Your ASA will (by default) update your AnyConnect clients to the latest client software when they connect. However you need to supply the ASA with the updated packages first.
Mostly my conversion to Windows 8 has been pretty painless, the only thing that wont work is the VMware VI client cant open a console session to the VMs on my ESX server.
Error
The VMRC console has disconencted…attempting to reconnect
This happens because the IE10 that comes with Windows 8 does NOT LIKE the requests the VI client is sending to the Internet Explorer plug-in.
Update 08/03/13 – This problem has now been fixed! Download the latest 5.1 version of the VI client. (see screenshot).
Solution
Work-Around 1 Use VMware workstation (Note: scroll down for a permanent fix)
Until either Microsoft or VMware change something then we are stuck! however there is a work around. if you have VMware Workstation (download the trial it will keep you ticking over till the problem is fixed!).
1. Launch VMware workstation > File > Connect to Server > Enter your ESX/vCenter server details > Connect.
Note: You may need to accept the certificate warning if you are using self signed certificates.
2. Now you can open a console session to your virtual machines.
Work-Around 2 Use VMware Guest Console
Download and run VMware Guest Console > Connect to to a host or vCenter, and you can access the guest machines consoles from there.
Permanent Fix
Sorry, the only way to fix this (at time of writing) is to upgrade to vSphere 5.1 AND install the 5.1 version of the vSphere client. (You can’t point the 5.1 client at a 5.0 host, it automatically launches the 5.0 version of the VI client).
Note: You will need to update vCenter to 5.1 as well for that to work!
Problem Resolved
Update to the latest VI client, and the problem will cease.
Related Articles, References, Credits, or External Links
I installed one of these a couple of weeks ago, and there’s some good documentation with the module itself so installing it into the UPS and giving it an IP address was easy, getting the right client software to talk to it was a pain.
Solution
Configure the Network Module
1. Physically install the module in the UPS, it’s fixed with two screws and you can install it with the UPS powered on.
2. It takes a while for the card to boot, pop in the console cable that came with it (into the Settings/AUX socket – see above). Fire up PuTTy and connect via serial.
Note: Standard Serial Settings,
Bits per second—9600
Data bits—8
Parity—None
Stop bits—1
Flow control—None
3. The default password is ‘admin’
4. Use the menus presented to change the IP details, you MUST restart the module when you are finished or the IP address WONT change.
5. Once its rebooted (again this takes a while) you can login with a web browser, (username admin password admin).
Configure the Client Machines.
1. Download HP Power Protector, (Note: there is no client and administrator software any more, this software will do BOTH. The network module has the administration software built in).
2. Install the software on your machine, and login (again username admin password admin).
3. Select client > Save.
4. Select the Device Discovery tab. The software usually detects the network module on its own quite quickly, if it does not you can use the options on right to do a scan.
Ports Required for HP UPS Network Module
If you are connecting through a firewall (or you machine has a software firewall), make sure the following six ports are open.
5. When it’s fully detected, select the network module and select ‘Configure power source’, supply the login credentials for the network module, and the load segment the machine is plugged into (see below) > Save.
6. Back in the web console of the network module > Open ‘Notified Applications’ and in about 5-10 minutes your server should appear.
Related Articles, References, Credits, or External Links
You would like to enable remote access for your clients using the Cisco VPN Client software.
Solution
Before you start – you need to ask yourself “Do I already have any IPSECVPN’s configured on this firewall?” Because if its not already been done, you need to enable ISAKMP on the outside interface. To accertain whether yours is on, or off, issue a “show run crypto isakmp” command and check the results, if you do NOT see “crypto isakmp enable outside” then you need to issue that command.
[box]
PetesASA# show run crypto isakmp
crypto isakmp enable outside << Mines already enabled.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#
[/box]
1. Firstly we need to set up Kerberos AAA, if you wanted to use the ASDM to do this CLICK HERE however, to do the same via command line see the commands below. (so my DC is at 10.254.254.5 and the the domain is petenetlive.com). Note you could use LOCAL or RADIUS for authentication as well, but as the title states we are using Kerberos 🙂
2. Set up a range of IP addresses, for the remote clients to use, Note: DONT use the same IP range as your internal network (That’s a common error!) In this example I’m going to only have a range of 10 IP addresses.
[box]
PetesASA(config)#
PetesASA(config)# ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
PetesASA(config)#
[/box]
3. Now I’m going to create two access control lists, one for “Split Tunneling” (So when my remote clients connect, they can still browse the internet from their remote location.) And the second one will be to STOP the ASA performing NAT on the traffic that travels over the VPN.
Warning: If you already have NAT excluded traffic on the firewall (for other VPN’s) this will BREAK THEM – to see if you do, issue a “show run nat” command, if you already have a nat (inside) 0 access-list {name} entry, then use that {name} NOT the one in my example.
So below I’m saying “Don’t NAT Traffic from the network behind the ASA (10.254.254.0) that’s going to the remote clients (10.253.253.0) that we set up in step 2″.
3. Now we need to create a “Group Policy” this will specify that we are going to use split-tunneling, what type of VPN it is (IPSEC), the domain name and DNS server for the policy.
[box]
PetesASA(config)#
PetesASA(config)# group-policy IPSEC-VPN-POLICY internal
PetesASA(config)# group-policy IPSEC-VPN-POLICY attributes
PetesASA(config-group-policy)# vpn-tunnel-protocol IP Sec
PetesASA(config-group-policy)# split-tunnel-policy tunnelspecified
PetesASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel
PetesASA(config-group-policy)# dns-server value 10.254.254.5
PetesASA(config-group-policy)# default-domain value PETENETLIVE.COM
PetesASA(config)#
[/box]
4. Next we create a tunnel group, and tell that group to use the policy we created above, we also specify the Kerberos AAA we created , the IP Pool, and lastly we set up a shared key.
NOTE: This sets up two of the three pieces of information that you need to enter into the VPN Client software, the tunnel group goes in the “Name” section, and the pre-shared-key goes in the “Password” section HERE.
6. Lastly we need to create a “Dynamic Cryptomap”, then get that cryptomap to use the transforms we have just created.
Note: I’ve also enabled NAT-Traversal here as well – sometimes the client software will connect successfully,and pass no traffic, if that happens 99% of the time its a NAT problem, caused by either mis-configured NAT on the ASA, or a device somewhere in the VPN tunnels path, that’s performing NAT that breaks the traffic flow, NAT-Traversal fixes this, so lets turn it on anyway to be on the safe side 🙂
(This method uses the ASA to hold the user database) to use RADIUS CLICK HEREto use Kerberos CLICK HERE
KB ID 0000070
Problem
Note: IPSEC VPN is still possible, but getting Windows clients is a little sketchy, and you will have to mess about with them to get them to work on modern versions of Windows. (Mac OSX and iPhone/iPad can connect with their built in VPN software though).
Below is a walkthrough for setting up a client to gateway VPN Tunnel using a Cisco ASA appliance.This is done via the ASDM console.
It also uses the Cisco VPN client – This is no longer available form Cisco see the following article.
1. Open up the ADSM console. > Click Wizards > VPN Wizard.
2. Select “Remote Access”. > Next.
3. Select Cisco VPN Client. > Next.
4. Enter a Pre Shared Key e.g. thisisthepresharedkey > And then give the Tunnel group a name e.g. “RemoteVPN”. > Next.
5. Select “Authenticate using the local user database”. > Next.
6. Now create a user, for this exercise I’ve created a user called user1 with a password of password1
7. Click Add. > Next.
8. Now we need to create some IP addresses that the remote clients will use when connected. > Click New
9. Give the Pool a name e.g. RemotePool and set the start and end IP addresses you want to lease (note these DONT have to be on the same network as your internal IP’s – In fact, for auditing its good practice to make them different). > Enter a Subnet Mask. > OK.
10 Click Next.
11 Enter the details you want the remote clients to use while connected, DNS servers, WINS Servers and domain name. > Next.
12. Leave it on the defaults of 3DES, SHA and DH Group 2 (Note some Cisco VPN clients will not support AES). > Next
13. Again leave it on the default of 3DES and SHA. > Next.
14. You can choose what IP addresses you want the remote VPN clients to have access to, first change the dropdown to “Inside”, here I want them to have access to the entire network behind the ASA so I will choose 10.254.254.0 with a mask of 255.255.255.0 > Click Add. > Next.
NOTE If you do not tick the box to enable “Split Tunneling” then the client cannot browse the internet etc while connected via VPN.
15. Review the information at the end of the wizard. > Finish
16. Now you need to save the changes you have just made, From the ASDM Select File > “Save running configuration to flash”
Step 2 Configure the Client VPN Software on the remote client.
1. I’ll assume you have the software installed you can get it from two places, On the CD that came with the ASA, or download it direct from Cisco (NOTE this needs a valid Cisco CCO account and a service contract). > Click New.
2. Under connection entry give the connection a name e.g. “Remote VPN to Office” > Under “Host” enter the Public IP of the ASA (NOTE I’ve blurred this one out to protect my IP address). > Under “Name” enter the name you created earlier (Step 1 number 4) > Under Password use the password you created earlier (Step 1 number 4) and enter it a second time to confirm. NOTE these are NOT the usernames and passwords you created in Step 1 number 6. > Click Transport Tab.
3 Accept the defaults but tick “Allow LAN access if you want to be able to access YOUR drives etc from the network behind the ASA” > Save.
4. Select the Connection you have just created. > Connect.
5. Enter the username and password you created earlier (Step 1 Number 6) of user1 and password1. > OK.
6 After a few seconds (provided the details were all right) it will connect, hover over the padlock in your task tray and it should say “VPN Client – Connected”.
Create Additional Users on the ASA
1. Open the ASDM and navigate to Configuration > VPN > General > Users > Add.
2. Give the user a name > Enter and confirm a password > Set the Privilege Level to 0 > Then Select the VPN Policy Tab
3. > Under Group Policy untick “Inherit” > Select RemoteVPN (the policy you set in Step1 Number 4) > OK.
4. You will now see the user listed (Don’t forget to save the settings, (File > “Save Running Configuration to Flash”).
The Cisco VPN client software (CVPN-CL-IPSEC-ALL) is no longer available from Cisco.
Milestone
Definition
Date
End-of-Llfe Announcement Date
The date the document that announces the end of sale and end of life of a product is distributed to the general public.
July 29, 2011
End-of-Availability Date
The last date to download the product from Cisco.com. The product is no longer for download after this date.
July 29, 2014
End of SW Maintenance Releases Date:
The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.
July 30, 2012
Last Date of Support:
The last date to receive service and support for the product. After this date, all support services for the product are unavailable, and the product becomes obsolete.