VPN und Cisco Anyconnect Cisco ISA570 - einrichtung

Similar Messages

• Setting up IPsec VPNs to use with Cisco Anyconnect

  So I've been having trouble setting up vpns on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, but from what I've read you can do this with and still use Cisco Anyconnect. My knowledge on how to set up VPNs especially in iOS verion 8.4 is limited so I've been using a combination of command line and ASDM.
  I'm finally able to connect from a remote location but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-lan connections. I've been using a preshared key for this. Documentation is limited on what should happen after you connect? Shouldn't I be able to access computers that are local to the vpn connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP address altered and stuff that is completely non-related to vpns removed.
  NOTE: We are still testing this ASA and it isn't in production.
  Any help you can give me is much appreciated.
  ASA Version 8.4(2)
  hostname ASA
  domain-name domain.com
  interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 192.168.0.1 255.255.255.0
  interface Ethernet0/1
  nameif outside
  security-level 0
  ip address 50.1.1.225 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  no nameif
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  boot system disk0:/asa842-k8.bin
  ftp mode passive
  dns domain-lookup outside
  dns server-group DefaultDNS
  same-security-traffic permit intra-interface
  object network NETWORK_OBJ_192.168.0.224_27
  subnet 192.168.0.224 255.255.255.224
  object-group service VPN
  service-object esp
  service-object tcp destination eq ssh
  service-object tcp destination eq https
  service-object udp destination eq 443
  service-object udp destination eq isakmp
  access-list ips extended permit ip any any
  ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
  no failover
  failover timeout -1
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
  object network LAN
  nat (inside,outside) dynamic interface
  access-group outside_in in interface outside
  route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
  sysopt noproxyarp inside
  sysopt noproxyarp outside
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=ASA
  crl configure
  crypto ca server
  shutdown
  crypto ca certificate chain ASDM_TrustPoint0
  certificate d2c18c4e
      308201f3 3082015c a0030201 020204d2 c18c4e30 0d06092a 864886f7 0d010105
      0500303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
      f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
      6f6d301e 170d3131 31303036 31393133 31365a17 0d323131 30303331 39313331
      365a303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
      f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
      6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b2
      8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b
      37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c
      234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c51782
      3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02
      03010001 300d0609 2a864886 f70d0101 05050003 8181009d d2d4228d 381112a1
      cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc
      18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6
      beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef
      af72e31f a1c4a892 d0acc618 888b53d1 9b888669 70e398
    quit
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 10
  console timeout 0
  management-access inside
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  enable outside
  anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
  anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
  anyconnect profiles VPN disk0:/devpn.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy VPN internal
  group-policy VPN attributes
  wins-server value 50.1.1.17 50.1.1.18
  dns-server value 50.1.1.17 50.1.1.18
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
  default-domain value digitalextremes.com
  webvpn
    anyconnect profiles value VPN type user
    always-on-vpn profile-setting
  username administrator password xxxxxxxxx encrypted privilege 15
  username VPN1 password xxxxxxxxx encrypted
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  address-pool (inside) VPNPool
  address-pool VPNPool
  authorization-server-group LOCAL
  default-group-policy VPN
  tunnel-group VPN webvpn-attributes
  group-alias VPN enable
  tunnel-group VPN ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  class-map ips
  match access-list ips
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect http
  class ips
    ips inline fail-open
  class class-default
    user-statistics accounting

  Hi Marvin, thanks for the quick reply.
  It appears that we don't have Anyconnect Essentials.
  Licensed features for this platform:
  Maximum Physical Interfaces       : Unlimited      perpetual
  Maximum VLANs                     : 100            perpetual
  Inside Hosts                      : Unlimited      perpetual
  Failover                          : Active/Active  perpetual
  VPN-DES                           : Enabled        perpetual
  VPN-3DES-AES                      : Enabled        perpetual
  Security Contexts                 : 2              perpetual
  GTP/GPRS                          : Disabled       perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 250            perpetual
  Total VPN Peers                   : 250            perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  This platform has an ASA 5510 Security Plus license.
  So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

• Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

  Greetings,
  I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASA's do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
  Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
  OR 
  Am I forced to put the ASA behind the filtering device somehow?

