New Member

AnyConnect VPN Setup Assistance

Hi everybody. I installed a brand new ASA to replace my current one, and need a bit of help with the setup of AnyConnect. I believe I have everything set up correctly, except for my NAT exceptions. I can successfully connect to the ASA via the clientless page and the AnyConnect client, but can't get past the ASA, so I'm assuming it's NAT exceptions. I've been looking at both the ASA_cli.pdf but can't seem to nail it down. Even using the ASDM, which I normally don't do for VPN, it's not spelled out as easily as in ASDM 6.1.

On my current ASA, I know that I have an ACL called NoNat. For reference, my internal networks are 10.0.x.x, and my ip pool for VPN users is 192.168.2.x.

Any help would be greatly appreciated. Thanks in advance.


20 REPLIES
Silver

Re: AnyConnect VPN Setup Assistance

Since you have a nonat statement, I am assuming that you have an 8.2 or earlier code on the current ASA. Your nonat statement should be

access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

If this is not how it is set up, please change it to the same. If it still doesn't work, post a gist of your relevant config.

If on the new ASA you are using an 8.3 code, you need to create a static identity NAT rule (there is no NAT exemption in 8.3). The following doc can be referred to for the change in NAT commands in 8.3.

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60183

New Member

Re: AnyConnect VPN Setup Assistance

Yes, that is exactly what my current setup is like on the old ASA, which is indeed running 8.2. The new ASA is running 8.3, so it's no wonder I couldn't figure out the syntax.

Silver

Re: AnyConnect VPN Setup Assistance

Did it work when you changed the nat?

New Member

Re: AnyConnect VPN Setup Assistance

So currently my configuration in 8.2 shows:

For VPN users:

access-list nonat extended permit ip 10.0.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.20.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.30.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.40.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.60.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.10.0 255.255.254.0 192.168.2.0 255.255.255.0

For my DMZ:

access-list nonat extended permit ip 10.0.18.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.33.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.40.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.20.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.7.0 255.255.255.0 192.168.1.0 255.255.255.0

Then I have:

nat-control
global (OUTSIDE) 10 interface
global (OUTSIDE) 1 63.172.8.201
nat (DMZ) 10 192.168.3.7 255.255.255.255
nat (DMZ) 10 192.168.3.8 255.255.255.255
nat (DMZ) 10 192.168.3.10 255.255.255.255
nat (DMZ) 10 192.168.3.11 255.255.255.255
nat (DMZ) 10 192.168.3.12 255.255.255.255
nat (DMZ) 10 192.168.3.65 255.255.255.255
nat (DMZ) 10 192.168.3.254 255.255.255.255
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 10.0.40.72 255.255.255.255
nat (INSIDE) 10 0.0.0.0 0.0.0.0

I honestly don't know why I have all the hosts for the DMZ NAT, as I didn't set up this ASA.

New Member

Re: AnyConnect VPN Setup Assistance

Making an attempt for the new configuration:

object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-10.0.7.0
 subnet 10.0.7.0 255.255.255.0
object network obj-10.0.18.0
 subnet 10.0.18.0 255.255.255.0
object network obj-10.0.33.0
 subnet 10.0.33.0 255.255.255.0
object network obj-10.0.40.0
 subnet 10.0.40.0 255.255.254.0
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0

Exempt the VPN users to subnets:

nat (inside,any) source static obj-10.0.33.0 obj-10.0.33.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,any) source static obj-10.0.7.0 obj-10.0.7.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,any) source static obj-10.0.18.0 obj-10.0.18.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,any) source static obj-10.0.40.0 obj-10.0.40.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0

Exempt the internal subnets to the DMZ subnet:

nat (inside,any) source static obj-10.0.33.0 obj-10.0.33.0 destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static obj-10.0.7.0 obj-10.0.7.0 destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static obj-10.0.18.0 obj-10.0.18.0 destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static obj-10.0.40.0 obj-10.0.40.0 destination static obj-192.168.1.0 obj-192.168.1.0

Silver

Re: AnyConnect VPN Setup Assistance

That should work. Make sure that you have the NAT exemption (not called so in 8.3) at the highest order in the NAT statements so that it takes precedence. Packet tracer output should show you which NAT is being hit first and how the packet is being processed accordingly.
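To make the 8.2-to-8.3 conversion discussed above mechanical, here is an added Python example (not code from the thread or from Cisco) that reads "nat 0 access-list" exemption lines, emits the equivalent object and identity twice-NAT statements with sequence number 1, and checks that every object a NAT rule names is actually defined. The input sample, the obj-<network> naming and the OUTSIDE interface name are constructed to match the thread's config.

```python
import re
from collections import OrderedDict

# Constructed sample in the 8.2 style shown earlier in the thread: a subset of
# the poster's "nonat" ACL plus the "nat 0" binding that makes it an exemption.
OLD_CONFIG = """\
access-list nonat extended permit ip 10.0.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.40.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.7.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (INSIDE) 0 access-list nonat
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
                    + r"\s+".join([IP] * 4) + r"\s*$")
NAT0_RE = re.compile(r"^nat\s*\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")
OBJ_RE = re.compile(r"^object\s+network\s+(\S+)")
TWICE_RE = re.compile(r"^nat\s*\(\S+\)\s+(?:\d+\s+)?source\s+static\s+(\S+)\s+(\S+)"
                      r"\s+destination\s+static\s+(\S+)\s+(\S+)")


def obj_name(net):
    # Same naming convention the poster used: obj-<network address>.
    return "obj-" + net


def migrate(old_config, outside_if="OUTSIDE"):
    """Rewrite 8.2 'nat 0 access-list' exemptions as 8.3 identity twice-NAT.

    Returns (object_lines, nat_lines). Objects are deduplicated and the NAT
    rules are built from the same names, so a rule can never reference an
    object that was not emitted (the obj-10.0.40.1 / obj-10.0.40.0 slip above).
    """
    acl_entries = {}   # ACL name -> [(src, smask, dst, dmask), ...]
    bindings = []      # [(interface, ACL name), ...]
    for raw in old_config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acl_entries.setdefault(m.group(1), []).append(m.groups()[1:])
        elif (m := NAT0_RE.match(line)):
            bindings.append((m.group(1), m.group(2)))

    objects = OrderedDict()   # object name -> (network, mask), in first-seen order
    nat_lines = []
    for iface, acl in bindings:
        for src, smask, dst, dmask in acl_entries.get(acl, []):
            objects.setdefault(obj_name(src), (src, smask))
            objects.setdefault(obj_name(dst), (dst, dmask))
            s, d = obj_name(src), obj_name(dst)
            # Sequence number 1 keeps the identity rules ahead of the dynamic
            # PAT rule, which is the ordering point made in the reply above.
            nat_lines.append(f"nat ({iface},{outside_if}) 1 source static {s} {s} "
                             f"destination static {d} {d}")

    object_lines = []
    for name, (net, mask) in objects.items():
        object_lines += [f"object network {name}", f" subnet {net} {mask}"]
    return object_lines, nat_lines


def undefined_objects(config_lines):
    """Object names used by twice-NAT rules that no 'object network' defines."""
    defined = {m.group(1) for m in map(OBJ_RE.match, (l.strip() for l in config_lines)) if m}
    missing = []
    for raw in config_lines:
        m = TWICE_RE.match(raw.strip())
        if m:
            for name in m.groups():
                if name not in defined and name not in missing:
                    missing.append(name)
    return missing
```

Running undefined_objects over a hand-written 8.3 config before pasting it in catches the object/rule name mismatch that slipped into the attempt above.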

New Member

Re: AnyConnect VPN Setup Assistance

Well, I added the NATs but I still can't connect to a server/PC on those subnets. I can successfully log into the client, the client connects, but I can't get past the ASA. Here is my current config:

Cryptochecksum: c77e902d ae604267 9df16665 63413967
!
ASA Version 8.3(1)
!
hostname ifnASA5520
domain-name sn.com
enable password *
passwd * encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address * 255.255.255.0
!
interface GigabitEthernet0/1
description DMZ
nameif DMZ
security-level 0
ip address 192.168.3.5 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif INSIDE
security-level 100
ip address 10.0.10.5 255.255.254.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 10.0.40.12
name-server 10.0.20.83
domain-name sn.com
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-10.0.40.0
subnet 10.0.40.0 255.255.254.0
object network obj-10.0.7.0
subnet 10.0.7.0 255.255.255.0
object network obj-10.0.33.0
subnet 10.0.33.0 255.255.255.0
object network obj-10.0.18.0
subnet 10.0.18.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
logging host INSIDE 10.0.40.49
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination INSIDE 10.0.40.48 9996
flow-export destination INSIDE 10.0.40.49 9996
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
mtu management 1500
ip local pool VPNPool 192.168.2.100-192.168.2.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply OUTSIDE
icmp permit any INSIDE
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (INSIDE,any) source static obj-10.0.33.0 obj-10.0.33.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,any) source static obj-10.0.7.0 obj-10.0.7.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,any) source static obj-10.0.18.0 obj-10.0.18.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,any) source static obj-10.0.40.0 obj-10.0.40.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,OUTSIDE) source dynamic any interface
access-group DMZ_access_in in interface DMZ
route OUTSIDE 0.0.0.0 0.0.0.0 69.160.213.1 1
route INSIDE 10.0.7.0 255.255.255.0 10.0.10.1 1
route INSIDE 10.0.18.0 255.255.255.0 10.0.10.1 1
route INSIDE 10.0.30.0 255.255.254.0 10.0.10.1 1
route INSIDE 10.0.33.0 255.255.255.0 10.0.10.1 1
route INSIDE 10.0.40.0 255.255.254.0 10.0.10.1 1
route INSIDE 10.0.100.0 255.255.254.0 10.0.10.1 1
route INSIDE 10.30.0.0 255.255.0.0 10.0.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server Radius protocol radius
aaa-server Radius (INSIDE) host 10.0.40.11
key *
radius-common-pw *
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.7.5 255.255.255.255 INSIDE
http 10.0.10.0 255.255.254.0 INSIDE
http 10.0.40.0 255.255.254.0 INSIDE
http 192.168.1.0 255.255.255.0 management
snmp-server host INSIDE 10.0.40.48 community * version 2c
snmp-server host INSIDE 10.0.7.5 community * version 2c
snmp-server location DataCenter
snmp-server contact GWS_Dept
snmp-server community *
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject-name CN=vpn.servicenet.com,O=Service Net Warranty,C=US,St=Indiana,L=Jeffersonville
crl configure
crypto ca trustpoint ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASDM_TrustPoint3
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate *
  quit
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh timeout 5
ssh version 2
console timeout 10
management-access INSIDE
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 OUTSIDE
webvpn
enable OUTSIDE
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
  svc ask enable
username * password * encrypted privilege 15
tunnel-group ServiceNet type remote-access
tunnel-group ServiceNet general-attributes
address-pool VPNPool
authentication-server-group Radius
tunnel-group ServiceNet webvpn-attributes
group-alias ServiceNet enable
!
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
class global-class
  flow-export event-type all destination 10.0.40.49
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c77e902dae6042679df1666563413967

Silver

Re: AnyConnect VPN Setup Assistance

Can you make all the NAT config as nat (INSIDE,outside) rather than nat (INSIDE,any)?

You can make a test for one subnet as a check. Also put a 1 after nat (INSIDE,outside),

for e.g. nat (INSIDE,outside) 1 source static obj-10.0.7.0 obj-10.0.7.0 destination static obj-192.168.2.0 obj-192.168.2.0

due to the bug CSCtf89372.

If it still fails, apply captures on the inside for the particular traffic in both directions to see where it's failing.

New Member

Re: AnyConnect VPN Setup Assistance

OK, so I added all those but still can't get past the ASA. I can't use RDP or even ping through the ASA after making the connection via the AnyConnect client. The client shows an IP of 192.168.1.100, so it's getting the correct IP from the pool. I did add the 1 after each of those NAT statements like below:

nat (INSIDE,outside) 1 source static obj-10.0.33.0 obj-10.0.33.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,outside) 1 source static obj-10.0.7.0 obj-10.0.7.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,outside) 1 source static obj-10.0.18.0 obj-10.0.18.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,outside) 1 source static obj-10.0.40.0 obj-10.0.40.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,outside) 1 source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0

Here is my updated config, any ideas? I truly appreciate your help so far.

Cryptochecksum: 423eb27d 0014d430 e2e61dd3 5d4dfda3
!
ASA Version 8.3(1)
!
hostname ifnASA5520
domain-name sn.com
enable password * encrypted
passwd * encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address * 255.255.255.0
!
interface GigabitEthernet0/1
description DMZ
nameif DMZ
security-level 0
ip address 192.168.3.5 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif INSIDE
security-level 100
ip address 10.0.10.5 255.255.254.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 10.0.40.12
name-server 10.0.20.83
domain-name sn.com
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-10.0.40.0
subnet 10.0.40.0 255.255.254.0
object network obj-10.0.7.0
subnet 10.0.7.0 255.255.255.0
object network obj-10.0.33.0
subnet 10.0.33.0 255.255.255.0
object network obj-10.0.18.0
subnet 10.0.18.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
logging host INSIDE 10.0.40.49
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination INSIDE 10.0.40.48 9996
flow-export destination INSIDE 10.0.40.49 9996
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
mtu management 1500
ip local pool VPNPool 192.168.2.100-192.168.2.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply OUTSIDE
icmp permit any INSIDE
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (INSIDE,OUTSIDE) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,OUTSIDE) source static obj-10.0.40.0 obj-10.0.40.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,OUTSIDE) source static obj-10.0.18.0 obj-10.0.18.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,OUTSIDE) source static obj-10.0.7.0 obj-10.0.7.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,OUTSIDE) source static obj-10.0.33.0 obj-10.0.33.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (INSIDE,OUTSIDE) source dynamic any interface
access-group DMZ_access_in in interface DMZ
route OUTSIDE 0.0.0.0 0.0.0.0 69.160.213.1 1
route INSIDE 10.0.7.0 255.255.255.0 10.0.10.1 1
route INSIDE 10.0.18.0 255.255.255.0 10.0.10.1 1
route INSIDE 10.0.30.0 255.255.254.0 10.0.10.1 1
route INSIDE 10.0.33.0 255.255.255.0 10.0.10.1 1
route INSIDE 10.0.40.0 255.255.254.0 10.0.10.1 1
route INSIDE 10.0.100.0 255.255.254.0 10.0.10.1 1
route INSIDE 10.30.0.0 255.255.0.0 10.0.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server Radius protocol radius
aaa-server Radius (INSIDE) host 10.0.40.11
key *
radius-common-pw *
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.7.5 255.255.255.255 INSIDE
http 10.0.10.0 255.255.254.0 INSIDE
http 10.0.40.0 255.255.254.0 INSIDE
http 0.0.0.0 0.0.0.0 INSIDE
http 192.168.1.0 255.255.255.0 management
snmp-server host INSIDE 10.0.40.48 community * version 2c
snmp-server host INSIDE 10.0.7.5 community * version 2c
snmp-server location DataCenter
snmp-server contact GWS_Dept
snmp-server community *
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject-name CN=vpn.servicenet.com,O=Service Net Warranty,C=US,St=Indiana,L=Jeffersonville
crl configure
crypto ca trustpoint ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASDM_TrustPoint3
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate *
  quit
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh timeout 5
ssh version 2
console timeout 10
management-access INSIDE
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 OUTSIDE
webvpn
enable OUTSIDE
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
  svc ask enable
username * password * encrypted privilege 15
tunnel-group ServiceNet type remote-access
tunnel-group ServiceNet general-attributes
address-pool VPNPool
authentication-server-group Radius
tunnel-group ServiceNet webvpn-attributes
group-alias ServiceNet enable
!
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
class global-class
  flow-export event-type all destination 10.0.40.49
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:423eb27d0014d430e2e61dd35d4dfda3

Silver

Re: AnyConnect VPN Setup Assistance

"The client shows an IP of 192.168.1.100"?

Just checking, isn't 192.168.2.0 the pool subnet? And your NAT is set up for that pool only. Can you confirm it is getting the right pool address?

New Member

Re: AnyConnect VPN Setup Assistance

Yeah, sorry, mistyped that statement. The IP on the client is showing 192.168.2.100.

Silver

Re: AnyConnect VPN Setup Assistance

Could you apply captures on the inside interface and see if you see echo requests going and replies coming back?

New Member

Re: AnyConnect VPN Setup Assistance

Not exactly sure how to do a capture. Using the ASDM, I was watching the real time log viewer but didn't even see the traffic coming across. I see the traffic when making the connection, but not when initiating traffic after the connection is made.

Silver

Re: AnyConnect VPN Setup Assistance

access-list testcap permit ip host [VPN client IP] host [internal host IP]
access-list testcap permit ip host [internal host IP] host [VPN client IP]
capture captest access-list testcap interface INSIDE

and check if you see packets coming and going.

New Member

Re: AnyConnect VPN Setup Assistance

Yeah, it looks like I am seeing the echo requests coming across, but not a response:

ifnASA5520(config)# sh capture captest

4 packets captured

   1: 10:20:09.130654 192.168.2.100 > 10.0.7.5: icmp: echo request
   2: 10:20:14.582840 192.168.2.100 > 10.0.7.5: icmp: echo request
   3: 10:20:19.591461 192.168.2.100 > 10.0.7.5: icmp: echo request
   4: 10:20:24.596603 192.168.2.100 > 10.0.7.5: icmp: echo request
4 packets shown

I think I just figured it out. That's the same subnet that I'm using on the old ASA, and the route on the core is pointing it back to the old ASA, and not the new one. I'll change the subnet that I'm using for the IP pool for the VPN clients to something different and let you know.
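As an added example (not from the thread), this Python script parses "show capture" ICMP lines like the ones above and flags flows that carry echo requests but never a reply, which is the one-way pattern that pointed to the core's return route rather than the ASA's NAT. The capture text is constructed to mirror the output above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "show capture captest" output above:
# four echo requests from the VPN client toward an internal host, no replies.
CAPTURE_OUTPUT = """\
4 packets captured

   1: 10:20:09.130654 192.168.2.100 > 10.0.7.5: icmp: echo request
   2: 10:20:14.582840 192.168.2.100 > 10.0.7.5: icmp: echo request
   3: 10:20:19.591461 192.168.2.100 > 10.0.7.5: icmp: echo request
   4: 10:20:24.596603 192.168.2.100 > 10.0.7.5: icmp: echo request
4 packets shown
"""

# One ASA capture line: "<n>: <hh:mm:ss.usec> <src> > <dst>: icmp: echo request|reply"
PKT_RE = re.compile(r"^\s*\d+:\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+>\s+(\S+):\s+"
                    r"icmp:\s+echo\s+(request|reply)\b")


def parse_icmp(capture_text):
    """Return [(time, src, dst, kind), ...] for every ICMP echo line."""
    pkts = []
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pkts.append(m.groups())
    return pkts


def flow_counts(pkts):
    """Count requests and replies per (client, server) pair.

    A reply travels server -> client, so it is credited to the reversed pair;
    that is what lets a one-way conversation stand out."""
    counts = defaultdict(lambda: [0, 0])
    for _, src, dst, kind in pkts:
        if kind == "request":
            counts[(src, dst)][0] += 1
        else:
            counts[(dst, src)][1] += 1
    return {flow: (c[0], c[1]) for flow, c in counts.items()}


def unanswered_flows(pkts):
    """Flows with at least one request and no reply at all."""
    return {f: c for f, c in flow_counts(pkts).items() if c[0] and not c[1]}


def diagnose(capture_text):
    """Verdict in the terms the thread used: requests visible on INSIDE but no
    replies means the ASA forwarded the packet and the return path is the
    problem (here, the core routed the VPN pool back to the old ASA)."""
    flows = unanswered_flows(parse_icmp(capture_text))
    if not flows:
        return "OK: every echo request that was seen got a reply"
    (src, dst), (req, _) = sorted(flows.items())[0]
    return (f"{req} echo request(s) {src} -> {dst} seen, no reply: check that "
            f"{dst} and the core have a route back to {src}'s subnet")


if __name__ == "__main__":
    print(diagnose(CAPTURE_OUTPUT))
```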

Silver

Re: AnyConnect VPN Setup Assistance

Yup, I think that has to be the prob.

New Member

Re: AnyConnect VPN Setup Assistance

Looks like that worked. I added the new subnet, 192.168.5.0 to the core with a route to the new ASA. Then I did the following:

no object network obj-192.168.2.0
no access-list testcap extended permit ip host 192.168.2.100 host 10.0.7.5
no access-list testcap extended permit ip host 10.0.7.5 host 192.168.2.100
no nat (INSIDE,OUTSIDE) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0
no nat (INSIDE,OUTSIDE) source static obj-10.0.40.0 obj-10.0.40.0 destination static obj-192.168.2.0 obj-192.168.2.0
no nat (INSIDE,OUTSIDE) source static obj-10.0.18.0 obj-10.0.18.0 destination static obj-192.168.2.0 obj-192.168.2.0
no nat (INSIDE,OUTSIDE) source static obj-10.0.7.0 obj-10.0.7.0 destination static obj-192.168.2.0 obj-192.168.2.0
no nat (INSIDE,OUTSIDE) source static obj-10.0.33.0 obj-10.0.33.0 destination static obj-192.168.2.0 obj-192.168.2.0
no ip local pool VPNPool 192.168.2.100-192.168.2.150 mask 255.255.255.0
ip local pool VPNPool 192.168.5.100-192.168.5.150 mask 255.255.255.0
object network obj-192.168.5.0
 subnet 192.168.5.0 255.255.255.0
nat (INSIDE,OUTSIDE) 1 source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.5.0 obj-192.168.5.0
nat (INSIDE,OUTSIDE) 1 source static obj-10.0.40.0 obj-10.0.40.0 destination static obj-192.168.5.0 obj-192.168.5.0
nat (INSIDE,OUTSIDE) 1 source static obj-10.0.18.0 obj-10.0.18.0 destination static obj-192.168.5.0 obj-192.168.5.0
nat (INSIDE,OUTSIDE) 1 source static obj-10.0.7.0 obj-10.0.7.0 destination static obj-192.168.5.0 obj-192.168.5.0
nat (INSIDE,OUTSIDE) 1 source static obj-10.0.33.0 obj-10.0.33.0 destination static obj-192.168.5.0 obj-192.168.5.0

Looks like it's working, as I can now VPN into devices using the IP, but I'm still having trouble using DNS names. Any thoughts on that?

Silver

Re: AnyConnect VPN Setup Assistance

Add DNS and WINS servers to the corresponding AnyConnect group-policy so that they are pushed to the clients when they connect. Also make sure the servers are reachable when connected via AnyConnect.

New Member

Re: AnyConnect VPN Setup Assistance

rahgovin, thank you VERY much for your help in this. Now I just have to work on the clientless portion, but using the AnyConnect client is working perfectly now. Thanks a bunch

Silver

Re: AnyConnect VPN Setup Assistance

Glad to hear it's working.
