Ssl vpn and soft phone

Does the ASA or IOS support an SSL VPN that includes the Cisco softphone like it does say RDP, SSH, etc?  I'm trying to determine if I can have a user connect a soft phone to our parent company's SSL VPN so they can use their Cisco phone system, while simultaneously having a remote access vpn tunnel to our division's data network.  In short, our employees need to use phones that don't exist on our network while having access to our data network.  I've been able to test having an SSL vpn session open at the same time as an IPSec remote access session, but the softphone is not an option in my current code of 8.4 on the ASA.  I thought I heard it might be available in 9.0.  It seems like it would work in reverse, i.e. having my users connect to my SSL VPN to use my data network and then IPSec to our parent company for the client's locally installed soft phone, but that's not an option for me.  The link below seems to suggest it's possible in IOS at least, but I haven't been able to find any details beyond the sales pitch it offers.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_securing_voice_traffic_with_cisco_ios_ssl_vpn.html
thank you

Following links may help you
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008072462a.shtml

Similar Messages

  • Works windows mobile with SSL VPN and anyconnect

    Hello,
    do anyone know if the following OS works with ASA 8.x SSL VPN client ,SSL clientless VPN and anyconnect client and Secure Desktop :
    windows mobile 5.0 Premium phone edition
    windows mobile 6.0
    windows embedded CE,Net
    windows mobile 2003
    Thank you for your help
    Michael

    [url=http://fztodds.24fast.info/washington225.html] washington [/url]
    [url=http://fztodds.24fast.info/washington16e.html] washington [/url]
    [url=http://fztodds.24fast.info/washingtond66.html] washington [/url]
    [url=http://fztodds.24fast.info/washington4e0.html] washington [/url]
    [url=http://fztodds.24fast.info/washington00b.html] washington [/url]
    [url=http://fztodds.24fast.info/washington1e7.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington0a8.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington9de.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washingtone4a.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington4ec.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington184.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washingtonb73.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington853.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washington1a5.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washingtonde7.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washington2b8.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washington902.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washingtonc99.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washingtoncc7.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washington598.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washingtonbe2.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washingtone9b.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washington4e0.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washington327.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washingtonada.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washingtond2b.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washington317.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington7cb.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washingtoneaf.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington259.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington8e0.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washingtonc03.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington092.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington79c.html] washington [/url]
    [url=http://aeaukol.rack111.com/washington766.html] washington [/url]
    [url=http://aeaukol.rack111.com/washingtona2e.html] washington [/url]
    [url=http://aeaukol.rack111.com/washington4c4.html] washington [/url]
    [url=http://aeaukol.rack111.com/washingtonb9f.html] washington [/url]
    [url=http://aeaukol.rack111.com/washingtond3a.html] washington [/url]
    [url=http://aeaukol.rack111.com/washington54a.html] washington [/url]
    [url=http://aeaukol.rack111.com/washington777.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington300.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington239.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington7b4.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washingtonad5.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washingtone03.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington399.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington9e9.html] washington [/url]
    [url=http://ggaubio.hostevo.com/washington878.html] washington [/url]
    [url=http://ggaubio.hostevo.com/washington525.html] washington [/url]

  • Cisco 1841 SSL VPN and Anyconnect Help

    I am pretty new to Cisco programming and am trying to get an SSL VPN set up  for remote access using a web browser and using Anyconnect version 3.1.04509. If I try to  connect via a web browser I get an error telling me the security  certificate is not secure. If I try to connect via Anyconnect I get an  error saying "Untrusted VPN Server Blocked." If I change the Anyconnect  settings to allow connections to untrusted servers, I get two errors  that say"Certificate does not match the server name" and "Certificate is  malformed." Below is the running config in the router at this time.  There is another Site-to-Site VPN tunnel that is up and working properly  on this device. Any help would be greatly appreciated. Thanks
    Current configuration : 7741 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname buchanan1841
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    no logging buffered
    enable secret 5 XXXXXXX
    enable password XXXX
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    crypto pki trustpoint buchanan_Certificate
    enrollment selfsigned
    revocation-check crl
    rsakeypair buchanan_rsakey_pairname
    crypto pki certificate chain buchanan_Certificate
    certificate self-signed 01
      30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
      170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
      311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
      0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
      AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
      79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
      0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
      68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
      97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
      DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
      4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
      3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
            quit
    dot11 syslog
    ip source-route
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    username buchanan privilege 15 password 0 XXXXX
    username cybera password 0 cybera
    username skapple privilege 15 secret 5 XXXXXXXXXX
    username buckys secret 5 XXXXXXXXXXX
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key p2uprEswaspus address XXXXXX
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec transform-set cybera esp-3des esp-md5-hmac
    crypto ipsec profile cybera
    set transform-set cybera
    archive
    log config
      hidekeys
    ip ssh version 1
    interface Tunnel0
    description Cybera WAN - IPSEC Tunnel
    ip address x.x.x.x 255.255.255.252
    ip virtual-reassembly
    tunnel source x.x.x.x
    tunnel destination x.x.x.x
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile cybera
    interface FastEthernet0/0
    description LAN Connection
    ip address 192.168.1.254 255.255.255.0
    ip helper-address 192.168.1.2
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/1
    description WAN Connection
    ip address x.x.x.x 255.255.255.224
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface ATM0/0/0
    no ip address
    shutdown
    atm restart timer 300
    no atm ilmi-keepalive
    interface Virtual-Template2
    ip unnumbered FastEthernet0/0
    ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
    ip local pool LAN_POOL 192.168.1.50 192.168.1.99
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 x.x.x.x
    ip route 4.71.21.0 255.255.255.224 x.x.x.x
    ip route 10.4.0.0 255.255.0.0 x.x.x.x
    ip route 10.5.0.0 255.255.0.0 x.x.x.x
    ip route x.x.x.x 255.255.240.0 x.x.x.x
    ip route x.x.x.x 255.255.255.255 x.x.x.x
    ip route x.x.x.x 255.255.255.255 x.x.x.x
    ip http server
    no ip http secure-server
    ip nat inside source list 1 interface FastEthernet0/1 overload
    ip nat inside source static tcp 192.168.1.201 22 x.x.x.x 22 extendable
    ip nat inside source static tcp 192.168.1.202 23 x.x.x.x 23 extendable
    access-list 1 permit 192.168.1.0 0.0.0.255
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    password xxxxx
    transport input telnet ssh
    scheduler allocate 20000 1000
    webvpn gateway gateway_1
    ip address x.x.x.x port 443
    http-redirect port 80
    ssl trustpoint buchanan_Certificate
    inservice
    webvpn install svc flash:/webvpn/anyconnect-w
    in-3.1.04059-k9.pkg sequence 1
    webvpn context employees
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "LAN_POOL"
       svc default-domain "buchanan.local"
       svc keep-client-installed
       svc dns-server primary 192.168.1.2
       svc wins-server primary 192.168.1.2
    virtual-template 2
    default-group-policy policy_1
    aaa authentication list ciscocp_vpn_xauth_ml_2
    gateway gateway_1
    max-users 10
    inservice
    endbuchanan1841#

    Perhaps you have changed the host-/domainname after the certificate was created?
    I'd generate a new one ...
    Michael
    Please rate all helpful posts

  • Clientless SSL VPN and ActiveX question

    Hey All,
    First post for me here, so be gentle.  I'll try to be as detailed as possible.
    With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports.  However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site, and their NOC center.  I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session setup.  Ultimately, this will be 8 individual sites, so setting up SSL VPN's at each site would be cost prohibitive from a licensing perspective.  My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPN's via ASA5505, (same rev as the 5510 )setup with each of the sites.
    First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server).  I am unable to browse (via bookmark) to the internal address of the remote web server.  Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal.  I am testing this external connectivity using a cell card to be able to simulate outside access.  Is accessing the external IP address by design, or do I have something hosed?
    Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions.  I am not able to use controls that require my company's ActiveX controls (video, primarily).  I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through.  The stream only runs at about 5 fps, so it's not an intense stream.
    I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail.  I do see a decent number of "no translates" from a show nat:
      match ip inside any outside any
        NAT exempt
        translate_hits = 8915, untranslate_hits = 6574
    access-list nonat extended permit ip any any log notifications
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list outside_in extended permit icmp any any log notifications
    access-list outside_in extended permit tcp any any log notifications
    pager lines 24
    logging enable
    logging asdm informational
    logging ftp-server 192.168.16.34 / syslog *****
    mtu inside 1500
    mtu outside 1500
    ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 1 interface
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.16.32 255.255.255.224
    nat (inside) 1 192.168.17.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_in in interface outside
    192.168.2.0 is my corp network range
    192.168.2.171 is my internal IP for corp ASA5510
    97.x.x.x is the external interface for my corp ASA5510
    192.168.16.34 is the internal interface for the remote ASA5505
    64.x.x.x is the external interface for the remote ASA5505
    192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
    As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out   Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% proper to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505.  I'm sure that the issue is probably going to be a mix of ACL's between the 5510, and the 5505.
    I guess the main question, is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install, or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN.  Am I going about this the right way?  Anyone have any suggestions, or do I have my config royally hosed?
    Thanks much for any and all ideas!

