IP Phone SSL VPN through ASA

Similar Messages

• IP Phone SSL VPN to ASA using AnyConnect

  I have a CUCM 7.1.5. We are using Phone proxy today. I wanted to upgrade to IP phone SSL VPN.
  I know in 8.x and 9.x the Proxy phone is not supported and Cisco supports SSL VPN.
  However, The question is: if CUCM 7.1.5 supports Phone SSL VPN.
  Lastly,
  I hear about Collaboration Edge in CUCM 10.x
  If CUCM 10.x is deployed then how the ASA concept plays a role here.
  What type of license I would need for Collaboration Edge to register the endpoints\phones from outside of network. 
  I cant find any information about the Colaboration Edge on the Internet...
  Message was edited by: Sean Poure

  The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
  http://www.cisco.com/en/US/netsol/ns1246/index.html
  PS- Jason could have found out details in advance since DiData has partner NDA status.
  Please remember to rate helpful responses and identify helpful or correct answers.

• IP Phone SSL VPN to ASA for multiple CUCM (CallManager)

  hi all,
  I have a case to support multiple CallManager clusters in different locations for internet SSL VPN IP Phone. We will deploy one ASA firewall for SSL VPN IP Phone connections. So, can we use single ASA firewall for mulitple CUCM clusters?? In order words, Internet IP Phone will connect to different CUCM via a single ASA firewall (by using SSL VPN).
  I tested I need to upload the ASA's certificate into CUCM and upload CUCM's certificate into ASA for one ASA to one CUCM. If I create multiple profile (e.g. different URL for phone logins) for different CUCM. Is it possible to do that?
  thanks for your input!
  Samuel

  Samuel,
  Did you ever find an answer to your question? I have a similar scenario.
  Any input would be appreciated.

• Jabber client and IP Phone SSL VPN to ASA using AnyConnect

  Also for Jabber 9.1 can the Jabber for X softphone client (CUCM) can fireup a SSL VPN direct to ASA, similar to how 7965s can? Anyone aware if Jabber 10 or next version will support Jabber client with ASA? I have this delpoyed with 7965s and certificates but I have to manually start a AnyConnect session for Jabber for Windows on my laptop.
  https://supportforums.cisco.com/docs/DOC-9124

  The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
  http://www.cisco.com/en/US/netsol/ns1246/index.html
  PS- Jason could have found out details in advance since DiData has partner NDA status.
  Please remember to rate helpful responses and identify helpful or correct answers.

• IP Phone SSL VPN - Licenses required.

  Hi,
  Can someone confirm the linceses required for me to get this working. I understand that it needs the 'AnyConnect for Cisco VPN Phone' license but do I also need to have anyconnec essentials? This is for ASA version 8.2 and the a license info below is for the ASA i intend to delpoy this on.
  Thanks
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 250
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled
  VPN-3DES-AES                   : Enabled
  Security Contexts              : 2
  GTP/GPRS                       : Disabled
  SSL VPN Peers                  : 2
  Total VPN Peers                : 5000
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled
  AnyConnect for Cisco VPN Phone : Disabled
  AnyConnect Essentials          : Disabled
  Advanced Endpoint Assessment   : Disabled
  UC Phone Proxy Sessions        : 2
  Total UC Proxy Sessions        : 2
  Botnet Traffic Filter          : Disabled
  This platform has an ASA 5550 VPN Premium license.

  Hi,
  You would need Anyconnect Premium license along with Cisco Ip phone feature enabled on ASA for Cisco IP phone to use anyconnect vpn feature.
  You can find more details from following link:
  http://www.cisco.com/en/US/products/ps12726/products_qanda_item09186a0080bf292f.shtml
  Regards,
  Varinder
  P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

• IP phone SSL VPN configuration issue

  Hello,
  I am trying to configure the SSL VPN for the IP phone.
  I am using the CM8.0.2 and 7975.
  - I configured ASA and tested with my PC. PC can ping the CM.
  - I uploaded the ASA cert as a Phone-VPN-trust
  - I uploaded the CA root cert. Tried both, Phone-VPN-trust and Phone-trust. Which one is correct?
  - I created a VPN gateway and typed URL and selected the cert
  - I created the VPN group and added the VPN gateway to it.
  - I created the VPN profile and added the VPN group to it.
  - I disabled the Host ID check
  - I configured the Common Phone Profile with VPN group and VPN profile and added it to a 7975 phone.
  When I go into the phone settings, the VPN option is disabled and the Enable soft button is greyed out.
  What is missing? What am I doing wrong?

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• IP Phone SSL VPN and Split tunneling

  Hi Team,
  I went throught the following document which is very useful:
  https://supportforums.cisco.com/docs/DOC-9124
  The only things i'm not sure about split-tunneling point:
  Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
  I could see many implementation when they used split-tunneling, like one of my customer:
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  banner value This system is only for Authorized users.
  dns-server value 10.64.10.13 10.64.10.14
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value prod.mobily.lan
  address-pools value SSLClientPool
  webvpn
    anyconnect keep-installer installed
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect ask none default anyconnect
  username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
  username manager-max attributes
  vpn-group-policy GroupPolicy1
  tunnel-group PhoneVPN type remote-access
  tunnel-group PhoneVPN general-attributes
  address-pool SSLClientPool
  authentication-server-group AD
  default-group-policy GroupPolicy1
  tunnel-group PhoneVPN webvpn-attributes
  group-url https://84.23.107.10 enable
  ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
  access-list split-tunnel remark split-tunnel network list
  access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
  It is working for them w/o any issue.
  My question would be
  - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
  Thanks!
  Eva

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• OWA not accessible after setting up vpn through ASA 5505

  I have a client that is running Win2003 Server R2 with Exchange Server 2003. OWA was setup and clients could connect to their exchange mailbox from the internet with no problems.
  We recently configured vpn on the ASA 5505 and now no-one can connect to OWA since that time.
  Here is what I have for a configuration.
  Any thoughts?

  I thought OWA uses tcp port 80 by default, or 443 if you use https. Ignore the rest if this fact is wrong. Otherwise ...
  In your config there is nothing to allow the www traffic in the access-list outside_access_in
  access-list outside_access_in extended permit tcp any interface outside eq 80
  and no static nat for this
  static (inside,outside) tcp interface 80 192.168.0.254 80 netmask 255.255.255.255
  I think these must have got deleted when you made the other changes ? Hope this helps.

