TOPIC: SSL ANYconnect access

SSL ANYconnect access 10 years 9 months ago #25922

Hi All

I have configured anyconnect SSL VPN on ASA 5505.
But when I try to connect from the IE browser, I am unable to connect to my firewall to access my internal network. Can anyone take a look at my configuration and what I have done wrong?

cisco(config)# sh run
: Saved
ASA Version 8.0(2)
hostname cisco
domain-name default.domain.invalid
enable password XXXXX encrypted
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd xxxxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 115
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
nat (outside) 1
static (inside,outside) interface netmask
access-group outside_access_in in interface outside
route outside X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa local authentication attempts max-fail 10
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
enable outside
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
tunnel-group-list enable
group-policy cliengroup internal
group-policy cliengroup attributes
vpn-tunnel-protocol webvpn
split-tunnel-policy tunnelall
svc keep-installer installed
svc rekey time 45
svc rekey method ssl
svc ask none default svc
username xxxxxx password xxxxx encrypted
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpnpool
default-group-policy cliengroup
tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable
prompt hostname context
: end

Re: SSL ANYconnect access 10 years 9 months ago #25950

I don't like this solution but I've found it to work. I'm looking for a solution that doesn't use policies if anyone has one.

Use a policy static NAT instead of a regular one. Something like this (created in ASDM):

static (inside,outside) access-list inside_nat_static
access-list inside_nat_static extended permit ip

Re: SSL ANYconnect access 10 years 9 months ago #25969

I tried the line which you sent but I am still not able to access the VPN (https://address) from client browser.


Re: SSL ANYconnect access 10 years 9 months ago #25977

Your problem is that you need to allow ssh access. Look at your config below. This will allow http access from the inside from the subnet 192.168.103.

http inside

If you want to grant ssh access you need to put this in your config.

ssh inside

Now I would only add an entry for each computer that you're going to use so that everyone on that subnet cannot access the ASA. So say your computer address is your ssl allow would look like this below.

ssh inside

If you want to allow outside access you would do

ssh outside

This would only allow one host since the 255 locks in each octet.
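
An added example, not part of the original posts: a small Python audit of the `http`/`ssh`/`telnet <address> <netmask> <interface>` management-access lines discussed above, flagging entries that admit more than one host, use telnet, or sit on an untrusted interface. The sample configuration, its addresses and the function name are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, not the poster's configuration.
SAMPLE_CONFIG = """\
http server enable
http 192.168.103.0 255.255.255.0 inside
telnet 192.168.103.0 255.255.255.0 inside
ssh 192.168.103.25 255.255.255.255 inside
ssh 203.0.113.0 255.255.255.0 outside
ssh timeout 5
"""

# Matches "<service> <address> <netmask> <interface>" management-access lines.
MGMT_LINE = re.compile(
    r"^\s*(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)

def audit_management_access(config_text, untrusted=("outside",)):
    """Return (service, network, interface, findings) for each access line."""
    results = []
    for line in config_text.splitlines():
        m = MGMT_LINE.match(line)
        if not m:
            continue  # e.g. "ssh timeout 5" or "http server enable"
        service, addr, mask, ifname = m.groups()
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            results.append((service, f"{addr} {mask}", ifname,
                            ["invalid address or mask"]))
            continue
        findings = []
        if service == "telnet":
            findings.append("cleartext protocol")
        if net.prefixlen < 32:  # anything but 255.255.255.255
            findings.append(f"allows {net.num_addresses} addresses, not a single host")
        if ifname in untrusted:
            findings.append("reachable from untrusted interface")
        results.append((service, str(net), ifname, findings))
    return results

if __name__ == "__main__":
    for service, net, ifname, findings in audit_management_access(SAMPLE_CONFIG):
        print(f"{service:6} {net:20} {ifname:8} {'; '.join(findings) or 'ok'}")
```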

Re: SSL ANYconnect access 10 years 9 months ago #25979

You might also need this line of code:

aaa authentication login default local