Anyconnect Was Not Able To Establish A Connection Secure Gateway




Registered: 28 May 2015, 06:00
Posts: 15
Good afternoon. I have started learning Cisco; I was not familiar with it before.
I needed to set up a VPN to manage my work computer from home.
At home I installed the Cisco client, version 5.0.07.0440
The connection is established, but there are no pings and Remote Desktop does not work..
The Cisco config:
: Saved
:
ASA Version 8.2(1)
!
hostname centr-asa
domain-name centr.local
enable password EK4b8dCg1g0YYFeX encrypted
passwd jWW5/24YPPu6vmqW encrypted
names
name 188.123.42.213 home1
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 62.231.162.137 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone KRAT 7
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.4.4
name-server 8.8.8.8
name-server 62.231.161.9
name-server 62.231.161.10
name-server 62.231.190.2
domain-name centr.local
object-group network og_my_lan
network-object 10.1.1.0 255.255.255.0
object-group network og_ksz_lan
network-object 10.1.10.0 255.255.255.0
object-group network og_kuz_lan
network-object 10.1.2.0 255.255.255.0
object-group network og_zav_lan
network-object 10.1.3.0 255.255.255.0
object-group network og_ord_lan
network-object 10.1.4.0 255.255.255.0
object-group network og_kuj_lan
network-object 10.1.5.0 255.255.255.0
object-group network og_lnk_lan
network-object 10.1.6.0 255.255.255.0
object-group network og_tst_lan
network-object 10.1.17.0 255.255.255.0
object-group network og_uszn_lan
group-object og_kuz_lan
group-object og_zav_lan
group-object og_ord_lan
group-object og_kuj_lan
group-object og_lnk_lan
group-object og_tst_lan
object-group network og_dsz1
network-object 192.168.0.0 255.255.255.0
object-group network og_dsz2
network-object 172.21.0.0 255.255.0.0
object-group network og_dsz_lan
group-object og_dsz1
group-object og_dsz2
access-list ACL_NONAT extended permit ip object-group og_my_lan object-group og_ksz_lan
access-list ACL_NONAT extended permit ip object-group og_my_lan object-group og_dsz_lan
access-list ACL_NONAT extended permit ip object-group og_my_lan object-group og_uszn_lan
access-list ACL_NONAT extended permit ip object-group og_my_lan host 10.1.50.0
access-list ACL_NONAT extended permit ip host 10.1.50.0 object-group og_my_lan
access-list ACL_VPN_KSZ extended permit ip object-group og_my_lan object-group og_ksz_lan
access-list ACL_VPN_DSZ extended permit ip object-group og_my_lan object-group og_dsz1
access-list ACL_VPN_SMEV extended permit ip object-group og_my_lan object-group og_dsz2
access-list ACL_VPN_KUZ extended permit ip object-group og_my_lan object-group og_kuz_lan
access-list ACL_VPN_ZAV extended permit ip object-group og_my_lan object-group og_zav_lan
access-list ACL_VPN_ORD extended permit ip object-group og_my_lan object-group og_ord_lan
access-list ACL_VPN_KUJ extended permit ip object-group og_my_lan object-group og_kuj_lan
access-list ACL_VPN_LNK extended permit ip object-group og_my_lan object-group og_lnk_lan
access-list ACL_VPN_TST extended permit ip object-group og_my_lan object-group og_tst_lan
access-list ACL_NAT_WAN extended permit ip object-group og_my_lan any
access-list ACL_NAT_WAN extended permit ip host 10.1.50.0 any
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool job 10.1.1.130-10.1.1.140 mask 255.255.255.0
ip local pool pool3 10.1.50.0-10.1.50.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list ACL_NONAT
nat (inside) 10 access-list ACL_NAT_WAN
route outside 0.0.0.0 0.0.0.0 62.231.162.142 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.1.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnset esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map MAP_VPN 5 match address ACL_VPN_KSZ
crypto map MAP_VPN 5 set peer 62.231.164.105
crypto map MAP_VPN 5 set transform-set vpnset
crypto map MAP_VPN 5 set reverse-route
crypto map MAP_VPN 6 match address ACL_VPN_DSZ
crypto map MAP_VPN 6 set peer 62.231.164.105
crypto map MAP_VPN 6 set transform-set vpnset
crypto map MAP_VPN 6 set reverse-route
crypto map MAP_VPN 7 match address ACL_VPN_SMEV
crypto map MAP_VPN 7 set peer 62.231.164.105
crypto map MAP_VPN 7 set transform-set vpnset
crypto map MAP_VPN 7 set reverse-route
crypto map MAP_VPN 20 match address ACL_VPN_KUZ
crypto map MAP_VPN 20 set peer 62.231.167.77
crypto map MAP_VPN 20 set transform-set vpnset
crypto map MAP_VPN 20 set reverse-route
crypto map MAP_VPN 30 match address ACL_VPN_ZAV
crypto map MAP_VPN 30 set peer 62.231.163.53
crypto map MAP_VPN 30 set transform-set vpnset
crypto map MAP_VPN 30 set reverse-route
crypto map MAP_VPN 40 match address ACL_VPN_ORD
crypto map MAP_VPN 40 set peer 62.231.170.9
crypto map MAP_VPN 40 set transform-set vpnset
crypto map MAP_VPN 40 set reverse-route
crypto map MAP_VPN 50 match address ACL_VPN_KUJ
crypto map MAP_VPN 50 set peer 62.231.163.45
crypto map MAP_VPN 50 set transform-set vpnset
crypto map MAP_VPN 50 set reverse-route
crypto map MAP_VPN 60 match address ACL_VPN_LNK
crypto map MAP_VPN 60 set peer 62.231.163.69
crypto map MAP_VPN 60 set transform-set vpnset
crypto map MAP_VPN 60 set reverse-route
crypto map MAP_VPN 70 match address ACL_VPN_TST
crypto map MAP_VPN 70 set peer 62.231.164.108
crypto map MAP_VPN 70 set transform-set vpnset
crypto map MAP_VPN 70 set reverse-route
crypto map MAP_VPN 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MAP_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp disconnect-notify
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 62.231.164.106 255.255.255.255 outside
ssh 109.171.77.131 255.255.255.255 outside
ssh timeout 25
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd domain centr.local
!
dhcpd address 10.1.1.100-10.1.1.200 inside
!
vpnclient server 10.1.1.254
vpnclient mode client-mode
vpnclient vpngroup testVPN password ********
vpnclient username bushuev password ********
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
webvpn
enable inside
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.3046-k9.pkg 1
svc enable
group-policy testVPN internal
group-policy testVPN attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
re-xauth enable
webvpn
svc ask none default svc
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc webvpn
username bushuev password eE3DjP3D6KIUFTEr encrypted
username tsvc01 password ly8vOCKDNkWoFDdq encrypted
tunnel-group 62.231.164.105 type ipsec-l2l
tunnel-group 62.231.164.105 ipsec-attributes
pre-shared-key *
tunnel-group 62.231.167.77 type ipsec-l2l
tunnel-group 62.231.167.77 ipsec-attributes
pre-shared-key *
tunnel-group 62.231.163.53 type ipsec-l2l
tunnel-group 62.231.163.53 ipsec-attributes
pre-shared-key *
tunnel-group 62.231.170.9 type ipsec-l2l
tunnel-group 62.231.170.9 ipsec-attributes
pre-shared-key *
tunnel-group 62.231.163.45 type ipsec-l2l
tunnel-group 62.231.163.45 ipsec-attributes
pre-shared-key *
tunnel-group 62.231.163.69 type ipsec-l2l
tunnel-group 62.231.163.69 ipsec-attributes
pre-shared-key *
tunnel-group 62.231.164.108 type ipsec-l2l
tunnel-group 62.231.164.108 ipsec-attributes
pre-shared-key *
tunnel-group testVPN type remote-access
tunnel-group testVPN general-attributes
address-pool (inside) job
address-pool pool3
tunnel-group testVPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6c82ac677e7eec49652240624a8d0023
: end


28 May 2015, 06:09
I also tried via AnyConnect
I installed it on the Cisco and on the computer
When connecting it says: anyconnect was not able to establish a connection to the specified secure gateway


28 May 2015, 06:17

Registered: 01 Jan 1970, 03:00
Posts: 875
How many times has it been said: do not use the Cisco VPN client on new Windows versions.
Since you have only just started getting to grips with Cisco, upgrade your ASA to a newer version right away.


28 May 2015, 08:35
How many times has it been said: do not use the Cisco VPN client on new Windows versions.
Since you have only just started getting to grips with Cisco, upgrade your ASA to a newer version right away.

Upgrading is not an option; everything there is certified. What should I use then? Everyone writes something different,


28 May 2015, 10:59

Registered: 01 Jan 1970, 03:00
Posts: 875
What should I use then?

Use AnyConnect, just take a slightly newer version. Or a perfectly decent replacement: Shrew VPN client
Have you read this? - http://www.cisco.com/c/en/us/td/docs/se .. d/svc.html


28 May 2015, 11:21
What should I use then?

Use AnyConnect, just take a slightly newer version. Or a perfectly decent replacement: Shrew VPN client
Have you read this? - http://www.cisco.com/c/en/us/td/docs/se .. d/svc.html

On the Cisco I installed: anyconnect-win-2.5.3046-k9.pkg
then I downloaded the file anyconnect-win-2.5.3046-web-deploy-k9.exe through it and installed it on the PC
I get the error: anyconnect was not able to establish a connection to the specified secure gateway


28 May 2015, 12:13

Registered: 01 Jan 1970, 03:00
Posts: 2111
The funny thing is that the old client with 'free' sessions has long been unsupported.
Connections for AnyConnect (SSL or IKEv2) are licensed. Only 2 concurrent ones are free.
If you do not plan to buy licenses, set up L2TP over IPsec, whose client is built into Windows. By the way, the IKEv2 client is also built into Windows. But licenses are needed.


28 May 2015, 12:16

Registered: 01 Jan 1970, 03:00
Posts: 875
I get the error: anyconnect was not able to establish a connection to the specified secure gateway

So configure a proper profile for the connection
For your version it would be roughly like this (I may have missed something; I have not used this ASA version for a long time) -
assuming the 10.1.50.0/24 network is used for remote clients
username testssl password p@$$w0rd
username testssl attributes
service-type remote-access
webvpn
enable outside
tunnel-group-list enable
svc enable
object-group network SSLVPN-LAN
network-object 10.1.50.0 255.255.255.0
access-list ACL_NONAT extended permit ip object-group og_my_lan object-group SSLVPN-LAN
group-policy _testpol_SSLVPN internal
group-policy _testpol_SSLVPN attributes
vpn-tunnel-protocol svc
address-pools value pool3
tunnel-group _testprof_SSLVPN type remote-access
tunnel-group _testprof_SSLVPN general-attributes
default-group-policy _testpol_SSLVPN
tunnel-group _testprof_SSLVPN webvpn-attributes
group-alias SSLVPN enable

and, naturally, do not forget what P@ve1 said: only two connections are available for free.


28 May 2015, 12:16
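
An added example (not part of the thread and not any poster's code): a Python check that every `ip local pool` range is listed as a destination in the ACL bound by `nat (inside) 0`, the exemption that keeps LAN traffic towards VPN clients out of the `global (outside) 10` PAT rule. The sample configs are constructed from lines in the two configurations posted in this thread; the function names are hypothetical.

```python
import ipaddress

# Constructed samples, reduced from the two configurations posted in the thread.
BEFORE = """\
object-group network og_my_lan
network-object 10.1.1.0 255.255.255.0
access-list ACL_NONAT extended permit ip object-group og_my_lan host 10.1.50.0
access-list ACL_NONAT extended permit ip host 10.1.50.0 object-group og_my_lan
ip local pool pool3 10.1.50.0-10.1.50.20 mask 255.255.255.0
nat (inside) 0 access-list ACL_NONAT
"""
AFTER = """\
object-group network og_my_lan
network-object 10.1.1.0 255.255.255.0
access-list ACL_NONAT extended permit ip object-group og_my_lan 10.1.50.0 255.255.255.0
ip local pool poolvpnc 10.1.50.20-10.1.50.40 mask 255.255.255.0
nat (inside) 0 access-list ACL_NONAT
"""


def _net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _operand(tok, i):
    """Parse one ACL address operand at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return ("net", _net("0.0.0.0", "0.0.0.0")), i + 1
    if tok[i] == "host":
        return ("net", _net(tok[i + 1])), i + 2
    if tok[i] == "object-group":
        return ("ref", tok[i + 1]), i + 2
    return ("net", _net(tok[i], tok[i + 1])), i + 2


def parse_asa(config):
    """Collect object-groups, ACL entries, local pools and nat 0 bindings."""
    groups, acls, pools, exempt = {}, {}, {}, {}
    current = None  # object-group currently being filled
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"] and len(tok) >= 3:
            current = groups.setdefault(tok[2], [])
            continue
        if current is not None and tok[0] == "description":
            continue
        if current is not None and tok[0] == "network-object":
            host = tok[1] == "host"
            current.append(("net", _net(tok[2]) if host else _net(tok[1], tok[2])))
            continue
        if current is not None and tok[0] == "group-object":
            current.append(("ref", tok[1]))
            continue
        current = None
        if tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _operand(tok, 5)
            dst, _ = _operand(tok, i)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[:3] == ["ip", "local", "pool"]:
            parts = tok[4].split("-")
            pools[tok[3]] = (ipaddress.ip_address(parts[0]),
                             ipaddress.ip_address(parts[-1]))
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            exempt.setdefault(tok[1].strip("()"), []).append(tok[4])
    return groups, acls, pools, exempt


def resolve(spec, groups, seen=()):
    """Expand a ("net", network) or ("ref", group name) spec into networks."""
    kind, val = spec
    if kind == "net":
        return [val]
    if val in seen:  # guard against a group that references itself
        return []
    nets = []
    for member in groups.get(val, []):
        nets += resolve(member, groups, seen + (val,))
    return nets


def uncovered_pools(config, interface="inside"):
    """Names of VPN pools not fully covered as a destination of the
    NAT-exemption ACL bound to `interface`. Only the destination side of
    each entry is read; the source side is not validated."""
    groups, acls, pools, exempt = parse_asa(config)
    dests = []
    for acl in exempt.get(interface, []):
        for _src, dst in acls.get(acl, []):
            dests += resolve(dst, groups)
    # Collapsing merges adjacent networks, so subnet_of() below is exact.
    dests = list(ipaddress.collapse_addresses(dests))
    missing = []
    for name, (first, last) in pools.items():
        blocks = ipaddress.summarize_address_range(first, last)
        if not all(any(b.subnet_of(d) for d in dests) for b in blocks):
            missing.append(name)
    return missing


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "- pools missing from NAT exemption:", uncovered_pools(cfg))
```

In the first sample `host 10.1.50.0` matches a single address, so the rest of `pool3` falls outside the exemption; an entry written with the pool as source and the LAN as destination does not count either.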

Registered: 01 Jan 1970, 03:00
Posts: 488
And why can't you upgrade to version 9? It does not affect the license in any way


29 May 2015, 14:47
And why can't you upgrade to version 9? It does not affect the license in any way

That voids the FSTEC certification.
I installed AnyConnect version 3.1
The problem is the same..
The home PC gets IP 10.1.50.2 (gateway 10.1.50.1)
The PC at work has IP 10.1.1.x


01 Jun 2015, 06:31

Registered: 01 Jan 1970, 03:00
Posts: 875
The problem is the same..
Which one exactly?
Show the current config for AnyConnect


21 Sep 2015, 11:04
The problem is the same..
Which one exactly?
Show the current config for AnyConnect

ASA Version 8.2(1)
!
hostname centr-asa
domain-name centr.local
enable password EK4b8dCg1g0YYFeX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.x 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 62.231.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone KRAT 7
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.4.4
name-server 8.8.8.8
name-server 62.231.x.x
name-server 62.231.x.x
name-server 62.231.x.x
domain-name centr.local
object-group network og_my_lan
network-object 10.1.x.x 255.255.255.0
object-group network og_ksz_lan
network-object 10.1.x.x 255.255.255.0
object-group network og_kuz_lan
network-object 10.1.x.x 255.255.255.0
object-group network og_zav_lan
network-object 10.1.x.x 255.255.255.0
object-group network og_ord_lan
network-object 10.1.x.x 255.255.255.0
object-group network og_kuj_lan
network-object 10.1.x.x 255.255.255.0
object-group network og_lnk_lan
network-object 10.1.x.x 255.255.255.0
object-group network og_uszn_lan
group-object og_kuz_lan
group-object og_zav_lan
group-object og_ord_lan
group-object og_kuj_lan
group-object og_lnk_lan
object-group network og_dsz1
network-object 192.168.x.0 255.255.255.0
object-group network og_dsz2
network-object 172.21.x.0 255.255.255.0
object-group network og_dsz_lan
group-object og_dsz1
group-object og_dsz2
object-group network og_adm_lan
network-object 192.168.x.0 255.255.255.0
access-list ACL_NONAT extended permit ip object-group og_my_lan object-group og_ksz_lan
access-list ACL_NONAT extended permit ip object-group og_my_lan object-group og_dsz_lan
access-list ACL_NONAT extended permit ip object-group og_my_lan object-group og_uszn_lan
access-list ACL_NONAT extended permit ip object-group og_my_lan object-group og_adm_lan
access-list ACL_NONAT extended permit ip object-group og_my_lan 10.1.50.0 255.255.255.0
access-list ACL_VPN_KSZ extended permit ip object-group og_my_lan object-group og_ksz_lan
access-list ACL_VPN_DSZ extended permit ip object-group og_my_lan object-group og_dsz1
access-list ACL_VPN_SMEV extended permit ip object-group og_my_lan object-group og_dsz2
access-list ACL_VPN_KUZ extended permit ip object-group og_my_lan object-group og_kuz_lan
access-list ACL_VPN_ZAV extended permit ip object-group og_my_lan object-group og_zav_lan
access-list ACL_VPN_ORD extended permit ip object-group og_my_lan object-group og_ord_lan
access-list ACL_VPN_KUJ extended permit ip object-group og_my_lan object-group og_kuj_lan
access-list ACL_VPN_LNK extended permit ip object-group og_my_lan object-group og_lnk_lan
access-list ACL_NAT_WAN extended permit ip object-group og_my_lan any
access-list ACL_VPN_ADM extended permit ip object-group og_my_lan object-group og_adm_lan
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool poolvpnc 10.1.50.20-10.1.50.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list ACL_NONAT
nat (inside) 10 access-list ACL_NAT_WAN
route outside 0.0.0.0 0.0.0.0 62.231.x.x 1
route inside 62.231.x.x 255.255.255.255 10.1.1.1 1
route inside 62.231.x.x 255.255.255.255 10.1.1.1 1
route inside 192.168.x.x 255.255.255.255 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnset esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MAP_VPN 5 match address ACL_VPN_KSZ
crypto map MAP_VPN 5 set peer 62.231.x.x
crypto map MAP_VPN 5 set transform-set vpnset
crypto map MAP_VPN 5 set reverse-route
crypto map MAP_VPN 6 match address ACL_VPN_DSZ
crypto map MAP_VPN 6 set peer 62.231.x.x
crypto map MAP_VPN 6 set transform-set vpnset
crypto map MAP_VPN 6 set reverse-route
crypto map MAP_VPN 7 match address ACL_VPN_SMEV
crypto map MAP_VPN 7 set peer 62.231.x.x
crypto map MAP_VPN 7 set transform-set vpnset
crypto map MAP_VPN 7 set reverse-route
crypto map MAP_VPN 20 match address ACL_VPN_KUZ
crypto map MAP_VPN 20 set peer 62.231.x.x
crypto map MAP_VPN 20 set transform-set vpnset
crypto map MAP_VPN 20 set reverse-route
crypto map MAP_VPN 30 match address ACL_VPN_ZAV
crypto map MAP_VPN 30 set peer 62.231.x.x
crypto map MAP_VPN 30 set transform-set vpnset
crypto map MAP_VPN 30 set reverse-route
crypto map MAP_VPN 40 match address ACL_VPN_ORD
crypto map MAP_VPN 40 set peer 62.231.x.x
crypto map MAP_VPN 40 set transform-set vpnset
crypto map MAP_VPN 40 set reverse-route
crypto map MAP_VPN 60 match address ACL_VPN_LNK
crypto map MAP_VPN 60 set peer 62.231.x.x
crypto map MAP_VPN 60 set transform-set vpnset
crypto map MAP_VPN 60 set reverse-route
crypto map MAP_VPN 99 match address ACL_VPN_ADM
crypto map MAP_VPN 99 set peer 62.231.x.x
crypto map MAP_VPN 99 set transform-set vpnset
crypto map MAP_VPN 99 set reverse-route
crypto map MAP_VPN interface outside
crypto map map_VPN 50 match address ACL_VPN_KUJ
crypto map map_VPN 50 set peer 62.231.x.x
crypto map map_VPN 50 set transform-set vpnset
crypto map map_VPN 50 set reverse-route
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=centr-asa
keypair VPNc
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 7501ff55
308201eb 30820154 a0030201 02020475 01ff5530 0d06092a 864886f7 0d010104
0500303a 31123010 06035504 03130963 656e7472 2d617361 31243022 06092a86
4886f70d 01090216 1563656e 74722d61 73612e63 656e7472 2e6c6f63 616c301e
170d3135 30393230 31383536 35335a17 0d323530 39313731 38353635 335a303a
31123010 06035504 03130963 656e7472 2d617361 31243022 06092a86 4886f70d
01090216 1563656e 74722d61 73612e63 656e7472 2e6c6f63 616c3081 9f300d06
092a8648 86f70d01 01010500 03818d00 30818902 818100a9 1da7be40 0b5b2249
1e467eaf 72608dac b8f28272 2dd9846b eeef8e92 59f83907 79825aa6 81527e18
4258a503 a97a430e f7cd2a69 acc1cf60 97048121 d63ad956 617617fb 5d660b6b
9e3949c6 f39a52ca a49b6812 443b03fd c112d4e6 1a69ddef 72bb2afc c7c2dc87
3967c4a0 3a7ad16b e689b7ad 891c3fb6 cd7664d5 a91ae302 03010001 300d0609
2a864886 f70d0101 04050003 81810065 c435ef17 ea85f27b 6e5c8e0b 6c13c1ea
65c15f04 74cdf645 6f93c0af a1022cff 991e65ef ae6bc43b 44588790 284cc515
66ef6dcc 36e5201d 6d2dd3d0 7f4c7a37 61c54a85 f39be55d 621b8dff 02096690
c21fd359 4c18f10e 29b7309b 853bb39b 18c3804b 2d6b2455 0697507a 9db7f266
1b60c846 0e9211f9 e4f09ca7 c8ccff
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp disconnect-notify
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 62.231.x.x 255.255.255.255 outside
ssh 62.231.x.x 255.255.255.255 outside
ssh 109.171.x.x 255.255.255.255 outside
ssh timeout 15
console timeout 0
dhcpd dns 10.1.x.4 10.1.x.1
dhcpd domain k.ru
!
dhcpd address 10.1.1.100-10.1.1.200 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
no anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.3046-k9.pkg 1
svc profiles bush disk0:/bush.xml
svc enable
tunnel-group-list enable
group-policy AnyConnect internal
group-policy AnyConnect attributes
wins-server none
dns-server value 8.8.4.4 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_NONAT
default-domain value centr.local
webvpn
url-list none
svc profiles value bush
svc ask enable default webvpn
username bav01 password t0A.B.zmGWdo4AqR encrypted privilege 0
username uszn password ADwmLk9oezPce9Y5 encrypted
username bush password eE3DjP3D6KIUFTEr encrypted privilege 15
username bush attributes
vpn-group-policy AnyConnect
vpn-tunnel-protocol IPSec svc webvpn
webvpn
svc keep-installer installed
svc compression deflate
svc dtls enable
username tsvc01 password ly8vOCKDNkWoFDdq encrypted
tunnel-group 62.231.x.x type ipsec-l2l
tunnel-group 62.231.x.x ipsec-attributes
pre-shared-key *
tunnel-group 62.231.x.x type ipsec-l2l
tunnel-group 62.231.x.x ipsec-attributes
pre-shared-key *
tunnel-group 62.231.x.x type ipsec-l2l
tunnel-group 62.231.x.x ipsec-attributes
pre-shared-key *
tunnel-group 62.231.x.x type ipsec-l2l
tunnel-group 62.231.x.x ipsec-attributes
pre-shared-key *
tunnel-group 62.231.x.x type ipsec-l2l
tunnel-group 62.231.x.x ipsec-attributes
pre-shared-key *
tunnel-group 62.231.x.x type ipsec-l2l
tunnel-group 62.231.x.x ipsec-attributes
pre-shared-key *
tunnel-group 62.231.x.x type ipsec-l2l
tunnel-group 62.231.x.x ipsec-attributes
pre-shared-key *
tunnel-group VPNc type remote-access
tunnel-group VPNc general-attributes
address-pool poolvpnc
authorization-server-group LOCAL
default-group-policy AnyConnect
tunnel-group VPNc webvpn-attributes
group-alias bush enable
group-url https://62.231.x.x/bush enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e374d9eb081963e7e1b55b68efe11430
: end

Last edited by sasha047 on 21 Sep 2015, 11:18; edited 1 time in total.



21 Sep 2015, 11:11
The problem remains for now. I connect through AnyConnect client 3.1
The connection is established. There is Internet access (home Internet)
No pings, I cannot see the LAN
In packet tracer for the path 10.1.50.1 to 10.1.1.1
the error is: acl drop flow is denied by configured rule implicit rule


21 Sep 2015, 11:16

Registered: 10 Oct 2012, 09:51
Posts: 2678
You should show how you run packet-tracer. I would like to see what is configured on the client after it connects, that is, whether its route, address and so on are set correctly.
And show what the ASA displays when the client connects.


21 Sep 2015, 12:16
6 Sep 21 2015 16:26:16 10.1.50.20 30 10.1.1.1 0 Built inbound ICMP connection for faddr 10.1.50.20/30 gaddr 10.1.1.1/0 laddr 10.1.1.1/0 (bush)


21 Sep 2015, 12:43
Packet-Tracer https://cloud.mail.ru/public/72xh/DmmvToUCR
Whoever can help, message me on QIP if you have it: 592-545-828


21 Sep 2015, 13:29

Registered: 10 Oct 2012, 09:51
Posts: 2678
Your 10.1.50.0 network sits behind outside, but you are doing input inside. If you do input inside, then swap the source and destination addresses.


21 Sep 2015, 13:37
Your 10.1.50.0 network sits behind outside, but you are doing input inside. If you do input inside, then swap the source and destination addresses.

I swapped the addresses, and the packet passed on inside
I did it as the first time on outside; the error stayed the same, but it complains about outside any any deny


21 Sep 2015, 13:44
Your 10.1.50.0 network sits behind outside, but you are doing input inside. If you do input inside, then swap the source and destination addresses.

https://cloud.mail.ru/public/6aoB/4L7B61fRw
https://cloud.mail.ru/public/CU1s/sC8gG69E8


21 Sep 2015, 14:36

Registered: 01 Jan 1970, 03:00
Posts: 111
The problem remains for now. I connect through AnyConnect client 3.1
The connection is established. There is Internet access (home Internet)
No pings, I cannot see the LAN
In packet tracer for the path 10.1.50.1 to 10.1.1.1
the error is: acl drop flow is denied by configured rule implicit rule

Maybe it is time to look at the firewall on the end machine, since you have connected


22 Sep 2015, 09:31

Registered: 10 Oct 2012, 09:51
Posts: 2678
The problem turned out to be that the computer on the local network is unaware of the VPN network and of how to reach it.


22 Sep 2015, 09:52
The problem turned out to be that the computer on the local network is unaware of the VPN network and of how to reach it.

Thank you CRASH, a HUGE thanks!
The thread can probably be closed


22 Sep 2015, 10:52
Anyconnect Was Not Able To Establish A Connection Secure Gateway

In most cases, you won't need to uninstall an old VPN client; you can just stop using it. However, some users report error messages with the new AnyConnect VPN that can be corrected by uninstalling older ones.


The error message

You may need to uninstall the old VPN clients if you see the message 'AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.'

On Windows

Windows 7

  1. Click the Start Menu.
  2. Type View network connections in the search bar, then click that item in the results list.
  3. In the window that appears, right-click the old VPN item you want to remove and choose Delete. You may need to delete two items:
    1. CITES VPN with the subheading WAN Miniport (PPTP)
    2. Aventail VPN with the subheading Aventail VPN Adapter
  4. (If you had an Aventail VPN client installed:)
    Go to the Start Menu -> Control Panel -> Uninstall Program.
  5. In the list of programs that appears, select Aventail Connect, then click the Uninstall button above the list.
  6. Click Yes when prompted to uninstall.
  7. If the Aventail icon remains on your desktop after uninstallation, you can drag it into your Recycle Bin.

Windows 8

  1. Right-click the Start Menu.
  2. Select Network Connections from the list of options.
  3. In the window that appears, right-click the old VPN item you want to remove and choose Delete. You may need to delete two items:
    1. CITES VPN with the subheading WAN Miniport (PPTP)
    2. Aventail VPN with the subheading Aventail VPN Adapter
  4. (If you had an Aventail VPN client installed:)
    Go to the Start Menu -> Control Panel -> Uninstall Program.
  5. In the list of programs that appears, select Aventail Connect, then click the Uninstall button above the list.
  6. Click Yes when prompted to uninstall.
  7. If the Aventail icon remains on your desktop after uninstallation, you can drag it into your Recycle Bin.

Windows 10 is unlikely to have the Nortel or Aventail VPN installed from use with the prior versions of the Tech Services VPN. If you need to uninstall them because they were installed for a different VPN, please refer to that group's documentation.

On Mac

Removing the old CITES VPN (aka Nortel)

  1. Under System Preferences, choose Network
  2. In the left hand list of connections, choose the old VPN that you want to remove. (If it says vpn3.near.uiuc.edu in the Server Address line, it's an old connection and should be removed.)
  3. Uncheck the box that says 'Show VPN status in the menu bar.'
  4. Click the minus button below the left hand column.
  5. Click Apply.

Removing the Aventail VPN client

  1. With your Finder open to Applications, find Aventail Connect in your applications list.
  2. Right click on it and choose Move to Trash.
  3. If prompted, enter the computer's administrator user name and password.

More help

If you need further assistance with this error, please contact the Help Desk.



Keywords: VPN, uninstall, AnyConnect gateway error, Cisco, Nortel, Aventail, Windows 7, Windows 8, Mac
Doc ID: 47634
Owner: Debbie F.
Group: University of Illinois Technology Services
Created: 2015-02-26 10:42 CDT
Updated: 2021-02-24 10:32 CDT
Sites: University of Illinois Technology Services