Racking my brain to find an answer…need your help.
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
A. Where is this MAC address (00-05-9A-3C-7A-00) coming from? Who assigns this MAC address? Does the ASA assign it to the Virtual adapter of my laptop? If it does then how come it doesn’t show up in “sh arp” for L2 to L3 mapping? How/ where would I go to see L2 to L3 mapping in ASA for the IPSec connection established via AnyConnect from my laptop?
B. I tested five (5) laptops with AnyConnect, they all got the same MAC address! Shouldn’t it be unique?
00:05:9A:3C:7A:00 is the MAC address for the SSL VPN client. 00:05:9A:3C:78:00 is used for the IPSec VPN client. You can’t change these and yes, it’s the same on all clients.
I think the VPN client itself assigns it. I haven’t checked but I think you always see this MAC address, even when you are not connected. It’s a virtual interface so not a real “Ethernet” interface which is why you don’t see it in the ARP table. I guess the client does something internally but I’m not exactly sure how the client works internally, it’s not open source.
Yes, SSL VPN requires a license to function with the Cisco ASA. This of course depends on if you purchase the license as part of a package or if you buy it as a standalone license for a device you already have. In each case, ordering information can be found at the following link:
Here you can see part numbers for various licenses that depend on the maximum number of VPN users for each.
As for the anyconnect package files, you can download the latest versions at this link.
The latest available version is 4.6. You may need a license or support contract to be able to download. If you want to find one of the previous versions, those aren’t available from Cisco anymore, however, you may be able to find them on some other uncertified download sites.
Hi Rene,
I don’t want users to download the AnyConnect Secure Mobility Client through the clientless WebVPN; the client is already installed on the users’ machines.
Is there a way to not use the clientless WebVPN?
It is possible to disable connectivity via the clientless webvpn. You can do one of two things:
Use the keepout command which will essentially replace the webvpn page with a message of your choice. An example is:
keepout "unauthorized access"
More info about this command can be found here under the keepout command:
The other option is to allow only the ssl-client protocol under the group policy configuration. More information can be found at this thread of the Cisco Support Community:
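As an added example (not part of the original answer), here are both options written out as ASA configuration. The group-policy name ANYCONNECT_POLICY, the tunnel-group name MY_TUNNEL and the interface name outside are assumptions; the keepout string is the one from the answer above.

```cisco
! Option 1: replace the clientless portal page with a fixed message.
! Browser users see only this text; AnyConnect clients still connect.
webvpn
 enable outside
 anyconnect enable
 keepout "unauthorized access"
 exit
!
! Option 2: restrict the group policy to the AnyConnect SSL client only.
! ssl-clientless is deliberately absent, so a browser session is refused
! even if the portal page itself is reachable.
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 vpn-tunnel-protocol ssl-client
 exit
!
! Bind the restricted policy to the tunnel-group the clients use.
tunnel-group MY_TUNNEL general-attributes
 default-group-policy ANYCONNECT_POLICY
 exit
```

The two options are independent; option 2 alone is enough to block clientless sessions, and option 1 alone still leaves the portal configured but unusable. Check the result with show running-config group-policy ANYCONNECT_POLICY and, from a browser, confirm that https://vpn-address/ returns only the keepout message.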
It seems that you have configured the ASA correctly, however, you have not created any user accounts (unless you just haven’t shown them here). Other than that, at first glance, I don’t see anything that is out of place. Take a look at the lesson once again and see if you’ve missed something in the client configuration as well.
Anyconnect can be downloaded from the official download site of Cisco here. Now you can download it only if you have the appropriate contract type with Cisco. If you do not, then you can’t download it from there.
However, it is made available by various other sources, and if you use your favourite search engine to search for the latest release (4.7 at the time of this writing) you will be able to find it available for download.
Your initial post mentioned Anyconnect. I just did a search online and found several sites that allow you to download the software. I am unable to put those links in this post, but I suggest you try it and see the results. For ASDM however, that’s a different story. You’ll have to see if you can find some organization that you may be partnering with to see if they can provide you with access to such software. Unfortunately, as far as I know, there are no “official” routes through which you can obtain it beyond buying an ASA. Even so, if you spend some time searching, you may be able to find something that will suit you.
Interface outside_1 is for the main internet connection: vpn.abc.com
Interface outside_2 is for the backup internet connection: vpn2.abc.com
We are using a different SSL certificate for each of our VPN connections.
I am configuring a backup VPN on one of our ASA 5506-X units for the backup internet line, and I entered our FQDN in the Backup server field (see the attached image).
I can access the backup VPN through the display name, but the problem is that it gives me a certificate error saying it is not secure.
When I try to access it through the FQDN it connects without error, but I cannot access either the internal company app or the SimpleHelp technician. Both are in the DMZ.
I have a 5505 in my lab. I was following the lesson above, and when I came to the section on configuring the tunnel group it looks like the type command is not supported. Do I need to use a 5510 for this configuration? Thanks
I have an ASA 5506-X running version 9.8(2) and I find that I have the “type” keyword available. Actually, the tunnel-group command is considered incomplete if you don’t include the “type” keyword. My output looks like this if I try not to use the “type” keyword.
myASA(config)# tunnel-group laz
ERROR: % Incomplete command
myASA(config)# tunnel-group laz ?
configure mode commands/options:
type Enter the type of this group-policy
I found the issues this morning. In the lesson it shows the type command being run from global config mode when it should have been run as part of webvpn configuration. Just a typo in the lesson which I should have caught yesterday. See lesson test below. Thank you for your response.
I’m not sure I follow. The tunnel-group MY_TUNNEL type remote-access and the tunnel-group MY_TUNNEL general-attributes should indeed be run under the global configuration mode. The commands you show above are correct, and I have attempted to input them in my ASA as well, with success.
Maybe the only thing that should be added here is that after the webvpn configuration, you should exit out to global config mode where the tunnel-group commands must be implemented. Is that what you mean?
I will let @ReneMolenaar know to take a look and see if he can add those exit commands to return to the global configuration mode.
You are correct. Looks like the “type” command is not available if the tunnel group name has already been created. I guess there was some confusion on my part. I did the configuration again this morning and it works as outlined in the lesson. Why is the type command also available under webvpn?
I have one issue where I am not able to ping from the outside host 10.10.10.2 to the inside 192.168.1.1 once the tunnel is created. I have a default route on R1. I can reach both IP addresses from the ASA.
Thanks
Looking on my ASA in more detail, I see what is happening. Looking under the webvpn configuration mode, I cannot find the tunnel-group command nor the type keyword, as shown below:
myASA(config)# webvpn
myASA(config-webvpn)# ?
WebVPN commands:
anyconnect AnyConnect configuration parameters
anyconnect-custom-attr Define custom user policy attributes for AnyConnect
!<--output omitted -->
smart-tunnel Configure a list of programs to use smart tunnel
ssl-server-check Verify remote https server's certificate
tunnel-group-list Configure WebVPN group list dropdown in login page
tunnel-group-preference Tunnel Group Preferences
myASA(config-webvpn)#
By using the context-sensitive help and issuing the “tunnel-group ?” command, it gives you the commands that you can use in this mode starting with “tunnel-group”. It shows you the two commands shown in the list above, but it also shows you the configure mode commands and options that are available from this prompt. Here it shows you that you are able to issue both webvpn mode and configure mode commands. This means that you can indeed issue the tunnel-group command from the webvpn mode, but it will execute it as if you were in the configuration mode. Whether you do it in the webvpn or configuration mode, the results of the command are the same.
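An added example, not taken from the thread, showing the sequence with the prompts so the mode changes are visible: the webvpn block is closed with exit before the tunnel-group commands are entered in global configuration mode. MY_TUNNEL is the name used in the discussion; VPN_POOL, MY_POLICY and the interface name outside are assumptions.

```cisco
myASA(config)# webvpn
myASA(config-webvpn)# enable outside
myASA(config-webvpn)# anyconnect enable
myASA(config-webvpn)# tunnel-group-list enable
myASA(config-webvpn)# exit
myASA(config)# tunnel-group MY_TUNNEL type remote-access
myASA(config)# tunnel-group MY_TUNNEL general-attributes
myASA(config-tunnel-general)# address-pool VPN_POOL
myASA(config-tunnel-general)# default-group-policy MY_POLICY
myASA(config-tunnel-general)# exit
myASA(config)# tunnel-group MY_TUNNEL webvpn-attributes
myASA(config-tunnel-webvpn)# group-alias MY_TUNNEL enable
myASA(config-tunnel-webvpn)# exit
myASA(config)# show running-config tunnel-group MY_TUNNEL
```

The type is fixed when the tunnel-group is first created, which is why re-issuing the type keyword on an existing group does nothing useful; to change it, remove the group with clear configure tunnel-group MY_TUNNEL and create it again. The final show command confirms the type and both attribute sections took effect.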