cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2629
Views
20
Helpful
8
Replies

ASA 8.3 (1) - home unable to access remote office using SSL VPN connection

El Rondo
Level 1
Level 1

I have an old Cisco 5510 ASA 8.3 (1) been configured using ASDM 6.3 to linkup another office using site-to-site ipsec vpn connection especially for LAN-to-LAN implementation. That link was up, works fine and remain sustained for both of the sites. This ASA have been left to me since there is no more support from our contractor.

Previously there was IPSec remote access VPN have been configured to that ASA so that home users are able to access remote office using Cisco VPN Client from windows xp/7 platform. Currently there is no more windows XP/7 support from our side and we have to move on support only windows 10.
The challanges is now i have to configure SSL VPN Client (Anyconnect vpn client) from home to office on windows 10 platform. I have did the configuration as per recommendation from varoius website as well as cisco community. The connection was succeeded, i was able to connect to the office using latest cisco anyconnect secure mobility client v4.8.03036. I have splitted tunnelling the office subnet and internet connection with the hope that my split tunneling was ok. From the anyconnect client, the route details it shows that my split tunnel subnet was correctly displayed on secured routes (ipv4) and non-secured routes display 0.0.0.0/0. I was only able to access the internet and ping to my firewall but no access to my remote office. I did the No NAT examption to the VPN subnet created earlier in my codes but result remain unchanged.

My concern is that the SSL VPN license caused the limitation of the access to the my ASA? Due to my license limitation SSL VPN only supports 2 concurrent sessions. Herewith i attached the license details and sanitized the configuration file of my ASA for others to review and put some comments.

Really appreciate anyone who has come across into this issue before and share the solutions.

 

: Saved
:
ASA Version 8.3(1)
!
hostname DARLIE-ASA5510
domain-name darlie.com
enable password HHIHH&*Y*&*Y*&^&*^* encrypted
passwd ^*hjhJ&*HIH&Y encrypted
no names
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 10.9.9.2 255.255.255.224
!
interface Ethernet0/1
description Inside Interface
speed 1000
duplex full
nameif inside
security-level 100
ip address 172.16.255.254 255.255.255.248
!
interface Ethernet0/2
description DMZ Interface
nameif DMZ
security-level 70
ip address 172.16.6.1 255.255.255.224
!
interface Ethernet0/3
shutdown
nameif outside_old
security-level 0
ip address 1.1.1.100 255.255.255.224
!
interface Management0/0
shutdown
nameif management
security-level 0
ip address 172.16.0.253 255.255.255.0
management-only
!
regex Youtube "\.youtube\.com"
regex Facebook "\.facebook\.com"
banner login
banner login --------------------------------------------------------------------------------
banner login WARNING: Use of this system by unauthorized persons or in an
banner login unauthorized manner is strictly prohibited.
banner login --------------------------------------------------------------------------------
ftp mode passive
clock timezone MYT 8
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.16.4.5
name-server 172.16.4.9
domain-name darlie.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


object network Server
subnet 172.16.4.0 255.255.255.0
description # Server Network
object network User-DMZ
subnet 172.17.0.0 255.255.248.0
description # Inside to DMZ NAT
object network VPN-Pool
subnet 172.16.3.0 255.255.255.0
description # Remote Access VPN IP Pool
object network Server-DMZ
subnet 172.16.4.0 255.255.254.0
description # Server to DMZ NAT
object network Inside
subnet 172.16.255.248 255.255.255.248
description # Inside Network
object network User
subnet 172.17.0.0 255.255.248.0
description # USer LAN Network
object network PT-Network
subnet 172.31.0.0 255.255.224.0
description # network PT-Network
object-group network ALL-INSIDE
description All Known Inside Network
network-object object Server
network-object object Inside
network-object object User
object-group network DM_INLINE_NETWORK_1
network-object object Server
network-object object PT-Network


access-list DMZ_access_in extended permit ip object DMZ any
access-list outside_access_in extended deny tcp any any eq ssh
access-list outside_access_in extended permit ip any any
access-list PROXY_access_in extended permit ip any any
access-list management_access_in extended permit tcp any any eq ssh
access-list IPSecRemoteVPN extended permit ip object-group ALL-INSIDE any
access-list DMZ_access_out extended permit ip object-group ALL-INSIDE object DMZ
access-list DMZ_access_out extended permit icmp any any
access-list DMZ_access_out extended deny ip any object DMZ log critical
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group PT-Network
access-list global_access extended permit ip any any
access-list global_access_1 extended permit ip any any

pager lines 14
logging enable
logging timestamp
logging buffered debugging
logging trap errors
logging history informational
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu outside_old 1500
mtu management 1500
ip local pool IPSecPool 172.16.3.1-172.16.3.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
no failover
failover polltime unit 5 holdtime 15
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside
icmp permit any DMZ
asdm history enable
arp timeout 14400
nat (inside,outside) source static ALL-INSIDE ALL-INSIDE destination static VPN-Pool VPN-Pool
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static PT-Network PT-Network
!

object network Server
nat (inside,outside) dynamic 10.9.9.12
object network User-DMZ
nat (inside,DMZ) static 172.17.0.0
object network Server-DMZ
nat (inside,DMZ) static 172.16.4.0

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group management_access_in in interface management control-plane
access-group global_access_1 global
!
router ospf 10
router-id 172.16.255.254
network 172.16.6.0 255.255.255.0 area 0
network 172.16.255.248 255.255.255.248 area 0
log-adj-changes
redistribute static
!
route outside 0.0.0.0 0.0.0.0 10.9.9.1 1
route outside 172.31.0.0 255.255.0.0 10.9.9.1 1
route outside 172.31.1.0 255.255.255.0 10.9.9.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-cache dst 128
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http 172.17.0.0 255.255.248.0 inside
http 172.16.4.0 255.255.255.0 inside
http 172.16.255.248 255.255.255.248 inside
http 172.16.3.0 255.255.255.0 inside
http 172.16.3.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
sysopt noproxyarp inside
sysopt noproxyarp DMZ
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map HQ-CRYPTO-MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 20 set peer 10.10.10.1
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 10.10.10.1
crypto map outside_map0 1 set transform-set ESP-DES-MD5 ESP-AES-128-SHA
crypto map outside_map0 2 match address outside_cryptomap
crypto map outside_map0 2 set pfs
crypto map outside_map0 2 set peer 10.10.10.1
crypto map outside_map0 2 set transform-set ESP-DES-MD5 ESP-AES-128-SHA
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto ca trustpoint LOCALTRUST
enrollment self
subject-name CN=DARLIE,OU=IT,O=DARLIE,C=MY,St=PG
keypair VPNKEY
proxy-ldc-issuer
crl configure
crypto ca certificate chain LOCALTRUST
certificate 95a3b54c
a3633061 e701e1e6 96994f83 1f855ce8 a3b54c30 30818902 864886f7 0d010105
.
.
.
29302706 092a8648 86f70d01 0902161a 50455244 412d4153 41353531 302e7065

quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet 172.16.3.0 255.255.255.0 outside
telnet 172.31.1.0 255.255.255.0 outside
telnet 172.17.0.0 255.255.248.0 inside
telnet 172.16.255.252 255.255.255.252 inside
telnet 172.16.4.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 207.46.130.100 source outside
ssl trust-point LOCALTRUST outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1 regex "Windows NT"
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2 regex "Linux"
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3 regex "Intel Mac OS X"
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
group-policy VPNet internal
group-policy VPNet attributes
dns-server value 172.16.4.5
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSecRemoteVPN
address-pools value IPSecPool
webvpn
url-list none
svc ask enable default webvpn
customization none
username admin password YyYyYyYyYYy.XXxXxXxX. encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 1800 retry 10
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 1800 retry 10
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group (outside) LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 1800 retry 10
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
pre-shared-key *****
tunnel-group VPNet type remote-access
tunnel-group VPNet general-attributes
address-pool (inside) IPSecPool
address-pool IPSecPool
authentication-server-group (inside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
default-group-policy VPNet
tunnel-group VPNet webvpn-attributes
group-alias SSL enable
group-url https://10.9.9.1/SSL enable
tunnel-group VPNet ipsec-attributes
pre-shared-key *****
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all asdm_high_security_methods
match not request method head
match not request method get
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect ils
policy-map type inspect http HTTP-Block
description Blocked Website
parameters
protocol-violation action drop-connection log
class asdm_high_security_methods
drop-connection
match request header non-ascii
drop-connection
!
service-policy global_policy global
prompt hostname
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum 7657bt76b&YYhgggFYTR$%EFhgi9J98jjk
: end
asdm group DMZ_Servers DMZ
asdm history enable

 

5 Accepted Solutions

Accepted Solutions

Michael ONeil
Level 1
Level 1

a show version will show how many ssl vpn license you have.

you are only given 2 SSL VPN simultaneous connections by default.

Plus i would upgrade to 9.x code if possible.

the 5510 is EOL  

 

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eol_C51-727283.html

View solution in original post

as noted by @Michael ONeil he is right. your ASA unit has only complementary license which is by default 2. cisco also offering a free license due to coronavirus crisis here is the link https://blogs.cisco.com/tag/coronavirus.

please do not forget to rate.

View solution in original post

@El Rondo  Here I find few more links how cisco is helping the IT for remote network in these hard times 

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215330-obtaining-an-emergency-covid-19-anyconne.html

 

 

https://blogs.cisco.com/security/cisco-expands-free-security-offerings-to-help-with-rise-in-remote-workers

 

you can also google it and also reach to your cisco local representative for cronavirus anyconnect offer or your cisco partner they will help you in this regards.

please do not forget to rate.

View solution in original post

The SSL VPN configuration looks ok to me from my quick review. You confirmed connection and spliy tunneling. There's a proper NAT exemption for the traffic going back to VPN clients.

Can you confirm that the internal network(s) know to route back to the ASA for the VPN-Pool (172.16.3.0/24) addresses? Do you have an internal host that you can test (for example, with Wireshark) to see the traffic arriving from VPN clients and being sent back?