  Hi Jim,
  You can use tunnel default route for vpn traffic:
  ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
  configure mode commands/options:
    <1-255>   Distance metric for this route, default is 1
    track     Install route depending on tracked item
    tunneled  Enable the default tunnel gateway option, metric is set to 255
  This route is applicable for only vpn traffic.
  HTH,
  Shetty

• Cisco AnyConnect VPN won't install, says There is a newer version of the AnyConnect client already installed

  I had an issue with my Cisco Anyconnect VPN not working, so uninstalled it. I've tried a new install and now I get the message "There is a newer version of the AnyConnect client installed" and it won't tell me install it at all. I've gone through various recommendations on the site included this :-
  Go to "Regedit" and search for "Deterministic Networks" and delete it.
  HKEY_LOCAL_MACHINE \SOFTWARE\Deterministic Networks
  Search with the following keywords in the registry, under "Uninstall" or  "Components" folders and delete any related entries.
  Vpnapi
  Vpngui
  Cisco
  CVPND
  CVPNDRA
  Ipsecdialer
  Source: https://supportforums.cisco.com/message/3728011#3728011
  But I've still got the same problem, and just cant find anything to help !

  Disable Internet Connection Sharing (ICS) and then try You can disable ICS in two ways:
  Per Adapter:
  Click the Start button.
  Click on Control Panel.
  Click on View Network Status and Tasks
  Click on Change adapter settings
  Right-click the shared connection and choose Properties
  Click the Sharing tab
  Clear the Allow other network users to connect through this computer's Internet connection checkbox
  Click OK
  System Wide:
  Click the Start button (Windows' orb)
  Type: services.msc and press ENTER
  Double-Click on Internet Connection Sharing (ICS)
  Change Startup Type to Disabled
  Reboot the computer
  You can now try reinstalling the WiscVPN client again

• Unable to unistall Cisco AnyConnect VPN - please help

  I have upgraded to Windows 8.1 preview on my Surface Pro. My Cisco AnyConnect VPN stopped working. When I uninstalled the software it left the ‘Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64’ under the network adapters in Device Manager. No matter what I do, I cannot uninstall it from there. I tried everything including uninstalling in safe mode. I says it uninstalled but still appears there. I believe because of this, my internet connection performance has decreased tremendously. It also disconnects and reconnects sometime after. My other computers work perfectly with maximum speed.
  Please Help.
  Thanks,
  Mike

  Windows Event Log detail as follows:
  Faulting application name: vpnagent.exe, version: 3.1.4066.0, time stamp: 0x52211732
  Faulting module name: Dbghelp.dll, version: 6.3.9600.16520, time stamp: 0x52e690ac
  Exception code: 0xc0000005
  Fault offset: 0x00029132
  Faulting process id: 0x1e74
  Faulting application start time: 0x01d02328f37bd890
  Faulting application path: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
  Faulting module path: C:\Windows\SYSTEM32\Dbghelp.dll
  Report Id: 31beb6d1-8f1c-11e4-8278-54271ebdf9a6
  Faulting package full name: 
  Faulting package-relative application ID: 

• Cisco AnyConnect WEB/SSL VPN - does not launch after Apple's security update on Mac OS 10.7 and 10.6

  AnyConnect version: 2.5.2001
  Mac OS versions: 10.7.2 and 10.6.8
  We used to invoke Cisco AnyConnect VPN via the Safari browser for the SSL URL and it used to work fine on Mac OS 10.6 and 10.7. Apple released a security update on 8/Nov/2011 (see: http://support.apple.com/kb/HT5045) and after applying the update, invoking AnyConnect from the browser no longer invokes the AnyConnect application on the machine. The browser stops at this page repeatedly:
  I have installed AnyConnect on my machine and am able to invoke it explicitly, but browser login just fails to do that. I have tried re-installing AnyConnect, but the problem still persists.
  Any help would be highly appreciated as we are in a show-stopped situation because of this issue.
  Thanks
  Vivek.

  This is an old issue, but I ran into it continually this month while trying to use AnyConnect on my Mac 10.8+ version.
  For me, the solution was:
  I realized that I should have seen a pop-up warning me about the dangers of using Java etc. etc but it seemed as if my computer was blocking it automatically without giving me the option.
  I went to the Java page (Java.com) and clicked on "Do I have Java?" The plug-in was inactive, so clicking it allowed me to check that my Java was up to date. Going back to my AnyConnect, this time, it seemed to go through and give me all the pop-ups allowing me to allow Java.

• Cisco AnyConnect Secured Mobility Client not saving the VPN url after disconnecting from session/restarting client

  Hello there.
  I am having a problem with Cisco AnyConnect version 3.1.04072. When one of my colleagues disconnects from the VPN session, closes out the program, and then later on, reopens the client, the address that he manually entered did not save and it's defaulting on the two now-defunct VPN servers listed.
  Here's an example to see if it makes more sense:
  -User opens Cisco AnyConnect. By default, there are two selections available on the pulldown:
  SSLVPN.abcdefg.com
  access.abcdefg.ca
  These two VPN servers are now defunct and we use a new VPN server:
  access.abcdefg.com
  The user has to manually type it in. He is now able to connect. However, when disconnected. Regardless if the program is closed or not, it does not save the new VPN server address, rather goes back to the default two VPN servers listed.
  I've checked XML, HTML, registry keys, sys files, dll files to see if I can change the default servers manually. No sign of it.
  I'm hoping that someone out there knows a solution to fix it.
  Thanks in advance!

  Hi Vergel ,
  You can create Anyconnect client profile on ASA. In this profile , you can define the hostname/IP that you wish to connect , along with hostname/IP that should be displayed on the client.
  In the client profile , you can define these parameters - "HostName" and "HostAddress" as "access.abcdefg.com" so that any user , who tries to connects , will see "access.abcdefg.com" as the name displayed in the anyconnect connect field.
  On the client, the xml profile (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) [Win 7] can be seen using those parameters as follows:-
          <HostEntry>
              <HostName>access.abcdefg.com</HostName>
              <HostAddress>access.abcdefg.com</HostAddress>
          </HostEntry>
  Ref:- http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac03vpn.html#89103
  Additionally, you can try to delete preferences.xml file to remove the redundant hostnames from the anyconnect connect filed.
  Path for preferences.xml is C:\Users\Cisco\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client (Win 7),
  Hope this helps.
  Regards,
  Dinesh Moudgil
  P.S. Please rate helpful posts.

• VPN issues after updating to Cisco AnyConnect 3.1.04072?

  Even after downloading the most recent version of Cisco Client 3.1.04072 (see below) I'm still getting a periodic disconnect and reconnect from my VPN client.  Issue only seems to occur when I'm connecting from outside my company's wi-fi network.  Happens on both my personal and on public wi-fi.  Is anyone else experiencing a similar issue?
  Changes in AnyConnect 3.1.04072 (and 3.1.04074)
  The Mac OS X versions of AnyConnect were updated to 3.1.04074 to resolve the problem of frequent disconnects of the AnyConnect VPN on systems running Mac OS X 10.9 (Mavericks). Apple is aware of this issue and you can reference Apple Bug Report ID 15261749 if you want to open your own case with them. AnyConnect 3.1.0474 also supports Mac OS X 10.8, 10.7 and 10.6.
  Once Apple provides a fix for OS X 10.9, we may choose to retract this workaround. At that time, both versions 3.1.04074 and 3.1.04072 of AnyConnect will work reliably with Mac OS X 10.9.
  Defect CSCui69769 was fixed by version 3.1.0704.
  AnyConnect 3.1.04072 is a maintenance release that resolves the defects described in Caveats Resolved by AnyConnect 3.1.04072 and is compatible with Host Scan Engine Update, 3.1.04075.

  Pete is right, I apparently don't know how to read version numbers!  I downloaded the 3.1.05152 version of Cisco AnyConnect, and I no longer experience the reconnect issue on Mavericks.  Yea!
  In my defense, there is no such version 3.1.04074 listed on the download page:
  http://software.cisco.com/portal/pub/download/portal/select.html?&mdfid=28300018 5&flowid=17001&softwareid=282364313
  So I mistakenly downloaded 3.1.04072 in a moment of dyslexia.  I suspect I'm not the first person to come along and do this!
  PS:  You need a service contract with Cisco to download this file.  If you don't have one, and/or your IT administrator isn't able to provide you with one, you might try doing a google search for the actual filename:  anyconnect-macosx-i386-3.1.05152-k9.dmg.  If you go this route, at least compare the md5 checksum with the one listed on Cisco's website (it shows up if you hover your cursor over the file) to ensure you're not running a hacked VPN client.  For example, running "md5 anyconnect-macosx-i386-3.1.05152-k9.dmg" should produce a884f2092d08f006b2dc3a5054988f1c.  If it does not, it's not the same binary as on Cisco's downloads page so you probably don't want to run it.

