
Unable to reach internal network after remote SSL VPN connection

Unanswered Question
Oct 3rd, 2013

Hi,


I am setting up an ASA 5505 for remote access SSL VPN now. After successfully logging in with the AnyConnect Secure Mobility client, I am having problems reaching the internal network. The screenshot of the route table on the client is attached.




Can anyone give me a hand? Thanks.


Also, the running configuration is below:


: Saved
:
ASA Version 8.2(5)
!
hostname myvpn
domain-name paragontesting.ca
names
name 10.30.0.0 Paragon_SSLVPN_IP01
dns-guard
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
 switchport access vlan 5
!
interface Ethernet0/7
 switchport access vlan 5
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.14 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 1
 ip address 10.50.0.1 255.255.255.224
!
interface Vlan5
 no nameif
 security-level 50
 ip address 10.100.0.1 255.255.255.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.0.0.115
 domain-name paragontesting.ca
access-list Internal standard permit 10.0.0.0 255.255.255.0
access-list Internal standard permit Paragon_SSLVPN_IP01 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.0.0.0 255.255.255.0 Paragon_SSLVPN_IP01 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip Paragon_SSLVPN_IP01 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Paragon_SSL_VPN_Pool2 10.30.0.100-10.30.0.109 mask 255.255.255.0
ip local pool Paragon_SSLVPN_Inside 10.30.0.1 mask 255.255.255.255
ip local pool SSL_VPN_IP_Pool 10.30.0.190-10.30.0.199 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.50.0.1 1
route inside 10.20.0.0 255.255.255.0 10.0.0.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host api-0c274afe.duosecurity.com
 timeout 60
 server-port 636
 ldap-base-dn dc=DIAFSBNHYPCDKTTIS10Y,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password *****
 ldap-login-dn dc=DIAFSBNHYPCDKTTIS10Y,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn

no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 1.1.1.1 source outside prefer
ssl trust-point selfSign_2012 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc profiles Paragon_SSLVPN_01 disk0:/paragon_sslvpn_01.xml
 svc enable
 tunnel-group-list enable
group-policy ParagonPolicy01 internal
group-policy ParagonPolicy01 attributes
 wins-server none
 dns-server value 10.0.0.115
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Internal
 default-domain value paragontesting.ca
 webvpn
  url-list none
  customization value Due01
group-policy DfltGrpPolicy attributes
 dns-server value 10.0.0.115
 vpn-tunnel-protocol webvpn
 default-domain value paragontesting.ca
 webvpn
  url-list value Paragon01
  customization value Due01
username cisco password  nt-encrypted
username cisco attributes
 service-type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool (outside) SSL_VPN_IP_Pool
 address-pool SSL_VPN_IP_Pool
 authentication-server-group (outside) LOCAL
 authorization-server-group LOCAL
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization Due01
tunnel-group ParagonSSLVPN type remote-access
tunnel-group ParagonSSLVPN general-attributes
 address-pool Paragon_SSL_VPN_Pool2
 default-group-policy ParagonPolicy01
tunnel-group ParagonSSLVPN webvpn-attributes
 customization Due01
 group-alias SSLVPN enable
 group-url https://10.50.0.1/SSLVPN disable
!
!
prompt hostname context
no call-home reporting anonymous
: end
asdm location Paragon_SSLVPN_IP01 255.255.255.0 inside
no asdm history enable
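An added consistency check (example code, not from the post and not a Cisco tool) that reads the relevant lines of the configuration above and flags three settings that keep AnyConnect clients from reaching inside hosts on an ASA 8.2: a default route whose next hop is one of the ASA's own addresses, `no sysopt connection permit-vpn` with no access-group applied on the outside interface, and a VPN pool not covered by the nat 0 exemption. The excerpt writes the name object Paragon_SSLVPN_IP01 out as 10.30.0.0 and omits lines the checks do not use; nothing else is assumed.

```python
import ipaddress
import re

# Excerpt of the configuration posted above; the name object Paragon_SSLVPN_IP01
# is written out as 10.30.0.0 and lines irrelevant to the checks are omitted.
POSTED = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.14 255.255.255.0
interface Vlan2
 nameif outside
 security-level 1
 ip address 10.50.0.1 255.255.255.224
access-list inside_nat0_outbound_1 extended permit ip 10.0.0.0 255.255.255.0 10.30.0.0 255.255.255.0
ip local pool Paragon_SSL_VPN_Pool2 10.30.0.100-10.30.0.109 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
route outside 0.0.0.0 0.0.0.0 10.50.0.1 1
no sysopt connection permit-vpn
"""

def acl_dsts(cfg, acl):
    """Destination networks permitted by `acl` (standard, or extended 'ip')."""
    pat = rf"^access-list {re.escape(acl)} \S+ permit (?:ip \S+ \S+ )?(\S+) (\S+)$"
    return [ipaddress.ip_network(f"{m[1]}/{m[2]}") for m in re.finditer(pat, cfg, re.M)]

def lint(cfg):
    """Return finding codes for the checked reachability blockers ([] = none)."""
    out = []
    ifaces = {m[1]: ipaddress.ip_interface(f"{m[2]}/{m[3]}") for m in re.finditer(
        r"^ nameif (\S+)\n(?: .+\n)*? ip address (\S+) (\S+)$", cfg, re.M)}
    # 1. A default route whose next hop is one of the ASA's own addresses forwards nothing.
    for m in re.finditer(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M):
        if any(i.ip == ipaddress.ip_address(m[1]) for i in ifaces.values()):
            out.append("default-route-next-hop-is-own-address")
    # 2. With "no sysopt connection permit-vpn", decrypted tunnel traffic is filtered
    #    by the outside interface ACL; with no access-group applied there it is dropped.
    if re.search(r"^no sysopt connection permit-vpn$", cfg, re.M) and not re.search(
            r"^access-group \S+ in interface outside$", cfg, re.M):
        out.append("vpn-traffic-filtered-by-missing-outside-acl")
    # 3. The nat 0 exemption must cover the whole VPN pool, otherwise inside hosts'
    #    replies are PATed to the outside address by "nat (inside) 1" on the way back.
    lo, hi = (ipaddress.ip_address(a) for a in
              re.search(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M).groups())
    nat0 = acl_dsts(cfg, re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)[1])
    if not any(lo in n and hi in n for n in nat0):
        out.append("vpn-pool-not-nat-exempt")
    return out
```

Running `lint(POSTED)` on the excerpt reports the first two findings; the pool check passes because 10.30.0.100-109 lies inside the exempted 10.30.0.0/24.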