• SA540 SSL VPN Client will not install on Windows 7

  I had the SSL VPN Client working on my Windows 7 laptop.  I tried to use the SSL VPN through Firefox and now my client does not work on IE anymore.
  The install process beings and the progress bar makes it halfway before I get an error saying the install failed.
  I tried everything I could to remove the SSL VPN client manually.  I even followed the instructions posted at the end of this forum posting:  https://cisco-support.hosted.jivesoftware.com/thread/2018716?decorator=print&displayFullThread=true
  Nothing has worked.
  The best I can find is the VPN Client is crashing during install.  I saw this in the Event Log.
  Fault bucket 177244756, type 5
  Event Name: PnPDriverInstallError
  Response: Not available
  Cab Id: 0
  Problem signature:
  P1: x64
  P2: E0000234
  P3: ssldrv.inf
  P4: 93775c2b0faa616bc11a47d4ff617aa8d00cd56f
  P5: SSLDrv.Ndi
  P6:
  P7:
  P8:
  P9:
  P10:
  Attached files:
  C:\Users\shudson\AppData\Local\Temp\DMIE984.tmp.log.xml
  C:\Windows\inf\oem54.inf
  These files may be available here:
  C:\Users\shudson\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_x64_d317f66069d2e3b17f6bc1e7306afd9085494a_1020fe2c
  Analysis symbol:
  Rechecking for solution: 0
  Report Id: 75c67e96-1882-11e0-8e4d-5c260a0235ed
  Report Status: 0
  I then used AppCrashView to see the crash report and I get this:
  Version=1
  EventType=APPCRASH
  EventTime=129386443518175301
  ReportType=2
  Consent=1
  UploadTime=129386443518799293
  ReportIdentifier=2a4c4f0a-183c-11e0-aac2-5c260a0235ed
  IntegratorReportIdentifier=2a4c4f09-183c-11e0-aac2-5c260a0235ed
  WOW64=1
  Response.BucketId=2007535968
  Response.BucketTable=1
  Response.type=4
  Sig[0].Name=Application Name
  Sig[0].Value=VirtualPassageExe.exe
  Sig[1].Name=Application Version
  Sig[1].Value=1.7.3.1
  Sig[2].Name=Application Timestamp
  Sig[2].Value=4b20cf25
  Sig[3].Name=Fault Module Name
  Sig[3].Value=OLEAUT32.dll
  Sig[4].Name=Fault Module Version
  Sig[4].Value=6.1.7600.16567
  Sig[5].Name=Fault Module Timestamp
  Sig[5].Value=4bbc2f3d
  Sig[6].Name=Exception Code
  Sig[6].Value=c0000005
  Sig[7].Name=Exception Offset
  Sig[7].Value=00004660
  DynamicSig[1].Name=OS Version
  DynamicSig[1].Value=6.1.7600.2.0.0.256.48
  DynamicSig[2].Name=Locale ID
  DynamicSig[2].Value=1033
  DynamicSig[22].Name=Additional Information 1
  DynamicSig[22].Value=0a9e
  DynamicSig[23].Name=Additional Information 2
  DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
  DynamicSig[24].Name=Additional Information 3
  DynamicSig[24].Value=0a9e
  DynamicSig[25].Name=Additional Information 4
  DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789
  UI[2]=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
  UI[3]=VirtualPassageExe MFC Application has stopped working
  UI[4]=Windows can check online for a solution to the problem.
  UI[5]=Check online for a solution and close the program
  UI[6]=Check online for a solution later and close the program
  UI[7]=Close the program
  LoadedModule[0]=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
  LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
  LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
  LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
  LoadedModule[4]=C:\Windows\system32\MFC42.DLL
  LoadedModule[5]=C:\Windows\syswow64\msvcrt.dll
  LoadedModule[6]=C:\Windows\syswow64\USER32.dll
  LoadedModule[7]=C:\Windows\syswow64\GDI32.dll
  LoadedModule[8]=C:\Windows\syswow64\LPK.dll
  LoadedModule[9]=C:\Windows\syswow64\USP10.dll
  LoadedModule[10]=C:\Windows\syswow64\ADVAPI32.dll
  LoadedModule[11]=C:\Windows\SysWOW64\sechost.dll
  LoadedModule[12]=C:\Windows\syswow64\RPCRT4.dll
  LoadedModule[13]=C:\Windows\syswow64\SspiCli.dll
  LoadedModule[14]=C:\Windows\syswow64\CRYPTBASE.dll
  LoadedModule[15]=C:\Windows\syswow64\ole32.dll
  LoadedModule[16]=C:\Windows\syswow64\OLEAUT32.dll
  LoadedModule[17]=C:\Windows\system32\ODBC32.dll
  LoadedModule[18]=C:\Windows\syswow64\SHELL32.dll
  LoadedModule[19]=C:\Windows\syswow64\SHLWAPI.dll
  LoadedModule[20]=C:\Windows\system32\apphelp.dll
  LoadedModule[21]=C:\Windows\AppPatch\AcLayers.DLL
  LoadedModule[22]=C:\Windows\system32\USERENV.dll
  LoadedModule[23]=C:\Windows\system32\profapi.dll
  LoadedModule[24]=C:\Windows\system32\WINSPOOL.DRV
  LoadedModule[25]=C:\Windows\system32\MPR.dll
  LoadedModule[26]=C:\Windows\system32\IMM32.DLL
  LoadedModule[27]=C:\Windows\syswow64\MSCTF.dll
  LoadedModule[28]=C:\Windows\system32\odbcint.dll
  LoadedModule[29]=C:\Windows\system32\uxtheme.dll
  LoadedModule[30]=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7600.16661_none_ebfb56996c72aefc\COMCTL32.DLL
  LoadedModule[31]=C:\Windows\system32\dwmapi.dll
  State[0].Key=Transport.DoneStage1
  State[0].Value=1
  FriendlyEventName=Stopped working
  ConsentKey=APPCRASH
  AppName=VirtualPassageExe MFC Application
  AppPath=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
  None of this makes any sense to me, but may someone can tell me why the install is failing?
  Thanks,
  Scott

