
SSL ANYconnect access

16 years 6 months ago #25922 by bindumadhav
Hi All

I have configured anyconnect SSL VPN on ASA 5505.
But when I try to connect from the IE browser I am unable to reach my firewall to access my internal network. Can anyone take a look at my configuration and tell me what I have done wrong?


cisco(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname cisco
domain-name default.domain.invalid
enable password XXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.103.150 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 115
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.104.1-192.168.104.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.104.0 255.255.255.0
static (inside,outside) interface 192.168.103.50 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa local authentication attempts max-fail 10
http server enable
http 192.168.104.0 255.255.255.0 inside
http 192.168.103.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.103.0 255.255.255.0 inside
telnet 192.168.104.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
tunnel-group-list enable
group-policy cliengroup internal
group-policy cliengroup attributes
vpn-tunnel-protocol webvpn
split-tunnel-policy tunnelall
webvpn
svc keep-installer installed
svc rekey time 45
svc rekey method ssl
svc ask none default svc
username xxxxxx password xxxxx encrypted
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpnpool
default-group-policy cliengroup
tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable
prompt hostname context
Cryptochecksum:0acb1ec5cae18bf5c8e1c8590f705ce4
: end
cisco(config)#
16 years 6 months ago #25950 by jasta99
Replied by jasta99 on topic Re: SSL ANYconnect access
I don't like this solution but I've found it to work. I'm looking for a solution that doesn't use policies if anyone has one.

Use a policy static NAT instead of a regular one. Something like this (created in ASDM):

static (inside,outside) 192.168.103.0 access-list inside_nat_static
access-list inside_nat_static extended permit ip 192.168.103.0 255.255.255.0 192.168.104.0 255.255.255.0
16 years 6 months ago #25969 by bindumadhav
I tried the line which you sent but I am still not able to access the VPN (https://address) from client browser.

Thanks
16 years 6 months ago #25977 by sp1k3tou
Replied by sp1k3tou on topic Re: SSL ANYconnect access
Your problem is that you need to allow ssh access. Look at your config below. This will allow http access from the inside from the subnet 192.168.103


http 192.168.103.0 255.255.255.0 inside


If you want to grant ssh access you need to put this in your config.

ssh 192.168.103.0 255.255.255.0 inside

Now I would only add an entry for each computer that you're going to use so that not everyone on that subnet can access the ASA. So say your computer address is 192.168.103.3, your ssh allow would look like this below.

ssh 192.168.103.3 255.255.255.255 inside

If you want to allow outside access you would do

ssh 80.80.80.9 255.255.255.255 outside

This would only allow one host since the 255 locks in each octet.
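As an added illustration of the mask point above (this is not code from the thread), the following Python parses the http/ssh/telnet management-access lines of a running-config, works out how many source hosts each mask admits, and flags wide masks, cleartext telnet and management reachable on the outside interface. The sample lines are taken from the config posted earlier plus the suggested per-host ssh entry; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the management-access lines from the running-config
# posted in this thread, plus sp1k3tou's suggested per-host ssh entry.
SAMPLE_CONFIG = """\
http server enable
http 192.168.104.0 255.255.255.0 inside
http 192.168.103.0 255.255.255.0 inside
telnet 192.168.103.0 255.255.255.0 inside
telnet 192.168.104.0 255.255.255.0 inside
ssh 192.168.103.3 255.255.255.255 inside
"""

# <proto> <source ip> <source mask> <interface>
MGMT_LINE = re.compile(
    r"^(?P<proto>http|ssh|telnet)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)\s*$"
)


def parse_mgmt_access(config_text):
    """Return one dict per http/ssh/telnet access line, including how many
    source addresses the mask admits (a 255 octet locks that octet)."""
    entries = []
    for line in config_text.splitlines():
        m = MGMT_LINE.match(line.strip())
        if not m:
            continue  # e.g. "http server enable" carries no source network
        net = ipaddress.IPv4Network((m["ip"], m["mask"]), strict=False)
        entries.append({
            "proto": m["proto"],
            "network": str(net),
            "iface": m["iface"],
            "hosts": net.num_addresses,
        })
    return entries


def audit_mgmt_access(config_text, max_hosts=1):
    """Flag entries wider than max_hosts sources, any telnet entry
    (cleartext management), and any entry bound to the outside interface."""
    findings = []
    for e in parse_mgmt_access(config_text):
        where = f"{e['proto']} {e['network']} {e['iface']}"
        if e["proto"] == "telnet":
            findings.append(f"{where}: telnet is cleartext, prefer ssh")
        if e["hosts"] > max_hosts:
            findings.append(f"{where}: mask admits {e['hosts']} hosts, expected {max_hosts}")
        if e["iface"] == "outside":
            findings.append(f"{where}: management plane reachable from outside")
    return findings
```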
16 years 6 months ago #25979 by sp1k3tou
Replied by sp1k3tou on topic Re: SSL ANYconnect access
You might also need this line of code:

aaa authentication login default local