IP Phone SSL VPN through ASA
Im in the middle of configuring Ip Phone SSL VPN through ASA, got stuck on authentication.. When I enter username and password on the phone screen, i get "Username and password failed" message on the screen. However, in ASA logs I see the following line
Feb 16 2011 15:12:57 725002 85.132.43.67 52684 Device completed SSL handshake with client vpn:85.132.*.*/52684
Feb 16 2011 15:17:26 725007 85.132.43.67 52745 SSL session with client vpn:85.132.*.*/52745 terminated.
What does it mean? How can I turn on debugging to see what is going on?
Thank you in advance!
Hi,
If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
Did this answer your question? If so, please mark it Answered!
Similar Messages
-
IP Phone SSL VPN to ASA using AnyConnect
I have a CUCM 7.1.5. We are using Phone proxy today. I wanted to upgrade to IP phone SSL VPN.
I know in 8.x and 9.x the Proxy phone is not supported and Cisco supports SSL VPN.
However, The question is: if CUCM 7.1.5 supports Phone SSL VPN.
Lastly,
I hear about Collaboration Edge in CUCM 10.x
If CUCM 10.x is deployed then how the ASA concept plays a role here.
What type of license I would need for Collaboration Edge to register the endpoints\phones from outside of network.
I cant find any information about the Colaboration Edge on the Internet...
Message was edited by: Sean PoureThe embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
http://www.cisco.com/en/US/netsol/ns1246/index.html
PS- Jason could have found out details in advance since DiData has partner NDA status.
Please remember to rate helpful responses and identify helpful or correct answers. -
IP Phone SSL VPN to ASA for multiple CUCM (CallManager)
hi all,
I have a case to support multiple CallManager clusters in different locations for internet SSL VPN IP Phone. We will deploy one ASA firewall for SSL VPN IP Phone connections. So, can we use single ASA firewall for mulitple CUCM clusters?? In order words, Internet IP Phone will connect to different CUCM via a single ASA firewall (by using SSL VPN).
I tested I need to upload the ASA's certificate into CUCM and upload CUCM's certificate into ASA for one ASA to one CUCM. If I create multiple profile (e.g. different URL for phone logins) for different CUCM. Is it possible to do that?
thanks for your input!
SamuelSamuel,
Did you ever find an answer to your question? I have a similar scenario.
Any input would be appreciated. -
Jabber client and IP Phone SSL VPN to ASA using AnyConnect
Also for Jabber 9.1 can the Jabber for X softphone client (CUCM) can fireup a SSL VPN direct to ASA, similar to how 7965s can? Anyone aware if Jabber 10 or next version will support Jabber client with ASA? I have this delpoyed with 7965s and certificates but I have to manually start a AnyConnect session for Jabber for Windows on my laptop.
https://supportforums.cisco.com/docs/DOC-9124The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
http://www.cisco.com/en/US/netsol/ns1246/index.html
PS- Jason could have found out details in advance since DiData has partner NDA status.
Please remember to rate helpful responses and identify helpful or correct answers. -
IP Phone SSL VPN - Licenses required.
Hi,
Can someone confirm the linceses required for me to get this working. I understand that it needs the 'AnyConnect for Cisco VPN Phone' license but do I also need to have anyconnec essentials? This is for ASA version 8.2 and the a license info below is for the ASA i intend to delpoy this on.
Thanks
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 250
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 5000
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5550 VPN Premium license.Hi,
You would need Anyconnect Premium license along with Cisco Ip phone feature enabled on ASA for Cisco IP phone to use anyconnect vpn feature.
You can find more details from following link:
http://www.cisco.com/en/US/products/ps12726/products_qanda_item09186a0080bf292f.shtml
Regards,
Varinder
P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users -
IP phone SSL VPN configuration issue
Hello,
I am trying to configure the SSL VPN for the IP phone.
I am using the CM8.0.2 and 7975.
- I configured ASA and tested with my PC. PC can ping the CM.
- I uploaded the ASA cert as a Phone-VPN-trust
- I uploaded the CA root cert. Tried both, Phone-VPN-trust and Phone-trust. Which one is correct?
- I created a VPN gateway and typed URL and selected the cert
- I created the VPN group and added the VPN gateway to it.
- I created the VPN profile and added the VPN group to it.