  Mario,
  I tried everything you mentioned.  I cleared cookies and temporary files.  I enabled SSL 3.0. I restarted IE.
  I get the same thing.  The install process starts and then ends at suddenly saying the install failed.
  Scott

• ASA license for Cisco IP Phone over VPN

  Hi,
  Are there special licenses required on the ASA to use Cisco IP Phones (Hard phone) over SSL VPN connection?
  Thanks

  Hi,
  You can purchase the phone proxy license. This elimiates the need to build a VPN tunnel for voice traffic.
  It is not mandatory to purchase this license however.
  From the ASA configuration guide:
  http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/unified_comm_phoneproxy.html#wp1144845
  "The  Cisco Phone Proxy on the adaptive security  appliance bridges IP  telephony between the corporate IP telephony  network and the Internet  in a secure manner by forcing data from remote  phones on an untrusted  network to be encrypted. "
  Don't forget to rate all posts that are helpful.

• ASA 5505 8.2 - SSL VPN - Cannot Ping inside host's

  Hello All,
  I'm an ASA Newb. 
  I feel like I have tried everything posted and still no success.
  PROBLEM:  When connected to the SSL VPN I cannot ping any internal host's.  I cannot ping anything on this inside?
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.2(5)
  hostname MCASA01
  domain-name mydomain.org
  enable password xxbtzv6P4Hqevn4N encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.2.0 VLAN
  name 192.168.5.0 VPNPOOL
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  switchport access vlan 3
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ddns update hostname MC_DNS
  dhcp client update dns server both
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  no forward interface Vlan1
  nameif outside
  security-level 0
  ip address 11.11.11.202 255.255.255.252
  interface Vlan3
  no nameif
  security-level 50
  ip address 192.168.2.1 255.255.255.0
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns server-group DefaultDNS
  domain-name mydomain.org
  access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNPOOL 192.168.5.1-192.168.5.10 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 74.7.217.201 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  http authentication-certificate inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment terminal
  subject-name CN=vpn.mydomain.org,OU=IT,O="mydomain",C=US,St=CA,L=Chino
  keypair digicert.key
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate 00b63edadf5efa057ea49da56b179132e8
      3082051c 30820404 a0030201 02021100 b63edadf 5efa057e a49da56b 179132e8
      300d0609 2a864886 f70d0101 05050030 72310b30 09060355 04061302 4742311b
      30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
      03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
      41204c69 6d697465 64311830 16060355 0403130f 45737365 6e746961 6c53534c
      20434130 1e170d31 33313130 35303030 3030305a 170d3134 30323033 32333539
      35395a30 52312130 1f060355 040b1318 446f6d61 696e2043 6f6e7472 6f6c2056
      616c6964 61746564 3111300f 06035504 0b130846 72656520 53534c31 1a301806
      03550403 13117670 6e2e6d65 74726f63 656c6c2e 6f726730 82012230 0d06092a
      864886f7 0d010101 05000382 010f0030 82010a02 82010100 a0d97d51 fcd18293
      eaf8e9b2 d632b2e3 e4d92eb1 5b639766 52677a26 2aa7d09d 437be3b6 dfb8649c
      4d715278 e1745955 27e8aab2 9c9da997 694a73e8 c1c426f3 a519adba acc2ad94
      aa0e09af 6db7bfc6 bad90bf2 b057dc56 c69a4276 1b826c83 6cd7ae09 af39bd7d
      4abe60b4 9b04613a 287a1ae6 9d117d05 c7cdc15f 09d588b0 fcc05c47 c1cb6d67
      c3701389 d3b7691d b05ff82c b0be475d 746a4916 0bbf11a6 7ee1b7ec bd05e1d2
      dda305a6 918bfd35 17447b04 bca1e6d9 10955649 d8211878 168c4c21 279a6584
      4b560a9f 414aea15 91e21581 a71d6b98 86d9eac3 47ea3a1d a172c71a ecf77aaa
      536d73e4 bc53eb68 c7bfacdd fab87ea5 121baf55 067dbd19 02030100 01a38201
      cb308201 c7301f06 03551d23 04183016 8014dacb eaad5b08 5dccfffc 2654ce49
      e555c638 f4f8301d 0603551d 0e041604 14fabb1d f439c41f e59207c7 202c2fda
      b46bcacc ee300e06 03551d0f 0101ff04 04030205 a0300c06 03551d13 0101ff04
      02300030 34060355 1d25042d 302b0608 2b060105 05070301 06082b06 01050507
      0302060a 2b060104 0182370a 03030609 60864801 86f84204 01304f06 03551d20
      04483046 303a060b 2b060104 01b23101 02020730 2b302906 082b0601 05050702
      01161d68 74747073 3a2f2f73 65637572 652e636f 6d6f646f 2e636f6d 2f435053
      30080606 67810c01 0201303b 0603551d 1f043430 323030a0 2ea02c86 2a687474
      703a2f2f 63726c2e 636f6d6f 646f6361 2e636f6d 2f457373 656e7469 616c5353
      4c43412e 63726c30 6e06082b 06010505 07010104 62306030 3806082b 06010505
      07300286 2c687474 703a2f2f 6372742e 636f6d6f 646f6361 2e636f6d 2f457373
      656e7469 616c5353 4c43415f 322e6372 74302406 082b0601 05050730 01861868
      7474703a 2f2f6f63 73702e63 6f6d6f64 6f63612e 636f6d30 33060355 1d11042c
      302a8211 76706e2e 6d657472 6f63656c 6c2e6f72 67821577 77772e76 706e2e6d
      6574726f 63656c6c 2e6f7267 300d0609 2a864886 f70d0101 05050003 82010100
      2484b72c 56161585 c9caa1a3 43cbc754 d3b43cef 7902a775 d40d064f 6918d52f
      0aaaea0c ad873124 11b68847 406812da fd0c5d71 6e110898 1ebddcab ddf980e4
      b95be4e2 0633cc23 7a4cbc27 f1f5e4e8 1de3c127 2b28a364 f1f26764 98afe871
      45547855 c0ceaf39 256f46db 4ac412a7 2b594817 a967ba5a 24986b24 57002ce4
      f046c6b3 5f7c9cc2 e6cd8ede 8fbcac60 b87fd497 71328783 8b148f7f affec249
      191c460b 3d46d352 0651f35e 96a60fbe 7b22e057 06aa7722 da447cd3 0ea72e7f
      5ec8c13c b550f502 b020efdc 35f62b89 52d7e6e3 14ade632 802dee70 1cdbf7ad
      a39a173b 916406e4 887ba623 4813b925 8a63a300 fd016981 a8d70651 a736267a
    quit
  no crypto isakmp nat-traversal
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside vpnclient-wins-override
  dhcpd address 192.168.1.100-192.168.1.200 inside
  dhcpd dns 66.180.96.12 64.238.96.12 interface inside
  dhcpd lease 86400 interface inside
  dhcpd ping_timeout 4000 interface inside
  dhcpd domain mydomain.org interface inside
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server 64.147.116.229 source outside
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  svc enable
  tunnel-group-list enable
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  group-policy VPNGP internal
  group-policy VPNGP attributes
  vpn-tunnel-protocol svc
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SPLIT-TUNNEL
  username GaryC password TGbvzEO3d6HlfU66 encrypted privilege 15
  username GaryC attributes
  vpn-group-policy VPNGP
  tunnel-group MCVPN type remote-access
  tunnel-group MCVPN general-attributes
  address-pool VPNPOOL
  default-group-policy VPNGP
  tunnel-group MCVPN webvpn-attributes
  group-alias MCVPN enable
  group-url https://11.11.11.202/MCVPN enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:1e950c041cc2c25116d30e5c884abbfc
  : end
  My goal is to allow Remote Users to RDP(3389) through VPN.
  Thank you,
  Gary
  Message was edited by: Gary Culwell

