Not able to access Internet or Internal network via SSL AnyConnect

Robert Hefner — Tue, 12 Mar 2019 03:40:23 GMT

After connecting succesfully with Cisco AnyConnect version 3.0.05152 I am unable to access internal resources. Below is the configuration of the ASA.

Any input on the below would be appreciated

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.02.04 16:15:58 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
:
ASA Version 9.1(4)
!
hostname ASA
domain-name hb.local
enable password pEuUQweb2zEldXkE encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd pEuUQweb2zEldXkE encrypted
names
ip local pool Remote_VPN_DHCP_Pool 172.16.253.100-172.16.253.150 mask 255.255.255.0
!
interface Ethernet0/0
description *** Internet ***
nameif publicWAN
security-level 0
ip address X.X.X.X X.X.X.X.
!
interface Ethernet0/1
description *** Guest Wireless Network ***
nameif guest
security-level 50
ip address 10.0.254.1 255.255.255.0
!
interface Ethernet0/2
description *** Uplink to Branches ***
nameif Branches
security-level 100
ip address 192.168.254.1 255.255.255.0
!
interface Ethernet0/3
description *** Uplink to JHA ***
nameif JHA
security-level 0
ip address 10.0.8.1 255.255.255.0
!
interface Management0/0
description *** Managemnet Interface - NOT USED ***
management-only
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup publicWAN
dns domain-lookup guest
dns domain-lookup Branches
dns domain-lookup JHA
dns server-group DefaultDNS
name-server 172.16.1.2
domain-name hb.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-10.0.0.0
subnet 10.0.0.0 255.255.255.0
object network obj_guest
subnet 10.0.254.0 255.255.255.0
object network obj-172.16.1.0
subnet 172.16.1.0 255.255.255.0
object network obj-172.16.1.5
host 172.16.1.5
object network obj-172.16.1.5-01
host 172.16.1.5
access-list Branches extended permit icmp any4 any4
access-list Branches extended permit ip any4 any4
access-list JHA extended permit ip any4 any4
access-list JHA extended permit icmp any4 any4
access-list guest extended deny ip any4 10.0.1.0 255.255.255.0
access-list guest extended deny ip any4 10.0.2.0 255.255.255.0
access-list guest extended deny ip any4 10.0.3.0 255.255.255.0
access-list guest extended deny ip any4 10.0.4.0 255.255.255.0
access-list guest extended deny ip any4 10.0.5.0 255.255.255.0
access-list guest extended deny ip any4 10.0.6.0 255.255.255.0
access-list guest extended deny ip any4 10.0.7.0 255.255.255.0
access-list guest extended deny ip any4 10.0.8.0 255.255.255.0
access-list guest extended deny ip any4 10.0.9.0 255.255.255.0
access-list guest extended deny ip any4 10.0.10.0 255.255.255.0
access-list guest extended deny ip any4 172.16.0.0 255.255.0.0
access-list guest extended permit ip any4 any4
access-list guest extended permit icmp any4 any4
access-list traffic_send_ips_module extended permit ip any4 any4
access-list outside extended permit tcp any4 host 172.16.1.5 eq https
access-list outside extended permit tcp X.X.X.X 255.255.255.0 host 172.16.1.5 eq smtp
access-list outside extended permit tcp X.X.X.X. 255.255.255.0 host 172.16.1.5 eq smtp
access-list outside extended deny ip any4 any4 log interval 30
pager lines 50
logging enable
logging timestamp
logging monitor warnings