    Hey All,  I appreciate all of the views on this post.  I would appreciate any input - even if you think it might be far-fetched.  I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself.  Thanks, in advance!!

  • Anyconnect ssl vpn and acl

     Hi Everyone,
    I was testing few things at my home lab.
    PC---running ssl vpn------------sw------router------------ISP--------------ASA(ssl anyconnect)
    anyconnect ssl is working fine and i am also able to access internet.
    I am using full tunnel
    i have acl on outside interface of ASA
    1
    True
    any
    any
    ip
    Deny
    0
    Default
    i know that ACL is used for traffic passing via ASA.
    I need to understand the traffic flow for access to internet via ssl vpn.?
    Regards
    MAhesh

    As you say correctly, the interface-ACL is not important for that as the VPN-traffic is not inspected by that ACL. At least not by default.
    You can control the traffic with a different ACL that gets applied to the group-policy with the "vpn-filter" command. And of course you need a NAT-rule that translates your traffic when flowing to the internet. That rule has to work on the interface-pair (outside,outside).

  • SSL VPN and dedicated IP address

    Hello
    I have an ASA 5505 8.3 and i setup it with ADSL 6.3
    I am trying to dedicate IP addresses to clientless SSL VPN user: is it possible ?
    If not is it possible with Anyconnect client ?
    If yes i can't perform it !
    I have a user test and i want dedicated him an IP address . After authentification user can connect to a web application but when i see the netstat, it is the IP adress of the ASA which is connected ...
    Could you help me ?
    Regards
    L.Malandain

    Two ways -
    Frist create pool with one IP address and assign that to group policy.
    Second- modify the user atributes-
    username test password xxxxx
    username test attributes
    vpn-framed-ip-address
    Thanks
    Ajay

  • SSL VPN and Dynamic DNS - ddns on IOS

    Hello,
    I'm trying to configure a SSL VPN tunnel via SDM on a 877 Router. The router gets the public IP address dynamically from the ISP, so I have configured the DDNS to access remotely to the router. I would like to know if it's possible to configure the SSL VPN to support the dynamic IP via SDM o CLI.
    Regards
    Gerard

    Seems like i have fixed the problem using:
    webvpn gateway gateway_1
    ip interface Dialer0 port 443
    ssl trustpoint local
    inservice
    However when the router is rebooted, it results in this error:
    Invalid ip address First configure an IP address for the gateway
    Any idea how to delay the webvpn commands at startup until dialer0 gets a dynamic IP ?

  • IP Phone SSL VPN and Split tunneling

    Hi Team,
    I went throught the following document which is very useful:
    https://supportforums.cisco.com/docs/DOC-9124
    The only things i'm not sure about split-tunneling point:
    Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
    I could see many implementation when they used split-tunneling, like one of my customer:
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    banner value This system is only for Authorized users.
    dns-server value 10.64.10.13 10.64.10.14
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value prod.mobily.lan
    address-pools value SSLClientPool
    webvpn
      anyconnect keep-installer installed
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect ask none default anyconnect
    username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
    username manager-max attributes
    vpn-group-policy GroupPolicy1
    tunnel-group PhoneVPN type remote-access
    tunnel-group PhoneVPN general-attributes
    address-pool SSLClientPool
    authentication-server-group AD
    default-group-policy GroupPolicy1
    tunnel-group PhoneVPN webvpn-attributes
    group-url https://84.23.107.10 enable
    ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
    access-list split-tunnel remark split-tunnel network list
    access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
    It is working for them w/o any issue.
    My question would be
    - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
    Thanks!
    Eva

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • Cisco E4200 and VPN and Vontage Phone service.

     I have a E4200 Router. I would like to  subscribe to a VPN service and possiby flash the router with DD-WRT so I can take advantge of of the VPN across my network and allow my various clents ( Roku, Boxee Box, etc ) to have access to the VPN.  My question is what is required to to have access to VOIP  say using Vontage. Will the router be cable of this ? Is it possible to be able to use the commerical VPN service using Linksys firmware ?  It appears my only option is to use third party firm ware ,such as DD-WRT or Tomato for the VPN.    I've heard some talking about using TWO routers, but I haven't been seen much detail on this option.
    Thanks !
    Glenn

    VPN Services that I have heard of use static DNS entries which you can setup in your routers DHCP settings
    DD-WRT may not be required for what you mention
    Vonage you just plug in (A QOS policy isn't required unless you have bandwidth issues)
    The router can do this with Linksys firmware or DD-WRT
    VPN passthrough is supported but your VPN connections have to be setup in your computers and devices
    Third party software isn't required unless you experience firmware issues
    Two routers are only required if you need to extend your wireless into areas where you have low signal strength
    I can provide detail on adding multiple router onto your network.
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • Trying to set up a ssl vpn and can't get to it from outside?

    I have a barracuda sslvpn and a
    Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    When I try and edit the vpn service object to say destination 444 source default insted of source 444 I get this.
    [OK] object service VPN
          object service VPN
    [ERROR] service tcp destination eq 444
    Object is used in IPv6 access-list out_in. Can't change IP to IPv4.
    ERROR: object (VPN) updation failed due to internal error

    HI franklyhollywood:
    Joomla is easy to set up (install) once Mysql and PHP is properly set up. CMS (Content Management
    System) websites are the way to go. I am migrating all my sites to CMS, either full CMS or Partial
    CMS. The Server Guys (and Girls) can help you get it set up properly. If you don't want the hassle
    of configuring MySql and PHP on your Mac, use the preconfigured MAMP setup:
    http://www.mamp.info/en/index.html
    I am only interested in the final product (the website), so I chose MAMP to handle the database and
    scripting language (PHP) chores. MAMP can be Installed, configured and up and running in minutes,
    leaving me free to develop and make ready my sites for uploading to their eventual home on my
    hosting provider's server.
    Kj ♘

  • EasyVPN on RV320 + SSL-VPN + Mac IPSec

    I just bought a Cisco RV320, and am trying to get it configured for providing VPN connectivity
    Starting with the EasyVPN I have setup a full tunnel using the defaults, and it shows it created to the ip address 192.168.168.0/24 - which makes sense to me as that is the local LAN the device is connected to.
    When I go the "Summary" page, it shows the Virtual IP Range as 172.16.100.100-100.129.
    I've installed the EasyVPN client on my target (Windows) machine, I get a connect, and I am tunnelled through the VPN, I can get out to the internet, but I have no access to the 192.168.168.0/24 network which is the desired local LAN I want to connect to.
    It would appear that I am missing a route from the virtual 172.16.100.0 network to the local LAN.  Any suggestions on how to resolve this?
    As a backup, I tried setting up the SSL-VPN, and while I authenticate and connect, every time I try to launch the VirtualPassage get an error that the "Port is in use", and the adapter fails to install.
    I also have a Mac that I want to use with this device.  The CD came with a client - vpnclient-darwin-4.9.01.0280-universal-k9.dmg - which installs, but gives an error saying it cannot talk to the VPN subsystem.
    Is an EasyVPN an actual IPSec VPN, and will the native Mac Cisco IPSec VPN work as a client?
    My priorities are:
    1.  Get the EasyVPN working in full tunnel mode on my Win-7 x32, and be able to connect to the target 192.168.168.0 network.
    2.  Get the VPN going on my Macbook (running Mavericks)
    3.  Get the SSL VPN working.
    If anyone can help me with this it would be greatly appreciated.
    One last question - the RV320 also allows the creation of a "Group VPN".  What is the difference between it and the EasyVPN?  It looks pretty similar except for the "Remote Client Domain Name" which can't be left empty.  The remote client will be multiple laptops: what would one put for a Domain Name?
    The EasyVPN is just that, but if I want a real IPSec VPN with a "shared secret", and be compatible with the Mac, what is the best way to configure the RV320?
    As an aside, I know the Mac Cisco IPSec client works as I use it to connect to my work VPN which is an enterprise level ASA device.
    Thanks for any help you can give.

    The short answer is , get rid of the RV320 and get a different router.
    The RV320 VPN is buggy and Cisco apparently couldn't care less since the last firmware was released over 7 month ago.
    I haven't been able to get mine to work consistently and found out that I'm not alone after searching the web for an answer.
    You could give PPTP a try if you are not too concerned about security.
    Good luck.

  • Anyone using Cisco Clean Access with Juniper SSL VPN?

    We're testing Cisco Clean Access with Juniper SSL VPN, and are running into a problem with single sign on. The Juniper box is sending the user's source IP as the framed-ip-address, and not the Network Connect assigned IP, which is why we need to get SSO to work. Has anyone done this, and what did you do to get it working? Thanks.

    Hi,
    I've no experience with this app but it does list
    Juniper as a sujpported client:
    http://www.equinux.com/us/products/vpntracker/interoperability.html

  • Jabber client and IP Phone SSL VPN to ASA using AnyConnect

    Also for Jabber 9.1 can the Jabber for X softphone client (CUCM) can fireup a SSL VPN direct to ASA, similar to how 7965s can? Anyone aware if Jabber 10 or next version will support Jabber client with ASA? I have this delpoyed with 7965s and certificates but I have to manually start a AnyConnect session for Jabber for Windows on my laptop.
    https://supportforums.cisco.com/docs/DOC-9124

    The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
    http://www.cisco.com/en/US/netsol/ns1246/index.html
    PS- Jason could have found out details in advance since DiData has partner NDA status.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • IP phone SSL VPN configuration issue

    Hello,
    I am trying to configure the SSL VPN for the IP phone.
    I am using the CM8.0.2 and 7975.
    - I configured ASA and tested with my PC. PC can ping the CM.
    - I uploaded the ASA cert as a Phone-VPN-trust
    - I uploaded the CA root cert. Tried both, Phone-VPN-trust and Phone-trust. Which one is correct?
    - I created a VPN gateway and typed URL and selected the cert
    - I created the VPN group and added the VPN gateway to it.
    - I created the VPN profile and added the VPN group to it.
    - I disabled the Host ID check
    - I configured the Common Phone Profile with VPN group and VPN profile and added it to a 7975 phone.
    When I go into the phone settings, the VPN option is disabled and the Enable soft button is greyed out.
    What is missing? What am I doing wrong?

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • IP Phone Over SSL VPN Registering Issue

    I have a Cisco 7945G phone that I have setup with a VPN profile so it can be used remotely.  This device was configured properly, tested at multiple locations and implemented.  This device worked fine for several months but recently the end user has moved into a new house and now has a new service provider (Verizon FIOS).  Now for some reason the phone will not get past the Registering process and doesn't prompt her for her VPN credentials.  Nothing has changed with the phone so I am assuming it is either her new ISP or the Modem/Router they provided her.  The device gets an IP address via DHCP from her home network but then just sits as the registering screen.  She is able to use the Anyconnect client on her laptop to connect to our SSL VPN that way so I don't think the provider is blocking VPN traffic; but there is something that is stoping the phone from getting out.            

    Honestly best thing you could try is download the console logs from the phone and review the VPN bootup process. Check if it's able to establish a TCP connection to the URL of the VPN.
    Maybe their DHCP doesn't give it a DNS server, and phone is unable to resolve your VPN URL? (a shoot in the dark)
    If the phone console logs don't reveal a lot of info, your best shot is a capture at the user site, so we could review the process.

Maybe you are looking for

  • Error message FI 759: Fund does not exist in FM area

    Hill! I have to make a distribution in CO-OM (tr KSV5) according to fund But if I customize fund as sender, choose fund from the fund catalog  and make a formal chek of cycle I see an error message FI 759: Fund does not exist in FM area. How can I ma

  • Role-Based CLI Views with AAA method

    Hi, I'm configuring Role-Based CLI Views on a router for limiting access to users. My criteria: - There should be a local user account on the router that has the view 'service' attached to it - If the router is online and can reach the radius server,

  • How do I activate a French dictionary in Safari?

    I love how double tapping on a word with three fingers in Safari brings up a dictionary definition. Is there any way I can get it to search a French dictionary as well as an English one? I suppose just a French one is as good.

  • Problem opening illustrator CC document

    I tried open an adobe illustrator CC document in Ai CC in mac environment but it prompted me that the file is in an unknown format and cannot be opened. I am clueless...any one know why? please advise me. appreciate your help alot!

  • Currency system variable

    hi ABAPers, what is the system variable to know about currency type?