- I disabled the Host ID check
- I configured the Common Phone Profile with VPN group and VPN profile and added it to a 7975 phone.
When I go into the phone settings, the VPN option is disabled and the Enable soft button is greyed out.
What is missing? What am I doing wrong?Hi,
If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
Did this answer your question? If so, please mark it Answered! -
IP Phone SSL VPN and Split tunneling
Hi Team,
I went throught the following document which is very useful:
https://supportforums.cisco.com/docs/DOC-9124
The only things i'm not sure about split-tunneling point:
Group-policy must not be configured with split tunnel or split exclude. Only tunnel all is the supported tunneling policy
I could see many implementation when they used split-tunneling, like one of my customer:
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
banner value This system is only for Authorized users.
dns-server value 10.64.10.13 10.64.10.14
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value prod.mobily.lan
address-pools value SSLClientPool
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
username manager-max attributes
vpn-group-policy GroupPolicy1
tunnel-group PhoneVPN type remote-access
tunnel-group PhoneVPN general-attributes
address-pool SSLClientPool
authentication-server-group AD
default-group-policy GroupPolicy1
tunnel-group PhoneVPN webvpn-attributes
group-url https://84.23.107.10 enable
ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
access-list split-tunnel remark split-tunnel network list
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
It is working for them w/o any issue.
My question would be
- is the limitation about split-tunneling still valid? If yes, why it is not recommended?
Thanks!
EvaHi,
If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
Did this answer your question? If so, please mark it Answered! -
OWA not accessible after setting up vpn through ASA 5505
I have a client that is running Win2003 Server R2 with Exchange Server 2003. OWA was setup and clients could connect to their exchange mailbox from the internet with no problems.
We recently configured vpn on the ASA 5505 and now no-one can connect to OWA since that time.
Here is what I have for a configuration.
Any thoughts?I thought OWA uses tcp port 80 by default, or 443 if you use https. Ignore the rest if this fact is wrong. Otherwise ...
In your config there is nothing to allow the www traffic in the access-list outside_access_in
access-list outside_access_in extended permit tcp any interface outside eq 80
and no static nat for this
static (inside,outside) tcp interface 80 192.168.0.254 80 netmask 255.255.255.255
I think these must have got deleted when you made the other changes ? Hope this helps. -
SA540 SSL VPN Client will not install on Windows 7
I had the SSL VPN Client working on my Windows 7 laptop. I tried to use the SSL VPN through Firefox and now my client does not work on IE anymore.
The install process beings and the progress bar makes it halfway before I get an error saying the install failed.
I tried everything I could to remove the SSL VPN client manually. I even followed the instructions posted at the end of this forum posting: https://cisco-support.hosted.jivesoftware.com/thread/2018716?decorator=print&displayFullThread=true
Nothing has worked.
The best I can find is the VPN Client is crashing during install. I saw this in the Event Log.
Fault bucket 177244756, type 5
Event Name: PnPDriverInstallError
Response: Not available
Cab Id: 0
Problem signature:
P1: x64
P2: E0000234
P3: ssldrv.inf
P4: 93775c2b0faa616bc11a47d4ff617aa8d00cd56f
P5: SSLDrv.Ndi
P6:
P7:
P8:
P9:
P10:
Attached files:
C:\Users\shudson\AppData\Local\Temp\DMIE984.tmp.log.xml
C:\Windows\inf\oem54.inf
These files may be available here:
C:\Users\shudson\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_x64_d317f66069d2e3b17f6bc1e7306afd9085494a_1020fe2c
Analysis symbol:
Rechecking for solution: 0
Report Id: 75c67e96-1882-11e0-8e4d-5c260a0235ed
Report Status: 0
I then used AppCrashView to see the crash report and I get this:
Version=1
EventType=APPCRASH
EventTime=129386443518175301
ReportType=2
Consent=1
UploadTime=129386443518799293
ReportIdentifier=2a4c4f0a-183c-11e0-aac2-5c260a0235ed
IntegratorReportIdentifier=2a4c4f09-183c-11e0-aac2-5c260a0235ed
WOW64=1
Response.BucketId=2007535968
Response.BucketTable=1
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=VirtualPassageExe.exe
Sig[1].Name=Application Version
Sig[1].Value=1.7.3.1
Sig[2].Name=Application Timestamp
Sig[2].Value=4b20cf25
Sig[3].Name=Fault Module Name
Sig[3].Value=OLEAUT32.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.1.7600.16567
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=4bbc2f3d
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=00004660
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7600.2.0.0.256.48
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=0a9e
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=0a9e
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789
UI[2]=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
UI[3]=VirtualPassageExe MFC Application has stopped working
UI[4]=Windows can check online for a solution to the problem.
UI[5]=Check online for a solution and close the program
UI[6]=Check online for a solution later and close the program
UI[7]=Close the program
LoadedModule[0]=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
LoadedModule[4]=C:\Windows\system32\MFC42.DLL
LoadedModule[5]=C:\Windows\syswow64\msvcrt.dll
LoadedModule[6]=C:\Windows\syswow64\USER32.dll
LoadedModule[7]=C:\Windows\syswow64\GDI32.dll
LoadedModule[8]=C:\Windows\syswow64\LPK.dll
LoadedModule[9]=C:\Windows\syswow64\USP10.dll
LoadedModule[10]=C:\Windows\syswow64\ADVAPI32.dll
LoadedModule[11]=C:\Windows\SysWOW64\sechost.dll
LoadedModule[12]=C:\Windows\syswow64\RPCRT4.dll
LoadedModule[13]=C:\Windows\syswow64\SspiCli.dll
LoadedModule[14]=C:\Windows\syswow64\CRYPTBASE.dll
LoadedModule[15]=C:\Windows\syswow64\ole32.dll
LoadedModule[16]=C:\Windows\syswow64\OLEAUT32.dll
LoadedModule[17]=C:\Windows\system32\ODBC32.dll
LoadedModule[18]=C:\Windows\syswow64\SHELL32.dll
LoadedModule[19]=C:\Windows\syswow64\SHLWAPI.dll
LoadedModule[20]=C:\Windows\system32\apphelp.dll
LoadedModule[21]=C:\Windows\AppPatch\AcLayers.DLL
LoadedModule[22]=C:\Windows\system32\USERENV.dll
LoadedModule[23]=C:\Windows\system32\profapi.dll
LoadedModule[24]=C:\Windows\system32\WINSPOOL.DRV
LoadedModule[25]=C:\Windows\system32\MPR.dll
LoadedModule[26]=C:\Windows\system32\IMM32.DLL
LoadedModule[27]=C:\Windows\syswow64\MSCTF.dll
LoadedModule[28]=C:\Windows\system32\odbcint.dll
LoadedModule[29]=C:\Windows\system32\uxtheme.dll
LoadedModule[30]=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7600.16661_none_ebfb56996c72aefc\COMCTL32.DLL
LoadedModule[31]=C:\Windows\system32\dwmapi.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=VirtualPassageExe MFC Application
AppPath=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
None of this makes any sense to me, but may someone can tell me why the install is failing?
Thanks,
ScottMario,
I tried everything you mentioned. I cleared cookies and temporary files. I enabled SSL 3.0. I restarted IE.
I get the same thing. The install process starts and then ends at suddenly saying the install failed.
Scott -
ASA license for Cisco IP Phone over VPN
Hi,
Are there special licenses required on the ASA to use Cisco IP Phones (Hard phone) over SSL VPN connection?
ThanksHi,
You can purchase the phone proxy license. This elimiates the need to build a VPN tunnel for voice traffic.
It is not mandatory to purchase this license however.
From the ASA configuration guide:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/unified_comm_phoneproxy.html#wp1144845
"The Cisco Phone Proxy on the adaptive security appliance bridges IP telephony between the corporate IP telephony network and the Internet in a secure manner by forcing data from remote phones on an untrusted network to be encrypted. "
Don't forget to rate all posts that are helpful. -
ASA 5505 8.2 - SSL VPN - Cannot Ping inside host's
Hello All,
I'm an ASA Newb.
I feel like I have tried everything posted and still no success.
PROBLEM: When connected to the SSL VPN I cannot ping any internal host's. I cannot ping anything on this inside?
Result of the command: "show running-config"
: Saved
ASA Version 8.2(5)
hostname MCASA01
domain-name mydomain.org
enable password xxbtzv6P4Hqevn4N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.0 VLAN
name 192.168.5.0 VPNPOOL
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ddns update hostname MC_DNS
dhcp client update dns server both
ip address 192.168.1.1 255.255.255.0
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address 11.11.11.202 255.255.255.252
interface Vlan3
no nameif
security-level 50
ip address 192.168.2.1 255.255.255.0
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name mydomain.org
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.5.1-192.168.5.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 74.7.217.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=vpn.mydomain.org,OU=IT,O="mydomain",C=US,St=CA,L=Chino
keypair digicert.key
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 00b63edadf5efa057ea49da56b179132e8
3082051c 30820404 a0030201 02021100 b63edadf 5efa057e a49da56b 179132e8
300d0609 2a864886 f70d0101 05050030 72310b30 09060355 04061302 4742311b
30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
41204c69 6d697465 64311830 16060355 0403130f 45737365 6e746961 6c53534c
20434130 1e170d31 33313130 35303030 3030305a 170d3134 30323033 32333539
35395a30 52312130 1f060355 040b1318 446f6d61 696e2043 6f6e7472 6f6c2056
616c6964 61746564 3111300f 06035504 0b130846 72656520 53534c31 1a301806
03550403 13117670 6e2e6d65 74726f63 656c6c2e 6f726730 82012230 0d06092a
864886f7 0d010101 05000382 010f0030 82010a02 82010100 a0d97d51 fcd18293
eaf8e9b2 d632b2e3 e4d92eb1 5b639766 52677a26 2aa7d09d 437be3b6 dfb8649c
4d715278 e1745955 27e8aab2 9c9da997 694a73e8 c1c426f3 a519adba acc2ad94
aa0e09af 6db7bfc6 bad90bf2 b057dc56 c69a4276 1b826c83 6cd7ae09 af39bd7d
4abe60b4 9b04613a 287a1ae6 9d117d05 c7cdc15f 09d588b0 fcc05c47 c1cb6d67
c3701389 d3b7691d b05ff82c b0be475d 746a4916 0bbf11a6 7ee1b7ec bd05e1d2
dda305a6 918bfd35 17447b04 bca1e6d9 10955649 d8211878 168c4c21 279a6584
4b560a9f 414aea15 91e21581 a71d6b98 86d9eac3 47ea3a1d a172c71a ecf77aaa
536d73e4 bc53eb68 c7bfacdd fab87ea5 121baf55 067dbd19 02030100 01a38201
cb308201 c7301f06 03551d23 04183016 8014dacb eaad5b08 5dccfffc 2654ce49
e555c638 f4f8301d 0603551d 0e041604 14fabb1d f439c41f e59207c7 202c2fda
b46bcacc ee300e06 03551d0f 0101ff04 04030205 a0300c06 03551d13 0101ff04
02300030 34060355 1d25042d 302b0608 2b060105 05070301 06082b06 01050507
0302060a 2b060104 0182370a 03030609 60864801 86f84204 01304f06 03551d20
04483046 303a060b 2b060104 01b23101 02020730 2b302906 082b0601 05050702
01161d68 74747073 3a2f2f73 65637572 652e636f 6d6f646f 2e636f6d 2f435053
30080606 67810c01 0201303b 0603551d 1f043430 323030a0 2ea02c86 2a687474
703a2f2f 63726c2e 636f6d6f 646f6361 2e636f6d 2f457373 656e7469 616c5353
4c43412e 63726c30 6e06082b 06010505 07010104 62306030 3806082b 06010505
07300286 2c687474 703a2f2f 6372742e 636f6d6f 646f6361 2e636f6d 2f457373
656e7469 616c5353 4c43415f 322e6372 74302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e63 6f6d6f64 6f63612e 636f6d30 33060355 1d11042c
302a8211 76706e2e 6d657472 6f63656c 6c2e6f72 67821577 77772e76 706e2e6d
6574726f 63656c6c 2e6f7267 300d0609 2a864886 f70d0101 05050003 82010100
2484b72c 56161585 c9caa1a3 43cbc754 d3b43cef 7902a775 d40d064f 6918d52f
0aaaea0c ad873124 11b68847 406812da fd0c5d71 6e110898 1ebddcab ddf980e4
b95be4e2 0633cc23 7a4cbc27 f1f5e4e8 1de3c127 2b28a364 f1f26764 98afe871
45547855 c0ceaf39 256f46db 4ac412a7 2b594817 a967ba5a 24986b24 57002ce4
f046c6b3 5f7c9cc2 e6cd8ede 8fbcac60 b87fd497 71328783 8b148f7f affec249
191c460b 3d46d352 0651f35e 96a60fbe 7b22e057 06aa7722 da447cd3 0ea72e7f
5ec8c13c b550f502 b020efdc 35f62b89 52d7e6e3 14ade632 802dee70 1cdbf7ad
a39a173b 916406e4 887ba623 4813b925 8a63a300 fd016981 a8d70651 a736267a
quit
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 66.180.96.12 64.238.96.12 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 4000 interface inside
dhcpd domain mydomain.org interface inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 64.147.116.229 source outside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy VPNGP internal
group-policy VPNGP attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
username GaryC password TGbvzEO3d6HlfU66 encrypted privilege 15
username GaryC attributes
vpn-group-policy VPNGP
tunnel-group MCVPN type remote-access
tunnel-group MCVPN general-attributes
address-pool VPNPOOL
default-group-policy VPNGP
tunnel-group MCVPN webvpn-attributes
group-alias MCVPN enable
group-url https://11.11.11.202/MCVPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1e950c041cc2c25116d30e5c884abbfc
: end
My goal is to allow Remote Users to RDP(3389) through VPN.
Thank you,
Gary
Message was edited by: Gary CulwellHello Jon,
Thank you so much for your response. Clients will not be connect to a specific RDP server. I was hoping if we were to establish a VPN Client tunnel I would like that tunnel to provide full local are access. So the way the clients are used to is while in the field they use RDP to connect to their desktops on the internal LAN.
Would you say this would work:
route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
Do you have examples?
Thank you,
Gary -
%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3293 for TLSv1 session.
%ASA-6-725003: SSL client outside:58.211.122.212/3293 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113009: AAA retrieved default group policy (SSLCLientPolicy) for user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.grouppolicy = SSLCLientPolicy
%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.username = admin
%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.tunnelgroup = SSLClientProfile
%ASA-6-734001: DAP: User admin, Addr 58.211.122.212, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
%ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.
%ASA-6-302013: Built inbound TCP connection 137616 for outside:58.211.122.212/3294 (58.211.122.212/3294) to identity:61.155.55.66/443 (61.155.55.66/443)
%ASA-6-302013: Built inbound TCP connection 137617 for outside:58.211.122.212/3295 (58.211.122.212/3295) to identity:61.155.55.66/443 (61.155.55.66/443)
%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3294 for TLSv1 session.
%ASA-6-725003: SSL client outside:58.211.122.212/3294 request to resume previous session.
%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3295 for TLSv1 session.
%ASA-6-725003: SSL client outside:58.211.122.212/3295 request to resume previous session.
Red error what is the reason? Only appears in the window 2003 server.ciscoasa# show activation-key
Serial Number: JMX1314Z1UV
Running Activation Key: 0x9625fa6a 0x68e90200 0x38c3adac 0xaa0448d0 0x4b3815b6
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
The flash activation key is the SAME as the running key.
ciscoasa#
Sure ?it was licence question? -
Does the ASA or IOS support an SSL VPN that includes the Cisco softphone like it does say RDP, SSH, etc? I'm trying to determine if I can have a user connect a soft phone to our parent company's SSL VPN so they can use their Cisco phone system, while simultaneously having a remote access vpn tunnel to our division's data network. In short, our employees need to use phones that don't exist on our network while having access to our data network. I've been able to test having an SSL vpn session open at the same time as an IPSec remote access session, but the softphone is not an option in my current code of 8.4 on the ASA. I thought I heard it might be available in 9.0. It seems like it would work in reverse, i.e. having my users connect to my SSL VPN to use my data network and then IPSec to our parent company for the client's locally installed soft phone, but that's not an option for me. The link below seems to suggest it's possible in IOS at least, but I haven't been able to find any details beyond the sales pitch it offers.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_securing_voice_traffic_with_cisco_ios_ssl_vpn.html
thank youFollowing links may help you
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008072462a.shtml -
ASA 5505
ASA Version 9.0.(2)
Suddently on the webvpn Interface when i click on my web bookmarks (and java launches in browser) i get this fail in Chrome and FF 'It has take a while for SSL VPN Relay til load. You need to verify Java is enabled in your browser' and nothing happens...
