AnyConnect VPN full tunnel cannot access site-to-site VPN

Jason Lista
Level 1

I have an AnyConnect VPN set up with no split tunnelling (U-turning/hairpinning traffic), running 8.2.5 code.

This works great, but I want to allow the AnyConnect clients to access a site-to-site VPN as well, which I have been unable to do. 

I did check that the anyconnect network IP addresses are part of the tunnel on both sides.

My logic tells me I need to not u-turn the traffic coming from the anyconnect network for the site-to-site VPN, but I am not sure how to do this.

Any help would be appreciated.

Here are the relevant portions of my config:

(Inside network is 192.168.0.0/24,

anyconnect network is 192.168.10.0/24,

site-site VPN network is 192.168.2.0/24)

--------------------------------------------------------------------------------------


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_1
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0

ip local pool AnyConnectPool 192.168.10.2-192.168.10.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.10.0 255.255.255.0
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 (gateway IP) 1
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 svc profiles AnyConnectProfile disk0:/anyconnect_client.xml
 svc enable
 tunnel-group-list enable
group-policy AnyConnectGrpPolicy internal
group-policy AnyConnectGrpPolicy attributes
 wins-server none
 dns-server value 192.168.0.33 192.168.2.33
 vpn-session-timeout none
 vpn-tunnel-protocol l2tp-ipsec svc
 split-tunnel-policy tunnelall
 address-pools value AnyConnectPool
tunnel-group AnyConnectGroup type remote-access
tunnel-group AnyConnectGroup general-attributes
 address-pool AnyConnectPool
 authentication-server-group SERVER1_AD
 default-group-policy AnyConnectGrpPolicy
tunnel-group AnyConnectGroup webvpn-attributes
 authentication aaa certificate
 group-alias _AnyConnect enable

Accepted Solution

Marvin Rhoads
Hall of Fame

Your remote access VPN traffic appears as originating on the outside interface, so I believe you need to exempt from NAT the VPN pool traffic headed back into the site-site VPN. Something like this:

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 0 access-list outside_nat0
nat (outside) 1 192.168.10.0 255.255.255.0

access-list outside_nat0 extended permit ip any 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0


9 Replies


Thank you for the reply.  This didn't resolve the issue, but perhaps will help point me in the right direction.  I had been running the packet tracer on the inside interface, and the traffic was allowed from 192.168.10.0/24 to 192.168.2.0/24.  However as you noted I should be running it on the outside interface, which gives me an access-list error right off the bat - the implicit access rule on the outside interface (source any destination any service IP action deny).


Below is my current config:
!
ASA Version 8.2(5)
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
access-list outside_nat0 extended permit ip any 192.168.10.0 255.255.255.0
ip local pool AnyConnectPool 192.168.10.2-192.168.10.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0
nat (outside) 1 vpn-network 255.255.255.0

route outside 0.0.0.0 0.0.0.0 (gateway IP) 1
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 svc profiles AnyConnectProfile disk0:/anyconnect_client.xml
 svc enable
 tunnel-group-list enable
group-policy AnyConnectGrpPolicy internal
group-policy AnyConnectGrpPolicy attributes
 wins-server none
 dns-server value 192.168.0.33 192.168.2.33
 vpn-session-timeout none
 vpn-tunnel-protocol l2tp-ipsec svc
 split-tunnel-policy tunnelall
 address-pools value AnyConnectPool
tunnel-group AnyConnectGroup type remote-access
tunnel-group AnyConnectGroup general-attributes
 address-pool AnyConnectPool
 authentication-server-group SERVER1_AD
 default-group-policy AnyConnectGrpPolicy
tunnel-group AnyConnectGroup webvpn-attributes
 authentication aaa certificate
 group-alias _AnyConnect enable

What is the output of:  packet-tracer input outside rawip 192.168.10.10 0 192.168.2.10 80

Hi and thanks for the reply.  The packet-tracer shows the traffic being dropped as mentioned above with  the implicit access rule on the outside interface (source any destination any service IP action deny).  Although, if I run the same command as: packet-tracer input outside rawip 192.168.10.10 0 192.168.0.10 , I get the same message, but I can access the 192.168.0.0/24 network just fine after connecting via Anyconnect and getting a 192.168.10.x address.


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

This ended up being the correct solution, except we need to change the access-list statement as follows:

access-list outside_nat0 extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0

Thank you very much for your help!!

Excellent - glad to see you have it working now.

Thanks for the rating. Cheers!

Jason Lista
Level 1

OK, so following the packet tracer, I added an access rule, then took Mr. Rhoads' suggestions and tweaked them to make it work.  But I don't feel comfortable adding IP-based outside access to the remote network, and feel like I am putting in a security hole.

access-list outside-access-in extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list outside_nat0 extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (outside) 0 access-list outside_nat0

Never mind, it works without the access rule; we just needed to swap around the order of the outside_nat0 statement.
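To make the point of this thread concrete, here is an added Python model (not code from the thread, from Cisco, or from the ASA itself) of the simplified 8.2 order of operations on the outside interface: the "nat (outside) 0 access-list" exemption is checked first, otherwise the pool source is PAT'd by "nat (outside) 1" to the interface address, and only then is the crypto map ACL compared against the post-NAT packet. The addresses are the ones from the thread; the outside interface address 203.0.113.1 is a constructed placeholder. It runs the same client-to-remote flow through the first suggested exemption entry ("permit ip any 192.168.10.0/24", which only matches traffic headed *to* the pool) and through the entry that ended up working ("permit ip 192.168.10.0/24 192.168.2.0/24").

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One access-list entry: 'permit'/'deny', source and destination as
    CIDR strings or the keyword 'any'."""
    action: str
    src: str
    dst: str


def _matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def acl_permits(acl, src, dst):
    """ASA access-list semantics: first matching entry wins, implicit deny."""
    for ace in acl:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action == "permit"
    return False


def translate_source(src, dst, nat0_acl, dynamic_nat_nets, interface_ip):
    """Simplified 8.2 NAT on one interface: 'nat (outside) 0 access-list'
    exemption is consulted first; otherwise a source covered by
    'nat (outside) 1 <net>' is PAT'd to the interface address."""
    if acl_permits(nat0_acl, src, dst):
        return src
    if any(ip_address(src) in ip_network(net) for net in dynamic_nat_nets):
        return interface_ip
    return src


def flow_enters_tunnel(src, dst, nat0_acl, dynamic_nat_nets, interface_ip, crypto_acl):
    """The crypto map ACL is matched against the post-NAT packet.
    Returns (encrypted_into_tunnel, source_address_the_crypto_map_sees)."""
    translated = translate_source(src, dst, nat0_acl, dynamic_nat_nets, interface_ip)
    return acl_permits(crypto_acl, translated, dst), translated


# Networks from the thread; the outside interface IP is a constructed placeholder.
POOL, INSIDE, REMOTE = "192.168.10.0/24", "192.168.0.0/24", "192.168.2.0/24"
OUTSIDE_IP = "203.0.113.1"

# access-list outside_1_cryptomap: permit ip {inside, pool} -> 192.168.2.0/24
CRYPTO_ACL = [Ace("permit", INSIDE, REMOTE), Ace("permit", POOL, REMOTE)]

# First suggestion: permit ip any 192.168.10.0/24 (matches traffic *to* the pool only)
NAT0_FIRST_TRY = [Ace("permit", "any", POOL)]
# Entry that worked: permit ip 192.168.10.0/24 192.168.2.0/24
NAT0_FIXED = [Ace("permit", POOL, REMOTE)]


def compare(src="192.168.10.10", dst="192.168.2.10"):
    """Run one AnyConnect-client-to-remote-site flow through both exemption ACLs."""
    first_try = flow_enters_tunnel(src, dst, NAT0_FIRST_TRY, [POOL], OUTSIDE_IP, CRYPTO_ACL)
    fixed = flow_enters_tunnel(src, dst, NAT0_FIXED, [POOL], OUTSIDE_IP, CRYPTO_ACL)
    return {"first_try": first_try, "fixed": fixed}


if __name__ == "__main__":
    for name, (encrypted, seen_src) in compare().items():
        state = "enters the tunnel" if encrypted else "translated, never matches the crypto ACL"
        print(f"{name:10s} crypto map sees source {seen_src:15s} -> {state}")
```

With the first entry the client packet is not exempted, gets PAT'd to the interface address, and so no longer matches the crypto map ACL (which only lists 192.168.0.0/24 and 192.168.10.0/24 as sources); with the corrected entry the pool address survives NAT and the packet is encrypted. Because acl_permits is first-match, the same functions can be used to check what happens when entries are reordered, which is the effect the thread describes for the outside_nat0 statements.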

Jason Lista
Level 1

So, believe it or not, here I am again with this same problem, albeit with a different device (pfSense) on the other end.

Still have:

anyconnect client -> local network (inside) -> remote networks (ny2-network and ch1-network) (via site to site vpn)

The AnyConnect client is fully tunneled and can access the local network and the internet, but cannot access the remote networks (though the remote networks can ping the AnyConnect clients).

I'm pretty sure (with the new syntax) I still have the solution listed here in this thread implemented in my config, which is below:

-------------------------------------------------

hostname fw1
domain-name corp.sample.com
enable password cmotpkMmnUA2K6lS encrypted
names
dns-guard
ip local pool Pool1 172.31.9.1-172.31.9.10 mask 255.255.255.0
ip local pool Pool2 172.31.10.1-172.31.10.99 mask 255.255.255.0
ip local pool Pool3 172.31.11.1-172.31.11.19 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address a.a.a.a 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 172.31.1.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif violet
security-level 99
ip address 172.31.3.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
security-level 99
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
security-level 99
no ip address
!
interface GigabitEthernet1/6
no nameif
security-level 99
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif mgmt
security-level 0
ip address 172.31.99.1 255.255.255.0
!
boot system disk0:/asa992-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222 outside
name-server 208.67.220.220 outside
domain-name corp.sample.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network anyconnect-network
subnet 172.31.10.0 255.255.255.0
object network vpnc-network
subnet 172.31.9.0 255.255.255.0
object network debian-vm
host 172.31.1.100
object network svn-server
host 172.31.0.32
object network spider-duo-main
host 172.31.1.98
object network server1
host 172.31.1.33
object network server2
host 172.31.2.33
object network cisco_router_1
host 172.31.1.1
object network ch1-network
subnet 172.31.2.0 255.255.255.0
object network any4
object network inside-network
subnet 172.31.1.0 255.255.255.0
object network vpnc2-network
subnet 172.31.11.0 255.255.255.0
object network ny2-network
subnet 172.31.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object anyconnect-network
network-object object vpnc-network
network-object object vpnc2-network
object-group service syslog tcp
port-object eq 1060
object-group service syslog-ng udp
port-object eq syslog
object-group network DM_INLINE_NETWORK_3
network-object object server2
network-object object spider-duo-main
network-object object server1
network-object object cisco_router_1
network-object object svn-server
object-group network DM_INLINE_NETWORK_2
network-object object server2
network-object object spider-duo-main
network-object object server1
network-object object cisco_router_1
network-object object svn-server
object-group network DM_INLINE_NETWORK_9
network-object object server2
network-object object server1
object-group network DM_INLINE_NETWORK_8
network-object object server2
network-object object debian-vm
network-object object server1
object-group network DM_INLINE_NETWORK_4
network-object object anyconnect-network
network-object object vpnc-network
network-object object vpnc2-network
object-group network DM_INLINE_NETWORK_5
network-object object anyconnect-network
network-object object inside-network
network-object object vpnc-network
network-object object vpnc2-network
object-group network DM_INLINE_NETWORK_7
network-object object anyconnect-network
network-object object inside-network
network-object object vpnc-network
network-object object vpnc2-network
access-list Pool1Users_splitTunnelAcl remark svn-server
access-list Pool1Users_splitTunnelAcl standard permit host 172.31.0.32
access-list Pool1Users_splitTunnelAcl remark server1
access-list Pool1Users_splitTunnelAcl standard permit host 172.31.1.33
access-list Pool1Users_splitTunnelAcl remark spider-duo-main
access-list Pool1Users_splitTunnelAcl standard permit host 172.31.1.98
access-list Pool1Users_splitTunnelAcl remark server2
access-list Pool1Users_splitTunnelAcl standard permit host 172.31.2.33
access-list outside_restricted_access extended permit ip object vpnc-network object-group DM_INLINE_NETWORK_3
access-list outside_restricted_access extended permit ip object vpnc2-network object-group DM_INLINE_NETWORK_8
access-list outside_restricted_access extended deny ip object vpnc-network any
access-list outside_restricted_access extended deny ip object vpnc2-network any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list outside_cryptomap_1 extended permit ip object inside-network object ny2-network inactive
access-list outside_cryptomap_1 extended permit ip object anyconnect-network object ny2-network inactive
access-list outside_cryptomap_1 extended permit ip object vpnc-network object ny2-network inactive
access-list outside_cryptomap_1 extended permit ip object vpnc2-network object ny2-network inactive
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_5 object ny2-network
access-list sfr_redirect extended permit ip any any
access-list syslog_server_access extended permit udp object cisco_router_1 object-group DM_INLINE_NETWORK_9 eq syslog
access-list user_local_network standard permit 192.168.0.0 255.255.0.0
access-list Pool3Users_splitTunnelAcl standard permit host 172.31.1.33
access-list Pool3Users_splitTunnelAcl standard permit host 172.31.1.100
access-list Pool3Users_splitTunnelAcl remark server1
access-list Pool3Users_splitTunnelAcl remark server2
access-list Pool3Users_splitTunnelAcl remark intranet
access-list Pool3Users_splitTunnelAcl standard permit host 172.31.2.33
access-list outside_cryptomap extended permit ip object inside-network object ch1-network inactive
access-list outside_cryptomap extended permit ip object anyconnect-network object ch1-network inactive
access-list outside_cryptomap extended permit ip object vpnc-network object ch1-network inactive
access-list outside_cryptomap extended permit ip object vpnc2-network object ch1-network inactive
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_7 object ch1-network
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm informational
logging host inside 172.31.1.33 17/2514
logging permit-hostdown
logging class auth trap notifications
mtu outside 1500
mtu inside 1500
mtu violet 1500
mtu mgmt 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static inside-network inside-network destination static ny2-network ny2-network no-proxy-arp
nat (inside,outside) source static inside-network inside-network destination static ch1-network ch1-network no-proxy-arp
nat (outside,inside) source static anyconnect-network anyconnect-network destination static inside-network inside-network no-proxy-arp
nat (outside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static ny2-network ny2-network no-proxy-arp
nat (outside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static ch1-network ch1-network no-proxy-arp
nat (outside,outside) source static anyconnect-network anyconnect-network destination static anyconnect-network anyconnect-network no-proxy-arp
nat (inside,any) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static vpnc-network vpnc-network no-proxy-arp
!
object network obj_any
nat (inside,outside) dynamic interface
object network anyconnect-network
nat (outside,outside) dynamic interface
!
nat (violet,outside) after-auto source dynamic obj_any interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server MS_AD protocol ldap
aaa-server MS_AD (inside) host 172.31.1.33
ldap-base-dn dc=corp, dc=sample, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CORP\Administrator
server-type microsoft
aaa-server MS_AD (outside) host 172.31.2.33
ldap-base-dn dc=corp, dc=sample, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CORP\Administrator
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa local authentication attempts max-fail 5
aaa authentication login-history
http server enable
http 172.31.10.0 255.255.255.0 outside
http 172.31.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES128
protocol esp encryption aes
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec profile NYI
set ikev2 ipsec-proposal AES128
set pfs group20
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set pfs group20
crypto map outside_map1 1 set peer b.b.b.b
crypto map outside_map1 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256 AES128
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 2 match address outside_cryptomap
crypto map outside_map1 2 set pfs group20
crypto map outside_map1 2 set peer c.c.c.c
crypto map outside_map1 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256 AES128
crypto map outside_map1 2 set nat-t-disable
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=172.31.1.1,CN=ciscoasa1
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
fqdn vpn.sample.com
subject-name (redacted)
keypair SSL-Keypair
crl configure
crypto ca trustpoint Digicert_CA
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
subject-name CN=fw1.corp.sample.com
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
fqdn vpn.sample.com
subject-name (redacted)
keypair SSL-Keypair
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate map AnyconnectCertificateMap 10
issuer-name attr cn eq corp-server1-ca
issuer-name attr dc eq com
issuer-name attr dc eq corp
issuer-name attr dc eq sample
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca (redacted)
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate (redacted)
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate (redacted)
quit
crypto ca certificate chain Digicert_CA
certificate ca (redacted)
quit
crypto ca certificate chain ASDM_TrustPoint3
certificate (redacted)
quit
crypto ca certificate chain ASDM_TrustPoint2
certificate (redacted)
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate ca (redacted)
quit
crypto ikev2 policy 10
encryption aes
integrity sha256
group 20
prf sha256
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 172.31.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 172.31.1.33 172.31.2.33 interface inside
dhcpd domain corp.sample.com interface inside
!
dhcpd address 172.31.3.101-172.31.3.101 violet
dhcpd dns 208.67.222.222 208.67.220.220 interface violet
dhcpd enable violet
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.33 source inside prefer
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default high
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 high
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 inside
ssl trust-point ASDM_TrustPoint1 violet
webvpn
enable outside
portal-access-rule 1 deny code 403 any
anyconnect image disk0:/anyconnect-win-4.4.02034-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.4.02034-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-linux64-4.4.02034-webdeploy-k9.pkg 3
anyconnect profiles Pool3_Anyconnect_client_profile disk0:/Pool3_Anyconnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
keepout "Service Unavailable"
cache
disable
certificate-group-map AnyconnectCertificateMap 10 Pool2_Anyconnect
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-clientless
group-policy GroupPolicy_Pool2_Anyconnect_w_local internal
group-policy GroupPolicy_Pool2_Anyconnect_w_local attributes
wins-server none
dns-server value 172.31.1.33 172.31.2.33
vpn-session-timeout none
vpn-tunnel-protocol l2tp-ipsec ssl-client
password-storage disable
split-tunnel-policy excludespecified
split-tunnel-network-list value user_local_network
default-domain value corp.sample.com
address-pools value Pool2
group-policy GroupPolicy_c.c.c.c internal
group-policy GroupPolicy_c.c.c.c attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_Pool2_Anyconnect internal
group-policy GroupPolicy_Pool2_Anyconnect attributes
wins-server none
dns-server value 172.31.1.33 172.31.2.33
vpn-session-timeout none
vpn-tunnel-protocol l2tp-ipsec ssl-client
password-storage disable
split-tunnel-policy tunnelall
default-domain value corp.sample.com
address-pools value Pool2
group-policy GroupPolicy_Pool1_Anyconnect internal
group-policy GroupPolicy_Pool1_Anyconnect attributes
wins-server none
dns-server value 172.31.1.33 172.31.2.33
vpn-idle-timeout none
vpn-session-timeout 1440
vpn-filter value outside_restricted_access
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Pool1Users_splitTunnelAcl
group-policy GroupPolicy_Pool3_Anyconnect internal
group-policy GroupPolicy_Pool3_Anyconnect attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value Pool3Users_splitTunnelAcl
default-domain value corp.sample.com
webvpn
anyconnect profiles value Pool3_Anyconnect_client_profile type user
group-policy GroupPolicy_b.b.b.b internal
group-policy GroupPolicy_b.b.b.b attributes
vpn-tunnel-protocol ikev2
group-policy Pool1Users internal
group-policy Pool1Users attributes
dns-server value 172.31.1.33 172.31.2.33
vpn-idle-timeout none
vpn-session-timeout 1440
vpn-filter value outside_restricted_access
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Pool1Users_splitTunnelAcl
dynamic-access-policy-record DfltAccessPolicy
username (redacted)
username (redacted) attributes
vpn-group-policy Pool1Users
service-type remote-access
tunnel-group Pool1_Anyconnect type remote-access
tunnel-group Pool1_Anyconnect general-attributes
address-pool Pool1
default-group-policy GroupPolicy_Pool1_Anyconnect
tunnel-group Pool1_Anyconnect webvpn-attributes
group-alias Pool1_Anyconnect enable
tunnel-group Pool2_Anyconnect type remote-access
tunnel-group Pool2_Anyconnect general-attributes
address-pool Pool2
authentication-server-group MS_AD LOCAL
default-group-policy GroupPolicy_Pool2_Anyconnect
tunnel-group Pool2_Anyconnect webvpn-attributes
authentication aaa certificate
group-alias Pool2_Anyconnect enable
tunnel-group b.b.b.b type ipsec-l2l
tunnel-group b.b.b.b general-attributes
default-group-policy GroupPolicy_b.b.b.b
tunnel-group b.b.b.b ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group Pool3_Anyconnect type remote-access
tunnel-group Pool3_Anyconnect general-attributes
address-pool Pool3
authentication-server-group MS_AD
default-group-policy GroupPolicy_Pool3_Anyconnect
tunnel-group Pool3_Anyconnect webvpn-attributes
group-alias Pool3_Anyconnect enable
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c general-attributes
default-group-policy GroupPolicy_c.c.c.c
tunnel-group c.c.c.c ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map sfr
match access-list sfr_redirect
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class sfr
sfr fail-open
!
service-policy global_policy global

-----------------------------------------------------

Any ideas what I am doing wrong?