AnyConnect ping is good but http does not work ASA 5520

AnyConnect is working, but I can't access the web server, although ping works.  Attached is the full configuration.  I had to remove the NAT to get it to work.

((( no nat (inside,outside) source static 192.168.172.0_24 192.168.172.0_24 destination static )))

[attachment: anyconnect_172_crop.png]

Here is the Wireshark capture on the client for the ping and http://192.168.172.3:80 (ping is at the bottom)

192.168.172.3<->192.168.172.5

[attachment: anyconnect_wireshark_http_80.jpg]

Here is the Wireshark capture for "telnet 192.167.172.3 80"; it tries to connect, then tries again.

[attachment: wireshark_capture_telnet_80_crop.jpg]

CONFIGURATION  -  CONFIGURATION  -  CONFIGURATION  -  CONFIGURATION  -  CONFIGURATION  -  

webvpn
 anyconnect image flash:anyconnect-win-4.6.03049-webdeploy-k9.pkg
 enable outside
 anyconnect enable
sysopt connection permit-vpn
ip local pool VPN_POOL 192.168.172.5-192.168.172.10 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.172.0 255.255.255.0
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 dns-server value 192.168.168.1
 webvpn
  anyconnect keep-installer installed
  anyconnect ask none default anyconnect
  anyconnect dpd-interval client 30
tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
 default-group-policy ANYCONNECT_POLICY
 address-pool VPN_POOL
 exit
tunnel-group MY_TUNNEL webvpn-attributes
 group-alias SSL_USERS enable
webvpn
 tunnel-group-list enable
username SSL_USER password SSLPassword
username SSL_USER attributes
 service-type remote-access
end

 

**************************************************************************************

Client: AnyConnect VPN Client > Statistics > Details > Export (AnyConnect-ExportedStats.txt)

Cisco AnyConnect Secure Mobility Client Version 4.6.03049

VPN Stats
Bytes Received: 28837
Bytes Sent: 84930
Compressed Bytes Received: 0
Compressed Bytes Sent: 0
Compressed Packets Received: 0
Compressed Packets Sent: 0
Control Bytes Received: 1603
Control Bytes Sent: 1779
Control Packets Received: 43
Control Packets Sent: 65
Encrypted Bytes Received: 13797
Encrypted Bytes Sent: 129090
Encrypted Packets Received: 65
Encrypted Packets Sent: 694
Inbound Bypassed Packets: 0
Inbound Discarded Packets: 0
Outbound Bypassed Packets: 0
Outbound Discarded Packets: 0
Packets Received: 16
Packets Sent: 623
Session Disconnect: None
Time Connected: 00:11:12

Protocol Info
Active Protocol
Protocol Cipher: DHE_RSA_AES256_SHA
Protocol Compression: None
Protocol State: Connected
Protocol: DTLS
Inactive Protocol
Protocol Cipher: DHE_RSA_AES256_SHA
Protocol Compression: None
Protocol State: Connected
Protocol: TLSv1.0

Tunnel Mode (IPv4): Split Include
Tunnel Mode (IPv6): Drop All Traffic
Dynamic Tunnel Exclusion: None
Dynamic Tunnel Inclusion: None

Routes
Secure Routes
192.168.172.0 24
192.168.168.1 32

Non-tunneled Routes
0.0.0.0 0

Firewall Rules

OS Version
Windows 7 : WinNT 6.1.7601 Service Pack 1

Windows IP Configuration

Host Name . . . . . . . . . . . . : ADMIN-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 4:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::9656:3601:37c6:aff6%19(Preferred)
Link-local IPv6 Address . . . . . : fe80::b58a:5504:566f:2e1%19(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.172.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : ::
DNS Servers . . . . . . . . . . . : 192.168.168.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Generic Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : A4-BA-DB-9E-9B-DC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8127:186d:6b35:22cb%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.168.144(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, April 04, 2019 1:17:14 PM
Lease Expires . . . . . . . . . . : Thursday, April 04, 2019 4:34:21 PM
Default Gateway . . . . . . . . . : 192.168.168.1
DHCP Server . . . . . . . . . . . : 192.168.168.1
DHCPv6 IAID . . . . . . . . . . . : 245676763
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-D5-9B-C7-A4-BA-DB-9E-9B-DC
DNS Servers . . . . . . . . . . . : 192.168.168.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.fios-router.home:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{27727A6C-3A86-41F1-A263-4D585139B6DF}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
===========================================================================
Interface List
19...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
11...a4 ba db 9e 9b dc ......Generic Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.168.1 192.168.168.144 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.168.0 255.255.255.0 On-link 192.168.168.144 276
192.168.168.1 255.255.255.255 On-link 192.168.168.144 21
192.168.168.144 255.255.255.255 On-link 192.168.168.144 276
192.168.168.232 255.255.255.255 On-link 192.168.168.144 21
192.168.168.255 255.255.255.255 On-link 192.168.168.144 276
192.168.172.0 255.255.255.0 On-link 192.168.172.5 257
192.168.172.5 255.255.255.255 On-link 192.168.172.5 257
192.168.172.255 255.255.255.255 On-link 192.168.172.5 257
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.168.144 276
224.0.0.0 240.0.0.0 On-link 192.168.172.5 10000
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.168.144 276
255.255.255.255 255.255.255.255 On-link 192.168.172.5 10000
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
19 21 ::/0 On-link
1 306 ::1/128 On-link
19 276 fe80::/64 On-link
11 276 fe80::8127:186d:6b35:22cb/128 On-link
19 276 fe80::9656:3601:37c6:aff6/128 On-link
19 276 fe80::b58a:5504:566f:2e1/128 On-link
1 306 ff00::/8 On-link
11 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

**************************************************************************************

asa172-232# show vpn-sessiondb detail svc filter name SSL_USER

Session Type: AnyConnect Detailed

Username : SSL_USER Index : 3
Assigned IP : 192.168.172.5 Public IP : 192.168.168.144
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)none
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)none
Bytes Tx : 15854 Bytes Rx : 400618
Pkts Tx : 20 Pkts Rx : 2538
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : ANYCONNECT_POLICY Tunnel Group : MY_TUNNEL
Login Time : 07:55:18 UTC Thu Apr 4 2019
Duration : 1h:31m:07s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 3.1
Public IP : 192.168.168.144
Encryption : none Hashing : none
TCP Src Port : 49373 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
Client OS : Windows
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.6.03049
Bytes Tx : 7627 Bytes Rx : 900
Pkts Tx : 5 Pkts Rx : 1
Pkts Tx Drop : 0 Pkts Rx Drop : 0

SSL-Tunnel:
Tunnel ID : 3.2
Assigned IP : 192.168.172.5 Public IP : 192.168.168.144
Encryption : AES256 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Src Port : 49376
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.6.03049
Bytes Tx : 7627 Bytes Rx : 453
Pkts Tx : 5 Pkts Rx : 5
Pkts Tx Drop : 0 Pkts Rx Drop : 0

DTLS-Tunnel:
Tunnel ID : 3.3
Assigned IP : 192.168.172.5 Public IP : 192.168.168.144
Encryption : none Hashing : none
Encapsulation: DTLSv1.0 UDP Src Port : 53356
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.6.03049
Bytes Tx : 600 Bytes Rx : 399391
Pkts Tx : 10 Pkts Rx : 2533
Pkts Tx Drop : 0 Pkts Rx Drop : 0

NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 5468 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :

 

 


Hello,

looking at your configuration it seems that your VPN pool is derived from the same network as your inside?

ip local pool VPN_POOL 192.168.172.5-192.168.172.10 mask 255.255.255.0

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.172.1 255.255.255.0

Typically you would need a NAT exemption from the inside/local network to your VPN pool addresses. This is not possible as both are in the same network. Try and change the VPN pool to something different:

ip local pool VPN_POOL 192.168.173.5-192.168.173.10 mask 255.255.255.0

and then add a network object for the pool, and the NAT exemption:

object network 192.168.173.0_24
 subnet 192.168.173.0 255.255.255.0
!
nat (inside,outside) source static 192.168.172.0_24 192.168.172.0_24 destination static 192.168.173.0_24 192.168.173.0_24

Hi Georg, thank you for your recommendation.  I entered the configuration that you suggested into the ASA firewall; it went in OK and the AnyConnect client runs OK, but it doesn't work.  The ASA firewall that I'm using to get into the enclave is not the default router used to get to the internet.  The AnyConnect client connects but the default router is blank, like this: "Default Gateway . . . . . . . : ::"   How does the client route from the AnyConnect network, 192.168.173.0, through the ASA outside interface, 192.168.168.232, to the ASA inside network 192.168.172.0?

When I ping from the client to the inside of the AnyConnect connection, the ping goes out the wrong Ethernet adapter.  The main NIC, Ethernet adapter Local Area Connection, is used instead of the AnyConnect NIC, Ethernet adapter Local Area Connection 4.  See the following.

Ethernet adapter Local Area Connection 4:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::94e7:a99b:49e6:4d41%19(Preferred)
Link-local IPv6 Address . . . . . : fe80::b58a:5504:566f:2e1%19(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.173.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : ::
DNS Servers . . . . . . . . . . . : 192.168.168.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Generic Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : A4-BA-DB-9E-9B-DC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8127:186d:6b35:22cb%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.168.144(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, April 08, 2019 9:45:39 AM
Lease Expires . . . . . . . . . . : Monday, April 08, 2019 1:45:38 PM
Default Gateway . . . . . . . . . : 192.168.168.1
DHCP Server . . . . . . . . . . . : 192.168.168.1
DHCPv6 IAID . . . . . . . . . . . : 245676763
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-D5-9B-C7-A4-BA-DB-9E-9B-DC
DNS Servers . . . . . . . . . . . : 192.168.168.1
NetBIOS over Tcpip. . . . . . . . : Enable

The examples that I see on the internet show an ASA doing only AnyConnect.  I've got to have the same ASA 1) NAT to the internet, 2) build IPsec tunnels to remote customers (ASA-to-ASA), 3) port map some inside servers to the outside, 4) get AnyConnect working to get to inside servers. 

Hello,

post the current full configuration of your ASA, including the changes you have made...

Thank you for taking a look :-)

There are now tunnels from the command "sh cry ipsec sa".

Note that I had to remove the overload NAT to get AnyConnect to work (when I was using the same network for the inside and the AnyConnect pool): "nat (inside,outside) after-auto source dynamic any interface".  This is the NAT that worked with the PAT, L3 tunnels, and the overload NAT to the internet.

Here are the NATs that play well with others :-)

asa172-232# sh start | i nat
nat (inside,outside) source static 192.168.172.0_24 192.168.172.0_24 destination static 192.168.180.0_24 192.168.180.0_24 no-proxy-arp route-lookup
nat (inside,outside) static interface service tcp www 8888
nat (inside,outside) static interface service tcp ssh 2222
nat (inside,outside) after-auto source dynamic any interface
asa172-232#

Here is what I added with your recommendations.

webvpn
anyconnect image flash:anyconnect-win-4.6.03049-webdeploy-k9.pkg
enable outside
anyconnect enable
sysopt connection permit-vpn
ip local pool VPN_POOL 192.168.173.5-192.168.173.10 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.173.0 255.255.255.0
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
dns-server value 192.168.168.1
webvpn
anyconnect keep-installer installed
anyconnect ask none default anyconnect
anyconnect dpd-interval client 30
tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
default-group-policy ANYCONNECT_POLICY
address-pool VPN_POOL
exit
tunnel-group MY_TUNNEL webvpn-attributes
group-alias SSL_USERS enable
webvpn
tunnel-group-list enable
username SSL_USER password SSLPassword
username SSL_USER attributes
service-type remote-access
end

Hello,

the split tunnel ACL does not look right. It needs to specify the network of the inside interface. Instead of:

access-list SPLIT_TUNNEL standard permit 192.168.173.0 255.255.255.0

use

access-list SPLIT_TUNNEL standard permit 192.168.172.0 255.255.255.0

Also, add the words in bold to your NAT exemption:

nat (inside,outside) source static 192.168.172.0_24 192.168.172.0_24 destination static 192.168.173.0_24 192.168.173.0_24 no-proxy-arp route-lookup
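
To make the diagnosis in Georg's two replies (the pool overlapping the inside subnet, and the split-tunnel ACL naming the pool instead of the inside network) and the original poster's routing question ("the ping goes out the wrong Ethernet adapter") checkable, here is an added Python script. It is not from the thread and not Cisco's code; it parses three constructed ASA config fragments modelled on the ones posted, flags the three problems the thread works through (overlapping pool, split-tunnel ACL that does not cover the inside network, missing identity NAT exemption), and shows which adapter a split-include client would use to reach 192.168.172.3. The fragments, object names and the inside/outside interface pair are assumptions taken from the thread, and the parser only understands the handful of commands shown.

```python
"""Static check for the AnyConnect split-tunnel mistakes worked out in this
thread: a VPN pool carved out of the inside subnet, a split-tunnel ACL that
lists the pool instead of the inside network, and a missing NAT exemption.
The three config fragments below are constructed for this example."""
import ipaddress
import re

# Constructed: the pool shares 192.168.172.0/24 with the inside interface.
CONFIG_ORIGINAL = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.172.1 255.255.255.0
ip local pool VPN_POOL 192.168.172.5-192.168.172.10 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.172.0 255.255.255.0
"""

# Constructed: pool moved to 192.168.173.0/24, but the split ACL now names
# the pool, so the client never installs a route to the inside network.
CONFIG_SPLIT_WRONG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.172.1 255.255.255.0
ip local pool VPN_POOL 192.168.173.5-192.168.173.10 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.173.0 255.255.255.0
"""

# Constructed: the accepted answer applied.
CONFIG_FIXED = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.172.1 255.255.255.0
object network 192.168.172.0_24
 subnet 192.168.172.0 255.255.255.0
object network 192.168.173.0_24
 subnet 192.168.173.0 255.255.255.0
ip local pool VPN_POOL 192.168.173.5-192.168.173.10 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.172.0 255.255.255.0
nat (inside,outside) source static 192.168.172.0_24 192.168.172.0_24 destination static 192.168.173.0_24 192.168.173.0_24 no-proxy-arp route-lookup
"""

POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)")
SPLIT_RE = re.compile(r"^access-list \S+ standard permit (\S+) (\S+)")
# Identity NAT: source and destination are each translated to themselves.
NAT_RE = re.compile(r"^nat \(inside,outside\) source static (\S+) \1 destination static (\S+) \2")


def parse(config):
    """Extract inside subnet, pool, split networks, objects and identity NATs."""
    cfg = {"inside": None, "pool": None, "split": [], "objects": {}, "nat_exempt": []}
    in_inside, current_object = False, None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # an unindented command ends any block
            in_inside, current_object = False, None
        line = raw.strip()
        if line == "nameif inside":
            in_inside = True
        elif in_inside and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            cfg["inside"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line.startswith("object network "):
            current_object = line.split()[2]
        elif current_object and line.startswith("subnet "):
            _, net, mask = line.split()
            cfg["objects"][current_object] = ipaddress.ip_network(f"{net}/{mask}")
        elif m := POOL_RE.match(line):
            cfg["pool"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(3)}", strict=False)
        elif m := SPLIT_RE.match(line):
            cfg["split"].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := NAT_RE.match(line):
            cfg["nat_exempt"].append((m.group(1), m.group(2)))
    return cfg


def find_problems(cfg):
    """Return the misconfigurations the replies point at, as strings."""
    if cfg["inside"] is None or cfg["pool"] is None:
        return ["could not find the inside interface address or the VPN pool"]
    problems = []
    if cfg["pool"].overlaps(cfg["inside"]):
        problems.append("VPN pool overlaps the inside subnet; give the pool its own network")
    if not any(cfg["inside"].subnet_of(n) for n in cfg["split"]):
        problems.append("split-tunnel ACL does not include the inside network; "
                        "the client sends that traffic out its physical NIC")
    inside_names = {n for n, net in cfg["objects"].items() if net == cfg["inside"]}
    pool_names = {n for n, net in cfg["objects"].items() if net == cfg["pool"]}
    if not any(s in inside_names and d in pool_names for s, d in cfg["nat_exempt"]):
        problems.append("no identity NAT exemption from the inside network to the VPN pool")
    return problems


def client_egress(split_networks, destination):
    """Adapter a split-include client uses: ACL networks become routes on the
    tunnel adapter, everything else keeps the 0.0.0.0/0 route on the NIC."""
    dst = ipaddress.ip_address(destination)
    return "tunnel" if any(dst in n for n in split_networks) else "physical"


if __name__ == "__main__":
    for text in (CONFIG_ORIGINAL, CONFIG_SPLIT_WRONG, CONFIG_FIXED):
        cfg = parse(text)
        print(find_problems(cfg) or "ok", client_egress(cfg["split"], "192.168.172.3"))
```

Run it as-is and the second fragment reports both the split-tunnel and NAT problems and routes 192.168.172.3 to the physical NIC, which matches the ipconfig symptom described above; the third fragment reports nothing and routes it through the tunnel.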

WOW it works!!! Everything works - but I haven't tested the L3 tunnel yet.  I have to build up another 5505.  But NAT overload, PAT outside:8080 to inside:80, and AnyConnect VPN all work.

You're the best Georg.  Thank you for your time once again.   

Georg, I just got an amazing find.  It's a 5520 with an SSM-20 module and it is fully configured.  Sometimes you get lucky on Craigslist :-)  Looking at this configuration makes me feel like a kindergartner  :-/  Check it out!!!!  I sanitized it so, hopefully, there is no trace to the original owner....Used Cisco IP addresses for routable IPs.  This ASA is really locked down.
