Solved

No network access with VPN Anyconnect on ASA5510

Posted on 2009-07-10
1,637 Views
Last Modified: 2012-05-07
I have a working ASA5510 if I only use SSL clientless VPN.  Users are OK when using a browser-based connection.  If I use AnyConnect ver 2.0 on the client I can ping the inside interface only, but can't ping or connect to any network hosts. The client connects to the ASA5510 OK but has no host access on the LAN. Below is the config.  I know I don't have any no nat.  I tried everything with no luck so I removed all no nats.
ASA Version 8.0(3) 
!
hostname ASA5510
domain-name MIS
enable password cZ7kSRF9ydySxNhK encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 72.80.80.2 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/1
 nameif DMZ
 security-level 10
 ip address 10.6.6.1 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.146.9 255.255.255.0 
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 192.168.146.251
 name-server 192.168.146.212
 domain-name MIS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 1 extended permit tcp any host 172.16.100.13 eq 3101 
access-list 1 extended permit tcp any host 72.80.80.4 eq h323 
access-list 1 remark Verizon bridge to Polycom
access-list 1 extended permit udp any host 72.80.80.4 eq 1718 
access-list 1 remark Verizon bridge to Polycom
access-list 1 extended permit udp any host 72.80.80.4 eq 1719 
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm errors
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
ip local pool VPNPool 10.7.7.1-10.7.7.62 mask 255.255.255.192
ip local pool Temp 10.8.8.1-10.8.8.255 mask 255.255.255.0
ip local pool WhsePool1 10.7.7.193 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) 72.80.80.4 192.168.146.16 netmask 255.255.255.255 
access-group 1 in interface Outside
route Outside 0.0.0.0 0.0.0.0 72.80.80.1 1
route Inside 172.16.0.0 255.255.0.0 192.168.146.8 1
timeout xlate 8:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 7:00:00 absolute
 webvpn
  url-list value List1
aaa-server MISDomain protocol radius
 reactivation-mode timed
aaa-server MISDomain host 192.168.146.251
 key winradius
 radius-common-pw winradius
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.146.9 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn 72.80.80.2
 subject-name CN=72.80.80.2,OU=MIS,O=Mentholatum,C=US,St=New York,L=Orchard Park,EA=administrator@mentholatum.com
 keypair tmc.key
 no client-types
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 fqdn ASA5510
 subject-name CN=asa1.tmclink.com,OU=MIS,O=Mentholatum,C=US,St=NY,L=Orchard Park
 keypair LOCAL-CA-SERVER
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment self
 fqdn asa1.tmclink.com
 subject-name CN=asa1.tmclink.com,OU=MIS,O=Mentholatum,C=US,St=NY,L=Orchard Park
 keypair LOCAL-CA-SERVER
 no client-types
 crl configure
crypto ca server 
 smtp from-address administrator@mentholatum.com
crypto isakmp identity address 
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
ntp server 129.6.15.28 source Outside
ssl trust-point ASDM_TrustPoint2 Outside
webvpn
 enable Outside
 svc image disk0:/anyconnect-win-2.2.0128-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy Brokers internal
group-policy Brokers attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value Broker_List
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy MISVPN internal
group-policy MISVPN attributes
 vpn-simultaneous-logins 10
 vpn-idle-timeout 30
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelall
 address-pools value VPNPool
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default webvpn
group-policy CognosVPN internal
group-policy CognosVPN attributes
 wins-server value 192.168.146.251
 dns-server value 192.168.146.251
 vpn-access-hours none
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol webvpn
 default-domain value mis
 vlan none
 address-pools value VPNPool
 webvpn
  url-list value List1
  filter none
  svc keep-installer installed
  svc rekey time none
  svc rekey method none
  svc ask none default webvpn
group-policy WhsePolicy internal
group-policy WhsePolicy attributes
 vpn-access-hours none
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol svc 
 split-tunnel-policy tunnelall
 vlan none
 nac-settings none
 address-pools value WhsePool1
 webvpn
  svc rekey time none
  svc rekey method ssl
  svc ask none default webvpn
username XXXXXXX password yIGXsMc3fOxBFUxP5KlozA== nt-encrypted
username XXXXXXX attributes
 vpn-group-policy MISVPN
 vpn-tunnel-protocol svc 
 group-lock value MIS_SSL_Profile
 service-type remote-access
 webvpn
  svc ask none default svc
tunnel-group DefaultRAGroup general-attributes
 default-group-policy MISVPN
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group MISDomain
 default-group-policy WhsePolicy
tunnel-group MIS_SSL_Profile type remote-access
tunnel-group MIS_SSL_Profile general-attributes
 address-pool WhsePool1
 authentication-server-group MISDomain
 authentication-server-group (Inside) MISDomain
 default-group-policy WhsePolicy
 password-management
tunnel-group MIS_SSL_Profile webvpn-attributes
 group-alias MIS disable
 group-alias Warehouse enable
tunnel-group MIS_SSL_Profile ppp-attributes
 authentication ms-chap-v2
tunnel-group CognosGroup type remote-access
tunnel-group CognosGroup general-attributes
 address-pool VPNPool
 authentication-server-group MISDomain
 default-group-policy CognosVPN
 password-management
tunnel-group CognosGroup webvpn-attributes
 radius-reject-message
 proxy-auth sdi
 group-alias Cognos enable
tunnel-group CognosGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group Brokers type remote-access
tunnel-group Brokers general-attributes
 authentication-server-group (Outside) LOCAL
 default-group-policy Brokers
 password-management
tunnel-group Brokers webvpn-attributes
 authentication certificate
 radius-reject-message
 proxy-auth sdi
 group-alias brokers disable
 group-url https://72.80.80.2/brokers enable
tunnel-group Test type remote-access
tunnel-group Test general-attributes
 address-pool WhsePool1
 authentication-server-group MISDomain
 default-group-policy WhsePolicy
tunnel-group Test webvpn-attributes
 group-alias vpn enable
 group-url https://72.80.80.2/vpn enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
smtp-server 192.168.146.250
prompt hostname context 
Cryptochecksum:aaa5318a144c03f10f61a7ae369ef87e
: end
asdm image disk0:/asdm-603.bin
asdm location 69.95.230.98 255.255.255.255 Inside
asdm location 172.16.0.0 255.255.0.0 Inside
asdm location 10.7.7.0 255.255.255.192 Inside
asdm location 10.7.7.200 255.255.255.255 Inside
asdm location 10.7.7.192 255.255.255.248 Inside
asdm location 192.168.146.2 255.255.255.255 Inside
no asdm history enable

Question by:majic45
2 Comments
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 24828132
First and foremost, you need to scrub your configuration of specifically identifiable information prior to publishing it to EE; especially password values, external IP addresses and references to your company's name.

Reviewing configuration now.  Will respond in a few minutes.
0
 
LVL 15

Accepted Solution

by: WalkaboutTigger earned 1500 total points
ID: 24828240
Login via AnyConnect and then execute the following command on the ASA:

show vpn-sessiondb svc

and post the results.

It appears you may just be a bit off in your configuration - review http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml#step7

Is this happening for all of your configured groups or just the MIS group?
0
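The symptom in the question (AnyConnect client can reach the inside interface but no LAN hosts) is the classic result of a missing NAT exemption on a pre-8.3 ASA: with `nat (Inside) 1 0.0.0.0 0.0.0.0` and `global (Outside) 1 interface`, replies from inside hosts toward the VPN pool are translated to the outside interface address unless an identity rule (`nat (Inside) 0 access-list ...`) covers the pool, which is exactly the "no nat" the poster says was removed. The following checker is an added example written for this page, not code from the thread or from Cisco. It parses ASA 8.0-style config lines and reports every address pool assigned to a group policy that is subject to dynamic NAT on an interface without an exemption ACL covering the whole pool. The sample configs are constructed from the relevant lines of the posted config; the ACL name `NONAT` and the partially covering ACL are hypothetical.

```python
"""Added example: flag AnyConnect/IPsec address pools that lack a NAT exemption
in a pre-8.3 ASA config. Not from the Experts Exchange thread or from Cisco."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the lines from the posted config that matter for this check.
SAMPLE_CONFIG = """\
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.146.9 255.255.255.0
ip local pool VPNPool 10.7.7.1-10.7.7.62 mask 255.255.255.192
ip local pool WhsePool1 10.7.7.193 mask 255.255.255.248
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
group-policy MISVPN attributes
 address-pools value VPNPool
group-policy WhsePolicy attributes
 address-pools value WhsePool1
"""

# Same config plus a hypothetical exemption (ACL name NONAT is an assumption) that
# covers both pools: inside LAN -> 10.7.7.0/24 must not be translated.
FIXED_CONFIG = SAMPLE_CONFIG + """\
access-list NONAT extended permit ip 192.168.146.0 255.255.255.0 10.7.7.0 255.255.255.0
nat (Inside) 0 access-list NONAT
"""

# Edge case: an exemption that only covers the first pool (10.7.7.0/26 = .0-.63).
PARTIAL_CONFIG = SAMPLE_CONFIG + """\
access-list NONAT extended permit ip 192.168.146.0 255.255.255.0 10.7.7.0 255.255.255.192
nat (Inside) 0 access-list NONAT
"""

POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)(?:-([\d.]+))? mask ([\d.]+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.*)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.*)$")
ADDRPOOL_RE = re.compile(r"^\s*address-pools value (.+)$")


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one ACL address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2


def _parse(config_text: str):
    pools = {}            # pool name -> (first address, last address)
    used_pools = set()    # pools referenced by a group-policy
    exempt_acl = {}       # interface -> ACL named in "nat (if) 0 access-list X"
    dynamic_ifaces = set()  # interfaces with a non-zero nat id (dynamic NAT/PAT)
    acls: Dict[str, List[ipaddress.IPv4Network]] = {}  # ACL -> destination nets
    for line in config_text.splitlines():
        if m := POOL_RE.match(line):
            name, start, end, _mask = m.groups()
            pools[name] = (ipaddress.ip_address(start), ipaddress.ip_address(end or start))
        elif m := NAT_RE.match(line):
            iface, nat_id, rest = m.groups()
            if nat_id == "0" and rest.startswith("access-list "):
                exempt_acl[iface] = rest.split()[1]
            elif nat_id != "0":
                dynamic_ifaces.add(iface)
        elif m := ACL_RE.match(line):
            name, rest = m.groups()
            tokens = rest.split()
            _src, i = _parse_addr(tokens, 0)
            dst, _ = _parse_addr(tokens, i)
            acls.setdefault(name, []).append(dst)
        elif m := ADDRPOOL_RE.match(line):
            used_pools.update(m.group(1).split())
    return pools, used_pools, exempt_acl, dynamic_ifaces, acls


def _covered(start, end, networks) -> bool:
    """True only if every address in start..end lies inside one of the ACL destinations."""
    return all(any(block.subnet_of(net) for net in networks)
               for block in ipaddress.summarize_address_range(start, end))


def find_unexempted_pools(config_text: str) -> Dict[str, List[str]]:
    """Map pool name -> interfaces where dynamic NAT applies and no exemption covers it."""
    pools, used, exempt_acl, dyn_ifaces, acls = _parse(config_text)
    findings: Dict[str, List[str]] = {}
    for name in sorted(used):
        if name not in pools:
            continue
        start, end = pools[name]
        for iface in sorted(dyn_ifaces):
            nets = acls.get(exempt_acl.get(iface, ""), [])
            if not _covered(start, end, nets):
                findings.setdefault(name, []).append(iface)
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("partial", PARTIAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, find_unexempted_pools(cfg) or "all pools exempt")
```

Run against the posted lines the checker reports both VPNPool and WhsePool1 as translated on Inside; with the partial ACL only WhsePool1 remains flagged, and with the full `10.7.7.0/24` exemption nothing is. Pair it with the `show vpn-sessiondb svc` output the answer asks for: the session's assigned address tells you which pool, and therefore which exemption, is the one in play.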

Question has a verified solution.
