topic Thank you for your help! in Network Security

Routing to remote site through VPN

nwdls8725 — Tue, 12 Mar 2019 07:55:34 GMT

I set up a Site to Site VPN and everything is working fine where, I can access resources from both locations. However, when I connect to the VPN with cisco any connect client I can only access the resources on the 192.168.120.x subnet and not the remote's site subnet of 192.168.128.x. Any help on this would be greatly appreciated!

This is the run file of the VPN router at the main location

Result of the command: "show run"

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name nwdls.com
enable password qpQ5myeZ6SQpH8vX encrypted
passwd HUeZALO3Fgqs0XMf encrypted
names
name 192.168.120.30 dvr
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 15
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.120.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 96.85.6.217 255.255.255.248
ospf cost 10
!
interface Vlan5
nameif dmz
security-level 50
ip address 192.168.121.1 255.255.255.0
ospf cost 10
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 192.168.120.25
name-server 75.75.75.75
name-server 75.75.75.76
domain-name nwdls.com
object network obj-192.168.120.248
subnet 192.168.120.248 255.255.255.248
object network obj-192.168.120.245
host 192.168.120.245
object network obj-192.168.120.0
subnet 192.168.120.0 255.255.255.128
object network obj-192.168.120.233
host 192.168.120.233
object network obj-192.168.120.233-01
host 192.168.120.233
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.121.2
host 192.168.121.2
object network obj-192.168.121.2-01
host 192.168.121.2
object network obj-192.168.121.2-02
host 192.168.121.2
object network NETWORK_OBJ_192.168.120.248_29
subnet 192.168.120.248 255.255.255.248
object network nwdls-dc
host 192.168.120.25
description Windows Server 2008 RC2
object network DVR
host 192.168.120.30
object service IPCAMS
service tcp source eq 5550 destination eq 5550
object network newfirewall
host 192.168.120.108
object service ssh
service tcp source eq ssh destination eq ssh
description ssh
object network john
host 71.11.173.163
object network SVN-HTTP-INTERNET
host 192.168.120.25
description access to svn on nwdls-dc
object network JOSHUA9-PORT
host 192.168.120.209
object network JOSHUA2-PORT
host 192.168.120.202
object network DVR-PORT
object network DVR-PORT2
object network obj-pool
subnet 192.168.120.240 255.255.255.240
object network NVR
host 192.168.120.30
description NVR
object network NVR1
host 192.168.120.30
object network NVR2
host 192.168.120.30
object network NVR3
host 192.168.120.30
object network NVR4
host 192.168.120.30
object network NVR5
host 192.168.120.30
object network NVR6
host 192.168.120.30
description NVR6
object service Field
service tcp destination eq www
object service Field2
service tcp destination eq https
object network WebserverPublic
host 207.70.142.9
object network Webserver
host 207.70.142.9
object network WEb
host 192.168.120.25
object network NETWORK_OBJ_192.168.120.0_24
subnet 192.168.120.0 255.255.255.0
object network NETWORK_OBJ_192.168.120.240_28
subnet 192.168.120.240 255.255.255.240
object network Remote-Site-Firewall
host 96.91.46.9
object network Remote-Site-Subnet
subnet 192.168.128.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service dvr-http tcp
port-object eq 10554
port-object eq 8000
object-group service dvr-remote tcp
port-object eq 5550
object-group service IPCAM tcp-udp
port-object eq 5550
object-group service svn-http tcp
description SVN Server access
port-object eq 8080
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
group-object svn-http
object-group service DM_INLINE_TCP_3 tcp
group-object svn-http
port-object eq www
port-object eq https
object-group service NVRPORTS tcp
description NVRPORTS
port-object eq 10554
port-object eq 8000
port-object eq rtsp
object-group service field tcp
port-object eq 10443
port-object eq 8180
object-group service DM_INLINE_TCP_2 tcp
port-object eq 8080
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq 8080
port-object eq 9150
access-list nwdls_splitTunnelAcl standard permit 192.168.120.0 255.255.255.0
access-list wendy_acl standard permit 192.168.120.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 192.168.120.30
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 554
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 10554
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 8000
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq rtsp
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 10554
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 8000
access-list outside_access_in extended permit tcp any host 192.168.120.202 eq ftp-data
access-list outside_access_in extended permit tcp any host 192.168.120.202 eq ftp
access-list outside_access_in extended permit tcp any host 207.70.142.9 eq www
access-list outside_access_in extended permit udp any host 192.168.120.233 range 10001 19999
access-list outside_access_in remark Whitney
access-list outside_access_in extended permit udp host 99.16.64.231 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.225.202 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 4.79.212.236 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.224.203 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.224.202 host 192.168.120.233 eq sip
access-list outside_access_in extended permit 21 any host 192.168.121.2
access-list outside_access_in extended permit icmp any host 207.70.142.9
access-list outside_access_in extended permit icmp any host 207.70.142.10 inactive
access-list outside_access_in extended permit tcp any host 192.168.121.2 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object-group TCPUDP any host 192.168.120.30 object-group IPCAM
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any host 192.168.120.25 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any interface outside eq 9150
access-list outside_access_in remark node access
access-list outside_access_in extended permit tcp any host 192.168.120.209 eq 9150
access-list outside_access_in extended permit tcp any host 192.168.120.209 eq 9418
access-list outside_access_in extended permit tcp any interface outside object-group dvr-http
access-list outside_access_in extended permit tcp any object DVR object-group dvr-http
access-list outside_access_in extended permit tcp any object-group NVRPORTS any object-group NVRPORTS
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 10080
access-list outside_access_in extended permit tcp any host 207.70.142.9 eq https
access-list outside_access_in extended permit tcp any host 192.168.120.25 eq https
access-list outside_access_in extended permit icmp any host 96.85.6.217
access-list inside_access_in extended permit ip 192.168.120.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 192.168.120.0 255.255.255.0 any
access-list inside_access_out extended permit ip any any
access-list dmz_access_in extended permit tcp any host 192.168.121.2 object-group DM_INLINE_TCP_3
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list Comcast-Outside_access_in extended permit ip any any
access-list EasyVPN_splitTunnelAcl standard permit 192.168.120.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.120.0 255.255.255.0 object Remote-Site-Subnet
pager lines 45
logging enable
logging timestamp
logging asdm-buffer-size 512
logging trap debugging
logging asdm debugging
logging mail critical
logging from-address ciscoasa@nwdls.com
logging host inside 192.168.120.203
logging class auth trap debugging asdm debugging
logging class session trap errors
logging class vpn trap debugging asdm debugging
logging class vpnc trap debugging
logging class vpnfo trap debugging
logging class webvpn trap debugging
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool2 192.168.120.249-192.168.120.254 mask 255.255.255.0
ip local pool vpnpool3 192.168.120.241-192.168.120.248 mask 255.255.255.0
ip verify reverse-path interface outside
ipv6 access-list dmz_access_ipv6_in deny ip any any
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static obj-pool obj-pool no-proxy-arp route-lookup
nat (inside,any) source static any any destination static obj-192.168.120.248 obj-192.168.120.248 no-proxy-arp
nat (inside,any) source static any any destination static obj-192.168.120.245 obj-192.168.120.245 no-proxy-arp
nat (outside,inside) source static any any destination static interface DVR service IPCAMS IPCAMS
nat (inside,outside) source static NETWORK_OBJ_192.168.120.0_24 NETWORK_OBJ_192.168.120.0_24 destination static NETWORK_OBJ_192.168.120.240_28 NETWORK_OBJ_192.168.120.240_28 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.120.0_24 NETWORK_OBJ_192.168.120.0_24 destination static Remote-Site-Subnet Remote-Site-Subnet no-proxy-arp route-lookup
!
object network obj-192.168.120.0
nat (inside,dmz) static 192.168.120.0
object network obj-192.168.120.233
nat (inside,outside) static 96.85.6.218
object network obj-192.168.120.233-01
nat (inside,outside) dynamic 96.85.6.218
object network obj-192.168.121.2
nat (dmz,outside) static interface service tcp www www
object network obj-192.168.121.2-01
nat (dmz,outside) static interface service tcp ssh ssh
object network obj-192.168.121.2-02
nat (dmz,outside) dynamic interface
object network nwdls-dc
nat (inside,outside) static interface service tcp https https
object network JOSHUA9-PORT
nat (inside,outside) static interface service tcp 9150 9150
object network JOSHUA2-PORT
nat (inside,outside) static interface service tcp ftp-data ftp-data
object network NVR
nat (inside,outside) static interface service tcp 8000 8000
object network NVR1
nat (inside,outside) static interface service tcp 10554 10554
object network NVR2
nat (inside,outside) static interface service tcp rtsp rtsp
object network NVR3
nat (inside,outside) static interface service udp 8000 8000
object network NVR4
nat (inside,outside) static interface service udp 10554 10554
object network NVR5
nat (inside,outside) static interface service udp 554 554
object network NVR6
nat (inside,outside) static interface service tcp 10080 10080
!
nat (inside,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_ipv6_in in interface dmz
route outside 0.0.0.0 0.0.0.0 96.85.6.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable 8080
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 96.91.46.9
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 8080
crypto ikev2 enable outside client-services port 8080
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 192.168.120.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside

dhcpd dns 192.168.120.25 208.67.222.222
dhcpd wins 192.168.120.25
dhcpd lease 86400
dhcpd domain nwdls.com
dhcpd auto_config inside
dhcpd update dns
dhcpd option 3 ip 192.168.120.1
dhcpd option 66 ip 192.168.120.233
!
dhcpd address 192.168.120.50-192.168.120.119 inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 66.187.233.4 source outside prefer
webvpn
port 8080
enable outside
dtls port 8080
anyconnect image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.3054-k9.pkg 2
anyconnect profiles nwdls1 disk0:/nwdls1.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.120.25
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nwdls_splitTunnelAcl
group-policy EasyVPN internal
group-policy EasyVPN attributes
wins-server value 192.168.120.25
dns-server value 192.168.120.25 75.75.75.75
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EasyVPN_splitTunnelAcl
default-domain value nwdls.com
group-policy GroupPolicy_96.91.46.9 internal
group-policy GroupPolicy_96.91.46.9 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_Nwdlsx64 internal
group-policy GroupPolicy_Nwdlsx64 attributes
wins-server value 192.168.120.25
dns-server value 192.168.120.25
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
default-domain value nwdls.com
webvpn
anyconnect profiles value nwdls1 type user
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy nwdlsgroup internal
group-policy nwdlsgroup attributes
wins-server none
dns-server value 192.168.120.25
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
default-domain value nwdls.com
webvpn
url-list none
anyconnect ask enable default webvpn
group-policy nwdls internal
group-policy nwdls attributes
wins-server value 192.168.120.25
dns-server value 192.168.120.25
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
password-storage enable
ipsec-udp enable
default-domain value nwdls.com
username deena password 1jZizDREl2QRiv7H encrypted
username deena attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username Test password tEw.zBkWtr5cfsmI encrypted privilege 15
username derek password 3TzysbBXovQgzpHA encrypted
username derek attributes
vpn-group-policy nwdls
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username monica password Vl3AxqOzs1FaYFP1 encrypted
username monica attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username jill password IsB48p5obkwE/dw9 encrypted
username jimhorne password /74Kfw0gqsPfF82T encrypted
username jimhorne attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
username pete password RGOM9U0/BK5awC8Z encrypted
username pete attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
username admin password sM/cvVSkWC3aa0kQ encrypted privilege 15
username john password .Ay30EFU56VufM4C encrypted
username john attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username john2 password .Ay30EFU56VufM4C encrypted
username john2 attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage disable
username remotesite1 password 0quAjW6jr7HJmZTS encrypted privilege 0
username remotesite1 attributes
vpn-group-policy EasyVPN
username simply password Lf/AtECdBHaWjnY6 encrypted
username simply attributes
vpn-group-policy GroupPolicy_Nwdlsx64
memberof nwdls
username cisco password 3USUcOPFUiMCO4Jk encrypted
username simply2 password M7ISu.T1R2QrDasU encrypted
username simply2 attributes
vpn-group-policy GroupPolicy_Nwdlsx64
username matt password Mv7Iy4C7Z4wN9kXv encrypted
username matt attributes
vpn-group-policy nwdls
username matthews password X4kBHeuSkWam3waC encrypted
username matthews attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
username theran password CW2R4MKStb7xJwgZ encrypted
username theran attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
username root password Lm6zFIw1OvIlLNqp encrypted
username willie password i9HtXKw/5SwL8PXt encrypted
username whitney password bWAWSJFGmo8Y59O4 encrypted
username whitney attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username whitney2 password bWAWSJFGmo8Y59O4 encrypted
username whitney2 attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
tunnel-group nwdlsvpn type remote-access
tunnel-group nwdlsvpn general-attributes
address-pool vpnpool2
default-group-policy nwdlsgroup
tunnel-group nwdls type remote-access
tunnel-group nwdls general-attributes
address-pool vpnpool3
default-group-policy nwdls
tunnel-group nwdls ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group nwdls ppp-attributes
authentication ms-chap-v2
tunnel-group Nwdlsx64 type remote-access
tunnel-group Nwdlsx64 general-attributes
address-pool vpnpool3
default-group-policy GroupPolicy_Nwdlsx64
tunnel-group Nwdlsx64 webvpn-attributes
group-alias Nwdlsx64 enable
tunnel-group nvpn type remote-access
tunnel-group nvpn general-attributes
authentication-server-group (outside) LOCAL
authorization-server-group (outside) LOCAL
tunnel-group nvpn ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group nvpn ppp-attributes
authentication ms-chap-v2
tunnel-group EasyVPN type remote-access
tunnel-group EasyVPN general-attributes
address-pool vpnpool3
default-group-policy EasyVPN
tunnel-group EasyVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 96.91.46.9 type ipsec-l2l
tunnel-group 96.91.46.9 general-attributes
default-group-policy GroupPolicy_96.91.46.9
tunnel-group 96.91.46.9 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:17fc5d963ace89c9be02359f7988bb09
: end

Hi,

Aditya Ganjoo — Tue, 21 Jun 2016 15:47:50 GMT

Hi,

I do not see 192.168.128.x subnet a part of the split tunnel ACL.

Could you please add it to the split tunnel ACL and test again with the Anyconnect client ?

Make sure you logoff from the client and relogin to the client after making this change.,

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Thank you for your help!

nwdls8725 — Tue, 21 Jun 2016 17:07:22 GMT

Thank you for your help!

I added a split-tunnel-list acl and applied it to the groupolicy NWdlsx64 and i'm still unable to get to the remote network? Did I implement it incorrectly?

Result of the command: "show run"

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name nwdls.com
enable password qpQ5myeZ6SQpH8vX encrypted
passwd HUeZALO3Fgqs0XMf encrypted
names
name 192.168.120.30 dvr
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 15
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.120.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 96.85.6.217 255.255.255.248
ospf cost 10
!
interface Vlan5
nameif dmz
security-level 50
ip address 192.168.121.1 255.255.255.0
ospf cost 10
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 192.168.120.25
name-server 75.75.75.75
name-server 75.75.75.76
domain-name nwdls.com
object network obj-192.168.120.248
subnet 192.168.120.248 255.255.255.248
object network obj-192.168.120.245
host 192.168.120.245
object network obj-192.168.120.0
subnet 192.168.120.0 255.255.255.128
object network obj-192.168.120.233
host 192.168.120.233
object network obj-192.168.120.233-01
host 192.168.120.233
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.121.2
host 192.168.121.2
object network obj-192.168.121.2-01
host 192.168.121.2
object network obj-192.168.121.2-02
host 192.168.121.2
object network NETWORK_OBJ_192.168.120.248_29
subnet 192.168.120.248 255.255.255.248
object network nwdls-dc
host 192.168.120.25
description Windows Server 2008 RC2
object network DVR
host 192.168.120.30
object service IPCAMS
service tcp source eq 5550 destination eq 5550
object network newfirewall
host 192.168.120.108
object service ssh
service tcp source eq ssh destination eq ssh
description ssh
object network john
host 71.11.173.163
object network SVN-HTTP-INTERNET
host 192.168.120.25
description access to svn on nwdls-dc
object network JOSHUA9-PORT
host 192.168.120.209
object network JOSHUA2-PORT
host 192.168.120.202
object network DVR-PORT
object network DVR-PORT2
object network obj-pool
subnet 192.168.120.240 255.255.255.240
object network NVR
host 192.168.120.30
description NVR
object network NVR1
host 192.168.120.30
object network NVR2
host 192.168.120.30
object network NVR3
host 192.168.120.30
object network NVR4
host 192.168.120.30
object network NVR5
host 192.168.120.30
object network NVR6
host 192.168.120.30
description NVR6
object service Field
service tcp destination eq www
object service Field2
service tcp destination eq https
object network WebserverPublic
host 207.70.142.9
object network Webserver
host 207.70.142.9
object network WEb
host 192.168.120.25
object network NETWORK_OBJ_192.168.120.0_24
subnet 192.168.120.0 255.255.255.0
object network NETWORK_OBJ_192.168.120.240_28
subnet 192.168.120.240 255.255.255.240
object network Remote-Site-Firewall
host 96.91.46.9
object network Remote-Site-Subnet
subnet 192.168.128.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service dvr-http tcp
port-object eq 10554
port-object eq 8000
object-group service dvr-remote tcp
port-object eq 5550
object-group service IPCAM tcp-udp
port-object eq 5550
object-group service svn-http tcp
description SVN Server access
port-object eq 8080
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
group-object svn-http
object-group service DM_INLINE_TCP_3 tcp
group-object svn-http
port-object eq www
port-object eq https
object-group service NVRPORTS tcp
description NVRPORTS
port-object eq 10554
port-object eq 8000
port-object eq rtsp
object-group service field tcp
port-object eq 10443
port-object eq 8180
object-group service DM_INLINE_TCP_2 tcp
port-object eq 8080
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq 8080
port-object eq 9150
access-list nwdls_splitTunnelAcl standard permit 192.168.120.0 255.255.255.0
access-list wendy_acl standard permit 192.168.120.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 192.168.120.30
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 554
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 10554
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 8000
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq rtsp
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 10554
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 8000
access-list outside_access_in extended permit tcp any host 192.168.120.202 eq ftp-data
access-list outside_access_in extended permit tcp any host 192.168.120.202 eq ftp
access-list outside_access_in extended permit tcp any host 207.70.142.9 eq www
access-list outside_access_in extended permit udp any host 192.168.120.233 range 10001 19999
access-list outside_access_in remark Whitney
access-list outside_access_in extended permit udp host 99.16.64.231 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.225.202 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 4.79.212.236 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.224.203 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.224.202 host 192.168.120.233 eq sip
access-list outside_access_in extended permit 21 any host 192.168.121.2
access-list outside_access_in extended permit icmp any host 207.70.142.9
access-list outside_access_in extended permit icmp any host 207.70.142.10 inactive
access-list outside_access_in extended permit tcp any host 192.168.121.2 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object-group TCPUDP any host 192.168.120.30 object-group IPCAM
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any host 192.168.120.25 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any interface outside eq 9150
access-list outside_access_in remark node access
access-list outside_access_in extended permit tcp any host 192.168.120.209 eq 9150
access-list outside_access_in extended permit tcp any host 192.168.120.209 eq 9418
access-list outside_access_in extended permit tcp any interface outside object-group dvr-http
access-list outside_access_in extended permit tcp any object DVR object-group dvr-http
access-list outside_access_in extended permit tcp any object-group NVRPORTS any object-group NVRPORTS
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 10080
access-list outside_access_in extended permit tcp any host 207.70.142.9 eq https
access-list outside_access_in extended permit tcp any host 192.168.120.25 eq https
access-list outside_access_in extended permit icmp any host 96.85.6.217
access-list inside_access_in extended permit ip 192.168.120.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 192.168.120.0 255.255.255.0 any
access-list inside_access_out extended permit ip any any
access-list dmz_access_in extended permit tcp any host 192.168.121.2 object-group DM_INLINE_TCP_3
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list Comcast-Outside_access_in extended permit ip any any
access-list EasyVPN_splitTunnelAcl standard permit 192.168.120.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.120.0 255.255.255.0 object Remote-Site-Subnet
access-list Split_Tunnel_List standard permit 192.168.128.0 255.255.255.0
pager lines 45
logging enable
logging timestamp
logging asdm-buffer-size 512
logging trap debugging
logging asdm debugging
logging mail critical
logging from-address ciscoasa@nwdls.com
logging host inside 192.168.120.203
logging class auth trap debugging asdm debugging
logging class session trap errors
logging class vpn trap debugging asdm debugging
logging class vpnc trap debugging
logging class vpnfo trap debugging
logging class webvpn trap debugging
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool2 192.168.120.249-192.168.120.254 mask 255.255.255.0
ip local pool vpnpool3 192.168.120.241-192.168.120.248 mask 255.255.255.0
ip verify reverse-path interface outside
ipv6 access-list dmz_access_ipv6_in deny ip any any
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static obj-pool obj-pool no-proxy-arp route-lookup
nat (inside,any) source static any any destination static obj-192.168.120.248 obj-192.168.120.248 no-proxy-arp
nat (inside,any) source static any any destination static obj-192.168.120.245 obj-192.168.120.245 no-proxy-arp
nat (outside,inside) source static any any destination static interface DVR service IPCAMS IPCAMS
nat (inside,outside) source static NETWORK_OBJ_192.168.120.0_24 NETWORK_OBJ_192.168.120.0_24 destination static NETWORK_OBJ_192.168.120.240_28 NETWORK_OBJ_192.168.120.240_28 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.120.0_24 NETWORK_OBJ_192.168.120.0_24 destination static Remote-Site-Subnet Remote-Site-Subnet no-proxy-arp route-lookup
!
object network obj-192.168.120.0
nat (inside,dmz) static 192.168.120.0
object network obj-192.168.120.233
nat (inside,outside) static 96.85.6.218
object network obj-192.168.120.233-01
nat (inside,outside) dynamic 96.85.6.218
object network obj-192.168.121.2
nat (dmz,outside) static interface service tcp www www
object network obj-192.168.121.2-01
nat (dmz,outside) static interface service tcp ssh ssh
object network obj-192.168.121.2-02
nat (dmz,outside) dynamic interface
object network nwdls-dc
nat (inside,outside) static interface service tcp https https
object network JOSHUA9-PORT
nat (inside,outside) static interface service tcp 9150 9150
object network JOSHUA2-PORT
nat (inside,outside) static interface service tcp ftp-data ftp-data
object network NVR
nat (inside,outside) static interface service tcp 8000 8000
object network NVR1
nat (inside,outside) static interface service tcp 10554 10554
object network NVR2
nat (inside,outside) static interface service tcp rtsp rtsp
object network NVR3
nat (inside,outside) static interface service udp 8000 8000
object network NVR4
nat (inside,outside) static interface service udp 10554 10554
object network NVR5
nat (inside,outside) static interface service udp 554 554
object network NVR6
nat (inside,outside) static interface service tcp 10080 10080
!
nat (inside,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_ipv6_in in interface dmz
route outside 0.0.0.0 0.0.0.0 96.85.6.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable 8080
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 96.91.46.9
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 8080
crypto ikev2 enable outside client-services port 8080
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 192.168.120.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside

dhcpd dns 192.168.120.25 208.67.222.222
dhcpd wins 192.168.120.25
dhcpd lease 86400
dhcpd domain nwdls.com
dhcpd auto_config inside
dhcpd update dns
dhcpd option 3 ip 192.168.120.1
dhcpd option 66 ip 192.168.120.233
!
dhcpd address 192.168.120.50-192.168.120.119 inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 66.187.233.4 source outside prefer
webvpn
port 8080
enable outside
dtls port 8080
anyconnect image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.3054-k9.pkg 2
anyconnect profiles nwdls1 disk0:/nwdls1.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.120.25
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nwdls_splitTunnelAcl
group-policy EasyVPN internal
group-policy EasyVPN attributes
wins-server value 192.168.120.25
dns-server value 192.168.120.25 75.75.75.75
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EasyVPN_splitTunnelAcl
default-domain value nwdls.com
group-policy GroupPolicy_96.91.46.9 internal
group-policy GroupPolicy_96.91.46.9 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_Nwdlsx64 internal
group-policy GroupPolicy_Nwdlsx64 attributes
wins-server value 192.168.120.25
dns-server value 192.168.120.25
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value nwdls.com
webvpn
anyconnect profiles value nwdls1 type user
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy nwdlsgroup internal
group-policy nwdlsgroup attributes
wins-server none
dns-server value 192.168.120.25
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
default-domain value nwdls.com
webvpn
url-list none
anyconnect ask enable default webvpn
group-policy nwdls internal
group-policy nwdls attributes
wins-server value 192.168.120.25
dns-server value 192.168.120.25
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
password-storage enable
ipsec-udp enable
default-domain value nwdls.com
username deena password 1jZizDREl2QRiv7H encrypted
username deena attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username Test password tEw.zBkWtr5cfsmI encrypted privilege 15
username derek password 3TzysbBXovQgzpHA encrypted
username derek attributes
vpn-group-policy nwdls
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username monica password Vl3AxqOzs1FaYFP1 encrypted
username monica attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username jill password IsB48p5obkwE/dw9 encrypted
username jimhorne password /74Kfw0gqsPfF82T encrypted
username jimhorne attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
username pete password RGOM9U0/BK5awC8Z encrypted
username pete attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
username admin password sM/cvVSkWC3aa0kQ encrypted privilege 15
username john password .Ay30EFU56VufM4C encrypted
username john attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username john2 password .Ay30EFU56VufM4C encrypted
username john2 attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage disable
username remotesite1 password 0quAjW6jr7HJmZTS encrypted privilege 0
username remotesite1 attributes
vpn-group-policy EasyVPN
username simply password Lf/AtECdBHaWjnY6 encrypted
username simply attributes
vpn-group-policy GroupPolicy_Nwdlsx64
memberof nwdls
username cisco password 3USUcOPFUiMCO4Jk encrypted
username simply2 password M7ISu.T1R2QrDasU encrypted
username simply2 attributes
vpn-group-policy GroupPolicy_Nwdlsx64
username matt password Mv7Iy4C7Z4wN9kXv encrypted
username matt attributes
vpn-group-policy nwdls
username matthews password X4kBHeuSkWam3waC encrypted
username matthews attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
username theran password CW2R4MKStb7xJwgZ encrypted
username theran attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
username root password Lm6zFIw1OvIlLNqp encrypted
username willie password i9HtXKw/5SwL8PXt encrypted
username whitney password bWAWSJFGmo8Y59O4 encrypted
username whitney attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username whitney2 password bWAWSJFGmo8Y59O4 encrypted
username whitney2 attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
tunnel-group nwdlsvpn type remote-access
tunnel-group nwdlsvpn general-attributes
address-pool vpnpool2
default-group-policy nwdlsgroup
tunnel-group nwdls type remote-access
tunnel-group nwdls general-attributes
address-pool vpnpool3
default-group-policy nwdls
tunnel-group nwdls ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group nwdls ppp-attributes
authentication ms-chap-v2
tunnel-group Nwdlsx64 type remote-access
tunnel-group Nwdlsx64 general-attributes
address-pool vpnpool3
default-group-policy GroupPolicy_Nwdlsx64
tunnel-group Nwdlsx64 webvpn-attributes
group-alias Nwdlsx64 enable
tunnel-group nvpn type remote-access
tunnel-group nvpn general-attributes
authentication-server-group (outside) LOCAL
authorization-server-group (outside) LOCAL
tunnel-group nvpn ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group nvpn ppp-attributes
authentication ms-chap-v2
tunnel-group EasyVPN type remote-access
tunnel-group EasyVPN general-attributes
address-pool vpnpool3
default-group-policy EasyVPN
tunnel-group EasyVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 96.91.46.9 type ipsec-l2l
tunnel-group 96.91.46.9 general-attributes
default-group-policy GroupPolicy_96.91.46.9
tunnel-group 96.91.46.9 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:81ca3c881d365a36e418741578ab9dfb
: end

