ASA5516 VPN Configuration

mitchell.brewer — Fri, 21 Feb 2020 16:10:35 GMT

I have very little experience with configuring ASA devices or VPNs, but I was recently tasked with setting up an ASA5516 with a Cisco AnyConnect VPN Only license as an alternative to our legacy VPN service. I've gone through the setup process outlined in the documentation. The outside interface has a static private IP address that is Static-NATed to a public IP address. I can access AnyConnect from any computer on the same private network as the outside interface, using the private outside IP address, but can't access it using the public IP address from any computer- it just tries for awhile then gives up. I don't control the NAT device, but I am assured that it is configured and correct ports are open. I would appreciate any help that will get me pointed in the right direction to get the device configured correctly.

Here is the current running configuration:

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.10.30.245 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.10.11 outside
domain-name lps.umd.edu
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.1.1,CN=olbers
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a
    308204d3 308203bb a0030201 02021018 dad19e26 7de8bb4a 2158cdcc 6b3b4a30
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d30
    36313130 38303030 3030305a 170d3336 30373136 32333539 35395a30 81ca310b
    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
    496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
    74776f72 6b313a30 38060355 040b1331 28632920 32303036 20566572 69536967
    6e2c2049 6e632e20 2d20466f 72206175 74686f72 697a6564 20757365 206f6e6c
    79314530 43060355 0403133c 56657269 5369676e 20436c61 73732033 20507562
    6c696320 5072696d 61727920 43657274 69666963 6174696f 6e204175 74686f72
    69747920 2d204735 30820122 300d0609 2a864886 f70d0101 01050003 82010f00
    3082010a 02820101 00af2408 08297a35 9e600caa e74b3b4e dc7cbc3c 451cbb2b
    e0fe2902 f95708a3 64851527 f5f1adc8 31895d22 e82aaaa6 42b38ff8 b955b7b1
    b74bb3fe 8f7e0757 ecef43db 66621561 cf600da4 d8def8e0 c362083d 5413eb49
    ca595485 26e52b8f 1b9febf5 a191c233 49d84363 6a524bd2 8fe87051 4dd18969
    7bc770f6 b3dc1274 db7b5d4b 56d396bf 1577a1b0 f4a225f2 af1c9267 18e5f406
    04ef90b9 e400e4dd 3ab519ff 02baf43c eee08beb 378becf4 d7acf2f6 f03dafdd
    75913319 1d1c40cb 74241921 93d914fe ac2a52c7 8fd50449 e48d6347 883c6983
    cbfe47bd 2b7e4fc5 95ae0e9d d4d143c0 6773e314 087ee53f 9f73b833 0acf5d3f
    3487968a ee53e825 15020301 0001a381 b23081af 300f0603 551d1301 01ff0405
    30030101 ff300e06 03551d0f 0101ff04 04030201 06306d06 082b0601 05050701
    0c046130 5fa15da0 5b305930 57305516 09696d61 67652f67 69663021 301f3007
    06052b0e 03021a04 148fe5d3 1a86ac8d 8e6bc3cf 806ad448 182c7b19 2e302516
    23687474 703a2f2f 6c6f676f 2e766572 69736967 6e2e636f 6d2f7673 6c6f676f
    2e676966 301d0603 551d0e04 1604147f d365a7c2 ddecbbf0 3009f343 39fa02af
    33313330 0d06092a 864886f7 0d010105 05000382 01010093 244a305f 62cfd81a
    982f3dea dc992dbd 77f6a579 2238ecc4 a7a07812 ad620e45 7064c5e7 97662d98
    097e5faf d6cc2865 f201aa08 1a47def9 f97c925a 0869200d d93e6d6e 3c0d6ed8
    e6069140 18b9f8c1 eddfdb41 aae09620 c9cd6415 3881c994 eea28429 0b136f8e
    db0cdd25 02dba48b 1944d241 7a05694a 584f60ca 7e826a0b 02aa2517 39b5db7f
    e784652a 958abd86 de5e8116 832d10cc defda882 2a6d281f 0d0bc4e5 e71a2619
    e1f4116f 10b595fc e7420532 dbce9d51 5e28b69e 85d35bef a57d4540 728eb70e
    6b0e06fb 33354871 b89d278b c4655f0d 86769c44 7af6955c f65d3208 33a454b6
    183f685c f2424a85 3854835f d1e82cf2 ac11d6a8 ed636a
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 9d25105b
    308202ca 308201b2 a0030201 0202049d 25105b30 0d06092a 864886f7 0d01010b
    05003027 310f300d 06035504 0313066f 6c626572 73311430 12060355 0403130b
    3139322e 3136382e 312e3130 1e170d31 38303631 34313230 3630325a 170d3238
    30363131 31323036 30325a30 27310f30 0d060355 04031306 6f6c6265 72733114
    30120603 55040313 0b313932 2e313638 2e312e31 30820122 300d0609 2a864886
    f70d0101 01050003 82010f00 3082010a 02820101 00f61d3d c0547779 cd05debb
    c21ac3c9 aad0973e c994e204 8c0acdfd c52ea24c 600c8940 6997c1cc 7abbb50e
    a257c197 c2eb62ae 8be84bff fafe9164 149d9e8e 08222dec cad956cc f1d99d78
    29158f21 c7243dad f0eaf99c 4edfa5b4 1627a608 2e530deb 1e5423d7 6ed7258c
    0fba8431 e12266f0 12406901 b4756e3d 984a69a1 abf9c14d dc6d0400 58263bb2
    646bf2d6 82c8ed81 84346684 0e495887 46280125 19b0f0a5 be164431 93af2d38
    2ccde7fb a6f0a9da c27d0801 631923ae 8afbe600 a33662d4 a6ab794c 64939b1f
    bce8c470 b43d6844 d51c7ad1 f279b246 c8c7aa45 2de02ba6 b443b607 4a84fd5b
    aa2f8d2a 7ca78990 f31b489e 0159484c 9b1472a7 1b020301 0001300d 06092a86
    4886f70d 01010b05 00038201 01005dbd b9901910 6033bfb0 d5ec2682 e0072551
    abc522a9 d5ec6d3b b53b9725 cf2ffc0e ef39ed41 512bab9b b1604ed1 1748fdbf
    0daf6c6c a4b12a03 7193308d 142d892a a1394069 2494ba8e dc09661e a536473a
    4b018db9 68571bd8 dbf679da f5b54d7f 03413816 6e07cef2 551e6219 cdd0c3f8
    a60c46ad a816e29a 6565262d 6a52f11c 7c2d5c38 272305b0 884e2569 4c8b0e4e
    47028dfa 24aaa2ec 99d277a2 9ff9be35 e021e193 4abe1b93 26fb3053 d2d1f280
    01f8b82b d8177084 04addda3 217b0e34 ac12ee1c 2f0521b4 c07ed191 50fbc43b
    4b606b1d c7e4abe7 fa29e8f0 ed529969 76d09f8d 9253ac24 fb3af3ee bedb94c4
    5eb2993e 2d75ac4a 9166b374 65ee
quit
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.30.0 255.255.255.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
webvpn
enable outside
enable inside
anyconnect image disk0:/anyconnect-linux64-4.6.01098-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.6.01098-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-win-4.6.01098-webdeploy-k9.pkg 3
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
dns-server value 10.10.10.11
vpn-tunnel-protocol ssl-client
default-domain value lps.umd.edu
dynamic-access-policy-record DfltAccessPolicy
username XXXXXXXX password XXXXXXXX
username XXXXXXXX password XXXXXXXX
tunnel-group MYGRP-ASA-VPN type remote-access
tunnel-group MYGRP-ASA-VPN general-attributes
address-pool VPN-CLIENT-POOL
default-group-policy GroupPolicy1
tunnel-group MYGRP-ASA-VPN webvpn-attributes
group-alias MYGRP enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
service call-home

Re: ASA5516 VPN Configuration

Rahul Govindan — Fri, 31 Aug 2018 16:40:17 GMT

You are missing the default route on the ASA:

"route outside 0 0 <next-hop-ip>"

Without this, the ASA would not know how to route traffic to the internet. Within the same network would work because it does a L2 lookup instead of routing.

Re: ASA5516 VPN Configuration

mitchell.brewer — Fri, 31 Aug 2018 19:06:30 GMT

Thank you Rahul! I added the default route and I can now connect remotely, download the AnyConnect software, and connect to the VPN. However, while I am connected to the VPN I have no Internet access, and can't access any remote systems.

Re: ASA5516 VPN Configuration

mitchell.brewer — Fri, 31 Aug 2018 19:08:59 GMT

I see there are other posts covering this new issue I have so I'm doing more research. Thank you!

Re: ASA5516 VPN Configuration

Rahul Govindan — Fri, 31 Aug 2018 19:25:11 GMT

You need NAT exemption for accessing internal hosts. For internet access, you would need to configure Split tunneling. An example using both these concepts given below:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html#anc6

topic Re: ASA5516 VPN Configuration in Network Security

ASA5516 VPN Configuration

Re: ASA5516 VPN Configuration

Re: ASA5516 VPN Configuration

Re: ASA5516 VPN Configuration

Re: ASA5516 VPN Configuration