the inside interface may be in the same private subnet, but the outside interfaces, are most likely in different public subnets.
    For example. inside on both ASA: 192.168.1.1 and 192.168.1.2 /24 and the public connected even to two different ISPs.
    My guess is that I would probably lose the possibility of failover of the load-balancing master in case this ASA goes down, but nevertheless I would still be interested in users connecting to the same public IP, with the master giving out the FQDN of the other ASA and balancing their AnyConnect entry into the network between both ASAs. Does this work this way?
    I mean, does this VPN load-balancing feature talk only across the inside network, or does it need to have the same outside subnet mask? Is it a trick of the mask on the interface?
    If not, is there a way around that? like this, if use a bogus outside interface and tunnel it somehow to the other outside in the other ASA, will still the offering of fqdn be on, so that the client connects to the other "real" public IP? 

    You can't route based on source IP with a firewall; that is only possible with a router, using PBR.
    You can make two static routes, each one pointing to a different router with a different metric.
    In this case it will make the topology like active/standby, which is not good in your case.
    But you can use subinterfaces on your ASA; in this case put each subinterface in a different subnet and a different security level
    and let each subinterface use a different HSRP instance.
    Or there is another way:
    if you don't use VPN on your ASA you can achieve it by using multiple contexts.
    With multiple contexts you are going to separate your firewall virtually,
    so if you have two VLANs in your inside network (two different subnets)
    then each subnet will use a different virtual firewall.
    You are going to divide the internal interface into two subinterfaces,
    and you can use one outside interface shared between the contexts or also separate it into two subinterfaces
    and allocate those interfaces to each context,
    so you are going to deal with each context as a different firewall
    and you can use a different HSRP instance on each context.
    But with multiple contexts you can't use VPN on the firewall.
    *****use the following method*****
    THE OTHER WAY, WHICH I ALSO SUGGEST YOU TRY, IS THE Transparent Firewall.
    In this case your firewall will operate in L2 mode,
    so you can use the routers' HSRP IPs as if there is no firewall in the path,
    which I think is helpful in your case also.
    In transparent mode the default gateway for your clients will be the HSRP IP, because the firewall will not have any IPs except for management.
    Also the users will be in the same IP subnet as the gateway, in your case the HSRP VIP,
    and you can also control the network security through the firewall normally.
    Try this way and let me know.
    see the following link for configuration
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
    please, Rate if helpful

  • AnyConnect Secure Mobility Client with Oracle ESSO 11.1.1.5

    Hello,
    we are about to implement Oracle SSO for our client whose employees use Cisco AnyConnect Secure Mobility Client 3.0.5080 to access their internal network. The VPN access requires having the correct certificate installed on the client computers and users are required to enter their credentials (the same credentials that are stored in MS AD). All the client computers run Win 7.
    Now - what we want to achieve is following: A client's employee logs into a domain, using domain account and starts the Cisco AnyConnect. The best option would be that the Oracle SSO would take it from here and do the rest in setting up the VPN connection - confirming the pre-selected profile, clicking the connect button, then filling the user credentials (from Oracle SSO database) in and confirming the dialog. Or, which is probably more viable way - the user will start AnyConnect, selecting which network to login in and the SSO will only enter the credentials and submit them to establish the connection.
    So far we have been able to create templates for Oracle SSO to automatically enter the credentials for various applications, including SAP, but we are not able to create a working template for AnyConnect. We are able to catch all the fields in the login window - Username, Password, Ok/Submit - when creating the template in ESSO-LM Admin Console, but once the template is published to the repository and added to the test user in ESSO-PG, the SSO does not fill the credentials in. We also tried to "bypass this" using SendKeys, with no result as well. All other applications work.
    Do you have any experience with such situation or have any hints what can we try?
    Thank you for any answers,
    Ondrej
    PS: I have found https://supportforums.cisco.com/message/3852541. Is it really that the AnyConnect does not allow any application any input?

    Here is a link to an example of configuring AnyConnect to use IKEv2. According to this ASA 8.4 and AnyConnect 3.1 should be ok.
    http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/113692-ac-ikev2-ca-00.html
    HTH
    Rick

  • Cisco AnyConnect Secure Mobility Client with IPsec

    Hello,
    Current equipment
    ASA 5520
    ASA Version 8.4(6)
    ASDM Version 7.1(3)
    IPsec(IKEv1)
    Cisco VPN Client
    Cisco AnyConnect Secure Mobility Client
    Version 3.1.04072
    I need to configure the VPN client with IPsec using the version of the VPN client I am talking about.
    The first time, I completed all the parameters. I noted which file was edited. The file that was edited is this file: "preferences.xml"
    c:\users\user\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client
    If I edit this file "preferences.xml" all the settings change, but that does not help me reach a solution.
    The file contains this
    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectPreferences>
    <DefaultUser>user</DefaultUser>
    <DefaultSecondUser></DefaultSecondUser>
    <ClientCertificateThumbprint></ClientCertificateThumbprint>
    <ServerCertificateThumbprint></ServerCertificateThumbprint>
    <DefaultHostName>server</DefaultHostName>
    <DefaultHostAddress></DefaultHostAddress>
    <ProxyHost></ProxyHost>
    <ProxyPort></ProxyPort>
    <SDITokenType>none</SDITokenType>
    <ControllablePreferences>
    <LocalLanAccess>false</LocalLanAccess>
    <AutoConnectOnStart>false</AutoConnectOnStart>
    <BlockUntrustedServers>false</BlockUntrustedServers></ControllablePreferences>
    </AnyConnectPreferences>
    What I need to know is the "sentence" or line of configuration that I have to introduce in this file to reference the different IPsec profile. If I am told that I must update the handle or ASDM version, I can do it.
    Can somebody help me, please?

