04-27-2011 04:06 PM - edited 03-11-2019 01:26 PM
Hi Geeks
I have been trying to implement anyconnect vpn access on my asa 5505. I have eventually manage to connect to the asa.
the setup is this
inside interface network - 192.168.1.0 /24
outside interface - 192.168.0.0 /24
anyconnect pool address- 192.168.2.10- 192.168.2.20
router ip to isp - 192.168.0.1
the issues i have been facing are
1. unable to ping the asa inside interdace vlan 1- 192.168.1.1
2. unable to ping any other machine in the inside lan - 192.168.1.0/24
3. unable to browse the internet
4. i have tried nat commands for anyconnect client to bypass vpn without luck .
here is the config
ASA Version 8.2(4)
!
hostname ciscoasa
enable password DeviMZQXvoEmq3qZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.10 255.255.255.0
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 interface inside echo-reply
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool AnyconnectPool 192.168.2.10-192.168.2.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.xxxx.com
subject-name CN=sslvpn.xxxx.com
keypair sslvpnkey
crl configure
crypto ca certificate chain localtrust
certificate 184fb84d
308201eb 30820154 a0030201 02020418 4fb84d30 0d06092a 864886f7 0d010105
0500303a 31183016 06035504 03130f73 736c7670 6e2e616d 6d612e63 6f6d311e
301c0609 2a864886 f70d0109 02160f73 736c7670 6e2e616d 6d612e63 6f6d301e
170d3131 30343237 32313436 33315a17 0d323130 34323432 31343633 315a303a
31183016 06035504 03130f73 736c7670 6e2e616d 6d612e63 6f6d311e 301c0609
2a864886 f70d0109 02160f73 736c7670 6e2e616d 6d612e63 6f6d3081 9f300d06
092a8648 86f70d01 01010500 03818d00 30818902 818100d8 b1af1843 ad9d559b
4ff9e58d 14cd7b66 584c5b8b 966d386a 4b8750e2 58302049 d62248f0 31ec25f0
4b128961 ddcfb663 4d6fef06 13bb9be9 4a423589 481cf577 0041be15 ee201045
52fa8fb6 9eea4b4f 39acb799 2ac369d3 d3a61675 f3fdded9 a645d924 6321811e
88ccafba d517645b 0391476e e13ca4f7 53959793 d0656902 03010001 300d0609
2a864886 f70d0101 05050003 81810007 faa79f76 c03083a7 efe9fb41 9ed96981
03e2a5a1 94478148 9c7183e1 2d038066 2d95ec16 26ce47eb fcefe8b7 ecd1201e
091281c0 a1ec1065 0c1709e1 e9cb638e 28eb8106 5a585436 9613b2ef 56f964c7
152190bc 71cceb61 2de2a7de 24474008 7c0ea274 003f7cf2 725fbf40 04c83ff1
2082240f 234c88d2 43ed0629 3f3f29
quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.10-192.168.1.20 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd domain xxxx.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point localtrust outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy AnyconnectPolicy internal
group-policy AnyconnectPolicy attributes
vpn-tunnel-protocol svc
default-domain value xxxx.com
address-pools value AnyconnectPool
username user1 password p.08Izdx6LHxRMrm encrypted
username user1 attributes
service-type remote-access
tunnel-group AnyconnectProfile type remote-access
tunnel-group AnyconnectProfile general-attributes
address-pool AnyconnectPool
default-group-policy AnyconnectPolicy
tunnel-group AnyconnectProfile webvpn-attributes
group-alias AnyconnectClient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e6f054ea056faba96ca563ee44e06ce4
: end
ciscoasa#
Pls tell me where i am wrong and what corrections are needed to make it work. thanks again
Solved! Go to Solution.
04-27-2011 06:20 PM
1. To ping the ASA inside interface, please add the command: management-access inside
2. To access inside subnet, please add the following command:
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
clear xlate
3. To browse the internet, you can configure split tunnel:
access-list split-acl permit 192.168.1.0 255.255.255.0
group-policy AnyconnectPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl
4. The above should resolve the issue.
Hope that helps.
04-27-2011 06:20 PM
1. To ping the ASA inside interface, please add the command: management-access inside
2. To access inside subnet, please add the following command:
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
clear xlate
3. To browse the internet, you can configure split tunnel:
access-list split-acl permit 192.168.1.0 255.255.255.0
group-policy AnyconnectPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl
4. The above should resolve the issue.
Hope that helps.
04-28-2011 07:10 AM
thank you it worked like a charm. thanks again
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide