Solved

problems with AnyConnect in ASA 5510 Ver. 8.4(2)

Posted on 2011-09-26
Last Modified: 2012-08-13
Hello Techs,

I'm new to the Cisco ASA stuff, but I'm trying to set up AnyConnect with an ASA 5510. The problem is that I can't get out to the internet or access any server.
First of all, I can connect to the VPN with a user created in the ASA and I got an IP from the ASA (10.10.25.0/24), which is good too. My problem is that the default gateway showing for the VPN is 10.0.0.1 (I'm not sure why), and when I tried to ping my servers, which are in the subnet 10.10.12.0, I get time outs.
I'm not sure if something is missing in my config, please advise.
Thanks,

asa01# show run
: Saved
:
ASA Version 8.4(2)
!
hostname asa01
domain-name mycompany.com
enable password 7xElFFjIAHUx9Pr encrypted
passwd 2KFQnDDD.dI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif OutSide
 security-level 0
 ip address 6X.XXX.XX.140 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.12.253 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.10.20.253 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
banner motd           ** WARNING **
banner motd Unauthorized access prohibited. all access is
banner motd monitored, and trespassers shall be prosecuted
banner motd to the fullest extent of the law. 
ftp mode passive
dns server-group DefaultDNS
 domain-name mycompany.com
object network TC_10.10.12.0
 subnet 10.10.12.0 255.255.255.0
object network VPN_10.10.25.0
 subnet 10.10.25.0 255.255.255.0
object network ANY-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended deny ip any any log
access-list splittunnel standard permit 10.10.12.0 255.255.255.0
pager lines 24
mtu OutSide 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpnpool 10.10.25.1-10.10.25.50
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,OutSide) source static TC_10.10.12.0 TC_10.10.12.0 destination static VPN_10.10.25.0 VPN_10.10.25.0
!
object network ANY-0.0.0.0
 nat (inside,OutSide) dynamic interface
access-group outside-in in interface OutSide
route OutSide 0.0.0.0 0.0.0.0 6X.XXX.XX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http redirect OutSide 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint localtrust
 enrollment self
 fqdn webvpn.mycompany.com
 subject-name CN=webvpn.mycompany.com
 keypair webvpn
 crl configure
crypto ca certificate chain localtrust
 certificate 123d7c4e
    30820217 30820180 a0030201 02020412 3d7c4e30 0d06092a 864886f7 0d010105
    05003050 31233021 06035504 03131a77 65627670 6e2e7468 65746963 6b657463
    6c696e69 632e636f 6d312930 2706092a 864886f7 0d010902 161a7765 6276706e
    2e746865 7469636b 6574636c 696e6963 2e636f6d 301e170d 31313039 32333039
    35313038 5a170d32 31303932 30303935 3130385a 30503123 30210603 55040313
    1a776562 76706e2e 74686574 69636b65 74636c69 6e69632e 636f6d31 29302706
    d71ea3b8 1d49c87b b23e0db7 4bd6ac4b c728d399 99904978 a0795e02 04997d4d
    c3686a5a 9ddf0f20 5f9b2da3 1b8f010c 489b867f 991bd31c f520e6
  quit
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 OutSide
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust OutSide
webvpn
 enable OutSide
 anyconnect image disk0:/anyconnect-dart-win-2.5.3051-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy AnyConnect-Policy internal
group-policy AnyConnect-Policy attributes
 dns-server value 10.10.12.11 10.10.12.2
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  anyconnect keep-installer installed
  anyconnect ask enable default anyconnect timeout 20
username asa01 password 4FuE2Xuw1DD9F60 encrypted
username ssluser1 password 1ZUfK6gDDTDib encrypted
username ssluser1 attributes
 service-type remote-access
tunnel-group TCVPNUsers type remote-access
tunnel-group TCVPNUsers general-attributes
 address-pool vpnpool
 default-group-policy AnyConnect-Policy
tunnel-group TCVPNUsers webvpn-attributes
 group-alias sslgroup_users enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:74f260f4a91b5209dd6636b1edcfb9fb
: end

Question by: juanchisv

4 Comments
Accepted Solution by: jmeggers (LVL 18, earned 500 total points)
So first, for internet access, you need to NAT traffic coming in from the outside in the VPN to "hairpin" back out the outside interface.  For that you need:

same-security-traffic permit intra-interface

object network VPN_10.10.25.0
 nat (OutSide,OutSide) dynamic interface

Regarding access to the inside devices, what are those devices using as their default gateway?  What I'm getting at is -- do they know where the VPN address pool is located?  You've done the "no NAT" command to keep traffic from the inside to the VPN subnet from being NATed, so that's good, that is required.  Looking for what else might be the cause.
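A small check for the settings the accepted answer asks for, added here as an example and not part of the thread or of any Cisco tool: it parses a constructed excerpt of the asker's running config (the object, interface and pool names are the ones on the page) and reports which of the intra-interface permit, the OutSide-to-OutSide hairpin NAT, the identity NAT between the inside subnet and the VPN pool, and the pool netmask are missing. Everything else (the function names, the excerpt itself) is an assumption of this example.

```python
# Constructed excerpt of the asker's running config (only the lines relevant
# to the VPN pool); object and interface names are the ones on the page.
ASA_CONFIG = """\
object network VPN_10.10.25.0
 subnet 10.10.25.0 255.255.255.0
ip local pool vpnpool 10.10.25.1-10.10.25.50
nat (inside,OutSide) source static TC_10.10.12.0 TC_10.10.12.0 destination static VPN_10.10.25.0 VPN_10.10.25.0
object network ANY-0.0.0.0
 nat (inside,OutSide) dynamic interface
"""
# The two settings the accepted answer adds, as they would be pasted in.
HAIRPIN_FIX = """\
same-security-traffic permit intra-interface
object network VPN_10.10.25.0
 nat (OutSide,OutSide) dynamic interface
"""


def parse_objects(config):
    """Map each 'object network NAME' block to its indented sub-commands."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
            objects.setdefault(current, [])  # a re-declared object is extended
        elif line.startswith(" ") and current is not None:
            objects[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return objects


def check_vpn_hairpin(config, pool_obj="VPN_10.10.25.0", outside="OutSide",
                      inside_obj="TC_10.10.12.0"):
    """Return the settings discussed in the thread that the config lacks."""
    lines = config.splitlines()
    objects = parse_objects(config)
    findings = []
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing: same-security-traffic permit intra-interface")
    hairpin = f"nat ({outside},{outside}) dynamic interface"
    if hairpin not in objects.get(pool_obj, []):
        findings.append(f"missing: '{hairpin}' under object network {pool_obj}")
    # Identity (no-NAT) rule so inside<->VPN traffic keeps its real addresses.
    exempt = (f"nat (inside,{outside}) source static {inside_obj} {inside_obj} "
              f"destination static {pool_obj} {pool_obj}")
    if not any(line.startswith(exempt) for line in lines):
        findings.append("missing: identity NAT between inside subnet and VPN pool")
    for line in lines:  # the asker's later netmask change is the fourth item
        if line.startswith("ip local pool ") and " netmask " not in line:
            findings.append(f"pool has no netmask: {line}")
    return findings
```

Running `check_vpn_hairpin(ASA_CONFIG)` lists the intra-interface permit, the hairpin NAT and the missing netmask; appending HAIRPIN_FIX and adding the netmask clears all findings.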

Author Comment by: juanchisv
Hello jmeggers,

Thanks for your quick response.
Internet is working but really slow (I'm using my DNS servers, should I use the ISP DNS instead?).

I currently have 3 devices in the datacenter: router 10.10.12.254, ASA 10.10.12.253 and switch 10.10.12.250. Originally everything is using the router to get to the internet and I'm using the router for all ACLs, which I'd like to change to the ASA. From the ASA I can ping the router, no issue at all. I'm assuming now with those changes my new default gateway should be 10.10.12.253, which is the ASA, am I right? Where do I need to configure the default gateway for VPN connections?

Thanks again,


Author Comment by: juanchisv
Hello jmeggers,

Just an update, I made a change in the ASA:
"ip local pool vpnpool 10.10.25.1-10.10.25.50" and I changed it to "ip local pool vpnpool 10.10.25.1-10.10.25.50 netmask 255.255.255.0".
With that change I'm now getting Default Gateway: 10.10.25.2,
but still cannot access any of my servers remotely.

Thanks,

  IPv4 Address. . . . . . . . . . . : 10.10.25.1(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 10.10.25.2
  DHCPv6 IAID . . . . . . . . . . . : 1107297690
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-8E-13-47-60-EB-6

  DNS Servers . . . . . . . . . . . : 10.10.12.11
                                      10.10.12.2

Expert Comment by: jmeggers (LVL 18)
Hi, sorry for the delay.  Not sure if this is still an issue for you, or whether you figured something out.  What do the hosts on the inside LAN use as their default gateway, and if that gateway is not the ASA (it's another router or switch) does that router or switch know where the 10.10.25.0 network is located?  If it doesn't know that the ASA is where it should send traffic destined for that address block, then it will send the traffic to its default route, which may or may not be correct.
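The routing point raised above, as an added example that is not part of the thread: a longest-prefix-match walk over constructed routing tables for the asker's topology (router 10.10.12.254 as the servers' gateway, ASA at 10.10.12.253, VPN pool 10.10.25.0/24). The node names, the "isp-next-hop" and "vpn-tunnel" labels, and the assumption that the router has only a default route are constructs of this example; the "fixed" table adds the static route for 10.10.25.0/24 via the ASA that the expert is describing.

```python
import ipaddress

# Constructed routing tables (not captured from any device). A next hop that
# is not another modelled node ("connected", "vpn-tunnel", "isp-next-hop")
# means the packet leaves the part of the network we model.
SERVER = {"10.10.12.0/24": "connected", "0.0.0.0/0": "10.10.12.254"}
ASA = {"10.10.12.0/24": "connected", "10.10.25.0/24": "vpn-tunnel",
       "0.0.0.0/0": "isp-next-hop"}
ROUTER_NO_VPN_ROUTE = {"10.10.12.0/24": "connected", "0.0.0.0/0": "isp-next-hop"}
# The static route the expert asks about: send the VPN pool to the ASA.
ROUTER_WITH_VPN_ROUTE = {**ROUTER_NO_VPN_ROUTE, "10.10.25.0/24": "10.10.12.253"}

HOPS_BROKEN = {"server": SERVER, "10.10.12.254": ROUTER_NO_VPN_ROUTE,
               "10.10.12.253": ASA}
HOPS_FIXED = {**HOPS_BROKEN, "10.10.12.254": ROUTER_WITH_VPN_ROUTE}


def lookup(table, dst):
    """Longest-prefix match over one routing table; None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in table
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return table[str(max(matches, key=lambda n: n.prefixlen))]


def trace(dst, hops, start, max_hops=8):
    """Follow next hops from `start` until the packet leaves the modelled nodes."""
    path, node = [start], start
    for _ in range(max_hops):
        nxt = lookup(hops[node], dst)
        path.append(nxt)
        if nxt not in hops:
            return path
        node = nxt
    return path  # would be a routing loop; stop after max_hops
```

The VPN client's ping reaches a server directly from the ASA, but the server's reply follows its default route to the router, which without the static route forwards it towards the ISP; with the route it goes back to the ASA and into the tunnel.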
