Solved

Cisco Anyconnect no internet connection

Posted on 2016-08-08
Last Modified: 2016-08-09
Dear experts,

I am having problems with an AnyConnect client setup on a Cisco ASA 5506 where there is no internet connection after I connect through the client.
Any suggestions? Here is the code.

Result of the command: "sh run"

: Saved
: 
: Serial Number: 
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1) 
!
hostname XXX-HKA-ASA
domain-name customer1.local
enable password zzzzzzzzzzzzzzzz encrypted
names
ip local pool Anyconnect_DHCP 172.16.0.100-172.16.0.200 mask 255.255.255.0

!
interface GigabitEthernet1/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1.6
 description 
 vlan 6
 nameif outside
 security-level 0
 pppoe client vpdn group Fieber-PPPoE
 ip address pppoe setroute 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0 
!
interface GigabitEthernet1/3
 nameif VOIP
 security-level 90
 ip address 192.168.40.254 255.255.255.0 
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa961-lfbff-k8.SPA
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name customer1.local
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VOIP_NAT
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.0.192_27
 subnet 192.168.0.192 255.255.255.224
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_24
 subnet 172.16.0.0 255.255.255.0
object network obj-inside-anyconnect
 subnet 172.16.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any 
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
access-list Anyconnect_ACL standard permit 192.168.0.0 255.255.255.0 
access-list Anyconnect_ACL standard permit 172.16.0.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu VOIP 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface dns
object network VOIP_NAT
 nat (VOIP,outside) dynamic interface dns
object network obj-inside-anyconnect
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable 444
http 192.168.0.0 255.255.255.0 inside
http xxx.xx.xxx.xxxx 255.255.255.255 outside
snmp-server host outside xxx.xx.xxx.xxxx poll community ***** version 2c
snmp-server location customer1
snmp-server contact Javelin ICT
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=XXX-HKA-ASA
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate da94a157
    30820345 3082022d a0030201 020204da 94a15730 0d06092a 864886f7 0d010105 
    05003032 31143012 06035504 03130b4b 45542d48 4b412d41 5341311a 30180609 
    2a864886 f70d0109 02160b4b 45542d48 4b412d41 5341301e 170d3136 30383038 
    31343132 35355a17 0d323630 38303631 34313235 355a3032 31143012 06035504 
    03130b4b 45542d48 4b412d41 5341311a 30180609 2a864886 f70d0109 02160b4b 
    45542d48 4b412d41 53413082 0122300d 06092a86 4886f70d 01010105 00038201 
    0f003082 010a0282 010100e5 6dd895e8 d2ff102b edbf62ad 71ce2cf0 b23b66b6 
    c561601b d5c9bcf7 932b4e34 b6e4cf3f 3688639e 2d5167e4 b73fd67a 79aece41 
    c580fabe d62710f7 e7ce5cbb d91a1a31 c7901ca3 a81be244 8d342635 73648a72 
    408cff9c 9c344483 cc819531 7b86ac81 081779d7 2a1d8680 603c09c1 e2ce6165 
    860173d2 bdad82b5 9f8e224f 0a2e66fc 77345dae 026b1fee faf0857c b9f3caa9 
    70f97a1f 3562622f 862aa211 e9b2c5d6 4e1cdea8 75623d43 fb8cc74e 59d098dd 
    b28d7ab2 cae947d7 b53ae37c 32ac0be9 70079bf7 7140dbd3 313117a3 700675fc 
    7940990d a68a047f 84a35da0 c0acd5b0 5fddeb4b 732ae0ff 4d65fedc 172ec983 
    9a7a39f5 5ad05c7d 8e9f6102 03010001 a3633061 300f0603 551d1301 01ff0405 
    30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06 03551d23 04183016 
    80142580 5dfe099f 7a2327b8 99311591 8e580ca6 8623301d 0603551d 0e041604 
    1425805d fe099f7a 2327b899 3115918e 580ca686 23300d06 092a8648 86f70d01 
    01050500 03820101 00a186fa b2dbb59c d7983d7c 9f4ce518 1a1c4826 2934515d 
    addfb4ab ede51f42 84f70295 72258e4b 5e882744 8c9c5de2 f1d5f561 e8476d89 
    838f77df ce6c0508 97c32037 506abc23 1c8b9899 a7d0b2e7 67f4f160 ec145082 
    95c7ef68 fe7d6451 645eefbd b013d82c c104fed3 c0005566 cf5649d6 a827c495 
    8fa630ce f2d56185 375c4b12 fbf1cad8 0f960292 49c57387 fcbff99a 6378a0d1 
    70b2c893 2e7932f9 a7b66a94 cf7476d1 1e759030 4893e23c be383a3d 898a8635 
    d72569d3 26751452 f2ce7196 21492ca2 15c87d75 0c26e7ff ca2c3d0e 2a45bfed 
    e90c9494 874915f0 aa02e1bd a3edc213 daf666ef 6a8c6482 3150d6ca cc2096dc 
    dc50d787 beddec71 0a
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh xxx.xx.xxx.xxxx 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group Fieber-PPPoE request dialout pppoe
vpdn group Fieber-PPPoE localname fieber
vpdn group Fieber-PPPoE ppp authentication pap
vpdn username fieber password ***** store-local

dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 62.212.131.101 62.212.128.130 interface inside
dhcpd domain customer1.com interface inside
dhcpd option 3 ip 192.168.0.254 interface inside
dhcpd enable inside
!
dhcpd address 192.168.40.100-192.168.40.200 VOIP
dhcpd dns 62.212.131.130 interface VOIP
dhcpd domain voip.customer1.com interface VOIP
dhcpd option 3 ip 192.168.40.254 interface VOIP
dhcpd enable VOIP
!
ntp server 217.77.132.1 prefer
ssl cipher default custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.2.01035-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-4.2.01035-k9.pkg 2
 anyconnect profiles Anyconnect_customer1_client_profile disk0:/Anyconnect_customer1_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_Anyconnect_customer1 internal
group-policy GroupPolicy_Anyconnect_customer1 attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev2 ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Anyconnect_ACL
 split-tunnel-all-dns enable
 webvpn
  anyconnect profiles value Anyconnect_customer1_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username chris password 3HGYUF6ThpNqg3J2 encrypted
username chris attributes
 password-storage disable
username javelin password hkK.yAUeUpkAJ0Hi encrypted privilege 15
tunnel-group Anyconnect_customer1 type remote-access
tunnel-group Anyconnect_customer1 general-attributes
 address-pool Anyconnect_DHCP
 default-group-policy GroupPolicy_Anyconnect_customer1
tunnel-group Anyconnect_customer1 webvpn-attributes
 group-alias Anyconnect_customer1 enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:1d1efbf8c0eff0d10de8b3bcdc6dcd18
: end

Question by:jav_sevenofnine
7 Comments
LVL 57

Expert Comment

by:Pete Long
ID: 41747372

Author Comment

by:jav_sevenofnine
ID: 41747427
I've already done that. More suggestions?
LVL 57

Accepted Solution

by:
Pete Long earned 250 total points
ID: 41747449
Assuming this is the one?

group-policy GroupPolicy_Anyconnect_customer1 attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4

Add a domain name to the end of it

i.e.
group-policy GroupPolicy_Anyconnect_customer1 attributes
 default-domain value your domain.com

Then try again
LVL 9

Assisted Solution

by:Cheever000
Cheever000 earned 250 total points
ID: 41747802
The problem here appears to be this command:
split-tunnel-all-dns enable

It forces the client to use the configured DNS server and forces that DNS traffic over the tunnel; without configuring the external NAT for the VPN pool this wouldn't work unless you use an internal DNS server in the specified networks.

If you remove that command you should be able to get that working, unless you have internal servers in the actual config and used those to mask your network. If that is the case, ignore me.

Author Comment

by:jav_sevenofnine
ID: 41748570
OK! The internet connection works.
I have configured another DHCP scope for the AnyConnect users.
The only thing I am missing is a route between the 172.16.0.x and the 192.168.0.0 networks. Any suggestions? I tried to exempt, but it looks like I am doing something wrong.
LVL 9

Assisted Solution

by:Cheever000
Cheever000 earned 250 total points
ID: 41748646
You don't need the AnyConnect pool in the split-tunnel list; that being said, it shouldn't break it. You are missing your NAT exemption.

nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static obj-inside-anyconnect obj-inside-anyconnect
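To make the three points raised in this thread mechanically checkable, here is an added script (not Cisco tooling, not the poster's config, and not written by either expert) that parses an ASA running-config excerpt and flags them: `split-tunnel-all-dns enable` pointing at DNS servers that are not on the split-tunnel list while no `nat (outside,outside)` rule exists for the VPN pool (Cheever000's first answer; the check assumes VPN clients terminate on `outside`, so the posted `nat (inside,outside)` rule for the pool does not apply to their traffic), a missing twice-NAT exemption between the inside network and the pool (the second answer), and the pool itself sitting on the split-tunnel ACL. The two embedded configs are constructed excerpts of the posted config, before and after the thread's fixes; Pete Long's `default-domain value` is filled in with the `domain-name` from the posted config.

```python
"""Lint an ASA 'show run' for the AnyConnect pitfalls raised in this thread (added
example; not Cisco tooling and not the poster's own config)."""
import ipaddress
import re

def parse_sections(config):
    """(top-level command, [indented sub-commands]) pairs; ASA indents sub-commands
    with one space, and '!' / ':' lines are comments."""
    sections = []
    for raw in config.splitlines():
        if raw.strip() and not raw.lstrip().startswith(("!", ":")):
            if raw[0].isspace() and sections:
                sections[-1][1].append(raw.strip())
            else:
                sections.append((raw.strip(), []))
    return sections

def has_exemption(twice_nat, objects, inside_net, pool):
    """True if an identity (twice) NAT 'source static X X destination static Y Y' maps X to pool Y."""
    pat = r"nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)"
    return any(tm and tm[1] == tm[2] and tm[3] == tm[4]
               and objects.get(tm[1]) == inside_net and objects.get(tm[3]) == pool
               for tm in (re.match(pat, ln) for ln in twice_nat))

def check_anyconnect(config):
    """Return one finding per pitfall, for each remote-access tunnel-group."""
    objects, object_nats, pools, acls = {}, {}, {}, {}  # keyed by object / pool / ACL name
    twice_nat, policies, tunnel_groups = [], {}, {}
    for head, kids in parse_sections(config):
        if m := re.match(r"object network (\S+)$", head):
            for k in kids:
                if sm := re.match(r"subnet (\S+) (\S+)$", k):
                    objects[m[1]] = ipaddress.ip_network(f"{sm[1]}/{sm[2]}", strict=False)
                elif k.startswith("nat "):
                    object_nats.setdefault(m[1], []).append(k)
        elif m := re.match(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)$", head):
            pools[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", head):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
        elif head.startswith("nat ") and " source static " in head:
            twice_nat.append(head)
        elif m := re.match(r"group-policy (\S+) attributes$", head):
            policies[m[1]] = kids
        elif m := re.match(r"tunnel-group (\S+) general-attributes$", head):
            tunnel_groups[m[1]] = kids
    findings = []
    for tg, kids in tunnel_groups.items():
        attrs = dict(k.split(" ", 1) for k in kids if " " in k)
        pool = pools[attrs["address-pool"]]
        dns, split_nets, all_dns = [], [], False
        for k in policies.get(attrs.get("default-group-policy", ""), []):
            if k.startswith("dns-server value "):
                dns = [ipaddress.ip_address(x) for x in k.split()[2:]]
            elif k.startswith("split-tunnel-network-list value "):
                split_nets = acls.get(k.split()[-1], [])
            elif k == "split-tunnel-all-dns enable":
                all_dns = True
        # 1. split-tunnel-all-dns pushes queries to a DNS server outside the split list into the
        #    tunnel; they must leave again via 'outside' (where VPN clients terminate), so only
        #    'nat (outside,outside)' for the pool covers them, not the posted '(inside,outside)'.
        if all_dns and any(not any(d in n for n in split_nets) for d in dns):
            hairpin = any(objects.get(name) == pool
                          and any(ln.startswith("nat (outside,outside) dynamic") for ln in lines)
                          for name, lines in object_nats.items())
            if not hairpin:
                findings.append(f"{tg}: split-tunnel-all-dns tunnels DNS to {', '.join(map(str, dns))}"
                                f" but no nat (outside,outside) covers pool {pool}")
        # 2. Each internal network on the split list needs a NAT exemption to the pool;
        #    without it dynamic PAT rewrites the inside source and replies never return.
        for n in split_nets:
            if n == pool:
                findings.append(f"{tg}: pool {pool} is on the split-tunnel list (unnecessary)")
            elif not has_exemption(twice_nat, objects, n, pool):
                findings.append(f"{tg}: no NAT exemption between {n} and pool {pool}")
    return findings

# Constructed excerpt of the posted config, then the same after the thread's fixes.
CONFIG_AS_POSTED = """\
ip local pool Anyconnect_DHCP 172.16.0.100-172.16.0.200 mask 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network obj-inside-anyconnect
 subnet 172.16.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list Anyconnect_ACL standard permit 192.168.0.0 255.255.255.0
access-list Anyconnect_ACL standard permit 172.16.0.0 255.255.255.0
group-policy GroupPolicy_Anyconnect_customer1 attributes
 dns-server value 8.8.8.8 8.8.4.4
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Anyconnect_ACL
 split-tunnel-all-dns enable
tunnel-group Anyconnect_customer1 general-attributes
 address-pool Anyconnect_DHCP
 default-group-policy GroupPolicy_Anyconnect_customer1
"""
CONFIG_AFTER_THREAD = (CONFIG_AS_POSTED
    .replace("access-list Anyconnect_ACL standard permit 172.16.0.0 255.255.255.0\n", "")
    .replace(" split-tunnel-all-dns enable\n", " default-domain value customer1.local\n")
    + "nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24"
      " destination static obj-inside-anyconnect obj-inside-anyconnect\n")
```

Running `check_anyconnect(CONFIG_AS_POSTED)` yields three findings (tunnelled DNS with no hairpin NAT, no NAT exemption for 192.168.0.0/24, and the pool on the split list); `check_anyconnect(CONFIG_AFTER_THREAD)` yields none. The parser is deliberately minimal: it understands only the object, pool, standard ACL, group-policy, tunnel-group and twice-NAT forms used in this thread, so a config that expresses the same intent differently (for example an extended split-tunnel ACL) needs the regexes extended.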

Author Closing Comment

by:jav_sevenofnine
ID: 41749020
Thanks guys! It's working!