
Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)


Configuring a Cisco AnyConnect VPN using a self-signed certificate for a Cisco ASA and Integration with LDAP

12/28/2012

Chris Rose ([email protected])

Dianne Dunlap ([email protected])

This document covers basic configuration of Cisco AnyConnect on an ASA running 8.2(5)22 (the 'show run' at the end of the document reports ASA Version 8.2(5)22) and integration with LDAP (Microsoft Active Directory), using the command line and ASDM 6.4. The lab setup is shown below.

Figure 1 – Lab ASA AnyConnect

With three (or more) Microsoft AD security groups, the goal was to give users different access levels depending on their group:

• acadmins – full access to everything inside the network
• acteachers – remote access to the 192.168.57.5 application server only
• acstudents – no remote access at all; the same applies to any group other than acadmins and acteachers

The command line is shown, with ASDM screen captures where they clarify a step. Dynamic Access Policies (DAP) are configured through ASDM because the group-membership criteria are stored in the 'dap.xml' file in flash and do not appear in 'show run'.

Further information on DAP is in:

ASA 8.x Dynamic Access Policies (DAP) Deployment Guide

https://supportforums.cisco.com/docs/DOC-1369

Task 1. Create the self-signed certificate

ciscoasa(config)#crypto key generate rsa label sslvpnkeypair modulus 2048
INFO: The name for the keys will be: sslvpnkeypair
Keypair generation process begin. Please wait...
!--- Generate an RSA key pair for the certificate. The label should be unique,
!--- for example 'sslvpnkeypair'. On 8.2 the default modulus is 1024 bits;
!--- specify 'modulus 2048' so the key behind the certificate is not weak.
ciscoasa(config)#crypto ca trustpoint localtrust
!--- Create a trustpoint for the self-issued certificate.
ciscoasa(config-ca-trustpoint)#enrollment self
ciscoasa(config-ca-trustpoint)#fqdn vpn.someschool.edu
ciscoasa(config-ca-trustpoint)#subject-name CN=vpn.someschool.edu
!--- The fully qualified domain name is used for both the FQDN and the CN.
!--- Use any domain you wish, but the name must resolve on the public internet
!--- to the ASA outside interface address: AnyConnect compares it with the
!--- name the user connects to.
ciscoasa(config-ca-trustpoint)#keypair sslvpnkeypair
!--- Assign the RSA key pair to the trustpoint for certificate creation.
ciscoasa(config-ca-trustpoint)#crypto ca enroll localtrust noconfirm
% The fully-qualified domain name in the certificate will be: vpn.someschool.edu
ciscoasa(config)#ssl trust-point localtrust outside
!--- Use this trustpoint for SSL connections on the outside interface.
!--- Because the certificate is self-signed, AnyConnect warns on every
!--- connection unless the certificate is installed in the client's trust store.
!--- Record its fingerprint ('show crypto ca certificates localtrust') and
!--- distribute it to clients out of band rather than teaching users to click
!--- through the warning.

Task 2. Install the Cisco AnyConnect client packages

Managing AnyConnect client packages is much easier through the ASDM GUI, particularly updating or deleting old clients. 'show flash | inc anyconnect' lists the AnyConnect packages on the ASA. Load only packages downloaded from Cisco and compare the file's checksum with the one published on the download page: the ASA pushes this package to every connecting client, so a tampered package would be installed on all of them.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand Advanced.
3. Expand SSL VPN, and choose Client Settings.
4. In the SSL VPN Client Images area, click Add, and then click Upload.
5. Browse to the location where you downloaded the AnyConnect client.
6. Select the file, and click Upload File. Once the client uploads, you should receive a message that states the file was uploaded to flash successfully.
7. Click OK. A dialogue box will appear to confirm that you want to use the newly uploaded image as the current SSL VPN client image.
8. Click OK.
9. Click OK, and then click Apply.
10. Repeat the steps in this section for each operating-system-specific AnyConnect package that you want to use.

Task 3. Create an address pool for AnyConnect users

ciscoasa(config)#ip local pool acpool 10.1.1.2-10.1.1.254 mask 255.255.255.0
!--- Define the IP pool. Use a range of addresses not already in use on the
!--- internal network. Any internal routers also need a route for the pool
!--- subnet (10.1.1.0/24) with the inside interface of the firewall as the next
!--- hop and, in most cases, a metric of 1. (In this lab there is no internal
!--- router.)

Task 4. Enable AnyConnect access

ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#enable outside
ciscoasa(config-webvpn)#svc image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
ciscoasa(config-webvpn)#svc enable
!--- Enable WebVPN on the outside interface, register the uploaded client
!--- package, then enable AnyConnect so it can be downloaded to remote
!--- computers. The image must be configured before 'svc enable' is accepted.

Figure 2 - Enabling AnyConnect via ASDM

Figure 3 - Address pool definition in ASDM

Figure 4 - Address-pool and image via ASDM

Task 5. Create a new group policy

ciscoasa(config)#group-policy Anyconnect_GPol internal
ciscoasa(config)#group-policy Anyconnect_GPol attributes
ciscoasa(config-group-policy)#dns-server value 192.168.57.2
!--- Internal DNS server handed to VPN clients.
ciscoasa(config-group-policy)#vpn-tunnel-protocol svc
!--- Permit only the tunnel protocol actually in use (svc = AnyConnect).
!--- Listing IPSec, l2tp-ipsec and webvpn as well would also open IPsec and
!--- clientless access that this design never uses; the finished configuration
!--- at the end of the document shows 'vpn-tunnel-protocol svc'.

Figure 5 - Creating group policy through ASDM

ciscoasa(config-group-policy)#default-domain value someschool.local
!--- Default DNS domain for VPN users. In many cases this is the Active
!--- Directory domain, particularly if clients should behave as if they were on
!--- the local LAN.
ciscoasa(config-group-policy)#address-pool value acpool
!--- Assign the pool created in Task 3 to the Anyconnect_GPol group policy.

Task 6. Configure the access-list bypass for VPN traffic

ciscoasa(config)#sysopt connection permit-vpn
!--- Let decrypted VPN traffic bypass the interface access lists. This is the
!--- default, so it does not appear in 'show run'.
!--- Consequence: the outside interface ACL no longer applies to AnyConnect
!--- users, and the only access control left is the vpn-filter or DAP
!--- network-acl (Tasks 10 and 11). A DAP record without a network-acl, such as
!--- 'acadministrators' below, therefore grants full access to the inside network.

Task 7. Create a VPN connection profile and associated tunnel group

ciscoasa(config)#tunnel-group AC type remote-access
!--- Define the tunnel group (connection profile) for remote-access connections.
ciscoasa(config)#tunnel-group AC general-attributes
ciscoasa(config-tunnel-general)#address-pool acpool

Figure 6 - Creating tunnel-group through ASDM

ciscoasa(config-tunnel-general)#default-group-policy Anyconnect_GPol
!--- Associate the tunnel group with the group policy.

Figure 7 - Associating tunnel-group with group-policy through ASDM

Task 8. Configure the ASA to use the local Microsoft AD as the Web VPN authenticator

ciscoasa(config)#aaa-server ldap protocol ldap
!--- Create the AAA server group.
ciscoasa(config-aaa-server-group)#aaa-server ldap (inside) host 192.168.57.2
!--- Add the AD domain controller to the group, by interface and IP address.
ciscoasa(config-aaa-server-host)#ldap-base-dn DC=cne,DC=org
!--- Base DN at which the search for the user begins.
ciscoasa(config-aaa-server-host)#ldap-login-dn CNE\cneadmin
ciscoasa(config-aaa-server-host)#ldap-login-password **********
!--- Bind account used to log in to AD and search for the user. AD accepts
!--- either the DOMAIN\user form shown here (which is what the finished
!--- configuration holds) or the account's full DN, for example
!--- cn=cneadmin,cn=users,dc=cne,dc=org. A standard domain user with read
!--- access is sufficient; do not bind as a domain administrator. Set the
!--- account's password to never expire, or this configuration must be updated
!--- whenever it changes.
ciscoasa(config-aaa-server-host)#ldap-scope subtree
!--- Search the whole subtree beneath the base DN.
!--- As configured, the bind password and every user's password cross the
!--- inside network in cleartext on TCP/389. For production add
!--- 'ldap-over-ssl enable' and 'server-port 636' on this host (the domain
!--- controller must present a certificate).

Figure 8 - Defining ldap parameters in ASDM

ciscoasa(config)#tunnel-group AC general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group ldap
ciscoasa(config)#tunnel-group DefaultWEBVPNGroup general-attributes
ciscoasa(config-tunnel-general)#address-pool acpool
ciscoasa(config-tunnel-general)#authentication-server-group ldap
!--- Point the tunnel groups at the new AAA server group.
!--- DefaultWEBVPNGroup is configured as well because tunnel-group AC has no
!--- group-url or group-alias. Without one, AnyConnect connections land on
!--- DefaultWEBVPNGroup and therefore on DfltGrpPolicy rather than
!--- Anyconnect_GPol; the debug output at the end of this document shows exactly
!--- that ('AAA retrieved default group policy (DfltGrpPolicy)'). To steer
!--- connections into tunnel-group AC, give it a group-url under its
!--- webvpn-attributes or enable the profile drop-down with
!--- 'tunnel-group-list enable' under webvpn.

Figure 9 - Associating ldap parameters with tunnel-group

Now test the AAA setup from the command line. A test request is sent to the AAA server and the result appears on the console:

ciscoasa#test aaa-server authentication ldap host 192.168.57.2 username CNE\cneadmin password testuserpassword
INFO: Attempting Authentication test to IP address <192.168.57.2> (timeout: 12 seconds)
INFO: Authentication Successful

The command above tests with the bind account itself. Repeat it with an ordinary user (for example acteacher), since that exercises the sAMAccountName search that real logins depend on.

Task 9. Configure the ASA to permit hairpinning of internet traffic from AnyConnect clients back out to the internet (avoiding split tunneling) and allow AnyConnect clients to communicate with the inside network

ciscoasa(config)#same-security-traffic permit intra-interface
!--- Allow traffic to leave through the same interface it arrived on instead of
!--- being dropped.

Figure 10 - Configuring intra-interface access in ASDM

ciscoasa(config)#name 10.1.1.0 acpoolexempt description exempt Anyconnect traffic from nat
ciscoasa(config)#nat (outside) 1 10.1.1.0 255.255.255.0
!--- Internet-bound traffic from the VPN pool arrives on the outside interface
!--- (it is hairpinned), so it needs a NAT rule on that interface. Global pool 1
!--- is the outside interface PAT; use a separate global if VPN users should be
!--- tracked under their own address.

Figure 11 - Allowing pool traffic out in ASDM

ciscoasa(config)#access-list inside_nat0_outbound extended permit ip 192.168.57.0 255.255.255.0 acpoolexempt 255.255.255.0
!--- Exempt traffic between the internal network and the VPN pool from NAT.

Figure 12 - Exempting internal traffic to vpn pool from NAT

Task 10. Create an access-list to prevent teachers from accessing devices other than the application server

ciscoasa(config)#access-list limitteacher extended permit ip any host 192.168.57.5
!--- Applied to a VPN session (Task 11), this ACL ends with the implicit deny,
!--- so everything except traffic to 192.168.57.5 is dropped. That includes DNS
!--- queries to 192.168.57.2, which the group policy hands out as the DNS
!--- server, and, because there is no split tunnel, all of a teacher's internet
!--- traffic. Add explicit permit lines (for example
!--- 'permit udp any host 192.168.57.2 eq domain') if name resolution over the
!--- tunnel is required.
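As an added example (not part of the MCNC document), the following Python models how the ASA applies an extended ACL such as limitteacher to flows from the AnyConnect pool: the first matching entry decides, and anything unmatched hits the implicit deny. The probe flows, the pool address 10.1.1.10, the second ACL variant that also permits DNS, and the small port-name table are all constructed for illustration.

```python
"""Evaluate an ASA extended ACL, such as the page's 'limitteacher' filter,
against flows from the AnyConnect pool (added example, not from the document)."""
import ipaddress

# The ACL from Task 10 exactly as configured on the page.
LIMITTEACHER = [
    "access-list limitteacher extended permit ip any host 192.168.57.5",
]

# Constructed variant: same ACL plus DNS to the server the group policy hands out.
LIMITTEACHER_WITH_DNS = LIMITTEACHER + [
    "access-list limitteacher extended permit udp any host 192.168.57.2 eq domain",
]

# Minimal port-name table (constructed); the ASA accepts many more names.
PORT_NAMES = {"domain": 53, "www": 80, "https": 443, "ssh": 22, "ldap": 389, "ldaps": 636}


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'NET MASK' at tokens[i]; return (network, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes a dotted mask after the network, which ip_network accepts.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' qualifier; return (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(lines):
    """Turn 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]' lines
    into tuples (action, proto, src_net, src_port, dst_net, dst_port)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            raise ValueError("unsupported ACE: " + line)
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, _ = _parse_port(t, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate(acl, proto, src_ip, dst_ip, dst_port=None, src_port=None):
    """First matching ACE decides; anything unmatched falls to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, sport, dst, dport in acl:
        if p != "ip" and p != proto:
            continue
        if s not in src or d not in dst:
            continue
        if sport is not None and sport != src_port:
            continue
        if dport is not None and dport != dst_port:
            continue
        return action
    return "deny"


def probe(acl_lines):
    """Run constructed flows from pool address 10.1.1.10 through an ACL."""
    acl = parse_acl(acl_lines)
    flows = {
        "app server https": ("tcp", "10.1.1.10", "192.168.57.5", 443),
        "dns to AD": ("udp", "10.1.1.10", "192.168.57.2", 53),
        "smb to AD": ("tcp", "10.1.1.10", "192.168.57.2", 445),
        "internet https": ("tcp", "10.1.1.10", "8.8.8.8", 443),
    }
    return {name: evaluate(acl, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    print(probe(LIMITTEACHER))
    print(probe(LIMITTEACHER_WITH_DNS))
```

With the page's ACL only the application-server flow is permitted; DNS to the domain controller and hairpinned internet traffic are both denied, which is what the teacher group experiences. The DNS-permitting variant keeps SMB to the domain controller denied while letting name resolution through.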

Figure 13 - Creating access-list to limit 'acteacher' traffic

Task 11. Configure 3 DAP entries to assign access to VPN users based on group permissions

The DAP records themselves can be created from the command line, but the AD group-membership criteria are stored in the 'dap.xml' file in flash and are set through ASDM, as the screenshots that follow show.

ciscoasa(config)#dynamic-access-policy-record acadministrators
ciscoasa(config-dynamic-access-policy-record)#description "Administrative network access with Anyconnect"
ciscoasa(config-dynamic-access-policy-record)#webvpn
ciscoasa(config-dynamic-access-policy-record)#svc ask none default svc
ciscoasa(config)#dynamic-access-policy-record acteachers
ciscoasa(config-dynamic-access-policy-record)#description "Group for AD users in 'acteachers' group"
ciscoasa(config-dynamic-access-policy-record)#network-acl limitteacher
ciscoasa(config-dynamic-access-policy-record)#webvpn
ciscoasa(config-dynamic-access-policy-record)#svc ask none default svc
ciscoasa(config)#dynamic-access-policy-record DfltAccessPolicy
ciscoasa(config-dynamic-access-policy-record)#action terminate
!--- Create the three DAP records, refresh the configuration in ASDM, and then
!--- associate AD group membership with each record as shown below.

DAP 'acadministrators' includes members of AD group 'acadmins'; 'Action' is 'Continue' and 'Access Method' is 'AnyConnect Client'.

Figure 14 - Configuring 'acadministrators' group membership through ASDM

DAP ‘acteachers’ includes members of AD ‘acteachers’ group; ‘Action’ is ‘Continue’ and ‘Access Method’ is ‘AnyConnect Client’. ‘Network ACL Filters (Client)’ also specifies an access-list.


Figure 15 - Configuring 'acteachers' group membership through ASDM


Figure 16 - Configuring 'acteachers' access-list through ASDM

DAP 'DfltAccessPolicy' is set to terminate any session that matches no other record. Users in AD group 'acstudents', and in every group other than 'acadmins' and 'acteachers', fall through to this policy and are disconnected after authenticating.

Figure 17 - Configuring default DAP policy to terminate users not in other policies

ASA Finished Configuration

ASA Version 8.2(5)22
!
hostname ciscoasa
domain-name mcnc.org
enable password 1KYq7.p8MaFbxoh/ encrypted
passwd 1KYq7.p8MaFbxoh/ encrypted
names
name 152.46.31.232 CNE-AD
name 10.1.1.0 acpoolexempt description exempt Anyconnect traffic from nat
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 speed 100
 duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 speed 100
 duplex full
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.57.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 152.46.31.231 255.255.255.224
!
interface Vlan12
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 10.0.0.254 255.0.0.0
!
boot system disk0:/asa825-22-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.57.2
 name-server 202.12.27.33
 domain-name mcnc.org
same-security-traffic permit intra-interface
object-group service http
object-group service https
object-group network test
object-group service LDAP
 service-object tcp source eq ldap
object-group service proxyport
object-group network obj-192.168.88.0
object-group service Filtered-Services-TCP
object-group service CES-standard-tcp tcp
 port-object eq www
 port-object eq https
object-group service CES-standard-udp udp
 port-object eq domain
object-group network obj_any
 network-object 192.168.57.0 255.255.255.0
object-group network zscalerone-ca
 network-object host 199.168.148.18
 network-object host 199.168.148.21
 network-object host 199.168.149.18
 network-object host 199.168.149.21
 network-object host 199.168.150.18
 network-object host 199.168.150.21
 network-object host 199.168.151.18
 network-object host 199.168.151.21
 network-object host 208.100.40.52
 network-object host 216.52.207.84
 network-object host 216.52.207.85
object-group service Zscaler tcp
 port-object eq 3268
 port-object eq 3269
 port-object eq ldap
 port-object eq ldaps
access-list test443 extended permit ip host 192.168.57.150 any
access-list test443 extended permit ip any host 192.168.57.150
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit udp host 192.168.57.2 any eq domain
access-list inside_access_in extended permit tcp host 192.168.57.2 any eq domain
access-list inside_access_in extended permit tcp any any eq 9443
access-list inside_access_in remark allow passive ftp
access-list inside_access_in extended permit tcp any any eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any eq ntp
access-list inside_access_in extended permit tcp any any eq 123
access-list inside_access_in extended permit ip host 192.168.57.150 any
access-list inside_access_in extended permit tcp any any eq 5222
access-list inside_nat0_outbound extended permit ip any 192.168.57.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.57.0 255.255.255.0 acpoolexempt 255.255.255.0
access-list outside_access_in extended permit tcp object-group zscalerone-ca host CNE-AD object-group Zscaler
access-list limitteacher extended permit ip any host 192.168.57.5
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool acpool 10.1.1.2-10.1.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-647.bin
asdm location acpoolexempt 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 acpoolexempt 255.255.255.0
static (inside,outside) CNE-AD 192.168.57.2 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 152.46.31.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record acadministrators
 description "Administrative network access with Anyconnect"
 webvpn
  svc ask none default svc
dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record acteachers
 description "Group for AD users in 'adteachers' group"
 network-acl limitteacher
 webvpn
  svc ask none default svc
aaa-server ldap protocol ldap
aaa-server ldap (inside) host 192.168.57.2
 ldap-base-dn DC=cne,DC=org
 ldap-scope subtree
 ldap-login-password <hidden>
 ldap-login-dn CNE\cneadmin
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.57.0 255.255.255.0 inside
http 128.109.139.0 255.255.255.0 outside
http 128.109.64.0 255.255.255.0 outside
http 152.45.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 1800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
    30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
    496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
    74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
    68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
    3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
    63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
    0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
    a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
    9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
    7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
    15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
    63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
    18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
    4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
    81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
    db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
    7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
    ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
    45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
    2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
    1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
    03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
    69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
    02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
    6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
    c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
    69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
    1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
    551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
    1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
    2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
    4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
    b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
    6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
    481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
    b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
    5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
    6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
    6c2527b9 deb78458 c61f381e a4c4cb66
  quit
telnet timeout 5
ssh 192.168.57.0 255.255.255.0 inside
ssh 128.109.139.0 255.255.255.0 outside
ssh 128.109.64.0 255.255.255.0 outside
ssh 152.45.1.0 255.255.255.0 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd dns 192.168.57.2
!
dhcpd address 192.168.57.150-192.168.57.155 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
 svc image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.57.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value mcnc.org
group-policy Anyconnect_GPol internal
group-policy Anyconnect_GPol attributes
 wins-server none
 dns-server value 192.168.57.2
 vpn-tunnel-protocol svc
 default-domain value mcnc.org
username vpnuser password NwqI8up4b2z2zDt4 encrypted
username gonz password rS3qXR1Hm/6cpmWL encrypted privilege 15
username cneuser password tj0YNrKKxe13CaFX encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool acpool
 authentication-server-group ldap
tunnel-group AC type remote-access
tunnel-group AC general-attributes
 address-pool acpool
 authentication-server-group ldap
 default-group-policy Anyconnect_GPol
!
!
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4ffa839966b51b215c562eb27bb5fd9c
: end

dap.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dapRecordList>
  <dapRecord>
    <dapName>
      <value>acadministrators</value>
    </dapName>
    <dapViewsRelation>
      <value>and</value>
    </dapViewsRelation>
    <dapBasicView>
      <dapSelection>
        <dapPolicy>
          <value>match-any</value>
        </dapPolicy>
        <attr>
          <name>aaa.ldap.memberOf</name>
          <value>acadmins</value>
          <operation>EQ</operation>
          <type>caseless</type>
        </attr>
      </dapSelection>
    </dapBasicView>
  </dapRecord>
  <dapRecord>
    <dapName>
      <value>acteachers</value>
    </dapName>
    <dapViewsRelation>
      <value>and</value>
    </dapViewsRelation>
    <dapBasicView>
      <dapSelection>
        <dapPolicy>
          <value>match-any</value>
        </dapPolicy>
        <attr>
          <name>aaa.ldap.memberOf</name>
          <value>acteachers</value>
          <operation>EQ</operation>
          <type>caseless</type>
        </attr>
      </dapSelection>
    </dapBasicView>
  </dapRecord>
</dapRecordList>
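To make the matching rules concrete, here is an added Python model (not code from the MCNC document) of how the ASA selects DAP records for a session from the dap.xml above and combines them with the actions the running configuration attaches to each record. The DAP_ACTIONS table restates the dynamic-access-policy-record entries from Task 11; the session dictionaries are constructed, and treating a memberOf value that arrives as a full DN by its CN is an assumption made for robustness, since the page's criteria use the bare group name.

```python
"""Model of ASA DAP record selection for the dap.xml shown on the page
(added example, not from the document)."""
import xml.etree.ElementTree as ET

# dap.xml as shown on the page (selection criteria only).
DAP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dapRecordList>
  <dapRecord>
    <dapName><value>acadministrators</value></dapName>
    <dapViewsRelation><value>and</value></dapViewsRelation>
    <dapBasicView><dapSelection>
      <dapPolicy><value>match-any</value></dapPolicy>
      <attr><name>aaa.ldap.memberOf</name><value>acadmins</value>
            <operation>EQ</operation><type>caseless</type></attr>
    </dapSelection></dapBasicView>
  </dapRecord>
  <dapRecord>
    <dapName><value>acteachers</value></dapName>
    <dapViewsRelation><value>and</value></dapViewsRelation>
    <dapBasicView><dapSelection>
      <dapPolicy><value>match-any</value></dapPolicy>
      <attr><name>aaa.ldap.memberOf</name><value>acteachers</value>
            <operation>EQ</operation><type>caseless</type></attr>
    </dapSelection></dapBasicView>
  </dapRecord>
</dapRecordList>"""

# Per-record actions from the page's dynamic-access-policy-record entries
# (Task 11); dap.xml itself stores only the selection criteria.
DAP_ACTIONS = {
    "acadministrators": {"action": "continue", "network_acl": None},
    "acteachers": {"action": "continue", "network_acl": "limitteacher"},
    "DfltAccessPolicy": {"action": "terminate", "network_acl": None},
}


def parse_dap_records(xml_text):
    """Return [(name, [(policy, [(attr_name, value, operation, type), ...]), ...]), ...]."""
    records = []
    for rec in ET.fromstring(xml_text).findall("dapRecord"):
        selections = []
        for sel in rec.findall("dapBasicView/dapSelection"):
            attrs = [(a.findtext("name"), a.findtext("value"),
                      a.findtext("operation"), a.findtext("type"))
                     for a in sel.findall("attr")]
            selections.append((sel.findtext("dapPolicy/value"), attrs))
        records.append((rec.findtext("dapName/value"), selections))
    return records


def _group_name(value):
    """Assumption: a memberOf value given as a DN is compared by its CN."""
    if value.upper().startswith("CN="):
        return value.split(",", 1)[0][3:]
    return value


def _attr_matches(session, name, value, operation, ctype):
    """Multi-valued attributes (memberOf) match if any value satisfies the test."""
    observed = session.get(name, [])
    if isinstance(observed, str):
        observed = [observed]

    def eq(a, b):
        a, b = _group_name(a), _group_name(b)
        return a.lower() == b.lower() if ctype == "caseless" else a == b

    hit = any(eq(o, value) for o in observed)
    if operation == "EQ":
        return hit
    if operation == "NE":
        return not hit
    raise ValueError("unsupported DAP operation: %r" % operation)


def _selection_matches(session, policy, attrs):
    results = [_attr_matches(session, *a) for a in attrs]
    return any(results) if policy == "match-any" else all(results)


def select_dap(session, records=None, actions=DAP_ACTIONS):
    """Every record whose criteria match is applied and their network ACLs are
    aggregated; if none match, DfltAccessPolicy applies (here: terminate)."""
    records = parse_dap_records(DAP_XML) if records is None else records
    matched = [name for name, sels in records
               if sels and all(_selection_matches(session, p, a) for p, a in sels)]
    if not matched:
        return {"records": ["DfltAccessPolicy"],
                "action": actions["DfltAccessPolicy"]["action"], "network_acls": []}
    action = "terminate" if any(actions[m]["action"] == "terminate" for m in matched) else "continue"
    acls = [actions[m]["network_acl"] for m in matched if actions[m]["network_acl"]]
    return {"records": matched, "action": action, "network_acls": acls}


if __name__ == "__main__":
    # Constructed sessions; the attribute name follows the page's debug output,
    # where the ASA exposes AD group membership as aaa.ldap.memberOf.
    for user, groups in [("acteacher", ["acteachers"]), ("acadmin", ["acadmins"]),
                         ("acstudent", ["acstudents"]),
                         ("both", ["CN=acadmins,CN=Users,DC=cne,DC=org",
                                   "CN=acteachers,CN=Users,DC=cne,DC=org"])]:
        print(user, select_dap({"aaa.ldap.memberOf": groups}))
```

The last constructed session shows a consequence of aggregation worth checking in any real deployment: a user who is in both acadmins and acteachers matches both records, and the limitteacher ACL from the teacher record is applied to the session, so that user ends up with teacher-level access rather than administrator access.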

Debugs

Debugs were run for a connection by user 'acteacher' (a member of AD group 'acteachers') to show the group mapping and access-list application. Two things in the trace deserve attention. First, the ASA offers only RC4-SHA, AES128-SHA, AES256-SHA and DES-CBC3-SHA and settles on RC4-SHA; restrict the offered suites with 'ssl encryption aes256-sha1 aes128-sha1' in global configuration. Second, 'AAA retrieved default group policy (DfltGrpPolicy)' shows the session was handled by DefaultWEBVPNGroup rather than tunnel-group AC, because AC has no group-url or group-alias (see Task 8). Note also that 'debug ldap 255' prints the bind details; do not leave it enabled on a production box. The capture below ends at the 'sn' attribute.

ciscoasa# sho debug
debug dap errors enabled at level 1
debug dap trace enabled at level 1
debug ldap enabled at level 255
ciscoasa# term mon
%ASA-6-302013: Built inbound TCP connection 47217 for outside:152.45.1.199/6316 (152.45.1.199/6316) to identity:152.46.31.231/443 (152.46.31.231/443)
%ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6316 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:152.45.1.199/6316 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-MD5
%ASA-7-725011: Cipher[2] : RC4-SHA
%ASA-7-725011: Cipher[3] : DES-CBC3-SHA
%ASA-7-725011: Cipher[4] : DES-CBC-SHA
%ASA-7-725011: Cipher[5] : EXP-RC4-MD5
%ASA-7-725011: Cipher[6] : EXP-RC2-CBC-MD5
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : EDH-DSS-DES-CBC-SHA
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:152.45.1.199/6316
%ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6316
%ASA-6-302013: Built inbound TCP connection 47218 for outside:152.45.1.199/6317 (152.45.1.199/6317) to identity:152.46.31.231/443 (152.46.31.231/443)
%ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6317 for TLSv1 session.
%ASA-6-725003: SSL client outside:152.45.1.199/6317 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6317
%ASA-6-302013: Built inbound TCP connection 47219 for outside:152.45.1.199/6318 (152.45.1.199/6318) to identity:152.46.31.231/443 (152.46.31.231/443)
%ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6318 for TLSv1 session.
%ASA-6-725003: SSL client outside:152.45.1.199/6318 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6318
%ASA-6-302014: Teardown TCP connection 47217 for outside:152.45.1.199/6316 to identity:152.46.31.231/443 duration 0:00:00 bytes 577 TCP Reset-I
%ASA-6-725007: SSL session with client outside:152.45.1.199/6316 terminated.
%ASA-6-725007: SSL session with client outside:152.45.1.199/6317 terminated.
%ASA-6-302014: Teardown TCP connection 47218 for outside:152.45.1.199/6317 to identity:152.46.31.231/443 duration 0:00:00 bytes 427 TCP Reset-I
%ASA-6-725007: SSL session with client outside:152.45.1.199/6318 terminated.
%ASA-6-302014: Teardown TCP connection 47219 for outside:152.45.1.199/6318 to identity:152.46.31.231/443 duration 0:00:00 bytes 1011 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 47220 for outside:152.45.1.199/6321 (152.45.1.199/6321) to identity:152.46.31.231/443 (152.46.31.231/443)
%ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6321 for TLSv1 session.
%ASA-6-725003: SSL client outside:152.45.1.199/6321 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6321
%ASA-6-302013: Built outbound TCP connection 47221 for inside:192.168.57.2/389 (192.168.57.2/389) to identity:192.168.57.1/28851 (192.168.57.1/28851)
[90] Session Start
[90] New request Session, context 0xc96f19c0, reqType = Authentication
[90] Fiber started
[90] Creating LDAP context with uri=ldap://192.168.57.2:389
[90] Connect to LDAP server: ldap://192.168.57.2:389, status = Successful
[90] supportedLDAPVersion: value = 3
[90] supportedLDAPVersion: value = 2
[90] Binding as CNE\cneadmin
[90] Performing Simple authentication for CNE\cneadmin to 192.168.57.2
[90] LDAP Search:
        Base DN = [DC=cne,DC=org]
        Filter  = [sAMAccountName=acteacher]
        Scope   = [SUBTREE]
[90] User DN = [CN=A C. Teacher,CN=Users,DC=cne,DC=org]
[90] Talking to Active Directory server 192.168.57.2
%ASA-6-113004: AAA user authentication Successful : server = 192.168.57.2 : user = acteacher
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = acteacher
%ASA-6-113008: AAA transaction status ACCEPT : user = acteacher
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectClass.1 = top
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectClass.2 = person
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectClass.3 = organizationalPerson
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectClass.4 = user
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.cn = A C. Teacher
%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.sn = Teacher

Page 29: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.givenName = A %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.initials = C %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.distinguishedName = CN=A C. Teacher,CN=Users,DC=cne,DC=org %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.instanceType = 4 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.whenCreated = 20121221140355.0Z %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.whenChanged = 20121221191115.0Z %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.displayName = A C. Teacher %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.uSNCreated = 182255 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.memberOf = acteachers %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.uSNChanged = 182399 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.name = A C. Teacher %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectGUID = .:I$i.,C..q....8 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.userAccountControl = 66048

Page 30: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.badPwdCount = 0 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.codePage = 0 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.countryCode = 0 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.badPasswordTime = 0 [90] Reading password policy for acteacher, dn:CN=A C. Teacher,CN=Users,DC=cne,DC=org %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.lastLogoff = 0 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.lastLogon = 0 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.pwdLastSet = 130005722355000000 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.primaryGroupID = 513 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.userParameters = m: d. %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectSid = .. [90] Read bad password count 0 [90] Binding as acteacher [90] Performing Simple authentication for acteacher to 192.168.57.2 [90] Processing LDAP response for user acteacher [90] Message (acteacher): [90] Authentication successful for acteacher to 192.168.57.2 [90] Retrieved User Attributes: [90] objectClass: value = top [90] objectClass: value = person [90] objectClass: value = organizationalPerson

Page 31: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

[90] objectClass: value = user [90] cn: value = A C. Teacher [90] sn: value = Teacher [90] givenName: value = A [90] initials: value = C [90] distinguishedName: value = CN=A C. Teacher,CN=Users,DC=cne,DC=org [90] instanceType: value = 4 [90] whenCreated: value = 20121221140355.0Z [90] whenChanged: value = 20121221191115.0Z [90] displayName: value = A C. Teacher [90] uSNCreated: value = 182255 [90] memberOf: value = CN=acteachers,CN=Users,DC=cne,DC=org [90] uSNChanged: value = 182399 [90] name: value = A C. Teacher [90] objectGUID: value = .:I$i.,C..q....8 [90] userAccountControl: value = 66048 [90] badPwdCount: value = 0 [90] codePage: value = 0 [90] countryCode: value = 0 [90] badPasswordTime: value = 0 [90] lastLogoff: value = 0 [90] lastLogon: value = 0 [90] pwdLastSet: value = 130005722355000000 [90] primaryGroupID: value = 513 [90] userParameters: value = m: d. [90] objectSid: value = .............MeX.].)........ [90] accountExpires: value = 9223372036854775807 [90] logonCount: value = 0 [90] sAMAccountName: value = acteacher [90] sAMAccountType: value = 805306368 [90] userPrincipalName: value = [email protected] [90] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=cne,DC=org [90] msNPAllowDialin: value = TRUE [90] dSCorePropagationData: value = 16010101000000.0Z [90] lastLogonTimestamp: value = 130005906758281250 [90] Fiber exit Tx=497 bytes Rx=2621 bytes, status=1 [90] Session End DAP_TRACE: DAP_open: CA56A208 DAP_TRACE: Username: acteacher, aaa.ldap.objectClass.1 = top DAP_TRACE: Username: acteacher, aaa.ldap.objectClass.2 = person DAP_TRACE: Username: acteacher, aaa.ldap.objectClass.3 = organizationalPerson DAP_TRACE: Username: acteacher, aaa.ldap.objectClass.4 = user DAP_TRACE: Username: acteacher, aaa.ldap.cn = A C. 
Teacher DAP_TRACE: Username: acteacher, aaa.ldap.sn = Teacher DAP_TRACE: Username: acteacher, aaa.ldap.givenName = A DAP_TRACE: Username: acteacher, aaa.ldap.initials = C DAP_TRACE: Username: acteacher, aaa.ldap.distinguishedName = CN=A C. Teacher,CN=Users,DC=cne,DC=org DAP_TRACE: Username: acteacher, aaa.ldap.instanceType = 4

Page 32: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

DAP_TRACE: Username: acteacher, aaa.ldap.whenCreated = 20121221140355.0Z DAP_TRACE: Username: acteacher, aaa.ldap.whenChanged = 20121221191115.0Z DAP_TRACE: Username: acteacher, aaa.ldap.displayName = A C. Teacher DAP_TRACE: Username: acteacher, aaa.ldap.uSNCreated = 182255 DAP_TRACE: Username: acteacher, aaa.ldap.memberOf = acteachers DAP_TRACE: Username: acteacher, aaa.ldap.uSNChanged = 182399 DAP_TRACE: Username: acteacher, aaa.ldap.name = A C. Teacher DAP_TRACE: Username: acteacher, aaa.ldap.objectGUID = .:I$i.,C..q....8 DAP_TRACE: Username: acteacher, aaa.ldap.userAccountControl = 66048 DAP_TRACE: Username: acteacher, aaa.ldap.badPwdCount = 0 DAP_TRACE: Username: acteacher, aaa.ldap.codePage = 0 DAP_TRACE: Username: acteacher, aaa.ldap.countryCode = 0 DAP_TRACE: Username: acteacher, aaa.ldap.badPasswordTime = 0 DAP_TRACE: Username: acteacher, aaa.ldap.lastLogoff = 0 DAP_TRACE: Username: acteacher, aaa.ldap.lastLogon = 0 DAP_TRACE: Username: acteacher, aaa.ldap.pwdLastSet = 130005722355000000 DAP_TRACE: Username: acteacher, aaa.ldap.primaryGroupID = 513 DAP_TRACE: Username: acteacher, aaa.ldap.userParameters = m: d. DAP_TRACE: Username: acteacher, aaa.ldap.objectSid = .. 
DAP_TRACE: Username: acteacher, aaa.ldap.accountExpires = 9223372036854775807 DAP_TRACE: Username: acteacher, aaa.ldap.logonCount = 0 DAP_TRACE: Username: acteacher, aaa.ldap.sAMAccountName = acteacher DAP_TRACE: Username: acteacher, aaa.ldap.sAMAccountType = 805306368 DAP_TRACE: Username: acteacher, aaa.ldap.userPrincipalName = [email protected] DAP_TRACE: Username: acteacher, aaa.ldap.objectCategory = CN=Person,CN=Schema,CN=Configuration,DC=cne,DC=org DAP_TRACE: Username: acteacher, aaa.ldap.msNPAllowDialin = TRUE DAP_TRACE: Username: acteacher, aaa.ldap.dSCorePropagationData = 16010101000000.0Z DAP_TRACE: Username: acteacher, aaa.ldap.lastLogonTimestamp = 130005906758281250 DAP_TRACE: Username: acteacher, aaa.cisco.grouppolicy = DfltGrpPolicy DAP_TRACE: Username: acteacher, aaa.cisco.username = acteacher DAP_TRACE: Username: acteacher, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectClass"]["1"]="top" DAP_TRACE: name = aaa["ldap"]["objectClass"]["1"], value = "top" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectClass"]["2"]="person" DAP_TRACE: name = aaa["ldap"]["objectClass"]["2"], value = "person" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectClass"]["3"]="organizationalPerson" DAP_TRACE: name = aaa["ldap"]["objectClass"]["3"], value = "organizationalPerson" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectClass"]["4"]="user"

Page 33: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

DAP_TRACE: name = aaa["ldap"]["objectClass"]["4"], value = "user" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["cn"]="A C. Teacher" DAP_TRACE: name = aaa["ldap"]["cn"], value = "A C. Teacher" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["sn"]="Teacher" DAP_TRACE: name = aaa["ldap"]["sn"], value = "Teacher" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["givenName"]="A" DAP_TRACE: name = aaa["ldap"]["givenName"], value = "A" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["initials"]="C" DAP_TRACE: name = aaa["ldap"]["initials"], value = "C" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=A C. Teacher,CN=Users,DC=cne,DC=org" DAP_TRACE: name = aaa["ldap"]["distinguishedName"], value = "CN=A C. Teacher,CN=Users,DC=cne,DC=org" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["instanceType"]="4" DAP_TRACE: name = aaa["ldap"]["instanceType"], value = "4" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["whenCreated"]="20121221140355.0Z" DAP_TRACE: name = aaa["ldap"]["whenCreated"], value = "20121221140355.0Z" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["whenChanged"]="20121221191115.0Z" DAP_TRACE: name = aaa["ldap"]["whenChanged"], value = "20121221191115.0Z" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["displayName"]="A C. Teacher" DAP_TRACE: name = aaa["ldap"]["displayName"], value = "A C. Teacher" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["uSNCreated"]="182255" DAP_TRACE: name = aaa["ldap"]["uSNCreated"], value = "182255" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]="acteachers" DAP_TRACE: name = aaa["ldap"]["memberOf"], value = "acteachers" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["uSNChanged"]="182399" DAP_TRACE: name = aaa["ldap"]["uSNChanged"], value = "182399" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["name"]="A C. Teacher" DAP_TRACE: name = aaa["ldap"]["name"], value = "A C. 
Teacher" DAP_TRACE: dap_add_to_lua_tree:aaa.ldap.objectGUID contains binary data DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["userAccountControl"]="66048" DAP_TRACE: name = aaa["ldap"]["userAccountControl"], value = "66048" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["badPwdCount"]="0" DAP_TRACE: name = aaa["ldap"]["badPwdCount"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["codePage"]="0" DAP_TRACE: name = aaa["ldap"]["codePage"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["countryCode"]="0" DAP_TRACE: name = aaa["ldap"]["countryCode"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["badPasswordTime"]="0" DAP_TRACE: name = aaa["ldap"]["badPasswordTime"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["lastLogoff"]="0" DAP_TRACE: name = aaa["ldap"]["lastLogoff"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["lastLogon"]="0" DAP_TRACE: name = aaa["ldap"]["lastLogon"], value = "0"

Page 34: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["pwdLastSet"]="130005722355000000" DAP_TRACE: name = aaa["ldap"]["pwdLastSet"], value = "130005722355000000" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["primaryGroupID"]="513" DAP_TRACE: name = aaa["ldap"]["primaryGroupID"], value = "513" DAP_TRACE: dap_add_to_lua_tree:aaa.ldap.userParameters contains binary data DAP_TRACE: dap_add_to_lua_tree:aaa.ldap.objectSid contains binary data DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["accountExpires"]="9223372036854775807" DAP_TRACE: name = aaa["ldap"]["accountExpires"], value = "9223372036854775807" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["logonCount"]="0" DAP_TRACE: name = aaa["ldap"]["logonCount"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["sAMAccountName"]="acteacher" DAP_TRACE: name = aaa["ldap"]["sAMAccountName"], value = "acteacher" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["sAMAccountType"]="805306368" DAP_TRACE: name = aaa["ldap"]["sAMAccountType"], value = "805306368" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["userPrincipalName"]="[email protected]" DAP_TRACE: name = aaa["ldap"]["userPrincipalName"], value = "[email protected]" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectCategory"]="CN=Person,CN=Schema,CN=Configuration,DC=cne,DC=org" DAP_TRACE: name = aaa["ldap"]["objectCategory"], value = "CN=Person,CN=Schema,CN=Configuration,DC=cne,DC=org" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["msNPAllowDialin"]="TRUE" DAP_TRACE: name = aaa["ldap"]["msNPAllowDialin"], value = "TRUE" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["dSCorePropagationData"]="16010101000000.0Z" DAP_TRACE: name = aaa["ldap"]["dSCorePropagationData"], value = "16010101000000.0Z" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["lastLogonTimestamp"]="130005906758281250" DAP_TRACE: name = aaa["ldap"]["lastLogonTimestamp"], value = "130005906758281250" DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="DfltGrpPolicy" %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session 
Attribute aaa.ldap.accountExpires = 9223372036854775807

Page 35: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.logonCount = 0 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.sAMAccountName = acteacher DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "DfltGrpPolicy" DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="acteacher" DAP_TRACE: name = aaa["cisco"]["username"], value = "acteacher" DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup" DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "DefaultWEBVPNGroup" DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect" DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect" DAP_TRACE: Username: acteacher, Selected DAPs: ,acteachers DAP_TRACE: dap_process_selected_daps: selected 1 records DAP_TRACE: Username: acteacher, dap_aggregate_attr: rec_count = 1 DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectClass"]["1"]="top" DAP_TRACE: name = aaa["ldap"]["objectClass"]["1"], value = "top" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectClass"]["2"]="person" DAP_TRACE: name = aaa["ldap"]["objectClass"]["2"], value = "person" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectClass"]["3"]="organizationalPerson" DAP_TRACE: name = aaa["ldap"]["objectClass"]["3"], value = "organizationalPerson" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectClass"]["4"]="user" DAP_TRACE: name = aaa["ldap"]["objectClass"]["4"], value = "user" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["cn"]="A C. Teacher" DAP_TRACE: name = aaa["ldap"]["cn"], value = "A C. 
Teacher" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["sn"]="Teacher" DAP_TRACE: name = aaa["ldap"]["sn"], value = "Teacher" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["givenName"]="A" DAP_TRACE: name = aaa["ldap"]["givenName"], value = "A" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["initials"]="C" DAP_TRACE: name = aaa["ldap"]["initials"], value = "C" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=A C. Teacher,CN=Users,DC=cne,DC=org" DAP_TRACE: name = aaa["ldap"]["distinguishedName"], value = "CN=A C. Teacher,CN=Users,DC=cne,DC=org" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["instanceType"]="4" DAP_TRACE: name = aaa["ldap"]["instanceType"], value = "4" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["whenCreated"]="20121221140355.0Z" DAP_TRACE: name = aaa["ldap"]["whenCreated"], value = "20121221140355.0Z"

Page 36: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["whenChanged"]="20121221191115.0Z" DAP_TRACE: name = aaa["ldap"]["whenChanged"], value = "20121221191115.0Z" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["displayName"]="A C. Teacher" DAP_TRACE: name = aaa["ldap"]["displayName"], value = "A C. Teacher" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["uSNCreated"]="182255" DAP_TRACE: name = aaa["ldap"]["uSNCreated"], value = "182255" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]="acteachers" DAP_TRACE: name = aaa["ldap"]["memberOf"], value = "acteachers" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["uSNChanged"]="182399" DAP_TRACE: name = aaa["ldap"]["uSNChanged"], value = "182399" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["name"]="A C. Teacher" DAP_TRACE: name = aaa["ldap"]["name"], value = "A C. Teacher" DAP_TRACE: dap_add_to_lua_tree:aaa.ldap.objectGUID contains binary data DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["userAccountControl"]="66048" DAP_TRACE: name = aaa["ldap"]["userAccountControl"], value = "66048" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["badPwdCount"]="0" DAP_TRACE: name = aaa["ldap"]["badPwdCount"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["codePage"]="0" DAP_TRACE: name = aaa["ldap"]["codePage"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["countryCode"]="0" DAP_TRACE: name = aaa["ldap"]["countryCode"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["badPasswordTime"]="0" DAP_TRACE: name = aaa["ldap"]["badPasswordTime"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["lastLogoff"]="0" DAP_TRACE: name = aaa["ldap"]["lastLogoff"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["lastLogon"]="0" DAP_TRACE: name = aaa["ldap"]["lastLogon"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["pwdLastSet"]="130005722355000000" DAP_TRACE: name = aaa["ldap"]["pwdLastSet"], value = "130005722355000000" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["primaryGroupID"]="513" DAP_TRACE: name = 
aaa["ldap"]["primaryGroupID"], value = "513" DAP_TRACE: dap_add_to_lua_tree:aaa.ldap.userParameters contains binary data DAP_TRACE: dap_add_to_lua_tree:aaa.ldap.objectSid contains binary data DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["accountExpires"]="9223372036854775807" DAP_TRACE: name = aaa["ldap"]["accountExpires"], value = "9223372036854775807" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["logonCount"]="0" DAP_TRACE: name = aaa["ldap"]["logonCount"], value = "0" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["sAMAccountName"]="acteacher" DAP_TRACE: name = aaa["ldap"]["sAMAccountName"], value = "acteacher"

Page 37: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["sAMAccountType"]="805306368" DAP_TRACE: name = aaa["ldap"]["sAMAccountType"], value = "805306368" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["userPrincipalName"]="[email protected]" DAP_TRACE: name = aaa["ldap"]["userPrincipalName"], value = "[email protected]" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["objectCategory"]="CN=Person,CN=Schema,CN=Configuration,DC=cne,DC=org" DAP_TRACE: name = aaa["ldap"]["objectCategory"], value = "CN=Person,CN=Schema,CN=Configuration,DC=cne,DC=org" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["msNPAllowDialin"]="TRUE" DAP_TRACE: name = aaa["ldap"]["msNPAllowDialin"], value = "TRUE" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["dSCorePropagationData"]="16010101000000.0Z" DAP_TRACE: name = aaa["ldap"]["dSCorePropagationData"], value = "16010101000000.0Z" DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["lastLogonTimestamp"]="130005906758281250" DAP_TRACE: name = aaa["ldap"]["lastLogonTimestamp"], value = "130005906758281250" DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="DfltGrpPolicy" DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "DfltGrpPolicy" DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="acteacher" DAP_TRACE: name = aaa["cisco"]["username"], value = "acteacher" DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="DefaultWEBVPNGroup" DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "DefaultWEBVPNGroup" DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect" DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect" DAP_TRACE: Username: acteacher, Selected DAPs: ,acteachers DAP_TRACE: dap_process_selected_daps: selected 1 records DAP_TRACE: Username: acteacher, dap_aggregate_attr: rec_count = 1 DAP_TRACE: Username: acteacher, DAP_close: CA56A208 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.sAMAccountType = 805306368 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: 
Session Attribute aaa.ldap.userPrincipalName = [email protected]

Page 38: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

%ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.objectCategory = CN=Person,CN=Schema,CN=Configuration,DC=cne,DC=org %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.msNPAllowDialin = TRUE %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.dSCorePropagationData = 16010101000000.0Z %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.ldap.lastLogonTimestamp = 130005906758281250 %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.cisco.grouppolicy = DfltGrpPolicy %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.cisco.username = acteacher %ASA-7-734003: DAP: User acteacher, Addr 152.45.1.199: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup %ASA-6-734001: DAP: User acteacher, Addr 152.45.1.199, Connection AnyConnect: The following DAP records were selected for this connection: acteachers %ASA-6-716001: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> WebVPN session started. %ASA-6-716038: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> Authentication: successful, Session Type: WebVPN. %ASA-6-302013: Built inbound TCP connection 47222 for outside:152.45.1.199/6322 (152.45.1.199/6322) to identity:152.46.31.231/443 (152.46.31.231/443) %ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6322 for TLSv1 session.

Page 39: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

%ASA-6-725003: SSL client outside:152.45.1.199/6322 request to resume previous session. %ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6322 %ASA-6-302013: Built inbound TCP connection 47223 for outside:152.45.1.199/6323 (152.45.1.199/6323) to identity:152.46.31.231/443 (152.46.31.231/443) %ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6323 for TLSv1 session. %ASA-6-725003: SSL client outside:152.45.1.199/6323 request to resume previous session. %ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6323 %ASA-6-302013: Built inbound TCP connection 47224 for outside:152.45.1.199/6324 (152.45.1.199/6324) to identity:152.46.31.231/443 (152.46.31.231/443) %ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6324 for TLSv1 session. %ASA-6-725003: SSL client outside:152.45.1.199/6324 request to resume previous session. %ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6324 %ASA-6-302014: Teardown TCP connection 47221 for inside:192.168.57.2/389 to identity:192.168.57.1/28851 duration 0:00:00 bytes 504 TCP Reset-I %ASA-6-725007: SSL session with client outside:152.45.1.199/6321 terminated.

Page 40: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

%ASA-6-302014: Teardown TCP connection 47220 for outside:152.45.1.199/6321 to identity:152.46.31.231/443 duration 0:00:00 bytes 810 TCP Reset-I %ASA-6-725007: SSL session with client outside:152.45.1.199/6322 terminated. %ASA-6-302014: Teardown TCP connection 47222 for outside:152.45.1.199/6322 to identity:152.46.31.231/443 duration 0:00:00 bytes 5959 TCP Reset-I %ASA-6-725007: SSL session with client outside:152.45.1.199/6323 terminated. %ASA-6-302014: Teardown TCP connection 47223 for outside:152.45.1.199/6323 to identity:152.46.31.231/443 duration 0:00:00 bytes 258 TCP Reset-I %ASA-6-725007: SSL session with client outside:152.45.1.199/6324 terminated. %ASA-6-302014: Teardown TCP connection 47224 for outside:152.45.1.199/6324 to identity:152.46.31.231/443 duration 0:00:00 bytes 296 TCP Reset-I %ASA-6-302013: Built inbound TCP connection 47225 for outside:152.45.1.199/6326 (152.45.1.199/6326) to identity:152.46.31.231/443 (152.46.31.231/443) %ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6326 for TLSv1 session. %ASA-7-725010: Device supports the following 4 cipher(s). %ASA-7-725011: Cipher[1] : RC4-SHA %ASA-7-725011: Cipher[2] : AES128-SHA %ASA-7-725011: Cipher[3] : AES256-SHA

Page 41: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

%ASA-7-725011: Cipher[4] : DES-CBC3-SHA %ASA-7-725008: SSL client outside:152.45.1.199/6326 proposes the following 8 cipher(s). %ASA-7-725011: Cipher[1] : RC4-MD5 %ASA-7-725011: Cipher[2] : RC4-SHA %ASA-7-725011: Cipher[3] : DES-CBC3-SHA %ASA-7-725011: Cipher[4] : DES-CBC-SHA %ASA-7-725011: Cipher[5] : EXP-RC4-MD5 %ASA-7-725011: Cipher[6] : EXP-RC2-CBC-MD5 %ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA %ASA-7-725011: Cipher[8] : EDH-DSS-DES-CBC-SHA %ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:152.45.1.199/6326 %ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6326 %ASA-6-302013: Built inbound TCP connection 47226 for outside:152.45.1.199/6327 (152.45.1.199/6327) to identity:152.46.31.231/443 (152.46.31.231/443) %ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6327 for TLSv1 session. %ASA-7-725010: Device supports the following 4 cipher(s).

Page 42: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

%ASA-7-725011: Cipher[1] : RC4-SHA %ASA-7-725011: Cipher[2] : AES128-SHA %ASA-7-725011: Cipher[3] : AES256-SHA %ASA-7-725011: Cipher[4] : DES-CBC3-SHA %ASA-7-725008: SSL client outside:152.45.1.199/6327 proposes the following 8 cipher(s). %ASA-7-725011: Cipher[1] : RC4-MD5 %ASA-7-725011: Cipher[2] : RC4-SHA %ASA-7-725011: Cipher[3] : DES-CBC3-SHA %ASA-7-725011: Cipher[4] : DES-CBC-SHA %ASA-7-725011: Cipher[5] : EXP-RC4-MD5 %ASA-7-725011: Cipher[6] : EXP-RC2-CBC-MD5 %ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA %ASA-7-725011: Cipher[8] : EDH-DSS-DES-CBC-SHA %ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:152.45.1.199/6327 %ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6327 %ASA-6-725007: SSL session with client outside:152.45.1.199/6326 terminated.

Page 43: Configuring Cisco AnyConnect - Home - MCNC · PDF fileThis document covers basic configuration of Cisco AnyConnect on an ASA running 8.2.25.2 and integration with ldap (Microsoft AD)

%ASA-6-302014: Teardown TCP connection 47225 for outside:152.45.1.199/6326 to identity:152.46.31.231/443 duration 0:00:00 bytes 624 TCP Reset-I %ASA-6-302013: Built inbound TCP connection 47227 for outside:152.45.1.199/6329 (152.45.1.199/6329) to identity:152.46.31.231/443 (152.46.31.231/443) %ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6329 for TLSv1 session. %ASA-7-725010: Device supports the following 4 cipher(s). %ASA-7-725011: Cipher[1] : RC4-SHA %ASA-7-725011: Cipher[2] : AES128-SHA %ASA-7-725011: Cipher[3] : AES256-SHA %ASA-7-725011: Cipher[4] : DES-CBC3-SHA %ASA-7-725008: SSL client outside:152.45.1.199/6329 proposes the following 6 cipher(s). %ASA-7-725011: Cipher[1] : AES256-SHA %ASA-7-725011: Cipher[2] : AES128-SHA %ASA-7-725011: Cipher[3] : DES-CBC3-SHA %ASA-7-725011: Cipher[4] : RC4-SHA %ASA-7-725011: Cipher[5] : RC4-MD5 %ASA-7-725011: Cipher[6] : DES-CBC-SHA
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:152.45.1.199/6329
%ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6329
%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'DefaultWEBVPNGroup'
%ASA-6-737026: IPAA: Client assigned 10.1.1.2 from local pool
%ASA-6-737006: IPAA: Local pool request succeeded for tunnel-group 'DefaultWEBVPNGroup'
%ASA-5-722033: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> First TCP SVC connection established for SVC session.
%ASA-6-722022: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> TCP SVC connection established without compression
%ASA-4-722051: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> Address <10.1.1.2> assigned to session
%ASA-6-734001: DAP: User acteacher, Addr 152.45.1.199, Connection AnyConnect: The following DAP records were selected for this connection: acteachers
%ASA-6-302015: Built inbound UDP connection 47228 for outside:152.45.1.199/6336 (152.45.1.199/6336) to identity:152.46.31.231/443 (152.46.31.231/443)
%ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6336 for DTLSv1 session.
%ASA-7-710005: UDP request discarded from 10.1.1.2/5353 to outside:224.0.0.251/5353
%ASA-6-725003: SSL client outside:152.45.1.199/6336 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6336
%ASA-5-722033: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> First UDP SVC connection established for SVC session.
%ASA-6-722022: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> UDP SVC connection established without compression
%ASA-7-710005: UDP request discarded from 10.1.1.2/5353 to outside:224.0.0.251/5353
%ASA-6-110002: Failed to locate egress interface for UDP from outside:10.1.1.2/6333 to 239.255.255.250/1900
%ASA-7-710005: UDP request discarded from 10.1.1.2/5353 to outside:224.0.0.251/5353
%ASA-7-710005: UDP request discarded from 10.1.1.2/5353 to outside:224.0.0.251/5353
%ASA-6-302015: Built outbound UDP connection 47231 for outside:216.239.32.10/53 (216.239.32.10/53) to inside:192.168.57.2/65109 (CNE-AD/65109)
%ASA-7-710005: UDP request discarded from 10.1.1.2/5353 to outside:224.0.0.251/5353
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.57.3/57817 to outside:152.46.31.231/53245
%ASA-6-302013: Built outbound TCP connection 47232 for outside:173.194.37.39/80 (173.194.37.39/80) to inside:192.168.57.3/57817 (152.46.31.231/53245)
%ASA-6-302014: Teardown TCP connection 47226 for outside:152.45.1.199/6327 to identity:152.46.31.231/443 duration 0:00:04 bytes 3157 TCP Reset-O
%ASA-6-725007: SSL session with client outside:152.45.1.199/6327 terminated.
%ASA-6-302015: Built outbound UDP connection 47237 for outside:216.239.32.10/53 (216.239.32.10/53) to inside:192.168.57.2/65433 (CNE-AD/65433)
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.57.3/57818 to outside:152.46.31.231/3380
%ASA-6-302013: Built outbound TCP connection 47238 for outside:173.194.37.39/80 (173.194.37.39/80) to inside:192.168.57.3/57818 (152.46.31.231/3380)
%ASA-7-609001: Built local-host outside:208.94.148.4
%ASA-6-302015: Built outbound UDP connection 47239 for outside:208.94.148.4/53 (208.94.148.4/53) to inside:192.168.57.2/64574 (CNE-AD/64574)
%ASA-6-302015: Built outbound UDP connection 47240 for outside:216.52.207.85/53 (216.52.207.85/53) to inside:192.168.57.2/49842 (CNE-AD/49842)
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.57.3/57819 to outside:152.46.31.231/1481
%ASA-6-302013: Built outbound TCP connection 47241 for outside:209.51.184.30/443 (209.51.184.30/443) to inside:192.168.57.3/57819 (152.46.31.231/1481)
%ASA-6-302015: Built outbound UDP connection 47242 for outside:208.94.148.4/53 (208.94.148.4/53) to inside:192.168.57.2/65106 (CNE-AD/65106)
%ASA-7-609001: Built local-host outside:50.97.101.114
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.57.3/57820 to outside:152.46.31.231/37545
%ASA-6-302013: Built outbound TCP connection 47243 for outside:50.97.101.114/80 (50.97.101.114/80) to inside:192.168.57.3/57820 (152.46.31.231/37545)
%ASA-7-710005: UDP request discarded from 10.1.1.2/5353 to outside:224.0.0.251/5353
%ASA-7-609001: Built local-host outside:207.19.96.22
%ASA-6-302015: Built outbound UDP connection 47244 for outside:207.19.96.22/53 (207.19.96.22/53) to inside:192.168.57.2/49560 (CNE-AD/49560)
%ASA-7-609001: Built local-host outside:216.191.247.139
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.57.3/57821 to outside:152.46.31.231/20321
%ASA-6-302013: Built outbound TCP connection 47245 for outside:216.191.247.139/80 (216.191.247.139/80) to inside:192.168.57.3/57821 (152.46.31.231/20321)
%ASA-6-302015: Built outbound UDP connection 47247 for outside:216.52.207.85/53 (216.52.207.85/53) to inside:192.168.57.2/49743 (CNE-AD/49743)
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.57.3/57822 to outside:152.46.31.231/47639
%ASA-6-302013: Built outbound TCP connection 47249 for outside:216.52.207.85/443 (216.52.207.85/443) to inside:192.168.57.3/57822 (152.46.31.231/47639)
%ASA-6-302014: Teardown TCP connection 47249 for outside:216.52.207.85/443 to inside:192.168.57.3/57822 duration 0:00:00 bytes 10758 TCP FINs
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.57.5/23704 to outside:152.46.31.231/52502 duration 0:00:30
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.57.5/23705 to outside:152.46.31.231/20620 duration 0:00:30
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.57.5/23706 to outside:152.46.31.231/7567 duration 0:00:30

show commands

Note: The access-list named in the ‘show’ output below (DAP-ip-user-B0ED7A01) is generated by DAP when the session is built. It is not part of the configuration and will not appear in ‘show run’; the Filter Name field of the session is the way to find it, and ‘show access-list <name>’ is the way to read it.

ciscoasa# show vpn-sessiondb detail svc

Session Type: SVC Detailed

Username     : acteacher              Index        : 45
Assigned IP  : 10.1.1.2               Public IP    : 152.45.1.199
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : SSL VPN
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 10528                  Bytes Rx     : 12415
Pkts Tx      : 13                     Pkts Rx      : 87
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 12:48:39 EST Fri Dec 28 2012
Duration     : 0h:00m:27s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Clientless Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

Clientless:
  Tunnel ID    : 45.1
  Public IP    : 152.45.1.199
  Encryption   : RC4                    Hashing      : SHA1
  Encapsulation: TLSv1.0                TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Client Type  : Web Browser
  Client Ver   : AnyConnect Windows 3.1.00495
  Bytes Tx     : 9795                   Bytes Rx     : 3123

SSL-Tunnel:
  Tunnel ID    : 45.2
  Assigned IP  : 10.1.1.2               Public IP    : 152.45.1.199
  Encryption   : RC4                    Hashing      : SHA1
  Encapsulation: TLSv1.0                TCP Src Port : 6329
  TCP Dst Port : 443                    Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 3.1.00495
  Bytes Tx     : 733                    Bytes Rx     : 182
  Pkts Tx      : 1                      Pkts Rx      : 2
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
  Filter Name  : DAP-ip-user-B0ED7A01

DTLS-Tunnel:
  Tunnel ID    : 45.3
  Assigned IP  : 10.1.1.2               Public IP    : 152.45.1.199
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: DTLSv1.0               UDP Src Port : 6336
  UDP Dst Port : 443                    Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Client Type  : DTLS VPN Client
  Client Ver   : AnyConnect Windows 3.1.00495
  Bytes Tx     : 0                      Bytes Rx     : 9419
  Pkts Tx      : 0                      Pkts Rx      : 83
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
  Filter Name  : DAP-ip-user-B0ED7A01

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 29 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :

ciscoasa# show access-list DAP-ip-user-B0ED7A01
access-list DAP-ip-user-B0ED7A01; 1 elements; name hash: 0x6cf89ded (dynamic)
access-list DAP-ip-user-B0ED7A01 line 1 extended permit ip any host 192.168.57.5 (hitcnt=0) 0x4bfa2720
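The syslog capture earlier in this section records the TLS negotiation in detail, and it shows something worth checking on any ASA: the "Device supports the following 4 cipher(s)" list is the ASA's own cipher order (its ssl encryption setting), and the ASA picks from that order, not from the client's. For client port 6329 the client proposes AES256-SHA first, yet the ASA chooses RC4-SHA because RC4-SHA heads its own list. Note also that the 7250xx cipher messages are severity 7, so they only appear when logging is set to debugging. The following added example (not code from the original document) parses those message IDs into a per-handshake record plus the address-assignment and DAP facts, and flags both the weak choice and the overridden client preference. The sample lines are copied from the capture of user acteacher; the list of cipher-name substrings treated as weak is an assumption of this example, not an ASA setting.

```python
"""Parse an ASA AnyConnect syslog capture and audit the TLS cipher choice.

Added example for this document, not code from the original. It understands the
message IDs that appear in the capture: 725001/725010/725008/725011/725012/725002
(TLS negotiation), 722051 (assigned address) and 734001 (DAP record selection).
"""
import re

# The client endpoint is logged as "<interface>:<ip>/<port>" and keys each handshake.
RE_START = re.compile(r"725001: Starting SSL handshake with client (\S+) for (\S+) session")
RE_DEVICE = re.compile(r"725010: Device supports the following")
RE_CLIENT = re.compile(r"725008: SSL client (\S+) proposes the following")
RE_CIPHER = re.compile(r"725011: Cipher\[\d+\] : (\S+)")
RE_CHOSEN = re.compile(r"725012: Device chooses cipher : (\S+) for the SSL session with client (\S+)")
RE_DONE = re.compile(r"725002: Device completed SSL handshake with client (\S+)")
RE_ADDR = re.compile(r"722051: Group <([^>]+)> User <([^>]+)> IP <([^>]+)> Address <([^>]+)>")
RE_DAP = re.compile(r"734001: DAP: User (\S+), .*selected for this connection: (.+)$")

# Cipher-name substrings we do not want an SSL VPN to negotiate (assumption: a local
# policy, not an ASA setting): RC4, export grade, MD5 MAC, single DES, NULL.
WEAK_MARKERS = ("RC4", "EXP-", "MD5", "DES-CBC-SHA", "NULL")

# Constructed sample: lines copied from the capture of user acteacher in this document.
SAMPLE_LOG = """\
%ASA-6-725001: Starting SSL handshake with client outside:152.45.1.199/6329 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:152.45.1.199/6329 proposes the following 6 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : DES-CBC3-SHA
%ASA-7-725011: Cipher[4] : RC4-SHA
%ASA-7-725011: Cipher[5] : RC4-MD5
%ASA-7-725011: Cipher[6] : DES-CBC-SHA
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:152.45.1.199/6329
%ASA-6-725002: Device completed SSL handshake with client outside:152.45.1.199/6329
%ASA-6-737026: IPAA: Client assigned 10.1.1.2 from local pool
%ASA-4-722051: Group <DfltGrpPolicy> User <acteacher> IP <152.45.1.199> Address <10.1.1.2> assigned to session
%ASA-6-734001: DAP: User acteacher, Addr 152.45.1.199, Connection AnyConnect: The following DAP records were selected for this connection: acteachers
"""


def parse_asa_log(text):
    """Return (handshakes, session). handshakes: endpoint -> cipher lists and result."""
    handshakes, session = {}, {"dap_records": []}
    current, bucket = None, None  # handshake and list ("device"/"client") that 725011 lines belong to

    def rec(endpoint):
        return handshakes.setdefault(endpoint, {"protocol": None, "device": [], "client": [],
                                                "chosen": None, "completed": False})

    for line in text.splitlines():
        if m := RE_START.search(line):
            current, bucket = m.group(1), None
            rec(current)["protocol"] = m.group(2)
        elif RE_DEVICE.search(line):
            bucket = "device"
        elif m := RE_CLIENT.search(line):
            current, bucket = m.group(1), "client"
        elif (m := RE_CIPHER.search(line)) and current and bucket:
            rec(current)[bucket].append(m.group(1))
        elif m := RE_CHOSEN.search(line):
            rec(m.group(2))["chosen"] = m.group(1)
        elif m := RE_DONE.search(line):
            rec(m.group(1))["completed"] = True
        elif m := RE_ADDR.search(line):
            session.update(group=m.group(1), user=m.group(2), public_ip=m.group(3), assigned_ip=m.group(4))
        elif m := RE_DAP.search(line):
            session["dap_records"] += [r.strip() for r in m.group(2).split(",")]
    return handshakes, session


def audit_handshakes(handshakes):
    """Flag weak selections and cases where the ASA's own order beat a stronger client preference."""
    findings = []
    for endpoint, hs in handshakes.items():
        chosen = hs["chosen"]
        if not chosen:
            continue  # resumed or incomplete handshake: no cipher choice is logged
        if any(w in chosen for w in WEAK_MARKERS):
            findings.append((endpoint, chosen, "weak cipher selected; it leads the device list"
                             if hs["device"][:1] == [chosen] else "weak cipher selected"))
        preferred = hs["client"][0] if hs["client"] else None
        if preferred and preferred != chosen and not any(w in preferred for w in WEAK_MARKERS):
            findings.append((endpoint, chosen, "client preferred " + preferred))
    return findings


if __name__ == "__main__":
    handshakes, session = parse_asa_log(SAMPLE_LOG)
    print(session)
    for finding in audit_handshakes(handshakes):
        print("%s: chose %s (%s)" % finding)
```

Run as a script it prints the session facts (user, group policy, assigned address, DAP records) and two findings for the 6329 handshake. Point it at a full capture from a syslog server and every handshake gets its own record; a handshake that resumes a previous session, like the DTLS one on port 6336 above, logs no cipher choice and is skipped by the audit.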
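The show output above is also what lets you confirm that the DAP record actually confined the session: both data-carrying tunnels (SSL-Tunnel and DTLS-Tunnel) must reference the same DAP filter, and every permit in that filter must stay within the hosts the acteachers policy allows. The following added example (not code from the original document) parses the two outputs and performs that check. The sample text is trimmed from the capture above; the allowed-destination list encodes the goal stated at the start of the document (acteachers may reach 192.168.57.5 only) and is an assumption of this example.

```python
"""Verify that the DAP-generated filter on an AnyConnect session matches the intended policy.

Added example for this document, not code from the original. It parses the text of
'show vpn-sessiondb detail svc' and 'show access-list <name>' as shown above.
"""
import ipaddress
import re

# Constructed sample, trimmed from the capture above: the two data-carrying
# tunnels of session 45 and the dynamic ACL they reference.
SHOW_SESSION = """\
SSL-Tunnel:
  Tunnel ID    : 45.2
  Encryption   : RC4                    Hashing      : SHA1
  Encapsulation: TLSv1.0                TCP Src Port : 6329
  Filter Name  : DAP-ip-user-B0ED7A01
DTLS-Tunnel:
  Tunnel ID    : 45.3
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: DTLSv1.0               UDP Src Port : 6336
  Filter Name  : DAP-ip-user-B0ED7A01
"""
SHOW_ACL = """\
access-list DAP-ip-user-B0ED7A01; 1 elements; name hash: 0x6cf89ded (dynamic)
access-list DAP-ip-user-B0ED7A01 line 1 extended permit ip any host 192.168.57.5 (hitcnt=0) 0x4bfa2720
"""
# Intended reach of the acteachers DAP record (assumption taken from the goal stated in the document).
ALLOWED_DESTINATIONS = [ipaddress.ip_network("192.168.57.5/32")]
DATA_TUNNELS = ("SSL-Tunnel", "DTLS-Tunnel")  # tunnels that carry routed traffic and must be filtered

RE_TUNNEL = re.compile(r"^(Clientless|SSL-Tunnel|DTLS-Tunnel):\s*$")
RE_FIELD = re.compile(r"^\s*(Tunnel ID|Encryption|Encapsulation|Filter Name)\s*:\s*(\S+)")
RE_ACE = re.compile(r"^access-list (\S+) line (\d+) extended (permit|deny) (\S+) (.*?) \(hitcnt=(\d+)\)")


def parse_tunnels(text):
    """Map tunnel type -> first-column fields of interest from 'show vpn-sessiondb detail'."""
    tunnels, cur = {}, None
    for line in text.splitlines():
        if m := RE_TUNNEL.match(line):
            cur = tunnels.setdefault(m.group(1), {})
        elif cur is not None and (m := RE_FIELD.match(line)):
            cur[m.group(1)] = m.group(2)
    return tunnels


def _take_addr(tokens):
    """Consume one ASA address spec from the front of tokens: any | host A | A MASK."""
    t = tokens.pop(0)
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(t + "/" + tokens.pop(0))  # dotted netmask is accepted by ipaddress


def parse_aces(text):
    """Return (acl, line, action, proto, src, dst, hitcnt) per extended ACE; trailing tokens
    such as ports are ignored because the policy checked here is host reachability only."""
    aces = []
    for line in text.splitlines():
        if m := RE_ACE.match(line):
            tokens = m.group(5).split()
            src, dst = _take_addr(tokens), _take_addr(tokens)
            aces.append((m.group(1), int(m.group(2)), m.group(3), m.group(4), src, dst, int(m.group(6))))
    return aces


def check_session_filter(tunnels, aces, allowed):
    """Return the policy problems found; an empty list means the session is confined as intended."""
    problems = []
    names = {t: tunnels.get(t, {}).get("Filter Name") for t in DATA_TUNNELS}
    for t, name in names.items():
        if not name:
            problems.append(f"{t} carries no filter: its traffic bypasses the DAP ACL")
    if len(set(names.values())) > 1:
        problems.append(f"data tunnels reference different filters: {names}")
    for name in {n for n in names.values() if n}:
        rules = [a for a in aces if a[0] == name]
        if not rules:
            problems.append(f"filter {name} has no ACEs in the 'show access-list' output")
        for _, ln, action, proto, src, dst, _ in rules:
            if action == "permit" and not any(dst.subnet_of(net) for net in allowed):
                problems.append(f"{name} line {ln}: permit {proto} {src} -> {dst} exceeds the allowed destinations")
    return problems


if __name__ == "__main__":
    result = check_session_filter(parse_tunnels(SHOW_SESSION), parse_aces(SHOW_ACL), ALLOWED_DESTINATIONS)
    print(result or "session filter matches policy")
```

For the capture above the check returns no problems: both tunnels carry DAP-ip-user-B0ED7A01 and its single permit reaches only host 192.168.57.5. A missing Filter Name on the DTLS tunnel, or a DAP network ACL that was widened to a whole subnet, shows up as an explicit problem string, which is the condition to alert on after any change to the DAP records.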