cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
467
Views
10
Helpful
2
Replies

Not able to access Internet or Internal network via SSL AnyConnect

Robert Hefner
Level 1
Level 1

After connecting succesfully with Cisco AnyConnect version 3.0.05152 I am unable to access internal resources. Below is the configuration of the ASA.

Any input on the below would be appreciated

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.02.04 16:15:58 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
:
ASA Version 9.1(4)
!
hostname ASA
domain-name hb.local
enable password pEuUQweb2zEldXkE encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd pEuUQweb2zEldXkE encrypted
names
ip local pool Remote_VPN_DHCP_Pool 172.16.253.100-172.16.253.150 mask 255.255.255.0
!
interface Ethernet0/0
description *** Internet ***
nameif publicWAN
security-level 0
ip address X.X.X.X X.X.X.X.
!
interface Ethernet0/1
description *** Guest Wireless Network ***
nameif guest
security-level 50
ip address 10.0.254.1 255.255.255.0
!
interface Ethernet0/2
description *** Uplink to Branches ***
nameif Branches
security-level 100
ip address 192.168.254.1 255.255.255.0
!
interface Ethernet0/3
description *** Uplink to JHA ***
nameif JHA
security-level 0
ip address 10.0.8.1 255.255.255.0
!
interface Management0/0
description *** Managemnet Interface - NOT USED ***
management-only
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup publicWAN
dns domain-lookup guest
dns domain-lookup Branches
dns domain-lookup JHA
dns server-group DefaultDNS
name-server 172.16.1.2
domain-name hb.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-10.0.0.0
subnet 10.0.0.0 255.255.255.0
object network obj_guest
subnet 10.0.254.0 255.255.255.0
object network obj-172.16.1.0
subnet 172.16.1.0 255.255.255.0
object network obj-172.16.1.5
host 172.16.1.5
object network obj-172.16.1.5-01
host 172.16.1.5
access-list Branches extended permit icmp any4 any4
access-list Branches extended permit ip any4 any4
access-list JHA extended permit ip any4 any4
access-list JHA extended permit icmp any4 any4
access-list guest extended deny ip any4 10.0.1.0 255.255.255.0
access-list guest extended deny ip any4 10.0.2.0 255.255.255.0
access-list guest extended deny ip any4 10.0.3.0 255.255.255.0
access-list guest extended deny ip any4 10.0.4.0 255.255.255.0
access-list guest extended deny ip any4 10.0.5.0 255.255.255.0
access-list guest extended deny ip any4 10.0.6.0 255.255.255.0
access-list guest extended deny ip any4 10.0.7.0 255.255.255.0
access-list guest extended deny ip any4 10.0.8.0 255.255.255.0
access-list guest extended deny ip any4 10.0.9.0 255.255.255.0
access-list guest extended deny ip any4 10.0.10.0 255.255.255.0
access-list guest extended deny ip any4 172.16.0.0 255.255.0.0
access-list guest extended permit ip any4 any4
access-list guest extended permit icmp any4 any4
access-list traffic_send_ips_module extended permit ip any4 any4
access-list outside extended permit tcp any4 host 172.16.1.5 eq https
access-list outside extended permit tcp X.X.X.X 255.255.255.0 host 172.16.1.5 eq smtp
access-list outside extended permit tcp X.X.X.X. 255.255.255.0 host 172.16.1.5 eq smtp
access-list outside extended deny ip any4 any4 log interval 30
pager lines 50
logging enable
logging timestamp
logging monitor warnings

logging buffered informational
logging trap warnings
logging asdm informational
logging queue 2048
logging device-id hostname
logging host Branches 172.16.1.80
flow-export destination Branches 172.16.1.80 2055
flow-export template timeout-rate 15
mtu publicWAN 1500
mtu guest 1500
mtu Branches 1500
mtu JHA 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any publicWAN
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,publicWAN) dynamic interface
object network obj-10.0.0.0
nat (Branches,JHA) static 10.0.0.0
object network obj_guest
nat (guest,publicWAN) dynamic interface
object network obj-172.16.1.0
nat (Branches,JHA) static 172.16.1.0
object network obj-172.16.1.5
nat (Branches,publicWAN) static interface service tcp smtp smtp
object network obj-172.16.1.5-01
nat (Branches,publicWAN) static interface service tcp https https
access-group outside in interface publicWAN
access-group guest in interface guest
access-group Branches in interface Branches
access-group JHA in interface JHA
route publicWAN 0.0.0.0 0.0.0.0 X.X.X.X. 1
route Branches 10.0.0.0 255.255.0.0 192.168.254.2 1
route Branches 10.0.5.0 255.255.255.0 192.168.254.2 1
route Branches 10.28.11.0 255.255.255.0 192.168.254.2 1
route Branches 10.55.4.0 255.255.255.0 192.168.254.2 1
route Branches 10.55.6.0 255.255.255.0 192.168.254.2 1
route Branches 10.57.4.0 255.255.255.0 192.168.254.2 1
route Branches 10.57.6.0 255.255.255.0 192.168.254.2 1
route Branches 10.71.4.0 255.255.255.0 192.168.254.2 1
route Branches 10.71.6.0 255.255.255.0 192.168.254.2 1
route JHA 10.150.0.0 255.255.0.0 10.0.8.254 1
route JHA 10.251.4.0 255.255.255.0 10.0.8.254 1
route Branches 172.16.0.0 255.255.0.0 192.168.254.2 1
route Branches 172.28.0.0 255.255.0.0 192.168.254.2 1

route Branches 172.28.250.0 255.255.255.0 192.168.254.2 1
route Branches 192.9.200.0 255.255.255.0 192.168.254.2 1
route Branches 192.9.201.0 255.255.255.0 192.168.254.2 1
route Branches 192.9.220.0 255.255.255.0 192.168.254.2 1
route Branches 200.0.0.0 255.255.0.0 192.168.254.2 1
route Branches 200.0.11.0 255.255.255.0 192.168.254.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
  always-on-vpn profile-setting
aaa-server HB_LDAP_Group protocol ldap
aaa-server HB_LDAP_Group (Branches) host 172.16.1.2
server-port 636
ldap-base-dn CN=VPN LDAP,OU=HB Users,DC=hb,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn VPN LDAP
ldap-over-ssl enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 Branches
http 172.16.0.0 255.255.0.0 Branches
snmp-server host Branches 172.16.1.80 community *****
snmp-server location Seagoville
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
sysopt connection timewait
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 publicWAN
ssh 10.0.0.0 255.255.0.0 Branches
ssh 172.16.0.0 255.255.0.0 Branches
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd domain hb.local
!
dhcpd address 10.0.254.100-10.0.254.200 guest
dhcpd dns 12.127.17.72 12.127.17.73 interface guest
dhcpd enable guest
!
threat-detection rate acl-drop rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28 source publicWAN
webvpn
port 4443
enable publicWAN
enable Branches
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 172.16.1.2
vpn-tunnel-protocol ikev2 ssl-client
default-domain value hb.local
split-tunnel-all-dns enable
username HBAdmin password azFWMwV/tQh/YjoW encrypted
tunnel-group Remote_VPN_Users type remote-access
tunnel-group Remote_VPN_Users general-attributes
address-pool Remote_VPN_DHCP_Pool
authentication-server-group HB_LDAP_Group LOCAL
default-group-policy GroupPolicy1
dhcp-server 172.16.1.2
tunnel-group Remote_VPN_Users webvpn-attributes
group-alias RemoteVPNUsers enable
!
class-map inspection_default
match default-inspection-traffic
class-map ips_module_class_map
match access-list traffic_send_ips_module
!
!

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect http
  inspect icmp
  inspect ip-options
class ips_module_class_map
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1c38a95ce10dab97ac6ad2e99823f5a2
: end

ASA#            exit

Logoff

1 Accepted Solution

Accepted Solutions

Also depending on your requirements you may want to configure split tunneling.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

2 Replies 2

Looks like you are missing the nonat statement.  Try adding the following and test (adjust the source subnet to match your needs)

object network VPN_range

range 172.16.253.100 172.16.253

nat (Branches,publicWAN) source static obj-10.0.0.0 obj-10.0.0.0 destination static VPN_range VPN_range

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Also depending on your requirements you may want to configure split tunneling.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: