09-08-2011 09:58 PM
I've got a client that recently got an ASA 5505. E0/0 is connected to the outside, E0/1 connected to the internal server (Win 2008). The ASA "local network" is 172.30.1.0/24; my internal network is 192.168.1.0/24. I'm able to connect from home through AnyConnect and get a proper address (which I've got a pool of 172.30.1.64/26 assigned for VPN users), but no traffic from my computer will go to the internal network, nor will the internal server (or the ASA for that matter) can't talk to my VPN'd computer.
On the firewall settings on the ASA, I've got it all open: any/any on both inside and outside, just to try and get anything to go through. I've even got split-tunneling working, but not traffic-passing! The config is below (redacting local AAA users). Any help would be appreciated!
: Saved : ASA Version 8.2(1) ! hostname MGFP-ASA domain-name mgfp.local enable password z3wSfrC0H.OIDKq4 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 172.30.1.1 255.255.255.0 ! interface Vlan2 mac-address 0006.259d.7411 nameif outside security-level 0 ip address dhcp setroute ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive clock timezone MST -7 dns domain-lookup inside dns server-group DefaultDNS name-server 192.168.1.5 name-server 208.67.222.222 name-server 208.67.220.220 domain-name mgfp.local access-list outside_access_in extended permit ip any any access-list outside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.192 inactive access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0 access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0 access-list inside_access_in extended permit ip 172.30.1.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list inside_access_in remark Allow VPN traffic inside. access-list inside_access_in extended permit ip any any access-list inside_access_out remark Allow traffic from internal to VPN access-list inside_access_out extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0 access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0 access-list SPLIT-TUNNEL standard permit 172.30.1.0 255.255.255.0 access-list inside_nat0_outbound_2 extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0 pager lines 24 logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool VPN-Router 172.30.1.64-172.30.1.96 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list NONAT nat (inside) 1 0.0.0.0 0.0.0.0 access-group inside_access_in in interface inside access-group inside_access_out out interface inside access-group outside_access_in in interface outside ! router rip ! route inside 192.168.1.0 255.255.255.0 172.30.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy webvpn svc ask none default svc aaa-server Providers protocol ldap aaa-server Providers (inside) host 192.168.1.5 timeout 5 server-type microsoft http server enable http 192.168.1.0 255.255.255.0 inside http 172.30.1.0 255.255.255.0 inside http 206.128.64.74 255.255.255.255 outside http 206.169.38.99 255.255.255.255 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh 206.128.64.74 255.255.255.255 outside ssh 206.169.38.99 255.255.255.255 outside ssh timeout 5 console timeout 0 dhcp-client client-id interface outside dhcpd update dns ! dhcpd address 172.30.1.16-172.30.1.32 inside dhcpd dns 8.8.8.8 interface inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn enable outside svc image disk0:/anyconnect-win-2.5.3054-k9.pkg 2 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 svc enable group-policy DfltGrpPolicy attributes vpn-tunnel-protocol svc webvpn address-pools value VPN-DHCP webvpn svc ask none default svc group-policy Remote internal group-policy Remote attributes vpn-tunnel-protocol l2tp-ipsec svc split-tunnel-network-list value SPLIT-TUNNEL group-policy VPN internal group-policy VPN attributes vpn-tunnel-protocol l2tp-ipsec svc webvpn split-tunnel-policy tunnelspecified split-tunnel-network-list value SPLIT-TUNNEL address-pools value VPN-Router webvpn url-list none svc ask enable default svc username <REDACTED> ! tunnel-group VPN-REMOTE type remote-access tunnel-group VPN-REMOTE general-attributes address-pool VPN-Router default-group-policy VPN ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:ab7141d99a375cc04aa2787280689577 : end no asdm history enable