10-03-2013 04:55 PM
Hi,
I am setting up an ASA 5505 for remote-access SSL VPN. After successfully logging in with the AnyConnect Secure Mobility client, I am having problems reaching the internal network. A screenshot of the route table on the client is attached.
Can anyone give me a hand? Thanks.
Also, the running configuration is as below:
: Saved
:
ASA Version 8.2(5)
!
hostname myvpn
domain-name paragontesting.ca
names
name 10.30.0.0 Paragon_SSLVPN_IP01
dns-guard
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
 switchport access vlan 5
!
interface Ethernet0/7
 switchport access vlan 5
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.14 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 1
 ip address 10.50.0.1 255.255.255.224
!
interface Vlan5
 no nameif
 security-level 50
 ip address 10.100.0.1 255.255.255.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.0.0.115
 domain-name paragontesting.ca
access-list Internal standard permit 10.0.0.0 255.255.255.0
access-list Internal standard permit Paragon_SSLVPN_IP01 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.0.0.0 255.255.255.0 Paragon_SSLVPN_IP01 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip Paragon_SSLVPN_IP01 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Paragon_SSL_VPN_Pool2 10.30.0.100-10.30.0.109 mask 255.255.255.0
ip local pool Paragon_SSLVPN_Inside 10.30.0.1 mask 255.255.255.255
ip local pool SSL_VPN_IP_Pool 10.30.0.190-10.30.0.199 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.50.0.1 1
route inside 10.20.0.0 255.255.255.0 10.0.0.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host api-0c274afe.duosecurity.com
 timeout 60
 server-port 636
 ldap-base-dn dc=DIAFSBNHYPCDKTTIS10Y,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password *****
 ldap-login-dn dc=DIAFSBNHYPCDKTTIS10Y,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 1.1.1.1 source outside prefer
ssl trust-point selfSign_2012 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc profiles Paragon_SSLVPN_01 disk0:/paragon_sslvpn_01.xml
 svc enable
 tunnel-group-list enable
group-policy ParagonPolicy01 internal
group-policy ParagonPolicy01 attributes
 wins-server none
 dns-server value 10.0.0.115
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Internal
 default-domain value paragontesting.ca
 webvpn
  url-list none
  customization value Due01
group-policy DfltGrpPolicy attributes
 dns-server value 10.0.0.115
 vpn-tunnel-protocol webvpn
 default-domain value paragontesting.ca
 webvpn
  url-list value Paragon01
  customization value Due01
username cisco password nt-encrypted
username cisco attributes
 service-type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool (outside) SSL_VPN_IP_Pool
 address-pool SSL_VPN_IP_Pool
 authentication-server-group (outside) LOCAL
 authorization-server-group LOCAL
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization Due01
tunnel-group ParagonSSLVPN type remote-access
tunnel-group ParagonSSLVPN general-attributes
 address-pool Paragon_SSL_VPN_Pool2
 default-group-policy ParagonPolicy01
tunnel-group ParagonSSLVPN webvpn-attributes
 customization Due01
 group-alias SSLVPN enable
 group-url https://10.50.0.1/SSLVPN disable
!
!
prompt hostname context
no call-home reporting anonymous
: end
asdm location Paragon_SSLVPN_IP01 255.255.255.0 inside
no asdm history enable
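The three things a practitioner checks first when AnyConnect authenticates but nothing behind the ASA answers are the NAT exemption for the pool, the default route, and whether decrypted VPN traffic is allowed through the interface ACL. The script below automates those checks for pre-8.3 NAT syntax. It is an added example, not code from the original post or from Cisco: the ASA_CONFIG string is an excerpt of the configuration posted above, while the check functions, the `audit()` entry point and the finding messages are this example's own.

```python
"""Sanity checks for an ASA 8.2 (pre-8.3 NAT syntax) remote-access SSL VPN config.
Added example, not code from the original post. ASA_CONFIG is an excerpt of the
posted running-config; check names and messages are this example's own."""
import ipaddress
import re

ASA_CONFIG = """\
name 10.30.0.0 Paragon_SSLVPN_IP01
interface Vlan1
 nameif inside
 ip address 10.0.0.14 255.255.255.0
interface Vlan2
 nameif outside
 ip address 10.50.0.1 255.255.255.224
access-list inside_nat0_outbound_1 extended permit ip 10.0.0.0 255.255.255.0 Paragon_SSLVPN_IP01 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip Paragon_SSLVPN_IP01 255.255.255.0 10.0.0.0 255.255.255.0
ip local pool Paragon_SSL_VPN_Pool2 10.30.0.100-10.30.0.109 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
route outside 0.0.0.0 0.0.0.0 10.50.0.1 1
no sysopt connection permit-vpn
webvpn
 enable outside
tunnel-group ParagonSSLVPN general-attributes
 address-pool Paragon_SSL_VPN_Pool2
"""


def parse_names(lines):
    """Map `name <ip> <label>` entries so ACLs written with labels can be resolved."""
    names = {}
    for l in lines:
        m = re.match(r"name (\S+) (\S+)$", l)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_interfaces(lines):
    """Return {nameif: ip} from `interface` blocks (ASA indents sub-commands one space)."""
    ifaces, cur = {}, None
    for l in lines:
        if l.startswith("interface "):
            cur = {}
        elif l.startswith(" ") and cur is not None:
            p = l.split()
            if p[0] == "nameif":
                ifaces[p[1]] = cur  # same dict object receives the ip below
            elif p[:2] == ["ip", "address"]:
                cur["ip"] = p[2]
        else:
            cur = None  # any other top-level line ends the interface block
    return {n: d.get("ip") for n, d in ifaces.items()}


def check_default_route(lines, ifaces):
    """A default route whose next hop is the ASA's own interface address reaches nothing."""
    for l in lines:
        m = re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", l)
        if m and ifaces.get(m.group(1)) == m.group(2):
            return (f"default route on '{m.group(1)}' uses the ASA's own address "
                    f"{m.group(2)} as next hop; it must be the upstream gateway")
    return None


def check_vpn_traffic_filter(lines):
    """With `no sysopt connection permit-vpn`, decrypted VPN traffic is checked against the
    inbound ACL of the interface it terminates on; no access-group there means implicit deny."""
    if "no sysopt connection permit-vpn" not in lines:
        return None
    text = "\n".join(lines)
    vpn_ifaces = re.findall(r"^ enable (\S+)$", text, re.M)  # `webvpn` > `enable <iface>`
    acl_ifaces = re.findall(r"^access-group \S+ in interface (\S+)", text, re.M)
    missing = [i for i in vpn_ifaces if i not in acl_ifaces]
    if missing:
        return ("sysopt connection permit-vpn is disabled and no inbound access-group is "
                f"applied on {', '.join(missing)}; VPN traffic hits the implicit deny")
    return None


def check_nat_exemption(lines, names):
    """Every pool handed to a tunnel-group must fall inside a `nat (...) 0 access-list` entry,
    otherwise nat-control / dynamic PAT gets in the way of pool <-> inside traffic."""
    text = "\n".join(lines)
    pools = {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
             for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+) mask", text, re.M)}
    nat0_acls = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", text, re.M))
    exempt = []
    for m in re.finditer(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", text, re.M):
        if m.group(1) not in nat0_acls:
            continue
        try:
            for host, mask in ((m.group(2), m.group(3)), (m.group(4), m.group(5))):
                exempt.append(ipaddress.ip_network(f"{names.get(host, host)}/{mask}", strict=False))
        except ValueError:  # `host`/`any` keyword entries are not network/mask pairs; skip them
            continue
    findings = []
    for pool in re.findall(r"^ address-pool (?:\(\S+\) )?(\S+)", text, re.M):
        if pool in pools:
            lo, hi = pools[pool]
            if not any(lo in n and hi in n for n in exempt):
                findings.append(f"pool {pool} ({lo}-{hi}) is not covered by any NAT-exempt ACL entry")
    return findings


def audit(config):
    """Run all checks; returns a list of human-readable findings (empty means clean)."""
    lines = [l.rstrip() for l in config.splitlines()]
    names, ifaces = parse_names(lines), parse_interfaces(lines)
    findings = [check_default_route(lines, ifaces), check_vpn_traffic_filter(lines)]
    findings += check_nat_exemption(lines, names)
    return [f for f in findings if f]


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG):
        print("-", finding)
```

Run against the posted excerpt it reports two findings: the default route's next hop (10.50.0.1) is the outside interface's own address rather than an upstream gateway, and `no sysopt connection permit-vpn` is set while no access-group is applied on `outside`, so decrypted AnyConnect traffic is subject to the interface's implicit deny. The NAT-exemption check passes, because Paragon_SSL_VPN_Pool2 sits inside 10.30.0.0/24, which inside_nat0_outbound_1 exempts in both directions. On ASA 8.3 and later the NAT check would have to parse object NAT instead of `nat (inside) 0 access-list`.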