mmercaldi (asker) asked:
asa ssl and ipsec vpns not able to ping my internet network

In my network I have an ASA in front of a router.

ASA internal: 172.16.2.1
Router external: 172.16.2.3
Router internal: 50.0.0.1

Right now I can VPN in but I cannot reach anything in the 50.0.0.0/24 network.

Is there anything I am missing in my config?
ciscoasa# sh run
: Saved
:
ASA Version 8.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 mac-address 0024.141e.0454
 nameif outside
 security-level 0
 
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.1.0 255.255.255.0
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.200.0 255.255.255.0
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool SSLVPN 50.0.1.100-50.0.1.120 mask 255.255.255.0
ip local pool ipsecpool 50.0.200.20-50.0.200.40
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route inside 10.10.10.0 255.255.255.0 172.16.2.2 1
route inside 50.0.0.0 255.255.255.0 172.16.2.2 1
route inside 50.0.1.0 255.255.255.0 50.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ts2 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dmap 10 set transform-set ts2
crypto map imap 10 ipsec-isakmp dynamic dmap
crypto map imap interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.testdomain.com
 subject-name CN=sslvpn.testdomain.com
 keypair sslvpnkey
 crl configure
crypto ca certificate chain localtrust
 certificate 9dbea54d
    30820203 3082016c a0030201 0202049d bea54d30 0d06092a 864886f7 0d010105
    05003046 311e301c 06035504 03131573 736c7670 6e2e6d65 7263646f 6d61696e
    2e636f6d 31243022 06092a86 4886f70d 01090216 1573736c 76706e2e 6d657263
    646f6d61 696e2e63 6f6d301e 170d3131 30343136 31323534 34305a17 0d323130
    34313331 32353434 305a3046 311e301c 06035504 03131573 736c7670 6e2e6d65
    7263646f 6d61696e 2e636f6d 31243022 06092a86 4886f70d 01090216 1573736c
    76706e2e 6d657263 646f6d61 696e2e63 6f6d3081 9f300d06 092a8648 86f70d01
    01010500 03818d00 30818902 81810097 6c015cc8 bfc77e00 d1abd13c df20ad7e
    fe98a191 c74fdedd 4b599580 bde953e7 47d78772 a5dcfbd9 e2edb782 d3cb363f
    e1c0f9ea 71eeab04 ba60da98 ee226c18 206267b9 271bac67 6ee15ee9 c5a22611
    ae81db28 1a6d887f d88722b5 8937d1cc 96731cb4 b28a6550 561c5974 563fbe93
    62754c34 22ef538d 6d1ff6a3 ea5e4102 03010001 300d0609 2a864886 f70d0101
    05050003 81810068 0487cfcc 9a1efb0d 53000bcb 4e84db11 e01bbfaf 8b4e535f
    c6bca0d5 4190924b 1d33628f 21ca4ffa f5e13291 f34f0ce4 a56bb0ed dc7b8b9f
    7e29d8ff 8ab2527e c978e950 5b1f9895 5aa18f32 e0a32018 6f07caf5 02a79b5e
    0d543fa9 ac231e14 93da7d51 d5d02080 ac9f73c8 64ce97c5 4464cd24 c123bb61
    f9c0034d 0a7fec
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 172.16.2.2-172.16.2.3 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.5.2019-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy SSL_GROUP_POLICY internal
group-policy SSL_GROUP_POLICY attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 address-pools value SSLVPN
username aaaaaaaaaa
username mercxi attributes
 service-type remote-access
tunnel-group SSLCLIENTPROFILE type remote-access
tunnel-group SSLCLIENTPROFILE general-attributes
 default-group-policy SSL_GROUP_POLICY
tunnel-group SSLCLIENTPROFILE webvpn-attributes
 group-alias SSLVPNClient enable
tunnel-group mercgroup type remote-access
tunnel-group mercgroup general-attributes
 address-pool ipsecpool
tunnel-group mercgroup ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:53194f28681c8aca0a63e79dec6dcbd0
: end

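The NAT and routing fix for the topology described above, added here as a worked example; it is not from the original post or from any reply in the thread. On ASA 8.2 `nat (inside) 1 access-list NONAT` is policy NAT with the same id as `global (outside) 1 interface`, so replies from 50.0.0.0/24 to the VPN pools are PAT'd to the outside address instead of being exempted; NAT exemption has to use id 0. The static route `route inside 50.0.1.0 255.255.255.0 50.0.0.1 1` sends the SSL pool back toward the inside even though the ASA installs a host route per connected client by itself, and the internal router needs return routes for both pools that point at the ASA. Assumptions: the router's 172.16.2.x address is 172.16.2.2 as in the existing routes (the post text says 172.16.2.3, and 172.16.2.2-172.16.2.3 is also the ASA's DHCP range, so confirm which one the router really has), the router hostname `rtr1` is invented, and `crypto isakmp nat-traversal` is included because the closing post of the thread reports it was missing. The show and packet-tracer commands at the end are the checks to run before and after the change.

```cisco
! --- ASA 8.2 ---
! NAT id 1 is PAT to the outside address; exemption for inside -> pool traffic needs id 0
no nat (inside) 1 access-list NONAT
access-list NONAT extended permit ip 172.16.2.0 255.255.255.0 50.0.1.0 255.255.255.0
access-list NONAT extended permit ip 172.16.2.0 255.255.255.0 50.0.200.0 255.255.255.0
nat (inside) 0 access-list NONAT
! "nat (inside) 1 0.0.0.0 0.0.0.0" stays for real Internet-bound traffic
!
! Pool subnets are reached over the tunnel; do not route them back toward the inside
no route inside 50.0.1.0 255.255.255.0 50.0.0.1 1
! 50.0.0.0/24 lives behind the router (next hop assumed 172.16.2.2, see lead-in)
route inside 50.0.0.0 255.255.255.0 172.16.2.2 1
!
! Let clients from both pools reach the ASA's own inside subnet as well
access-list Split_Tunnel_List standard permit 172.16.2.0 255.255.255.0
group-policy mercgroup internal
group-policy mercgroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
!
! UDP/4500 encapsulation for IPsec clients behind a home router (keepalive every 20 s)
crypto isakmp nat-traversal 20

! --- Checks on the ASA, with one client connected from each pool ---
! Expect a /32 entry for each connected client pointing out the outside interface,
! and no remaining 50.0.1.0/24 static route via inside
show route
! Expect the NAT phase to cite "nat (inside) 0 access-list NONAT" and the result ALLOW
packet-tracer input inside icmp 50.0.0.1 8 0 50.0.200.21
packet-tracer input inside icmp 50.0.0.1 8 0 50.0.1.100
! The detail output lists the UDP ports of the IKE session; 4500 on both ends means NAT-T is in use
show vpn-sessiondb detail remote

! --- Internal router (IOS, invented hostname rtr1): return routes for both pools via the ASA ---
! rtr1(config)#
ip route 50.0.1.0 255.255.255.0 172.16.2.1
ip route 50.0.200.0 255.255.255.0 172.16.2.1
```

If the router also does NAT overload on its 172.16.2.x interface, exclude the two pool destinations from that translation as well, or the router will rewrite the return traffic before it reaches the ASA.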

c0s:

Can you run a debug and see what's going on?
mmercaldi (asker):

What should I debug? I ran debug webvpn, but that's not the problem, since the sessions are created fine. It's just that the 50.0.1.0 traffic is not being routed to the 50.0.0.0 traffic, I think, but I could be wrong.
c0s:

debug crypto ipsec and debug crypto isakmp
mmercaldi (asker):

Apparently I did not configure split tunneling for the IPsec part. I added the lines:
ciscoasa(config)# group-policy mercgroup internal
ciscoasa(config)# group-policy mercgroup attributes
ciscoasa(config-group-policy)#  split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)#  split-tunnel-network-list value Split_Tunnel_L$
but I am still unable to keep my connection to the ASA or the Internet when I VPN into the device with IPsec.
c0s:

Can you try to run a debug now? If you don't get anything, just increase the verbosity level.
mmercaldi (asker):

I am having some issues with the VPN client; is there anything I can do to test out the AnyConnect? Honestly the webvpn is what I care more about.
c0s:

Well, there can be many things that can be wrong; that's why the best approach is to run a debug on the switch... you can't really see a whole lot from the client side.
mmercaldi (asker):

I will be able to do testing later on tonight.

Unfortunately I have no way of testing this out, at least for another couple of days. I do know that there is an issue with webvpn, because I should be able to get to the sslvpn site even when I am on location, which I cannot do right now in the network. I have usually set these up on Cisco IOS routers and one standalone VPN device. I know there is definitely a route or an ACL missing somewhere; anyone have any clues?
c0s:

Try adding these attributes to your policy for webvpn:

 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter
   http-proxy auto-download citrix

mmercaldi (asker):

Tried adding it. I found out why I couldn't test it out successfully earlier: it turns out the network I have access to shared the same LAN as the other LAN on the remote end. I will try this tomorrow.

I also got the split tunneling working. I ran the debug as I am pinging 50.0.0.1 on the IPsec VPN, and I am not really seeing much that is telling me any issues.

Here is my log, which gives me no errors; as I said before, it's a route I am missing:


Apr 20 06:00:59 [IKEv1]: IP = 1, IKE_DECODE RECEIVED Message (msgid=7247e6d8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, processing hash payload
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, processing notify payload
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, Received keep-alive of type DPD R-U-THERE (seq number 0x40a0a7d)
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x40a0a7d)
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, constructing blank hash payload
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, constructing qm hash payload
Apr 20 06:00:59 [IKEv1]: IP = 1, IKE_DECODE SENDING Message (msgid=ac46f1c5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
c0s:

Can you go through this guide?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml

and then run a debug again with an increased verbosity level?
mmercaldi (asker):

I did. I also do not use the GUI; I used the CLI.

Debug showed nothing.

Also, debugging the VPN will not work; as I said before, it connects fine, which is what the debugs for both crypto and webvpn would troubleshoot. It's just not connecting to my local routes. Attached is my config:
ASA Version 8.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 mac-address 0024.141e.0454
 nameif outside
 security-level 0
 ip address 1111111111111111
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 172.16.50.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any interface outside eq telnet
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.1.0 255.255.255.0
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.200.0 255.255.255.0
access-list NONAT extended permit ip 172.16.50.0 255.255.255.0 50.0.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.16.50.0 255.255.255.0
access-list IPSEC_SPLIT_TUNNEL standard permit 50.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool SSLVPN 50.0.1.100-50.0.1.120 mask 255.255.255.0
ip local pool ipsecpool 50.0.200.20-50.0.200.40
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface telnet 50.0.0.1 telnet netmask 255.255.255.255
access-group 101 in interface outside
route inside 10.10.10.0 255.255.255.0 172.16.50.2 1
route inside 50.0.0.0 255.255.255.0 172.16.50.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ts2 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dmap 10 set transform-set ts2
crypto map imap 10 ipsec-isakmp dynamic dmap
crypto map imap interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn test
 subject-name CN=test
 keypair sslvpnkey
 crl configure
crypto ca certificate chain localtrust
 certificate 9dbea54d
    30820203 3082016c a0030201 0202049d bea54d30 0d06092a 864886f7 0d010105
    05003046 311e301c 06035504 03131573 736c7670 6e2e6d65 7263646f 6d61696e
    2e636f6d 31243022 06092a86 4886f70d 01090216 1573736c 76706e2e 6d657263
    646f6d61 696e2e63 6f6d301e 170d3131 30343136 31323534 34305a17 0d323130
    34313331 32353434 305a3046 311e301c 06035504 03131573 736c7670 6e2e6d65
    7263646f 6d61696e 2e636f6d 31243022 06092a86 4886f70d 01090216 1573736c
    76706e2e 6d657263 646f6d61 696e2e63 6f6d3081 9f300d06 092a8648 86f70d01
    01010500 03818d00 30818902 81810097 6c015cc8 bfc77e00 d1abd13c df20ad7e
    fe98a191 c74fdedd 4b599580 bde953e7 47d78772 a5dcfbd9 e2edb782 d3cb363f
    e1c0f9ea 71eeab04 ba60da98 ee226c18 206267b9 271bac67 6ee15ee9 c5a22611
    ae81db28 1a6d887f d88722b5 8937d1cc 96731cb4 b28a6550 561c5974 563fbe93
    62754c34 22ef538d 6d1ff6a3 ea5e4102 03010001 300d0609 2a864886 f70d0101
    05050003 81810068 0487cfcc 9a1efb0d 53000bcb 4e84db11 e01bbfaf 8b4e535f
    c6bca0d5 4190924b 1d33628f 21ca4ffa f5e13291 f34f0ce4 a56bb0ed dc7b8b9f
    7e29d8ff 8ab2527e c978e950 5b1f9895 5aa18f32 e0a32018 6f07caf5 02a79b5e
    0d543fa9 ac231e14 93da7d51 d5d02080 ac9f73c8 64ce97c5 4464cd24 c123bb61
    f9c0034d 0a7fec
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.5.2019-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy SSL_GROUP_POLICY internal
group-policy SSL_GROUP_POLICY attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 address-pools value SSLVPN
group-policy mercgroup internal
group-policy mercgroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IPSEC_SPLIT_TUNNEL
username mercxi password aaaaaaaaaaaaaaaaaaaaaaaaaaa
username mercxi attributes
 service-type remote-access
tunnel-group SSLCLIENTPROFILE type remote-access
tunnel-group SSLCLIENTPROFILE general-attributes
 default-group-policy SSL_GROUP_POLICY
tunnel-group SSLCLIENTPROFILE webvpn-attributes
 group-alias SSLVPNClient enable
tunnel-group mercgroup type remote-access
tunnel-group mercgroup general-attributes
 address-pool ipsecpool
 default-group-policy mercgroup
tunnel-group mercgroup ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d286be586b492d6535244f301d06df1b
: end

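A caveat on the second config, added here as an example and not taken from the thread. `access-list 101 extended permit tcp any interface outside eq telnet` together with `static (inside,outside) tcp interface telnet 50.0.0.1 telnet netmask 255.255.255.255` publishes the internal router's cleartext telnet port to every address on the Internet, `ssh 0.0.0.0 0.0.0.0 outside` does the same for ASA management, and isakmp policy 10 offers 3DES with MD5 first. Once the pools route correctly the router is reachable over the VPN, so the static PAT is not needed at all. The fragment below shows the weak lines removed and their replacements; the 203.0.113.0/24 admin prefix is a placeholder from the RFC 5737 documentation range, and the `ts-aes` transform-set name is made up.

```cisco
! Stop exposing the router's telnet port to the whole Internet; reach the router over the VPN instead
no static (inside,outside) tcp interface telnet 50.0.0.1 telnet netmask 255.255.255.255
no access-list 101 extended permit tcp any interface outside eq telnet
!
! Limit ASA management on the outside to the VPN pools and one known admin prefix, SSHv2 only
no ssh 0.0.0.0 0.0.0.0 outside
ssh 203.0.113.0 255.255.255.0 outside
ssh 50.0.1.0 255.255.255.0 outside
ssh 50.0.200.0 255.255.255.0 outside
ssh version 2
!
! Offer AES-256/SHA before the existing 3DES/MD5 policy; drop policy 10 once no client needs it
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ts-aes esp-aes-256 esp-sha-hmac
crypto dynamic-map dmap 10 set transform-set ts-aes ts2
!
! Checks: no static for tcp/23 should remain, and ssh should list only the sources above
show run static
show run access-list 101
show run ssh
```

Because the AnyConnect and IPsec clients terminate on the outside interface, the `ssh <pool> outside` lines are what allow management from a connected client; the inside subnet does not need to change.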

c0s:

Are you receiving an IP address?

Do you get the proper routes?

Can you run a traceroute? Where does it die?
mmercaldi (asker):

I do get the proper IP address, and when I ran a tracert it looks like no routes are put in.
c0s:

What's the output of netstat -nr?
mmercaldi (asker):

Network Destination        Netmask          Gateway       Interface  Metric
         50.0.0.0        255.0.0.0      50.0.200.21     50.0.200.21      10
         50.0.0.0    255.255.255.0      50.0.200.21     50.0.200.21       1
      50.0.200.21  255.255.255.255        127.0.0.1       127.0.0.1      10
   50.255.255.255  255.255.255.255      50.0.200.21     50.0.200.21      10
c0s:

I don't see 50.0.200.21 as a default gateway anywhere in your config.

I think you're getting the wrong IP; can you verify?
mmercaldi (asker):

50.0.200.21 is the IP I get when I VPN in using IPsec; using webvpn I would get a 50.0.1.x IP address.
c0s:

Yes, I understand; however, you need a gateway that points to your ASA. If your IP is 50.0.200.21 you can't have a default gateway for that network yourself, because you're just going into a loop.
mmercaldi (asker):

Hmm, interesting. So how should I put in my gateway for either IPsec or SSL?
c0s:

Do you get the same results using webvpn and the client VPN?
mmercaldi (asker):

Yes.
c0s:

You got the wrong subnet here:

ip local pool SSLVPN 50.0.1.100-50.0.1.120 mask 255.255.255.0

That's /24.

What does interface refer to in the following line? It should be an IP address:
global (outside) 1 interface

The NAT statement to define what to encrypt

example
nat (outside) 1 192.168.10.0 255.255.255.0

Which group policy are you using for the client VPN?

it should be configured like this:

group-policy clientgroup internal
group-policy clientgroup attributes
vpn-idle-timeout 20

split-tunnel-policy tunnelall

Then you need to configure the crypto maps for the IPsec.

also add this line in:

crypto map imap 10 ipsec-isakmp dynamic ts2

isakmp identity address
isakmp enable outside

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

also the tunnel group should have something like this:

tunnel-group name type ipsec-ra
tunnel-group name general-attributes
address-pool vpnpool

default-group-policy clientgroup
tunnel-group name ipsec-attributes
pre-shared-key *

Make sure the pre-shared key you put in here is also what you put in the client for the group authentication setting, I believe.


mmercaldi (asker):

How is my mask wrong? Also, that code is for ASA 7; I am on 8.2, sorry, I should have put that in there. All of those steps are for if I could not VPN in; I can VPN in, I just cannot communicate. Also, regarding my IP addresses, I changed them around in the code I posted here so people would not find out my IP address.
c0s:

You are missing stuff in your config... being able to connect doesn't mean that your config is correct.
mmercaldi (asker):

I'm not saying that it's correct, but I did put all of that stuff in; it is in my current config right now that I posted a few posts ago. But I do not understand why I need to change the netmask for my SSL DHCP pool.

Also, just so you know, mercgroup is for IPsec; the other one is for SSL.

I think I know the answer. I found some errors in my config, some errors in my NAT statements.
c0s:

Good stuff, let us know the results.
mmercaldi (asker):

No dice.

I read somewhere to add these lines:
nat (outside) 1 50.0.100.0 255.255.255.0
nat (outside) 1 50.0.200.0 255.255.255.0
and I also added a router eigrp statement on both the ASA and the Cisco router:
router eigrp 100
network 50.0.0.0
network 172.16.50.0

Still no luck.
c0s (accepted solution; available only to Experts Exchange members and not shown here):

mmercaldi (asker):

It worked, thanks a lot.

Basically it was the match address command; I thought I did not need that for VPN clients. Also, what's weird is that none of the examples on the net require it.

I was also missing the NAT traversal.