09-18-2015 11:18 AM - edited 02-21-2020 08:28 PM
I have a Cisco ASA 5505 that I am trying to configure AnyConnect VPN on, and though I have changed my configuration several times, when trying to access the static public IP of the outside interface to download the image, I am not able to. Also when I do a packet-tracer I see it is being dropped via the ACL: when packets sourced from outside go to the ASA via port 443, it drops due to the ACL. So it looks like anything trying to access the ASA via VPN on port 443 is going to my DMZ. Below is my config:
XXXX# sh run
: Saved
:
ASA Version 8.4(3)
!
hostname XXXX
domain-name lookup
enable password pFTzVNrKdD9x5rhT encrypted
passwd zPBAmb8krxlXh.CH encrypted
names
!
interface Ethernet0/0
description Outside-interface
switchport access vlan 20
!
interface Ethernet0/1
description DMZ-Uplink
switchport access vlan 30
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
description Tacacs+IDS
switchport access vlan 10
switchport monitor Ethernet0/0
!
interface Ethernet0/5
switchport access vlan 10
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
description Wireless_AP_Loft
switchport access vlan 10
!
interface Vlan10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
ip address x.x.x.249 255.255.255.248
!
interface Vlan30
no forward interface Vlan10
nameif dmz
security-level 50
ip address 172.16.30.1 255.255.255.0
!
boot system disk0:/asa843-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name lookup
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network Webserver_DMZ
host 172.16.30.8
object network Mailserver_DMZ
host 172.16.30.7
object network DMZ
subnet 172.16.30.0 255.255.255.0
object network FTPserver_DMZ
host 172.16.30.9
object network Public-IP-subnet
subnet x.x.x.248 255.255.255.248
object network FTPserver
host 172.16.30.8
object network Inside
subnet 192.168.10.0 255.255.255.0
object network VPN_SSL
subnet 10.101.4.0 255.255.255.0
access-list outside_in extended permit tcp any object Mailserver_DMZ eq www log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 587 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq smtp log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq pop3 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 2525 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq imap4 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 465 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 993 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 995 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 5901 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq https log
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging trap warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_SSL 10.101.4.1-10.101.4.4 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static Inside Inside destination static VPN_SSL VPN_SSL
nat (outside,inside) source static VPN_SSL VPN_SSL
!
object network obj_any1
nat (inside,outside) static interface
object network Webserver_DMZ
nat (dmz,outside) static x.x.x.250
object network Mailserver_DMZ
nat (dmz,outside) static x.x.x..251
object network DMZ
nat (dmz,outside) static interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HNIC protocol tacacs+
aaa-server HNIC (inside) host 192.168.10.2
timeout 60
key *****
user-identity default-domain LOCAL
aaa authentication http console HNIC
aaa authentication ssh console HNIC
aaa authentication telnet console HNIC
aaa authentication secure-http-client
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint localtrust
enrollment self
crl configure
crypto ca trustpoint VPN_Articulate2day
enrollment self
subject-name CN=vpn.articulate2day.com
keypair sslvpnkey
crl configure
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 15
ssh version 2
console timeout 0
no vpn-addr-assign aaa
dhcp-client update dns
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 192.168.10.100-192.168.10.150 inside
dhcpd enable inside
!
dhcpd address 172.16.30.20-172.16.30.23 dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 192.168.10.2
webvpn
enable outside
anyconnect image disk0:/anyconnect-linux-64-3.1.06079-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy VPN_SSL internal
group-policy VPN_SSL attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
address-pools value VPN_SSL
webvpn
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect ssl keepalive 15
anyconnect ssl compression deflate
anyconnect ask enable
username ronmitch50 password spn1SehCw8TvCzu7 encrypted
username ronmitch50 attributes
service-type remote-access
tunnel-group VPN_SSL_Clients type remote-access
tunnel-group VPN_SSL_Clients general-attributes
address-pool VPN_SSL
default-group-policy VPN_SSL
tunnel-group VPN_SSL_Clients webvpn-attributes
group-alias VPNSSL_GNS3 enable
tunnel-group VPN_SSL type remote-access
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect esmtp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
XXXX#
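The symptom described above (inbound connections to the outside interface address on 443 being untranslated toward the DMZ/inside and then hitting the outside_in ACL, instead of terminating on the ASA's own WebVPN listener) is the classic result of giving a whole subnet object a `static interface` NAT on ASA 8.3+; `dynamic interface` (PAT) is what outbound traffic needs, and it leaves the interface address free for services the ASA itself hosts. The script below is an added example, not code from the poster or from Cisco: it parses `object network` blocks out of a `show run` dump and flags subnet or range objects whose NAT line uses `static interface`. The config excerpt embedded in it is constructed to mirror the shape of the question's objects (the public addresses are replaced with a documentation range because the post redacts them), and the function names are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of an ASA 8.4 running config (not the poster's full config).
# 'show run' prints each object twice: once with its address, once with its NAT line.
SAMPLE_CONFIG = """\
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network Webserver_DMZ
 host 172.16.30.8
object network DMZ
 subnet 172.16.30.0 255.255.255.0
object network Inside
 subnet 192.168.10.0 255.255.255.0
!
object network obj_any1
 nat (inside,outside) static interface
object network Webserver_DMZ
 nat (dmz,outside) static 203.0.113.250
object network DMZ
 nat (dmz,outside) static interface
object network Inside
 nat (inside,outside) dynamic interface
"""


def parse_network_objects(config: str) -> Dict[str, dict]:
    """Collect each 'object network' block's real address line and NAT lines.

    Both occurrences of an object (address block and NAT block) are merged into
    one record. Indentation is ignored, so a dump pasted without leading spaces
    (as forum posts often are) parses the same way.
    """
    objects: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^object network (\S+)$", line)
        if m:
            current = objects.setdefault(m.group(1), {"real": None, "nat": []})
            continue
        if not line or line.startswith("!"):
            current = None  # '!' separators end the current block
            continue
        if current is None:
            continue  # top-level line outside any object block
        if line.startswith(("host ", "subnet ", "range ")):
            current["real"] = line
        elif line.startswith("nat "):
            current["nat"].append(line)
    return objects


def find_static_interface_nat(config: str) -> List[dict]:
    """Flag subnet/range objects translated with 'static interface'.

    A static NAT of many real addresses onto the interface address claims
    inbound packets sent to that address for untranslation, which is what keeps
    them from reaching a service (such as AnyConnect on 443) the ASA hosts on
    that interface. The suggested line swaps it for interface PAT.
    """
    findings: List[dict] = []
    for name, obj in parse_network_objects(config).items():
        real = obj["real"] or ""
        covers_many = real.startswith(("subnet ", "range "))
        for nat in obj["nat"]:
            if covers_many and re.search(r"\bstatic interface\b", nat):
                findings.append({
                    "object": name,
                    "real": real,
                    "offending": nat,
                    "suggested": nat.replace("static interface", "dynamic interface"),
                })
    return findings


if __name__ == "__main__":
    for f in find_static_interface_nat(SAMPLE_CONFIG):
        print(f"{f['object']} ({f['real']}): {f['offending']}  ->  {f['suggested']}")
```

Run against the constructed excerpt it reports `obj_any1` and `DMZ`, the two objects whose shape matches the question's config; host objects with a dedicated public address (the web and mail servers) are left alone, since a one-to-one static on a separate address does not touch the interface IP. Feed it a real `show run` with `python3 check_nat.py < running-config.txt` after changing `SAMPLE_CONFIG` to read from stdin.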