579 Views, 0 Helpful, 1 Reply

Anyconnect Issue

kuldeep.kaur
Level 1

Hi Guys,

I have configured AnyConnect on my ASA. The client PC is able to connect to the network with the AnyConnect client and gets an IP address, but cannot ping or access anything. Here is the config:

DMZ1664 is the outside interface

DMZ1070 is the inside interface

interface GigabitEthernet0/0
 nameif DMZ1664
 security-level 0
 ip address 202.X.X.X 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif DMZ1070
 security-level 80
 ip address 10.1.50.8 255.255.255.0 


ip local pool JDE_VPN_Users 10.1.30.10-10.1.30.254 mask 255.255.255.0


object network JDE_VPN_Pool
 subnet 10.1.30.0 255.255.255.0

object-group network JDE_subnets_main
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.255.0.0

access-list DMZ1070_access_in extended permit ip 10.1.30.0 255.255.255.0 object-group JDE_subnets_main
access-list DMZ1070_access_in extended permit ip object-group JDE_subnets_main 10.1.30.0 255.255.255.0


access-list JDE_VPN standard permit 10.0.0.0 255.0.0.0 
access-list JDE_VPN standard permit 172.16.0.0 255.240.0.0 


access-list Outside_access_in extended permit ip 10.1.30.0 255.255.255.0 any 
access-list Outside_access_in extended permit icmp any any inactive 
access-list Outside_nat0_outbound extended permit ip any any 


access-group Outside_access_in in interface DMZ1664
access-group DMZ1070_access_in in interface DMZ1070

nat (DMZ1070,any) source static JDE_VPN_Pool JDE_VPN_Pool destination static JDE_subnets_main JDE_subnets_main no-proxy-arp
nat (any,DMZ1070) source static JDE_subnets_main JDE_subnets_main destination static JDE_VPN_Pool JDE_VPN_Pool no-proxy-arp

route DMZ1664 0.0.0.0 0.0.0.0 202.129.X.X
route DMZ1070 10.0.0.0 255.0.0.0 10.1.50.1 1 


webvpn
 enable DMZ1664
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.08009-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-3.1.08009-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.08009-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless

group-policy GroupPolicy_JDE_VPN internal

group-policy GroupPolicy_JDE_VPN attributes
 wins-server none
 dns-server value 10.1.8.1 10.1.8.2

 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 ipv6-split-tunnel-policy excludespecified
 split-tunnel-network-list value JDE_VPN
 default-domain value jdeglobal.com
 split-dns value jdeglobal.com

username admin password TOyVyM6G6TXcuQ5w encrypted

tunnel-group VPNUsers type remote-access

tunnel-group JDE_VPN type remote-access

tunnel-group JDE_VPN general-attributes
 address-pool (DMZ1070) JDE_VPN_Users
 address-pool JDE_VPN_Users
 authentication-server-group JDE-Radius
 default-group-policy GroupPolicy_JDE_VPN
tunnel-group JDE_VPN webvpn-attributes
 group-alias JDE_VPN enable


# show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp DMZ1664
no sysopt noproxyarp DMZ1070
no sysopt noproxyarp mgmt

Could someone please check the above config and let me know what the mistake is?

Also, do I need NAT, as I only want to access the internal network, which is 10.0.0.0/8?

Thanks guys

1 Reply

Puneesh Chhabra
Cisco Employee

Hi Kuldeep,

Your first NAT is incorrect; please remove it:

no nat (DMZ1070,any) source static JDE_VPN_Pool JDE_VPN_Pool destination static JDE_subnets_main JDE_subnets_main no-proxy-arp
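As an added example, not part of either post and not Cisco's own tooling: a small Python check that parses ASA twice-NAT lines and flags identity rules that put the VPN pool object as the real source behind the inside interface, which is the rule Puneesh says to remove. The object name JDE_VPN_Pool and the interface name DMZ1070 come from the question; the heuristic itself (AnyConnect clients are reached through the outside interface DMZ1664, so the pool should not appear as the real source on DMZ1070) is my assumption, not something the reply spells out, and the sample config is the two nat lines copied from the question.

```python
import re

# Constructed sample: the two twice-NAT lines exactly as posted in the question.
SAMPLE_CONFIG = """\
nat (DMZ1070,any) source static JDE_VPN_Pool JDE_VPN_Pool destination static JDE_subnets_main JDE_subnets_main no-proxy-arp
nat (any,DMZ1070) source static JDE_subnets_main JDE_subnets_main destination static JDE_VPN_Pool JDE_VPN_Pool no-proxy-arp
"""

# ASA twice-NAT syntax handled here:
#   nat (REAL_IFC,MAPPED_IFC) source static REAL MAPPED [destination static REAL MAPPED] [options]
NAT_RE = re.compile(
    r"^\s*nat\s+\((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+"
    r"source\s+static\s+(?P<src_real>\S+)\s+(?P<src_mapped>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dst_real>\S+)\s+(?P<dst_mapped>\S+))?"
    r"(?P<opts>.*)$"
)


def parse_twice_nat(line):
    """Return the parts of a static twice-NAT line, or None if it is not one."""
    m = NAT_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    rule["opts"] = rule["opts"].split()
    # Identity (NAT-exempt) rule: every real object maps to itself.
    rule["identity"] = rule["src_real"] == rule["src_mapped"] and (
        rule["dst_real"] is None or rule["dst_real"] == rule["dst_mapped"]
    )
    return rule


def find_misplaced_pool_rules(config_text, pool_object, inside_ifc):
    """Flag identity rules whose real source is the VPN pool on the inside interface.

    Assumption (mine, not from the thread): VPN clients never source traffic
    on the inside interface, so such a rule describes traffic that cannot
    arrive that way and is the one to remove.
    """
    hits = []
    for line in config_text.splitlines():
        rule = parse_twice_nat(line)
        if rule is None or not rule["identity"]:
            continue
        if rule["src_real"] == pool_object and rule["real"] == inside_ifc:
            hits.append(line.strip())
    return hits


def removal_commands(rules):
    """Turn each flagged rule into the matching 'no nat ...' line."""
    return ["no " + r for r in rules]


if __name__ == "__main__":
    bad = find_misplaced_pool_rules(SAMPLE_CONFIG, "JDE_VPN_Pool", "DMZ1070")
    for cmd in removal_commands(bad):
        print(cmd)
```

Run against the posted config it reports only the (DMZ1070,any) rule and prints the same `no nat ...` line given in the reply; the second rule, with JDE_subnets_main as the real source, is left alone.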
