Configuring a Cisco AnyConnect VPN using a self-signed certificate for a Cisco ASA and Integration with LDAP

12/28/2012

Chris Rose ([email protected])
Dianne Dunlap ([email protected])

This document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with LDAP (Microsoft AD) using the command-line and ASDM 6.4. The lab setup was as shown below.

Figure 1 – Lab ASA AnyConnect

With 3+ Microsoft AD security groups, the goal was to give users different access levels depending on their group:

• acadmins – full access to everything inside the network
• acstudents – no remote access to anything for this group (or for any group other than acadmins and acteachers)
• acteachers – remote access to the 192.168.57.5 application-server only

Command-line is shown with some ASDM screen-captures for clarification. Configuration of Dynamic Access Policies (DAP) is shown with ASDM because the results are stored in the ‘dap.xml’ file in flash (not in ‘show run’).

Further information on DAP is in: ASA 8.x Dynamic Access Policies (DAP) Deployment Guide https://supportforums.cisco.com/docs/DOC-1369

Task 1. Create the self-signed certificate
ciscoasa(config)#crypto key generate rsa label sslvpnkeypair
INFO: The name for the keys will be: sslvpnkeypair
Keypair generation process begin. Please wait...
!--- Generate an RSA key for the certificate. The name should be unique,
!--- for example, ‘sslvpnkeypair’.
ciscoasa(config)#crypto ca trustpoint localtrust
!--- Create a trustpoint for the self-issued certificate.
ciscoasa(config-ca-trustpoint)#enrollment self
ciscoasa(config-ca-trustpoint)#fqdn vpn.someschool.edu
ciscoasa(config-ca-trustpoint)#subject-name CN=vpn.someschool.edu
!--- The fully qualified domain name is used for both FQDN and CN.
!--- The name should resolve to the ASA outside interface IP address.
!--- You can use any domain or name you wish, however it should resolve
!--- to the hostname on the public internet.
ciscoasa(config-ca-trustpoint)#keypair sslvpnkeypair
!--- The RSA key is assigned to the trustpoint for certificate creation.
ciscoasa(config-ca-trustpoint)#crypto ca enroll localtrust noconfirm
% The fully-qualified domain name in the certificate will be: sslvpn.cisco.com
ciscoasa(config)# ssl trust-point localtrust outside
!--- Assign the trustpoint to be used for SSL connections on the outside interface.
Task 2. Install the Cisco AnyConnect client packages
Manipulation of AnyConnect client packages is much easier to perform using the ASDM GUI, particularly updating or deleting old clients. ‘show flash | inc anyconnect’ will produce a list of the AnyConnect packages on the ASA.
ASDM Procedure
1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand Advanced.
3. Expand SSL VPN, and choose Client Settings.
4. In the SSL VPN Client Images area, click Add, and then click Upload.
5. Browse to the location where you downloaded the AnyConnect client.
6. Select the file, and click Upload File.

Once the client uploads, you should receive a message that states the file was uploaded to flash successfully.

7. Click OK.

A dialogue box will appear to confirm that you want to use the newly uploaded image as the current SSL VPN client image.

8. Click OK.
9. Click OK, and then click Apply.
10. Repeat the steps in this section for each operating system-specific AnyConnect package that you want to use.
Task 3. Create an address pool for AnyConnect users
ciscoasa(config)#ip local pool acpool 10.1.1.2-10.1.1.254 mask 255.255.255.0
!--- Define the IP pool. The IP pool should be a range of IP addresses
!--- not already in use on the internal network.
!--- You will also need to ensure that a route to these addresses exists
!--- on any internal routers. The route would be the subnet selected for
!--- the address pool. The next hop would be the address of the inside
!--- interface of the firewall. The metric would be the route preference,
!--- “1” in most cases. (In our example, there is no internal
!--- router.)
Task 4. Enable AnyConnect Access
ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#enable outside
ciscoasa(config-webvpn)#svc enable
ciscoasa(config-webvpn)#svc image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
!--- Enable AnyConnect to be downloaded to remote computers.
Figure 2 - Enabling AnyConnect via ASDM
Figure 3 - Address pool definition in ASDM
Figure 4 - Address-pool and image via ASDM
Task 5. Create a new group policy
ciscoasa(config)#group-policy Anyconnect_GPol internal
ciscoasa(config)#group-policy Anyconnect_GPol attributes
ciscoasa(config-group-policy)#dns-server value 192.168.57.2
!--- Specify the internal DNS server to be used.
ciscoasa(config-group-policy)#vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
!--- Specify the VPN tunnel protocols to be used by the Group Policy.
Figure 5 - Creating group policy through ASDM
ciscoasa(config-group-policy)#default-domain value someschool.local
!--- Define the default domain assigned to VPN users. In many cases
!--- this is the Active Directory domain, particularly if you want the
!--- clients to act as if they are on the local LAN.
ciscoasa(config-group-policy)#address-pool value acpool
!--- Assign the IP pool created to the AnyConnect_GPol group policy.
Task 6. Configure the access list bypass for VPN traffic.
ciscoasa(config)#sysopt connection permit-vpn
!--- Enable interface access-list bypass for VPN connections.
!--- This example uses the vpn-filter command for access control.
!--- The ‘sysopt’ command is default so it will not appear in ‘show run’.
Task 7. Create a VPN Connection Profile and associated Tunnel Group
ciscoasa(config)#tunnel-group AC type remote-access
!--- Define the tunnel group to be used for VPN remote access connections.
ciscoasa(config)#tunnel-group AC general-attributes
ciscoasa(config-tunnel-general)#default-group-policy Anyconnect_GPol
!--- Associate the tunnel-group with the group-policy.
Figure 7 - Associating tunnel-group with group-policy through ASDM
Task 8. Configure the ASA to use the local Microsoft AD as the local Web VPN authenticator
ciscoasa(config)#aaa-server ldap protocol ldap
!--- Configure the AAA Server group.
ciscoasa(config-aaa-server-group)#aaa-server ldap (inside) host 192.168.57.2
!--- Configure the AAA Server.
!--- Configure the AD server as the AAA authentication source by interface
!--- and IP.
ciscoasa(config-aaa-server-host)#ldap-base-dn dc=cne, dc=org
!--- Configure the base DN to begin the search for a user.
ciscoasa(config-aaa-server-host)#ldap-login-dn cn=CNE\cneadmin, cn=users, dc=cne, dc=org
ciscoasa(config-aaa-server-host)#ldap-login-password **********
!--- Configure the bind DN account used to log in to the AD server
!--- in order to search for a user. This can be a standard
!--- domain user account. When configuring the account, set the password
!--- to never expire or you will need to update this configuration
!--- when it changes.
ciscoasa(config-aaa-server-host)#ldap-scope subtree
!--- Set the scope.
Figure 8 - Defining ldap parameters in ASDM
ciscoasa(config)#tunnel-group AC general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group ldap
ciscoasa(config)#tunnel-group DefaultWEBVPNGroup general-attributes
ciscoasa(config-tunnel-general)#address-pool acpool
ciscoasa(config-tunnel-general)#authentication-server-group ldap
!--- Configure the tunnel groups to use the new AAA setup.
Figure 9 - Associating ldap parameters with tunnel-group
Now you can use the test command on the command line in order to test your AAA setup. A test request is sent to the AAA server, and the result appears on the command line.

ciscoasa#test aaa-server authentication ldap host 192.168.57.2 username CNE\cneadmin password testuserpassword
INFO: Attempting Authentication test to IP address <192.168.57.2> (timeout: 12 seconds)
INFO: Authentication Successful
Task 9. Configure the ASA to permit hairpinning of internet traffic from AnyConnect clients back out to the internet (to avoid the use of split tunneling) and to allow AnyConnect clients to communicate with the inside network

ciscoasa(config)#same-security-traffic permit intra-interface
!--- Tell the ASA to allow traffic back out of the interface it came in
!--- from without dropping it.
Figure 10 - Configuring intra-interface access in ASDM
ciscoasa(config)#name 10.1.1.0 acpoolexempt description exempt Anyconnect traffic from nat
ciscoasa(config)#nat (outside) 1 10.1.1.0 255.255.255.0
!--- Tell the ASA to NAT traffic from the VPN pool to the outside
!--- interface PAT. You can change the pool to a different global if needed
!--- to track VPN users separately.
Figure 11 - Allowing pool traffic out in ASDM
ciscoasa(config)#access-list inside_nat0_outbound extended permit ip 192.168.57.0 255.255.255.0 acpoolexempt 255.255.255.0
!--- Exempt internal traffic to the VPN pool from NAT.
Figure 12 - Exempting internal traffic to vpn pool from NAT
Task 10. Create an access-list to prevent teachers from accessing devices other than the application-server

ciscoasa(config)#access-list limitteacher extended permit ip any host 192.168.57.5
Figure 13 - Creating access-list to limit 'acteacher' traffic
Task 11. Configure 3 DAP entries to assign access to vpn users based on group permissions
The DAP entries themselves may be created from the command-line, but the AD group-membership conditions, which are stored in the ‘dap.xml’ file in flash rather than in the running configuration, are configured through ASDM as shown in the screen-shots that follow.
ciscoasa(config)#dynamic-access-policy-record acadministrators
ciscoasa(config-dynamic-access-policy-record)#description "Administrative network access with Anyconnect"
ciscoasa(config-dynamic-access-policy-record)#webvpn
ciscoasa(config-dynamic-access-policy-record)#svc ask none default svc
ciscoasa(config)#dynamic-access-policy-record acteachers
ciscoasa(config-dynamic-access-policy-record)#description "Group for AD users in 'acteachers' group"
ciscoasa(config-dynamic-access-policy-record)#network-acl limitteacher
ciscoasa(config-dynamic-access-policy-record)#webvpn
ciscoasa(config-dynamic-access-policy-record)#svc ask none default svc
ciscoasa(config)#dynamic-access-policy-record DfltAccessPolicy
ciscoasa(config-dynamic-access-policy-record)#action terminate
!--- Create the 3 DAP entries, then refresh the configuration in ASDM and
!--- associate AD membership afterwards:

DAP ‘acadministrators’ includes members of AD ‘acadmins’ group; ‘Action’ is ‘Continue’ and ‘Access Method’ is ‘AnyConnect Client’.
Figure 14 - Configuring 'acadministrators' group membership through ASDM
DAP ‘acteachers’ includes members of AD ‘acteachers’ group; ‘Action’ is ‘Continue’ and ‘Access Method’ is ‘AnyConnect Client’. ‘Network ACL Filters (Client)’ also specifies an access-list.
Figure 15 - Configuring 'acteachers' group membership through ASDM
Figure 16 - Configuring 'acteachers' access-list through ASDM
DAP ‘DfltAccessPolicy’ is set to terminate users not in other policies. Users in AD group ‘acstudents’ and other groups will have this policy.
Figure 17 - Configuring default DAP policy to terminate users not in other policies
ASA Finished Configuration
ASA Version 8.2(5)22
!
hostname ciscoasa
domain-name mcnc.org
enable password 1KYq7.p8MaFbxoh/ encrypted
passwd 1KYq7.p8MaFbxoh/ encrypted
names
name 152.46.31.232 CNE-AD
name 10.1.1.0 acpoolexempt description exempt Anyconnect traffic from nat
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 speed 100
 duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 speed 100
 duplex full
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.57.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 152.46.31.231 255.255.255.224
!
interface Vlan12
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 10.0.0.254 255.0.0.0
!
boot system disk0:/asa825-22-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.57.2
 name-server 202.12.27.33
 domain-name mcnc.org
same-security-traffic permit intra-interface
object-group service http
object-group service https
object-group network test
object-group service LDAP
 service-object tcp source eq ldap
object-group service proxyport
object-group network obj-192.168.88.0
object-group service Filtered-Services-TCP
object-group service CES-standard-tcp tcp
 port-object eq www
 port-object eq https
object-group service CES-standard-udp udp
 port-object eq domain
object-group network obj_any
 network-object 192.168.57.0 255.255.255.0
object-group network zscalerone-ca
 network-object host 199.168.148.18
 network-object host 199.168.148.21
 network-object host 199.168.149.18
 network-object host 199.168.149.21
 network-object host 199.168.150.18
 network-object host 199.168.150.21
 network-object host 199.168.151.18
 network-object host 199.168.151.21
 network-object host 208.100.40.52
 network-object host 216.52.207.84
 network-object host 216.52.207.85
object-group service Zscaler tcp
 port-object eq 3268
 port-object eq 3269
 port-object eq ldap
 port-object eq ldaps
access-list test443 extended permit ip host 192.168.57.150 any
access-list test443 extended permit ip any host 192.168.57.150
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit udp host 192.168.57.2 any eq domain
access-list inside_access_in extended permit tcp host 192.168.57.2 any eq domain
access-list inside_access_in extended permit tcp any any eq 9443
access-list inside_access_in remark allow passive ftp
access-list inside_access_in extended permit tcp any any eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any eq ntp
access-list inside_access_in extended permit tcp any any eq 123
access-list inside_access_in extended permit ip host 192.168.57.150 any
access-list inside_access_in extended permit tcp any any eq 5222
access-list inside_nat0_outbound extended permit ip any 192.168.57.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.57.0 255.255.255.0 acpoolexempt 255.255.255.0
access-list outside_access_in extended permit tcp object-group zscalerone-ca host CNE-AD object-group Zscaler
access-list limitteacher extended permit ip any host 192.168.57.5
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool acpool 10.1.1.2-10.1.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
Debugs were run to show connection by user ‘acteacher’ in group ‘acteachers’, demonstrating group mapping and access-list application.
ciscoasa# sho debug
debug dap errors enabled at level 1
debug dap trace enabled at level 1
debug ldap enabled at level 255
ciscoasa# term mon
%ASA-6-302013: Built inbound TCP connection 47217 for outside:152.45.1.199/6316 (152.45.1.199/6316) to identity:152.46.31.231/443 (152.46.31.231/443)
%ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6316 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:152.45.1.199/6316 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-MD5
%ASA-7-725011: Cipher[2] : RC4-SHA
%ASA-7-725011: Cipher[3] : DES-CBC3-SHA
%ASA-7-725011: Cipher[4] : DES-CBC-SHA
%ASA-7-725011: Cipher[5] : EXP-RC4-MD5
%ASA-7-725011: Cipher[6] : EXP-RC2-CBC-MD5
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : EDH-DSS-DES-CBC-SHA
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:152.45.1.199/6316
%ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6316
%ASA-6-302013: Built inbound TCP connection 47218 for outside:152.45.1.199/6317 (152.45.1.199/6317) to identity:152.46.31.231/443 (152.46.31.231/443)
%ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6317 for TLSv1 session.
%ASA-6-725003: SSL client outside:152.45.1.199/6317 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6317
%ASA-6-302013: Built inbound TCP connection 47219 for outside:152.45.1.199/6318 (152.45.1.199/6318) to identity:152.46.31.231/443 (152.46.31.231/443)
%ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6318 for TLSv1 session.
%ASA-6-725003: SSL client outside:152.45.1.199/6318 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6318
%ASA-6-302014: Teardown TCP connection 47217 for outside:152.45.1.199/6316 to identity:152.46.31.231/443 duration 0:00:00 bytes 577 TCP Reset-I
%ASA-6-725007: SSL session with client outside:152.45.1.199/6316 terminated.
%ASA-6-725007: SSL session with client outside:152.45.1.199/6317 terminated.
%ASA-6-302014: Teardown TCP connection 47218 for outside:152.45.1.199/6317 to identity:152.46.31.231/443 duration 0:00:00 bytes 427 TCP Reset-I
%ASA-6-725007: SSL session with client outside:152.45.1.199/6318 terminated.
%ASA-6-302014: Teardown TCP connection 47219 for outside:152.45.1.199/6318 to identity:152.46.31.231/443 duration 0:00:00 bytes 1011 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 47220 for outside:152.45.1.199/6321 (152.45.1.199/6321) to identity:152.46.31.231/443 (152.46.31.231/443)
%ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6321 for TLSv1 session.
%ASA-6-725003: SSL client outside:152.45.1.199/6321 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6321
%ASA-6-302013: Built outbound TCP connection 47221 for inside:192.168.57.2/389 (192.168.57.2/389) to identity:192.168.57.1/28851 (192.168.57.1/28851)
[90] Session Start
[90] New request Session, context 0xc96f19c0, reqType = Authentication
[90] Fiber started
[90] Creating LDAP context with uri=ldap://192.168.57.2:389
[90] Connect to LDAP server: ldap://192.168.57.2:389, status = Successful
[90] supportedLDAPVersion: value = 3
[90] supportedLDAPVersion: value = 2
[90] Binding as CNE\cneadmin
[90] Performing Simple authentication for CNE\cneadmin to 192.168.57.2
[90] LDAP Search: Base DN = [DC=cne,DC=org] Filter = [sAMAccountName=acteacher] Scope = [SUBTREE]
[90] User DN = [CN=A C. Teacher,CN=Users,DC=cne,DC=org]
[90] Talking to Active Directory server 192.168.57.2
%ASA-6-113004: AAA user authentication Successful : server = 192.168.57.2 : user = acteacher
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = acteacher
%ASA-6-113008: AAA transaction status ACCEPT : user = acteacher
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectClass.1 = top
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectClass.2 = person
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectClass.3 = organizationalPerson
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectClass.4 = user
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.cn = A C. Teacher
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.sn = Teacher
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.givenName = A
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.initials = C
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.distinguishedName = CN=A C. Teacher,CN=Users,DC=cne,DC=org
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.instanceType = 4
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.whenCreated = 20121221140355.0Z
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.whenChanged = 20121221191115.0Z
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.displayName = A C. Teacher
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.uSNCreated = 182255
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.memberOf = acteachers
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.uSNChanged = 182399
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.name = A C. Teacher
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectGUID = .:I$i.,C..q....8
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.userAccountControl = 66048
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.badPwdCount = 0
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.codePage = 0
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.countryCode = 0
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.badPasswordTime = 0
[90] Reading password policy for acteacher, dn:CN=A C. Teacher,CN=Users,DC=cne,DC=org
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.lastLogoff = 0
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.lastLogon = 0
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.pwdLastSet = 130005722355000000
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.primaryGroupID = 513
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.userParameters = m: d.
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectSid = ..
[90] Read bad password count 0
[90] Binding as acteacher
[90] Performing Simple authentication for acteacher to 192.168.57.2
[90] Processing LDAP response for user acteacher
[90] Message (acteacher):
[90] Authentication successful for acteacher to 192.168.57.2
[90] Retrieved User Attributes:
[90] objectClass: value = top
[90] objectClass: value = person
[90] objectClass: value = organizationalPerson
[90] objectClass: value = user
[90] cn: value = A C. Teacher
[90] sn: value = Teacher
[90] givenName: value = A
[90] initials: value = C
[90] distinguishedName: value = CN=A C. Teacher,CN=Users,DC=cne,DC=org
[90] instanceType: value = 4
[90] whenCreated: value = 20121221140355.0Z
[90] whenChanged: value = 20121221191115.0Z
[90] displayName: value = A C. Teacher
[90] uSNCreated: value = 182255
[90] memberOf: value = CN=acteachers,CN=Users,DC=cne,DC=org
[90] uSNChanged: value = 182399
[90] name: value = A C. Teacher
[90] objectGUID: value = .:I$i.,C..q....8
[90] userAccountControl: value = 66048
[90] badPwdCount: value = 0
[90] codePage: value = 0
[90] countryCode: value = 0
[90] badPasswordTime: value = 0
[90] lastLogoff: value = 0
[90] lastLogon: value = 0
[90] pwdLastSet: value = 130005722355000000
[90] primaryGroupID: value = 513
[90] userParameters: value = m: d.
[90] objectSid: value = .............MeX.].)........
[90] accountExpires: value = 9223372036854775807
[90] logonCount: value = 0
[90] sAMAccountName: value = acteacher
[90] sAMAccountType: value = 805306368
[90] userPrincipalName: value = [email protected]
[90] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=cne,DC=org
[90] msNPAllowDialin: value = TRUE
[90] dSCorePropagationData: value = 16010101000000.0Z
[90] lastLogonTimestamp: value = 130005906758281250
[90] Fiber exit Tx=497 bytes Rx=2621 bytes, status=1
[90] Session End
DAP_TRACE: DAP_open: CA56A208
DAP_TRACE: Username: acteacher, aaa.ldap.objectClass.1 = top
DAP_TRACE: Username: acteacher, aaa.ldap.objectClass.2 = person
DAP_TRACE: Username: acteacher, aaa.ldap.objectClass.3 = organizationalPerson
DAP_TRACE: Username: acteacher, aaa.ldap.objectClass.4 = user
DAP_TRACE: Username: acteacher, aaa.ldap.cn = A C. Teacher
DAP_TRACE: Username: acteacher, aaa.ldap.sn = Teacher
DAP_TRACE: Username: acteacher, aaa.ldap.givenName = A
DAP_TRACE: Username: acteacher, aaa.ldap.initials = C
DAP_TRACE: Username: acteacher, aaa.ldap.distinguishedName = CN=A C. Teacher,CN=Users,DC=cne,DC=org
DAP_TRACE: Username: acteacher, aaa.ldap.instanceType = 4
DAP_TRACE: name = aaa["ldap"]["objectClass"]["4"], value = "user"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["cn"]="A C. Teacher"
DAP_TRACE: name = aaa["ldap"]["cn"], value = "A C. Teacher"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["sn"]="Teacher"
DAP_TRACE: name = aaa["ldap"]["sn"], value = "Teacher"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["givenName"]="A"
DAP_TRACE: name = aaa["ldap"]["givenName"], value = "A"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["initials"]="C"
DAP_TRACE: name = aaa["ldap"]["initials"], value = "C"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=A C. Teacher,CN=Users,DC=cne,DC=org"
DAP_TRACE: name = aaa["ldap"]["distinguishedName"], value = "CN=A C. Teacher,CN=Users,DC=cne,DC=org"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["instanceType"]="4"
DAP_TRACE: name = aaa["ldap"]["instanceType"], value = "4"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["whenCreated"]="20121221140355.0Z"
DAP_TRACE: name = aaa["ldap"]["whenCreated"], value = "20121221140355.0Z"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["whenChanged"]="20121221191115.0Z"
DAP_TRACE: name = aaa["ldap"]["whenChanged"], value = "20121221191115.0Z"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["displayName"]="A C. Teacher"
DAP_TRACE: name = aaa["ldap"]["displayName"], value = "A C. Teacher"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["uSNCreated"]="182255"
DAP_TRACE: name = aaa["ldap"]["uSNCreated"], value = "182255"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]="acteachers"
DAP_TRACE: name = aaa["ldap"]["memberOf"], value = "acteachers"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["uSNChanged"]="182399"
DAP_TRACE: name = aaa["ldap"]["uSNChanged"], value = "182399"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["name"]="A C. Teacher"
DAP_TRACE: name = aaa["ldap"]["name"], value = "A C. Teacher"
DAP_TRACE: dap_add_to_lua_tree:aaa.ldap.objectGUID contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["userAccountControl"]="66048"
DAP_TRACE: name = aaa["ldap"]["userAccountControl"], value = "66048"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["badPwdCount"]="0"
DAP_TRACE: name = aaa["ldap"]["badPwdCount"], value = "0"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["codePage"]="0"
DAP_TRACE: name = aaa["ldap"]["codePage"], value = "0"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["countryCode"]="0"
DAP_TRACE: name = aaa["ldap"]["countryCode"], value = "0"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["badPasswordTime"]="0"
DAP_TRACE: name = aaa["ldap"]["badPasswordTime"], value = "0"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["lastLogoff"]="0"
DAP_TRACE: name = aaa["ldap"]["lastLogoff"], value = "0"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["lastLogon"]="0"
DAP_TRACE: name = aaa["ldap"]["lastLogon"], value = "0"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["pwdLastSet"]="130005722355000000"
DAP_TRACE: name = aaa["ldap"]["pwdLastSet"], value = "130005722355000000"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["primaryGroupID"]="513"
DAP_TRACE: name = aaa["ldap"]["primaryGroupID"], value = "513"
DAP_TRACE: dap_add_to_lua_tree:aaa.ldap.userParameters contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa.ldap.objectSid contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["accountExpires"]="9223372036854775807"
DAP_TRACE: name = aaa["ldap"]["accountExpires"], value = "9223372036854775807"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["logonCount"]="0"
DAP_TRACE: name = aaa["ldap"]["logonCount"], value = "0"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["sAMAccountName"]="acteacher"
DAP_TRACE: name = aaa["ldap"]["sAMAccountName"], value = "acteacher"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["sAMAccountType"]="805306368"
DAP_TRACE: name = aaa["ldap"]["sAMAccountType"], value = "805306368"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["userPrincipalName"]="[email protected]"
DAP_TRACE: name = aaa["ldap"]["userPrincipalName"], value = "[email protected]"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectCategory"]="CN=Person,CN=Schema,CN=Configuration,DC=cne,DC=org"
DAP_TRACE: name = aaa["ldap"]["objectCategory"], value = "CN=Person,CN=Schema,CN=Configuration,DC=cne,DC=org"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["msNPAllowDialin"]="TRUE"
DAP_TRACE: name = aaa["ldap"]["msNPAllowDialin"], value = "TRUE"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["dSCorePropagationData"]="16010101000000.0Z"
DAP_TRACE: name = aaa["ldap"]["dSCorePropagationData"], value = "16010101000000.0Z"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["lastLogonTimestamp"]="130005906758281250"
DAP_TRACE: name = aaa["ldap"]["lastLogonTimestamp"], value = "130005906758281250"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="DfltGrpPolicy"
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.accountExpires = 9223372036854775807
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.logonCount = 0
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.sAMAccountName = acteacher
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "DfltGrpPolicy"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="acteacher"
DAP_TRACE: name = aaa["cisco"]["username"], value = "acteacher"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "DefaultWEBVPNGroup"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: Username: acteacher, Selected DAPs: ,acteachers
DAP_TRACE: dap_process_selected_daps: selected 1 records
DAP_TRACE: Username: acteacher, dap_aggregate_attr: rec_count = 1
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectClass"]["1"]="top"
DAP_TRACE: name = aaa["ldap"]["objectClass"]["1"], value = "top"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectClass"]["2"]="person"
DAP_TRACE: name = aaa["ldap"]["objectClass"]["2"], value = "person"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectClass"]["3"]="organizationalPerson"
DAP_TRACE: name = aaa["ldap"]["objectClass"]["3"], value = "organizationalPerson"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectClass"]["4"]="user"
DAP_TRACE: name = aaa["ldap"]["objectClass"]["4"], value = "user"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["cn"]="A C. Teacher"
DAP_TRACE: name = aaa["ldap"]["cn"], value = "A C. Teacher"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["sn"]="Teacher"
DAP_TRACE: name = aaa["ldap"]["sn"], value = "Teacher"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["givenName"]="A"
DAP_TRACE: name = aaa["ldap"]["givenName"], value = "A"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["initials"]="C"
DAP_TRACE: name = aaa["ldap"]["initials"], value = "C"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=A C. Teacher,CN=Users,DC=cne,DC=org"
DAP_TRACE: name = aaa["ldap"]["distinguishedName"], value = "CN=A C. Teacher,CN=Users,DC=cne,DC=org"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["instanceType"]="4"
DAP_TRACE: name = aaa["ldap"]["instanceType"], value = "4"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["whenCreated"]="20121221140355.0Z"
DAP_TRACE: name = aaa["ldap"]["whenCreated"], value = "20121221140355.0Z"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["whenChanged"]="20121221191115.0Z"
DAP_TRACE: name = aaa["ldap"]["whenChanged"], value = "20121221191115.0Z"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["displayName"]="A C. Teacher"
DAP_TRACE: name = aaa["ldap"]["displayName"], value = "A C. Teacher"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["uSNCreated"]="182255"
DAP_TRACE: name = aaa["ldap"]["uSNCreated"], value = "182255"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]="acteachers"
DAP_TRACE: name = aaa["ldap"]["memberOf"], value = "acteachers"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["uSNChanged"]="182399"
DAP_TRACE: name = aaa["ldap"]["uSNChanged"], value = "182399"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["name"]="A C. Teacher"
DAP_TRACE: name = aaa["ldap"]["name"], value = "A C. Teacher"
DAP_TRACE: dap_add_to_lua_tree:aaa.ldap.objectGUID contains binary data
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["userAccountControl"]="66048"
DAP_TRACE: name = aaa["ldap"]["userAccountControl"], value = "66048"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["badPwdCount"]="0"
DAP_TRACE: name = aaa["ldap"]["badPwdCount"], value = "0"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["codePage"]="0"
DAP_TRACE: name = aaa["ldap"]["codePage"], value = "0"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["countryCode"]="0"
DAP_TRACE: name = aaa["ldap"]["countryCode"], value = "0"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["badPasswordTime"]="0"
DAP_TRACE: name = aaa["ldap"]["badPasswordTime"], value = "0"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["lastLogoff"]="0"
DAP_TRACE: name = aaa["ldap"]["lastLogoff"], value = "0"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["lastLogon"]="0"
DAP_TRACE: name = aaa["ldap"]["lastLogon"], value = "0"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["pwdLastSet"]="130005722355000000"
DAP_TRACE: name = aaa["ldap"]["pwdLastSet"], value = "130005722355000000"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["primaryGroupID"]="513"
DAP_TRACE: name = 
aaa["ldap"]["primaryGroupID"], value = "513" DAP_TRACE: dap_add_to_lua_tree:aaa.ldap.userParameters contains binary data DAP_TRACE: dap_add_to_lua_tree:aaa.ldap.objectSid contains binary data DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["accountExpires"]="9223372036854775807" DAP_TRACE: name = aaa["ldap"]["accountExpires"], value = "9223372036854775807" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["logonCount"]="0" DAP_TRACE: name = aaa["ldap"]["logonCount"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["sAMAccountName"]="acteacher" DAP_TRACE: name = aaa["ldap"]["sAMAccountName"], value = "acteacher"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["sAMAccountType"]="805306368" DAP_TRACE: name = aaa["ldap"]["sAMAccountType"], value = "805306368" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["userPrincipalName"]="[email protected]" DAP_TRACE: name = aaa["ldap"]["userPrincipalName"], value = "[email protected]" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectCategory"]="CN=Person,CN=Schema,CN=Configuration,DC=cne,DC=org" DAP_TRACE: name = aaa["ldap"]["objectCategory"], value = "CN=Person,CN=Schema,CN=Configuration,DC=cne,DC=org" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["msNPAllowDialin"]="TRUE" DAP_TRACE: name = aaa["ldap"]["msNPAllowDialin"], value = "TRUE" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["dSCorePropagationData"]="16010101000000.0Z" DAP_TRACE: name = aaa["ldap"]["dSCorePropagationData"], value = "16010101000000.0Z" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["lastLogonTimestamp"]="130005906758281250" DAP_TRACE: name = aaa["ldap"]["lastLogonTimestamp"], value = "130005906758281250" DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="DfltGrpPolicy" DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "DfltGrpPolicy" DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="acteacher" DAP_TRACE: name = aaa["cisco"]["username"], value = "acteacher" DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup" DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "DefaultWEBVPNGroup" DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect" DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect" DAP_TRACE: Username: acteacher, Selected DAPs: ,acteachers DAP_TRACE: dap_process_selected_daps: selected 1 records DAP_TRACE: Username: acteacher, dap_aggregate_attr: rec_count = 1 DAP_TRACE: Username: acteacher, DAP_close: CA56A208 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.sAMAccountType = 805306368 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: 
Session Attribute aaa.ldap.userPrincipalName = [email protected]
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectCategory = CN=Person,CN=Schema,CN=Configuration,DC=cne,DC=org %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.msNPAllowDialin = TRUE %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.dSCorePropagationData = 16010101000000.0Z %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.lastLogonTimestamp = 130005906758281250 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.cisco.grouppolicy = DfltGrpPolicy %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.cisco.username = acteacher %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup %ASA-6-734001: DAP: User acteacher, Addr 152.45.1.199, Connection AnyConnect: The following DAP records were selected for this connection: acteachers %ASA-6-716001: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> WebVPN session started. %ASA-6-716038: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> Authentication: successful, Session Type: WebVPN. %ASA-6-302013: Built inbound TCP connection 47222 for outside:152.45.1.199/6322 (152.45.1.199/6322) to identity:152.46.31.231/443 (152.46.31.231/443) %ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6322 for TLSv1 session.
%ASA-6-725003: SSL client outside:152.45.1.199/6322 request to resume previous session. %ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6322 %ASA-6-302013: Built inbound TCP connection 47223 for outside:152.45.1.199/6323 (152.45.1.199/6323) to identity:152.46.31.231/443 (152.46.31.231/443) %ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6323 for TLSv1 session. %ASA-6-725003: SSL client outside:152.45.1.199/6323 request to resume previous session. %ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6323 %ASA-6-302013: Built inbound TCP connection 47224 for outside:152.45.1.199/6324 (152.45.1.199/6324) to identity:152.46.31.231/443 (152.46.31.231/443) %ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6324 for TLSv1 session. %ASA-6-725003: SSL client outside:152.45.1.199/6324 request to resume previous session. %ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6324 %ASA-6-302014: Teardown TCP connection 47221 for inside:192.168.57.2/389 to identity:192.168.57.1/28851 duration 0:00:00 bytes 504 TCP Reset-I %ASA-6-725007: SSL session with client outside:152.45.1.199/6321 terminated.
%ASA-6-302014: Teardown TCP connection 47220 for outside:152.45.1.199/6321 to identity:152.46.31.231/443 duration 0:00:00 bytes 810 TCP Reset-I %ASA-6-725007: SSL session with client outside:152.45.1.199/6322 terminated. %ASA-6-302014: Teardown TCP connection 47222 for outside:152.45.1.199/6322 to identity:152.46.31.231/443 duration 0:00:00 bytes 5959 TCP Reset-I %ASA-6-725007: SSL session with client outside:152.45.1.199/6323 terminated. %ASA-6-302014: Teardown TCP connection 47223 for outside:152.45.1.199/6323 to identity:152.46.31.231/443 duration 0:00:00 bytes 258 TCP Reset-I %ASA-6-725007: SSL session with client outside:152.45.1.199/6324 terminated. %ASA-6-302014: Teardown TCP connection 47224 for outside:152.45.1.199/6324 to identity:152.46.31.231/443 duration 0:00:00 bytes 296 TCP Reset-I %ASA-6-302013: Built inbound TCP connection 47225 for outside:152.45.1.199/6326 (152.45.1.199/6326) to identity:152.46.31.231/443 (152.46.31.231/443) %ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6326 for TLSv1 session. %ASA-7-725010: Device supports the following 4 cipher(s). %ASA-7-725011: Cipher[1] : RC4-SHA %ASA-7-725011: Cipher[2] : AES128-SHA %ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA %ASA-7-725008: SSL client outside:152.45.1.199/6326 proposes the following 8 cipher(s). %ASA-7-725011: Cipher[1] : RC4-MD5 %ASA-7-725011: Cipher[2] : RC4-SHA %ASA-7-725011: Cipher[3] : DES-CBC3-SHA %ASA-7-725011: Cipher[4] : DES-CBC-SHA %ASA-7-725011: Cipher[5] : EXP-RC4-MD5 %ASA-7-725011: Cipher[6] : EXP-RC2-CBC-MD5 %ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA %ASA-7-725011: Cipher[8] : EDH-DSS-DES-CBC-SHA %ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:152.45.1.199/6326 %ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6326 %ASA-6-302013: Built inbound TCP connection 47226 for outside:152.45.1.199/6327 (152.45.1.199/6327) to identity:152.46.31.231/443 (152.46.31.231/443) %ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6327 for TLSv1 session. %ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-6-302014: Teardown TCP connection 47225 for outside:152.45.1.199/6326 to identity:152.46.31.231/443 duration 0:00:00 bytes 624 TCP Reset-I %ASA-6-302013: Built inbound TCP connection 47227 for outside:152.45.1.199/6329 (152.45.1.199/6329) to identity:152.46.31.231/443 (152.46.31.231/443) %ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6329 for TLSv1 session. %ASA-7-725010: Device supports the following 4 cipher(s). %ASA-7-725011: Cipher[1] : RC4-SHA %ASA-7-725011: Cipher[2] : AES128-SHA %ASA-7-725011: Cipher[3] : AES256-SHA %ASA-7-725011: Cipher[4] : DES-CBC3-SHA %ASA-7-725008: SSL client outside:152.45.1.199/6329 proposes the following 6 cipher(s). %ASA-7-725011: Cipher[1] : AES256-SHA %ASA-7-725011: Cipher[2] : AES128-SHA %ASA-7-725011: Cipher[3] : DES-CBC3-SHA %ASA-7-725011: Cipher[4] : RC4-SHA %ASA-7-725011: Cipher[5] : RC4-MD5 %ASA-7-725011: Cipher[6] : DES-CBC-SHA
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:152.45.1.199/6329 %ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6329 %ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ' %ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'DefaultWEBVPNGroup' %ASA-6-737026: IPAA: Client assigned 10.1.1.2 from local pool %ASA-6-737006: IPAA: Local pool request succeeded for tunnel-group 'DefaultWEBVPNGroup' %ASA-5-722033: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> First TCP SVC connection established for SVC session. %ASA-6-722022: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> TCP SVC connection established without compression %ASA-4-722051: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> Address <10.1.1.2> assigned to session %ASA-6-734001: DAP: User acteacher, Addr 152.45.1.199, Connection AnyConnect: The following DAP records were selected for this connection: acteachers %ASA-6-302015: Built inbound UDP connection 47228 for outside:152.45.1.199/6336 (152.45.1.199/6336) to identity:152.46.31.231/443 (152.46.31.231/443) %ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6336 for DTLSv1 session. %ASA-7-710005: UDP request discarded from 10.1.1.2/5353 to outside:224.0.0.251/5353
%ASA-6-725003: SSL client outside:152.45.1.199/6336 request to resume previous session. %ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6336 %ASA-5-722033: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> First UDP SVC connection established for SVC session. %ASA-6-722022: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> UDP SVC connection established without compression %ASA-7-710005: UDP request discarded from 10.1.1.2/5353 to outside:224.0.0.251/5353 %ASA-6-110002: Failed to locate egress interface for UDP from outside:10.1.1.2/6333 to 239.255.255.250/1900 %ASA-7-710005: UDP request discarded from 10.1.1.2/5353 to outside:224.0.0.251/5353 %ASA-7-710005: UDP request discarded from 10.1.1.2/5353 to outside:224.0.0.251/5353 %ASA-6-302015: Built outbound UDP connection 47231 for outside:216.239.32.10/53 (216.239.32.10/53) to inside:192.168.57.2/65109 (CNE-AD/65109) %ASA-7-710005: UDP request discarded from 10.1.1.2/5353 to outside:224.0.0.251/5353 %ASA-6-305011: Built dynamic TCP translation from inside:192.168.57.3/57817 to outside:152.46.31.231/53245 %ASA-6-302013: Built outbound TCP connection 47232 for outside:173.194.37.39/80 (173.194.37.39/80) to inside:192.168.57.3/57817 (152.46.31.231/53245)
%ASA-6-302014: Teardown TCP connection 47226 for outside:152.45.1.199/6327 to identity:152.46.31.231/443 duration 0:00:04 bytes 3157 TCP Reset-O %ASA-6-725007: SSL session with client outside:152.45.1.199/6327 terminated. %ASA-6-302015: Built outbound UDP connection 47237 for outside:216.239.32.10/53 (216.239.32.10/53) to inside:192.168.57.2/65433 (CNE-AD/65433) %ASA-6-305011: Built dynamic TCP translation from inside:192.168.57.3/57818 to outside:152.46.31.231/3380 %ASA-6-302013: Built outbound TCP connection 47238 for outside:173.194.37.39/80 (173.194.37.39/80) to inside:192.168.57.3/57818 (152.46.31.231/3380) %ASA-7-609001: Built local-host outside:208.94.148.4 %ASA-6-302015: Built outbound UDP connection 47239 for outside:208.94.148.4/53 (208.94.148.4/53) to inside:192.168.57.2/64574 (CNE-AD/64574) %ASA-6-302015: Built outbound UDP connection 47240 for outside:216.52.207.85/53 (216.52.207.85/53) to inside:192.168.57.2/49842 (CNE-AD/49842) %ASA-6-305011: Built dynamic TCP translation from inside:192.168.57.3/57819 to outside:152.46.31.231/1481 %ASA-6-302013: Built outbound TCP connection 47241 for outside:209.51.184.30/443 (209.51.184.30/443) to inside:192.168.57.3/57819 (152.46.31.231/1481) %ASA-6-302015: Built outbound UDP connection 47242 for outside:208.94.148.4/53 (208.94.148.4/53) to inside:192.168.57.2/65106 (CNE-AD/65106) %ASA-7-609001: Built local-host outside:50.97.101.114
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.57.3/57820 to outside:152.46.31.231/37545 %ASA-6-302013: Built outbound TCP connection 47243 for outside:50.97.101.114/80 (50.97.101.114/80) to inside:192.168.57.3/57820 (152.46.31.231/37545) %ASA-7-710005: UDP request discarded from 10.1.1.2/5353 to outside:224.0.0.251/5353 %ASA-7-609001: Built local-host outside:207.19.96.22 %ASA-6-302015: Built outbound UDP connection 47244 for outside:207.19.96.22/53 (207.19.96.22/53) to inside:192.168.57.2/49560 (CNE-AD/49560) %ASA-7-609001: Built local-host outside:216.191.247.139 %ASA-6-305011: Built dynamic TCP translation from inside:192.168.57.3/57821 to outside:152.46.31.231/20321 %ASA-6-302013: Built outbound TCP connection 47245 for outside:216.191.247.139/80 (216.191.247.139/80) to inside:192.168.57.3/57821 (152.46.31.231/20321) %ASA-6-302015: Built outbound UDP connection 47247 for outside:216.52.207.85/53 (216.52.207.85/53) to inside:192.168.57.2/49743 (CNE-AD/49743) %ASA-6-305011: Built dynamic TCP translation from inside:192.168.57.3/57822 to outside:152.46.31.231/47639 %ASA-6-302013: Built outbound TCP connection 47249 for outside:216.52.207.85/443 (216.52.207.85/443) to inside:192.168.57.3/57822 (152.46.31.231/47639) %ASA-6-302014: Teardown TCP connection 47249 for outside:216.52.207.85/443 to inside:192.168.57.3/57822 duration 0:00:00 bytes 10758 TCP FINs
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.57.5/23704 to outside:152.46.31.231/52502 duration 0:00:30
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.57.5/23705 to outside:152.46.31.231/20620 duration 0:00:30
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.57.5/23706 to outside:152.46.31.231/7567 duration 0:00:30

show commands
Note: The access-list in the ‘show’ commands is code-generated and will not appear on ‘show run’.

ciscoasa# show vpn-sessiondb detail svc

Session Type: SVC Detailed

Username     : acteacher
Index        : 45
Assigned IP  : 10.1.1.2
Public IP    : 152.45.1.199
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : SSL VPN
Encryption   : RC4 AES128
Hashing      : SHA1
Bytes Tx     : 10528
Bytes Rx     : 12415
Pkts Tx      : 13
Pkts Rx      : 87
Pkts Tx Drop : 0
Pkts Rx Drop : 0
Group Policy : DfltGrpPolicy
Tunnel Group : DefaultWEBVPNGroup
Login Time   : 12:48:39 EST Fri Dec 28 2012
Duration     : 0h:00m:27s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A
VLAN         : none

Clientless Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

Clientless:
  Tunnel ID    : 45.1
  Public IP    : 152.45.1.199
  Encryption   : RC4
  Hashing      : SHA1
  Encapsulation: TLSv1.0
  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 29 Minutes
  Client Type  : Web Browser
  Client Ver   : AnyConnect Windows 3.1.00495
  Bytes Tx     : 9795
  Bytes Rx     : 3123

SSL-Tunnel:
  Tunnel ID    : 45.2
  Assigned IP  : 10.1.1.2
  Public IP    : 152.45.1.199
  Encryption   : RC4
  Hashing      : SHA1
  Encapsulation: TLSv1.0
  TCP Src Port : 6329
  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 29 Minutes
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 3.1.00495
  Bytes Tx     : 733
  Bytes Rx     : 182
  Pkts Tx      : 1
  Pkts Rx      : 2
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0
  Filter Name  : DAP-ip-user-B0ED7A01

DTLS-Tunnel:
  Tunnel ID    : 45.3
  Assigned IP  : 10.1.1.2
  Public IP    : 152.45.1.199
  Encryption   : AES128
  Hashing      : SHA1
  Encapsulation: DTLSv1.0
  UDP Src Port : 6336
  UDP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 30 Minutes
  Client Type  : DTLS VPN Client
  Client Ver   : AnyConnect Windows 3.1.00495
  Bytes Tx     : 0
  Bytes Rx     : 9419
  Pkts Tx      : 0
  Pkts Rx      : 83
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0
  Filter Name  : DAP-ip-user-B0ED7A01

NAC:
  Reval Int (T): 0 Seconds
  Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds
  EoU Age(T)   : 29 Seconds
  Hold Left (T): 0 Seconds
  Posture Token:
  Redirect URL :

ciscoasa# show access-list DAP-ip-user-B0ED7A01
access-list DAP-ip-user-B0ED7A01; 1 elements; name hash: 0x6cf89ded (dynamic)
access-list DAP-ip-user-B0ED7A01 line 1 extended permit ip any host 192.168.57.5 (hitcnt=0) 0x4bfa2720
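The debug and show output above contains everything needed to confirm that DAP did what the acteachers rule intends: the %ASA-6-734001 message names the selected record, %ASA-4-722051 the address handed to the client, %ASA-7-725012 the cipher the ASA picked (RC4-SHA in this capture), and, because the dynamic access-list never appears in ‘show run’, its contents can only be checked with ‘show access-list’ using the Filter Name reported by ‘show vpn-sessiondb detail svc’. The script below ties those four pieces of evidence together into one policy check. It is an added example, not part of the original document or of any Cisco tool; the sample text is constructed from the output above, and EXPECTED_DAP, EXPECTED_DST and ACCEPTABLE_CIPHERS are assumed policy values chosen for the example (the acteachers destination comes from the document's goal statement; the cipher allow-list is an assumption).

```python
import re
from typing import Dict, List

# --- Sample input, constructed from the debug and 'show' output above (not a live capture) ---
SAMPLE_SYSLOG = """\
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:152.45.1.199/6329
%ASA-4-722051: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> Address <10.1.1.2> assigned to session
%ASA-6-734001: DAP: User acteacher, Addr 152.45.1.199, Connection AnyConnect: The following DAP records were selected for this connection: acteachers
"""
SAMPLE_SESSION = """\
Username     : acteacher
Assigned IP  : 10.1.1.2
Group Policy : DfltGrpPolicy
Filter Name  : DAP-ip-user-B0ED7A01
"""
SAMPLE_ACL = """\
access-list DAP-ip-user-B0ED7A01; 1 elements; name hash: 0x6cf89ded (dynamic)
access-list DAP-ip-user-B0ED7A01 line 1 extended permit ip any host 192.168.57.5 (hitcnt=0) 0x4bfa2720
"""

# Assumed policy for this example: the DAP record each user must land in, and the
# destinations that record may permit (acteachers = application server only).
EXPECTED_DAP = {"acteacher": {"acteachers"}}
EXPECTED_DST = {"acteachers": {"host 192.168.57.5"}}
ACCEPTABLE_CIPHERS = {"AES128-SHA", "AES256-SHA"}  # assumed minimum; RC4 and 3DES are flagged

RE_DAP = re.compile(r"%ASA-\d-734001: DAP: User (?P<user>\S+), Addr (?P<addr>\S+), Connection \w+: "
                    r"The following DAP records were selected for this connection: (?P<recs>.*)$")
RE_CIPHER = re.compile(r"%ASA-\d-725012: Device chooses cipher : (?P<cipher>\S+) for the SSL session "
                       r"with client \w+:(?P<addr>[\d.]+)/\d+")
RE_ADDR = re.compile(r"%ASA-\d-722051: Group <(?P<gp>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<addr>[^>]+)> "
                     r"Address <(?P<assigned>[^>]+)> assigned to session")
RE_FILTER = re.compile(r"Filter Name\s*:\s*(\S+)")
RE_ACE = re.compile(r"^access-list (?P<name>\S+) line \d+ extended (?P<action>permit|deny) (?P<proto>\S+) "
                    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)")


def parse_syslog(text: str) -> Dict[str, dict]:
    """Correlate DAP selection, negotiated cipher and assigned address per peer address."""
    sessions: Dict[str, dict] = {}
    for line in text.splitlines():
        for rx in (RE_DAP, RE_CIPHER, RE_ADDR):
            m = rx.search(line)
            if not m:
                continue
            s = sessions.setdefault(m["addr"], {"user": None, "dap": set(), "cipher": None, "assigned": None})
            if rx is RE_DAP:
                s["user"] = m["user"]
                # the trace form carries a leading comma (",acteachers"); drop empty pieces
                s["dap"].update(r.strip() for r in m["recs"].split(",") if r.strip())
            elif rx is RE_CIPHER:
                s["cipher"] = m["cipher"]
            else:
                s["user"], s["assigned"] = m["user"], m["assigned"]
            break
    return sessions


def parse_aces(text: str) -> List[dict]:
    """Extract the ACEs from 'show access-list' output; the summary line does not match."""
    return [m.groupdict() for m in (RE_ACE.match(ln) for ln in text.splitlines()) if m]


def verify(syslog: str, session_show: str, acl_show: str) -> List[str]:
    """Return policy findings for the session; an empty list means everything matched."""
    findings: List[str] = []
    sessions = parse_syslog(syslog)
    if not sessions:
        return ["no AnyConnect session found in syslog"]
    for addr, s in sessions.items():
        tag = f"{s['user']}@{addr}"
        if s["cipher"] and s["cipher"] not in ACCEPTABLE_CIPHERS:
            findings.append(f"{tag}: weak TLS cipher {s['cipher']} negotiated")
        want = EXPECTED_DAP.get(s["user"])
        if want is not None and s["dap"] != want:
            findings.append(f"{tag}: DAP records {sorted(s['dap'])} != expected {sorted(want)}")
        # The dynamic ACL is not in 'show run': take its name from the session, its body from 'show access-list'.
        m = RE_FILTER.search(session_show)
        if not m:
            findings.append(f"{tag}: no Filter Name on the session (no DAP ACL applied)")
            continue
        aces = [a for a in parse_aces(acl_show) if a["name"] == m.group(1)]
        if not aces:
            findings.append(f"{tag}: ACL {m.group(1)} not found in 'show access-list'")
            continue
        allowed = {a["dst"] for a in aces if a["action"] == "permit"}
        for rec in s["dap"]:
            extra = allowed - EXPECTED_DST.get(rec, set())
            if extra:
                findings.append(f"{tag}: ACL permits destinations beyond policy for {rec}: {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for f in verify(SAMPLE_SYSLOG, SAMPLE_SESSION, SAMPLE_ACL) or ["OK: session matches policy"]:
        print(f)
```

Run against the captured session, the only finding is the RC4-SHA cipher, which matches the handshake lines above (the ASA offered RC4-SHA first and chose it); the DAP selection and the dynamic ACL both agree with the acteachers rule. Swapping the ACE for ‘permit ip any any’ or removing the Filter Name from the session output produces a finding for the ACL instead, which is the failure mode worth watching for after any DAP change.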