problems with AnyConnect in ASA 5510 Ver. 8.4(2)

Posted on 2011-09-26
Medium Priority
Last Modified: 2012-08-13
Hello Techs,

I'm new to the Cisco ASA stuff, but I'm trying to set up AnyConnect with an ASA 5510. The problem is that I can't get out to the internet or access any server.
First of all, I can connect to the VPN with a user created in the ASA and I got an IP from the ASA ( which is good too). My problem is that the default gateway showing for the VPN is (I'm not sure why), and when I try to ping my servers, which are in the subnet, I get timeouts.
I'm not sure if something is missing in my config; please advise.

asa01# show run
: Saved
ASA Version 8.4(2)
hostname asa01
domain-name mycompany.com
enable password 7xElFFjIAHUx9Pr encrypted
passwd 2KFQnDDD.dI.2KYOU encrypted
interface Ethernet0/0
 nameif OutSide
 security-level 0
 ip address 6X.XXX.XX.140
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
banner motd           ** WARNING **
banner motd Unauthorized access prohibited. all access is
banner motd monitored, and trespassers shall be prosecuted
banner motd to the fullest extent of the law. 
ftp mode passive
dns server-group DefaultDNS
 domain-name mycompany.com
object network TC_10.10.12.0
object network VPN_10.10.25.0
object network ANY-
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended deny ip any any log
access-list splittunnel standard permit
pager lines 24
mtu OutSide 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpnpool
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,OutSide) source static TC_10.10.12.0 TC_10.10.12.0 destination static VPN_10.10.25.0 VPN_10.10.25.0
object network ANY-
 nat (inside,OutSide) dynamic interface
access-group outside-in in interface OutSide
route OutSide 6X.XXX.XX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http redirect OutSide 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint localtrust
 enrollment self
 fqdn webvpn.mycompany.com
 subject-name CN=webvpn.mycompany.com
 keypair webvpn
 crl configure
crypto ca certificate chain localtrust
 certificate 123d7c4e
telnet timeout 5
ssh OutSide
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust OutSide
webvpn
 enable OutSide
 anyconnect image disk0:/anyconnect-dart-win-2.5.3051-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy AnyConnect-Policy internal
group-policy AnyConnect-Policy attributes
 dns-server value
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  anyconnect keep-installer installed
  anyconnect ask enable default anyconnect timeout 20
username asa01 password 4FuE2Xuw1DD9F60 encrypted
username ssluser1 password 1ZUfK6gDDTDib encrypted
username ssluser1 attributes
 service-type remote-access
tunnel-group TCVPNUsers type remote-access
tunnel-group TCVPNUsers general-attributes
 address-pool vpnpool
 default-group-policy AnyConnect-Policy
tunnel-group TCVPNUsers webvpn-attributes
 group-alias sslgroup_users enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end


Question by:juanchisv

Accepted Solution

jmeggers earned 2000 total points
ID: 36599365
So first, for internet access, you need to NAT traffic coming in from the outside in the VPN to "hairpin" back out the outside interface.  For that you need:

same-security-traffic permit intra-interface

object network VPN_10.10.25.0
 nat (OutSide,OutSide) dynamic interface

Regarding access to the inside devices, what are those devices using as their default gateway?  What I'm getting at is -- do they know where the VPN address pool is located?  You've done the "no NAT" command to keep traffic from the inside to the VPN subnet from being NATed, so that's good, that is required.  Looking for what else might be the cause.

Author Comment

ID: 36599933
Hello jmeggers,

Thanks for your quick response.
Internet is working but really slow (I'm using my DNS servers; should I use the ISP DNS instead?).

I currently have 3 devices in the datacenter: router, ASA and switch. Originally everything is using the router to get to the internet, and I'm using the router for all ACLs, which I'd like to move to the ASA. From the ASA I can ping the router with no issue at all. I'm assuming now, with those changes, my new default gateway should be which is the ASA, am I right? Where do I need to configure the default gateway for VPN connections?

Thanks again,


Author Comment

ID: 36602587
Hello jmeggers,

Just an update: I made a change in the ASA:
"ip local pool vpnpool" and I changed it to "ip local pool vpnpool netmask".
With that change I'm now getting Default Gateway: 1010.25.2.
But I still cannot access any of my servers remotely.


  IPv4 Address. . . . . . . . . . . :
  Subnet Mask . . . . . . . . . . . :
  Default Gateway . . . . . . . . . :
  DHCPv6 IAID . . . . . . . . . . . : 1107297690
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-8E-13-47-60-EB-6

  DNS Servers . . . . . . . . . . . :



Expert Comment

ID: 36914003
Hi, sorry for the delay.  Not sure if this is still an issue for you, or whether you figured something out.  What do the hosts on the inside LAN use as their default gateway, and if that gateway is not the ASA (it's another router or switch) does that router or switch know where the network is located?  If it doesn't know that the ASA is where it should send traffic destined for that address block, then it will send the traffic to its default route, which may or may not be correct.
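An added checker, not from the thread or from Cisco, that parses an ASA running-config laid out like the one pasted above and flags the three points this thread turns on: the address pool defined without a mask (the asker's later fix) and, for a full-tunnel AnyConnect policy, the missing "same-security-traffic permit intra-interface" and hairpin NAT from the accepted answer. The config excerpt and the 10.10.25.x pool range are constructed; it assumes ASA's "mask" keyword for what the asker called netmask, and treats "split-tunnel-policy tunnelspecified" as the only thing that would make hairpinning unnecessary.

```python
import re

# Constructed: the question's config excerpt (addresses elided there too) and the thread's fixes.
QUESTION_CONFIG = """\
object network VPN_10.10.25.0
ip local pool vpnpool
webvpn
 enable OutSide
 anyconnect enable
group-policy AnyConnect-Policy attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
"""
FIX_LINES = """\
ip local pool vpnpool 10.10.25.10-10.10.25.100 mask 255.255.255.0
same-security-traffic permit intra-interface
object network VPN_10.10.25.0
 nat (OutSide,OutSide) dynamic interface
"""
HAIRPIN = re.compile(r"nat \((\S+),\1\) dynamic interface")  # same interface in and out

def parse_blocks(config):
    """Group indented sub-commands under their top-level command (ASA indents children)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line.strip():
            current = line.strip()
            blocks.setdefault(current, [])  # a repeated object merges its sub-commands
    return blocks

def check_anyconnect(config):
    """Return findings matching the thread's symptoms; an empty list means none."""
    blocks, findings = parse_blocks(config), []
    # 1. A pool without a mask hands the client a wrong subnet and default gateway.
    for top in blocks:
        if top.startswith("ip local pool") and " mask " not in top:
            findings.append(f"pool without mask: {top}")
    # 2. AnyConnect with no split tunnel: all client traffic arrives on OutSide and must hairpin.
    full_tunnel = "anyconnect enable" in blocks.get("webvpn", [])
    split = any(s.startswith("split-tunnel-policy tunnelspecified")
                for top, subs in blocks.items() if top.startswith("group-policy") for s in subs)
    if full_tunnel and not split:
        if "same-security-traffic permit intra-interface" not in blocks:
            findings.append("full tunnel but no 'same-security-traffic permit intra-interface'")
        if not any(HAIRPIN.match(s) for top, subs in blocks.items()
                   if top.startswith("object network") for s in subs):
            findings.append("full tunnel but no 'nat (X,X) dynamic interface' on the pool object")
    return findings
```

Running check_anyconnect on QUESTION_CONFIG lists all three findings; on the same text with the bare pool line replaced by FIX_LINES it returns an empty list.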
