Solved

No network access with VPN Anyconnect on ASA5510

Posted on 2009-07-10
Last Modified: 2012-05-07
I have a working ASA5510 if I only use SSL clientless VPN. Users are OK when using a browser-based connection. If I use AnyConnect ver 2.0 on the client I can ping the inside interface only, but can't ping or connect to any network hosts. The client connects to the ASA5510 OK but has no host access on the LAN. Below is the code. I know I don't have any no-NATs. I tried everything with no luck, so I removed all the no-NATs.
ASA Version 8.0(3)
!
hostname ASA5510
domain-name MIS
enable password cZ7kSRF9ydySxNhK encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 72.80.80.2 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1
 nameif DMZ
 security-level 10
 ip address 10.6.6.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.146.9 255.255.255.0
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 192.168.146.251
 name-server 192.168.146.212
 domain-name MIS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 1 extended permit tcp any host 172.16.100.13 eq 3101
access-list 1 extended permit tcp any host 72.80.80.4 eq h323
access-list 1 remark Verizon bridge to Polycom
access-list 1 extended permit udp any host 72.80.80.4 eq 1718
access-list 1 remark Verizon bridge to Polycom
access-list 1 extended permit udp any host 72.80.80.4 eq 1719
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm errors
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
ip local pool VPNPool 10.7.7.1-10.7.7.62 mask 255.255.255.192
ip local pool Temp 10.8.8.1-10.8.8.255 mask 255.255.255.0
ip local pool WhsePool1 10.7.7.193 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) 72.80.80.4 192.168.146.16 netmask 255.255.255.255
access-group 1 in interface Outside
route Outside 0.0.0.0 0.0.0.0 72.80.80.1 1
route Inside 172.16.0.0 255.255.0.0 192.168.146.8 1
timeout xlate 8:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 7:00:00 absolute
 webvpn
  url-list value List1
aaa-server MISDomain protocol radius
 reactivation-mode timed
aaa-server MISDomain host 192.168.146.251
 key winradius
 radius-common-pw winradius
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.146.9 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn 72.80.80.2
 subject-name CN=72.80.80.2,OU=MIS,O=Mentholatum,C=US,St=New York,L=Orchard Park,EA=administrator@mentholatum.com
 keypair tmc.key
 no client-types
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 fqdn ASA5510
 subject-name CN=asa1.tmclink.com,OU=MIS,O=Mentholatum,C=US,St=NY,L=Orchard Park
 keypair LOCAL-CA-SERVER
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment self
 fqdn asa1.tmclink.com
 subject-name CN=asa1.tmclink.com,OU=MIS,O=Mentholatum,C=US,St=NY,L=Orchard Park
 keypair LOCAL-CA-SERVER
 no client-types
 crl configure
crypto ca server
 smtp from-address administrator@mentholatum.com
crypto isakmp identity address
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
ntp server 129.6.15.28 source Outside
ssl trust-point ASDM_TrustPoint2 Outside
webvpn
 enable Outside
 svc image disk0:/anyconnect-win-2.2.0128-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy Brokers internal
group-policy Brokers attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value Broker_List
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy MISVPN internal
group-policy MISVPN attributes
 vpn-simultaneous-logins 10
 vpn-idle-timeout 30
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelall
 address-pools value VPNPool
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default webvpn
group-policy CognosVPN internal
group-policy CognosVPN attributes
 wins-server value 192.168.146.251
 dns-server value 192.168.146.251
 vpn-access-hours none
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol webvpn
 default-domain value mis
 vlan none
 address-pools value VPNPool
 webvpn
  url-list value List1
  filter none
  svc keep-installer installed
  svc rekey time none
  svc rekey method none
  svc ask none default webvpn
group-policy WhsePolicy internal
group-policy WhsePolicy attributes
 vpn-access-hours none
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 vlan none
 nac-settings none
 address-pools value WhsePool1
 webvpn
  svc rekey time none
  svc rekey method ssl
  svc ask none default webvpn
username XXXXXXX password yIGXsMc3fOxBFUxP5KlozA== nt-encrypted
username XXXXXXX attributes
 vpn-group-policy MISVPN
 vpn-tunnel-protocol svc
 group-lock value MIS_SSL_Profile
 service-type remote-access
 webvpn
  svc ask none default svc
tunnel-group DefaultRAGroup general-attributes
 default-group-policy MISVPN
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group MISDomain
 default-group-policy WhsePolicy
tunnel-group MIS_SSL_Profile type remote-access
tunnel-group MIS_SSL_Profile general-attributes
 address-pool WhsePool1
 authentication-server-group MISDomain
 authentication-server-group (Inside) MISDomain
 default-group-policy WhsePolicy
 password-management
tunnel-group MIS_SSL_Profile webvpn-attributes
 group-alias MIS disable
 group-alias Warehouse enable
tunnel-group MIS_SSL_Profile ppp-attributes
 authentication ms-chap-v2
tunnel-group CognosGroup type remote-access
tunnel-group CognosGroup general-attributes
 address-pool VPNPool
 authentication-server-group MISDomain
 default-group-policy CognosVPN
 password-management
tunnel-group CognosGroup webvpn-attributes
 radius-reject-message
 proxy-auth sdi
 group-alias Cognos enable
tunnel-group CognosGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group Brokers type remote-access
tunnel-group Brokers general-attributes
 authentication-server-group (Outside) LOCAL
 default-group-policy Brokers
 password-management
tunnel-group Brokers webvpn-attributes
 authentication certificate
 radius-reject-message
 proxy-auth sdi
 group-alias brokers disable
 group-url https://72.80.80.2/brokers enable
tunnel-group Test type remote-access
tunnel-group Test general-attributes
 address-pool WhsePool1
 authentication-server-group MISDomain
 default-group-policy WhsePolicy
tunnel-group Test webvpn-attributes
 group-alias vpn enable
 group-url https://72.80.80.2/vpn enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.146.250
prompt hostname context
Cryptochecksum:aaa5318a144c03f10f61a7ae369ef87e
: end
asdm image disk0:/asdm-603.bin
asdm location 69.95.230.98 255.255.255.255 Inside
asdm location 172.16.0.0 255.255.0.0 Inside
asdm location 10.7.7.0 255.255.255.192 Inside
asdm location 10.7.7.200 255.255.255.255 Inside
asdm location 10.7.7.192 255.255.255.248 Inside
asdm location 192.168.146.2 255.255.255.255 Inside
no asdm history enable

Question by:majic45
2 Comments
 
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 24828132
First and foremost, you need to scrub your configuration of specifically identifiable information prior to publishing it to EE; especially password values, external IP addresses and references to your company's name.

Reviewing configuration now.  Will respond in a few minutes.
 
LVL 15

Accepted Solution

by:
WalkaboutTigger earned 500 total points
ID: 24828240
Login via AnyConnect and then execute the following command on the ASA:

show vpn-sessiondb svc

and post the results.

It appears you may just be a bit off in your configuration - review
 http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml#step7

Is this happening for all of your configured groups or just the MIS group?
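As an added worked example (not part of the question or the accepted answer): the posted config has `nat (Inside) 1 0.0.0.0 0.0.0.0` with PAT to the Outside interface and no NAT exemption, so a LAN host's reply to an AnyConnect pool address (10.7.7.0/26 for VPNPool, 10.7.7.192/29 for WhsePool1) is translated on its way back toward the tunnel and never reaches the client, which matches "can reach the ASA itself but nothing behind it". The fragment below is in ASA 8.0(3) syntax and shows the diagnostic the expert asked for, a trace of the return path, and the exemption scoped to the LAN subnets and the two pools rather than `any`. The ACL name `NONAT` is an assumption; the subnets are taken from the posted config.

```cisco
! Added example, not from the original post. ASA 8.0(3) syntax.
! 1. Confirm the client holds a pool address and that bytes are actually
!    entering and leaving the tunnel (Bytes Tx / Bytes Rx).
show vpn-sessiondb svc

! 2. Trace the return path of a LAN host's echo reply to a VPN client.
!    With the posted config this hits "nat (Inside) 1" and is PATed to
!    72.80.80.2, so the packet is not the one the client is waiting for.
packet-tracer input Inside icmp 192.168.146.251 8 0 10.7.7.1 detailed

! 3. NAT exemption: LAN <-> VPN pools bypass "nat (Inside) 1".
!    ACL name NONAT is an assumption; subnets are the ones in the config.
access-list NONAT extended permit ip 192.168.146.0 255.255.255.0 10.7.7.0 255.255.255.192
access-list NONAT extended permit ip 192.168.146.0 255.255.255.0 10.7.7.192 255.255.255.248
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 10.7.7.0 255.255.255.192
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 10.7.7.192 255.255.255.248
nat (Inside) 0 access-list NONAT

! 4. Re-run the trace: the NAT phase should now report the exemption
!    (identity translation) instead of the interface PAT.
packet-tracer input Inside icmp 192.168.146.251 8 0 10.7.7.1
show xlate | include 10.7.7
```

Two caveats when applying this. First, `route Inside 172.16.0.0 255.255.0.0 192.168.146.8` suggests an internal router at 192.168.146.8; if LAN hosts use that router rather than the ASA as their default gateway, it also needs a route for 10.7.7.0/24 pointing at 192.168.146.9, or replies will be dropped there (an assumption about the LAN, not something the post confirms). Second, `sysopt connection permit-vpn` is on by default on this release, so decrypted AnyConnect traffic bypasses the `access-group 1` ACL on Outside; once connectivity works, `vpn-filter` on the group policy (currently `none` on WhsePolicy) is the place to limit what VPN users may reach.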
