Cisco ASA Anyconnect Remote Access VPN

Hi Rene,

Congrats, very clear tutorial. What about the NAT rule to keep the traffic between internal subnets and remote VPN hosts untranslated? Isn't it needed?

Please advise.

Thank you.

Hi Alessandro,

Glad to hear you like it! You will need a NAT rule to keep traffic between remote VPN users and inside hosts untranslated. You can find the config for it in this reply:

Cisco ASA NAT untranslate

Rene

Hi Rene

Been trying to get a 9.1x VPN working for a while now, and wiped the config and started new and followed 99% of your config - internal network is 192.168.2.0/24, running 9.1(6) and Anyconnect 4.2.x.

Everything checked out, but I am unable to talk to the internal network once connected. In the ASA log I see the following:
5 Jul 26 2016 10:25:05 192.168.10.100 38593 192.168.2.100 53 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.10.100/38593(LOCAL\user) dst inside:192.168.2.100/53 denied due to NAT reverse path failure

Tried adding the NAT:

ciscoasa(config)# object network Inside
ciscoasa(config-network-object)# subnet 192.168.2.0 255.255.255.0
ciscoasa(config-network-object)# object network VPN
ciscoasa(config-network-object)# subnet 192.168.10.0 255.255.255.0
ciscoasa(config)#nat(inside,outside) source static Inside,Inside destination static VPN VPN

and get the error

nat (inside,outside) source static Inside,Inside destination static VPN VPN
                                                              ^
ERROR: % Invalid input detected at '^' marker.

This is driving me nuts, please advise.

Thanks

Neil.

Hello Neil.

This error occurs when an inbound connection is trying to reach the internal address on the external interface. This check for asymmetric NAT rules basically checks (to quote Cisco) “that the reverse connection from the server to the client matches the same NAT rule” used to initiate the connection. If it does not, then this check fails and the packet is blocked.

Check your NAT rules (especially those translating the 192.168.2.0/24 subnet) and confirm their correctness. You may also find this Cisco resource helpful to solve this problem.

I hope this has been helpful!

Laz
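As an added example that is not part of this thread, the identity (twice) NAT rule Neil's command was aiming for, written for the subnets in his post (192.168.2.0/24 inside, 192.168.10.0/24 VPN pool), followed by two commands to verify it. The object names Inside and VPN are taken from his post; the difference from his command is that the two source objects are separated by a space rather than a comma.

```text
! Objects for the inside subnet and the AnyConnect address pool (names from Neil's post)
object network Inside
 subnet 192.168.2.0 255.255.255.0
object network VPN
 subnet 192.168.10.0 255.255.255.0
!
! Identity NAT: real and mapped addresses are the same on both sides, so traffic between
! inside hosts and VPN clients is left untranslated in both directions and the reverse-path
! check matches the same rule. Note "Inside Inside" (space), not "Inside,Inside" (comma).
! no-proxy-arp stops the ASA answering ARP for the inside subnet on the outside interface;
! route-lookup makes the egress interface come from the routing table, not the NAT rule.
nat (inside,outside) source static Inside Inside destination static VPN VPN no-proxy-arp route-lookup
!
! Verify: the rule appears in section 1 (manual NAT) and its translate_hits /
! untranslate_hits counters increase while VPN traffic flows
show nat detail
!
! Simulate the reverse flow (inside DNS server replying to the VPN client, addresses from the
! log line in Neil's post) and confirm the NAT phase selects this rule and the result is ALLOW
packet-tracer input inside udp 192.168.2.100 53 192.168.10.100 38593
```

If the rule is placed after a broader dynamic PAT rule in section 1, move it above with the `nat (inside,outside) 1 source static ...` line-number form so it is evaluated first.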

Hi Rene,

Could you please help me with a problem we’re having at work, which is stopping us from moving our network to a VRF lite or MPLS design. When our customers SSL into our network, the following is required:

1- Provide SSL access using overlapping address spaces, i.e. all customers are assigned the address pool of 172.10.10.0/28 in their own VRF, then route via their own VRF route table (this part I have worked out how to do).
2- When customers log in to their SSL account via the webvpn gateway, that username and password then places them into the correct webvpn context, which is linked to their VRF. I have worked out how to link a context to a VRF, but I am unable to link a username and password from the webvpn gateway to a particular context.

3- I have tried AAA, but this only seems to work for global usernames and passwords, and we don't have access to a RADIUS or TACACS+ server.

If you could suggest a way for the username and password entered into the webvpn gateway to link to the webvpn context, you would make me a very happy junior engineer. All this, if possible, configured on an IOS router.


How would I set up each user to use their own username and password when logging in to Cisco AnyConnect from their home computer to our ASA? I see you created one locally on the ASA.

If you only have a few users, you can add them locally on the ASA:

ASA1(config)# username SSL_USER password MY_PASSWORD

If you have a lot of users and/or multiple ASAs, you could use an external authentication server.

Dear Sir, this configuration is for SSL WebVPN only; what about IKEv2 IPsec configuration in this lesson?

Hello Tariq

Thanks very much for your inquiry. You can find a lesson on IKEv2 and IPsec at the following link:

I hope this has been helpful!

Laz

Dear lagapides,
Thank you very much for your response.
My inquiry was about IKEv2 VPN remote access with AnyConnect; I hope to find a lesson about it.
Regards

Hello Tariq

We’ll have to ask @ReneMolenaar about that one.

Laz

Hi Rene,

I am unable to access the internal network; what could be the problem?

I am working on a real device; the inside interface is configured with 192.168.2.1 255.255.255.0.

I need help.

Hello Aldo

In order to help you, we’ll need a little more information about your setup. Can you give us some more details so that we can see what we can do?

Thanks!

Laz

Hi,
How do I do double authentication using LDAP and a user certificate issued from a Microsoft CA?

Thanks

Hello Sims

If you’re running ASA version 8.4 or later, the following Cisco documentation will be of help:

Try it out and let us know if you have any specific questions about configuration.

I hope this has been helpful!

Laz

Hello Rene. I have a basic question. First, I have applied the AnyConnect config and can log in with no problem. The issue is, once I have connected to the VPN, I cannot connect to devices in the inside network. I think this might be an ACL issue? Or better yet: once I am connected to the ASA via remote VPN, how can I then access the ASA itself? Sorry for such a noob question.

Great tutorial. Things like this make me happy to be a member. I followed this tutorial using ASAv (9.9(1)) and ESXi. I can get to the point of installing the AnyConnect client, but when I try to log on the client says:

Logon denied, unauthorized connection mechanism, contact your administrator.

I’ll post my config. Nothing is sensitive. This is strictly a casual lab at this point:

ASA Version 9.9(1) 
!
hostname asa-site-b
enable password $sha512$5000$mCWc4U5GPK8YCASrOVHhqQ==$Nz/fZLrq5I77IHNcQQMXGw== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool VPN_POOL 192.168.200.100-192.168.200.200 mask 255.255.255.0

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.40.2 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.40.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.2.40 255.255.255.0 
!
ftp mode passive
access-list SPLIT_TUNNEL standard permit 192.168.40.0  255.255.255.0 
pager lines 23
logging enable
logging timestamp
logging standby
logging console errors
logging buffered notifications
logging trap notifications
logging asdm informational
logging facility 22
logging device-id hostname
no logging message 106015
no logging message 742004
no logging message 111010
logging message 713228 level notifications
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
route outside 0.0.0.0 0.0.0.0 172.16.40.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication login-history
http redirect outside 80
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
 auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 513fb9743870b73440418d30930699ff
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 outside
ssh 192.168.0.0 255.255.0.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8
dhcpd domain siteb.test
!
dhcpd address 192.168.40.101-192.168.40.200 inside
dhcpd lease 28800 interface inside
dhcpd option 3 ip 192.168.40.1 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 1
 anyconnect enable
 cache
  disable
 error-recovery disable
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 webvpn       
  anyconnect keep-installer installed
  anyconnect dpd-interval client 30
  anyconnect ask none default anyconnect
dynamic-access-policy-record DfltAccessPolicy
username vpnuser password $sha512$5000$9Jdl1OlDuImWjJol/TEEpg==$WjcQkosTN239h7c3Zsex4Q== pbkdf2
username vpnuser attributes
 service-type remote-access
username cisco password $sha512$5000$EYRiwnetUMUE84JHCb75Ug==$ta0GKwEYxlh2LSEjRaDqmA== pbkdf2 privilege 15
tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
 address-pool VPN_POOL
 default-group-policy ANYCONNECT_POLICY
tunnel-group MY_TUNNEL webvpn-attributes
 group-alias SSL_USERS enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
Cryptochecksum:ca3c4b2fa1f42f77993a7fa8ba8f60b3
: end

Hello Don

Great to see that you’re enjoying the site!

An error such as this can be due to various configuration issues. Specifically, Cisco states that

This error message occurs mostly because of configuration issues that are improper or an incomplete configuration. Check the configuration and make sure it is as required to resolve the issue.

It’s very general because it could be many things! The first thing I’d do if I were you is to check out the config and make sure there are no discrepancies as to the configuration. Make sure you take a look at:

  • certificate mapping
  • the attributes option for the username
  • if VPN tunnel protocol is specified correctly
  • group policy configuration

You can find some more possible misconfigurations that may cause such an error at this Cisco support community thread.

I hope this has been helpful!

Laz

Perhaps demonstrating IKEv2 with a certificate instead of a pre-shared key would be more useful.
