mmercaldi
Cisco ASA SSL VPN not able to reach my network
I currently have a Cisco router and a Cisco ASA. The ASA is used for SSL VPN only, nothing more. I only have 1 static IP to work with, and so far I have configured the ASA so I can log in from the outside using the SSL VPN; however, after I log in I cannot access anything on the remote network I am trying to connect to. Attached is my config, please let me know if I am missing something.
Thanks
ciscoasa# sh run
: Saved
:
ASA Version 8.2(3)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 50
!
interface Ethernet0/1
switchport access vlan 50
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan50
nameif inside
security-level 100
ip address 50.0.0.100 255.255.255.0
!
ftp mode passive
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 70.0.0.0 255.255.255.0
access-list split-tunnel standard permit 50.0.0.0 255.255.255.0
pager lines 24
mtu inside 1500
ip local pool WebVPNPool 70.0.0.50-70.0.0.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 50.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy WebVPNPolicy internal
group-policy WebVPNPolicy attributes
dns-server value 50.0.0.1 4.2.2.2
vpn-tunnel-protocol svc
group-lock value WebVPNAccessProfile
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
address-pools value WebVPNPool
webvpn
svc ask none default svc
hidden-shares none
file-entry disable
file-browsing disable
url-entry disable
username aaaaa attributes
service-type remote-access
tunnel-group WebVPNAccessProfile type remote-access
tunnel-group WebVPNAccessProfile general-attributes
default-group-policy WebVPNPolicy
tunnel-group WebVPNAccessProfile webvpn-attributes
group-alias WebVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:73bed0bc5d7f5219a105ea5d7034be00
: end
ciscoasa#
ASKER
What is the best way to do this? Again, do not forget this is VPN only; there isn't really any NATting going on on this ASA.
Well, you still need an outside and an inside interface. How else do you want to connect to your internal network?
Here is an example of an ASA with webvpn (also have a look at how the interfaces are set up):
ASA Version 7.2(1)
hostname ciscoasa
domain-name cisco.com
enable password 9jNfZuG3TC5tCVH0 encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.22.1.160 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.2.2.1 255.255.255.0
interface Ethernet0/2
nameif DMZ1
security-level 50
no ip address
interface Management0/0
description For Mgt only
shutdown
nameif Mgt
security-level 0
ip address 10.10.10.1 255.255.255.0
management-only
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu Mgt 1500
icmp permit any outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.2.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.22.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
!
!--- group policy configurations
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
webvpn
functions url-entry file-access file-entry file-browsing mapi port-forward filter
http-proxy auto-download citrix
username cisco password 53QNetqK.Kqqfshe encrypted
!
!--- asdm configurations
!
http server enable
http 10.2.2.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
!--- tunnel group configurations
!
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy GroupPolicy1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 10.2.2.2 master timeout 2 retry 2
!
telnet timeout 5
ssh 172.22.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
!
!--- webvpn configurations
!
webvpn
enable outside
url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
url-list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
url-list ServerList "FOCUS_SRV_2" http://10.2.2.4 3
!
prompt hostname context
!
end
For the complete story, go to: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
Wait a sec.
I've been thinking (I sometimes do ;).
You have one public ip? So your router holds that ip and the ASA is behind it (and behind nat)?
ASKER
when I do that I get this message
ciscoasa(config)# int e0/3
ciscoasa(config-if)# nameif outside
ERROR: This command can only be configured on VLAN interfaces
Full walkthrough: http://www.petenetlive.com/KB/Article/0000069.htm
ASKER
erniebeek: Yes, I only have 1 static IP; the client is too cheap to buy a second one for whatever reason.
My mistake, the 5505 works with VLANs, something like this:
ASA Version 7.2(2)
!
hostname yourASA
domain-name yourdomain.com
enable password yourpassword
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 111.111.111.111 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd yourpassword
ftp mode passive
dns server-group DefaultDNS
domain-name yourdomain.com
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 111.111.111.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
ASKER
Right, but my router is controlling all VLANs, so I could get a VLAN mismatch, and if I have two VLAN 50s wouldn't that cause a bunch of errors?
ASKER
PeteLong:
I attempted to do this however again I do not have an outside interface
So, how is your router set up?
Perhaps it's an idea to change the router so it bridges, that way the ASA gets the public ip and you would be able to set up everything from there.
ASKER CERTIFIED SOLUTION
ASKER
thanks, I will be able to try this tonight
ASKER
Here is what I have now, and I am still getting the same issue:
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 50
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan50
nameif outside
security-level 0
ip address 50.0.0.200 255.255.255.0
!
ftp mode passive
access-list outsideACL extended permit icmp any any
access-list outsideACL extended permit ip any any
access-list http-list2 extended permit ip any any
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
ip local pool SSLClientPool 70.0.0.10-70.0.0.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outsideACL in interface outside
route outside 0.0.0.0 0.0.0.0 50.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 50.0.0.1 4.2.2.2
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
address-pools value SSLClientPool
username mercxi password o0zmZzwk0jklo95r encrypted
username mercxi attributes
service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNCLIENT enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3ba021f51e11b7e3d2bb3267f071035f
: end
SOLUTION
I agree with erniebeek on this one. These two commands should be added to your config.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
I also agree that your network will need a route propagated through it directing traffic destined for your vpn pool address range back to your ASA.
If those two tidbits don't help any, maybe you can get us a little more info on the error you get when you attempt to connect to a device after connecting to your vpn. Debug log info from the ASA might be helpful too.
ASKER
thanks ernie and alex, I will be able to try this tonight after the client office move
Good luck. If you need any more assistance, let us know.
I'll be logged on again later this evening and through the weekend too so if you need more assistance over the weekend, post up and I'll see what I can do.
ASKER
I added the 2 lines. I can ping the ASA, which is 50.0.0.200, but I cannot ping anything else on the network. Am I doing something else wrong? Below is my router config.
mercrouter#sh run
Building configuration...
Current configuration : 6444 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname mercrouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login MYVPN local
aaa authorization network myvpnnetwork local
!
!
aaa session-id common
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1180740580
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1180740580
revocation-check none
rsakeypair TP-self-signed-1180740580
!
!
crypto pki certificate chain TP-self-signed-1180740580
certificate self-signed 01
quit
ip source-route
!
!
!
ip dhcp pool mypool
network 50.0.0.0 255.255.255.0
default-router 50.0.0.1
dns-server 50.0.0.1 4.2.2.2
!
ip dhcp pool tvpool
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1 4.2.2.2
!
ip dhcp pool vlan80pool
network 80.0.0.0 255.255.255.0
default-router 80.0.0.1
dns-server 80.0.0.1 4.2.2.2
!
!
ip cef
ip name-server 4.2.2.1
!
no ipv6 cef
!
!
multilink bundle-name authenticated
license boot module c880-data level advipservices
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group XXXXXXXX
key merc84
dns 50.0.0.1
domain xxxxxxxxxxx
pool myvpnpool
acl myvpnacl
netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto dynamic-map DYN_MAP 1
set transform-set myset
!
!
crypto map mymap client authentication list MYVPN
crypto map mymap isakmp authorization list myvpnnetwork
crypto map mymap client configuration address respond
crypto map mymap 65535 ipsec-isakmp dynamic DYN_MAP
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
switchport access vlan 50
switchport trunk allowed vlan 1,2,10,50,80,1002-1005
switchport mode trunk
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 50
!
interface FastEthernet3
switchport access vlan 80
!
interface FastEthernet4
ip address xxx
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 51.0.0.1 255.255.255.0
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport access vlan 50
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan50
ip address 50.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan80
ip address 80.0.0.1 255.255.255.0
ip access-group 112 in
ip nat inside
ip virtual-reassembly
!
ip local pool myvpnpool 65.0.0.10 65.0.0.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
ip http server
ip http authentication local
no ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 50.0.0.200 1000 interface FastEthernet4 1000
ip nat inside source static tcp 50.0.0.200 443 interface FastEthernet4 443
ip nat inside source route-map ISP1 interface FastEthernet4 overload
!
ip access-list extended aclblock1
deny ip 50.0.0.0 0.0.0.255 80.0.0.0 0.0.0.255
deny ip 80.0.0.0 0.0.0.255 50.0.0.0 0.0.0.255
permit ip any any
ip access-list extended myvpnacl
permit ip 50.0.0.0 0.0.0.255 65.0.0.0 0.0.0.255
!
access-list 101 deny ip 80.0.0.0 0.0.0.255 65.0.0.0 0.0.0.255
access-list 101 deny ip 10.10.10.0 0.0.0.255 65.0.0.0 0.0.0.255
access-list 101 deny ip 50.0.0.0 0.0.0.255 65.0.0.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 50.0.0.0 0.0.0.255 any
access-list 101 permit ip 80.0.0.0 0.0.0.255 any
access-list 110 permit ip 80.0.0.0 0.0.0.255 host 50.0.0.1
access-list 110 deny ip 80.0.0.0 0.0.0.255 50.0.0.0 0.0.0.255
access-list 110 permit ip any any
access-list 111 deny ip 50.0.0.0 0.0.0.255 80.0.0.0 0.0.0.255
access-list 111 permit ip any any
access-list 112 deny ip 80.0.0.0 0.0.0.255 50.0.0.0 0.0.0.255
access-list 112 permit ip any any
!
!
!
!
route-map ISP1 permit 10
match ip address 101
match interface FastEthernet4
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
!
scheduler max-task-time 5000
end
ASKER
it finally worked
I had to add the 2 lines
global (outside) 10 interface
nat (outside) 10 70.0.0.0 255.255.255.0
ASKER
For anyone's knowledge, below is the working config:
ASA Version 8.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 50
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan50
nameif outside
security-level 0
ip address 50.0.0.200 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outsideACL extended permit icmp any any
access-list outsideACL extended permit ip any any
access-list http-list2 extended permit ip any any
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
ip local pool SSLClientPool 70.0.0.10-70.0.0.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (outside) 10 70.0.0.0 255.255.255.0
access-group outsideACL in interface outside
route outside 0.0.0.0 0.0.0.0 50.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 50.0.0.1 4.2.2.2
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
address-pools value SSLClientPool
username mercxi password o0zmZzwk0jklo95r encrypted
username mercxi attributes
service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNCLIENT enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ac438d718f03c06d7b590baa7c0fbe52
: end
ciscoasa#
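As an added check (my code, not from the thread, Cisco, or any poster here): a small Python linter that reads ASA 8.2-style config text and reports whether the pieces the asker ended up needing for this single-interface ("hairpin") AnyConnect setup are present, and flags the inbound `permit ip any any` the posted outside ACL carries. The embedded sample is a trimmed excerpt of the working config above; the function names and the `without()` helper that rebuilds the earlier, non-working state are mine.

```python
"""Check a single-interface ("hairpin") ASA 8.2 AnyConnect config like the one in this thread.
Indentation is ignored (configs pasted into forums lose it); wide-open inbound ACLs are flagged.
"""
import re

# Trimmed excerpt of the working config the asker posted (ASA 8.2(3) syntax).
WORKING_CONFIG = """\
interface Vlan50
nameif outside
ip address 50.0.0.200 255.255.255.0
same-security-traffic permit intra-interface
access-list outsideACL extended permit icmp any any
access-list outsideACL extended permit ip any any
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0
ip local pool SSLClientPool 70.0.0.10-70.0.0.20 mask 255.255.255.0
global (outside) 10 interface
nat (outside) 10 70.0.0.0 255.255.255.0
access-group outsideACL in interface outside
webvpn
enable outside
svc enable
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
address-pools value SSLClientPool
"""


def _lines(cfg):
    """Non-empty, non-comment lines with indentation stripped."""
    return [l.strip() for l in cfg.splitlines() if l.strip() and not l.strip().startswith("!")]


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def pool_network(first_ip, mask):
    """Network address the 'nat (iface) id <net> <mask>' line must name to cover the pool."""
    return int_to_ip(ip_to_int(first_ip) & ip_to_int(mask))


def without(cfg, *prefixes):
    """cfg with every line starting with one of the prefixes dropped (rebuilds the 'before' state)."""
    return "\n".join(l for l in cfg.splitlines() if not l.strip().startswith(prefixes)) + "\n"


def audit_hairpin_sslvpn(cfg):
    lines = _lines(cfg)
    missing, risks = [], []

    nameifs = {l.split()[1] for l in lines if l.startswith("nameif ")}
    # 'enable <nameif>' under webvpn; 'enable password ...' never matches a nameif.
    vpn_ifaces = {l.split()[1] for l in lines if l.startswith("enable ") and l.split()[1] in nameifs}
    if not vpn_ifaces:
        missing.append("webvpn not enabled on any named interface")

    pools = {}
    for l in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)$", l)
        if m:
            pools[m.group(1)] = (m.group(2), m.group(4))
    used_pools = [l.split()[-1] for l in lines if l.startswith("address-pools value ")]
    if not used_pools or any(p not in pools for p in used_pools):
        missing.append("group-policy address-pools does not reference a defined ip local pool")

    acl_names = {l.split()[1] for l in lines if l.startswith("access-list ")}
    for l in lines:
        if l.startswith("split-tunnel-network-list value ") and l.split()[-1] not in acl_names:
            missing.append(f"split-tunnel-network-list names missing ACL {l.split()[-1]}")

    # VPN traffic enters and leaves the same interface, so hairpinning must be allowed.
    if "same-security-traffic permit intra-interface" not in lines:
        missing.append("same-security-traffic permit intra-interface")

    # Translating the pool to the interface address makes LAN hosts reply to the ASA;
    # without it the LAN needs a route for the pool pointing at the ASA.
    globals_ = {m.groups() for m in map(re.compile(r"global \((\S+)\) (\d+) interface$").match, lines) if m}
    nats = [m.groups() for m in map(re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)$").match, lines) if m]
    for name in used_pools:
        if name in pools:
            first, mask = pools[name]
            net = pool_network(first, mask)
            if not any(i in vpn_ifaces and (i, nid) in globals_ and n == net and mk == mask
                       for i, nid, n, mk in nats):
                missing.append(f"no nat/global pair translating pool {name} ({net}) on the VPN interface")

    # An inbound 'permit ip any any' on the VPN-facing interface is far wider than the VPN needs.
    for l in lines:
        if l.startswith("access-group "):
            acl, iface = l.split()[1], l.split()[-1]
            if f"access-list {acl} extended permit ip any any" in lines:
                risks.append(f"ACL {acl} on {iface} permits ip any any inbound")

    return {"vpn_interfaces": sorted(vpn_ifaces), "missing": missing, "risks": risks}
```

Running `audit_hairpin_sslvpn(without(WORKING_CONFIG, "same-security-traffic", "global (", "nat ("))` reproduces the asker's earlier state and reports both the missing hairpin permit and the missing pool translation.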
Good job! Glad you got it working. And also great you posted the complete solution here. And last but not least: thx for the points.
Sweet. Glad we were able to help.
AND
I don't see an inside network... (the real inside private network).