Solved: ASA 5505 ANYCONNECT

STYLIANOS DEMETRIOU · ‎11-12-2013

Hello Guys,

I've managed to setup an ssl vpn connection on asa 5505 but i have the below issue

inside network: 10.0.0.0/24

asa inside: 10.0.0.254

dns: 10.0.0.1

vpn pool:192.168.50.0/24

When i am connected through vpn i am receiving 192.168.50.1 ip address and i am able to ping hosts inside except the domain controller which is 10.0.0.1.

Also i am unable to ping from asa my vpn client.

Please see below my configuration and advice accordingly

!

ASA Version 8.2(5)

!

hostname imlfw

domain-name IMLDOM

enable password q06nVnsUc78g4jiU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x 255.255.255.252

!

ftp mode passive

clock timezone EEDT 2

clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00

dns domain-lookup inside

dns server-group DefaultDNS

name-server 10.0.0.1

name-server 8.8.8.8

name-server 4.4.4.2

domain-name IMLDOM

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network inside-net

network-object 10.0.0.0 255.255.255.0

access-list inside_in extended permit ip any any

access-list inside_in extended permit icmp any any

access-list outside_acl extended permit ip any any

access-list outside_acl extended permit icmp any any

access-list ACL-SPLIT-TUNNEL extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0

pager lines 24

logging enable

logging buffer-size 30000

logging buffered debugging

logging asdm informational

logging debug-trace

mtu inside 1500

mtu outside 1500

ip local pool VPNPOOL 192.168.50.1-192.168.50.10 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.255.255.0

static (inside,outside) tcp interface 3389 10.0.0.1 3389 netmask 255.255.255.255

access-group inside_in in interface inside

access-group outside_acl in interface outside

route outside 0.0.0.0 0.0.0.0 [gateway's ip] 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.0.0.1 255.255.255.255 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 10.0.0.1 255.255.255.255 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

ssh version 2

console timeout 0

management-access inside

dhcpd dns 10.0.0.1

!

dhcpd address 10.0.0.50-10.0.0.81 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 87.232.1.40 prefer

ntp server 81.94.123.16

webvpn

enable outside

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2

svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3

svc enable

tunnel-group-list enable

group-policy TELECOMMUTERSPOLICY internal

group-policy TELECOMMUTERSPOLICY attributes

vpn-idle-timeout 120

vpn-tunnel-protocol svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ACL-SPLIT-TUNNEL

webvpn

svc dtls enable

svc keep-installer installed

username ************************************

tunnel-group telecommuters type remote-access

tunnel-group telecommuters general-attributes

address-pool VPNPOOL

default-group-policy TELECOMMUTERSPOLICY

tunnel-group telecommuters webvpn-attributes

group-alias TELECOMMUTERS enable

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect pptp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:6c5d2f60afc59fca351ff98a2a30ca93

: end

Jouni Forss · ‎11-12-2013

Hi,

I cant see a NAT0 configuration.

Add the following configuration

access-list INSIDE-NAT0 remark NAT0 for VPN Client traffic

access-list INSIDE-NAT0 permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

Though I am not sure how you would be able to ping other internal hosts when you dont have a NAT0 configuration for any host on the network.

If you are pinging the VPN Client (which usually is not needed) try the following command

ping inside 192.168.50.x

Where you naturally fill in the IP address that the VPN Client has gotten.

Hope this helps

- Jouni

View solution in original post

Jouni Forss · ‎11-12-2013

Hi,

I cant see a NAT0 configuration.

Add the following configuration

access-list INSIDE-NAT0 remark NAT0 for VPN Client traffic

access-list INSIDE-NAT0 permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

Though I am not sure how you would be able to ping other internal hosts when you dont have a NAT0 configuration for any host on the network.

If you are pinging the VPN Client (which usually is not needed) try the following command

ping inside 192.168.50.x

Where you naturally fill in the IP address that the VPN Client has gotten.

Hope this helps

- Jouni

STYLIANOS DEMETRIOU · ‎11-12-2013

Jouni you are a star!!

Thanks a lot for your help, you saved me hours of reading

Jouni Forss · ‎11-13-2013

Hi,

Answering here regarding your private message.

You mention in your message the ASA as 10.0.0.1 but the above configuration says 10.0.0.254? Are you sure you are connecting to the correct IP address for ASA management?

You seem to have the required configuration to enable management of the ASA through the VPN

Which is

management-access inside

With regards to copying the configuration from the ASA directly to the VPN Client host. I think the ASA will probably use the "outside" interface as the source IP address for the TFTP traffic and since you are using Split Tunnel it wont match the VPN configuration/connection.

You could try to temporarily switch the VPN Client to Full Tunnel and see if that helps. If that works you could try to add the ASAs external IP address to the Split Tunnel ACL

Hope this helps

- Jouni

STYLIANOS DEMETRIOU · ‎11-13-2013

Regarding the ip of the asa it was a mistypo the correct which i used to access the asdm and still doesn't work is 10.0.0.254

I've added also

access-list ACL-SPLIT-TUNNEL extended permit ip host mypublicip 192.168.50.0 255.255.255.0

but still no luck.

What do you mean swith the client to full tunnel? how do i achieve that?

Jouni Forss · ‎11-13-2013

Hi,

To change to Full Tunnel you would have to do the following changes

group-policy TELECOMMUTERSPOLICY attributes

no split-tunnel-policy tunnelspecified

no split-tunnel-network-list value ACL-SPLIT-TUNNEL

split-tunnel-policy tunnelall

To change back naturally add the old configurations back.

I have not had use for copying traffic to a VPN Client from the ASA directly or doing management through VPN as both have been handled in other ways so I am not sure if there is something missing.

I for example am not sure will the "http 0.0.0.0 0.0.0.0 outside" apply to these connections or will you actually have to use the "inside" interface. It would seem logical that it would be "outside" but I am not sure. You already seem to have that sorted. Naturally you can try adding an "inside" command also.

Otherwise I would suggest getting logs from the connection attempts through VPN.

You could also try SSH or Telnet through the VPN to the ASA interface and see if those succeed.

- Jouni

STYLIANOS DEMETRIOU · ‎11-13-2013

Thanks Jouni i will try it and let you know!