Anyconnect access to internal network

frontiersin — Tue, 12 Mar 2019 08:37:39 GMT
Hello
I believe I already read all post here about Annyconnect and access to internal network. But I can't found any solucion.
I need put all traffic in the tunnel, like internet, access to the internal network, and access to other tunnels (site-to-site). In this moment we can connect the AnnyConnect and after I only have internet on the tunnel if I use the IP, because I don't have access to the internal network and I can't use my DNS server. I think I'm missing one NAT but I can't figure out. Some one can take a look and help me, please.
Internal network 192.168.1.0 255.255.255.0
VPNPoll 192.168.20.0 255.255.255.0
Please tell me if you need more information.
: Serial Number: *******
: Hardware: ASA5515,*************
:
ASA Version 9.2(2)4 
!
hostname CiscoAsaFirewall
domain-name office.frontiersin.org
enable password *******************
names
ip local pool VPN_DHCP 192.168.20.0-192.168.20.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 212.243.***.*** 255.255.255.248 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.248.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.220
 domain-name office.frontiersin.org
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.20.0_24
 subnet 192.168.20.0 255.255.255.0
object network obj_inside
 subnet 192.168.1.0 255.255.255.0
 description Lan
object network obj_anyconnectpool
 subnet 192.168.20.0 255.255.255.0
object network inside_net
object network obj-AnyconnectPool
object network Rackspace_Cloud
 subnet 10.176.0.0 255.240.0.0
object network VPN-LOCAL-TEST
 subnet 192.168.24.0 255.255.248.0
object network VPN-REMOTE-TEST
 subnet 10.176.0.0 255.240.0.0
object network AD-Server
 host 192.168.1.220
object network inside
object network vpnpool
object-group network AZURE-INTEGRATION-SUBNET
 description Subnet for Integration Environments on Azure
 network-object 192.168.128.0 255.255.128.0
 network-object *****************************
object-group network LOCAL-INSIDE-NETWORK
 description Local Subnet
 network-object 192.168.0.0 255.255.248.0
object-group service WinRDP tcp
 description Windows Remote Desktop Connection
 port-object eq 3389
object-group service DM_INLINE_SERVICE_1
 service-object icmp 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
object-group network DM_INLINE_NETWORK_1
 network-object object NETWORK_OBJ_192.168.20.0_24
 network-object object obj_inside
object-group network obj-anyconnect
object-group network DM_INLINE_NETWORK_2
 network-object object NETWORK_OBJ_192.168.20.0_24
 network-object object obj_anyconnectpool
 network-object object obj_inside
object-group network DM_INLINE_NETWORK_3
 network-object object NETWORK_OBJ_192.168.20.0_24
 network-object object obj_anyconnectpool
 network-object object obj_inside
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
access-list 101 extended permit ip object-group LOCAL-INSIDE-NETWORK object-group AZURE-INTEGRATION-SUBNET 
access-list inside_access_in extended permit ip any any 
access-list Local_LAN_Access remark Client Local LAN Access
access-list Local_LAN_Access standard permit 192.168.0.0 255.255.248.0 
access-list global_access extended permit ip object-group DM_INLINE_NETWORK_2 any 
access-list AnyConnet remark Allow users VPN can connect to internet
access-list AnyConnet extended permit object-group DM_INLINE_SERVICE_1 object NETWORK_OBJ_192.168.20.0_24 any 
access-list natoutvpn extended permit ip 192.168.20.0 255.255.255.0 any 
access-list anyconnect extended permit ip 192.168.20.0 255.255.255.0 any 
access-list outside_cryptomap_1 extended permit ip object VPN-LOCAL-TEST object VPN-REMOTE-TEST 
access-list INSIDE-NAT0 remark NAT0 for VPN
access-list INSIDE-NAT0 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any 
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list SPLIT_TUNNEL extended permit ip 192.168.1.0 255.255.255.0 any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LOCAL-INSIDE-NETWORK LOCAL-INSIDE-NETWORK destination static AZURE-INTEGRATION-SUBNET AZURE-INTEGRATION-SUBNET
nat (inside,outside) source static obj_inside obj_inside destination static obj_anyconnectpool obj_anyconnectpool no-proxy-arp route-lookup
nat (inside,any) source static obj_inside obj_inside destination static obj_anyconnectpool obj_anyconnectpool no-proxy-arp description NONAT
nat (inside,outside) source dynamic NETWORK_OBJ_192.168.20.0_24 interface
nat (inside,outside) source static obj_inside obj_inside destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static obj_inside obj_inside no-proxy-arp route-lookup
