Unable to reach internal networks from AnyConnect VPN - ASA ver 8.6

wesdouglas — Tue, 26 Mar 2019 00:51:26 GMT

Goodmorning all, I am trying to configure an AnyConnect solution using a pair of 5545x ASA's running 8.6 software. I am unable to access my internal network when connected to VPN.

When I do a packet trace from an unassigned IP address in the VPN DHCP pool the flow is created alright but when I packet trace using an IP that has been assigned to an AnyConnect client the flow is not created.The trace gets as far as webvpn-svc and gets dropped. I'm hoping this is an easy fix and another pair of eyes will be able to spot it for me Packet trace and config are below.

Thanks very much in advance for any help.

: Saved

ASA Version 8.6(1)2

hostname uk-abz-p-vpn-01

enable password xxxxxxxxx encrypted

passwd xxxxxxxxxxxx encrypted

names

interface GigabitEthernet0/0

description External DMZ

speed 1000

duplex full

nameif PUBLIC

security-level 0

ip address 10.30.34.3 255.255.255.0

interface GigabitEthernet0/1

description Internal DMZ

speed 1000

duplex full

nameif PRIVATE

security-level 100

ip address 10.30.35.1 255.255.255.0

interface GigabitEthernet0/2

speed 1000

duplex full

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

speed 1000

duplex full

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/4

speed 1000

duplex full

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/5

speed 1000

duplex full

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/6

speed 1000

duplex full

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/7

description LAN/STATE Failover Interface

speed 1000

duplex full

interface Management0/0

speed 1000

duplex full

nameif management

security-level 0

ip address 10.30.112.9 255.255.255.0

management-only

boot system disk0:/asa861-2-smp-k8.bin

ftp mode passive

clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00

dns domain-lookup management

dns server-group DefaultDNS

name-server 10.1.0.1

name-server 10.1.0.2

same-security-traffic permit intra-interface

object network TSUK-AnyConnectVPN

subnet 10.44.10.0 255.255.255.0

object-group network TSUK-Networks

network-object 10.0.0.0 255.0.0.0

network-object 172.0.0.0 255.0.0.0

network-object 192.168.0.0 255.255.0.0

access-list PUBLIC_access_in extended permit ip object TSUK-AnyConnectVPN object-group TSUK-Networks

pager lines 24

logging enable

logging timestamp

logging buffer-size 1048576

logging buffered debugging

logging asdm informational

mtu PUBLIC 1500

mtu PRIVATE 1500

mtu management 1500

ip local pool test 10.44.10.10-10.44.10.12 mask 255.255.255.0

failover

failover lan unit primary

failover lan interface FAILOVER GigabitEthernet0/7

failover link FAILOVER GigabitEthernet0/7

failover interface ip FAILOVER 10.35.13.209 255.255.255.252 standby 10.35.13.210

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-711.bin

no asdm history enable

arp timeout 14400

nat (PRIVATE,PUBLIC) source static TSUK-Networks TSUK-Networks destination static TSUK-AnyConnectVPN TSUK-AnyConnectVPN no-proxy-arp route-lookup

access-group PUBLIC_access_in in interface PUBLIC

route PUBLIC 0.0.0.0 0.0.0.0 10.30.34.254 1

route PRIVATE 10.0.0.0 255.0.0.0 10.30.35.254 1

route management 10.1.0.193 255.255.255.255 10.30.112.254 1

route management 10.50.102.0 255.255.255.0 10.30.112.254 1

route PRIVATE 192.168.0.0 255.255.0.0 10.30.35.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server aberdeen protocol tacacs+

aaa-server aberdeen (management) host 10.30.49.6

key *****

aaa-server Cisco_ACS protocol radius

aaa-server TalismanRSA protocol sdi

user-identity default-domain LOCAL

aaa authentication ssh console aberdeen LOCAL

aaa authentication enable console aberdeen LOCAL

aaa authentication http console aberdeen LOCAL

http server enable

http 10.50.0.0 255.255.0.0 management

http 10.1.0.0 255.255.0.0 management

snmp-server host management 10.1.0.193 community ***** version 2c

snmp-server location Aberdeen Data Centre

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256