View solution in original post

Marvin

 

You are absolutely right. Finally I have found the root cause that my core switch had dropped packet from internal network route back to ASA for the VPN-Pool (172.16.3.0/24) addresses.

 

Initially my core switch having such below config

 

interface Vlan3         (should be removed)
ip address 172.16.3.254 255.255.255.0    (should be removed)
no ip proxy-arp      (should be removed)
no ip route-cache cef      (should be removed)
no ip route-cache      (should be removed)

ip route 172.16.3.0 255.255.255.0 172.16.255.254 (remain unchanged)

After removed "interface Vlan3" blocks then suddenly packet went through to my internal LAN and split tunnel also working fine. Thanks God I slightly missed the core switch config that 172.16.3.0/24 addresses should not be created in the there since ASA already picked it up to be DHCP server and push those addresses for the remote clients.

 

Again I would sincerely like to thank you, Sheraz.Salim and Michael ONeil a lot for helping me in this issue even it took up a long period of time to be solved. However I will be using the emergency covid license for 13 weeks at the moment. Later I will sort it out on how to purchase the permanent activation key.

 

I would consider this ticket can be closed and solved.

 

Cheers :)

 

Best Regards,

AA

View solution in original post

8 Replies 8

Michael ONeil
Level 1
Level 1

a show version will show how many ssl vpn license you have.

you are only given 2 SSL VPN simultaneous connections by default.

Plus i would upgrade to 9.x code if possible.

the 5510 is EOL  

 

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eol_C51-727283.html

Hi Micheal,

 

Yup. there are only 2 sslvpn for simultaneous connections. I thought when the connection was up then everything was good to go but unfortunately i was wrong. I had checked the config the my new contractor and he did not find any misconfig. He suggested to upgrade the license.

 

FYI we already have one unit of latest 5525-X firepower running for the second line. I would probably considering to purchase an upgrade license for my 5510 unit and cross transfer the license to 5525-X unit when no longer needed it.

as noted by @Michael ONeil he is right. your ASA unit has only complementary license which is by default 2. cisco also offering a free license due to coronavirus crisis here is the link https://blogs.cisco.com/tag/coronavirus.

please do not forget to rate.

I had talked with our contractor about this. He had come an experience in similar case where cisco no longer allowed client to use cisco anyconnect (sslvpn) on platform windows 10 without first upgrade the license. The last one cisco allowed this which was on windows 7 but not anymore on windows 10. 

 

Sheraz.Salim - thanks for the link given about the free license. I had forward this to my contractor and waiting feedback from him. Hopefully there is something we can get from cisco during covid outbreak.

@El Rondo  Here I find few more links how cisco is helping the IT for remote network in these hard times 

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215330-obtaining-an-emergency-covid-19-anyconne.html

 

 

https://blogs.cisco.com/security/cisco-expands-free-security-offerings-to-help-with-rise-in-remote-workers

 

you can also google it and also reach to your cisco local representative for cronavirus anyconnect offer or your cisco partner they will help you in this regards.

please do not forget to rate.

I had obtained the temporary license from the link and the the license activated as per said ssl vpn 250 users just for 13 weeks period. However i still unable to access my remote LAN or ping any host. My split tunnel working fine. I had attached the temporary license for your review.

 

During the activation process it prompted that "ASA 8.0.4+ or 8.1.2+ only" . Does it available to only that particular OS? or can it support my ASA 8.3 (+1) ?

 

I wonder what else can i do the make the ssl vpn works for this time being. Otherwise i have to find permanent solution by considering purchase the AnyConnect Essentials or AnyConnect Premium. 

 

Kindly advise

The SSL VPN configuration looks ok to me from my quick review. You confirmed connection and spliy tunneling. There's a proper NAT exemption for the traffic going back to VPN clients.

Can you confirm that the internal network(s) know to route back to the ASA for the VPN-Pool (172.16.3.0/24) addresses? Do you have an internal host that you can test (for example, with Wireshark) to see the traffic arriving from VPN clients and being sent back?

Marvin

 

You are absolutely right. Finally I have found the root cause that my core switch had dropped packet from internal network route back to ASA for the VPN-Pool (172.16.3.0/24) addresses.

 

Initially my core switch having such below config

 

interface Vlan3         (should be removed)
ip address 172.16.3.254 255.255.255.0    (should be removed)
no ip proxy-arp      (should be removed)
no ip route-cache cef      (should be removed)
no ip route-cache      (should be removed)

ip route 172.16.3.0 255.255.255.0 172.16.255.254 (remain unchanged)

After removed "interface Vlan3" blocks then suddenly packet went through to my internal LAN and split tunnel also working fine. Thanks God I slightly missed the core switch config that 172.16.3.0/24 addresses should not be created in the there since ASA already picked it up to be DHCP server and push those addresses for the remote clients.

 

Again I would sincerely like to thank you, Sheraz.Salim and Michael ONeil a lot for helping me in this issue even it took up a long period of time to be solved. However I will be using the emergency covid license for 13 weeks at the moment. Later I will sort it out on how to purchase the permanent activation key.

 

I would consider this ticket can be closed and solved.

 

Cheers :)

 

Best Regards,

AA

Review Cisco Networking for a $25 gift card