nat (any,outside) source dynamic DM_INLINE_NETWORK_1 interface
nat (inside,outside) source dynamic any interface
nat (outside,outside) source dynamic NETWORK_OBJ_192.168.20.0_24 interface
nat (inside,outside) source dynamic obj_inside interface
nat (outside,outside) source dynamic obj_inside interface
!
nat (outside,outside) after-auto source dynamic obj_anyconnectpool interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 212.243.***.*** 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server group Frontiers v3 auth 
snmp-server host inside 192.168.1.201 community ***** version 2c
snmp-server location Rack
snmp-server contact Vitor Fonseca
snmp-server community *****
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set AZURE-TRANSFORM esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map AZURE-CRYPTO-MAP 1 match address outside_cryptomap_1
crypto map AZURE-CRYPTO-MAP 1 set peer 95.138.146.99 
crypto map AZURE-CRYPTO-MAP 1 set ikev1 transform-set ESP-AES-128-SHA E
crypto map AZURE-CRYPTO-MAP 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map AZURE-CRYPTO-MAP 100 match address 101
crypto map AZURE-CRYPTO-MAP 100 set peer 40.118.110.96 13.81.110.78 
crypto map AZURE-CRYPTO-MAP 100 set ikev1 transform-set AZURE-TRANSFORM
crypto map AZURE-CRYPTO-MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map AZURE-CRYPTO-MAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=lausanne-vpn.frontiersin.net
 keypair cert.key
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate *******************
 **********************************
 **********************************
 **********************************
 quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate *******************
 **********************************
 **********************************
 **********************************
 quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_lausanne-vpn internal
group-policy GroupPolicy_lausanne-vpn attributes
 wins-server none
 dns-server value 192.168.1.220
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value office.frontiersin.org
 split-tunnel-all-dns enable
group-policy GroupPolicy_95.138.***.*** internal
group-policy GroupPolicy_95.138.***.*** attributes
 vpn-tunnel-protocol ikev1 ikev2 
username vafa.sarmas password *************
username vitor.fonseca password **************
tunnel-group lausanne-vpn type remote-access
tunnel-group lausanne-vpn general-attributes
 address-pool VPN_DHCP
 default-group-policy GroupPolicy_lausanne-vpn
tunnel-group lausanne-vpn webvpn-attributes
 group-alias lausanne-vpn enable
tunnel-group 40.118.***.*** type ipsec-l2l
tunnel-group 40.118.***.*** ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 13.81.***.*** type ipsec-l2l
tunnel-group 13.81.***.*** ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 95.138.***.*** type ipsec-l2l
tunnel-group 95.138.***.*** general-attributes
 default-group-policy GroupPolicy_95.138.***.***
tunnel-group 95.138.***.*** ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
policy-map icmp_policyexit
policy-map icmp_policy
 class icmp-class
 inspect icmp 
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map 
 inspect ftp 
 inspect h323 h225 
 inspect h323 ras 
 inspect rsh 
 inspect rtsp 
 inspect esmtp 
 inspect sqlnet 
 inspect skinny 
 inspect sunrpc 
 inspect xdmcp 
 inspect sip 
 inspect netbios 
 inspect tftp 
 inspect ip-options 
 class class-default
 user-statistics accounting
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context 
call-home reporting anonymous
hpm topN enable
Cryptochecksum:**********************************
: end
asdm image disk0:/asdm-762.bin
no asdm history enable
Hi,

mattjones03 — Tue, 06 Dec 2016 21:58:06 GMT
Hi,
Looks like you have the relevant NATs in place. Is the firewall the default gateway for your internal network?, If not, do you require a route directing traffic for 192.168.20.0/24 back to your firewall.
Also, ensure you have permitted access to the internal network if you have a VPN filter in place.
Hello Mattjones03

frontiersin — Wed, 07 Dec 2016 07:11:54 GMT
Hello Mattjones03
First many thanks for your quick reply. Because this a lab, I think you are correct and the problem is my firewall this not the default gateway in my internal network.
I will put this in place and after I will test again.
Thanks again.
You are welcome.

mattjones03 — Wed, 07 Dec 2016 07:39:00 GMT
You are welcome.
Let us know how you get on with this.
Please mark your question as answered/resolved if it indeed resolves your question
topic You are welcome. in Network Security

Anyconnect access to internal network

Hi,

Hello Mattjones03

You are welcome.
