01-27-2016 05:36 PM - edited 03-12-2019 12:12 AM
Hi guys
I've been having an issue with this for a week now.
My setup is an ASA connected to a Layer 3 switch with VLAN 158 (10.158.0.0/16) and VLAN 193 (10.193.0.0/16). VLAN 193 is for our servers.
The ASA inside interface is connected to VLAN 158 on the Layer 3 switch with an IP address of 10.158.2.6 255.255.0.0.
My VPN pool is 172.30.30.1 to 172.30.30.10 /16.
After connecting to the VPN with an IP assigned from the VPN pool, I was successful in connecting to the 10.158.0.0 network after I created a no-NAT rule between VLAN 158 and the VPN pool.
After doing the same no-NAT rule between the VPN pool and my server subnet in VLAN 193 (10.193.0.0/16), I was unable to ping hosts on VLAN 193:
nat (inside,outside) source static ServerSubnet ServerSubnet destination static RA_VPN_TEST RA_VPN_TEST
I don't think there's a routing issue here, because pings from the ASA inside interface to VLAN 193 all succeed using the VLAN 158 gateway.
Please see running-config below.
Take note of the following first:
1. The management interface is disconnected from VLAN 193.
2. The majority of the twice-NAT rules are inactive.
3. The majority of the network NAT objects are also inactive.
ASA Version 9.1(1)
!
hostname SMMDZRA002
domain-name smmph.local
enable password 8T8R6XdsfHe6TaJO encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd iimrgUvTSQcRUuCl encrypted
names
ip local pool mypool 172.16.1.1-172.16.1.254
ip local pool mailpool 10.158.30.1-10.158.30.254
ip local pool 158POOL 172.30.30.1-172.30.30.10 mask 255.255.0.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.158.2.6 255.255.0.0
!
interface GigabitEthernet0/2
shutdown
nameif intf2
security-level 0
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.193.1.250 255.255.0.0
!
ftp mode passive
clock timezone SGT 8
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.193.1.1
name-server 10.193.1.6
domain-name smmph.local
same-security-traffic permit inter-interface
object network OBJ-10.158.2.25
host 10.158.2.25
object network OBJ-10.158.2.2
host 10.158.2.2
object network OBJ-10.159.1.2
host 10.159.1.2
object network obj-10.60.1.7
host 10.60.1.7
object network obj-10.60.1.60
host 10.60.1.60
object network obj-10.60.1.85
host 10.60.1.85
object network obj-10.60.1.91
host 10.60.1.91
object network obj-10.60.1.206
host 10.60.1.206
object network obj-10.60.1.241
host 10.60.1.241
object network obj-10.60.1.244
host 10.60.1.244
object network obj-10.60.1.245
host 10.60.1.245
object network obj-10.60.1.246
host 10.60.1.246
object network obj-10.60.1.247
host 10.60.1.247
object network obj-10.158.2.4
host 10.158.2.4
object network obj-10.158.2.11
host 10.158.2.11
object network obj-10.158.2.12
host 10.158.2.12
object network obj-10.158.2.28
host 10.158.2.28
object network obj-10.158.2.38
host 10.158.2.38
object network obj-10.158.2.50
host 10.158.2.50
object network obj-10.158.2.52
host 10.158.2.52
object network obj-10.158.10.6
host 10.158.10.6
object network obj-10.159.1.4
host 10.159.1.4
object network obj-10.159.1.10
host 10.159.1.10
object network obj-10.159.1.251
host 10.159.1.251
object network obj-10.159.1.253
host 10.159.1.253
object network obj-10.159.0.0_16
subnet 10.159.0.0 255.255.0.0
object network obj-172.16.1.0_24
subnet 172.16.1.0 255.255.255.0
object network obj-10.158.30.0_24
subnet 10.158.30.0 255.255.255.0
object network obj-10.158.0.0_16
subnet 10.158.0.0 255.255.0.0
object network obj-outside
host 203.177.11.5
object network obj-10.20.1.0_24
subnet 10.20.1.0 255.255.255.0
object network obj-10.30.1.0_24
subnet 10.30.1.0 255.255.255.0
object network obj-10.40.1.0_24
subnet 10.40.1.0 255.255.255.0
object network obj-10.50.1.0_24
subnet 10.50.1.0 255.255.255.0
object network obj-10.60.1.0_24
subnet 10.60.1.0 255.255.255.0
object network obj-10.70.1.0_24
subnet 10.70.1.0 255.255.255.0
object network obj-10.80.1.0_24
subnet 10.80.1.0 255.255.255.0
object network obj-10.90.1.0_24
subnet 10.90.1.0 255.255.255.0
object network obj-10.20.0.0_16
subnet 10.20.0.0 255.255.0.0
object network obj-10.30.0.0_16
subnet 10.30.0.0 255.255.0.0
object network obj-10.40.0.0_16
subnet 10.40.0.0 255.255.0.0
object network obj-10.50.0.0_16
subnet 10.50.0.0 255.255.0.0
object network obj-10.60.0.0_16
subnet 10.60.0.0 255.255.0.0
object network obj-10.70.0.0_16
subnet 10.70.0.0 255.255.0.0
object network obj-10.80.0.0_16
subnet 10.80.0.0 255.255.0.0
object network obj-10.90.0.0_16
subnet 10.90.0.0 255.255.0.0
object network obj-144.36.217.201
host 144.36.217.201
object network obj-58.137.205.2
host 58.137.205.2
object network obj-10.161.2.250
host 10.161.2.250
description Manila Proxy IP
object network SMMPH-IT_IP
range 10.161.2.96 10.161.2.102
description SMMPH-IT_IP
object network NETWORK_OBJ_10.158.0.0_16
subnet 10.158.0.0 255.255.0.0
object network NETWORK_OBJ_10.158.10.80_29
subnet 10.158.10.80 255.255.255.248
object network inside158
subnet 10.158.0.0 255.255.0.0
object network ServerSub2
subnet 10.193.1.0 255.255.255.0
object network ServerSubnet
subnet 10.193.0.0 255.255.0.0
object network IN158
subnet 10.158.0.0 255.255.0.0
object network IN161
subnet 10.161.0.0 255.255.0.0
object network IN193
subnet 10.193.1.0 255.255.255.0
object network INSIDE158
subnet 10.158.0.0 255.255.0.0
object network INSIDE161
subnet 10.161.0.0 255.255.0.0
object network INSIDE193
subnet 10.193.0.0 255.255.0.0
object network obj10.158.2.50
host 10.158.2.50
object network 203.177.11.3
host 203.177.11.3
object network obj10.158.2.25
host 10.158.2.25
object network 203.177.11.3(S)
host 203.177.11.3
object network obj-10.60.1.242
host 10.60.1.242
object network obj-10.60.1.243
host 10.60.1.243
object network RA_VPN_TEST
subnet 172.30.0.0 255.255.0.0
access-list 101 extended permit ip 10.159.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list 101 extended permit ip 10.159.0.0 255.255.0.0 10.158.30.0 255.255.255.0
access-list 101 extended permit ip 10.158.0.0 255.255.0.0 10.158.30.0 255.255.255.0
access-list ftp.jgc.co.jp extended permit tcp host 10.158.10.130 host 150.5.65.99 eq ftp
access-list acl-outside extended deny tcp host 60.254.0.0 any eq www
access-list 102 extended permit ip 10.158.0.0 255.255.0.0 host 144.36.217.201
access-list 103 extended permit ip 10.159.0.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.20.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.30.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.40.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.50.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.60.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.70.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.80.1.0 255.255.255.0 host 144.36.217.201
access-list 103 extended permit ip 10.90.1.0 255.255.255.0 host 144.36.217.201
access-list 104 extended permit ip 10.158.0.0 255.255.0.0 host 58.137.205.2
access-list 105 extended permit ip 10.159.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.20.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.30.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.40.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.50.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.60.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.70.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.80.0.0 255.255.255.0 host 58.137.205.2
access-list 105 extended permit ip 10.90.0.0 255.255.255.0 host 58.137.205.2
access-list inside_access_in remark Cisco IronPort C170
access-list inside_access_in extended permit ip object OBJ-10.158.2.25 any inactive
access-list inside_access_in remark Manila Mail Server
access-list inside_access_in extended permit ip object OBJ-10.158.2.2 any inactive
access-list inside_access_in remark Manila Proxy
access-list inside_access_in remark Blue Coat 300
access-list inside_access_in extended permit ip object obj-10.161.2.250 any
access-list inside_access_in remark Manila Proxy
access-list inside_access_in extended permit ip object obj-10.158.2.50 any
access-list inside_access_in extended permit ip host 10.158.2.103 any
access-list SMMPH standard permit 10.193.0.0 255.255.0.0
no pager
logging enable
logging buffered debugging
logging trap notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu management 1500
ip verify reverse-path interface outside
ip audit attack action alarm drop reset
no failover
icmp unreachable rate-limit 10 burst-size 5
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static ServerSubnet ServerSubnet destination static RA_VPN_TEST RA_VPN_TEST
nat (inside,outside) source static obj-10.159.0.0_16 obj-10.159.0.0_16 destination static obj-172.16.1.0_24 obj-172.16.1.0_24 inactive
nat (inside,outside) source static obj-10.159.0.0_16 obj-10.159.0.0_16 destination static obj-10.158.30.0_24 obj-10.158.30.0_24
nat (inside,outside) source static obj-10.158.0.0_16 obj-10.158.0.0_16 destination static obj-10.158.30.0_24 obj-10.158.30.0_24
nat (inside,outside) source dynamic obj-10.158.0.0_16 interface
nat (inside,outside) source dynamic obj-10.20.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.30.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.40.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.50.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.60.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.70.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.80.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.90.1.0_24 interface destination static obj-144.36.217.201 obj-144.36.217.201 inactive
nat (inside,outside) source dynamic obj-10.158.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.159.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.20.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.30.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.40.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.50.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.60.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.70.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.80.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source dynamic obj-10.90.0.0_16 interface destination static obj-58.137.205.2 obj-58.137.205.2 inactive
nat (inside,outside) source static NETWORK_OBJ_10.158.0.0_16 NETWORK_OBJ_10.158.0.0_16 destination static NETWORK_OBJ_10.158.10.80_29 NETWORK_OBJ_10.158.10.80_29 no-proxy-arp route-lookup inactive
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.158.10.80_29 NETWORK_OBJ_10.158.10.80_29 no-proxy-arp route-lookup inactive
!
object network OBJ-10.158.2.25
nat (inside,outside) static 203.177.11.3 net-to-net
object network OBJ-10.158.2.2
nat (inside,outside) static 203.177.11.4 net-to-net
object network OBJ-10.159.1.2
nat (inside,outside) static 203.177.11.2 net-to-net
object network obj-10.60.1.7
nat (inside,outside) dynamic interface
object network obj-10.60.1.60
nat (inside,outside) dynamic interface
object network obj-10.60.1.85
nat (inside,outside) dynamic interface
object network obj-10.60.1.91
nat (inside,outside) dynamic interface
object network obj-10.60.1.206
nat (inside,outside) dynamic interface
object network obj-10.60.1.241
nat (inside,outside) dynamic interface
object network obj-10.60.1.244
nat (inside,outside) dynamic interface
object network obj-10.60.1.245
nat (inside,outside) dynamic interface
object network obj-10.60.1.246
nat (inside,outside) dynamic interface
object network obj-10.60.1.247
nat (inside,outside) dynamic interface
object network obj-10.158.2.4
nat (inside,outside) dynamic interface
object network obj-10.158.2.11
nat (inside,outside) dynamic interface
object network obj-10.158.2.12
nat (inside,outside) dynamic interface
object network obj-10.158.2.28
nat (inside,outside) dynamic interface
object network obj-10.158.2.38
nat (inside,outside) dynamic interface
object network obj-10.158.2.50
nat (inside,outside) dynamic interface
object network obj-10.158.2.52
nat (inside,outside) dynamic interface
object network obj-10.158.10.6
nat (inside,outside) dynamic interface
object network obj-10.159.1.4
nat (inside,outside) dynamic interface
object network obj-10.159.1.10
nat (inside,outside) dynamic interface
object network obj-10.159.1.251
nat (inside,outside) dynamic interface
object network obj-10.159.1.253
nat (inside,outside) dynamic interface
object network obj-10.60.1.242
nat (inside,outside) dynamic interface
object network obj-10.60.1.243
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 122.52.52.41 1
route inside 10.0.0.0 255.0.0.0 10.158.1.1 1
route inside 10.159.0.0 255.255.0.0 10.158.2.100 1
route management 10.161.2.0 255.255.255.0 10.193.255.254 1
route inside 192.168.10.0 255.255.255.252 10.158.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record DAP-GP-VPNAC-TEST2
dynamic-access-policy-record DAP-GP-VPNAC-TEST
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server SG-GP-VPNAC-TEST protocol ldap
aaa-server SG-GP-VPNAC-TEST (inside) host 10.193.1.1
ldap-base-dn dc=smmph, dc=local
ldap-scope subtree
ldap-naming-attribute SamAccountName
ldap-login-password *****
ldap-login-dn cn=administrator, cn=users, dc=smmph, dc=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 10.158.0.0 255.255.0.0 inside
http 10.159.1.16 255.255.255.255 inside
http 10.161.2.0 255.255.255.0 inside
http 10.161.2.99 255.255.255.255 management
http 10.161.2.101 255.255.255.255 management
http 10.161.2.102 255.255.255.255 management
http 10.161.2.98 255.255.255.255 management
http 10.161.2.96 255.255.255.255 management
http 10.161.2.97 255.255.255.255 management
http 10.193.1.0 255.255.255.0 inside
snmp-server host inside 10.158.254.254 poll community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 10 set ikev1 transform-set myset
crypto dynamic-map dynmap 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto ca trustpoint SMMDZRA002_TrustPoint0
enrollment self
subject-name CN=SMMDZRA002
keypair SMMDZRA002KP
crl configure
crypto ca trustpool policy
crypto ca certificate chain SMMDZRA002_TrustPoint0
certificate d9ac7656
308201fb 30820164 a0030201 020204d9 ac765630 0d06092a 864886f7 0d010105
05003042 31133011 06035504 03130a53 4d4d445a 52413030 32312b30 2906092a
864886f7 0d010902 161c534d 4d445a52 41303032 2e436973 636f4153 412d3535
34352e63 6f6d301e 170d3136 30313231 30373236 33345a17 0d323630 31313830
37323633 345a3042 31133011 06035504 03130a53 4d4d445a 52413030 32312b30
2906092a 864886f7 0d010902 161c534d 4d445a52 41303032 2e436973 636f4153
412d3535 34352e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00
30818902 818100b8 4eb35cdb f45b2a35 aeee5a0c 8ff0b915 04a71205 7eea4f1d
4f8416a4 23f44f0a 34745bfb 188b25a2 fc4ce95a 7c434084 bc553439 518d52e2
68f41793 58b40c17 254c3854 c05708be ce28597b a6e4174a 78d5bcda 926dfec2
a1a187d0 6237fff8 dc19814a ea902e02 a0c4cb79 75ead721 f48a2bd4 27212348
151657fc b9909502 03010001 300d0609 2a864886 f70d0101 05050003 81810047
6ae1e858 25a8c692 4f1efbfc 31ad9c00 bb24285c 6a6d6b20 ce24ba54 2f45347b
d4852c07 5445fd63 291e7a56 72804cbf aa23bb9f 40775a46 785efcd1 4cf28531
3562e30e d1b27787 86f46c66 80807934 5b115e56 14c29d88 3df5870a 4d708763
2c442855 701da13f 5574ee6e 3e74f342 72742440 cfcefc37 eb7ee98b 0dfcb3
quit
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint SMMDZRA002_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 10.158.0.0 255.255.0.0 inside
telnet 10.159.0.0 255.255.0.0 inside
telnet 10.60.1.0 255.255.255.0 inside
telnet 10.158.0.0 255.255.0.0 intf2
telnet 10.159.0.0 255.255.0.0 intf2
telnet 10.60.1.0 255.255.255.0 intf2
telnet timeout 5
ssh 10.161.2.98 255.255.255.255 inside
ssh 10.161.2.99 255.255.255.255 inside
ssh 10.161.2.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point SMMDZRA002_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles CP-GP-VPNAC-TEST_client_profile disk0:/CP-GP-VPNAC-TEST_client_profile.xml
anyconnect profiles CP-VPNAC-TEST2_client_profile disk0:/CP-VPNAC-TEST2_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_CP-GP-VPNAC-TEST internal
group-policy GroupPolicy_CP-GP-VPNAC-TEST attributes
wins-server none
dns-server value 10.193.1.1 10.193.1.6
vpn-tunnel-protocol ikev2 ssl-client
default-domain value smmph.local
webvpn
anyconnect profiles value CP-GP-VPNAC-TEST_client_profile type user
group-policy GroupPolicy_CP-VPNAC-TEST2 internal
group-policy GroupPolicy_CP-VPNAC-TEST2 attributes
wins-server none
dns-server value 10.193.1.1 10.193.1.6
vpn-tunnel-protocol ikev2 ssl-client
default-domain value smmph.local
webvpn
anyconnect profiles value CP-VPNAC-TEST2_client_profile type user
tunnel-group CP-GP-VPNAC-TEST type remote-access
tunnel-group CP-GP-VPNAC-TEST general-attributes
address-pool 158POOL
authentication-server-group SG-GP-VPNAC-TEST
default-group-policy GroupPolicy_CP-GP-VPNAC-TEST
tunnel-group CP-GP-VPNAC-TEST webvpn-attributes
group-alias CP-GP-VPNAC-TEST enable
tunnel-group CP-VPNAC-TEST2 type remote-access
tunnel-group CP-VPNAC-TEST2 general-attributes
address-pool 158POOL
authentication-server-group SG-GP-VPNAC-TEST
default-group-policy GroupPolicy_CP-VPNAC-TEST2
tunnel-group CP-VPNAC-TEST2 webvpn-attributes
group-alias CP-VPNAC-TEST2 enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect http
inspect icmp
class class-default
set connection decrement-ttl
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 23
subscribe-to-alert-group configuration periodic monthly 23
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:210096a352e0a30803fcf07d6f2a2aa1
Thank you in advance!
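Editor's added example, not part of the original post and not something the poster ran: a small Python model of the two lookups this question turns on, which interface a destination is routed out of and which section-1 (twice) NAT rule a flow hits first. It is built from the interfaces, static routes and the active `nat (inside,outside) source ...` lines in the running-config above, in their original order. The outside address is masked as x.x.x.x in the post, so a placeholder outside prefix is assumed; the `mgmt_up` flag is an assumption used to model the management port being unplugged, as the poster says it is. The model approximates ASA behaviour (longest-prefix match, connected routes only while the interface is up, section-1 rules evaluated top-down, `inactive` rules skipped, static rules matched in both directions, dynamic rules only real-to-mapped) and is meant for reasoning about the posted config, not as a replacement for running `packet-tracer` on the box.

```python
"""Editor-added model (not from the post) of ASA route lookup and section-1
(twice) NAT first-match, built from the interfaces, static routes and NAT
lines in the running-config above.  The outside prefix is an ASSUMED
placeholder (the post masks it); mgmt_up models the unplugged management port.
Approximation for reasoning only; confirm with packet-tracer on the ASA."""
import re
from ipaddress import ip_address, ip_network

# Connected networks per interface (from the config).
INTERFACES = {
    "outside": "192.0.2.0/29",      # ASSUMED placeholder for x.x.x.x 255.255.255.248
    "inside": "10.158.0.0/16",      # 10.158.2.6 255.255.0.0
    "management": "10.193.0.0/16",  # 10.193.1.250 255.255.0.0, management-only
}

# Static routes copied from the config: (interface, prefix, next hop).
STATIC_ROUTES = [
    ("outside", "0.0.0.0/0", "122.52.52.41"),
    ("inside", "10.0.0.0/8", "10.158.1.1"),
    ("inside", "10.159.0.0/16", "10.158.2.100"),
    ("management", "10.161.2.0/24", "10.193.255.254"),
    ("inside", "192.168.10.0/30", "10.158.1.1"),
]

# Network objects referenced by the section-1 rules modelled below.
OBJECTS = {
    "ServerSubnet": "10.193.0.0/16", "RA_VPN_TEST": "172.30.0.0/16",
    "obj-10.159.0.0_16": "10.159.0.0/16", "obj-10.158.30.0_24": "10.158.30.0/24",
    "obj-10.158.0.0_16": "10.158.0.0/16", "obj-172.16.1.0_24": "172.16.1.0/24",
    "any": "0.0.0.0/0",
}

# The active section-1 rules from the config in their original order, plus one
# of the many 'inactive' lines to show that those are skipped, not matched.
NAT_LINES = [
    "nat (inside,outside) source static ServerSubnet ServerSubnet destination static RA_VPN_TEST RA_VPN_TEST",
    "nat (inside,outside) source static obj-10.159.0.0_16 obj-10.159.0.0_16 destination static obj-172.16.1.0_24 obj-172.16.1.0_24 inactive",
    "nat (inside,outside) source static obj-10.159.0.0_16 obj-10.159.0.0_16 destination static obj-10.158.30.0_24 obj-10.158.30.0_24",
    "nat (inside,outside) source static obj-10.158.0.0_16 obj-10.158.0.0_16 destination static obj-10.158.30.0_24 obj-10.158.30.0_24",
    "nat (inside,outside) source dynamic obj-10.158.0.0_16 interface",
]

RULE_RE = re.compile(
    r"nat \((?P<real_if>\w+),(?P<mapped_if>\w+)\) source (?P<kind>static|dynamic) "
    r"(?P<rs>\S+) (?P<ms>\S+)(?: destination static (?P<rd>\S+) (?P<md>\S+))?(?P<opts>(?: \S+)*)$"
)


def parse_rule(line):
    """Split one twice-NAT line into its real/mapped halves and options."""
    m = RULE_RE.match(line)
    if m is None:
        raise ValueError(f"unsupported NAT syntax: {line}")
    g = m.groupdict()
    return {
        "real_if": g["real_if"], "mapped_if": g["mapped_if"], "static": g["kind"] == "static",
        "real_src": g["rs"], "mapped_src": g["ms"],
        "real_dst": g["rd"] or "any", "mapped_dst": g["md"] or "any",
        "inactive": "inactive" in g["opts"].split(),
    }


def route_lookup(dst, mgmt_up=True):
    """Longest-prefix match over connected + static routes -> (interface, next hop).
    Connected routes are listed first so they win a prefix-length tie, and they
    only exist while the interface is up; mgmt_up=False models the unplugged
    management port, which also withdraws the static route via management."""
    cands = [(ip_network(n), i, "connected") for i, n in INTERFACES.items()]
    cands += [(ip_network(p), i, nh) for i, p, nh in STATIC_ROUTES]
    if not mgmt_up:
        cands = [c for c in cands if c[1] != "management"]
    d = ip_address(dst)
    best = max((c for c in cands if d in c[0]), key=lambda c: c[0].prefixlen, default=None)
    return None if best is None else (best[1], best[2])


def _member(obj, addr):
    return ip_address(addr) in ip_network(OBJECTS[obj])


def match_twice_nat(ingress, src, dst, lines=NAT_LINES):
    """First active section-1 rule the flow matches -> (rule index, egress, action).
    Static rules are checked real->mapped and mapped->real; dynamic rules only
    real->mapped.  Egress is taken from the rule's interface pair, as the ASA
    does when the rule has no 'route-lookup' keyword."""
    for i, r in enumerate(parse_rule(l) for l in lines):
        if r["inactive"]:
            continue
        identity = r["real_src"] == r["mapped_src"] and r["real_dst"] == r["mapped_dst"]
        if ingress == r["real_if"] and _member(r["real_src"], src) and _member(r["real_dst"], dst):
            action = "identity" if identity else ("static" if r["static"] else f"PAT to {r['mapped_src']}")
            return i, r["mapped_if"], action
        if r["static"] and ingress == r["mapped_if"] and _member(r["mapped_dst"], src) and _member(r["mapped_src"], dst):
            return i, r["real_if"], "identity" if identity else "static (untranslate)"
    return None, None, "no section-1 match"


if __name__ == "__main__":
    for flow in [("outside", "172.30.30.5", "10.193.1.10"), ("inside", "10.193.1.10", "172.30.30.5"),
                 ("inside", "10.158.2.25", "172.30.30.5")]:
        print(flow, "->", match_twice_nat(*flow))
    for up in (True, False):
        print("10.193.1.10 with management", "up" if up else "down", "->", route_lookup("10.193.1.10", up))
```

Two things the model makes visible: with the management interface up, the connected 10.193.0.0/16 on `management` is a longer match than `route inside 10.0.0.0/8`, so the route lookup for a 10.193.x host lands on the management-only interface rather than inside; and a 10.158.x host talking to a VPN-pool address falls through to the `source dynamic ... interface` PAT rule unless an identity rule for that pair sits above it, which is why the exemption for VLAN 158 was needed. To check the real box rather than the model, compare against `packet-tracer input outside icmp 172.30.30.5 8 0 10.193.1.10`, `packet-tracer input inside icmp 10.193.1.10 8 0 172.30.30.5`, `show route` and `show nat detail`.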
01-31-2016 04:47 PM
Hi
I still cannot ping the VPN client IP address from the 193 hosts. Might it be a routing issue also?
thanks