Why can't my VPN clients access network drives and resources?

tinkertronix
Level 1

I have a Cisco ASA 5505 set up to be a VPN gateway. I can dial into the VPN using the AnyConnect client. The remote user is assigned an IP address according to my specifications. However, the remote user cannot access ANY network resources such as networked drives or the fax server. I have done all I can to set the right NAT and ACL settings, but to no avail. I am posting my config; if anyone can spot the issue, it would be appreciated!

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name cisco

enable password xxxxxxxxxxxxx

passwd xxxxxxxxxxxxxxxxx

names

name 68.191.xxx.xxx outside

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.201.200 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address outside 255.255.255.0

!

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.201.1

domain-name cisco

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network obj-192.168.201.0

access-list NAT-EXEMPT extended permit ip 192.168.201.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list NAT-EXEMPT extended permit ip any 192.168.202.0 255.255.255.0

access-list NAT-EXEMPT extended permit ip 192.168.202.0 255.255.255.0 any

access-list NAT-EXEMPT extended permit icmp any any

access-list any extended permit ip any any

access-list any extended permit object-group TCPUDP any any

access-list any extended permit icmp any any

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit object-group TCPUDP any any

access-list inside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit object-group TCPUDP any any

access-list outside_access_in extended permit icmp any any

access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.201.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list inside_nat0_outbound extended permit icmp any any

access-list inside_nat0_outbound_1 extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool KunduVPN 192.168.202.1-192.168.202.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound_1 outside

nat (inside) 1 192.168.201.0 255.255.255.0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route inside 0.0.0.0 0.0.0.0 192.168.201.1 1

route inside 0.0.0.0 255.255.255.255 outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.201.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ciscoasa

keypair xxx

proxy-ldc-issuer

crl configure

xxxxxxxxxxxxxxxxxxxxxxxx

  quit

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

enable inside

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 192.168.201.1

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

default-domain value cisco

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

webvpn

  svc ask enable

group-policy KunduVPN internal

group-policy KunduVPN attributes

wins-server none

dns-server value 192.168.201.1

vpn-tunnel-protocol svc webvpn

default-domain value cisco

username   xxxx

username  xxxxx

vpn-group-policy DfltGrpPolicy

tunnel-group DefaultRAGroup general-attributes

address-pool VPNIP

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group KunduVPN type remote-access

tunnel-group KunduVPN general-attributes

address-pool (inside) VPNIP

address-pool KunduVPN

authentication-server-group (inside) LOCAL

default-group-policy KunduVPN

tunnel-group KunduVPN webvpn-attributes

group-alias KunduVPN enable

group-url https://68.191.xxx.xxx/KunduVPN enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:c0e4540d4a07f2c544f0eddb653627cc

: end

no asdm history enable


12 Replies

Jouni Forss
VIP Alumni

Hi,

Some observations from the configuration.

The "route" commands don't really make sense

route inside 0.0.0.0 0.0.0.0 192.168.201.1 1

route inside 0.0.0.0 255.255.255.255 outside 1

The default route points to your LAN and the other "route" seems useless also

You should have

route outside 0.0.0.0 0.0.0.0

You also seem to have a NAT0 configuration that is supposed to prevent the ASA doing NAT for any traffic which seems strange

I would suggest

access-list INSIDE-NAT0 remark NAT0 for VPN

access-list INSIDE-NAT0 permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0

no nat (inside) 0 access-list inside_nat0_outbound_1 outside

nat (inside) 0 access-list INSIDE-NAT0

Though I am kinda wondering how this ASA can operate at all for any host since the default route and NAT0 are configured this way.

Can you check the above things?

Hope this helps

- Jouni

A lot of the garbage in that config is from hours of trying to just "make things work". I'm modifying my config in the way you suggested. Some of it may be due to the fact that I've had to use my "inside" interface for the tunnel by forwarding port 443 on the router it is connected to. I know that it's not a very good setup, but because this network was poorly managed over the years, it seems like any changes I make have a ripple effect that brings the whole office to its knees. I'm trying your fixes now, and I'll let you know.

Ok. I removed the two offending routes and added the one you suggested. I also changed the ACL. I'll post a new config. Still no connection. When I try to ping 192.168.201.60 from 192.168.202.2 it just fails.

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name cisco

enable password xxx encrypted

passwd xxx encrypted

names

name 68.191.xxx.xxx outside

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.201.200 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address outside 255.255.255.0

!

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.201.1

domain-name cisco

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network obj-192.168.201.0

access-list NAT-EXEMPT extended permit ip 192.168.201.0 255.255.255.0 192.168.201.0 255.255.255.0 inactive

access-list NAT-EXEMPT extended permit ip any 192.168.202.0 255.255.255.0 inactive

access-list NAT-EXEMPT extended permit ip 192.168.202.0 255.255.255.0 any inactive

access-list NAT-EXEMPT extended permit icmp any any inactive

access-list any extended permit ip any any inactive

access-list any extended permit object-group TCPUDP any any inactive

access-list any extended permit icmp any any inactive

access-list inside_access_in extended permit ip any any inactive

access-list inside_access_in extended permit object-group TCPUDP any any inactive

access-list inside_access_in extended permit icmp any any inactive

access-list outside_access_in extended permit ip any any inactive

access-list outside_access_in extended permit object-group TCPUDP any any inactive

access-list outside_access_in extended permit icmp any any inactive

access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.201.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0 inactive

access-list inside_nat0_outbound extended permit icmp any any inactive

access-list inside_nat0_outbound_1 extended permit ip any any inactive

access-list INSIDE-NAT0 remark NAT0 for VPN

access-list INSIDE-NAT0 extended permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool VPNIP 192.168.201.201-192.168.201.250 mask 255.255.255.0

ip local pool KunduVPN 192.168.202.1-192.168.202.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list INSIDE-NAT0

nat (inside) 1 192.168.201.0 255.255.255.0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 68.191.229.121 1

route outside 0.0.0.0 255.255.255.255 68.191.229.121 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.201.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

  quit

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

enable inside

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 192.168.201.1

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

default-domain value cisco

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

webvpn

  svc ask enable

group-policy KunduVPN internal

group-policy KunduVPN attributes

wins-server none

dns-server value 192.168.201.1

vpn-tunnel-protocol svc webvpn

default-domain value cisco

username test password P4ttSyrm33SV8TYp encrypted

username RomaT password Bj5wAxjI5c95ZBqu encrypted privilege 0

username RomaT attributes

vpn-group-policy DfltGrpPolicy

tunnel-group DefaultRAGroup general-attributes

address-pool VPNIP

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group KunduVPN type remote-access

tunnel-group KunduVPN general-attributes

address-pool (inside) VPNIP

address-pool KunduVPN

authentication-server-group (inside) LOCAL

default-group-policy KunduVPN

tunnel-group KunduVPN webvpn-attributes

group-alias KunduVPN enable

group-url https://68.191.229.122/KunduVPN enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:8f3ab6d716ea47e853c8cd55ba5be3e4

: end

no asdm history enable

Ok,

Some things to try/check

You could add the command

management-access inside

This would enable connections through the VPN to the "inside" interface IP address directly. You could for example try to send ICMP to the interface IP address of 192.168.201.200 directly and see if that works. If it works, this would confirm that the VPN is at least forwarding the traffic to the ASA.

You could naturally also configure traffic capture for the ICMP traffic and confirm that the ASA sees ICMP Echo from the VPN Client leaving through the "inside" interface and if it sees anything coming back.

access-list VPN-CAP permit icmp 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list VPN-CAP permit icmp 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0

capture VPN-CAP type raw-data access-list VPN-CAP interface inside buffer 1000000 circular-buffer

You could then connect with the VPN Client and try ICMP and then issue the command

show capture

This should tell us if any traffic is captured. If you see traffic captured then you can issue the following command

show capture VPN-CAP

This should tell us what the ASA has actually captured and would show us if the internal host replies to the ICMP

You could also send the capture to a host and open it with Wireshark for example

copy /pcap capture:VPN-CAP tftp://x.x.x.x/VPN-CAP.pcap

Though if you can't access any LAN host then I guess you might be able to maybe even send it to your VPN Client

You can remove the capture and its data with the command (this won't remove the ACL)

no capture VPN-CAP

- Jouni

I just noticed I am now also getting error messages, which is new. They are as follows.

3          Jan 30 2014          09:10:06          710003          71.87.x.x          49672          192.168.201.200          80          TCP access denied by ACL from 71.87.X.x/49672 to inside:192.168.201.200/80

and

6          Jan 30 2014          09:11:20          110003          192.168.201.200          443          71.87.x.x 49675          Routing failed to locate next hop for TCP from inside:192.168.201.200/443 to inside:71.87.x.x/49675

The 71.87.x.x IP is the remote user's IP address.

Also, since making your initial changes, I can now no longer get to the AnyConnect login screen.
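The two log lines above carry ASA message IDs 710003 and 110003. As an added example (not from the thread and not Cisco's code), this Python script parses both the ASDM log-viewer format the poster pasted and the equivalent %ASA syslog form, extracts the interface, address and port fields, and classifies each event along the lines Jouni follows in the thread: 710003 is a connection to the ASA's own interface address being refused (not through-traffic to a LAN host), and 110003 with the same interface on both sides means the ASA found no next hop back to the remote client out of the interface the session arrived on, which points at the default route. The two ASDM lines are taken from the post (with the poster's x.x redactions kept); the %ASA syslog lines and the 203.0.113.7 client address in them are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the two lines quoted in the post above (ASDM log
# viewer format, poster's x.x redactions kept) plus the same two message IDs
# in %ASA syslog form with a placeholder client address from 203.0.113.0/24.
SAMPLE_LINES = [
    "3          Jan 30 2014          09:10:06          710003          71.87.x.x          49672          192.168.201.200          80          TCP access denied by ACL from 71.87.X.x/49672 to inside:192.168.201.200/80",
    "6          Jan 30 2014          09:11:20          110003          192.168.201.200          443          71.87.x.x 49675          Routing failed to locate next hop for TCP from inside:192.168.201.200/443 to inside:71.87.x.x/49675",
    "%ASA-3-710003: TCP access denied by ACL from 203.0.113.7/51000 to inside:192.168.201.200/443",
    "%ASA-6-110003: Routing failed to locate next hop for TCP from inside:192.168.201.200/443 to inside:203.0.113.7/51000",
]

# ASDM table rows: severity, date, time, 6-digit message ID, then the address
# columns and the message text. Syslog rows: %ASA-<severity>-<id>: <text>.
ASDM_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<date>[A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"
    r"(?P<time>\d\d:\d\d:\d\d)\s+(?P<id>\d{6})\s+(?P<rest>.*)$"
)
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<rest>.*)$")

# Message-text patterns for the two IDs seen in the thread. Addresses are
# matched loosely so redacted forms such as 71.87.X.x still parse.
MSG_RE = {
    "710003": re.compile(
        r"(?P<proto>TCP|UDP) access denied by ACL from (?P<src>[\w.]+)/(?P<sport>\d+) "
        r"to (?P<dif>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+)"
    ),
    "110003": re.compile(
        r"Routing failed to locate next hop for (?P<proto>\w+) from "
        r"(?P<sif>\w+):(?P<src>[\w.]+)/(?P<sport>\d+) to "
        r"(?P<dif>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+)"
    ),
}


@dataclass
class AsaEvent:
    severity: int
    msg_id: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    src_if: Optional[str]  # only 110003 names the ingress interface
    dst_if: str


def parse_asa_line(line: str) -> Optional[AsaEvent]:
    """Return a structured event for a known message ID, else None."""
    m = ASDM_RE.match(line.strip()) or SYSLOG_RE.search(line)
    if m is None or m.group("id") not in MSG_RE:
        return None
    d = MSG_RE[m.group("id")].search(m.group("rest"))
    if d is None:
        return None
    f = d.groupdict()
    return AsaEvent(
        severity=int(m.group("sev")), msg_id=m.group("id"), proto=f["proto"],
        src=f["src"], sport=int(f["sport"]), dst=f["dst"], dport=int(f["dport"]),
        src_if=f.get("sif"), dst_if=f["dif"],
    )


def triage(ev: AsaEvent) -> str:
    """One-line reading of the event, following the reasoning in the thread."""
    if ev.msg_id == "710003":
        return (f"to-the-box: {ev.src}/{ev.sport} tried to reach the ASA's own "
                f"{ev.dst_if} address {ev.dst}/{ev.dport} and was denied; "
                f"this is not through-traffic to a LAN host")
    if ev.msg_id == "110003" and ev.src_if == ev.dst_if:
        return (f"no next hop: reply to {ev.dst} would leave {ev.dst_if}, the same "
                f"interface the session arrived on; check the default route")
    return f"no next hop for {ev.dst} via {ev.dst_if}; check the routing table"


def count_by_id(lines: List[str]) -> Dict[str, int]:
    """Count parsed events per message ID (unparseable lines are skipped)."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_asa_line(line)
        if ev is not None:
            counts[ev.msg_id] = counts.get(ev.msg_id, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_asa_line(line)
        print(ev.msg_id, ev.src, "->", f"{ev.dst_if}:{ev.dst}/{ev.dport}", "|", triage(ev))
    print(count_by_id(SAMPLE_LINES))
```

Feeding a `show logging` export or an ASDM log-viewer copy into `count_by_id` gives a quick picture of whether the failures are to-the-box denials or routing drops before any capture is set up.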

Hi,

Is there actually anything connected to your "outside" interface then? If these connections are coming from behind the "inside" interface then this is truly a strange setup.

You can confirm if anything is connected behind the "outside" interface with the command

show arp

It should show ARP of the devices directly connected to the ASA or through some other L2 device.

If your users' gateway out of the LAN network truly is located behind the "inside" interface then you probably need to add the old default route back to the configuration instead of the one pointing to the "outside".

The NAT0 configuration should still apply.

- Jouni

Also,

Is the ASA gateway for your LAN users or some other device?

Just wondering if the original NAT0 configuration is actually required if all your traffic just takes a turn at the ASA before heading to some other gateway device out of the network.

- Jouni

This is how the network was set up when I got to it. There is a broadband modem/gateway connected to a Charter cable connection. This gateway seems to be functioning as a bridge which hands all traffic over to a common wireless router. The router has a connection to a 16-port switch that all the office PCs are connected to. Some PCs have static IPs, some are DHCP. There is also an application file server and a fax server on the 16-port switch. Because they have so many ports forwarded to random machines, and static IPs that make no sense organizationally. When I attempted to connect the ASA directly to the broadband modem/gateway, I could not get any traffic from the outside world into the ASA. Moving it behind the router seemed to fix that. However, the router was still blocking SSL traffic. So I forwarded port 443 on the router to the inside interface and turned on VPN access on the inside interface. This finally gave me outside VPN access, but I still couldn't get access to networked drives through the VPN.

Hi,

What is the gateway IP address of the LAN hosts/servers?

If it's not the ASA "inside" interface IP address then I would presume that the problem with the VPN is simply routing.

If for example your LAN hosts/servers use the Wireless router as their gateway of the LAN then the following would happen to your VPN Clients' connections.

  • User's VPN client connection forms through the Wireless Router's Static PAT (Port Forward) configuration to the ASA "inside" interface
  • VPN Client sends traffic through the VPN connection to the ASA and again to the LAN host or server.
  • LAN host/server sees the connection coming from a different network than the LAN (192.168.202.0/24) and therefore forwards traffic to the default gateway, which would presumably be the Wireless Router.
  • Wireless router has no route for network 192.168.202.0/24 (VPN Pool) and therefore uses its default route towards the external network to forward the traffic.
  • VPN Client host never receives the return traffic as it's forwarded to the external network and dropped by the ISP

So if the above presumption is correct then you would at least need a route configuration on the Wireless Router that tells that device to forward traffic towards network 192.168.202.0/24 to the gateway IP address of 192.168.201.200 (which is the ASA).

Let me know if the setup is as described above.

- Jouni
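Jouni's walkthrough above traces a packet from the VPN pool to a LAN host and the reply back. As an added example that is not from the thread, the following Python model reproduces that trace with longest-prefix-match routing tables for the four devices involved (VPN client, ASA, wireless router, LAN host), first with the wireless router lacking a route for 192.168.202.0/24 and then with the static route he recommends pointing the pool at 192.168.201.200. The LAN host 192.168.201.60 and the client address 192.168.202.2 come from the poster's ping test; the node names and the "isp" sink that drops the private destination are assumptions standing in for the rest of the network.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next hop). The next hop is another node's name,
# "connected" (deliver on the local LAN to whichever node owns the address)
# or "isp" (assumed sink: the ISP has no route back into private address
# space, so the packet is lost there, as the post above describes).
Route = Tuple[str, str]


class Node:
    def __init__(self, name: str, addresses: List[str], routes: List[Route]):
        self.name = name
        self.addresses = {ip_address(a) for a in addresses}
        self.routes = [(ip_network(prefix), nh) for prefix, nh in routes]

    def lookup(self, dst) -> Optional[str]:
        """Longest-prefix match; returns the next-hop token or None."""
        best = None
        for net, next_hop in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return None if best is None else best[1]


def build_topology(router_has_vpn_route: bool) -> Dict[str, Node]:
    """Constructed topology: ASA on the LAN, wireless router as LAN gateway."""
    router_routes = [("192.168.201.0/24", "connected"), ("0.0.0.0/0", "isp")]
    if router_has_vpn_route:
        # The fix proposed above: the wireless router sends the VPN pool to the ASA.
        router_routes.insert(0, ("192.168.202.0/24", "asa"))
    nodes = [
        Node("vpn-client", ["192.168.202.2"], [("192.168.201.0/24", "asa")]),
        Node("asa", ["192.168.201.200"], [
            ("192.168.201.0/24", "connected"),
            ("192.168.202.0/24", "vpn-client"),  # the AnyConnect tunnel
            ("0.0.0.0/0", "router"),             # route inside 0.0.0.0 0.0.0.0 192.168.201.1
        ]),
        Node("router", ["192.168.201.1"], router_routes),
        Node("lan-host", ["192.168.201.60"], [
            ("192.168.201.0/24", "connected"),
            ("0.0.0.0/0", "router"),             # LAN hosts use the wireless router as gateway
        ]),
    ]
    return {n.name: n for n in nodes}


def trace(topology: Dict[str, Node], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Hop-by-hop forwarding of one packet; the last element says what happened."""
    dst_ip = ip_address(dst)
    node = topology[start]
    path = [node.name]
    for _ in range(max_hops):
        if dst_ip in node.addresses:
            path.append("delivered")
            return path
        next_hop = node.lookup(dst_ip)
        if next_hop is None:
            path.append("dropped: no route")
            return path
        if next_hop == "isp":
            path.extend(["isp", "dropped: private destination"])
            return path
        if next_hop == "connected":
            owner = next((n for n in topology.values() if dst_ip in n.addresses), None)
            if owner is None:
                path.append("dropped: no such host on link")
                return path
            node = owner
        else:
            node = topology[next_hop]
        path.append(node.name)
    path.append("dropped: hop limit")
    return path


def vpn_round_trip_ok(topology: Dict[str, Node]) -> bool:
    """True only if both the request and the reply reach their destination."""
    fwd = trace(topology, "vpn-client", "192.168.201.60")
    ret = trace(topology, "lan-host", "192.168.202.2")
    return fwd[-1] == "delivered" and ret[-1] == "delivered"


if __name__ == "__main__":
    for label, topo in (("without route", build_topology(False)),
                        ("with route   ", build_topology(True))):
        print(label, "forward:", " -> ".join(trace(topo, "vpn-client", "192.168.201.60")))
        print(label, "return: ", " -> ".join(trace(topo, "lan-host", "192.168.202.2")))
        print(label, "round trip ok:", vpn_round_trip_ok(topo))
```

The forward direction succeeds in both cases, which is why the client gets an address and the tunnel looks healthy; only the return path differs, and that is the asymmetry a ping from the pool to 192.168.201.60 exposes.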

The office has started their business day so I cannot access the network again until later today when the doctors have gone home. I will get all the info I can when they pack up for the day.

I'm pretty sure you've hit the nail on the head. Routing has got to be the issue. Later tonight I'm going to try to put the ASA between the gateway and the router and reconfigure. I didn't want to do something that high up on the network infrastructure, but the router cannot route traffic to any subnet besides its own, so this is my only choice. If I hit problems I'll probably post another reply on here. Thank you so much for your help so far JouniForss!

You were absolutely right. I had to bite the bullet and restructure the network. Once I put it together in a logical, organized manner, I had no issues. Thank you Jouni!
