Question of my asa if it support anyconnect vpn

Similar Messages

• Is it possible to run AnyConnect VPN from an XP Virtual Machine

  I am trying to setup my ASA firewall to accept AnyConnect VPN connections from an XP client running in VMware ESXi 5.1.
  Does anyone know if this is even possible?
  If this helps any - from an internal XP Virtual Machine, I can run ASDM to manage the firewall.
  ASA IOS 9.2(2)
  ASDM 7.2(2)
  In my physical environment:
  I have proven my VPN setup is functional between the ASA and physical XP laptop.
  The physical laptop running XP can make a successful AnyConnect VPN connection to the ASA. This VPN session works as expected as I can access the LAN and all servers on the inside LAN of the ASA once the VPN session is established.
  Thank you
  Frank

  Hi Jody,
  My vm XP and physical XP attributes are identical BUT do not match yours.
  Not sure what this means? :-|
  Any ideas?
  BTW, my XP clients are operating as standalone; I.E. no Windows domain.
  ! VM XP
  C:\Documents and Settings\me>cacls "%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"
  C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
  NT AUTHORITY\SYSTEM:(OI)(CI)F
  BUILTIN\Administrators:(OI)(CI)F
  BUILTIN\Administrators:F
  CREATOR OWNER:(OI)(CI)(IO)F
  BUILTIN\Power Users:(OI)(CI)C
  BUILTIN\Users:(OI)(CI)R
  BUILTIN\Users:(CI)(special access:)
       FILE_WRITE_DATA
       FILE_APPEND_DATA
       FILE_WRITE_EA
       FILE_WRITE_ATTRIBUTES
  C:\Documents and Settings\me>
  ! Physical PC
  C:\Documents and Settings\me>cacls "%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"
  C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
  NT AUTHORITY\SYSTEM:(OI)(CI)F
  BUILTIN\Administrators:(OI)(CI)F
  BUILTIN\Administrators:F
  CREATOR OWNER:(OI)(CI)(IO)F
  BUILTIN\Power Users:(OI)(CI)C
  BUILTIN\Users:(OI)(CI)R
  BUILTIN\Users:(CI)(special access:)
       FILE_WRITE_DATA
       FILE_APPEND_DATA
       FILE_WRITE_EA
       FILE_WRITE_ATTRIBUTES
  C:\Documents and Settings\me>

• Is ASA 5550 firewall supports BGP

  Hi All,
  Please help me out regarding my question.
  Thank you all in advance.
  Regards,
  Sayak

  Hello Sayak,
  The ASA does not support BGP. Border Gateway Protocol. BGP performs interdomain routing in TCP/IP networks. BGP is an Exterior Gateway Protocol, which means that it performs routing between multiple autonomous systems or domains and exchanges routing and access information with other BGP systems.
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/glossary.htmlhttp://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/glossary.html
  ASA allows passing of BGP sessions through it but just only that. It’s being discussed that it will be supported in the future but there’s no definite date yet.
           "niLz"
  Nilo Noguera Jr. 
  | Specialist, Virtual Engineering - Partner Helpline Organization 
  together we are the human network

• ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp

  Hello all,
  I've been searching all day for a solution to this problem. I setup and SSL anyconnect VPN on my Cisco ASA 5505. It works well and connects with out a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config so I will as well.
  MafSecASA# show run
  : Saved
  ASA Version 8.2(1)
  hostname MafSecASA
  domain-name mafsec.com
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.4.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 7.3.3.2 255.255.255.248
  interface Vlan3
  no forward interface Vlan1
  nameif dmz
  security-level 50
  ip address 172.20.1.1 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  speed 100
  duplex full
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  switchport access vlan 3
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name mafsec.com
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object tcp
  protocol-object udp
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object ip
  protocol-object udp
  protocol-object tcp
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_3
  protocol-object ip
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_4
  protocol-object ip
  protocol-object icmp
  access-list inside_access_in extended permit icmp any any
  access-list inside_access_in extended permit ip any any
  access-list inside_access_in remark allow remote users to internal users
  access-list inside_access_in remark allow remote users to internal users
  access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
  access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any
  access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
  access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
  ip verify reverse-path interface outside
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound_1
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication enable console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 10.4.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 5
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 10
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 10.4.0.0 255.255.255.0 inside
  ssh timeout 5
  ssh version 2
  console timeout 0
  dhcpd option 6 ip 8.8.8.8 8.8.4.4
  dhcpd address 10.4.0.15-10.4.0.245 inside
  dhcpd dns 8.8.8.8 8.8.4.4 interface inside
  dhcpd lease 86400 interface inside
  dhcpd option 3 ip 10.4.0.1 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
  svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
  svc enable
  tunnel-group-list enable
  group-policy SSLVPN internal
  group-policy SSLVPN attributes
  dns-server value 8.8.8.8 8.8.4.4
  vpn-tunnel-protocol svc
  group-lock none
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value inside_split_tunnel
  vlan none
  address-pools value SSLVPNPool2
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  username user1 password
  username user1 attributes
  service-type remote-access
  username user2 password
  tunnel-group SSLVPNGROUP type remote-access
  tunnel-group SSLVPNGROUP general-attributes
  address-pool SSLVPNPool2
  default-group-policy SSLVPN
  tunnel-group SSLVPNGROUP webvpn-attributes
  group-alias SSLVPN enable
  prompt hostname context
  Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
  : end
  Thank in advance for any help!

  Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a windows firewall issue on the PCs?  I'd try pinging a router or switch just to make sure.
  --Jason

• Problem with AnyConnect VPN on ASA 5505

  Hello everyone,
  We're troubleshooting an issue where a client cannot pass any traffic across an AnyConnect VPN with an ASA5505 as the endpoint. The client receives and IP address in the 172.16.0.1/24 range and the ASA creates a static route to the 10.0.0.0/24 internal network but we cannot ping or connect to any internal IP address. The connection appears to fully build and pass traffic (based on the byte counts which increase) but we can't talk to the main network.
  Does anyone have any ideas as to what I can check?
  Thanks!
  Ryan

  AnyConnect client should not be in the same subnet as the internal hosts. It needs to be unique subnet within your environment, so you were on the right path initially.
  If you can share your config, that would be easier for us to check.
  In the meantime, a few things to check:
  1) Have you configured split tunnel policy?
  2) Do you have NAT exemption configured?
  3) Any VPN filter configured that might be blocking the traffic?
  4) Does the internal network know how to route back to the VPN Pool subnet (ie: via the ASA)
  5) Lastly, do you have "inspect icmp" configured?

• Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

  Hi Guys,
  I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
  Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
  For some odd reason, I am able to ping the following, with no issues.
  Cisco 3750 SVI (192.168.1.3)
  CentOS web server (connected directly to the Cisco ASA 5505)
  I have checked and enable the following:
  Nat Exemption
  Sysopt connection permit-vpn
  ACL's
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  Added ICMP in the inspection policy
  Packet-capture - Only getting echo requests.
  Thanks in advance!

  Hi,
  I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
  object network acvpnpool
  subnet <anyconnect VPN Subnet>
  object network insidelan
  subnet <inside lan subnet>
  nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
  Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
  Regards
  Karthik

• HT5312 I didn't make a rescue e-mail and now i forgot the answers of my security questions!!' And the apple support contact wont open???

  I didn't make a rescue e-mail and now i forgot the answers of my security questions!!' And the apple support contact wont open???

  I'm not sure what you mean by the 'apple support contact wont open' (?). If you mean the 'contact iTunes Store support' link on the page that you posted from I've just tried it and it seems to wok ok for me, though I haven't gone as far as to actually contact them.
  You can contact either iTunes Support or Apple to get the questions reset.
  e.g. you can try contacting iTunes Support : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page, then Account Management , and then 'Forgotten Apple ID security questions'
  or try ringing Apple in your country and ask to talk to the Accounts Security Team : http://support.apple.com/kb/HE57
  When they've been reset you can then use the steps on the page that you posted from to add a rescue email address for potential future use, or if it's available in your country you could change to 2-step verification : http://support.apple.com/kb/HT5570

• Support IPSec VPN Client in ASA Multiple Context Mode

  I've looked at under "Cisco ASA Series CLI Configuration Guide, 9.0" on "Configuring Multiple Context Mode", it says
  "IPsec sessions—5 sessions. (The maximum per context.) ".  Does it mean in ASA Multiple Contest Mode support IPSec VPN Client? I just want to confirm it because I can't seem find any doc that clearly spell it out.  I'll appreciate anyone who can clarify it.
  Thank Jason.
  ( Please direct me to the right group if I'm not for the first time I post it in the Cisco support forum)

  This is from the v9.3 config-guide:
  Unsupported Features
  Multiple context mode does not support the following features:
  Remote access VPN. (Site-to-site VPN is supported.)

• ASA 9.x support PBR?

  Hi Cisco Soldiers,
  I'd like to know if the new version for ASAs (9.x) support PBR (Policy-Based Routing).
  Regards
  Alek

  Hi,
  No, PBR is not officially supported on the ASA.
  The only way to achieve something like that is to play around with the NAT. Even though it usually works, as its not officially supported (atleast yet) theres naturally always a risk that it stops working because of some change.
  I have tried this for example in a situation where the user had 2 ISP links and wanted one DMZ network to use the other ISP for all outbound connections while the rest used the other ISP.
  - Jouni

• How to reset security questions after to many attempts and support is closed

  how to reset security question after to many attemptd and support is closed

  Unless you're desperate, wait until you can reach Apple's Account Security team.
  (118978)

• Is there anyway I can reset my security questions without having to call Apple support?

  Is there anyway I can reset my security questions without having to call Apple support?

  The Three Best Alternatives for Security Questions and Rescue Mail
       1.  Send Apple an email request at: Apple - Support - iTunes Store - Contact Us.
       2.  Call Apple Support in your country: Customer Service: Contact Apple support.
       3.  Rescue email address and how to reset Apple ID security questions.
  A substitute for using the security questions is to use 2-step verification:
  Two-step verification FAQ Get answers to frequently asked questions about two-step verification for Apple ID.

