topic anyconnect vpn, can't get internet in Network Security

anyconnect vpn, can't get internet

Neetu Bhushan — Tue, 12 Mar 2019 01:29:50 GMT

hi all,

need help again... my anyconnect vpn can't route to internet, but my inside interface can...

here' s my show run below,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ciscoasa# sh run

: Saved

ASA Version 8.6(1)2

hostname ciscoasa

domain-name test1.com

enable password NuLKvvWGg.x9HEKO encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.0.50 255.255.255.0

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.64.1 255.255.255.0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

dns server-group DefaultDNS

domain-name test1.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network NETWORK_OBJ_192.168.64.64_27

subnet 192.168.64.64 255.255.255.224

no pager

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

ip local pool inside-pool-vpn 192.168.64.70-192.168.64.90 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.64.64_27 NETWORK_OBJ_192.168.64.64_27 no-proxy-arp route-lookup

nat (inside,outside) after-auto source dynamic any interface

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

route inside 192.168.64.0 255.255.255.0 192.168.64.1 10

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server LDAPSERVERS protocol ldap

aaa-server LDAPSERVERS (inside) host 192.168.64.100

ldap-base-dn dc=test1,dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn cn=administrator,cn=Users,dc=test1,dc=com

server-type auto-detect

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ciscoasa.test1.com

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate e0a96d51

3082025c 308201c5 a0030201 020204e0 a96d5130 0d06092a 864886f7 0d010105

05003040 311b3019 06035504 03131263 6973636f 6173612e 74657374 312e636f

6d312130 1f06092a 864886f7 0d010902 16126369 73636f61 73612e74 65737431

2e636f6d 301e170d 31333034 31363139 34343139 5a170d32 33303431 34313934

3431395a 3040311b 30190603 55040313 12636973 636f6173 612e7465 7374312e

636f6d31 21301f06 092a8648 86f70d01 09021612 63697363 6f617361 2e746573

74312e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902

818100e1 1fc4496f 3f5a18f6 2809edf7 a83b4a72 f04f0a9b c38a49f4 010055c1

5b433440 b942f442 1816b281 3e4489ee 8e96bc85 8549ae99 613a02af 5f3c963f

dca6c79a 568eaf4c 25cd92f4 6700cfdb 794f9d8a 26a805bf 7136f75d 9346bc8c

7d18e40e 954d626a 9cf4882d 573f9552 e70bb2f8 04933034 50d93bd4 1de2ed32

71ea5302 03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06

03551d0f 0101ff04 04030201 86301f06 03551d23 04183016 80148a71 8795f669

0435b43b 9290bfab a586025a a00a301d 0603551d 0e041604 148a7187 95f66904

35b43b92 90bfaba5 86025aa0 0a300d06 092a8648 86f70d01 01050500 03818100

bbba25e1 cf3926e6 682f5c42 08531f63 8d9f309a bad12c1e 2f610131 25a3e052

3f81d48a 924bd871 dd041600 85f68816 5faa4210 5f5f75e9 c98f182f 873cf014

1963122d e2fa9d35 b68e19a6 c47a6bd1 0d861234 2e1a8b01 cfc96ca7 de96ef59

3dd6cbf4 1651386b 25b2240d 097c8b83 5720367b 86d38de2 229eddf8 9ebf0864

quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

dhcpd address 192.168.64.40-192.168.64.60 inside

dhcpd dns 192.168.0.1 192.168.64.100 interface inside

dhcpd lease 200000 interface inside

dhcpd domain test1.com interface inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect profiles anyconnect-vpn_client_profile disk0:/anyconnect-vpn_client_profile.xml

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_anyconnect-vpn internal

group-policy GroupPolicy_anyconnect-vpn attributes

wins-server none

dns-server value 192.168.0.1 192.168.64.100

vpn-tunnel-protocol ikev2 ssl-client

default-domain value test1.com

webvpn

anyconnect profiles value anyconnect-vpn_client_profile type user

username rickyv password gw5iJZK0zpRVc1Ur encrypted

tunnel-group anyconnect-vpn type remote-access

tunnel-group anyconnect-vpn general-attributes

address-pool inside-pool-vpn

authentication-server-group LDAPSERVERS LOCAL

default-group-policy GroupPolicy_anyconnect-vpn

tunnel-group anyconnect-vpn webvpn-attributes

group-alias anyconnect-vpn enable

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:ee1ad0b35257ed2f09d75ebae6c4926c

: end

ciscoasa#

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

the digital cert is self signed and vpn can connect easily and user will have shared path, meaning vpn is working properly but user have no internet routing, also can't ping gw 192.168.64.1 from vpn client. my asdm is 6.6.

thanks for any comment you may add.

neetu

anyconnect vpn, can't get internet

Julio Carvajal — Wed, 17 Apr 2013 04:16:09 GMT

nat (outside,outside) source dynamic NETWORK_OBJ_192.168.64.64_27 interface

Let me know who it goes

anyconnect vpn, can't get internet

Neetu Bhushan — Wed, 17 Apr 2013 15:54:37 GMT

i'll try this later... i'm at work...

thanks a lot and more power.

