Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2508
Views
0
Helpful
3
Replies

Help configuring Cisco ASA 5506 OS 9.8

akawache1
Level 1
Level 1

‎08-11-2017 05:37 PM - edited ‎03-12-2019 02:48 AM

I have static IPs from a FIOS service.
One of the IPs is configured to my ASA 5506 WAN
I then have a LAN bridge configured with 4 ports 5-8. ASA Ip .246.1
The LAN subnet is .246.0
One of the LAN ports is connected to WRT3200 wireless router that is acting as an AP only with IP .246.2
The ASA has a site to site VPN to another network .254.0 subnet. The site to site vpn works just fine
The DNS on the ASA dhcpd is on the 254.0 subnet.
The ASA also has anyconnect VPN with subnet 10.10.246.0
I have machines connected to a LAN switch that is connected to the ASA and I have some machines connected to the Linksys WRT3200.

My problems:
1. communication between the .246 and .254 with the site to site vpn seems to be working fine. but, when I am at the .254 network with my client I am unable to ssh, telnet or ASDM to the ASA. Even though I have the sybnets defined to allow for that.
2. I am unable to ping the .246.2 (Linksys WRT3200ACM) from the .254, but I can ping .246.1 which is the ASA. I also can ping any machine connected to the LAN switch that is connected to the ASA but cannot ping the machines connected to teh WRT3200 even though they are on the same subnet .246.
3. When I connect to anyconnect from outside I lose my LAN communication and I lose my internet also. I can ping .246.1, but not .246.2.

So far that is what I noticed. please help

ASA config:
ASA Version 9.8(1)
!
domain-name mycompany.msft

names
ip local pool SSLClientPool 10.10.246.100-10.10.246.101 mask 255.255.255.0

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
 !
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif LAN_P5
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif LAN_P6
 security-level 100
 !
interface GigabitEthernet1/7
 bridge-group 1
 nameif LAN_P7
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif LAN_P8
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.246.1 255.255.255.0
!
boot system disk0:/asa981-lfbff-k8.SPA
ftp mode passive
dns server-group DefaultDNS
 domain-name mycompany.msft
 object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_192.168.246.0_24
 subnet 192.168.246.0 255.255.255.0
object network obj_192.168.254.0_24
 subnet 192.168.254.0 255.255.255.0
object network obj-AnyconnectPool
 subnet 10.10.246.0 255.255.255.0
access-list 101 extended permit icmp any any
access-list acl_out extended permit icmp any any
access-list outside_1_cryptomap extended permit ip object obj_192.168.246.0_24 o
bject obj_192.168.254.0_24
access-list no_nat extended permit ip 192.168.246.0 255.255.255.0 10.10.246.0 25
5.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu LAN_P5 1500
mtu LAN_P6 1500
mtu LAN_P7 1500
mtu LAN_P8 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (LAN_P5,outside) source static obj_192.168.246.0_24 obj_192.168.246.0_24 des
tination static obj_192.168.254.0_24 obj_192.168.254.0_24 no-proxy-arp route-loo
kup
nat (LAN_P6,outside) source static obj_192.168.246.0_24 obj_192.168.246.0_24 des
tination static obj_192.168.254.0_24 obj_192.168.254.0_24 no-proxy-arp route-loo
kup
nat (LAN_P7,outside) source static obj_192.168.246.0_24 obj_192.168.246.0_24 des
tination static obj_192.168.254.0_24 obj_192.168.254.0_24 no-proxy-arp route-loo
kup
nat (LAN_P8,outside) source static obj_192.168.246.0_24 obj_192.168.246.0_24 des
tination static obj_192.168.254.0_24 obj_192.168.254.0_24 no-proxy-arp route-loo
kup
!
object network obj_any
 nat (LAN_P8,outside) dynamic interface
object network obj-AnyconnectPool
 nat (outside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable
http 192.168.246.0 255.255.255.0 LAN_P5
http 192.168.246.0 255.255.255.0 LAN_P6
http 192.168.246.0 255.255.255.0 LAN_P7
http 192.168.246.0 255.255.255.0 LAN_P8
http 192.168.254.0 255.255.255.0 LAN_P5
http 192.168.254.0 255.255.255.0 LAN_P6
http 192.168.254.0 255.255.255.0 LAN_P7
http 192.168.254.0 255.255.255.0 LAN_P8
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map vpn 1 match address outside_1_cryptomap
crypto map vpn 1 set peer 2.2.2.2 3.3.3.3
crypto map vpn 1 set ikev1 transform-set 3des-md5
crypto map vpn interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.andrewslogistics.msft
 subject-name CN=sslvpn.andrewslogistics.msft
 keypair sslvpnkey
 crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
 certificate a84c8459
    30820324 3082020c a0030201 020204a8 4c845930 0d06092a 864886f7 0d01010b
  quit
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.246.0 255.255.255.0 LAN_P5
telnet 192.168.254.0 255.255.255.0 LAN_P5
telnet 192.168.246.0 255.255.255.0 LAN_P6
telnet 192.168.254.0 255.255.255.0 LAN_P6
telnet 192.168.246.0 255.255.255.0 LAN_P7
telnet 192.168.254.0 255.255.255.0 LAN_P7
telnet 192.168.254.0 255.255.255.0 LAN_P8
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.246.0 255.255.255.0 LAN_P5
ssh 192.168.246.0 255.255.255.0 LAN_P6
ssh 192.168.246.0 255.255.255.0 LAN_P7
ssh 192.168.246.0 255.255.255.0 LAN_P8
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 10
management-access inside

