02-06-2022 08:39 PM
I just setup a 5512 ASA, the AnyConnect clients connect but are unable to talk to anything on the inside network.
I have included a sanitized config. Any assistance would be greatly appreciated!!
ASA Version 9.12(4)18
!
hostname TEST-ASA
domain-name TEST.org
enable password XXXXXXXXXXXXXXXXX
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
ip local pool VPN-POOL 10.88.33.1-10.88.33.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address XXX.XXX.222.205 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.11.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name TEST.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network test-network
subnet 192.168.13.0 255.255.0.0
object network dispatch-network
subnet 192.168.12.0 255.255.255.0
object network admin-network
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_10.88.33.0_24
subnet 10.88.33.0 255.255.255.0
object-group network split-tunnel-networks
network-object 192.168.11.0 255.255.255.0
network-object object admin-network
network-object object cjnet-network
network-object object dispatch-network
access-list split_tunnel standard permit 192.168.11.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7161.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static split-tunnel-networks split-tunnel-networks destination static NETWORK_OBJ_10.88.33.0_24 NETWORK_OBJ_10.88.33.0_24 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 XXX.XXX.222.201 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=TEST-ASA
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
hsts
enable
max-age 31536000
include-sub-domains
no preload
http-headers
x-content-type-options
x-xss-protection
content-security-policy
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.8.02045-webdeploy-k9.pkg 1
anyconnect profiles MCT-User_client_profile disk0:/MCT-User_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_MCT-User internal
group-policy GroupPolicy_MCT-User attributes
wins-server none
dns-server value 192.168.11.9 192.168.11.10
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value mcso-fl.org
address-pools value VPN-POOL
webvpn
anyconnect profiles value MCT-User_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username TEST1 password XXXXXXXXXX privilege 15
tunnel-group MCT-User type remote-access
tunnel-group MCT-User general-attributes
address-pool VPN-POOL
default-group-policy GroupPolicy_MCT-User
tunnel-group MCT-User webvpn-attributes
group-alias MCT-User enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3bae6d255e1d00805bb2fd055f2e2bbd
: end
Solved! Go to Solution.
02-09-2022 04:43 PM
does 192.168.11.9 is added in your NAT exemption rule?
the way you describe it seems that 192.168.11.9 is showing in anyconnect routing table but ASA does have a NAT rule exeption for this IP address.
could you double check if its applied on NAT expemtion. and also could you give me output of the command "show nat detail"
all i can think is it has missing in NAT table on ASA.
02-11-2022 10:17 PM
I inadvertently figured something out, So any servers that use this ASA as the default gateway can be accessed from the AnyConnect VPN.
I believe it has something to do with ARP. How can I get the ASA to allow access to all devices in the subnet? not just the devices that connect to the internet through it??
02-11-2022 11:35 PM
It could be that the downstream router or core switch that is being used as the default gateway by the devices that are not pointing to the firewall doesn't have a route to get back to AnyConnect pool via the firewall.
02-12-2022 08:24 AM
I added the route to the default gateway and it resolved the issue!!
Thank you for the insight. I appreciate all of the assistance
02-12-2022 12:54 AM
@cruseb1 it does make sense what @Aref Alsouqi mentioned. is there any layer3 device present in between the ASA behind ASA inside interface?
do you have a topology diagram of your network?
02-07-2022 05:50 PM - edited 02-07-2022 05:54 PM
Here is the config after changes requested:
ASA Version 9.12(4)18
!
hostname TEST-ASA
domain-name TEST.org
enable password XXXXXXXX
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
names
no mac-address auto
ip local pool VPN-POOL 10.88.33.1-10.88.33.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address XXX.XXX.XXX.205 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.11.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name mcso-fl.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network cjnet-network
subnet 192.168.13.0 255.255.0.0
object network dispatch-network
subnet 192.168.12.0 255.255.255.0
object network admin-network
subnet 192.168.10.0 255.255.255.0
object network Anyconnect-network
subnet 10.88.33.0 255.255.255.0
object network inside-network
subnet 192.168.11.0 255.255.255.0
object-group network split-tunnel-networks
network-object object admin-network
network-object object cjnet-network
network-object object dispatch-network
network-object object inside-network
access-list split_tunnel standard permit 192.168.11.0 255.255.255.0
access-list split_tunnel standard permit 192.168.10.0 255.255.255.0
access-list split_tunnel standard permit 192.168.12.0 255.255.255.0
access-list outside_access_in extended permit ip object Anyconnect-network object inside-network
access-list outside_access_in extended permit ip object-group split-tunnel-networks object inside-network
access-list outside_access_in extended permit ip object Anyconnect-network 192.168.11.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
asdm image disk0:/asdm-7161.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192nat (inside,outside) source static split-tunnel-networks split-tunnel-networks destination static Anyconnect-network Anyconnect-network no-proxy-arp route-lookup ( I removed this after seeing two nat statements)
nat (inside,outside) source static inside-network inside-network destination static Anyconnect-network Anyconnect-network
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.201 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=MCSO-ASA
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
hsts
enable
max-age 31536000
include-sub-domains
no preload
http-headers
x-content-type-options
x-xss-protection
content-security-policy
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.8.02045-webdeploy-k9.pkg 1
anyconnect profiles MCT-User_client_profile disk0:/MCT-User_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_MCT-User internal
group-policy GroupPolicy_MCT-User attributes
wins-server none
dns-server value 192.168.11.9 192.168.11.10
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value mcso-fl.org
address-pools value VPN-POOL
webvpn
anyconnect profiles value MCT-User_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username cruseb1 password $sha512$5000$WgZv0fQlt4m3IqWAQVU00Q==$5tXjLdltuxs3mTnKaECQpQ== pbkdf2 privilege 15
tunnel-group MCT-User type remote-access
tunnel-group MCT-User general-attributes
address-pool VPN-POOL
default-group-policy GroupPolicy_MCT-User
tunnel-group MCT-User webvpn-attributes
group-alias MCT-User enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7c5acc497dd2944357a1bb9caf8955eb
: end
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide