2019
AnyConnect VPN

batumibatumi
Level 1

Dear All,

I have Windows Server 2008 R2 and a Cisco ASA 5505.

I configured the ASA and when I try my public IP I can connect to it using AnyConnect VPN. I can also ping the ASA's inside interface, but I cannot access the server.

I also configured a RADIUS server on my Server 2008 and the ASA. Communication between them is fine.

Could you please give me advice on how to solve this problem, as it is very important for me?

Thank you in advance

Best Regards,

Giorgi

Accepted Solution

You are missing the NAT exemption.


Assuming that you are using the SSLClientPool 192.168.25.0/24 because the other group-policy does not have any ip pool assigned and I am not sure which group you are using:

object network obj-192.168.25.0
 subnet 192.168.25.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.48.0.0_24 NETWORK_OBJ_10.48.0.0_24 destination static obj-192.168.25.0 obj-192.168.25.0

If you are actually using the other pool OSLO-POOL 172.20.1.0/24, then pls configure the following:

object network obj-172.20.1.0
 subnet 172.20.1.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.48.0.0_24 NETWORK_OBJ_10.48.0.0_24 destination static obj-172.20.1.0 obj-172.20.1.0

Then "clear xlate" after the above.

That should resolve the issue.
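As an added illustration (not code from the thread or from Cisco), the following Python check parses the NAT-relevant fragments of the posted ASA 8.3 config and reports which AnyConnect address pools have no identity (twice) NAT exempting inside-to-pool traffic from the `nat (inside,outside) dynamic interface` PAT. The config strings are constructed from the thread, and the inside network 10.48.0.0/24 is taken from the posted config.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample: the NAT-relevant fragments of the ASA 8.3 config posted in the thread.
BEFORE_FIX = """
object network NETWORK_OBJ_10.48.0.0_24
 subnet 10.48.0.0 255.255.255.0
object network Inside-PAT-Outside
 subnet 10.48.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
ip local pool OSLO-POOL 172.20.1.1-172.20.1.10 mask 255.255.255.0
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
"""
# The same fragments with the identity NAT from the accepted solution appended.
AFTER_FIX = BEFORE_FIX + """
object network obj-192.168.25.0
 subnet 192.168.25.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.48.0.0_24 NETWORK_OBJ_10.48.0.0_24 destination static obj-192.168.25.0 obj-192.168.25.0
"""
OBJ_RE = re.compile(r"^object network (\S+)")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask")
TWICE_NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def parse_objects(cfg):
    """Map each 'object network' name to its subnet as an ip_network."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        if m := OBJ_RE.match(line):
            cur = m.group(1)
        elif (m := SUBNET_RE.match(line)) and cur:
            objs[cur] = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return objs

def parse_pools(cfg):
    """Map each 'ip local pool' name to its (first, last) address."""
    return {m.group(1): (ip_address(m.group(2)), ip_address(m.group(3)))
            for m in map(POOL_RE.match, cfg.splitlines()) if m}

def identity_nat_pairs(cfg, objs):
    """(source, destination) networks of twice-NAT rules that map both sides to themselves."""
    return [(objs[m.group(1)], objs[m.group(3)])
            for m in map(TWICE_NAT_RE.match, cfg.splitlines())
            if m and m.group(1) == m.group(2) and m.group(3) == m.group(4)]

def pools_missing_exemption(cfg, inside_net):
    """Pools with no identity NAT exempting inside_net -> pool traffic from the dynamic PAT."""
    inside, objs = ip_network(inside_net), parse_objects(cfg)
    pairs = identity_nat_pairs(cfg, objs)
    return [name for name, (first, last) in parse_pools(cfg).items()
            if not any(inside.subnet_of(src) and first in dst and last in dst for src, dst in pairs)]
```

Run against the posted config both pools are reported; after the accepted fix only OSLO-POOL remains, which matches the solution's second, alternative NAT statement for 172.20.1.0/24.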


5 Replies

Jennifer Halim
Cisco Employee

A few things to look at:

1) Are you able to access any other hosts in the same subnet as your Windows Server, or does nothing work in the same subnet?

2) Point 1 is to prove whether it is a configuration issue on the ASA or an issue with the Windows Server.

3) You can actually check whether the firewall on the Windows Server is enabled, as it could possibly block the connection from the AnyConnect client. You might want to try disabling the Windows firewall, or allow the AnyConnect client pool subnet access to the server.

4) If you can share your ASA config and also the IP address of the Windows server, we can see if the ASA config is OK or whether any modification is required.

ASA Version 8.3(1)
!
hostname OSLO-ASA
domain-name domain.name.ORG
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.48.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec STOP !!! Unauthorized access is denied !!!
banner login STOP !!! Unauthorized access is denied !!!
banner asdm STOP !!! Unauthorized access is denied !!!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.48.0.2
 domain-name domain.name.ORG
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Inside-PAT-Outside
 subnet 10.48.0.0 255.255.255.0
 description Inside Network Translation to Outside Interface
object network NETWORK_OBJ_10.48.0.0_24
 subnet 10.48.0.0 255.255.255.0
object network NETWORK_OBJ_172.20.1.0_28
 subnet 172.20.1.0 255.255.255.240
object network NETWORK_OBJ_10.41.0.0_24
 subnet 10.41.0.0 255.255.255.0
object network NETWORK_OBJ_10.48.1.0_24
 subnet 10.48.1.0 255.255.255.0
object network NETWORK_OBJ_10.49.0.0_24
 subnet 10.49.0.0 255.255.255.0
object network Server
 host 10.48.0.2
object network COnnection
 host 10.48.0.2
object network INT-AD1
 host 10.48.0.2
 description AD / RADIUS
access-list OSLO_splitTunnelAcl standard permit 10.48.0.0 255.255.255.0
access-list OSLO_splitTunnelAcl remark Split Tunnel
access-list OSLO_splitTunnelAcl standard permit x.x.x.x 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.48.0.0 255.255.255.0 10.41.0.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.48.0.0 255.255.255.0 10.49.0.0 255.255.255.0
access-list no_nat extended permit ip host 10.48.0.2 192.168.25.0 255.255.255.0
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
ip local pool OSLO-POOL 172.20.1.1-172.20.1.10 mask 255.255.255.0
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
object network Inside-PAT-Outside
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z
aaa-server TEST-AD protocol radius
aaa-server TEST-AD (inside) host 10.48.0.2
 key *****
 radius-common-pw *****
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 16
enrollment terminal
subject-name CN=OSLO-ASA
crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=domain-name
 ip-address x.x.x.x
 keypair 34sslvpey1
 crl configure
crypto ca certificate chain ASDM_TrustPoint1
 certificate 14a7624d
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside vpnlb-ip
ssl trust-point ASDM_TrustPoint1 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy OSLO internal
group-policy OSLO attributes
 dns-server value 10.48.0.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OSLO_splitTunnelAcl
 default-domain value domain.name.ORG
group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OSLO_splitTunnelAcl
 address-pools value SSLClientPool
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default webvpn
tunnel-group SSLgroup webvpn-attributes
 group-alias clientgroup enable


LOTS OF THANKS for your answer ... !!!

THANKS ... (sun)

1) Are you able to access any other hosts in the same subnet as your Windows Server, or does nothing work in the same subnet? - NO, I cannot !!!

3) You can actually check whether the firewall on the Windows Server is enabled, as it could possibly block the connection from the AnyConnect client. You might want to try disabling the Windows firewall, or allow the AnyConnect client pool subnet access to the server. - I am using Kaspersky and it is turned off, but no result...

I have already put ASA's configuration ...