    Here is a link to an example of configuring AnyConnect to use IKEv2. According to this ASA 8.4 and AnyConnect 3.1 should be ok.
    http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/113692-ac-ikev2-ca-00.html
    HTH
    Rick

  • Anyconnect license for ASA5520

    Dear Team,
    Below is the configuration of one of our clients and they have requested for 50 Users Anyconnect License with software being installed on client.
    ABC # sh ver
    Cisco Adaptive Security Appliance Software Version 8.2(2)
    Device Manager Version 5.2(3)
    Compiled on Mon 11-Jan-10 14:19 by builders
    System image file is "disk0:/asa822-k8.bin"
    Config file at boot was "startup-config"
    PSO-ASA up 110 days 22 hours
    failover cluster up 110 days 22 hours
    Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                  Boot microcode   : CN1000-MC-BOOT-2.00
                                  SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                  IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
      0: Ext: GigabitEthernet0/0  : address is 001e.f760.a75c, irq 9
      1: Ext: GigabitEthernet0/1  : address is 001e.f760.a75d, irq 9
      2: Ext: GigabitEthernet0/2  : address is 001e.f760.a75e, irq 9
      3: Ext: GigabitEthernet0/3  : address is 001e.f760.a75f, irq 9
      4: Ext: Management0/0       : address is 001e.f760.a760, irq 11
      5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
      6: Int: Not used            : irq 5
      7: Ext: GigabitEthernet1/0  : address is 001e.f760.b729, irq 255
      8: Ext: GigabitEthernet1/1  : address is 001e.f760.b72a, irq 255
      9: Ext: GigabitEthernet1/2  : address is 001e.f760.b72b, irq 255
    10: Ext: GigabitEthernet1/3  : address is 001e.f760.b72c, irq 255
    11: Int: Internal-Data1/0    : address is 0000.0003.0002, irq 255
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 750
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled
    This platform has an ASA 5520 VPN Plus license.
    Serial Number: JMX1210L21K
    Running Activation Key: 0x7c1f6a6e 0x44e5b71d 0xa8b04110 0x9e043c5c 0x0d329294
    Configuration register is 0x1
    Configuration last modified by enable_15 at 10:58:52.275 UTC Wed Dec 18 2013
    I have quoted them "L-ASA-SSL-50=" but am confused about the ASA licensing.
    Please let me know if this is the right one or I have to quote something else?
    Kindly let me know if we need to purchase client software for client based SSL VPN?
    Regards,
    Farhan.

    Syed,
    As per the "show version" output:
    SSL VPN Peers                  : 2
    Total VPN Peers                : 750
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Do you need AnyConnect Essentials or Premium?
    Check:
    AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 3.1
    Cisco AnyConnect Secure Mobility Client Licensing Options
    Table 2 lists licensing options for the Cisco AnyConnect Secure Mobility Client.
    Table 2. Cisco AnyConnect Secure Mobility Client Licensing Options
    License Requirements (each license below is required) | Description
    Cisco ASA Platform License
    Cisco AnyConnect Essentials[2] (P/N: (L-ASA-AC-E-55**=) 05, 10, 20, 40, 50, 80, 85)
    • Highly secure remote-access connectivity
    • Single license per ASA device model (not a per user license); enables maximum simultaneous users on platform
    • Full-tunneling access to enterprise applications
    Cisco AnyConnect Premium[3] (P/N: (L-ASA-SSL-***=) 10, 25, 50, 100, 250, 500, 1000, 2500, 5000, 10,000)
    • Also provides support for clientless SSL VPN and capabilities available on desktop AnyConnect platforms including Cisco Secure Desktop HostScan and always-on VPN connectivity
    • License is based on number of simultaneous users, and is available as a single device or shared license (part number above is for a single device license)
    Cisco AnyConnect Mobile License[5] (P/N: (L-ASA-AC-M-55*=) 05, 10, 20, 40, 50, 80, 85)
    • Enables Mobile OS platform compatibility
    • Single license per ASA device model (not a per user license) is required in addition to Essentials or Premium licenses
    Let me know if you have any further questions.
    HTH.

  • Please tell me part numbers for ASA and VPN licence order

    Hi all
    I wish to order an ASA 5515-X firewall with 250 VPN SSL licences plus the licences for mobile devices.
    Can anyone tell me the part numbers for this?
    cheers
    Carl

    I was expecting pooch pooch's recommendation to be the cheaper, but I get a slightly lower price this way, BUT check with your own in-country Cisco partner first!
    SKU              Description                                                  Quantity
    ASA5515-K9       ASA 5515-X with SW 6GE Data 1GE Mgmt AC 3DES/AES             1
    ASA5500-SSL-250  ASA 5500 SSL VPN 250 Premium User License                    1
    ASA-AC-M-5515    AnyConnect Mobile - ASA 5515-X (req. Essentials or Premium)  1
    ASA5525VPN-PM250K9 is a VPN bundle for the 5525-X that might be worth a look. As you probably realise, there isn't a 5515-X VPN bundle for 250 connections.
