Cisco ASA Remote Access VPN

Cisco secure client vpn version 5.142 was not able to Establish a Connection to the Specified Secure Gateway for some users

Hello Saheed

There may be many reasons for this failure to occur. Without more information, it is difficult to troubleshoot. However, here are some guidelines that may be helpful for you in your effort to resolve the problem:

  • Check the Internet connection: I know it sounds fundamental, but it is a first step. Ensure that those users having issues have a stable internet connection. Sometimes, a weak or unstable connection can cause issues with VPN connectivity.
  • Check the VPN credentials: Make sure that the users are entering the correct username and password. Also, verify if their accounts have the necessary permissions to connect to the VPN.
  • Firewall or Antivirus interference: Firewalls or antivirus software could be blocking the VPN connection. Try temporarily disabling them to see if the connection can be established.
  • Update the VPN client: If the VPN client software is outdated, it might not be able to connect. Ensure that all users are using the latest version of the Cisco VPN client.
  • Check the VPN server: If multiple users are experiencing the same issue, there could be a problem with the VPN server itself. Check if the server is running and if it has the capacity to handle all the connections.
  • Try Reinstalling the VPN client: If none of the above solutions work, try uninstalling and reinstalling the VPN client. Sometimes, this can resolve any issues caused by corrupted files or settings.

Remember to have your users restart their computers after each step before they try connecting to the VPN again. If the problem still persists, give us some more info so that we can help you further.

I hope this has been helpful!

Laz

Hello Iagapidis,

I appreciate all this information, but we are using Cisco Secure Client with an Identity Services Engine (ISE) and the firewall is Firepower.

Whenever a user launches the Cisco Secure Client and enters their credentials and the one-time password (OTP), it goes back to the username and password prompt. I had another user put in their credentials and MFA worked on the same machine.
This is affecting a few users in different departments. I have performed all the guidelines below and had no luck.

Thank you

Saheed Adeyanju

Hello Saheed

This type of problem is difficult to diagnose and troubleshoot and requires more in-depth information. The additional information you shared here seems to indicate that the issue is not with the client machine or network but probably has to do with the specific user accounts that are having trouble. Since you mentioned that MFA worked for another user on the same machine, it suggests that the client setup and network are functioning correctly.

Here are a few additional steps to consider:

  • User account settings: Check the settings for the user accounts that are experiencing the issue. Make sure they are configured correctly for MFA in ISE.
  • OTP settings: Verify the OTP settings in the Cisco ISE for these specific users. There might be a misconfiguration that is causing the OTP to not be recognized correctly.
  • ISE logs: Check the logs in the ISE to see if there are any error messages or warnings related to these user accounts or their authentication attempts. This will shed a lot of light on the issue because whatever is happening to get the user back to the previous credential prompt should be recorded here.
  • User synchronization: If you are using any directory services like Active Directory for user account management, ensure that the user accounts are synchronized correctly between AD and ISE.
  • Test with other users: Try to replicate the issue using new “dummy” user credentials. This can help you to understand if the issue is limited to certain users or if it is a wider problem.

Again, these are just some guidelines that may be helpful based on the information given. Please let us know if you have any other questions or if there’s more information you can provide.

I hope this has been helpful!

Laz

Would this example also work on a Cisco ISR, 891F more specifically?

Hello Matthew

Yes, it is possible to create a similar remote access VPN using a Cisco ISR 891F router. However, the process, commands, and specific configuration may differ slightly due to the fact that the ASA has a different operating system and command structure. You would have to look for related documentation of the 891F to see the specific configuration process. I have been unable to find Cisco documentation that details this process; however, doing a search online you will find many third-party contributors that detail how this can be achieved.

Give it a try, and if you have any difficulties as you go along, let us know, and we can help you along the way.

I hope this has been helpful!

Laz

Hello, when we use IKEv2, would it be what we call FlexVPN remote access?
The VPN client, where can I download it or what other alternative can I use?

Hello Lucero

FlexVPN uses IKEv2 whenever it creates VPNs, however, FlexVPN is not IKEv2 itself. FlexVPN is a framework that provides a scalable and flexible VPN solution, and it incorporates the use of IKEv2 as well as many other technologies. You can find out more about FlexVPN here:

Keep in mind that FlexVPN is primarily a feature provided by Cisco IOS and IOS XE platforms, not Cisco ASA platforms as implemented in this lesson.

As for the VPN client, if you’re using a Cisco infrastructure, you can download the Cisco AnyConnect Secure Mobility Client from the Cisco website. However, it’s only available if you have a Cisco service contract, Cisco SMARTnet support, or if your device has a warranty.

If you don’t have access to Cisco AnyConnect, you can use other VPN clients that support IKEv2, such as StrongSwan or Shrew Soft VPN. These are open-source alternatives that you can download for free. Please note that you’ll need to configure these clients to work with your specific network setup.

I hope this has been helpful!

Laz

Cisco AnyConnect users can access the internal subnet with any port while restricting internet access to only ports 80 and 443. All other internet-bound traffic will be routed through the VPN tunnel.

Hello Mohamed

Yes, your statement is correct. You can achieve this by first creating an ACL that matches TCP ports 80 and 443, and causing that traffic to be routed out of the local Internet connection. All the rest of the traffic can be routed over the tunnel. This is indeed called split tunneling. You can find out more information about it at this lesson:

I hope this has been helpful!

Laz

@lagapidis to be honest, I don’t know if we should use two access-lists for this case or only one to achieve the goal!
Please share with me the ACL config and where we can apply it (tunnel-specific or vpn filter …).
In the link that you shared with me, we can reroute all internet traffic directly to the internet, not through the tunnel … but in my case we want the user to connect directly to the internet when using ports 443 and 80, and through the tunnel if he needs to connect to any other port on the internet!!!

Thanks for your help :)

Hello Mohamed

To achieve what you want, you can use the configuration found in the lesson I shared, and modify it somewhat. Using the configs in the lesson as the fundamental configuration, you can do the following:

  1. Create a new ACL used to match TCP ports 80 and 443:
ASA1(config)# access-list SPLIT_TUNNEL extended permit tcp any any eq 80
ASA1(config)# access-list SPLIT_TUNNEL extended permit tcp any any eq 443
  2. Apply this ACL to the group policy like so:
ASA1(config)# group-policy VPN_POLICY internal
ASA1(config)# group-policy VPN_POLICY attributes
ASA1(config-group-policy)# dns-server value 8.8.8.8
ASA1(config-group-policy)# vpn-idle-timeout 15
ASA1(config-group-policy)# split-tunnel-policy excludespecified
ASA1(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL

Notice the keyword excludespecified used in the second to last command. This keyword will cause ALL traffic to be tunneled EXCEPT the traffic that matches the ACL. Take a look at this NetworkLessons note for more information about this and related configurations.

I hope this has been helpful!

Laz

Hello,
Thanks for your reply, I really appreciate it!

As I understand it, we will exclude any connection to ports 80 and 443 on the internet, but I think we also exclude any connection to internal IP addresses on ports 443 and 80.

What I meant is: if we need to connect to an internal server on port 443, how will the ASA send that traffic through the tunnel?

Also, where can we define our internal network?

Hello Mohamed

Well, since this is for an AnyConnect user, that means that the policies applied in the group policy are valid for ALL traffic. The ACLs I included in my post will match ALL traffic that has TCP destination ports of 80 and 443 regardless of whether or not the destination is on the Internet or on the local network.

If you need to be more specific beyond just the TCP ports, then you can include IP addresses in your ACLs. If you want to be able to reach a local server on both ports 80 and 443, then you can create the following SPLIT_TUNNEL ACL:

ASA1(config)# access-list SPLIT_TUNNEL extended deny tcp any host 192.168.10.10 eq 80
ASA1(config)# access-list SPLIT_TUNNEL extended deny tcp any host 192.168.10.10 eq 443
ASA1(config)# access-list SPLIT_TUNNEL extended permit tcp any any eq 80
ASA1(config)# access-list SPLIT_TUNNEL extended permit tcp any any eq 443

The above ACL will match all TCP traffic destined to ports 80 and 443 EXCEPT for those packets with a destination IP address of 192.168.10.10. This may be a local web server on your local network. By issuing the deny statements before the more general permit statements, you make sure to exclude any packets destined for that particular local device. Does that make sense?

I hope this has been helpful!

Laz

Hello,

Thanks for your reply and help!

So I think if I need AnyConnect users to use the internet with only ports 443/80, and any other traffic to be routed through the tunnel (even internet traffic on non-80/443 ports), I will apply the ACL below (excludespecified):

ASA1(config)# access-list SPLIT_TUNNEL extended deny tcp any internal-subnet eq 80
ASA1(config)# access-list SPLIT_TUNNEL extended deny tcp any internal-subnet eq 443
ASA1(config)# access-list SPLIT_TUNNEL extended permit tcp any any eq 80
ASA1(config)# access-list SPLIT_TUNNEL extended permit tcp any any eq 443
ASA1(config)# group-policy VPN_POLICY internal
ASA1(config)# group-policy VPN_POLICY attributes
ASA1(config-group-policy)# dns-server value 8.8.8.8
ASA1(config-group-policy)# vpn-idle-timeout 15
ASA1(config-group-policy)# split-tunnel-policy excludespecified
ASA1(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL

Hello Mohamed

Yes, that looks good!

Laz
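The split-tunnel decision discussed in the last few posts (the excludespecified policy, with deny entries for the internal subnet placed ahead of the general permits) can be traced on paper before the group policy is pushed to users. The Python script below is an added example, not configuration from the thread or from Cisco: it parses ACEs written in the syntax used above, applies first-match semantics as the thread describes them, and maps the result through the three split-tunnel-policy keywords. The internal subnet 10.106.1.0/24 standing in for "internal-subnet", the client address 10.106.2.10 and the test destinations are constructed sample values.

```python
"""Trace where a VPN client's flow goes under an ASA split-tunnel ACL.

Added example (not from the thread or Cisco). Models first-match ACL
evaluation plus the tunnelall / tunnelspecified / excludespecified
keywords. ACE syntax covered is the one used in the thread: permit|deny,
protocol tcp|udp|ip, source/destination as `any`, `host A.B.C.D` or
`NET MASK` (ASA extended ACLs use subnet masks), optional `eq PORT`.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Optional "ASA1(config)# " prompt is tolerated so pasted CLI lines parse.
ACE_RE = re.compile(
    r"^\s*(?:\S+\(config\)#\s*)?access-list\s+(?P<name>\S+)\s+extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>tcp|udp|ip)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]


def _to_network(token: str) -> ipaddress.IPv4Network:
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.IPv4Network(token.split()[1] + "/32")
    net, mask = token.split()
    return ipaddress.IPv4Network(f"{net}/{mask}", strict=False)


def parse_acl(lines: List[str], name: str) -> List[Ace]:
    """Keep the ACEs of one named ACL, in configured order."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line)
        if m and m.group("name") == name:
            aces.append(Ace(m["action"], m["proto"], _to_network(m["src"]),
                            _to_network(m["dst"]),
                            int(m["port"]) if m["port"] else None))
    return aces


def acl_match(aces, proto, src_ip, dst_ip, dst_port) -> Optional[str]:
    """First matching ACE wins; None means no ACE matched."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.port is not None and ace.port != dst_port:
            continue
        return ace.action
    return None


def split_tunnel_path(policy, aces, proto, src_ip, dst_ip, dst_port=None):
    """Return 'tunnel' or 'local' for the flow under the given policy."""
    hit = acl_match(aces, proto, src_ip, dst_ip, dst_port)
    if policy == "tunnelall":
        return "tunnel"
    if policy == "tunnelspecified":       # only permitted networks go in
        return "tunnel" if hit == "permit" else "local"
    if policy == "excludespecified":      # permitted networks stay out
        return "local" if hit == "permit" else "tunnel"
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


# Constructed ACL following the thread's final design; 10.106.1.0/24 is
# an assumed internal subnet, the client address an assumed pool address.
SAMPLE_ACL = """
ASA1(config)# access-list SPLIT_TUNNEL extended deny tcp any 10.106.1.0 255.255.255.0 eq 80
ASA1(config)# access-list SPLIT_TUNNEL extended deny tcp any 10.106.1.0 255.255.255.0 eq 443
ASA1(config)# access-list SPLIT_TUNNEL extended permit tcp any any eq 80
ASA1(config)# access-list SPLIT_TUNNEL extended permit tcp any any eq 443
""".strip().splitlines()
ACES = parse_acl(SAMPLE_ACL, "SPLIT_TUNNEL")
CLIENT = "10.106.2.10"


def trace(dst_ip, dst_port, proto="tcp", policy="excludespecified"):
    return split_tunnel_path(policy, ACES, proto, CLIENT, dst_ip, dst_port)


if __name__ == "__main__":
    for dst, port in [("203.0.113.5", 443), ("203.0.113.5", 22),
                      ("10.106.1.20", 443), ("10.106.1.20", 3389)]:
        print(f"{dst}:{port} -> {trace(dst, port)}")
```

Whatever the script predicts, confirm it on a connected client: the AnyConnect Statistics window's Route Details tab lists the secured and non-secured routes the client actually installed, which is the authoritative view of what is enforced. Compare that list with the ACL before rolling the policy out to users.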

FWLABYZ# show running-config
: Saved
:
ASA Version 9.1(2)
!
hostname FWLABYZ
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool VPN-POOL 10.106.2.1-10.106.2.50 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 172.16.1.254 255.255.255.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.106.1.253 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list SPLIT-TUNNEL-ACL extended permit ip 10.106.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host 172.16.1.254 eq https
access-list outside_access_in extended deny tcp any host 172.16.1.254 eq www
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (INSIDE,OUTSIDE) dynamic interface
access-group outside_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.106.1.0 255.255.255.0 INSIDE
http redirect OUTSIDE 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy VPN-Policy internal
group-policy VPN-Policy attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
 webvpn
  anyconnect keep-installer installed
  anyconnect dpd-interval client 30
  anyconnect ask none default anyconnect
username SSL_USER password LzcZrUN/xvCbbrqE encrypted
username SSL_USER attributes
 service-type remote-access
username vpnuser password AXo.N5oyg9Keafci encrypted privilege 15
tunnel-group VPN-CLIENT type remote-access
tunnel-group VPN-CLIENT general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-Policy
tunnel-group VPN-CLIENT webvpn-attributes
 group-alias SSL_USERS enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 1
  subscribe-to-alert-group configuration periodic monthly 1
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3694d43cc8029478168395084215a1d8
: end

I have this configuration and I still have difficulties accessing via Cisco AnyConnect. Can someone help me?

Hello Youssef

At first glance, from the configuration you’ve provided, it seems like your AnyConnect VPN setup is mostly correct. It would be helpful if you can share with us the behavior you are seeing so that we can pinpoint more closely the areas in which you may potentially be having problems.

Some general guidelines that may help include:

  • Make sure that the user “SSL_USER” has the correct password and has been assigned the correct attributes for remote access.
  • Check if the group policy “VPN-Policy” and tunnel group “VPN-CLIENT” are correctly configured with the right attributes.
  • Make sure that the correct ports are open on the firewall and the client machine. AnyConnect typically uses TCP port 443.
  • Check the logs on the ASA when a VPN connection attempt is made. This can help identify if there are any issues with the VPN negotiation process.
  • Ensure that the DNS servers are reachable. You have configured Google’s public DNS servers (8.8.8.8 and 8.8.4.4) for the VPN clients.

For further help, let us know some more details about what behavior you are seeing on the network so that we can help you zero in on the problem.

I hope this has been helpful!

Laz