8.4.2 SSL AnyConnect Clients two groups two inside interfaces one outside interface

bschrunk
Level 1

Hello,

I am having an issue: I need to have the outside interface terminate an SSL AnyConnect client. I have several groups that will log in, and I need multiple inside interfaces to satisfy my security needs.

I have one group called ombudsman-mhdd that needs to go out interface g0/1.231, and another group called oet-router that goes out g0/1.232.

This works on my 8.2 box but I am having trouble routing traffic out these interfaces.

Any help would be greatly appreciated.

interface GigabitEthernet0/0
description trunk mplsfe-hub g1/10 - - null
nameif outside
security-level 0
ip address 207.171.92.25 255.255.255.252
!
interface GigabitEthernet0/1
description trunk  mplsfe-hub g1/11 - - null
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.231
description mplsfe-hub g1/11.231 - null    V17:vpn-crs
vlan 231
nameif inside
security-level 100
ip address 207.171.109.173 255.255.255.252
!
interface GigabitEthernet0/1.232
description mplsfe-hub g1/11.232 - null    vpn-admin
vlan 232
nameif vpn-admin
security-level 100
ip address 207.171.120.29 255.255.255.252
!

3 Replies

Marcin Latosiewicz
Cisco Employee

Hi,

I assume you're doing this via

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/uz.html#wp1547912

If so (unless someone has a better idea) I would suggest opening a TAC case so we have a look in depth, with full config and logs ;-)

M.

interface GigabitEthernet0/0
description trunk mplsfe-hub g1/10 - - null
nameif outside
security-level 0
ip address 207.171.92.25 255.255.255.252
!
interface GigabitEthernet0/1
description trunk  mplsfe-hub g1/11 - - null
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.231
description mplsfe-hub g1/11.231 - null    V17:vpn-crs
vlan 231
nameif inside
security-level 100
ip address 207.171.109.173 255.255.255.252
!
interface GigabitEthernet0/1.232
description mplsfe-hub g1/11.232 - null    vpn-admin
vlan 232
nameif vpn-admin
security-level 100
ip address 207.171.120.29 255.255.255.252

This is the current config. I have a case open with them and they aren't having any success. This is very unusual; we are acting as an ISP for various agencies to SSL into the network.

:
ASA Version 8.4(2)
!
hostname mplsfe-shpix
domain-name r.state.mn.us
names
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 10.10.10.2 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 156.98.47.21
name-server 207.171.71.71
name-server 156.98.1.1
domain-name r.state.mn.us
dns server-group ns1.state.mn.us
dns server-group ns2.state.mn.us
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ombudsman-mhdd-outside
subnet 10.77.25.0 255.255.255.224
object network oet-router-outside
subnet 10.77.25.64 255.255.255.192
object network 10.77.25.65
host 10.77.25.65
object network 172.20.111.117
host 172.20.111.117
object-group network dns-servers
network-object 156.98.47.21 255.255.255.255
network-object 156.98.1.1 255.255.255.255
network-object 156.98.47.20 255.255.255.255
network-object 156.99.222.4 255.255.255.255
network-object 207.171.71.71 255.255.255.255
object-group network inside-networks
description all state networks inside
network-object 156.98.0.0 255.255.0.0
network-object 156.99.0.0 255.255.0.0
network-object 136.234.0.0 255.255.0.0
network-object 207.171.0.0 255.255.0.0
network-object 64.8.0.0 255.255.0.0
network-object 172.0.0.0 255.0.0.0
network-object 10.0.0.0 255.0.0.0
access-list capin extended permit ip host 10.77.25.65 host 172.20.111.117
access-list capin extended permit ip host 172.20.111.117 host 10.77.25.65
no pager
logging enable
logging timestamp
logging buffer-size 10000
logging asdm-buffer-size 512
logging monitor debugging
logging buffered warn-vpn
logging facility 21
logging device-id hostname
mtu outside 1500
mtu inside 1500
mtu vpn-admin 1500
mtu management 1500
ip local pool ombudsman-mhdd 10.77.25.1-10.77.25.30 mask 255.255.255.224
ip local pool oet-router 10.77.25.65-10.77.25.126 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any inside
asdm image disk0:/asdm-645-204.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-networks inside-networks destination static ombudsman-mhdd-outside ombudsman-mhdd-outside no-proxy-arp route-lookup
nat (outside,outside) source dynamic ombudsman-mhdd-outside interface
nat (any,vpn-admin) source static 10.77.25.65 interface destination static 172.20.111.117 172.20.111.117
nat (inside,vpn-admin) source static inside-networks inside-networks destination static oet-router-outside oet-router-outside no-proxy-arp route-lookup
!
object network ombudsman-mhdd-outside
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 207.171.92.26 1
route vpn-admin 0.0.0.0 0.0.0.0 207.171.120.30 2
route inside 10.0.0.0 255.0.0.0 207.171.109.174 1
route inside 64.8.0.0 255.255.0.0 207.171.109.174 1
route outside 68.87.77.134 255.255.255.255 207.171.92.26 1
route inside 136.234.0.0 255.255.0.0 207.171.109.174 1
route outside 136.234.20.1 255.255.255.255 156.99.224.241 1
route outside 136.234.168.137 255.255.255.255 207.171.92.26 1
route outside 136.234.168.141 255.255.255.255 207.171.92.26 1
route outside 136.234.197.28 255.255.255.255 207.171.92.26 1
route inside 156.98.0.0 255.255.0.0 207.171.109.174 1
route outside 156.98.1.1 255.255.255.255 207.171.92.26 1
route outside 156.98.1.168 255.255.255.248 207.171.92.26 1
route outside 156.98.3.136 255.255.255.248 207.171.92.26 1
route outside 156.98.48.176 255.255.255.255 207.171.92.26 1
route outside 156.98.75.0 255.255.255.0 156.98.75.3 1
route outside 156.98.75.253 255.255.255.255 207.171.92.26 1
route outside 156.98.77.245 255.255.255.255 207.171.92.26 1
route outside 156.98.99.4 255.255.255.255 207.171.92.26 1
route inside 156.99.0.0 255.255.0.0 207.171.109.174 1
route outside 156.99.0.40 255.255.255.248 207.171.92.26 1
route outside 156.99.11.56 255.255.255.248 207.171.92.26 1
route outside 156.99.11.120 255.255.255.248 207.171.92.26 1
route outside 156.99.23.56 255.255.255.248 207.171.92.26 1
route outside 156.99.26.64 255.255.255.248 207.171.92.26 1
route outside 156.99.26.80 255.255.255.248 207.171.92.26 1
route outside 156.99.28.120 255.255.255.248 207.171.92.26 1
route outside 156.99.31.96 255.255.255.240 207.171.92.26 1
route outside 156.99.34.216 255.255.255.248 207.171.92.26 1
route outside 156.99.34.232 255.255.255.248 207.171.92.26 1
route outside 156.99.38.225 255.255.255.255 207.171.92.26 1
route outside 156.99.41.163 255.255.255.255 207.171.92.26 1
route outside 156.99.63.16 255.255.255.248 207.171.92.26 1
route outside 156.99.63.24 255.255.255.248 207.171.92.26 1
route outside 156.99.90.141 255.255.255.255 207.171.92.26 1
route outside 156.99.90.142 255.255.255.255 207.171.92.26 1
route outside 156.99.90.160 255.255.255.248 207.171.92.26 1
route outside 156.99.90.176 255.255.255.248 207.171.92.26 1
route outside 156.99.93.159 255.255.255.255 207.171.92.26 1
route outside 156.99.98.72 255.255.255.248 207.171.92.26 1
route outside 156.99.106.232 255.255.255.248 207.171.92.26 1
route outside 156.99.115.224 255.255.255.248 207.171.92.26 1
route outside 156.99.124.128 255.255.255.240 207.171.92.26 1
route inside 172.0.0.0 255.0.0.0 207.171.109.174 1
route inside 172.16.0.0 255.240.0.0 207.171.109.174 1
route vpn-admin 172.20.111.116 255.255.255.252 207.171.120.30 2
route vpn-admin 172.25.224.0 255.255.248.0 207.171.87.126 2
route vpn-admin 172.25.232.0 255.255.248.0 207.171.87.126 2
route vpn-admin 172.25.240.0 255.255.240.0 207.171.87.126 2
route inside 207.171.0.0 255.255.0.0 207.171.109.174 1
route outside 207.171.110.90 255.255.255.255 156.99.224.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authorization command LOCAL
http server enable
sysopt connection tcpmss 1200
sysopt connection preserve-vpn-flows
auth-prompt prompt Enter RSA Token Codes
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint Intermediate
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint0-VPN2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint0-VPN2c
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPointVPN3
crl configure
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 864000
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
console timeout 30
management-access vpn-admin
dhcpd wins 156.98.47.21 156.98.47.20
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 156.99.23.20
ntp server 156.98.1.113
tftp-server inside 156.99.121.129 /home/tftpboot
ssl trust-point VPN_trust vpn-admin
ssl trust-point VPN_trust outside
ssl trust-point VPN_trust inside
webvpn
enable outside
enable inside
enable vpn-admin
anyconnect-essentials
anyconnect image disk0:/anyconnect-dart-win-2.5.3041-k9.pkg 1
anyconnect enable
tunnel-group-list enable
************************************
group-policy GroupPolicy_ombudsman-mhdd internal
group-policy GroupPolicy_ombudsman-mhdd attributes
banner value You are now logging on to the Ombudsman VPN.  Unauthorized access to this network is strictly prohibited.  By logging into this network you agree to all State and Federal Laws Governing Remote Access.
wins-server value 156.99.113.62 156.99.113.61
dns-server value 156.99.113.62 156.99.113.61
vpn-tunnel-protocol ssl-client
group-lock value ombudsman-mhdd
default-domain value state.mn.us
address-pools value ombudsman-mhdd
webvpn
  anyconnect modules value dart,vpngina
group-policy oet-router internal
*************************************
group-policy oet-router attributes
wins-server value 156.98.47.21 156.99.222.4
dns-server value 156.98.47.20 156.98.47.21
vpn-tunnel-protocol ssl-client
group-lock value oet-router
default-domain value admin.state.mn.us
vlan 232
webvpn
  anyconnect modules value dart,vpngina
  anyconnect ask none default anyconnect
  ****************************************
tunnel-group DefaultRAGroup webvpn-attributes
radius-reject-message
proxy-auth sdi
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 120 retry 5
tunnel-group DefaultWEBVPNGroup webvpn-attributes
radius-reject-message
tunnel-group ombudsman-mhdd type remote-access
tunnel-group ombudsman-mhdd general-attributes
address-pool ombudsman-mhdd
authentication-server-group keyfob
default-group-policy GroupPolicy_ombudsman-mhdd
tunnel-group ombudsman-mhdd webvpn-attributes
group-alias ombudsman-mhdd enable
tunnel-group oet-router type remote-access
tunnel-group oet-router general-attributes
address-pool oet-router
authentication-server-group keyfob
default-group-policy oet-router
tunnel-group oet-router webvpn-attributes
group-alias oet-router enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
mplsfe-shpix#
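The group-policy `vlan` attribute the OP mentions is what ties a policy's client traffic to one subinterface, so a mismatch between the policy's VLAN id and the subinterface carrying that VLAN is the first thing to check in a config like the one above. Added here as an example (not code from the thread), this Python snippet extracts those mappings from a config dump and flags policies that have no mapping or name a VLAN no interface carries; the config excerpt is constructed from the thread's config plus one deliberately mistyped policy named constructed-typo.

```python
# Added example, not from the thread: audit the group-policy "vlan" mappings
# in an ASA config. SAMPLE_CONFIG is a constructed excerpt modelled on the
# thread's 8.4(2) config, plus one deliberately broken policy.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.231
 vlan 231
 nameif inside
interface GigabitEthernet0/1.232
 vlan 232
 nameif vpn-admin
group-policy GroupPolicy_ombudsman-mhdd attributes
 address-pools value ombudsman-mhdd
group-policy oet-router attributes
 vlan 232
group-policy constructed-typo attributes
 vlan 223
"""

def parse_vlan_mappings(config):
    """Return {policy: {"vlan": id or None, "egress": nameif or None}}.
    Assumes child commands follow their 'interface' or 'group-policy ...
    attributes' header line, as they do in a running-config dump."""
    vlan_to_nameif, policies = {}, {}
    section, cur_vlan, cur_policy = None, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            section, cur_vlan = "interface", None
        elif line.startswith("group-policy ") and line.endswith(" attributes"):
            section, cur_policy = "policy", line.split()[1]
            policies[cur_policy] = {"vlan": None, "egress": None}
        elif section == "interface" and line.startswith("vlan "):
            cur_vlan = int(line.split()[1])          # subinterface VLAN id
        elif section == "interface" and line.startswith("nameif ") and cur_vlan:
            vlan_to_nameif[cur_vlan] = line.split()[1]
        elif section == "policy" and line.startswith("vlan "):
            policies[cur_policy]["vlan"] = int(line.split()[1])
    for p in policies.values():                      # resolve VLAN id -> nameif
        if p["vlan"] is not None:
            p["egress"] = vlan_to_nameif.get(p["vlan"])
    return policies

def find_unmapped(policies):
    """Policies with no 'vlan': their client traffic follows the routing table."""
    return sorted(n for n, p in policies.items() if p["vlan"] is None)

def find_dangling(policies):
    """Policies whose 'vlan' matches no configured subinterface."""
    return sorted(n for n, p in policies.items()
                  if p["vlan"] is not None and p["egress"] is None)
```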

Thank you so much for replying. I did have a vlan attached to the group policy; I included it in the update I pasted in. Thanks for your opinion; if you give me any advice, I really appreciate it.
