Accessing inside network with anyconnect

sina tahmasebi
Level 1

Hi Folks

I have configured AnyConnect VPN on our corporate ASA and it's working fine with split tunnel, and I can access the Internet when connected.

Can you please let me know how I can access my inside network and beyond that? I don't have access to my inside network and I don't know what is lacking in my configuration!

Any help would be appreciated!

Here is my configuration:

ASA Version 9.1(2)
!
hostname anyconnect-test
domain-name xxxxx.com
enable password xxxxx
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool ANYCONNECT-VPN 192.168.20.1-192.168.20.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 142.x.x.100 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 142.x.x.31 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.5.10 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name transalta.com
object network LOCAL
 subnet 142.x.x.0 255.255.255.0
object network ANYCONNECT-VPN
 subnet 192.168.20.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 142.x.x.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LOCAL LOCAL destination static ANYCONNECT-VPN ANYCONNECT-VPN no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 142.x.x.10 1
route inside 142.x.0.0 255.255.0.0 142.x.x.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=anyconnect-test
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 13caf954
  quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 142.x.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles anyconnect-test_client_profile disk0:/anyconnect-test_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy ANYCONNECT-VPN internal
group-policy ANYCONNECT-VPN attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 webvpn
  anyconnect keep-installer installed
  anyconnect ask enable default anyconnect timeout 10
username armani password jIgrPMz6vta5Ra5t encrypted
username armani attributes
 service-type remote-access
tunnel-group ANYCONNECT-VPN type remote-access
tunnel-group ANYCONNECT-VPN general-attributes
 address-pool ANYCONNECT-VPN
 default-group-policy ANYCONNECT-VPN
tunnel-group ANYCONNECT-VPN webvpn-attributes
 group-alias TAU_ANYCONNECT enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 6
  subscribe-to-alert-group configuration periodic monthly 6
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b998e23e6a411047d8ea2222b9b55341
: end
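As an added example (not part of the thread or the poster's config), the following Python check reads an ASA running config and reports, for a given inside destination, whether the three ASA-side conditions a split-tunnel AnyConnect client depends on are met: the split-tunnel ACL covers the destination, an identity NAT exempts pool-to-destination traffic, and the ASA's longest-match route for the destination points out the inside interface. ASA_CONFIG is a constructed excerpt of the config above with the redacted 142.x.x.0 replaced by the placeholder 142.0.10.0/24.

```python
# Added example, not from the thread: check the ASA-side conditions a split-tunnel
# AnyConnect client needs to reach an inside host. ASA_CONFIG is a constructed
# excerpt of the config above with the redacted 142.x.x.0 replaced by 142.0.10.0/24.
import ipaddress
import re

ASA_CONFIG = """
object network LOCAL
 subnet 142.0.10.0 255.255.255.0
object network ANYCONNECT-VPN
 subnet 192.168.20.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 142.0.10.0 255.255.255.0
nat (inside,outside) source static LOCAL LOCAL destination static ANYCONNECT-VPN ANYCONNECT-VPN no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 142.0.11.10 1
route inside 142.0.0.0 255.255.0.0 142.0.10.1 1
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    """Collect network objects, standard ACL entries, identity-NAT pairs and static routes."""
    objects, acls, nat_pairs, routes, current = {}, {}, [], [], None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+subnet (\S+) (\S+)", line):
            objects[current] = net(m.group(1), m.group(2))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            acls.setdefault(m.group(1), []).append(net(m.group(2), m.group(3)))
        elif m := re.match(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2", line):
            nat_pairs.append((m.group(1), m.group(2)))  # (inside object, VPN pool object)
        elif m := re.match(r"route (\S+) (\S+) (\S+) \S+", line):
            routes.append((m.group(1), net(m.group(2), m.group(3))))
    return objects, acls, nat_pairs, routes

def check_inside_reachability(cfg, dest_ip, acl="SPLIT-TUNNEL", pool="ANYCONNECT-VPN"):
    """Report which ASA-side conditions hold for tunnelled traffic to dest_ip."""
    objects, acls, nat_pairs, routes = parse(cfg)
    dest = ipaddress.ip_address(dest_ip)
    # 1. Split tunnel: if the ACL does not cover dest, the client never sends it into the tunnel.
    in_split = any(dest in n for n in acls.get(acl, []))
    # 2. NAT exemption: an identity NAT must pair an object covering dest with the VPN pool.
    pool_net = objects.get(pool)
    nat_exempt = pool_net is not None and any(
        dest in objects.get(src, ()) and objects.get(dst) == pool_net for src, dst in nat_pairs)
    # 3. Routing: the longest-match route for dest must point out the inside interface.
    best = max((r for r in routes if dest in r[1]), key=lambda r: r[1].prefixlen, default=None)
    route_inside = best is not None and best[0] == "inside"
    return {"split_tunnel": in_split, "nat_exempt": nat_exempt, "route_inside": route_inside}
```

For a host on the directly connected /24 all three checks pass, while a host elsewhere in the /16 fails the split-tunnel and NAT checks because both only name the one /24. The return route from inside hosts back to 192.168.20.0/24 lives on the switch, so it is outside what this check can see.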

3 Replies

Adeolu Owokade
Level 1

Hi,

Do your internal hosts have a route back to the VPN pool?

Hi Adeolu, 

Yes, I have a directly connected 4506 switch that is connected to our core switches and runs EIGRP.

I have statically routed that pool on that switch to point to the inside interface of the ASA and redistributed it into our EIGRP!

Just to highlight, my inside and outside subnets are class B public IP and my pool address is a class C private address range.

All my access lists are also in place and I think they are OK.

I can copy them here if you'd like to have a look.