dhcpd dns 192.168.254.100 74.40.74.40
dhcpd lease 28800
dhcpd domain andrewslogistics.msft
!
dhcpd address 192.168.246.240-192.168.246.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy SSLCLient internal
group-policy SSLCLient attributes
 dns-server value 192.168.254.100 74.40.74.40
 vpn-tunnel-protocol ssl-client
 default-domain value andrewslogistics.msft
 address-pools value SSLClientPool
dynamic-access-policy-record DfltAccessPolicy
username administrator password mcE1PLB0.XrcvIFM encrypted
username akawache password $sha512$5000$TWV/qz2jDmX+AC9zD9fxyQ==$qadxpwoXTfh7MZR
YMcR4iA== pbkdf2
username akawache attributes
 service-type remote-access
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
 default-group-policy SSLCLient
tunnel-group SSLClient webvpn-attributes
 group-alias ALIAKSOHO_RA enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end



      FIOS--->Unmanaged switch
            |      |     |
            |      |     |
             ASA5506
Anyconnect VPN<<IOS 9.3
 10.10.246.0  192.168.246.1 >>>>> Site to Site VPN
            |                   192.168.254.0
            |
         LAN Bridge
         Ports 5-8        
          |             |
          |             |
      Linksys       Unamanged
     WRT3200ACM   Switch
   192.168.246.2

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Rahul Govindan
VIP Alumni
VIP Alumni

‎08-13-2017 04:37 AM

1) I believe this is a symptom of the BVI interface on the inside. You cannot ssh, telnet ASDM to the BVI interface through VPN as of today as it does not allow you to put the following command:

http 0 0 inside

or 

ssh 0 0 inside

The bug for this is here:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve82307/?reffering_site=dumpcr

2) Not sure what this the problem could be here. Maybe a default route on the Wireless router. I would recommend using a packet capture on the inside to see if the forward and return packets make it back.

3) Looks like you are sending all internet traffic to the ASA when connected via VPN (no split tunnel). You would need to add "same-security traffic permit intra-interface" to allow traffic to u-turn via the outside. You seem to have NAT rules already set up for that. Also, you would need to have NAT exempt rules in place for the VPN to the LAN segment.

0 Helpful

akawache1
Level 1
Level 1
In response to Rahul Govindan

‎08-17-2017 10:58 AM

can you help me with the needed configuration for number 3)

0 Helpful

Brian Schultz
Level 4
Level 4
In response to Rahul Govindan

‎11-13-2017 06:16 AM

Is CSCve82307 ever going to get fixed?  I know it is listed as an enhancement, but would be really nice to be able to manage branch sites across L2L tunnel again instead of having to open SSH to the outside interface.  This bug has been opened for a long time...

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card