• New vpn conncetion using Cisco Anyconnect Secure Mobility Client

  (Not sure if I'm in the right forum.)
  I'd like to connect via VPN to complete work tasks while not on the network.  My Windows 8 laptop came with Cisco Anyconnect Secure Mobility.  How do I or where do I go to add the new settings for this new vpn location?  I have connections in the drop down list that I no longer use/need.
  The VPN connetion failed due to unsuccessful domain name resolution.

  Right now I'm testing on a single access point (autonomous) with WEP! The same laptop works fine without the Cisco client. Usually it is several hours, 12 or more when it happens, but I've seen it less than that. And I've seen it up for over a day and a half. At this point I just don't trust the client to roll out to a larger audience.

• Cisco AnyConnect VPN app on iPhone 4s won't connect

  I have successfully installed the Cisco AnyConnect VPN app on my iPad Air and can connect to my target VPN. But the same app on my iPhone 4s won't work. When I try to connect I get this message: "Connect using Cisco AnyConnect App at least once before using any other App." I'm not trying to use another app, in fact I closed all other apps. I'm using the same settings as the Air. I tried with wi-fi, turned wi-fi off, location services on and off, etc. I'm on Verizon.
  Has anyone got this to work on an iPhone?
  Thanks

  Although I agree that this is really a question for Cisco, finding/receiving an official answer there may take a while.
  This app worked fine for me until I upgraded today - June 19, 2014 - the date of the release of Version 3.0.09430. After upgrade, I get the same message. The update note says "Apple IOS Connect On Demand Considerations - To ensure proper establish of Connect On Demand VPN tunnels after updating AnyConnect, users must manually start the Any Connect app and establish a connection. If this is not done, upon the next iOS system attempt to establish a VPN tunnel, the error message 'The VPN Connection requires an application to start up' will display."
  But I too have tried various interpretations of that, and still get the error above quoted by azmilt.
  It appears that either:
  - the upgrade is faulty
  - the version itself is faulty
  - the directions for a proper upgrade need clarification
  So if anyone has upgraded to this version, and made it work, I think that providing a procedure would help the community.

• Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN

                     Dear All,
  i have the folloing case :
  i am using ASA as Certificate authority for cisco anyconnect VPN users,the authentication happens based on the local database of the ASA,
  i want to issue a new certificate every 72 hours for the users ,and i want to send the one time password via email to each user.
  so what the setting of the mail and smtp server should be ,
  was i understand i should put my smtp server ip address then i have to create the local users again under(Remte VPN VPN--Certificate management--Local certificate authority --Manage user Database) along with their email addresses to send the one time passsword to them via their emails.
  i sent the email manually ,hwo can automate sending the OTP to our VPN users automatically vi their emails?
  Best regards,

  Thanks Jennifer.
  I did manage to configure LDAP attribute map to the specific group policy.
  Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
  Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
  Example: let say my username is LLH.
  Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
  Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
  Only me know the preshared key and only me can login with my Connection Profile.
  Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
  Example:
  AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
  Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
  Any body can use LLH-Connection-Profile, login with another user name, let say user-abc which is a valid user in LDAP server. In that case, ASA assign 172.16.1.11 to user-abc and this user-abc can access server which only allow my IP to access.
  I hope above description can paint the scenario clearer.
  Thanks in advance for all the help and comment given.

• Trouble with Cisco Anyconnect VPN Client

  Hello,
  our Cisco AnyConnect VPN Client has stopped working, we are a medical office and we are attempting to connect to "clientvpn.e-mds.com" however it will not connect, the username and password we input are irrelevant it doesnt come up with a "wrong credentials" window it just erases the password and at the bottom of the window it says "Please enter your username and password". our version is 2.5.0217 does anyone know anything to try? any help would be appreciated

  you may want to try the OS X networking forums:
  http://discussions.apple.com/forum.jspa?forumID=733

• Problem using SunRay with Cisco AnyConnect VPN Client

  I am using Cisco AnyConnect VPN Client Version 2.5.3046
  I  have a PC and a SunRay connected to my router. I use VPN to connect my  SunRay and my PC to my work computer. My PC works fine, I am able to  connect to the internet and also run cisco VPN to connect to my work  computer. But when I try to use my SunRay, I get a window on the screen  with the message:
      VPN IKE Phase 1 agg I msg1This window  keeps moving around on the screen. I am not able to connect my SunRay  through VPN to my work computer. Any idea what could be wrong and how I  can fix this?

  2.2 is definitely better.
  On one PC, I'm fine. On another -- very similar -- it tells me it can't start the VPN even after uninstalling and re-installing and everything else I can think of, with plenty of re-boots inbetween.
  Aaaaarrrrrrggggggghhhh.

• No Audio on either end Cisco Jabber for Windows over Cisco AnyConnect

  Our telephony staff is replacing our aging/unsupported VoIP system with a Cisco system and as the network tech, I'm trying to get Jabber for Windows to work over our AnyConnect VPN client.  Jabber to Cisco phone and Jabber to Jabber calls work fine within our LAN.  
  However, when I take a laptop to a separate internet connection and connect to the network via the VPN, I can't get any audio to pass across the system, in either direction.  If I call a phone on our LAN using the Jabber client (via AnyConnect), the phone rings and when I answer it, it's just dead air on both ends.  If I reverse the process, calling from the phone to the Jabber client, the same thing, Jabber client rings, but dead air both ways once I answer.  
  Things I can do from the laptop over the VPN connection:
  I'm able to get to the phone's web interface using that same laptop.
  I can ping the phone as well.  In fact, the VPN profile I'm using has full access to the entire VoIP Vlan including all IP traffic (all ~65,000 ports).
  Searching the address book also works fine.  I can search for staff and it's pulling directly from our Active Directory environment.
  Is there any special settings on the firewall that I need to setup to allow the voice traffic (which I assume is RTP traffic)?  I tried to add a service policy for RTP traffic, but that didn't seem to work...unless I built it wrong.
  Jabber for Windows - 10.6.0
  Cisco Anyconnect - 3.1.06079
  Cisco 5515-x ASA - 9.2

  I was able to resolve this on my own.  I thought that SIP traffic needed to be inspected via the global inspection policy in order for it to pass through the firewall. I ran into the same issue with ICMP traffic from an Anyconnect client to LAN devices. I had to enable ICMP in that policy for us to be able to ping LAN devices over the VPN tunnel. So when I saw that SIP was already being inspected by this policy, I moved on looking for other solutions. Then I stumbled deep within a Google search (almost hit the end of the Internet doing so) where someone mentioned that SIP shouldn’t be inspected by that policy. So I unchecked it and bam! Voice is now working over the anyconnect client to phones on the LAN. 

• Windows 8 64 bit issues with Cisco AnyConnect Secure Mobility Client version 3.1.04072

  I am having an issue with the Cisco AnyConnect Secure Mobility Client version 3.1.04072 on a Windows 8 64 bit laptop.
  I am able to create the VPN connection but the connection will not allow data to be transferred.
  Stats from a manual connection:
  Cisco AnyConnect Secure Mobility Client Version 3.1.04072
  VPN Stats
      Bytes Received:  14375
      Bytes Sent:  0
      Compressed Bytes Received:  0
      Compressed Bytes Sent:  0
      Compressed Packets Received:  0
      Compressed Packets Sent:  0
      Control Bytes Received:  0
      Control Bytes Sent:  0
      Control Packets Received:  0
      Control Packets Sent:  0
      Encrypted Bytes Received:  7820
      Encrypted Bytes Sent:  1207
      Encrypted Packets Received:  9
      Encrypted Packets Sent:  3
      Inbound Bypassed Packets:  0
      Inbound Discarded Packets:  0
      Outbound Bypassed Packets:  0
      Outbound Discarded Packets:  0
      Packets Received:  4
      Packets Sent:  0
      Time Connected:  00:03:01
  Protocol Info
      Inactive Protocol
          Protocol Cipher:  RSA_3DES_168_SHA1
          Protocol Compression:  None
          Protocol State:  Disconnected
          Protocol:  DTLS
      Active Protocol
          Protocol Cipher:  RSA_3DES_168_SHA1
          Protocol Compression:  Deflate
          Protocol State:  Connected
          Protocol:  TLS
  OS Version
      Windows 8 : WinNT 6.2.9200
  Log from the data transmission software:
  24/12/2013 12:51:13 - Application version = 1.11.28.0
  24/12/2013 12:51:13 - Lodgement Library Version =  1.11.28.0
  24/12/2013 12:51:13 - Connection Method =  INTERNET
  24/12/2013 12:51:13 - DIS Connection Type = Automatic
  24/12/2013 12:51:13 - VPN Client =  ACTIVE
  24/12/2013 12:51:13 - Check Available Connections =  NOT ACTIVE
  24/12/2013 12:51:13 - Windows 8 (6.2.9200 SP )
  24/12/2013 12:51:13 - Language: English (Australia)
  24/12/2013 12:51:13 -
  24/12/2013 12:51:13 - Connected to ISP via LAN
  24/12/2013 12:51:13 - Checking for presence of VPN client.
  24/12/2013 12:51:13 - VPN client found. (C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe)
  24/12/2013 12:51:13 - The Cisco AnyConnect Secure Mobility Client application is in use.
  24/12/2013 12:51:18 - Terminating Cisco AnyConnect Secure Mobility Client in progress ...
  24/12/2013 12:51:18 -
  24/12/2013 12:51:18 - Checking Cisco AnyConnect  version.
  24/12/2013 12:51:19 - Cisco AnyConnect Secure Mobility Client (version 3.1.04072) .
  24/12/2013 12:51:19 - Copyright (c) 2004 - 2013 Cisco Systems, Inc.  All Rights Reserved.
  24/12/2013 12:51:19 - Config file directory:C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\
  24/12/2013 12:51:19 -
  24/12/2013 12:51:19 - Loading profile:C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ELS-IMelAde-TCP.xml
  24/12/2013 12:51:19 -
  24/12/2013 12:51:19 - Initializing the VPN connection.
  24/12/2013 12:51:19 - Ready to connect.
  24/12/2013 12:51:19 - Ready to connect.
  24/12/2013 12:51:19 - Contacting ELS-IMelAde-TCP.
  24/12/2013 12:51:23 - Authenticating user.
  24/12/2013 12:51:23 - Connected to VPN concentrator.
  24/12/2013 12:51:23 - Establishing VPN session...
  24/12/2013 12:51:23 - Checking for profile updates...
  24/12/2013 12:51:23 - Checking for product updates...
  24/12/2013 12:51:23 - Checking for customization updates...
  24/12/2013 12:51:23 - Performing any required updates...
  24/12/2013 12:51:23 - Establishing VPN session...
  24/12/2013 12:51:23 - Establishing VPN - Initiating connection...
  24/12/2013 12:51:24 - Establishing VPN - Examining system...
  24/12/2013 12:51:24 - Establishing VPN - Activating VPN adapter...
  24/12/2013 12:51:24 - Establishing VPN - Configuring system...
  24/12/2013 12:51:24 - Establishing VPN...
  24/12/2013 12:51:24 - Connected to VPN concentrator.
  24/12/2013 12:51:24 - Connected to ELS-IMelAde-TCP.
  24/12/2013 12:51:24 - Connected to VPN concentrator.
  24/12/2013 12:51:24 - Connection to VPN client return code = 0.
  24/12/2013 12:51:24 - Connected to VPN concentrator.
  24/12/2013 12:51:24 - Connecting : Connecting to 203.202.43.2.
  24/12/2013 12:51:45 - Error in ConnectToDIS - Socket Error # 10060
  Connection timed out.
  24/12/2013 12:51:46 -
  24/12/2013 12:51:46 - Disconnecting from the VPN concentrator.
  24/12/2013 12:51:46 - Disconnect in progress, please wait...
  24/12/2013 12:51:46 - Detaching AnyConnect, please wait...
  24/12/2013 12:51:47 - Detached.
  24/12/2013 12:51:47 - Disconnected from VPN concentrator.
  24/12/2013 12:51:47 - *****************************************************
  24/12/2013 12:51:47 -               END OF LODGEMENT PROCESS
  24/12/2013 12:51:47 - *****************************************************
  Issue history:
  - Previously running Cisco VPN client on Windows 8 64 bit laptop (VPN working and able to transmit data over VPN)
  - Upgrade to Windows 8.1 stopped the VPN client working
  - Refreshed system back to Windows 8 and reinstalled all software
  - Cisco VPN client would not install on system
  - Cisco AnyConnect Secure Mobility Client installs and is able to connect to VPN host
  - Cisco AnyConnect Secure Mobility Client downloads and installs software from VPN host
  - Data transmission software returns error code #10060
  Any assistance would be greatly appreciated.

  anyone found the fix for this?