I was asking because Cisco Packet Tracer 6.2 has a 5505 under its Security device category.
I will add an ASA 5510 to the physical lab after I pass the CCNA exam. I have to keep reminding myself to not spend a lot of time for now on things that are not going to be on the CCNA exam. It is easy to get distracted by topics not on the exam.
Ah I see…well the 5505 is similar but it uses a VLAN interface for the switchports (similar to an SVI interface on a multilayer switch).
The best results are achieved when you focus on one thing at a time…it’s so easy to get distracted, there are so many things that are worth checking out
I don’t have an example for it but it’s possible to assign users to certain groups and to disable the selection. They won’t be able to select any group aliases then.
I tested AnyConnect VPN Client Software 4.2.01035 with my ASA today and I'm glad it works perfectly with Rene's article.
Rene, your ASA articles, which I have been testing so far, are amazing. Just a quick note: it would be great if you could also add the NAT statements related to the configuration, or add a note that a particular configuration requires NAT changes as well.
E.g. to make split tunnelling work we need a deny statement in NAT, so that would be helpful.
Thanks and amazing work, everything works for me like a charm.
Basically this rule means that the source addresses from INSIDE will be translated to INSIDE and the destination addresses in VPN_POOL will be translated to VPN_POOL. In other words…the source and destination addresses will remain the same and no NAT is performed.
I think you will be fine with the anyconnect client btw, best to just test it.
I’ve recently set up AnyConnect on my corporate network for Windows users and it’s working beautifully, thanks to you. The only issue I have now is trying to get an iPad to connect using AnyConnect, as it uses the AnyConnect app that is not pushed to the iPad when the user authenticates.
Have you seen or do you know a way of making the iPad work? (Android devices work fine using the app, so I’m thinking it’s an Apple certificate blocking thing???)
Ignore that last post Rene, I’ve just found out that the Domain chaps have pushed MobileIron out on the iPad fleet, and they are preventing SSL certificate installs. :o)
The VPN traffic does terminate on the outside interface. Usually we use the sysopt connection permit-vpn command to permit IPsec traffic to bypass any access-list. If you don’t use it, then you’ll need to explicitly permit your IPsec traffic to the inside.
It could be an issue on your ASA but have you also checked your router has a route back to the ASA?
Congrats, very clear tutorial. What about the NAT rule to keep the traffic between internal subnets and remote VPN hosts untranslated? Isn’t it needed?
Glad to hear you like it! You will need a NAT rule to keep traffic between remote VPN users and inside hosts untranslated. You can find the config for it in this reply:
Been trying to get a 9.1x VPN working for a while now, and wiped the config and started new and followed 99% of your config - internal network is 192.168.2.0/24, running 9.1(6) and Anyconnect 4.2.x.
Everything checked out but I am unable to talk to the internal network once connected. On the ASA log I see the following:

5 Jul 26 2016 10:25:05 192.168.10.100 38593 192.168.2.100 53 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.10.100/38593(LOCAL\user) dst inside:192.168.2.100/53 denied due to NAT reverse path failure
This error occurs when an inbound connection is trying to reach the internal address on the external interface. This check for asymmetric NAT rules basically checks (to quote Cisco) “that the reverse connection from the server to the client matches the same NAT rule” used to initiate the connection. If it does not, then this check fails and the packet is blocked.
Check your NAT rules (especially those translating the 192.168.2.0/24 subnet) and confirm their correctness. You may also find this Cisco resource helpful to solve this problem.
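The identity NAT rule described in the earlier reply (source INSIDE stays INSIDE, destination VPN_POOL stays VPN_POOL) and the fix for the "NAT reverse path failure" above, as an added example that is not part of the original article or of any reply. It assumes interfaces named inside and outside, the 192.168.2.0/24 inside network from the post above, and an AnyConnect pool of 192.168.10.0/24 (assumed from the 192.168.10.100 client address in the log); the object names INSIDE and VPN_POOL follow the earlier reply.

```cisco
! --- Assumed addressing (not from the article) ---
object network INSIDE
 subnet 192.168.2.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.10.0 255.255.255.0
ip local pool ANYCONNECT_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0

! The usual interface PAT for Internet access. On its own it is what produces the
! "Asymmetric NAT rules matched" message: a packet from the VPN client to
! 192.168.2.100 matches no rule on the way in (dynamic PAT is one-way), but the
! reply from 192.168.2.100 matches this rule on the way out, so the reverse-path
! check fails and the connection is dropped.
object network INSIDE
 nat (inside,outside) dynamic interface

! Identity ("twice") NAT for LAN <-> VPN pool traffic. Manual NAT rules are
! section 1 and are evaluated before object NAT (section 2), and a static manual
! rule matches in both directions, so both flows hit the same rule: INSIDE stays
! INSIDE and VPN_POOL stays VPN_POOL, i.e. no translation is performed.
! This is also the NAT "deny" that split tunnelling needs.
nat (inside,outside) source static INSIDE INSIDE destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! Let decrypted VPN traffic bypass the outside interface access-list.
sysopt connection permit-vpn

! --- Verification ---
! Per-rule hit counters: for LAN <-> pool traffic the identity rule should
! increment and the PAT rule should not.
show nat detail
! Trace the reverse flow (inside host answering the client's DNS query from the
! log): the NAT phase must report the identity rule, not "dynamic interface".
packet-tracer input inside udp 192.168.2.100 53 192.168.10.100 38593
```

If the object NAT rule were written as a manual rule too, order would matter and the identity rule would still have to come first; with object NAT the section ordering handles that for you.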
Could you please help me with a problem we’re having at work, which is stopping us from moving our network to a VRF lite or MPLS design. When our customers SSL into our network, the following is required:
1- Provide SSL access using overlapping address spaces, i.e. all customers are assigned the address pool 172.10.10.0/28 in their own VRF, then routed via their own VRF route table (this part I have worked out how to do).
2- When customers log in to their SSL account via the webvpn gateway, that username and password then place them into the correct webvpn context, which is linked to their VRF. I have worked out how to link a context to a VRF, but I am unable to link a username and password from the webvpn gateway to a particular context.
3- I have tried AAA but this only seems to work for global usernames and passwords, and we don’t have access to a RADIUS or TACACS+ server.
If you could suggest a way for the username and password entered into the webvpn gateway to link to the webvpn context, you would make me a very happy junior engineer. All this, if possible, configured on an IOS router.