Solved

asa cannot ping the internal network

Posted on 2014-03-09
1,474 Views
Last Modified: 2014-03-18
I am trying for the life of me to figure out why I am unable to ping my inside network. My network goes INTERNET-->ROUTER-->ASA. My router's IP address is 50.0.0.1. I am able to ping and SSH into my ASA, but I am unable to ping my router or any computer on my network. Does anyone have any ideas as to what could be causing this? My config is below:
ciscoasa# sh run
: Saved
:
ASA Version 9.0(3) 
!
hostname ciscoasa
enable password BggdpMwrc93GOttt encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool SSLClientPool 50.0.1.0-50.0.1.10 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 50
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown     
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan50
 nameif LAN
 security-level 0
 ip address 50.0.0.20 255.255.255.0 
!
boot system disk0:/asa903-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network 50.0.0.0
 subnet 50.0.0.0 255.255.255.0
object network VPN_SUBNETS
 subnet 50.0.1.0 255.255.255.0
object-group network INTERNAL
 network-object object 50.0.0.0
access-list split-tunnel standard permit 50.0.0.0 255.255.255.0 
access-list vpn-access extended permit ip 50.0.1.0 255.255.255.0 50.0.0.0 255.255.255.0 
pager lines 24
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (LAN,any) source static any any destination static VPN_SUBNETS VPN_SUBNETS route-lookup
route LAN 0.0.0.0 0.0.0.0 50.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authorization command LOCAL 
http server enable
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 50.0.0.0 255.255.255.0 LAN
ssh 50.0.1.0 255.255.255.0 LAN
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn        
 enable LAN
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 vpn-filter value vpn-access
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 address-pools value SSLClientPool
username xxxxx password xxxxxxxxxxx encrypted privilege 15
username xxxxx attributes
 vpn-group-policy SSLClientPolicy
 service-type remote-access
tunnel-group SSLClientGroup type remote-access
tunnel-group SSLClientGroup general-attributes
 address-pool SSLClientPool
 default-group-policy SSLClientPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!             
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 


Question by:mmercaldi
11 Comments
 
LVL 4

Accepted Solution

by:
dusanm011 earned 500 total points
ID: 39917081
Hello mmercaldi,

It looks to me like you have just one interface active, and it is Eth0/0, which is connected to OUTSIDE, presumably to your router. It has an IP address of 50.0.0.20/24.

What confuses me is your description in the Vlan50 SVI. It says it is "LAN", suggesting Local Area Network, which is the common name for Inside.

Well, if this is the case, Vlan50 should be (if it is inside) at security level 100 (not zero - 0). And it should be connected to the inside network (some inside switch or so...).
Then you should connect the outside (security level 0) interface to the router.

Inside and outside interfaces should have IP addresses in different networks. Ex: 172.254.1.0/30 for outside (ASA .1, router .2), and for inside it can be 50.0.0.0/24.

When starting the ping from the ASA, use the extended ping command so that you specify source and destination interfaces.

I hope it helps.
0
 

Author Comment

by:mmercaldi
ID: 39917402
My ASA can ping everything. This ASA is just being used for AnyConnect, so there should be no reason for an inside/outside config. They also do not need to be on different subnets, as this is a common build for a lot of networks.
0
 

Author Comment

by:mmercaldi
ID: 39918846
So I tried what you said, but it did not work.  I added the following:
interface Vlan60
 nameif ASA_ONLY
 security-level 100
 ip address 60.0.0.1 255.255.255.0
!

nat (LAN,ASA_ONLY) source static obj-50.0.0.0 obj-50.0.0.0 destination static VPN_SUBNETS VPN_SUBNETS route-lookup

This still did not work.
0
 

Author Comment

by:mmercaldi
ID: 39919621
So I changed my entire config; here it is, but I am still having the same issue. This time it is using both the inside and outside nameifs. Anyone got any ideas as to why I still can ping the ASA but not the rest of my outside network? And yes, my ASA can ping the outside network, outside network meaning the router.

ciscoasa# sh run
: Saved
:
ASA Version 9.0(3) 
!
hostname ciscoasa
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool SSLClientPool 50.0.1.0-50.0.1.10 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 50
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!             
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan50
 nameif outside
 security-level 0
 ip address 50.0.0.20 255.255.255.0 
!
interface Vlan60
 nameif inside
 security-level 100
 ip address 60.0.0.1 255.255.255.0 
!
ftp mode passive
object network obj-50.0.0.0
 subnet 50.0.0.0 255.255.255.0
object network obj-60.0.0.0
 subnet 60.0.0.0 255.255.255.0
object network VPN_SUBNET
 subnet 50.0.1.0 255.255.255.0
object network ALL_HOSTS
 subnet 0.0.0.0 0.0.0.0
access-list split-tunnel standard permit 60.0.0.0 255.255.255.0 
access-list split-tunnel standard permit 50.0.0.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-60.0.0.0 obj-60.0.0.0 destination static VPN_SUBNET VPN_SUBNET
!
nat (inside,outside) after-auto source dynamic ALL_HOSTS interface
route outside 0.0.0.0 0.0.0.0 50.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authorization command LOCAL 
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 address-pools value SSLClientPool
username mercxi password encrypted privilege 15
username mercxi attributes
 vpn-group-policy SSLClientPolicy
 service-type remote-access
tunnel-group SSLClientGroup type remote-access
tunnel-group SSLClientGroup general-attributes
 address-pool SSLClientPool
 default-group-policy SSLClientPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b0f90a154e96555500f316f7c7963976
: end


0
 
LVL 4

Expert Comment

by:dusanm011
ID: 39920552
It looks like a routing problem...

You probably have a default gateway on your router pointing 0.0.0.0 0.0.0.0 out its outside interface, so that is where your packets destined for inside hosts go.

You must have a static route on your router saying where your internal network IP subnet is. And it is behind the interface which connects the router and the ASA.


Regards.
0

 

Author Comment

by:mmercaldi
ID: 39921005
So you are saying I need this on my router?
ip route 50.0.0.0 255.255.255.0 60.0.0.1
0
 
LVL 4

Expert Comment

by:dusanm011
ID: 39923235
Yes, if you want to ping the router's inside interface (the one between the ASA and the router).
Another useful thing is to do NAT on the ASA JUST for the inside IP subnet(s), not for all; it may get confusing.

But what puzzles me is that you have eth 0/0 connected to outside, namely to the router. What (physical) interface on the ASA is connected to inside? I see all of them in "shut" mode except for eth0/0.

Is this your net-draft?

Internet < - >(WAN ip) Router (50.0.0.1/24) < - > eth0/0 (50.0.0.20/24) ASA eth ?/? (60.0.0.1/24) < - > Inside L3 (L2) switch < - > Internal hosts in subnet 60.0.0.0/24

Regards.
0
 

Author Comment

by:mmercaldi
ID: 39923414
So I rebuilt this one more time, this time just with a standard build so I can try to figure out what I am doing wrong, as this is 9.0, not 8.4, and I know there have been some changes since.

This is how it is going:

INTERNET --> Cisco 881 router 50.0.0.1 and 192.168.5.1 --> 192.168.5.2 ASA 60.0.0.1 and the vpn subnet is 50.0.1.0

I hook up my laptop to the inside interface on the 60.0.0.0 network and I cannot ping the router, neither on 192.168.5.1 nor on 50.0.0.1, and I cannot ping the outside. The router and a desktop on the 50.0.0.0 network can ping the ASA on 60.0.0.1 and my laptop on the 60.0.0.0 network. I figured once I can fix that I can fix the VPN issue; figured it would be simpler.

hostname ciscoasa
enable password xxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool SSLClientPool 50.0.1.0-50.0.1.10 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 5
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 switchport access vlan 60
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan5
 nameif outside
 security-level 0
 ip address 192.168.5.2 255.255.255.252
!
interface Vlan60
 nameif inside
 security-level 100
 ip address 60.0.0.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit intra-interface
object network obj-50.0.0.0
 subnet 50.0.0.0 255.255.255.0
object network obj-60.0.0.0
 subnet 60.0.0.0 255.255.255.0
object network VPN_SUBNET
 subnet 50.0.1.0 255.255.255.0
object network ALL_HOSTS
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.5.0
 subnet 192.168.5.0 255.255.255.0
access-list split-tunnel standard permit 60.0.0.0 255.255.255.0
access-list split-tunnel standard permit 50.0.0.0 255.255.255.0
access-list split-tunnel standard permit 192.168.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-60.0.0.0 obj-60.0.0.0 destination static VPN_SUBNET VPN_SUBNET
!
object network obj-60.0.0.0
 nat (inside,outside) dynamic interface
object network VPN_SUBNET
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

dhcpd dns 4.2.2.2
!
dhcpd address 60.0.0.2-60.0.0.10 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 address-pools value SSLClientPool
username mercxi password xxxxxxxxxxx encrypted privilege 15
username mercxi attributes
 vpn-group-policy SSLClientPolicy
 service-type remote-access
tunnel-group SSLClientGroup type remote-access
tunnel-group SSLClientGroup general-attributes
 address-pool SSLClientPool
 default-group-policy SSLClientPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com


0
 
LVL 4

Expert Comment

by:dusanm011
ID: 39923521
Add the line "inspect icmp" to the class inspection_default section.
0
 

Author Comment

by:mmercaldi
ID: 39937267
I got it working; here is the config in case anyone wants it:
ASA Version 9.0(3)
!
hostname ciscoasa
domain-name mercdomain.local
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool SSLClientPool 50.0.1.0-50.0.1.10 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 5
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 switchport access vlan 60
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan5
 nameif outside
 security-level 0
 ip address 192.168.5.2 255.255.255.252
!
interface Vlan60
 nameif inside
 security-level 100
 ip address 60.0.0.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 50.0.0.1
 domain-name mercdomain.local
same-security-traffic permit intra-interface
object network obj-50.0.0.0
 subnet 50.0.0.0 255.255.255.0
object network obj-60.0.0.0
 subnet 60.0.0.0 255.255.255.0
object network VPN_SUBNET
 subnet 50.0.1.0 255.255.255.0
object network ALL_HOSTS
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.5.0
 subnet 192.168.5.0 255.255.255.0
access-list split-tunnel standard permit 60.0.0.0 255.255.255.0
access-list split-tunnel standard permit 50.0.0.0 255.255.255.0
access-list split-tunnel standard permit 192.168.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-60.0.0.0 obj-60.0.0.0 destination static VPN_SUBNET VPN_SUBNET
nat (outside,inside) source static VPN_SUBNET VPN_SUBNET
nat (outside,outside) source dynamic VPN_SUBNET interface
!
object network obj-60.0.0.0
 nat (inside,outside) dynamic interface
object network VPN_SUBNET
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

dhcpd dns 4.2.2.2
!
dhcpd address 60.0.0.2-60.0.0.10 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 50.0.0.1
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 default-domain value mercdomain.local
 address-pools value SSLClientPool
 webvpn
  anyconnect keep-installer installed
username mercxi password xxxxxxxxxxxx encrypted privilege 15
username mercxi attributes
 vpn-group-policy SSLClientPolicy
 service-type remote-access
tunnel-group SSLClientGroup type remote-access
tunnel-group SSLClientGroup general-attributes
 address-pool SSLClientPool
 default-group-policy SSLClientPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b9c59dcd15bbb08680132e7a6cf958cd
: end


0
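As an added example (not code from the thread or from Cisco), here is a small Python audit that parses the running-config lines this thread turned on and flags what the experts pointed at: a single named interface doing both jobs, inside/outside on the wrong security levels or overlapping subnets, a default route whose next hop is not on the egress interface, ICMP not inspected (so echo replies back through the firewall are dropped), and a hairpin (X,X) NAT without same-security-traffic permit intra-interface. The embedded excerpts are constructed trims of the configs posted above; the router-side return route the accepted answer asks for cannot be checked from the ASA config, so it is out of scope.

```python
import ipaddress

def parse_asa(config):
    """Collect the running-config facts the checks below need."""
    f = {"ifaces": {}, "routes": [], "nat_pairs": [], "inspect": set(), "intra": False}
    cur = None
    for line in filter(str.strip, config.splitlines()):   # skip blank lines
        tok = line.split()
        if not line.startswith(" "):          # a top-level command ends any interface block
            cur = None
        if tok[0] == "interface":
            cur = f["ifaces"][tok[1]] = {"nameif": None, "sec": None, "net": None}
        elif cur is not None and tok[0] == "nameif":
            cur["nameif"] = tok[1].lower()
        elif cur is not None and tok[0] == "security-level":
            cur["sec"] = int(tok[1])
        elif cur is not None and tok[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "route":               # route <nameif> <dst> <mask> <gateway> [metric]
            f["routes"].append((tok[1].lower(), tok[2], tok[3], tok[4]))
        elif tok[0] == "nat":                 # nat (ingress,egress) ...
            f["nat_pairs"].append(tok[1].strip("()").lower().split(","))
        elif tok[0] == "inspect":
            f["inspect"].add(tok[1])
        elif line.startswith("same-security-traffic permit intra-interface"):
            f["intra"] = True
    return f

def audit(config):
    """Return short codes for the problems the thread's experts pointed at."""
    f = parse_asa(config)
    named = {i["nameif"]: i for i in f["ifaces"].values() if i["nameif"] and i["net"]}
    out = []
    if len(named) < 2:                        # one VLAN doing both jobs, as in the first post
        out.append("SINGLE_NAMED_INTERFACE")
    ins, outs = named.get("inside"), named.get("outside")
    if ins and outs:
        if ins["sec"] != 100 or outs["sec"] != 0:
            out.append("SECURITY_LEVELS")
        if ins["net"].network.overlaps(outs["net"].network):
            out.append("SAME_SUBNET")         # inside and outside must be different networks
    default = [r for r in f["routes"] if r[1] == r[2] == "0.0.0.0"]
    if not default:
        out.append("NO_DEFAULT_ROUTE")
    else:
        egress, gw = named.get(default[0][0]), ipaddress.ip_address(default[0][3])
        if egress is None or gw not in egress["net"].network:
            out.append("GATEWAY_NOT_ON_EGRESS")  # next hop must sit on the egress subnet
    if "icmp" not in f["inspect"]:            # without it, echo replies are dropped statelessly
        out.append("NO_INSPECT_ICMP")
    if any(a == b for a, b in f["nat_pairs"]) and not f["intra"]:
        out.append("HAIRPIN_WITHOUT_INTRA_INTERFACE")
    return out

# Constructed excerpts of the configs posted in this thread, trimmed to the relevant lines.
FIRST_POST = """interface Vlan50
 nameif LAN
 security-level 0
 ip address 50.0.0.20 255.255.255.0
route LAN 0.0.0.0 0.0.0.0 50.0.0.1 1
  inspect icmp
"""
TWO_LEG_BUILD = """interface Vlan5
 nameif outside
 security-level 0
 ip address 192.168.5.2 255.255.255.252
interface Vlan60
 nameif inside
 security-level 100
 ip address 60.0.0.1 255.255.255.0
same-security-traffic permit intra-interface
route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
"""
# The final working post added hairpin NAT for the VPN pool and ICMP inspection.
FINAL_POST = TWO_LEG_BUILD + "nat (outside,outside) source dynamic VPN_SUBNET interface\n  inspect icmp\n"
```

Running audit() over the three excerpts reproduces the thread's progression: the first build is flagged for its single named interface, the two-leg rebuild only for the missing ICMP inspection, and the final config comes back clean.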
 

Author Closing Comment

by:mmercaldi
ID: 39937276
In the end I had to get back to setting up a basic ASA. Since the change in 8.3 it does not seem possible to set up a VPN on a stick with just one VLAN.
0