• I have an iphone 4 . i am adding mkv. format videos but it cannot show anything  So my question is that can iphone 5s support mkv. format ?

  i have an iphone 4 . i am adding mkv. format videos but it cannot show anything  So my question is that can iphone 5s support mkv. format ?

  How can I contact Viber support? When I go to their website there's no such thing as 'email us' or 'contact us'.
  They may have a do-it-yourself troubleshoot system but that doesnt help my problem at all.

• Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN

                     Dear All,
  i have the folloing case :
  i am using ASA as Certificate authority for cisco anyconnect VPN users,the authentication happens based on the local database of the ASA,
  i want to issue a new certificate every 72 hours for the users ,and i want to send the one time password via email to each user.
  so what the setting of the mail and smtp server should be ,
  was i understand i should put my smtp server ip address then i have to create the local users again under(Remte VPN VPN--Certificate management--Local certificate authority --Manage user Database) along with their email addresses to send the one time passsword to them via their emails.
  i sent the email manually ,hwo can automate sending the OTP to our VPN users automatically vi their emails?
  Best regards,

  Thanks Jennifer.
  I did manage to configure LDAP attribute map to the specific group policy.
  Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
  Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
  Example: let say my username is LLH.
  Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
  Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
  Only me know the preshared key and only me can login with my Connection Profile.
  Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
  Example:
  AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
  Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
  Any body can use LLH-Connection-Profile, login with another user name, let say user-abc which is a valid user in LDAP server. In that case, ASA assign 172.16.1.11 to user-abc and this user-abc can access server which only allow my IP to access.
  I hope above description can paint the scenario clearer.
  Thanks in advance for all the help and comment given.

• I downloaded the i07.  My id had changed a year ago and I forgot my password and my answer to the security question was not accepted.  Tech support say nothing that can be done.  I can no longer access my iphone.  Any suggestions

  I downloaded the i07.  My id had changed a year ago and I forgot my password and my answer to the security question was not accepted.  Tech support say nothing that can be done.  I can no longer access my iphone.  Any suggestions

  I believe part of the recovery process is you get an e-mail allowing you to reset questions.  If that e-mail isn't correct either because your son set it up then you really have no option but to ask Apple again.  They are getting strict abotu security and given the number of "My iTunes account got hacked" posts here I can guess why.  They have no way of knowing you really are the owner of the account.  It's like me going to a policeman and saying, "See that car over there?  That is mine, can you open the door for me?" and the police opening it on that basis alone.
  Frequently asked questions about Apple ID - http://support.apple.com/kb/HE37 --> Can I change the answers to the security questions for my Apple ID?  --> Yes. You can change the answers to the security questions provided when you originally signed up for your Apple ID. Go to My Apple ID (http://appleid.apple.com/) and click Manage your account.
  Forgotten security questions - https://discussions.apple.com/message/18402551  and https://discussions.apple.com/message/18625296
  More involved forgotten question issues - https://discussions.apple.com/thread/3961813
  Kappy 09/2012 post about security questions - https://discussions.apple.com/message/19569468
  John Galt's tips (09&11/2012) - https://discussions.apple.com/message/19809294 and https://discussions.apple.com/message/20229239
  If none of the above work, contact iTunes Support at http://www.apple.com/support/itunes/contact/ and follow the instructions to report the issue to the iTunes Store.

• Cisco AnyConnect VPN client and 256 AES encryption in IE8

  Hey,
  We have a site that we are trying to connect to with the AnyConnect VPN client version 2.5.3055 on Windows XP SP3. As soon as we enter the site info and hit select, it says a connection was unable to be established.
  I believe this has to do with the encryption, its set up with 256 bit AES. We are only able to install IE8, which on XP only supports up to 128 bit encryption, so in IE8 the page will not load. To fix that issue we installed firefox which supports 256 bit encryption. We can get to the page there, but when we go to connect to the same site VIA the VPN client it still will not connect. It will work fine on a windows 7 box with IE9 installed from the same network.
  My question mainly pertains to how the AnyConnect client connects on the back end. Does it use Internet explorer's SSL layer by default? Or does it have its own? If it connects through internet explorer, is there a way to change it to firefox so it will actually be able to open up a connection?
  Thank you for your answers in advance,
  John

  Hey Jeff,
  Thanks for answering that question. Hmm, so it doesnt go through the browsers SSL layer. We have systems on the same network (same proxy, firewall, vlan, etc). All the systems with windows XP SP3 and IE8/IE7 can not connect to the VPN (they arent even able to start the connection and ask for proxy/logon info.), all the systems with windows 7 and IE9 can. Same setups on each one as far as the security policies go as well. I thought it may have to do with the 256 bit encryption that they are using.
  If thats not the case, what else could be causing the problem? weve tested it on about 5 XP machines and 5 Win 7 machines, same results on each. Connects on Win 7, does not connect on Win XP.
  Thanks,
  John