Double Colon as Default Gateway-ASA 5505

adam.fenner · ‎01-13-2017

I am new to setting up an ASA 5505 and am getting a weird issue. I can connect remotely to the VPN and I am given an inside IP address from the address pool but my default gateway is always wrong and always has :: and then the default gateway. Therefore i am not able to ping any devices on the network. The photo shows the ipconfig and below is the config file.

***
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(6)
!
hostname BBRemoteControls
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool Controls_IP_Pool 100.100.100.240-100.100.100.245 mask 255.255.255.
0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description Controls Network VLAN 200
nameif inside
security-level 100
ip address 100.100.100.252 255.255.255.0
!
interface Vlan2
description ISP Network VLAN 25
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
object network Controls1
subnet 100.100.100.0 255.255.255.0
access-list 100 extended permit ip any any
access-list NAT-EXEMPT extended permit ip 100.100.100.0 255.255.255.0 100.100.10
0.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network Controls1
nat (inside,outside) dynamic interface
access-group 100 in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 0.0.0.0 0.0.0.0 100.100.100.1 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 100.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

-crypto information-

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point VPN_Controls outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
anyconnect profiles BBAdam_client_profile disk0:/BBAdam_client_profile.xml
anyconnect profiles BBControls_client_profile disk0:/BBControls_client_profile.
xml
anyconnect profiles BB_Remote_Controls_client_profile disk0:/BB_Remote_Controls
_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_BBAdam internal
group-policy GroupPolicy_BBAdam attributes
wins-server none
dns-server none
vpn-tunnel-protocol ssl-client
default-domain none
webvpn
anyconnect profiles value BBAdam_client_profile type user
group-policy GroupPolicy_BB_Remote_Controls internal
group-policy GroupPolicy_BB_Remote_Controls attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2
default-domain none
webvpn
anyconnect profiles value BB_Remote_Controls_client_profile type user
group-policy GroupPolicy_BBControls internal
group-policy GroupPolicy_BBControls attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
default-domain none
webvpn
anyconnect profiles value BBControls_client_profile type user

tunnel-group BB_Remote_Controls type remote-access
tunnel-group BB_Remote_Controls general-attributes
address-pool Controls_IP_Pool
default-group-policy GroupPolicy_BB_Remote_Controls
tunnel-group BB_Remote_Controls webvpn-attributes
group-alias BB_Remote_Controls enable
tunnel-group VPN type remote-access
tunnel-group BBControls type remote-access
tunnel-group BBControls general-attributes
address-pool Controls_IP_Pool
default-group-policy GroupPolicy_BBControls
tunnel-group BBControls webvpn-attributes
group-alias BBControls enable
tunnel-group BBAdam type remote-access
tunnel-group BBAdam general-attributes
address-pool (inside) Controls_IP_Pool
address-pool Controls_IP_Pool
secondary-authentication-server-group LOCAL
default-group-policy GroupPolicy_BBAdam
tunnel-group BBAdam webvpn-attributes
group-alias BBAdam enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end

***

Rahul Govindan · ‎01-13-2017

The VPN Adapter default gateway should not really matter. As long as your routing table points to the Anyconnect adapter, traffic should route through the VPN tunnel to the ASA. For example, my VPN connection shows no default gateway.

   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client V
irtual Miniport Adapter for Windows x64
   Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.45.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.107.5
                                       192.168.107.6
   NetBIOS over Tcpip. . . . . . . . : Enabled

Check your routing table after VPN connection to see if either a default route or network route points to the VPN adapter.

Now, I see one potential problem in your config that could be causing the issue. There is no nat statement to exempt traffic between local and VPN networks. You have a NAT statement to translate traffic to the interface for internet access and this would also NAT your return VPN traffic. You have to create a rule like this:

nat (inside,outside) 1 source static Controls1 Controls1 destination static Controls1 Controls1 no-proxy-arp route-lookup

You can reference the guide here to see relevant config:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html#anc13

adam.fenner · ‎01-17-2017

Sorry, i'm a little green, Here's the route table.