ASA5505 VPN not passing traffic?

So I have configured my ASA5505 to allow AnyConnect VPN connections. I can get users authenticated, but no traffic is passing via the VPN! The client machines can't ping or use DNS or even connect directly via IP. What did I do wrong?

Config pasted below:

Cryptochecksum: df0ff69e 1d3a30b9 b74c7ddd 0ce57ef7
: Saved
: Written by enable_15 at 09:55:51.983 EDT Fri Sep 7 2012
!
ASA Version 8.2(5)
!
hostname wdsipix
domain-name wdsi.com
enable password PpeDmUNk2pTf/51l encrypted
passwd hw8nzUD4wywn3O9o encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.0.4 255.0.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.40.143.238 255.255.255.240
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name viwinco.com
access-list outside extended permit tcp any host 69.40.143.226 eq smtp
access-list outside extended permit tcp any host 69.40.143.228 eq www
access-list outside extended permit tcp any host 69.40.143.228 eq https
access-list viwinco_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
pager lines 10
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool wdsipool 10.1.0.200-10.1.0.205 mask 255.0.0.0
ip local pool wdsi2 192.168.10.1-192.168.10.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0
static (inside,outside) 69.40.143.226 10.1.0.2 netmask 255.255.255.255
static (inside,outside) 69.40.143.228 10.1.0.38 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 69.40.143.225 1
route inside 192.168.1.0 255.255.255.0 10.1.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.1.0.36 source inside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 wins-server value 10.1.0.36
 dns-server value 10.1.0.36
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value wdsi.com
 address-pools value wdsipool
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 wins-server value 10.1.0.36
 dns-server value 10.1.0.36
 vpn-tunnel-protocol svc
 default-domain value wdsi.com
group-policy wdsi internal
group-policy wdsi attributes
 wins-server value 10.1.0.36
 dns-server value 10.1.0.36
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value wdsi_splitTunnelAcl
 default-domain value wdsi.com
 client-firewall none
username ldeluca password 6nE8ufe7KIxRA7ws encrypted privilege 0
username ldeluca attributes
 vpn-group-policy wdsi
 webvpn
  file-browsing enable
  file-entry enable
  hidden-shares visible
 vpn-group-policy wdsi
username Hadmin password QV0TauuHD0/mYF9T encrypted privilege 0
username Hadmin attributes
 vpn-group-policy wdsi
username mstoppie password KrNkB19DprSqp/A. encrypted
username mstoppie attributes
 vpn-group-policy wdsi
 webvpn
  url-list none
  sso-server none
tunnel-group wdsi type remote-access
tunnel-group wdsi general-attributes
 address-pool wdsipool
 authorization-server-group LOCAL
 default-group-policy wdsi
 dhcp-server 10.1.0.36
tunnel-group wdsi ipsec-attributes
 pre-shared-key V1wDsi0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
policy-map type inspect esmtp testesmtpmap
 parameters
  no mask-banner
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:df0ff69e1d3a30b9b74c7ddd0ce57ef7
: end
HHRSS2008 asked:

fgasimzade commented:
Add the following:

access-list outside extended permit ip 10.1.0.0 255.255.255.0 10.1.0.0 255.0.0.0

I would also suggest changing your VPN DHCP pool to anything other than the inside network. It can cause routing problems in the future.

John Meggers (Network Architect) commented:
Are your users getting an IP address assigned? In my ASA config, I have the address pool also listed under the group-policy, which you don't have.

group-policy WebVPN_Policy attributes
 vpn-tunnel-protocol svc
 address-pools value ssl_pool

Not saying that's clearly the solution, but it may be worth a try.

I'm also not sure, but it looks like you may be kind of "overlapping" your configs for IPSec and WebVPN. I only see one tunnel-group, and it refers to IPSec. I suggest you clearly differentiate your IPSec config from the WebVPN config, even going as far as to use separate address pools (makes troubleshooting easier).
HHRSS2008 (author) commented:
I will try these suggestions, guys. Many thanks so far!
fgasimzade commented:
Yeah, right, do you get an IP address?
HHRSS2008 (author) commented:
This appears to have done the trick!
HHRSS2008 (author) commented:
Yes, I was already getting IP addresses.

However, just for giggles, here is the new config (I started over from scratch).

Ignore the "outside" address; I am running this in a lab at the moment.


hostname ciscoasa
domain-name viwincoinc.local
enable password PpeDmUNk2pTf/51l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.0.4 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns server-group DefaultDNS
 domain-name viwincoinc.local
access-list inside_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.224
access-list outside extended permit ip 10.1.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list outside extended permit ip 172.16.0.0 255.255.255.0 172.16.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool tunnelpool 172.16.1.1-172.16.1.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.1.0.10 255.255.255.255 inside
http 0.0.0.0 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
group-policy tunnel internal
group-policy tunnel attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value viwincoinc.local
 split-tunnel-all-dns disable
 address-pools value tunnelpool
username wdsiadmin password FT3xgrO3PKZFQ6Da encrypted privilege 15
username user1 password PGnSGUEfrPQwrESm encrypted privilege 0
username user1 attributes
 vpn-group-policy tunnel
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group tunnel type remote-access
tunnel-group tunnel general-attributes
 address-pool tunnelpool
 default-group-policy tunnel
tunnel-group tunnel ipsec-attributes
 pre-shared-key WdsipresharedKey
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8b61a4509827e50c2c83581b3b4da425
: end
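As an added example (not part of the thread, and not Cisco or Experts Exchange code), here is a small static checker that turns the points raised above into tests you can run against an ASA 8.2 config before deploying it: fgasimzade's warning about a VPN pool carved out of the inside network, John Meggers' suggestion to list the pool under the group-policy, the requirement that the group-policy a tunnel-group lands on actually permits svc (AnyConnect), and the NAT exemption for the pool that the rebuilt config adds with inside_nat0_outbound. The two embedded config strings are excerpts of the "before" and "after" configs posted in this thread; the function names, the finding wording and the choice of which statements to parse are this example's own assumptions, and the parser only understands the handful of statement types the checks need.

```python
"""Static checks for the AnyConnect pitfalls discussed in this thread,
run over excerpts of the two ASA 8.2 configs posted above."""
import ipaddress
import re

# Excerpt of the original (non-working) config from the question.
CONFIG_BEFORE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.0.4 255.0.0.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.40.143.238 255.255.255.240
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
ip local pool wdsipool 10.1.0.200-10.1.0.205 mask 255.0.0.0
nat (inside) 0 access-list nonat
group-policy wdsi attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group wdsi general-attributes
 address-pool wdsipool
 default-group-policy wdsi
"""

# Excerpt of the rebuilt config the asker posted after the fix.
CONFIG_AFTER = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.0.4 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
access-list inside_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.224
ip local pool tunnelpool 172.16.1.1-172.16.1.25 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy tunnel attributes
 vpn-tunnel-protocol IPSec svc
 address-pools value tunnelpool
tunnel-group tunnel general-attributes
 address-pool tunnelpool
 default-group-policy tunnel
"""


def _take_net(tokens):
    """Consume one ACE address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse(config):
    """Extract interface subnets, address pools, 'permit ip' ACEs, the nat 0 ACL,
    group-policies and tunnel-groups (hypothetical helper; everything else is ignored)."""
    cfg = {"ifaces": {}, "pools": {}, "acls": {}, "nat0": None, "policies": {}, "tgroups": {}}
    block = None  # (kind, object) for the indented section currently being read
    for line in config.splitlines():
        if not line.startswith(" "):
            block = None
            if line.startswith("interface "):
                block = ("iface", {})
            elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
                cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            elif m := re.match(r"access-list (\S+) extended permit ip (.*)", line):
                src, rest = _take_net(m[2].split())
                dst, _ = _take_net(rest)
                cfg["acls"].setdefault(m[1], []).append((src, dst))
            elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
                cfg["nat0"] = m[1]
            elif m := re.match(r"group-policy (\S+) attributes", line):
                block = ("policy", cfg["policies"].setdefault(m[1], {}))
            elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
                block = ("tgroup", cfg["tgroups"].setdefault(m[1], {}))
            continue
        if block is None:
            continue
        kind, obj = block
        words = line.split()
        if kind == "iface":
            if words[0] == "nameif":
                obj["name"] = words[1]
            elif words[:2] == ["ip", "address"] and words[2] != "dhcp":
                obj["net"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
            if "name" in obj and "net" in obj:
                cfg["ifaces"][obj["name"]] = obj["net"]
        elif kind == "policy":
            if words[0] == "vpn-tunnel-protocol":
                obj["protocols"] = set(words[1:])
            elif words[:2] == ["address-pools", "value"]:
                obj["pools"] = words[2:]
        elif kind == "tgroup":
            if words[0] == "address-pool":
                obj["pool"] = words[1]
            elif words[0] == "default-group-policy":
                obj["policy"] = words[1]
    return cfg


def check(config):
    """Return a list of findings for one config excerpt; empty means it passes."""
    cfg = parse(config)
    findings = []
    exempt = cfg["acls"].get(cfg["nat0"], [])
    for name, (lo, hi) in cfg["pools"].items():
        # fgasimzade's point: a pool taken out of an existing interface subnet.
        for ifname, net in cfg["ifaces"].items():
            if lo in net or hi in net:
                findings.append(f"pool {name} overlaps {ifname} network {net}")
        # What the rebuilt config does with inside_nat0_outbound: without a nat 0
        # entry covering the pool, inside->client replies hit the dynamic NAT rule.
        if not any(lo in dst and hi in dst for _, dst in exempt):
            findings.append(f"pool {name} not covered by nat 0 exemption ACL {cfg['nat0']}")
    for tg, attrs in cfg["tgroups"].items():
        pol_name = attrs.get("policy")
        pol = cfg["policies"].get(pol_name, {})
        # AnyConnect (svc) must be a permitted protocol in the policy the group lands on.
        if "svc" not in pol.get("protocols", set()):
            findings.append(f"tunnel-group {tg}: group-policy {pol_name} does not permit svc")
        # John Meggers' suggestion: list the pool under the group-policy as well.
        if not pol.get("pools"):
            findings.append(f"tunnel-group {tg}: group-policy {pol_name} has no address-pools")
    return findings


if __name__ == "__main__":
    for label, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check(text) or ["ok"])
```

Run it as-is and the "before" excerpt produces four findings (pool inside the 10.0.0.0/8 inside network, no nat 0 coverage, no svc in group-policy wdsi, no address-pools), while the "after" excerpt is clean. To check your own box, paste the relevant lines of `show running-config` into a string and call `check()`; the parser deliberately knows only ASA 8.2 `nat (iface) 0 access-list` syntax, so 8.3+ object NAT configs need a different exemption check.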