Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
393
Views
0
Helpful
0
Replies

Unable to reach internal network after remote SSL VPN connection

edliang321
Level 1
Level 1

‎10-03-2013 04:55 PM

Hi,

I am setting up ASA 5505 for remote access SSL VPN now. After successfully login with Anyconnect Mobile Secure client, I am having problem to reach internal network. The screen shot of the route table on the client is as attached.

Can anyone give me a hand? Thanks.

Also, the running configuration is as below:

: Saved

:

ASA Version 8.2(5)

!

hostname myvpn

domain-name paragontesting.ca

names

name 10.30.0.0 Paragon_SSLVPN_IP01

dns-guard

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 5

!

interface Ethernet0/6

switchport access vlan 5

!

interface Ethernet0/7

switchport access vlan 5

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.14 255.255.255.0

!

interface Vlan2

nameif outside

security-level 1

ip address 10.50.0.1 255.255.255.224

!

interface Vlan5

no nameif

security-level 50

ip address 10.100.0.1 255.255.255.0

!

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 10.0.0.115

domain-name paragontesting.ca

access-list Internal standard permit 10.0.0.0 255.255.255.0

access-list Internal standard permit Paragon_SSLVPN_IP01 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip 10.0.0.0 255.255.255.0 Paragon_SSLVPN_IP01 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip Paragon_SSLVPN_IP01 255.255.255.0 10.0.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool Paragon_SSL_VPN_Pool2 10.30.0.100-10.30.0.109 mask 255.255.255.0

ip local pool Paragon_SSLVPN_Inside 10.30.0.1 mask 255.255.255.255

ip local pool SSL_VPN_IP_Pool 10.30.0.190-10.30.0.199 mask 255.255.255.240

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound_1

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 10.50.0.1 1

route inside 10.20.0.0 255.255.255.0 10.0.0.11 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server Duo-LDAP protocol ldap

aaa-server Duo-LDAP (outside) host api-0c274afe.duosecurity.com

timeout 60

server-port 636

ldap-base-dn dc=DIAFSBNHYPCDKTTIS10Y,dc=duosecurity,dc=com

ldap-naming-attribute cn

ldap-login-password *****

ldap-login-dn dc=DIAFSBNHYPCDKTTIS10Y,dc=duosecurity,dc=com

ldap-over-ssl enable

server-type auto-detect

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no sysopt connection permit-vpn

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

vpn-addr-assign local reuse-delay 5

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 1.1.1.1 source outside prefer

ssl trust-point selfSign_2012 outside

webvpn

enable outside

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc profiles Paragon_SSLVPN_01 disk0:/paragon_sslvpn_01.xml

svc enable

tunnel-group-list enable

group-policy ParagonPolicy01 internal

group-policy ParagonPolicy01 attributes

wins-server none

dns-server value 10.0.0.115

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Internal

default-domain value paragontesting.ca

webvpn

  url-list none

  customization value Due01

group-policy DfltGrpPolicy attributes

dns-server value 10.0.0.115

vpn-tunnel-protocol webvpn

default-domain value paragontesting.ca

webvpn

  url-list value Paragon01

  customization value Due01

username cisco password  nt-encrypted

username cisco attributes

service-type remote-access

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool (outside) SSL_VPN_IP_Pool

address-pool SSL_VPN_IP_Pool

authentication-server-group (outside) LOCAL

authorization-server-group LOCAL

tunnel-group DefaultWEBVPNGroup webvpn-attributes

customization Due01

tunnel-group ParagonSSLVPN type remote-access

tunnel-group ParagonSSLVPN general-attributes

address-pool Paragon_SSL_VPN_Pool2

default-group-policy ParagonPolicy01

tunnel-group ParagonSSLVPN webvpn-attributes

customization Due01

group-alias SSLVPN enable

group-url https://10.50.0.1/SSLVPN disable

!

!

prompt hostname context

no call-home reporting anonymous

: end

asdm location Paragon_SSLVPN_IP01 255.255.255.0 inside

no asdm history enable

Labels:
Preview file
46 KB
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents