Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2064
Views
6
Helpful
5
Replies

Remote user cannot access the inside corporate network using anyconnect vpn

lourdesanne
Level 1
Level 1

‎02-08-2012 06:35 PM - edited ‎03-11-2019 03:26 PM

Hi guys,

Can anyone help me why i can't access the servers that is on the corporate network that is located on the trust side of the ssg140 firewall using anyconnect vpn.

my network topology goes like these:

               dmz                 untrust

                |                      |

                |                      |

               \/                     \/

ASA5510 ------- SSG140 ------- INTERNET ------ REMOTE USER

                         |

                         | <-------- trust

                         |

CORPORATE NETWORK (where the servers are located)

Config on asa:

ASA Version 8.0(4)

!

hostname ciscoasa

domain-name thpal.local

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

no ip address

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.30.10.236 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 40

ip address 192.168.200.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns domain-lookup management

dns server-group DefaultDNS

name-server 192.168.1.1

domain-name thpal.local

same-security-traffic permit intra-interface

access-list inside_access_out extended permit ip any any

access-list inside_access_out_1 extended permit ip any any inactive

access-list inside_access_out_1 extended permit icmp any any echo-reply inactive

access-list SPLITTUNNEL standard permit 172.30.10.0 255.255.255.0

access-list SPLITTUNNEL standard permit 172.30.20.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any any

access-list inside_nat0_outbound_1 extended permit ip 172.30.20.0 255.255.255.0 172.30.10.0 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip 172.30.10.0 255.255.255.0 172.30.20.0 255.255.255.0

access-list inside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool ANYPOOL 172.30.20.60-172.30.20.65 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

global (inside) 1 172.30.20.20-172.30.20.25 netmask 255.0.0.0

global (inside) 2 203.167.x.x netmask 255.255.255.240

nat (inside) 0 access-list inside_nat0_outbound_1

nat (inside) 1 172.30.10.0 255.255.255.0

static (inside,inside) 203.167.x.x 172.30.10.236 netmask 255.255.255.255

static (inside,inside) 172.30.20.0 172.30.10.0 netmask 255.255.255.0

access-group inside_access_in in interface inside

access-group inside_access_out_1 out interface inside

route inside 0.0.0.0 0.0.0.0 172.30.10.1 1

route inside 0.0.0.0 0.0.0.0 172.30.10.236 tunneled

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 172.30.10.0 255.255.255.0 inside

http 192.168.200.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.200.2-192.168.200.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable inside

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc enable

port-forward remoteaccess 2300 192.168.1.1 telnet telnet to ssg5

port-forward remoteaccess 2100 192.168.1.236 ftp connects to ftp

group-policy DfltGrpPolicy attributes

dns-server value 192.168.1.1

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-network-list value SPLITTUNNEL

default-domain value thpal.local

group-policy CLIENTLESS_SSL_POLICY internal

group-policy CLIENTLESS_SSL_POLICY attributes

wins-server none

dns-server value 192.168.1.1

vpn-tunnel-protocol l2tp-ipsec

default-domain value thpal.local

webvpn

  url-list value ssl_services

group-policy ANYCON internal

group-policy ANYCON attributes

wins-server none

dns-server value 192.168.1.1

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLITTUNNEL

default-domain value thpal.local

webvpn

  url-list value ssl_services

  port-forward disable

  svc ask enable default svc

username Sally password kjqjVsSlNIa.DGOu encrypted privilege 15

username Sally attributes

vpn-group-policy ANYCON

webvpn

  port-forward auto-start remoteaccess

  url-list value ssl_services

username Louanne password 0IoElNJ1cQv7RJiy encrypted privilege 15

username Louanne attributes

vpn-group-policy ANYCON

webvpn

  port-forward auto-start remoteaccess

  url-list value ssl_services

username Jonathan password 4DZSa0919GBhEyiT encrypted

username Jonathan attributes

vpn-group-policy ANYCON

webvpn

  url-list value ssl_services

username Rommel password 6hWsMiVOi2o1KyzI encrypted privilege 15

username Larry password m98u9t2E8Jrzu96P encrypted

username Larry attributes

vpn-group-policy CLIENTLESS_SSL_POLICY

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool ANYPOOL

tunnel-group CL_SSLVPN_PROFILE type remote-access

tunnel-group CL_SSLVPN_PROFILE general-attributes

default-group-policy CLIENTLESS_SSL_POLICY

tunnel-group anycon type remote-access

tunnel-group anycon general-attributes

address-pool ANYPOOL

default-group-policy ANYCON

tunnel-group anycon webvpn-attributes

group-alias anycon enable

group-url https://203.167.x.x/anycon enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:a9e4e955d01c1504b4b85fa39e040886

: end

Remote user can established an anyconnect vpn connection to the asa and can access the local folders and internet while connected to the vpn but it cannot access the remote corporate network.

Any help would be much appreciated.

Thanks.

-L.A.-

Labels:
0 Helpful
5 Replies 5

Julio Carvajal
VIP Alumni
VIP Alumni

‎02-08-2012 06:46 PM

Hello Lourdes,

Can you remove the following:

no  access-group inside_access_out_1 out interface inside

And then give it a try.

Also

Please provide following output as well

packet-tracer input inside tcp 172.30.20.62 1025 172.30.10.11  80

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

lourdesanne
Level 1
Level 1
In response to Julio Carvajal

‎02-08-2012 07:00 PM

Hi Julio,

Thanks for the reply.

I already add the management-access inside. What should i ping?

here is the result of the packet tracer command

ciscoasa(config)# packet-tracer input inside tcp 172.30.20.62 1025 172.30.10.1$

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   172.30.10.0     255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: CP-PUNT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: WEBVPN-SVC

Subtype: in

Result: DROP

Config:

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful

rizwanr74
Level 7
Level 7
In response to lourdesanne

‎02-08-2012 07:09 PM

Please remove this static nat.

static (inside,inside) 172.30.20.0 172.30.10.0 netmask 255.255.255.0

Please make sure you have a static route on your inside network to push "172.30.20.0 255.255.255.0" to FW's inside interface ip address i.e. 172.30.10.236

try it and let me know the result.

thanks

Rizwan Rafeek

lourdesanne
Level 1
Level 1
In response to rizwanr74

‎02-08-2012 07:25 PM

Hi Rizwan,

Thanks for the reply.

I did what you have suggested, and it works like magic.

May I ask the reason for removing the static nat:

static (inside,inside) 172.30.20.0 172.30.10.0 netmask 255.255.255.0

Thank you very much and kind regards.

-L.A.-

0 Helpful

rizwanr74
Level 7
Level 7
In response to lourdesanne

‎02-09-2012 05:53 AM

Hi Lourdes Anne,

I am glad to hear that worked out for you.

"May I ask the reason for removing the static nat:

static (inside,inside) 172.30.20.0 172.30.10.0 netmask 255.255.255.0"

FW sees that IP segment comes from outside interface but your above statement tells FW to translate it to inside, which is a contradictory rule.

Please rate, any help post, so that it will be a helpful tip for someone else.

thanks

Rizwan Rafeek

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card