Solved

CISCO ASA 5505 AnyConnect VPN has no access to Internet

Posted on 2011-09-28
809 Views
Last Modified: 2012-05-12
Hi,

I'm trying to configure my CISCO ASA 5505 for AnyConnect and this works perfectly when I connect to devices on my internal network. But when I try to connect to external devices (like www.google.com) it doesn't connect. I tried everything but nothing helps.

Can anyone have a look at my configuration to see what I have done wrong?

Regards,

Kasper
ASA5505# show conf
: Saved
: Written by enable_15 at 22:20:58.657 CEDT Wed Sep 28 2011
!
ASA Version 8.4(1)
!
hostname ASA5505
domain-name any.local
enable password /wZSFa8JcaXHgzSh encrypted
passwd /wZSFa8JcaXHgzSh encrypted
names
!
interface Vlan1
 description Ethernet0/1-0/7
 nameif inside
 security-level 100
 ip address 172.30.10.254 255.255.255.0
!
interface Vlan2
 description Ethernet0/0
 nameif outside
 security-level 0
 ip address 178.xxx.x59.130 255.255.255.192
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.30.10.254
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name any.local
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 192.168.100.0
 subnet 192.168.100.0 255.255.255.0
 description 192.168.100.0/24
object network inside-network
 subnet 172.30.10.0 255.255.255.0
object network NETWORK_OBJ_172.30.10.128_26
 subnet 172.30.10.128 255.255.255.192
access-list GroupPolicy_AnyConnect standard permit 172.30.10.0 255.255.255.0
access-list Outside_access_in extended permit ip 172.30.10.0 255.255.255.0 172.30.10.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.30.10.0 255.255.255.0 172.30.10.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.30.10.0 255.255.255.0 178.xxx.x59.128 255.255.255.192
pager lines 24
logging enable
logging asdm informational
logging from-address any@mail.com
logging recipient-address any@mail.com level errors
mtu inside 1500
mtu outside 1500
ip local pool VPN 172.30.10.155-172.30.10.160 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static inside-network inside-network
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.30.10.128_26 NETWORK_OBJ_172.30.10.128_26
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 178.xxx.x59.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server session-timeout 5
http 172.30.10.0 255.255.255.0 inside
snmp-server location Office-DH
snmp-server contact any@mail.com
snmp-server community 8 m7bJKcbNsng+8WOCVqosnY+jbxGyWYOciA==
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ASA5505
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint any.url.com
 enrollment terminal
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 843e814e
    30820349 30820231 a0030201 02020484 3e814e30 0d06092a 864886f7 0d010105
    05003034 3110300e 06035504 03130741 53413535 30353120 301e0609 2a864886
    f70d0109 02161141 53413535 30352e64 77762e6c 6f63616c 301e170d 31313039
    32373138 33373030 5a170d32 31303932 34313833 3730305a 30343110 300e0603
    55040313 07415341 35353035 3120301e 06092a86 4886f70d 01090216 11415341
    35353035 2e647776 2e6c6f63 616c3082 0122300d 06092a86 4886f70d 01010105
    00038201 0f003082 010a0282 010100ae 6ec6a6e4 5f8f4e03 73fb39ca e338bae1
    c4d7c63a xxxxxxxxxx
quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.30.10.0 255.255.255.0 inside
telnet timeout 5
ssh 172.30.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside

dhcpd dns 8.8.8.8 8.8.4.4
dhcpd ping_timeout 1000
dhcpd domain any.local
!
dhcpd address 172.30.10.101-172.30.10.150 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd ping_timeout 1000 interface inside
dhcpd domain any.local interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 65.23.154.62 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy EasyVPN internal
group-policy EasyVPN attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value EasyVPN
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 172.30.10.254
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain none
 webvpn
  anyconnect profiles value AnyConnect_client_profile type user
username kdewaard password mhKFBtPhrZNtWTA6 encrypted
tunnel-group EasyVPN type remote-access
tunnel-group EasyVPN general-attributes
 default-group-policy EasyVPN
tunnel-group EasyVPN webvpn-attributes
 group-alias EasyVPN enable
 group-url https://178.xxx.x59.130/EasyVPN enable
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPN
 default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
hpm topN enable
Cryptochecksum:8e2152404870b7f7ac23e555a9b6cce0
ASA5505#

Question by:xiss
3 Comments
 
Expert Comment by jjmartineziii (LVL 12)
Try this command:

show run all | i same-security-traffic permit intra-interface


If you don't get anything back, try adding that command to your config and trying again. This allows traffic to be sent out the same interface it was received.
 
Accepted Solution by jmeggers (LVL 18), earned 500 total points
I suspect you also need a NAT command for traffic coming in on the outside interface.

object network inside-network
 nat (outside,outside) dynamic interface
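The two answers above call for two things: the hairpin permit (`same-security-traffic permit intra-interface`, which the posted config already has) and an outside-to-outside NAT that covers the AnyConnect address pool. The following lint check, added here as an example and not code from the thread or from Cisco, reads ASA 8.4 config text and reports whichever of the two is missing; the sample config is a constructed excerpt of the poster's config plus the line jmeggers suggested, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed excerpt of the question's ASA 8.4 config, with the
# nat (outside,outside) line from the accepted answer added.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
ip local pool VPN 172.30.10.155-172.30.10.160 mask 255.255.255.0
object network obj_any
 nat (inside,outside) dynamic interface
object network inside-network
 subnet 172.30.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
"""

# The same excerpt with both fixes stripped out, to show the findings.
WITHOUT_FIX = SAMPLE_CONFIG.replace(
    "same-security-traffic permit intra-interface\n", "").replace(
    " nat (outside,outside) dynamic interface\n", "")


def parse_pools(cfg):
    """Return {pool_name: (first_ip, last_ip)} for every 'ip local pool'."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools


def parse_object_nat(cfg):
    """Return [(object_name, subnet_or_None, (src_if, dst_if))] for object NAT."""
    rules, current, subnet = [], None, None
    for line in cfg.splitlines():
        if line.startswith("object network "):
            current, subnet = line.split()[2], None
        elif current and line.startswith(" subnet "):
            _, addr, mask = line.split()
            subnet = ipaddress.ip_network(f"{addr}/{mask}")
        elif current and (m := re.match(r" nat \((\w+),(\w+)\) dynamic interface", line)):
            rules.append((current, subnet, (m.group(1), m.group(2))))
    return rules


def check_hairpin(cfg):
    """Return findings; an empty list means both answers' requirements are met."""
    findings = []
    if not re.search(r"^same-security-traffic permit intra-interface$", cfg, re.M):
        findings.append("missing: same-security-traffic permit intra-interface")
    for name, (lo, hi) in parse_pools(cfg).items():
        covered = any(src == dst == "outside" and net is not None and lo in net and hi in net
                      for _, net, (src, dst) in parse_object_nat(cfg))
        if not covered:
            findings.append(f"pool {name}: no nat (outside,outside) dynamic interface covering {lo}-{hi}")
    return findings
```

The pool check mirrors how object NAT applies: the VPN pool must fall inside the subnet of the object that carries the `(outside,outside)` rule, which is why hanging it off `inside-network` (172.30.10.0/24) works for a pool at 172.30.10.155-160.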
 
Author Comment by xiss (LVL 1)
Thanks, this helped me a lot. The problem was indeed that I needed the NAT command. The final thing was that I specified the wrong DNS server in my VPN connection Profile. Everything works now!