Hi,

Aditya Ganjoo — Tue, 21 Jun 2016 17:37:08 GMT

Hi,

Please check this link for doing this configuration:

https://supportforums.cisco.com/discussion/10914361/anyconnect-client-site-site-destination

This would help you to perform the same configuration.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi,

adam kalabadzi — Tue, 21 Jun 2016 22:53:32 GMT

Hi,

from the configuration i do see that your problem caused by split tunnel specified on the group policy.

group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nwdls_splitTunnelAcl

as your acl only allow you to subnet 192.168.120.0/24, so you will not be able to access another subnet through your vpn tunnel. All you need is add new entry on your acl for subnet 192.168.128.x

access-list nwdls_splitTunnelAcl standard permit 192.168.128.0 255.255.255.0

for detail about split tunnel, pls check on this http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_groups.html

Cheers,

Please rate helpful posts and mark correct answers.

Thank you Adam, I forgot it

nwdls8725 — Wed, 22 Jun 2016 13:27:57 GMT

Thank you Adam, I forgot it was inheriting from that default group policy. I added in the remote subnet to the nwdls_splitTunnelAcl and I still am unable to access the remote subnet? Anything else I might want to look at?

ciscoasa# show run access-list
access-list nwdls_splitTunnelAcl standard permit 192.168.120.0 255.255.255.0
access-list nwdls_splitTunnelAcl remark Remote Site
access-list nwdls_splitTunnelAcl standard permit 192.168.128.0 255.255.255.0
access-list wendy_acl standard permit 192.168.120.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 192.168.120.30
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 554
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 10554
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 8000
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq rtsp
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 10554
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 8000
access-list outside_access_in extended permit tcp any host 192.168.120.202 eq ftp-data
access-list outside_access_in extended permit tcp any host 192.168.120.202 eq ftp
access-list outside_access_in extended permit tcp any host 207.70.142.9 eq www
access-list outside_access_in extended permit udp any host 192.168.120.233 range 10001 19999
access-list outside_access_in remark Whitney
access-list outside_access_in extended permit udp host 99.16.64.231 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.225.202 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 4.79.212.236 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.224.203 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.224.202 host 192.168.120.233 eq sip
access-list outside_access_in extended permit 21 any host 192.168.121.2
access-list outside_access_in extended permit icmp any host 207.70.142.9
access-list outside_access_in extended permit icmp any host 207.70.142.10 inactive
access-list outside_access_in extended permit tcp any host 192.168.121.2 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object-group TCPUDP any host 192.168.120.30 object-group IPCAM
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any host 192.168.120.25 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any interface outside eq 9150
access-list outside_access_in remark node access
access-list outside_access_in extended permit tcp any host 192.168.120.209 eq 9150
access-list outside_access_in extended permit tcp any host 192.168.120.209 eq 9418
access-list outside_access_in extended permit tcp any interface outside object-group dvr-http
access-list outside_access_in extended permit tcp any object DVR object-group dvr-http
access-list outside_access_in extended permit tcp any object-group NVRPORTS any object-group NVRPORTS
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 10080
access-list outside_access_in extended permit tcp any host 207.70.142.9 eq https
access-list outside_access_in extended permit tcp any host 192.168.120.25 eq https
access-list outside_access_in extended permit icmp any host 96.85.6.217
access-list inside_access_in extended permit ip 192.168.120.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 192.168.120.0 255.255.255.0 any
access-list inside_access_out extended permit ip any any
access-list dmz_access_in extended permit tcp any host 192.168.121.2 object-group DM_INLINE_TCP_3
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list Comcast-Outside_access_in extended permit ip any any
access-list EasyVPN_splitTunnelAcl standard permit 192.168.120.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.120.0 255.255.255.0 object Remote-Site-Subnet
access-list Split_Tunnel_List standard permit 192.168.128.0 255.255.255.0