juanchisv
asked on
problems with AnyConnect in ASA 5510 Ver. 8.4(2)
Hello Techs,
I'm new to the Cisco ASA stuff, but I'm trying to set up AnyConnect with an ASA 5510. The problem is that I can't get out to the internet or access any server.
First of all, I can connect to the VPN with a user created in the ASA and I get an IP from the ASA (10.10.25.0/24), which is good too. My problem is that the default gateway showing for the VPN is 10.0.0.1 (I'm not sure why), and when I try to ping my servers, which are in the subnet 10.10.12.0, I get time outs.
I'm not sure if something is missing in my config; please advise.
Thanks,
asa01# show run
: Saved
:
ASA Version 8.4(2)
!
hostname asa01
domain-name mycompany.com
enable password 7xElFFjIAHUx9Pr encrypted
passwd 2KFQnDDD.dI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif OutSide
security-level 0
ip address 6X.XXX.XX.140 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.12.253 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.10.20.253 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
banner motd ** WARNING **
banner motd Unauthorized access prohibited. all access is
banner motd monitored, and trespassers shall be prosecuted
banner motd to the fullest extent of the law.
ftp mode passive
dns server-group DefaultDNS
domain-name mycompany.com
object network TC_10.10.12.0
subnet 10.10.12.0 255.255.255.0
object network VPN_10.10.25.0
subnet 10.10.25.0 255.255.255.0
object network ANY-0.0.0.0
subnet 0.0.0.0 0.0.0.0
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended deny ip any any log
access-list splittunnel standard permit 10.10.12.0 255.255.255.0
pager lines 24
mtu OutSide 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpnpool 10.10.25.1-10.10.25.50
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,OutSide) source static TC_10.10.12.0 TC_10.10.12.0 destination static VPN_10.10.25.0 VPN_10.10.25.0
!
object network ANY-0.0.0.0
nat (inside,OutSide) dynamic interface
access-group outside-in in interface OutSide
route OutSide 0.0.0.0 0.0.0.0 6X.XXX.XX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http redirect OutSide 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint localtrust
enrollment self
fqdn webvpn.mycompany.com
subject-name CN=webvpn.mycompany.com
keypair webvpn
crl configure
crypto ca certificate chain localtrust
certificate 123d7c4e
quit
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 OutSide
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust OutSide
webvpn
enable OutSide
anyconnect image disk0:/anyconnect-dart-win-2.5.3051-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy AnyConnect-Policy internal
group-policy AnyConnect-Policy attributes
dns-server value 10.10.12.11 10.10.12.2
vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
anyconnect keep-installer installed
anyconnect ask enable default anyconnect timeout 20
username asa01 password 4FuE2Xuw1DD9F60 encrypted
username ssluser1 password 1ZUfK6gDDTDib encrypted
username ssluser1 attributes
service-type remote-access
tunnel-group TCVPNUsers type remote-access
tunnel-group TCVPNUsers general-attributes
address-pool vpnpool
default-group-policy AnyConnect-Policy
tunnel-group TCVPNUsers webvpn-attributes
group-alias sslgroup_users enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:74f260f4a91b5209dd6636b1edcfb9fb
: end
ASKER
hello jmeggers,
Just an update: I made a change in the ASA.
"ip local pool vpnpool 10.10.25.1-10.10.25.50" was changed to "ip local pool vpnpool 10.10.25.1-10.10.25.50 netmask 255.255.255.0".
With that change I'm now getting default gateway 10.10.25.2,
but I still cannot access any of my servers remotely.
Thanks,
IPv4 Address. . . . . . . . . . . : 10.10.25.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.25.2
DHCPv6 IAID . . . . . . . . . . . : 1107297690
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-8E-13-47-60-EB-6
DNS Servers . . . . . . . . . . . : 10.10.12.11
10.10.12.2
Hi, sorry for the delay. Not sure if this is still an issue for you, or whether you figured something out. What do the hosts on the inside LAN use as their default gateway, and if that gateway is not the ASA (it's another router or switch) does that router or switch know where the 10.10.25.0 network is located? If it doesn't know that the ASA is where it should send traffic destined for that address block, then it will send the traffic to its default route, which may or may not be correct.
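To make the return-path point above concrete, here is an added example (not code from the thread or from Cisco) that simulates longest-prefix-match forwarding on the LAN's existing router for an echo-reply sent back to a VPN client. The addresses are taken from the thread; the router's ISP next hop is a constructed placeholder.

```python
# Added example (not from the original thread): a small longest-prefix-match
# simulator that reproduces the return-path problem described in the answer.
# All addresses come from the thread; the router's default-route next hop
# (the ISP side) is a constructed placeholder value.
import ipaddress

ASA_INSIDE = "10.10.12.253"     # ASA inside interface (from the thread)
ROUTER_INSIDE = "10.10.12.254"  # the LAN's existing default gateway (from the thread)
VPN_POOL = "10.10.25.0/24"      # AnyConnect address pool (from the thread)


def next_hop(routing_table, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routing_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def reply_reaches_asa(router_table, vpn_client, server_gateway=ROUTER_INSIDE):
    """An inside server sends its echo-reply to its own default gateway.
    The reply only re-enters the tunnel if that gateway hands it to the ASA."""
    if server_gateway == ASA_INSIDE:
        return True  # the ASA itself is the gateway and owns the tunnel
    return next_hop(router_table, vpn_client) == ASA_INSIDE


# Router as the thread describes it: connected LAN plus a default route to the ISP.
ROUTER_WITHOUT_VPN_ROUTE = [
    ("10.10.12.0/24", "connected"),
    ("0.0.0.0/0", "ISP_NEXT_HOP_PLACEHOLDER"),  # constructed placeholder
]
# Same router after adding a static route for the VPN pool via the ASA inside address.
ROUTER_WITH_VPN_ROUTE = ROUTER_WITHOUT_VPN_ROUTE + [(VPN_POOL, ASA_INSIDE)]

if __name__ == "__main__":
    client = "10.10.25.1"  # address the AnyConnect client received (from the thread)
    print("without route:", reply_reaches_asa(ROUTER_WITHOUT_VPN_ROUTE, client))
    print("with route:   ", reply_reaches_asa(ROUTER_WITH_VPN_ROUTE, client))
    print("ASA as gateway:", reply_reaches_asa(ROUTER_WITHOUT_VPN_ROUTE, client, ASA_INSIDE))
```

Without the static route, the router matches only its default route and the reply leaves toward the ISP, which is exactly the timeout the client sees; adding the route (or making the ASA the servers' gateway) closes the path.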
ASKER
Thanks for your quick response.
Internet is working but really slow (I'm using my DNS servers; should I use the ISP DNS instead?).
I currently have 3 devices in the datacenter: router 10.10.12.254, ASA 10.10.12.253 and switch 10.10.12.250. Originally everything is using the router to get to the internet, and I'm using the router for all ACLs, which I'd like to change to the ASA. From the ASA I can ping the router with no issue at all. I'm assuming now that with those changes my new default gateway should be 10.10.12.253, which is the ASA; am I right? Where do I need to configure the default gateway for VPN connections?
Thanks again,