Unable to connect from VPN to inside network and internet outside ASA 5506

zaleski
Level 1

Good morning, 

I have trouble with my ASA 5506 configuration. I want to allow VPN users to connect to servers inside my network and also give them access to the internet without split tunneling. Can anybody tell me what is wrong with my configuration? I have been struggling with this for almost a week now and I am running out of ideas.

My ASA configuration: 

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname eagle
enable password 5UiZfO/vuL5HK8Pr encrypted
names
ip local pool sales_addresses 10.4.5.10-10.4.5.20 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 95.50.103.140 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network sales_addresses
 subnet 10.4.5.0 255.255.255.0
access-list OUTSIDE extended permit icmp any4 any4 echo
access-list inside_nat_vpn extended permit ip 192.168.100.0 255.255.255.0 10.4.5.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (outside,outside) after-auto source dynamic sales_addresses interface
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 95.50.103.137 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set myset esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set myset mode transport
crypto ipsec ikev1 transform-set L2TP-tunnel esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-tunnel mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65533 set ikev1 transform-set L2TP-tunnel ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65534 set ikev1 transform-set myset ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 myset
crypto map SRG_VPN 64553 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map SRG_VPN interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto isakmp nat-traversal 1500
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 3
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 50
l2tp tunnel hello 100
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.100.5-192.168.100.250 inside
dhcpd enable inside
!
dhcprelay timeout 60
group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol l2tp-ipsec
 ipsec-udp enable
 split-tunnel-all-dns enable
dynamic-access-policy-record DfltAccessPolicy
username ****** password ******** encrypted privilege 15
username ****** password *************== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool sales_addresses
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group sales-tunnel type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:70585bdddf8228b13e037317a9157744
: end

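An added check for configs like the one above (this is example code written for this page, not code from the thread or from Cisco). The ASA consults its NAT table in a fixed order: section 1 manual NAT, then section 2 object NAT, then section 3 after-auto manual NAT, first match wins. The script below reads the pool, object, access-list and nat lines of a pasted config, simulates that lookup for a packet from an inside host to an address in the VPN pool, and reports whether the first rule to hit is an identity (exemption) rule or a dynamic PAT; it also lists access-lists that are defined but never referenced. SAMPLE_CONFIG is a constructed excerpt of the lines posted in the question; EXEMPT_CONFIG prepends the usual identity-NAT form as an assumption, so the two results can be compared. All function and variable names are mine.

```python
"""Static checks over the NAT and access-list lines of an ASA running-config.

Added example for this page, not code from the thread or from Cisco.
SAMPLE_CONFIG is a constructed excerpt of the posted config; EXEMPT_CONFIG
adds the usual identity-NAT (exemption) line as an assumption for comparison.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
ip local pool sales_addresses 10.4.5.10-10.4.5.20 mask 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network sales_addresses
 subnet 10.4.5.0 255.255.255.0
access-list OUTSIDE extended permit icmp any4 any4 echo
access-list inside_nat_vpn extended permit ip 192.168.100.0 255.255.255.0 10.4.5.0 255.255.255.0
object network obj_any
 nat (any,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
nat (outside,outside) after-auto source dynamic sales_addresses interface
access-group OUTSIDE in interface outside
"""

# Assumed exemption line placed in front of the same config (section 1 manual NAT).
EXEMPT_CONFIG = ("nat (inside,outside) source static any any destination static "
                 "sales_addresses sales_addresses no-proxy-arp route-lookup\n" + SAMPLE_CONFIG)

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (.*)$")
ACL_RE = re.compile(r"^access-list (\S+) ")


def _parse_nat(real_if, mapped_if, body, current_obj, text):
    """Manual (twice) NAT carries 'source <kind> <real> <mapped> ...'; object NAT does not."""
    after_auto = body.startswith("after-auto ")
    tokens = body.split()[1:] if after_auto else body.split()
    if tokens[0] == "source":
        kind, src, mapped = tokens[1], tokens[2], tokens[3]
        dst = tokens[tokens.index("destination") + 2] if "destination" in tokens else None
        section = 3 if after_auto else 1
    else:                                       # object NAT: '<kind> <mapped>' under the object
        kind, src, mapped, dst, section = tokens[0], current_obj, tokens[1], None, 2
    return {"section": section, "real_if": real_if, "mapped_if": mapped_if, "src": src,
            "dst": dst, "identity": kind == "static" and mapped == src, "text": text}


def parse_config(config):
    """Return (objects, pools, nat_rules); nat_rules is in ASA lookup order:
    section 1, then 2, then 3, config order within a section (sort is stable)."""
    objects, pools, rules, current_obj = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := OBJ_RE.match(line):
            current_obj = m.group(1)
        elif (m := SUBNET_RE.match(line)) and current_obj:
            objects[current_obj] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif (m := HOST_RE.match(line)) and current_obj:
            objects[current_obj] = ipaddress.ip_network(m.group(1))
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := NAT_RE.match(line):
            rules.append(_parse_nat(m.group(1), m.group(2), m.group(3), current_obj, line))
        else:
            current_obj = None                  # any other top-level line ends the object block
    rules.sort(key=lambda r: r["section"])
    return objects, pools, rules


def _covers(name, objects, ip):
    """'any'/'any4'/no object matches everything; otherwise look the object up."""
    if name in (None, "any", "any4"):
        return True
    return name in objects and ip in objects[name]


def first_matching_rule(config, src_ip, dst_ip, in_if, out_if):
    """Simulate the NAT lookup for one flow and return the first rule that hits (or None)."""
    objects, _, rules = parse_config(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (rule["real_if"] in ("any", in_if) and rule["mapped_if"] in ("any", out_if)
                and _covers(rule["src"], objects, src) and _covers(rule["dst"], objects, dst)):
            return rule
    return None


def vpn_pool_exemption(config, pool_name, inside_host, in_if="inside", out_if="outside"):
    """Is inside -> VPN-pool traffic left untranslated (identity NAT or no rule), or does a
    dynamic rule catch it first and PAT it to the outside address?"""
    _, pools, _ = parse_config(config)
    pool_ip = pools[pool_name][0]
    rule = first_matching_rule(config, inside_host, pool_ip, in_if, out_if)
    return {"pool_address": str(pool_ip), "rule": rule["text"] if rule else None,
            "exempt": rule is None or rule["identity"]}


def unreferenced_acls(config):
    """Access-lists defined but never named by access-group, nat or any other line."""
    defined, referenced = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            defined.add(m.group(1))
        else:
            referenced.update(line.split())
    return sorted(defined - referenced)


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("with identity NAT", EXEMPT_CONFIG)):
        print(label, vpn_pool_exemption(cfg, "sales_addresses", "192.168.100.10"))
    print("unreferenced ACLs:", unreferenced_acls(SAMPLE_CONFIG))
```

On the posted excerpt the first rule to match inside-to-pool traffic is the object NAT `nat (any,outside) dynamic interface`, because section 2 is consulted before the after-auto rules and nothing in section 1 exempts the pool; with the assumed identity line in front, the same flow is reported as exempt. The ACL check flags `inside_nat_vpn`, which the posted config defines but never binds. The parser understands only the subnet/host object forms and the manual and object NAT syntax shown here; object groups and the other NAT options are outside its scope.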
2 Replies

Dennis Mink
VIP Alumni

Does a VPN-connected client have all the required routes, like a default route? Do a route print from a Windows prompt.

Please remember to rate useful posts, by clicking on the stars below.

The only route which I have is this one:

route outside 0.0.0.0 0.0.0.0 95.50.103.137 1

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            link#12            UCS            55        0    ppp0
default            192.168.0.1        UGScI           9        0     en0
8.8.8.8            link#12            UHWIi          19      363    ppp0
10                 ppp0               USc             1        0    ppp0
95.50.103.140      192.168.0.1        UGHS            2      428     en0
127                localhost          UCS             0        0     lo0
localhost          localhost          UH              1    11489     lo0
169.254            link#5             UCS             0        0     en0
192.168.0          link#5             UCS             3        0     en0
192.168.0.1/32     link#5             UCS             1        0     en0
224.0.0/4          link#12            UmCS            0        0    ppp0