Java IS enabled and running. Tried this in both 7.45 and 7.51
No problem in IE 11 and java 7.45 and 7.51
I've googled alot but have not been able to find any suggetions
Hope you have a solution
Best Regards.Any resolution on this? Firefox/Chrome my cifs work but smart tunnel RDP doesn't, and in IE my shares don't work but RDP smart tunnel does....
Cisco, if you're not going to do something good, just don't do it. The SSL VPN is a hack job. -
ASA Clientless SSL VPN can't access login pages on websites
When I'm doing a clientless SSL VPN to my ASA and using the ASA to browse websites, I can pretty much go on to just about any website except specificly login websites. I can go on google and yahoo but when I click the "mail" button it just gives me an error message "Connection Failed - Server (site name) unavailable. When I go onto hotmail.com, it says server hotmail.com unavailable. When I browse by entering hotmail's IP address in, it says "Bad Request." Same happens on ebay, youtube, etc. Funny thing is, the ONLY login page I can get onto is Cisco's website's login page. I tried changing DNS servers, nothing changed. Here is my configuration:
show run
: Saved
ASA Version 8.4(4)1
hostname PatG
domain-name resolver4.opendns.com
enable password aDvdtQE/ih5t061i encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
boot system disk0:/asa844-1-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group Comcast
name-server 75.75.75.75
domain-name cdns01.comcast.net
dns server-group DefaultDNS
name-server 208.67.220.222
name-server 208.67.220.220
domain-name resolver4.opendns.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Remote1 protocol radius
aaa-server Remote1 (inside) host 192.168.1.8
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console Remote1
aaa authentication http console Remote1 LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd domain redtube.com
dhcpd auto_config outside
dhcpd option 150 ip 192.168.1.15 192.168.1.5
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
tunnel-group-list enable
group-policy Eng internal
group-policy Eng attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value EngineerMarks
group-policy RemoteHTTP internal
group-policy RemoteHTTP attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value Test
customization value Extra
username user1 password mbO2jYs13AXlIAGa encrypted privilege 0
tunnel-group Browser type remote-access
tunnel-group Browser general-attributes
authentication-server-group Remote1
default-group-policy RemoteHTTP
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
authentication-server-group Remote1
default-group-policy RemoteHTTP
tunnel-group TEST webvpn-attributes
group-alias testing enable
group-url https://24.19.162.53/testing enable
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
authentication-server-group Remote1 LOCAL
default-group-policy Eng
tunnel-group Engineering webvpn-attributes
group-alias engineering enable
group-url https://209.165.200.2/engineering enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
policy-map map
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD CEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:843e718c8d4b23b5f421f82fc0a0c255
: end
Can anyone please help me? ThanksIn your crypto ACLs for the site-to-site tunnels, add the ASA's public IP destined to the remote network, and mirror this ACL on the remote end VPN device.
Example:
ASA public IP: 2.2.2.2
Remote network: 192.168.1.0/24
access-list vpn_to_remote_network permit ip host 2.2.2.2 192.168.1.0 255.255.255.0
Mirror the above acl on the remote end router.
PS. If you found this post helpful, please rate it.
Maybe you are looking for
-
How do i get three email addresses to all receive into one mailbox
We have a family e-mail address that works with 3 variations - [email protected] [email protected] [email protected] How do I set Thunderbird so that all come into one mailbox when we receive? Also need to have a second mailbox/account for [email pro
-
Can I assign a default value to a parameter like C++ ?
My question is whether I can assign a default value to a parameter in Java? Let's say : public void myMethod(int p1, int p2=3){...} Is this syntax acceptable ? Regards, WenBin
-
How to find the List of Errors occured while Upgradation
Hi All, I am working on Upgrade Project from 4.7C to ECC 6.0. I need to find out the list of all errors occured custom objects while doing Upgradation. I heard abt tool Uptimizer but our company is not using that tool, is there any other way to find
-
Help installing Areca 1882ix-12
I'm new to using a raid card, it's got some connections I'm not familiar with, so bear with me. I'm installing two raid sets (internal) in my computer. The card has got three internal Min SAS 4i (SFF-8087) ports, so I assume I need 8087 to SATA con
-
1 set of speakers, Airport Express & TV
I have a set of Bose computer speakers connected to my TV via the audio out jack on the TV. I would like to have the option of also playing music through these speakers via Airplay, by connecting them to an Airport Express unit. Is there a way to mak