anyconnect vpn, can't get internet

Julio Carvajal — Wed, 17 Apr 2013 17:03:33 GMT

Hello,

Sure Neetu,

Remember to rate all of the helpful posts

Re: anyconnect vpn, can't get internet

Neetu Bhushan — Wed, 17 Apr 2013 17:39:50 GMT

sorry the ip change now, since i'm testing in the office, i have another 5515x in the office and another at home...

here's my show run with filter on nat...

sh run | i nat

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.80.32_27 NETWORK_OBJ_10.0.80.32_27 no-proxy-arp route-lookup

nat (inside,outside) after-auto source dynamic any interface

now i changed it to your instruction

sh run | i nat

nat (outside,outside) source dynamic NETWORK_OBJ_10.0.80.32_27 interface

nat (inside,outside) after-auto source dynamic any interface

it can't route to internet, so i tried

sh run | i nat

nat (outside,outside) source dynamic NETWORK_OBJ_10.0.80.32_27 interface

nat (outside,outside) after-auto source dynamic any interface

it still can't route my user vpn with internet...

anyconnect vpn, can't get internet

Julio Carvajal — Wed, 17 Apr 2013 17:43:47 GMT

Hello Neetu,

I mean the nat you had before should still be there,

I just wanted to add one more:

nat (outside,outside) source dynamic NETWORK_OBJ_192.168.64.64_27 interface

Can you share the complete show run NAT?

Is there a way that we could use another subnet range ( diferent from the inside network) ?

Re: anyconnect vpn, can't get internet

Neetu Bhushan — Wed, 17 Apr 2013 17:54:04 GMT

i also tried this...

ciscoasa# sh run | i nat

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.80.32_27 NETWORK_OBJ_10.0.80.32_27 no-proxy-arp route-lookup

nat (outside,outside) source dynamic NETWORK_OBJ_10.0.80.32_27 interface

nat (inside,outside) after-auto source dynamic any interface

ciscoasa#

it didn't work...

yeah i could create another subnet... how can i modify the current pool for the vpn, the wizard have no edit on vpn...

Re: anyconnect vpn, can't get internet

Julio Carvajal — Wed, 17 Apr 2013 18:29:49 GMT

Okay let's do the following:

ip local-pool Anyconnect-test 192.168.100.1-192.168.100.100 netmask 255.255.255.0

tunnel-group anyconnect-vpn general-attributes

no address-pool inside-pool-vpn

address-pool Anyconnect-test

object network Anyconnect_Pool_Julio

subnet 192.168.100.0 255.255.255.0

no nat (outside,outside) source dynamic NETWORK_OBJ_10.0.80.32_27 interface

no nat (outside,outside) after-auto source dynamic any interface

nat (inside,outside) 1 source static any any destination static Anyconnect_Pool_Julio Anyconnect_Pool_Julio

nat (outside,outside) source dynamic Anyconnect_Pool_Julio interface

Let me know

Re: anyconnect vpn, can't get internet

Neetu Bhushan — Wed, 17 Apr 2013 21:55:45 GMT

i really appreciate your help...

something is not right in my test environment in the office... at home i can ping my AD host, but here in my office, it can't. so i have to test this at home.

thanks and more power... i will let you know later when i'm testing at home...

Re: anyconnect vpn, can't get internet

Julio Carvajal — Wed, 17 Apr 2013 21:57:15 GMT

Hello,

sure, keep me updated

Re: anyconnect vpn, can't get internet

Neetu Bhushan — Thu, 18 Apr 2013 03:35:23 GMT

here's my testing at home...

: Saved

: Written by enable_15 at 19:31:06.189 UTC Wed Apr 17 2013

ASA Version 8.6(1)2

hostname ciscoasa

domain-name test1.com

enable password NuLKvvWGg.x9HEKO encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.0.50 255.255.255.0

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.64.1 255.255.255.0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

dns server-group DefaultDNS

domain-name test1.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network NETWORK_OBJ_192.168.64.64_27

subnet 192.168.64.64 255.255.255.224

object network anyconnect-pool

subnet 192.168.100.0 255.255.255.0

pager lines 24

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

ip local pool inside-pool-vpn 192.168.64.70-192.168.64.90 mask 255.255.255.0

ip local pool anyconnect-test 192.168.100.1-192.168.100.20 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static any any destination static anyconnect-pool anyconnect-pool

nat (outside,outside) source dynamic anyconnect-pool interface

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

route inside 192.168.64.0 255.255.255.0 192.168.64.1 10

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server LDAPSERVERS protocol ldap

aaa-server LDAPSERVERS (inside) host 192.168.64.100

ldap-base-dn dc=test1,dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password Test123

ldap-login-dn cn=administrator,cn=Users,dc=test1,dc=com

server-type auto-detect

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ciscoasa.test1.com

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate d1ec6e51

3082025c 308201c5 a0030201 020204d1 ec6e5130 0d06092a 864886f7 0d010105

05003040 311b3019 06035504 03131263 6973636f 6173612e 74657374 312e636f

6d312130 1f06092a 864886f7 0d010902 16126369 73636f61 73612e74 65737431

2e636f6d 301e170d 31333034 31373138 34353433 5a170d32 33303431 35313834

3534335a 3040311b 30190603 55040313 12636973 636f6173 612e7465 7374312e