Cisco ASA 5505 firewall internal network connectivity

nitinf7
Level 1

Hi there,

I am a newbie to Cisco firewalls.
I have a Cisco ASA 5505 firewall configured; as per the configuration I am able to access the internet.

I also configured SSL VPN, but I am not able to access my internal network after a successful connection.

Can anyone please help me sort this out?

I am not sure what I did wrong.

Below is my running configuration.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password nGXsT5fL.Mu855Pf encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.5 Router
name 203.111.20.6 StaticIP
name 192.168.1.15 client
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address StaticIP 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
regex domainlist1 "\.yahoo\.com"
regex denied_http_domains " [(0-9A-Za-z)*]facebook\.com"
!
time-range VPN
!
ftp mode passive
clock timezone IST 5 30
dns domain-lookup inside
dns domain-lookup outside
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list outside_cryptomap_65535.65535 extended permit ip any any inactive
access-list inside_mpc extended permit tcp any any eq https inactive
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list all extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool DDVPN 192.168.1.10-192.168.1.100 mask 255.255.255.0
ipv6 access-list outside_access_ipv6_in permit ip any any
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 norandomseq
static (inside,outside) tcp interface www Router www netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 3789 Router 3789 netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 3889 Router 3889 netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 4240 Router 4240 netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 5222 Router 5222 netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface ftp Router ftp netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 40094 Router 40094 netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface ssh Router ssh netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 3989 Router 3989 netmask 255.255.255.255 norandomseq
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.111.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl all
network-acl outside_access_in
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address outside_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=mpass
keypair mpass-vpn
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject-name CN=vpn.mpass.com
keypair mpassvpn.key
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint5
enrollment self
subject-name CN=mpass
keypair mpass
proxy-ldc-issuer
crl configure
crypto ca server
shutdown
smtp from-address admin@mpass.null
crypto ca certificate chain ASDM_TrustPoint5
certificate 14947c5d
quit
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.1.21 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
!
dhcpd address Router-192.168.1.254 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 60 interface inside
dhcpd domain mpass.com interface inside
dhcpd auto_config outside vpnclient-wins-override interface inside
dhcpd enable inside
!
vpnclient server StaticIP
vpnclient mode client-mode
vpnclient vpngroup admintest password ********
vpnclient username admin password ********
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint5 outside
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
internal-password enable
group-policy SSLCLientPolicy internal
group-policy DD_VPN_GRP_PLCY internal
group-policy DD_VPN_GRP_PLCY attributes
wins-server value 8.8.8.4
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mpass
address-pools value mpvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec svc
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy mpass internal
group-policy mpass attributes
vpn-access-hours value VPN
vpn-tunnel-protocol webvpn
username xyz password 8PDm1xTMeoFAc0hE encrypted
username xyz attributes
service-type remote-access
username abc password mr07r1nVCYTWfwiX encrypted
username abc attributes
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group DD_VPN_PROFILE type remote-access
tunnel-group DD_VPN_PROFILE general-attributes
address-pool DDVPN
default-group-policy DD_VPN_GRP_PLCY
tunnel-group DD_VPN_PROFILE webvpn-attributes
group-alias DDVPNClient enable
!
class-map type regex match-any DomianBlockList
match regex domainlist1
class-map type regex match-any DomainDenyList
match regex denied_http_domains
class-map type inspect http match-all DenyDomainClass
match request header if-match regex class DomainDenyList
class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all asdm_high_security_methods
match not request method head
match not request method get
class-map httptraffic
match access-list inside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
class DenyDomainClass
reset log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:96aae06c8889567ff0fd23cf4c669610
: end
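As an added example (not the poster's configuration or any Cisco tooling), here is a small Python check run over a constructed excerpt of the config above. It flags the two things a reviewer would look at first on a pre-8.3 ASA with remote-access VPN: the local pool DDVPN (192.168.1.10-192.168.1.100) sitting inside the 192.168.1.0/24 inside network, and the absence of a `nat (inside) 0 access-list` NAT exemption while `nat-control` is on (the only nat0 ACL present, inside_nat0_outbound, is inactive and referenced by no nat statement).

```python
import ipaddress
import re

# Constructed excerpt of the poster's ASA 8.2(1) running config: only the lines
# this check needs (the complete config is in the post above).
ASA_CONFIG = """\
name 203.111.20.6 StaticIP
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address StaticIP 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 inactive
ip local pool DDVPN 192.168.1.10-192.168.1.100 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 norandomseq
"""

def parse_interface_networks(cfg):
    """Map nameif -> IPv4Network for interfaces that carry a literal 'ip address'."""
    nets, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = None  # start of a new interface block
        if m := re.match(r"\s*nameif (\S+)", line):
            cur = m.group(1)
        if cur and (m := re.match(r"\s*ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", line)):
            nets[cur] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets

def parse_local_pools(cfg):
    """Map pool name -> (first, last) address from 'ip local pool' lines."""
    pat = r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)"
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(pat, cfg, re.M)}

def lint_vpn_config(cfg):
    """Return findings for two classic pre-8.3 remote-access VPN pitfalls."""
    findings = []
    nets = parse_interface_networks(cfg)
    for pool, (lo, hi) in parse_local_pools(cfg).items():
        for nameif, net in nets.items():
            if lo in net or hi in net:  # pool addresses collide with a connected LAN
                findings.append(f"pool {pool} overlaps {nameif} network {net}")
    # Pre-8.3 NAT exemption is 'nat (<if>) 0 access-list <acl>'; without it, inside->client traffic is PATed
    if "nat-control" in cfg.splitlines() and not re.search(r"^nat \(\S+\) 0 access-list", cfg, re.M):
        findings.append("nat-control is on but no 'nat (inside) 0 access-list' exemption exists")
    return findings
```

The check is a heuristic: it does not resolve `name` aliases or follow group-policy references such as `address-pools value mpvpn`, which names a pool that does not appear anywhere in the posted config.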

1 Reply

nitinf7
Level 1
Can anyone please help with this?