
Cisco ASA 5515 - Anyconnect users can't ping other Anyconnect users. How can I allow icmp traffic between Anyconnect users?

Dosmakhanbetov (Level 1)

ASA configuration is below!



ASA Version 9.1(1)
!
hostname ASA
domain-name xxx.xx
names
ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Interface_to_VPN
 nameif outside
 security-level 0
 ip address 111.222.333.444 255.255.255.240
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name www.ww
same-security-traffic permit intra-interface
object network LAN
 subnet 192.168.11.0 255.255.255.0
 description LAN
object network SSLVPN_POOL
 subnet 192.168.12.0 255.255.255.0
access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list none
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint5
 enrollment terminal
 email user@domain.com
 subject-name CN=ASA
 ip-address 111.222.333.444
 crl configure
crypto ca trustpoint ASDM_TrustPoint6
 enrollment terminal
 fqdn vpn.domain.com
 email user@domain.com
 subject-name CN=vpn.domain.com
 ip-address 111.222.333.444
 keypair sslvpn
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint6
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd address 192.168.5.2-192.168.5.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint6 outside
webvpn
 enable outside
 csd image disk0:/csd_3.5.2008-k9.pkg
 anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy VPN_CLIENT_POLICY internal
group-policy VPN_CLIENT_POLICY attributes
 wins-server none
 dns-server value 192.168.11.198
 vpn-simultaneous-logins 5
 vpn-session-timeout 480
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_CLIENT_ACL
 default-domain value mycomp.local
 address-pools value VPN_CLIENT_POOL
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect dtls compression lzs
  anyconnect modules value vpngina
  customization value DfltCustomization
group-policy IT_POLICY internal
group-policy IT_POLICY attributes
 wins-server none
 dns-server value 192.168.11.198
 vpn-simultaneous-logins 3
 vpn-session-timeout 120
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_CLIENT_ACL
 default-domain value company.com
 address-pools value VPN_CLIENT_POOL
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect dtls compression lzs
  customization value DfltCustomization
username vpnuser password PA$$WORD encrypted
username vpnuser attributes
 vpn-group-policy VPN_CLIENT_POLICY
 service-type remote-access
username vpnuser2 password PA$$W encrypted
username vpnuser2 attributes
 service-type remote-access
username admin password ADMINPA$$ encrypted privilege 15
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_CLIENT_POOL
 default-group-policy VPN_CLIENT_POLICY
tunnel-group VPN webvpn-attributes
 authentication aaa certificate
 group-alias VPN_to_R enable
tunnel-group IT_PROFILE type remote-access
tunnel-group IT_PROFILE general-attributes
 address-pool VPN_CLIENT_POOL
 default-group-policy IT_POLICY
tunnel-group IT_PROFILE webvpn-attributes
 authentication aaa certificate
 group-alias IT enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

1 Accepted Solution

Accepted Solutions

Hi,

here's what you need:

same-security-traffic permit intra-interface

access-list VPN_CLIENT_ACL standard permit 192.168.12.0 255.255.255.0

nat (outside,outside) source static SSLVPN_POOL SSLVPN_POOL destination static SSLVPN_POOL SSLVPN_POOL

Patrick

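An added check, not part of the thread, that audits an ASA running-config for what the accepted answer asks for. Note that the posted config already has `same-security-traffic permit intra-interface`, so the two lines that actually change behaviour are the extra `VPN_CLIENT_ACL` entry (so the clients route 192.168.12.0/24 into the tunnel) and the `nat (outside,outside)` identity rule (so the hairpinned pool-to-pool traffic is not caught by NAT). The script also lists group policies that get this client-to-client reachability without a `vpn-filter`, because once hairpinning works every AnyConnect user can reach every other user's host unless such a filter restricts it. Assumptions (not from the page): the VPN terminates on an interface named `outside`, the caller names the object that covers the pool (`SSLVPN_POOL`), and attribute blocks use the one-space indentation that `show running-config` emits. The sample configs below are constructed excerpts of the posted one.

```python
"""Added example (not from the thread): audit an ASA config for the settings
AnyConnect client-to-client (hairpin) traffic needs, per the accepted answer.
Assumes the VPN interface is 'outside' and one-space indented attribute blocks."""
import ipaddress
import re


def parse_objects(cfg):
    """Map 'object network NAME' -> ip_network taken from its 'subnet' line."""
    objs, name = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m and name:
            objs[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            name = None
    return objs


def group_policies(cfg):
    """Collect split-tunnel and vpn-filter settings per 'group-policy X attributes' block."""
    pols, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):           # any top-level command ends the current block
            m = re.match(r"group-policy (\S+) attributes$", line)
            cur = pols.setdefault(m.group(1), {}) if m else None
            continue
        if cur is None:
            continue
        last = line.split()[-1]
        if line.startswith("split-tunnel-policy "):
            cur["policy"] = last
        elif line.startswith("split-tunnel-network-list value "):
            cur["acl"] = last
        elif line.startswith("vpn-filter value "):
            cur["vpn_filter"] = last
    return pols


def acl_networks(cfg, acl_name):
    """Networks permitted by a standard ACL (the form split-tunnel lists use)."""
    pat = re.compile(rf"access-list {re.escape(acl_name)} standard permit (\S+) (\S+)$")
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            for m in (pat.match(l.strip()) for l in cfg.splitlines()) if m]


def audit_client_to_client(cfg, pool_obj, iface="outside"):
    lines = {l.strip() for l in cfg.splitlines()}
    pool = parse_objects(cfg)[pool_obj]
    p = re.escape(pool_obj)
    nat_pat = re.compile(rf"nat \({iface},{iface}\) source static {p} {p} "
                         rf"destination static {p} {p}$")
    f = {
        "intra_interface": "same-security-traffic permit intra-interface" in lines,
        "hairpin_identity_nat": any(nat_pat.match(l) for l in lines),
        "policies_missing_pool_in_split_acl": [],
        "policies_without_vpn_filter": [],   # these get full client-to-client reach
    }
    for name, gp in group_policies(cfg).items():
        if gp.get("policy") == "tunnelspecified":
            if not any(pool.subnet_of(n) for n in acl_networks(cfg, gp.get("acl", ""))):
                f["policies_missing_pool_in_split_acl"].append(name)
        if "vpn_filter" not in gp:
            f["policies_without_vpn_filter"].append(name)
    f["client_to_client_ok"] = (f["intra_interface"] and f["hairpin_identity_nat"]
                                and not f["policies_missing_pool_in_split_acl"])
    return f


# Constructed excerpt of the posted config, before the accepted answer's changes.
BEFORE = """\
same-security-traffic permit intra-interface
object network LAN
 subnet 192.168.11.0 255.255.255.0
 description LAN
object network SSLVPN_POOL
 subnet 192.168.12.0 255.255.255.0
access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
group-policy VPN_CLIENT_POLICY internal
group-policy VPN_CLIENT_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_CLIENT_ACL
group-policy IT_POLICY internal
group-policy IT_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_CLIENT_ACL
"""
# The two lines from the accepted answer that the posted config did not already have.
FIX = """\
access-list VPN_CLIENT_ACL standard permit 192.168.12.0 255.255.255.0
nat (outside,outside) source static SSLVPN_POOL SSLVPN_POOL destination static SSLVPN_POOL SSLVPN_POOL
"""
AFTER = BEFORE + FIX

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_client_to_client(cfg, "SSLVPN_POOL"))
```

Run it against `show running-config` output saved to a file to confirm the fix landed; both sample policies show up in `policies_without_vpn_filter` even after the fix, which is the prompt to decide whether unrestricted user-to-user reachability is what you want.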

2 Replies


Hi,

Thank you for your reply!