ASA5520 - Help with anyconnect VPN

Hello

I have just set up AnyConnect VPN on my box. I'm running ASA 8.4. I can connect with the AnyConnect client, but I can't access any networks.

What's wrong?

This is my config:

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password PLBb27eKLE1o9FTB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif WAN
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 10.0.0.10
 host 10.0.0.10
object network 10.0.0.10_rdp
 host 10.0.0.10
object network NETWORK_OBJ_10.0.0.0_24
 subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_10.0.1.0_24
 subnet 10.0.1.0 255.255.255.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
access-list WAN_access_in extended permit tcp any object 10.0.0.10 eq 2453
access-list WAN_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
pager lines 24
logging enable
logging asdm warnings
mtu WAN 1500
mtu inside 1500
ip local pool SSLVPN_Pool 10.0.1.10-10.0.1.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
nat (inside,WAN) source static any any destination static NETWORK_OBJ_10.0.1.0_24 NETWORK_OBJ_10.0.1.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,WAN) dynamic interface
object network 10.0.0.10_rdp
 nat (any,WAN) static interface service tcp 2453 2453
access-group WAN_access_in in interface WAN
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn hostname
 subject-name CN=hostname
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 49b52651
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable WAN client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.30-10.0.0.80 inside
dhcpd dns 82.147.40.2 82.147.40.34 interface inside
dhcpd lease 691200 interface inside
dhcpd enable inside
!
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 WAN
webvpn
 enable WAN
 anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1
 anyconnect profiles SSLVPN_client_profile disk0:/SSLVPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
 wins-server none
 dns-server value 82.147.40.2
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain none
 webvpn
  anyconnect profiles value SSLVPN_client_profile type user
username thomas password dZfdrhtfPFvvxpnH encrypted
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool SSLVPN_Pool
 default-group-policy GroupPolicy_SSLVPN
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:e119cd420d57e1f89ac411a561768517
: end

3 Replies

Andrew Phirsov
Level 7

Check if the hosts on the networks you're trying to connect to have a correct route to the VPN pool subnet through the ASA's inside interface.

Not sure if I get what you are saying. Can you explain it?

And is the rest of the config correct?

jslevin
Level 1

Thomas,

Look to see if you have this set up. It might be easier to look for this using ASDM, under Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Click on your default group policy. Under Advanced, click on Split Tunneling.

Policy: Tunnel Network List Below

Network List: Admin_Split_Tunnel. Click Manage on the right side.

Click Add, then add the inside network and mask (example: 10.0.0.0/8, Standard Access List), action = permit.

Hope this helps

John
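The ASDM steps John describes, written as the equivalent ASA CLI for this thread's config, followed by two exec commands to verify the result. This is an added example, not part of any post in the thread: the access-list name Admin_Split_Tunnel is taken from the reply, GroupPolicy_SSLVPN and the 10.0.0.0/24 inside subnet come from the posted config, and the packet-tracer addresses are constructed from that config.

```text
! Standard ACL listing the networks the client should send through the tunnel.
! 10.0.0.0/24 is the inside subnet in the posted config; the reply's 10.0.0.0/8
! example would also work but is much wider than the network actually in use.
access-list Admin_Split_Tunnel standard permit 10.0.0.0 255.255.255.0
!
! Attach the list to the group policy that tunnel-group SSLVPN already uses.
group-policy GroupPolicy_SSLVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Admin_Split_Tunnel
!
! Verification (exec mode, after a client reconnects):
! 1. Confirm the session shows the pool address, group policy and split ACL.
show vpn-sessiondb detail anyconnect
! 2. Simulate the posted inside host (10.0.0.10) answering the first pool
!    address (10.0.1.10); constructed ports. The trace should end with
!    "Action: allow" and list the NAT exemption rule from the posted config.
packet-tracer input inside tcp 10.0.0.10 3389 10.0.1.10 50000
```

If the packet-tracer drops the packet, the phase it names (ACL, NAT or route lookup) points at the part of the config to fix before looking at host routes.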
