Unable to reach internal networks from AnyConnect VPN - ASA ver 8.6

wesdouglas
Level 1

Good morning all, I am trying to configure an AnyConnect solution using a pair of 5545-X ASAs running 8.6 software. I am unable to access my internal network when connected to VPN.

When I do a packet trace from an unassigned IP address in the VPN DHCP pool the flow is created all right, but when I packet trace using an IP that has been assigned to an AnyConnect client the flow is not created. The trace gets as far as webvpn-svc and gets dropped. I'm hoping this is an easy fix and another pair of eyes will be able to spot it for me. Packet trace and config are below.

Thanks very much in advance for any help.

: Saved
:
ASA Version 8.6(1)2
!
hostname uk-abz-p-vpn-01
enable password xxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
 description External DMZ
 speed 1000
 duplex full
 nameif PUBLIC
 security-level 0
 ip address 10.30.34.3 255.255.255.0
!
interface GigabitEthernet0/1
 description Internal DMZ
 speed 1000
 duplex full
 nameif PRIVATE
 security-level 100
 ip address 10.30.35.1 255.255.255.0
!
interface GigabitEthernet0/2
 speed 1000
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 speed 1000
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 speed 1000
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 speed 1000
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 speed 1000
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 description LAN/STATE Failover Interface
 speed 1000
 duplex full
!
interface Management0/0
 speed 1000
 duplex full
 nameif management
 security-level 0
 ip address 10.30.112.9 255.255.255.0
 management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.1.0.1
 name-server 10.1.0.2
same-security-traffic permit intra-interface
object network TSUK-AnyConnectVPN
 subnet 10.44.10.0 255.255.255.0
object-group network TSUK-Networks
 network-object 10.0.0.0 255.0.0.0
 network-object 172.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
access-list PUBLIC_access_in extended permit ip object TSUK-AnyConnectVPN object-group TSUK-Networks
pager lines 24
logging enable
logging timestamp
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
mtu PUBLIC 1500
mtu PRIVATE 1500
mtu management 1500
ip local pool test 10.44.10.10-10.44.10.12 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/7
failover link FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 10.35.13.209 255.255.255.252 standby 10.35.13.210
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
nat (PRIVATE,PUBLIC) source static TSUK-Networks TSUK-Networks destination static TSUK-AnyConnectVPN TSUK-AnyConnectVPN no-proxy-arp route-lookup
access-group PUBLIC_access_in in interface PUBLIC
route PUBLIC 0.0.0.0 0.0.0.0 10.30.34.254 1
route PRIVATE 10.0.0.0 255.0.0.0 10.30.35.254 1
route management 10.1.0.193 255.255.255.255 10.30.112.254 1
route management 10.50.102.0 255.255.255.0 10.30.112.254 1
route PRIVATE 192.168.0.0 255.255.0.0 10.30.35.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server aberdeen protocol tacacs+
aaa-server aberdeen (management) host 10.30.49.6
 key *****
aaa-server Cisco_ACS protocol radius
aaa-server TalismanRSA protocol sdi
user-identity default-domain LOCAL
aaa authentication ssh console aberdeen LOCAL
aaa authentication enable console aberdeen LOCAL
aaa authentication http console aberdeen LOCAL
http server enable
http 10.50.0.0 255.255.0.0 management
http 10.1.0.0 255.255.0.0 management
snmp-server host management 10.1.0.193 community ***** version 2c
snmp-server location Aberdeen Data Centre
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map PUBLIC_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map PUBLIC_map interface PUBLIC
crypto map PRIVATE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map PRIVATE_map interface PRIVATE
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=uk-abz-p-vpn-01
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 4285b051
    30820250 308201b9 a0030201 02020442 85b05130 0d06092a 864886f7 0d010105
    0500303a 31183016 06035504 03130f75 6b2d6162 7a2d702d 76706e2d 3031311e
    301c0609 2a864886 f70d0109 02160f75 6b2d6162 7a2d702d 76706e2d 3031301e
    170d3133 30373031 31333430 31345a17 0d323330 36323931 33343031 345a303a
    31183016 06035504 03130f75 6b2d6162 7a2d702d 76706e2d 3031311e 301c0609
    2a864886 f70d0109 02160f75 6b2d6162 7a2d702d 76706e2d 30313081 9f300d06
    092a8648 86f70d01 01010500 03818d00 30818902 818100d6 04f5b3f4 00d792a7
    bb6a3f11 fd0784a1 5863f14e 7afb00a8 e630e284 857965a4 a085d6cd cffbba55
    2bbe301d 0603551d 0e041604 1411dcc0 2b7cce4b 6f33a2bb cda979f7 ec09332b
    be300d06 092a8648 86f70d01 01050500 03818100 4ebaea54 994613ba 5f099b57
    4ad30645 d47d8af0 4325896f 24f014d9 8b05062c 5909a3e0 4a8eac08 fa27aaeb
    61b7569e 39310995 e4fcd843 2bdfe3d3 a6a726da 5dda1f6a a9f00337 936431a5
    f871028a 29730596 d84ac770 575eae1f db78a3c4 668f2d3f d4f369eb e1bd588c
    ff0a0a48 6dfdd27b 231139bf f9a41eb8 583bc237
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable PUBLIC client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.50.0.0 255.255.0.0 management
ssh 10.1.0.0 255.255.0.0 management
ssh timeout 30
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.1.0.239 prefer
ntp server 10.30.49.3 source management
ntp server 10.30.49.2 source management
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 PUBLIC
ssl trust-point ASDM_TrustPoint0 PRIVATE
webvpn
 enable PUBLIC
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-64-3.1.03103-k9.pkg 3
 anyconnect profiles TSUK_client_profile disk0:/TSUK_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_TSUK internal
group-policy GroupPolicy_TSUK attributes
 wins-server none
 dns-server value 10.1.0.1 10.1.0.2
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelall
 default-domain value euro.tlm.com
 webvpn
  anyconnect profiles value TSUK_client_profile type user
username xxxxxxxxx password xxxxxxxxxxxxx encrypted
username xxxxxxxxx password xxxxxxxxxxxxx encrypted privilege 15
username xxxxxxxxx password xxxxxxxxxxxxx encrypted privilege 15
tunnel-group TSUK type remote-access
tunnel-group TSUK general-attributes
 address-pool test
 default-group-policy GroupPolicy_TSUK
tunnel-group TSUK webvpn-attributes
 group-alias TSUK enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3edfb08a7e1628366f09eb50c2110b9f
: end

ROUTE-LOOKUP
Type - ROUTE-LOOKUP
Action - ALLOW
Info
in 10.0.0.0 255.0.0.0 PRIVATE

UN-NAT
Type - UN-NAT
Subtype - static
Action - ALLOW
Config
nat (PRIVATE,PUBLIC) source static TSUK-Networks TSUK-Networks destination static TSUK-AnyConnectVPN TSUK-AnyConnectVPN no-proxy-arp route-lookup
Info
NAT divert to egress interface PRIVATE
Untranslate 10.1.0.1/0 to 10.1.0.1/0

ACCESS-LIST
Type - ACCESS-LIST
Action - ALLOW
Config
access-group PUBLIC_access_in in interface PUBLIC
access-list PUBLIC_access_in extended permit ip object TSUK-AnyConnectVPN object-group TSUK-Networks
object-group network TSUK-Networks
 network-object 10.0.0.0 255.0.0.0
 network-object 172.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0

IP-OPTIONS
Type - IP-OPTIONS
Action - ALLOW

CP-PUNT
Type - CP-PUNT
Action - ALLOW

WEBVPN-SVC
Type - WEBVPN-SVC
Action - DROP

RESULT - The packet is dropped.
Info: (acl-drop) Flow is denied by configured rule.

2 Replies

Julio Carvajal
VIP Alumni

Hello,

First recommendation:

Use a different subnet from the inside network for the VPN client pool (for example 192.168.10.0/24), as most of the time there will be problems related to routing or NAT that happen due to this.

Modify the config with that and let me know.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/


Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, I changed the test pool to 172.31.0.10-.12/24 and amended the ACLs to mirror it. Now the trace looks like this. Same result.

ROUTE-LOOKUP
Type - ROUTE-LOOKUP
Action - ALLOW
Info
in 10.0.0.0 255.0.0.0 PRIVATE

UN-NAT
Type - UN-NAT
Subtype - static
Action - ALLOW
Config
nat (PRIVATE,PUBLIC) source static TSUK-Networks TSUK-Networks destination static TSUK-AnyConnectVPN TSUK-AnyConnectVPN no-proxy-arp route-lookup
Info
NAT divert to egress interface PRIVATE
Untranslate 10.1.0.1/0 to 10.1.0.1/0

ACCESS-LIST
Type - ACCESS-LIST
Action - ALLOW
Config
access-group PUBLIC_access_in in interface PUBLIC
access-list PUBLIC_access_in extended permit ip object TSUK-AnyConnectVPN object-group TSUK-Networks
object-group network TSUK-Networks
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0

IP-OPTIONS
Type - IP-OPTIONS
Action - ALLOW

CP-PUNT
Type - CP-PUNT
Action - ALLOW

WEBVPN-SVC
Type - WEBVPN-SVC
Action - DROP

RESULT - The packet is dropped.
Info: (acl-drop) Flow denied by configured rule.

Thanks again

Wes
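As an added example that is not part of the thread (and not Cisco's code), here is a small Python checker that applies Julio's first recommendation mechanically to both configs discussed above: it parses the ip local pool, object network / object-group network, NAT-exemption and route lines of an ASA config and reports where a VPN address pool overlaps a member of the object the NAT exemption treats as the inside side, or is covered by a non-default static route. The first sample is lifted from the config Wes posted; the second reflects his follow-up change to 172.31.0.10-.12/24 with the 172.0.0.0/8 object removed. The new TSUK-AnyConnectVPN subnet (172.31.0.0/24) is an assumption, since the page only shows the new pool range and the trimmed object-group.

```python
"""Flag a remote-access VPN pool that overlaps the 'inside' networks of an ASA
config. Added example, standard library only (Python 3.8+)."""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Constructed sample 1: the lines from the original poster's config that govern
# the pool / NAT-exemption / route relationship (everything else omitted).
ORIGINAL_CONFIG = """\
object network TSUK-AnyConnectVPN
 subnet 10.44.10.0 255.255.255.0
object-group network TSUK-Networks
 network-object 10.0.0.0 255.0.0.0
 network-object 172.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
ip local pool test 10.44.10.10-10.44.10.12 mask 255.255.255.0
nat (PRIVATE,PUBLIC) source static TSUK-Networks TSUK-Networks destination static TSUK-AnyConnectVPN TSUK-AnyConnectVPN no-proxy-arp route-lookup
route PUBLIC 0.0.0.0 0.0.0.0 10.30.34.254 1
route PRIVATE 10.0.0.0 255.0.0.0 10.30.35.254 1
route PRIVATE 192.168.0.0 255.255.0.0 10.30.35.254 1
"""

# Constructed sample 2: the same lines after Wes's change. The 172.31.0.0/24
# object subnet is an assumption; the thread shows only the new pool range.
MODIFIED_CONFIG = """\
object network TSUK-AnyConnectVPN
 subnet 172.31.0.0 255.255.255.0
object-group network TSUK-Networks
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
ip local pool test 172.31.0.10-172.31.0.12 mask 255.255.255.0
nat (PRIVATE,PUBLIC) source static TSUK-Networks TSUK-Networks destination static TSUK-AnyConnectVPN TSUK-AnyConnectVPN no-proxy-arp route-lookup
route PUBLIC 0.0.0.0 0.0.0.0 10.30.34.254 1
route PRIVATE 10.0.0.0 255.0.0.0 10.30.35.254 1
route PRIVATE 192.168.0.0 255.255.0.0 10.30.35.254 1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
NAT_RE = re.compile(r"^\s*nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)", re.M)
POOL_RE = re.compile(rf"^\s*ip local pool (\S+) {IP}-{IP}", re.M)
ROUTE_RE = re.compile(rf"^\s*route (\S+) {IP} {IP} {IP}", re.M)


def _net(addr: str, mask: str) -> Net:
    """Build a prefix from ASA's 'address netmask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_named_networks(config: str) -> Dict[str, List[Net]]:
    """Map each 'object network' / 'object-group network' name to its prefixes.
    'network-object object NAME' references are resolved after the first pass."""
    names: Dict[str, List[Net]] = {}
    refs: List[Tuple[str, str]] = []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object(?:-group)? network (\S+)$", line)
        if m:
            current = m.group(1)
            names.setdefault(current, [])
            continue
        if current is None:
            continue
        if (m := re.match(rf"(?:subnet|network-object) {IP} {IP}$", line)):
            names[current].append(_net(m.group(1), m.group(2)))
        elif (m := re.match(rf"(?:host|network-object host) {IP}$", line)):
            names[current].append(ipaddress.ip_network(m.group(1)))
        elif (m := re.match(r"network-object object (\S+)$", line)):
            refs.append((current, m.group(1)))
        elif not raw.startswith(" "):
            current = None  # an unindented line ends the object block
    for group, ref in refs:
        names[group].extend(names.get(ref, []))
    return names


def parse_pools(config: str) -> Dict[str, List[Net]]:
    """'ip local pool NAME first-last ...' -> name -> prefixes covering the range."""
    pools: Dict[str, List[Net]] = {}
    for m in POOL_RE.finditer(config):
        first, last = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
        pools[m.group(1)] = list(ipaddress.summarize_address_range(first, last))
    return pools


def parse_routes(config: str) -> List[Tuple[str, Net, str]]:
    """'route IFACE net mask nexthop' -> (iface, prefix, nexthop)."""
    return [(m.group(1), _net(m.group(2), m.group(3)), m.group(4)) for m in ROUTE_RE.finditer(config)]


def check_pool_overlap(config: str) -> List[str]:
    """One finding per overlap between a VPN pool and (a) a member of the object
    the NAT exemption uses as its inside side, or (b) a non-default static route.
    An empty list means the pool is disjoint from both."""
    names, pools, findings = parse_named_networks(config), parse_pools(config), []
    for m in NAT_RE.finditer(config):
        inside = m.group(3)  # 'source static X X': X is the inside side
        for pool, ranges in pools.items():
            for member in names.get(inside, []):
                hit = next((r for r in ranges if member.overlaps(r)), None)
                if hit is not None:
                    findings.append(f"pool {pool} ({hit}) overlaps {inside} member {member}")
    for pool, ranges in pools.items():
        for iface, prefix, nexthop in parse_routes(config):
            if prefix.prefixlen == 0:
                continue  # the default route covers everything; not informative
            if any(prefix.overlaps(r) for r in ranges):
                findings.append(f"pool {pool} is covered by 'route {iface} {prefix} {nexthop}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("modified", MODIFIED_CONFIG)):
        print(label, check_pool_overlap(cfg) or ["no overlap"])
```

Run against the first sample it reports that the 10.44.10.x pool sits inside the 10.0.0.0/8 member of TSUK-Networks and inside the PRIVATE route for 10.0.0.0/8, which is the overlap Julio's recommendation removes; against the second sample it reports nothing, so whatever is still dropping the flow at WEBVPN-SVC is not pool overlap. The check reads only the static config, so it says nothing about the per-session state the ASA builds for a connected client.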
