
Cisco ASA 5505 VPN Anyconnect no address assignment

I have a problem with IP assignment via AnyConnect. I always get the message "no assigned address" via AnyConnect. I assigned an address pool to my VPN profile, but it's still not working. Here is my config:
 

 

hostname firewall
domain-name ITTRIPP.local
enable password 8K8UeTZ9KV5Lvofo encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool 192.168.178.0 192.168.178.151-192.168.178.171 mask 255.255.255.255
ip local pool net-10 10.0.0.1-10.0.0.10 mask 255.255.255.0
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Private Interface
 nameif inside
 security-level 100
 ip address 192.168.178.10 255.255.255.0
 ospf cost 10
!
interface Vlan2
 description Public Interface
 nameif outside
 security-level 0
 ip address 192.168.177.2 255.255.255.0
 ospf cost 10
!
interface Vlan3
 description DMZ-Interface
 nameif dmz
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 192.168.178.3
 name-server 192.168.177.1
 domain-name ITTRIPP.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 192.168.178.x
 subnet 192.168.178.0 255.255.255.0
object network NETWORK_OBJ_192.168.178.0_26
 subnet 192.168.178.0 255.255.255.192
object service teamviewer
 service tcp source eq 5938
object service smtp_tls
 service tcp source eq 587
object service all_tcp
 service tcp source range 1 65535
object service udp_all
 service udp source range 1 65535
object network NETWORK_OBJ_192.168.178.128_26
 subnet 192.168.178.128 255.255.255.192
object network NETWORK_OBJ_10.0.0.0_28
 subnet 10.0.0.0 255.255.255.240
object-group service Internet-udp udp
 description UDP Standard Internet Services
 port-object eq domain
 port-object eq ntp
 port-object eq isakmp
 port-object eq 4500
object-group service Internet-tcp tcp
 description TCP Standard Internet Services
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq 465
 port-object eq pop3
 port-object eq 995
 port-object eq ftp
 port-object eq ftp-data
 port-object eq domain
 port-object eq ssh
 port-object eq telnet
object-group user DM_INLINE_USER_1
 user LOCAL\admin
 user LOCAL\lukas
 user LOCAL\sarah
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq ssh
object-group service 192.168.178.network tcp
 port-object eq 5000
 port-object eq 5001
object-group service DM_INLINE_SERVICE_1
 service-object object smtp_tls
 service-object tcp destination eq imap4
 service-object object teamviewer
object-group service DM_INLINE_SERVICE_2
 service-object object all_tcp
 service-object object udp_all
object-group service DM_INLINE_SERVICE_3
 service-object object all_tcp
 service-object object smtp_tls
 service-object object teamviewer
 service-object object udp_all
 service-object tcp destination eq imap4
object-group service vpn udp
 port-object eq 1701
 port-object eq 4500
 port-object eq isakmp
object-group service openvpn udp
 port-object eq 1194
access-list NAT-ACLs extended permit ip 192.168.178.0 255.255.255.0 any
access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 192.168.178.0 255.255.255.0 any object-group Internet-tcp
access-list inside-in extended permit icmp 192.168.178.0 255.255.255.0 any
access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any eq sip
access-list inside-in extended permit object-group DM_INLINE_SERVICE_1 192.168.178.0 255.255.255.0 any
access-list inside-in extended permit object-group DM_INLINE_SERVICE_2 192.168.178.0 255.255.255.0 any
access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any 192.168.178.0 255.255.255.0 echo-reply
access-list outside-in extended permit tcp object-group-user DM_INLINE_USER_1 any host 192.168.178.95 object-group DM_INLINE_TCP_1
access-list outside-in extended permit tcp any host 192.168.178.95 object-group 192.168.178.network
access-list outside-in extended permit tcp any 192.168.178.0 255.255.255.0 eq sip
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list dmz_access_in remark -=[Access Lists For Outgoing Packets from DMZ interface]=-
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_3 10.10.10.0 255.255.255.0 any
access-list dmz_access_in extended permit icmp 10.10.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 any object-group Internet-tcp
access-list dmz_access_in extended permit udp 10.10.10.0 255.255.255.0 any object-group Internet-udp
pager lines 24
logging enable
logging buffer-size 30000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.178.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
nat (dmz,outside) source static any any destination static NETWORK_OBJ_192.168.178.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.178.128_26 NETWORK_OBJ_192.168.178.128_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0.0_28 NETWORK_OBJ_10.0.0.0_28 no-proxy-arp route-lookup
!
object network 192.168.178.x
 nat (inside,outside) dynamic interface
!
nat (dmz,outside) after-auto source dynamic 192.168.178.x interface
access-group inside-in in interface inside
access-group outside-in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.177.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ITTRIPP protocol ldap
aaa-server ITTRIPP (inside) host 192.168.178.3
 ldap-base-dn CN=Users,DC=ITTRIPP,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,DC=ITTRIPP,DC=local
 server-type microsoft
user-identity default-domain LOCAL
eou allow none
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.178.0 255.255.255.0 inside
http redirect outside 80
http redirect inside 80
http redirect dmz 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=firewall
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 fqdn l1u.dyndns.org
 email mail@l1u.dyndns.org
 subject-name CN=l1u.dyndns.org,OU=VPN Services,O=ITTRIPP,C=DE,St=NRW,L=PLBG,EA=mail@l1u.dyndns.org
 serial-number
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 6a871953
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate 580c1e53
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable dmz client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.178.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.178.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign local
no ipv6-vpn-addr-assign aaa

dhcp-client update dns server both
dhcpd update dns both
!
dhcpd address 192.168.178.100-192.168.178.150 inside
dhcpd dns 192.168.178.3 192.168.177.1 interface inside
dhcpd wins 192.168.178.3 interface inside
dhcpd domain ITTRIPP.local interface inside
dhcpd update dns both interface inside
dhcpd option 3 ip 192.168.178.10 interface inside
dhcpd option 4 ip 192.168.178.3 interface inside
dhcpd option 6 ip 192.168.178.3 192.168.177.1 interface inside
dhcpd option 66 ip 192.168.178.95 interface inside
dhcpd enable inside
!
dhcpd address 192.168.177.100-192.168.177.150 outside
dhcpd dns 192.168.178.3 192.168.177.1 interface outside
dhcpd wins 192.168.178.3 interface outside
dhcpd domain ITTRIPP.local interface outside
dhcpd update dns both interface outside
dhcpd option 3 ip 192.168.177.2 interface outside
dhcpd option 4 ip 192.168.178.3 interface outside
dhcpd option 6 ip 192.168.178.3 interface outside
dhcpd enable outside
!
dhcpd address 10.10.10.100-10.10.10.150 dmz
dhcpd dns 192.168.178.3 192.168.177.1 interface dmz
dhcpd wins 192.168.178.3 interface dmz
dhcpd domain ITTRIPP.local interface dmz
dhcpd update dns both interface dmz
dhcpd option 3 ip 10.10.10.2 interface dmz
dhcpd option 4 ip 192.168.178.3 interface dmz
dhcpd option 6 ip 192.168.178.3 interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside 192.168.178.105 /volume1/data/tftp
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 dmz
ssl trust-point ASDM_TrustPoint0 dmz vpnlb-ip
ssl trust-point ASDM_TrustPoint1 inside
ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
webvpn
 enable inside
 enable outside
 enable dmz
 file-encoding 192.168.178.105 big5
 csd image disk0:/csd_3.5.2008-k9.pkg
 anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 2
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 3
 anyconnect profiles SSL-Profile_client_profile disk0:/SSL-Profile_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 mus password *****
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.178.3
 dns-server value 192.168.178.3 192.168.177.1
 dhcp-network-scope 192.168.178.0
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 default-domain value ITTRIPP.local
 split-dns value ITTRIPP.local
 webvpn
  anyconnect firewall-rule client-interface public value outside-in
  anyconnect firewall-rule client-interface private value inside-in
group-policy GroupPolicy_SSL-Profile internal
group-policy GroupPolicy_SSL-Profile attributes
 wins-server value 192.168.178.3
 dns-server value 192.168.178.3 192.168.177.1
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value ITTRIPP.local
 webvpn
  anyconnect profiles value SSL-Profile_client_profile type user
username sarah password PRgJuqNTubRwqXtd encrypted
username admin password QkbxX5Qv0P59Hhrx encrypted privilege 15
username lukas password KGLLoTxH9mCvWzVI encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool SSL-POOL
 secondary-authentication-server-group LOCAL
 authorization-server-group LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint0
 ikev1 radius-sdi-xauth
tunnel-group SSL-Profile type remote-access
tunnel-group SSL-Profile general-attributes
 address-pool SSL-POOL
 default-group-policy GroupPolicy_SSL-Profile
tunnel-group SSL-Profile webvpn-attributes
 group-alias SSL-Profile enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
mount FTP type ftp
 server 192.168.178.105
 path /volume1/data/install/microsoft/Cisco
 username lukas
 password ********
 mode passive
 status enable
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:998674b777e5fd1d3a131d93704ea0e1

 

 

Any idea why it's not working?

1 REPLY

You've got a lot going on there but I'd focus on the line "no vpn-addr-assign local". Per the command reference that tells the ASA NOT to use the local pool.

By the way, DHCP on the outside interface looks very counter-intuitive, as does enabling VPN on all interfaces over every protocol.
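
An added example, not part of the original thread and not Cisco tooling: a Python check of the point made in the reply, that an `address-pool` on a tunnel group has no effect while `no vpn-addr-assign local` is set. The sample input is constructed from the address-related lines of the posted configuration; the function names are hypothetical, and only tunnel-group level pools and DHCP servers are examined.

```python
import re

# Constructed sample: the address-related lines of the posted configuration.
SAMPLE_CONFIG = """\
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
no vpn-addr-assign aaa
no vpn-addr-assign local
dhcpd enable inside
dhcpd enable outside
webvpn
 enable inside
 enable outside
 enable dmz
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool SSL-POOL
tunnel-group SSL-Profile type remote-access
tunnel-group SSL-Profile general-attributes
 address-pool SSL-POOL
 default-group-policy GroupPolicy_SSL-Profile
"""

GROUP_RE = re.compile(r"tunnel-group (\S+) general-attributes$")


def parse(config):
    """Collect the statements that decide where a client address comes from."""
    cfg = {"disabled": set(), "pools": set(), "groups": {},
           "webvpn_ifs": [], "dhcpd_ifs": []}
    section = ""
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():  # an unindented command opens a new section
            section = " ".join(words)
            group = GROUP_RE.match(section)
            if words[:2] == ["no", "vpn-addr-assign"]:
                cfg["disabled"].update(words[2:3])
            elif words[:3] == ["ip", "local", "pool"]:
                cfg["pools"].update(words[3:4])
            elif words[:2] == ["dhcpd", "enable"]:
                cfg["dhcpd_ifs"] += words[2:3]
            elif group:
                cfg["groups"].setdefault(group.group(1), {"pools": [], "dhcp": []})
            continue
        group = GROUP_RE.match(section)
        if group and words[0] == "address-pool":
            # skip the optional "(interface)" qualifier, keep the pool names
            cfg["groups"][group.group(1)]["pools"] += [
                w for w in words[1:] if not w.startswith("(")]
        elif group and words[0] == "dhcp-server":
            cfg["groups"][group.group(1)]["dhcp"] += words[1:2]
        elif section == "webvpn" and words[0] == "enable":
            cfg["webvpn_ifs"] += words[1:2]
    return cfg


def audit(config):
    """Return (address_problems, review_notes) for a running-config text."""
    cfg = parse(config)
    # A method is on unless its "no" form appears (the ASA default is enabled).
    local_on, dhcp_on, aaa_on = (m not in cfg["disabled"]
                                 for m in ("local", "dhcp", "aaa"))
    problems, notes = {}, []
    for name, grp in cfg["groups"].items():
        pools = [p for p in grp["pools"] if p in cfg["pools"]]
        # With AAA assignment on, the address may come from the auth server,
        # which cannot be judged from the configuration text alone.
        if (local_on and pools) or (dhcp_on and grp["dhcp"]) or aaa_on:
            continue
        if pools:
            problems[name] = ("address-pool %s is ignored: no vpn-addr-assign local"
                              % ",".join(pools))
        else:
            problems[name] = "no enabled assignment method has a source"
    if "outside" in cfg["dhcpd_ifs"]:
        notes.append("dhcpd is enabled on the interface named outside")
    if len(cfg["webvpn_ifs"]) > 1:
        notes.append("webvpn is enabled on: " + ", ".join(cfg["webvpn_ifs"]))
    return problems, notes


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Removing the `no vpn-addr-assign local` line from the input clears both address problems; the two review notes correspond to the reply's remarks about DHCP on the outside interface and VPN enabled on every interface.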