  Hello Jon,
    Thank you so much for your response. Clients will not be connect to a specific RDP server.  I was hoping if we were to establish a VPN Client tunnel I would like that tunnel to provide full local are access.  So the way the clients are used to is while in the field they use RDP to connect to their desktops on the internal LAN.
  Would you say this would work:
  route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
  Do you have examples?
  Thank you,
  Gary

• ASA 5505 SSL VPN LOG failed

  %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3293 for TLSv1 session.
  %ASA-6-725003: SSL client outside:58.211.122.212/3293 request to resume previous session.
  %ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293
  %ASA-6-113012: AAA user authentication Successful : local database : user = admin
  %ASA-6-113009: AAA retrieved default group policy (SSLCLientPolicy) for user = admin
  %ASA-6-113008: AAA transaction status ACCEPT : user = admin
  %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.grouppolicy = SSLCLientPolicy
  %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.username = admin
  %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.tunnelgroup = SSLClientProfile
  %ASA-6-734001: DAP: User admin, Addr 58.211.122.212, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy
  %ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
  %ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.
  %ASA-6-302013: Built inbound TCP connection 137616 for outside:58.211.122.212/3294 (58.211.122.212/3294) to identity:61.155.55.66/443 (61.155.55.66/443)
  %ASA-6-302013: Built inbound TCP connection 137617 for outside:58.211.122.212/3295 (58.211.122.212/3295) to identity:61.155.55.66/443 (61.155.55.66/443)
  %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3294 for TLSv1 session.
  %ASA-6-725003: SSL client outside:58.211.122.212/3294 request to resume previous session.
  %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3295 for TLSv1 session.
  %ASA-6-725003: SSL client outside:58.211.122.212/3295 request to resume previous session.
  Red error what is the reason? Only appears in the window 2003 server.

  ciscoasa# show   activation-key 
  Serial Number:  JMX1314Z1UV
  Running Activation Key: 0x9625fa6a 0x68e90200 0x38c3adac 0xaa0448d0 0x4b3815b6
  Licensed features for this platform:
  Maximum Physical Interfaces    : 8        
  VLANs                          : 3, DMZ Restricted
  Inside Hosts                   : 10       
  Failover                       : Disabled
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 10       
  Dual ISPs                      : Disabled 
  VLAN Trunk Ports               : 0        
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          : Disabled 
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled 
  This platform has a Base license.
  The flash activation key is the SAME as the running key.
  ciscoasa#
  Sure ？it was licence question？

• Ssl vpn and soft phone

  Does the ASA or IOS support an SSL VPN that includes the Cisco softphone like it does say RDP, SSH, etc?  I'm trying to determine if I can have a user connect a soft phone to our parent company's SSL VPN so they can use their Cisco phone system, while simultaneously having a remote access vpn tunnel to our division's data network.  In short, our employees need to use phones that don't exist on our network while having access to our data network.  I've been able to test having an SSL vpn session open at the same time as an IPSec remote access session, but the softphone is not an option in my current code of 8.4 on the ASA.  I thought I heard it might be available in 9.0.  It seems like it would work in reverse, i.e. having my users connect to my SSL VPN to use my data network and then IPSec to our parent company for the client's locally installed soft phone, but that's not an option for me.  The link below seems to suggest it's possible in IOS at least, but I haven't been able to find any details beyond the sales pitch it offers.
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_securing_voice_traffic_with_cisco_ios_ssl_vpn.html
  thank you

  Following links may help you
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008072462a.shtml

• ASA 5505 WebVPN - It has taken a while for SSL VPN Relay to load. You need to verify Java is enabled in your browser

  ASA 5505
  ASA Version 9.0.(2)
  Suddently on the webvpn Interface when i click on my web bookmarks (and java launches in browser) i get this fail in Chrome and FF 'It has take a while for SSL VPN Relay til load. You need to verify Java is enabled in your browser' and nothing happens...
  Java IS enabled and running. Tried this in both 7.45 and 7.51
  No problem in IE 11 and java 7.45 and 7.51
  I've googled alot but have not been able to find any suggetions
  Hope you have a solution
  Best Regards.

  Any resolution on this?  Firefox/Chrome my cifs work but smart tunnel RDP doesn't, and in IE my shares don't work but RDP smart tunnel does....
  Cisco, if you're not going to do something good, just don't do it.  The SSL VPN is a hack job.

• ASA Clientless SSL VPN can't access login pages on websites

  When I'm doing a clientless SSL VPN to my ASA and using the ASA to browse websites, I can pretty much go on to just about any website except specificly login websites. I can go on google and yahoo but when I click the "mail" button it just gives me an error message "Connection Failed - Server (site name) unavailable. When I go onto hotmail.com, it says server hotmail.com unavailable. When I browse by entering hotmail's IP address in, it says "Bad Request." Same happens on ebay, youtube, etc. Funny thing is, the ONLY login page I can get onto is Cisco's website's login page. I tried changing DNS servers, nothing changed. Here is my configuration:
  show run
  : Saved
  ASA Version 8.4(4)1
  hostname PatG
  domain-name resolver4.opendns.com
  enable password aDvdtQE/ih5t061i encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  boot system disk0:/asa844-1-k8.bin
  ftp mode passive
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group Comcast
  name-server 75.75.75.75
  domain-name cdns01.comcast.net
  dns server-group DefaultDNS
  name-server 208.67.220.222
  name-server 208.67.220.220
  domain-name resolver4.opendns.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-649-103.bin
  no asdm history enable
  arp timeout 14400
  object network obj_any
  nat (inside,outside) dynamic interface
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server Remote1 protocol radius
  aaa-server Remote1 (inside) host 192.168.1.8
  key *****
  radius-common-pw *****
  user-identity default-domain LOCAL
  aaa authentication ssh console Remote1
  aaa authentication http console Remote1 LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd domain redtube.com
  dhcpd auto_config outside
  dhcpd option 150 ip 192.168.1.15 192.168.1.5
  dhcpd address 192.168.1.5-192.168.1.36 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  tunnel-group-list enable
  group-policy Eng internal
  group-policy Eng attributes
  vpn-tunnel-protocol ssl-clientless
  webvpn
    url-list value EngineerMarks
  group-policy RemoteHTTP internal
  group-policy RemoteHTTP attributes
  vpn-tunnel-protocol ssl-clientless
  webvpn
    url-list value Test
    customization value Extra
  username user1 password mbO2jYs13AXlIAGa encrypted privilege 0
  tunnel-group Browser type remote-access
  tunnel-group Browser general-attributes
  authentication-server-group Remote1
  default-group-policy RemoteHTTP
  tunnel-group TEST type remote-access
  tunnel-group TEST general-attributes
  authentication-server-group Remote1
  default-group-policy RemoteHTTP
  tunnel-group TEST webvpn-attributes
  group-alias testing enable
  group-url https://24.19.162.53/testing enable
  tunnel-group Engineering type remote-access
  tunnel-group Engineering general-attributes
  authentication-server-group Remote1 LOCAL
  default-group-policy Eng
  tunnel-group Engineering webvpn-attributes
  group-alias engineering enable
  group-url https://209.165.200.2/engineering enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect http
  policy-map map
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DD                                                                                                                                                             CEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  password encryption aes
  Cryptochecksum:843e718c8d4b23b5f421f82fc0a0c255
  : end
  Can anyone please help me? Thanks

  In your crypto ACLs for the site-to-site tunnels, add the ASA's public IP destined to the remote network, and mirror this ACL on the remote end VPN device.
  Example:
  ASA public IP: 2.2.2.2
  Remote network: 192.168.1.0/24
  access-list vpn_to_remote_network permit ip host 2.2.2.2 192.168.1.0 255.255.255.0
  Mirror the above acl on the remote end router.
  PS. If you found this post helpful, please rate it.