logging buffered informational
logging trap warnings
logging asdm informational
logging queue 2048
logging device-id hostname
logging host Branches 172.16.1.80
flow-export destination Branches 172.16.1.80 2055
flow-export template timeout-rate 15
mtu publicWAN 1500
mtu guest 1500
mtu Branches 1500
mtu JHA 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any publicWAN
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,publicWAN) dynamic interface
object network obj-10.0.0.0
nat (Branches,JHA) static 10.0.0.0
object network obj_guest
nat (guest,publicWAN) dynamic interface
object network obj-172.16.1.0
nat (Branches,JHA) static 172.16.1.0
object network obj-172.16.1.5
nat (Branches,publicWAN) static interface service tcp smtp smtp
object network obj-172.16.1.5-01
nat (Branches,publicWAN) static interface service tcp https https
access-group outside in interface publicWAN
access-group guest in interface guest
access-group Branches in interface Branches
access-group JHA in interface JHA
route publicWAN 0.0.0.0 0.0.0.0 X.X.X.X. 1
route Branches 10.0.0.0 255.255.0.0 192.168.254.2 1
route Branches 10.0.5.0 255.255.255.0 192.168.254.2 1
route Branches 10.28.11.0 255.255.255.0 192.168.254.2 1
route Branches 10.55.4.0 255.255.255.0 192.168.254.2 1
route Branches 10.55.6.0 255.255.255.0 192.168.254.2 1
route Branches 10.57.4.0 255.255.255.0 192.168.254.2 1
route Branches 10.57.6.0 255.255.255.0 192.168.254.2 1
route Branches 10.71.4.0 255.255.255.0 192.168.254.2 1
route Branches 10.71.6.0 255.255.255.0 192.168.254.2 1
route JHA 10.150.0.0 255.255.0.0 10.0.8.254 1
route JHA 10.251.4.0 255.255.255.0 10.0.8.254 1
route Branches 172.16.0.0 255.255.0.0 192.168.254.2 1
route Branches 172.28.0.0 255.255.0.0 192.168.254.2 1

route Branches 172.28.250.0 255.255.255.0 192.168.254.2 1
route Branches 192.9.200.0 255.255.255.0 192.168.254.2 1
route Branches 192.9.201.0 255.255.255.0 192.168.254.2 1
route Branches 192.9.220.0 255.255.255.0 192.168.254.2 1
route Branches 200.0.0.0 255.255.0.0 192.168.254.2 1
route Branches 200.0.11.0 255.255.255.0 192.168.254.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
always-on-vpn profile-setting
aaa-server HB_LDAP_Group protocol ldap
aaa-server HB_LDAP_Group (Branches) host 172.16.1.2
server-port 636
ldap-base-dn CN=VPN LDAP,OU=HB Users,DC=hb,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn VPN LDAP
ldap-over-ssl enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 Branches
http 172.16.0.0 255.255.0.0 Branches
snmp-server host Branches 172.16.1.80 community *****
snmp-server location Seagoville
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
sysopt connection timewait
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 publicWAN
ssh 10.0.0.0 255.255.0.0 Branches
ssh 172.16.0.0 255.255.0.0 Branches
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd domain hb.local
!
dhcpd address 10.0.254.100-10.0.254.200 guest
dhcpd dns 12.127.17.72 12.127.17.73 interface guest
dhcpd enable guest
!
threat-detection rate acl-drop rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28 source publicWAN
webvpn
port 4443
enable publicWAN
enable Branches
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 172.16.1.2
vpn-tunnel-protocol ikev2 ssl-client
default-domain value hb.local
split-tunnel-all-dns enable
username HBAdmin password azFWMwV/tQh/YjoW encrypted
tunnel-group Remote_VPN_Users type remote-access
tunnel-group Remote_VPN_Users general-attributes
address-pool Remote_VPN_DHCP_Pool
authentication-server-group HB_LDAP_Group LOCAL
default-group-policy GroupPolicy1
dhcp-server 172.16.1.2
tunnel-group Remote_VPN_Users webvpn-attributes
group-alias RemoteVPNUsers enable
!
class-map inspection_default
match default-inspection-traffic
class-map ips_module_class_map
match access-list traffic_send_ips_module
!
!

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect icmp
inspect ip-options
class ips_module_class_map
ips inline fail-open
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1c38a95ce10dab97ac6ad2e99823f5a2
: end

ASA# exit

Logoff

Not able to access Internet or Internal network via SSL AnyConne

Marius Gunnerud — Mon, 10 Feb 2014 14:09:52 GMT

Looks like you are missing the nonat statement. Try adding the following and test (adjust the source subnet to match your needs)

object network VPN_range

range 172.16.253.100 172.16.253

nat (Branches,publicWAN) source static obj-10.0.0.0 obj-10.0.0.0 destination static VPN_range VPN_range

--
Please remember to rate and select a correct answer

Not able to access Internet or Internal network via SSL AnyConne

Marius Gunnerud — Mon, 10 Feb 2014 14:10:28 GMT

Also depending on your requirements you may want to configure split tunneling.

--
Please remember to rate and select a correct answer

topic Not able to access Internet or Internal network via SSL AnyConne in Network Security

Not able to access Internet or Internal network via SSL AnyConnect

Not able to access Internet or Internal network via SSL AnyConne

Not able to access Internet or Internal network via SSL AnyConne