Anyconnect access to internal network

frontiersin
Level 1

Hello 

I believe I have already read all the posts here about AnyConnect and access to the internal network, but I can't find any solution.

I need to put all traffic in the tunnel: internet, access to the internal network, and access to the other tunnels (site-to-site). At the moment we can connect with AnyConnect, and afterwards I only have internet through the tunnel if I use the IP, because I don't have access to the internal network and I can't use my DNS server. I think I'm missing one NAT but I can't figure it out. Can someone take a look and help me, please?

Internal network 192.168.1.0 255.255.255.0

VPN pool 192.168.20.0 255.255.255.0

Please tell me if you need more information. 

: Serial Number: *******
: Hardware: ASA5515,*************
:
ASA Version 9.2(2)4
!
hostname CiscoAsaFirewall
domain-name office.frontiersin.org
enable password *******************
names
ip local pool VPN_DHCP 192.168.20.0-192.168.20.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 212.243.***.*** 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.248.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.220
domain-name office.frontiersin.org
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network obj_inside
subnet 192.168.1.0 255.255.255.0
description Lan
object network obj_anyconnectpool
subnet 192.168.20.0 255.255.255.0
object network inside_net
object network obj-AnyconnectPool
object network Rackspace_Cloud
subnet 10.176.0.0 255.240.0.0
object network VPN-LOCAL-TEST
subnet 192.168.24.0 255.255.248.0
object network VPN-REMOTE-TEST
subnet 10.176.0.0 255.240.0.0
object network AD-Server
host 192.168.1.220
object network inside
object network vpnpool
object-group network AZURE-INTEGRATION-SUBNET
description Subnet for Integration Environments on Azure
network-object 192.168.128.0 255.255.128.0
network-object *****************************
object-group network LOCAL-INSIDE-NETWORK
description Local Subnet
network-object 192.168.0.0 255.255.248.0
object-group service WinRDP tcp
description Windows Remote Desktop Connection
port-object eq 3389
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_1
network-object object NETWORK_OBJ_192.168.20.0_24
network-object object obj_inside
object-group network obj-anyconnect
object-group network DM_INLINE_NETWORK_2
network-object object NETWORK_OBJ_192.168.20.0_24
network-object object obj_anyconnectpool
network-object object obj_inside
object-group network DM_INLINE_NETWORK_3
network-object object NETWORK_OBJ_192.168.20.0_24
network-object object obj_anyconnectpool
network-object object obj_inside
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list 101 extended permit ip object-group LOCAL-INSIDE-NETWORK object-group AZURE-INTEGRATION-SUBNET
access-list inside_access_in extended permit ip any any
access-list Local_LAN_Access remark Client Local LAN Access
access-list Local_LAN_Access standard permit 192.168.0.0 255.255.248.0
access-list global_access extended permit ip object-group DM_INLINE_NETWORK_2 any
access-list AnyConnet remark Allow users VPN can connect to internet
access-list AnyConnet extended permit object-group DM_INLINE_SERVICE_1 object NETWORK_OBJ_192.168.20.0_24 any
access-list natoutvpn extended permit ip 192.168.20.0 255.255.255.0 any
access-list anyconnect extended permit ip 192.168.20.0 255.255.255.0 any
access-list outside_cryptomap_1 extended permit ip object VPN-LOCAL-TEST object VPN-REMOTE-TEST
access-list INSIDE-NAT0 remark NAT0 for VPN
access-list INSIDE-NAT0 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LOCAL-INSIDE-NETWORK LOCAL-INSIDE-NETWORK destination static AZURE-INTEGRATION-SUBNET AZURE-INTEGRATION-SUBNET
nat (inside,outside) source static obj_inside obj_inside destination static obj_anyconnectpool obj_anyconnectpool no-proxy-arp route-lookup
nat (inside,any) source static obj_inside obj_inside destination static obj_anyconnectpool obj_anyconnectpool no-proxy-arp description NONAT
nat (inside,outside) source dynamic NETWORK_OBJ_192.168.20.0_24 interface
nat (inside,outside) source static obj_inside obj_inside destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static obj_inside obj_inside no-proxy-arp route-lookup
nat (any,outside) source dynamic DM_INLINE_NETWORK_1 interface
nat (inside,outside) source dynamic any interface
nat (outside,outside) source dynamic NETWORK_OBJ_192.168.20.0_24 interface
nat (inside,outside) source dynamic obj_inside interface
nat (outside,outside) source dynamic obj_inside interface
!
nat (outside,outside) after-auto source dynamic obj_anyconnectpool interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 212.243.***.*** 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server group Frontiers v3 auth
snmp-server host inside 192.168.1.201 community ***** version 2c
snmp-server location Rack
snmp-server contact Vitor Fonseca
snmp-server community *****
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set AZURE-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map AZURE-CRYPTO-MAP 1 match address outside_cryptomap_1
crypto map AZURE-CRYPTO-MAP 1 set peer 95.138.146.99
crypto map AZURE-CRYPTO-MAP 1 set ikev1 transform-set ESP-AES-128-SHA E
crypto map AZURE-CRYPTO-MAP 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map AZURE-CRYPTO-MAP 100 match address 101
crypto map AZURE-CRYPTO-MAP 100 set peer 40.118.110.96 13.81.110.78
crypto map AZURE-CRYPTO-MAP 100 set ikev1 transform-set AZURE-TRANSFORM
crypto map AZURE-CRYPTO-MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map AZURE-CRYPTO-MAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=lausanne-vpn.frontiersin.net
keypair cert.key
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate *******************
**********************************
**********************************
**********************************
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate *******************
**********************************
**********************************
**********************************
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_lausanne-vpn internal
group-policy GroupPolicy_lausanne-vpn attributes
wins-server none
dns-server value 192.168.1.220
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value office.frontiersin.org
split-tunnel-all-dns enable
group-policy GroupPolicy_95.138.***.*** internal
group-policy GroupPolicy_95.138.***.*** attributes
vpn-tunnel-protocol ikev1 ikev2
username vafa.sarmas password *************
username vitor.fonseca password **************
tunnel-group lausanne-vpn type remote-access
tunnel-group lausanne-vpn general-attributes
address-pool VPN_DHCP
default-group-policy GroupPolicy_lausanne-vpn
tunnel-group lausanne-vpn webvpn-attributes
group-alias lausanne-vpn enable
tunnel-group 40.118.***.*** type ipsec-l2l
tunnel-group 40.118.***.*** ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 13.81.***.*** type ipsec-l2l
tunnel-group 13.81.***.*** ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 95.138.***.*** type ipsec-l2l
tunnel-group 95.138.***.*** general-attributes
default-group-policy GroupPolicy_95.138.***.***
tunnel-group 95.138.***.*** ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map icmp-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map icmp_policyexit
policy-map icmp_policy
class icmp-class
inspect icmp
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
call-home reporting anonymous
hpm topN enable
Cryptochecksum:**********************************
: end
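The NAT section of the config above is the part the poster suspects, and with twelve manual rules it is hard to see by eye which one a given flow lands on. The Python script below is an added example (not the poster's configuration and not a Cisco tool): it parses the object definitions and the manual ("section 1") NAT lines from the posted config into a first-match table and reports which rule, and what translation effect, a flow hits, for example a VPN client reaching the internal DNS server 192.168.1.220. The client address 192.168.20.5, the LAN host 192.168.1.50 and the 8.8.8.8 destination are constructed sample values. The model is a deliberate simplification: it ignores auto NAT, the after-auto rule, proxy ARP, route-lookup and egress-interface selection, so its output is a hypothesis to confirm on the ASA with packet-tracer (for example: packet-tracer input outside udp 192.168.20.5 40000 192.168.1.220 53), which evaluates the real rule base.

```python
# Added example, not Cisco code and not an ASA feature: a simplified first-match
# evaluator for the manual ("section 1") NAT rules posted above.  It models only
# object/object-group membership and each rule's real interface/source/destination.
import ipaddress
import re

# Excerpt of the posted configuration in its original rule order (only the
# objects the NAT lines reference are kept).
ASA_CONFIG = """
object network NETWORK_OBJ_192.168.20.0_24
 subnet 192.168.20.0 255.255.255.0
object network obj_inside
 subnet 192.168.1.0 255.255.255.0
object network obj_anyconnectpool
 subnet 192.168.20.0 255.255.255.0
object-group network AZURE-INTEGRATION-SUBNET
 network-object 192.168.128.0 255.255.128.0
object-group network LOCAL-INSIDE-NETWORK
 network-object 192.168.0.0 255.255.248.0
object-group network DM_INLINE_NETWORK_1
 network-object object NETWORK_OBJ_192.168.20.0_24
 network-object object obj_inside
nat (inside,outside) source static LOCAL-INSIDE-NETWORK LOCAL-INSIDE-NETWORK destination static AZURE-INTEGRATION-SUBNET AZURE-INTEGRATION-SUBNET
nat (inside,outside) source static obj_inside obj_inside destination static obj_anyconnectpool obj_anyconnectpool no-proxy-arp route-lookup
nat (inside,any) source static obj_inside obj_inside destination static obj_anyconnectpool obj_anyconnectpool no-proxy-arp description NONAT
nat (inside,outside) source dynamic NETWORK_OBJ_192.168.20.0_24 interface
nat (inside,outside) source static obj_inside obj_inside destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static obj_inside obj_inside no-proxy-arp route-lookup
nat (any,outside) source dynamic DM_INLINE_NETWORK_1 interface
nat (inside,outside) source dynamic any interface
nat (outside,outside) source dynamic NETWORK_OBJ_192.168.20.0_24 interface
nat (inside,outside) source dynamic obj_inside interface
nat (outside,outside) source dynamic obj_inside interface
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?")

def parse_config(text):
    """Return ({object name: [ip_network, ...]}, [nat rule dicts]) from ASA CLI text."""
    objects, rules, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object(?:-group)? network (\S+)$", line):
            current = objects.setdefault(m.group(1), [])        # new object/group
        elif m := re.match(r"(?:subnet|network-object) (\d\S*) (\S+)$", line):
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"host (\S+)$", line):
            current.append(ipaddress.ip_network(m.group(1)))
        elif m := re.match(r"network-object object (\S+)$", line):
            current.extend(objects.get(m.group(1), []))         # nested object, defined earlier
        elif m := NAT_RE.match(line):
            current = None
            real_if, mapped_if, kind, src, src_mapped, dst, dst_mapped = m.groups()
            rules.append({"real_if": real_if, "mapped_if": mapped_if, "kind": kind,
                          "src": src, "src_mapped": src_mapped, "dst": dst,
                          "dst_mapped": dst_mapped, "text": line})
    return objects, rules

def in_object(objects, name, ip):
    """True when ip falls inside the named object/group ('any' matches everything)."""
    return name == "any" or any(ip in net for net in objects.get(name, []))

def first_match(objects, rules, ingress, src, dst):
    """(1-based index, rule) of the first rule a flow hits in config order, else (None, None).
    A rule applies when its real interface is the ingress interface or 'any', its real
    source object contains src and, if it has a destination clause, that contains dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, r in enumerate(rules, 1):
        if (r["real_if"] in ("any", ingress) and in_object(objects, r["src"], s)
                and (r["dst"] is None or in_object(objects, r["dst"], d))):
            return idx, r
    return None, None

def describe(rule):
    """Plain-language translation effect of a matched rule."""
    if rule is None:
        return "no section-1 rule matched"
    if rule["kind"] == "static" and rule["src"] == rule["src_mapped"]:
        return "identity NAT (source unchanged)"
    if rule["kind"] == "dynamic" and rule["src_mapped"] == "interface":
        return f"dynamic PAT to the {rule['mapped_if']} interface address"
    return f"{rule['kind']} NAT {rule['src']} -> {rule['src_mapped']}"

def evaluate(ingress, src, dst):
    """(rule index, effect) for one flow against the posted configuration."""
    objects, rules = parse_config(ASA_CONFIG)
    idx, rule = first_match(objects, rules, ingress, src, dst)
    return idx, describe(rule)

if __name__ == "__main__":
    # Constructed sample flows: 192.168.20.5 stands for a VPN client and
    # 192.168.1.50 for a LAN host; 192.168.1.220 is the posted DNS server.
    for flow in [("inside", "192.168.1.50", "192.168.20.5"),
                 ("outside", "192.168.20.5", "8.8.8.8"),
                 ("outside", "192.168.20.5", "192.168.1.220")]:
        idx, effect = evaluate(*flow)
        print(f"{flow[0]:>7} {flow[1]:>13} -> {flow[2]:<13} rule #{idx}: {effect}")
```

Run against the posted rules, the LAN-to-client direction (inside, 192.168.1.50 to 192.168.20.5) hits the second nat line, the identity rule, while both the client-to-Internet flow and the client-to-192.168.1.220 flow first match the (any,outside) dynamic PAT rule, because every earlier rule is scoped to traffic whose real interface is inside. Traffic from VPN clients to the LAN is normally expected to land on an identity (NAT-exempt) rule, so that line is worth checking with packet-tracer on the box alongside the default-gateway question raised in the replies.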
3 Replies

mattjones03
Level 1

Hi,

Looks like you have the relevant NATs in place. Is the firewall the default gateway for your internal network? If not, you will require a route directing traffic for 192.168.20.0/24 back to your firewall.

Also, ensure you have permitted access to the internal network if you have a VPN filter in place.

Hello Mattjones03

First, many thanks for your quick reply. Because this is a lab, I think you are correct and the problem is that my firewall is not the default gateway of my internal network.

I will put this in place and after I will test again. 

Thanks again. 

You are welcome.

Let us know how you get on with this.

Please mark your question as answered/resolved if it indeed resolves your question.
