1377 Views | 10 Helpful | 7 Replies

Routing over AnyConnect VPN

jkay18041
Level 3

Hello, I'm having a routing issue over my AnyConnect VPN.

I have 2 ASAs. The one with AnyConnect has a direct connection to the other ASA over a 192.168.95.0/30 link.

From AnyConnect I can ping the IP 10.16.1.1, but I am unable to RDP into it (RDP is enabled, as it works on the 10.15.2.0/24 network).

Can anyone see anything that would block this? The config below is from my ASA that has AnyConnect set up on it.


ASA Version 9.12(2)
!

domain-name company_name.corp
enable password ***** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
no names
name 10.245.245.0 VPN_IP_Pool
name 10.15.2.192 ssweb
dns-guard
no mac-address auto
ip local pool company_name-VPN-Pool 10.245.245.10-10.245.245.199 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 64.2.2.66 255.255.255.192
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.15.2.251 255.255.255.0
!
interface GigabitEthernet1/3
nameif voice
security-level 90
ip address 192.168.20.251 255.255.255.0
!
interface GigabitEthernet1/4
description Corp WiFi Interface
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4.33
description Printer
vlan 33
nameif Printers
security-level 100
ip address 10.15.33.251 255.255.255.0
!
interface GigabitEthernet1/5
nameif LW_WiFi
security-level 100
ip address 10.15.3.251 255.255.255.0
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6.4
description HR Department
vlan 4
nameif HR_Dept
security-level 100
ip address 10.15.4.251 255.255.255.0
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
nameif To_5516
security-level 0
ip address 192.168.95.2 255.255.255.252
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa9-12-2-lfbff-k8.SPA
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup voice
dns domain-lookup LW_WiFi
dns domain-lookup HR_Dept
dns server-group DefaultDNS
domain-name company_name.corp
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN_IP_Pool
subnet 10.245.245.0 255.255.255.0
object network company_name_Internal_Range
subnet 10.15.2.0 255.255.255.0
object network ScreenConnect
object network 64.2.2.86
host 64.2.2.86
object network 64.2.2.67
host 64.2.2.67
object network 64.2.2.94
host 64.2.2.94
object service aamon
service tcp destination eq 10101
object service aamob1
service udp destination eq isakmp
description AA Mobility
object service aamob2
service udp destination eq 4500
description AA Mobility
object network ForecastTool
host 10.15.2.54
description Internal Address of Forecast Tool
object network ForecastTool-Ext
host 64.2.2.69
description External Address of Forecast Tool
object service forecasttl
service tcp destination eq www
description Allow port 7171 on forecast tool
object network NETWORK_OBJ_10.245.245.0_24
subnet 10.245.245.0 255.255.255.0
object network Printer-External-IP
host 64.2.2.70
description Printer IP
object service Spiceworks-9675
service tcp destination eq 9675
description Permit TCP 9675
object network company_name_Voice_Range
subnet 192.168.20.0 255.255.255.0
description voice IP range
object network Voice_NAT
host 64.2.2.71
description Voice_NAT
object network Google_DNS_1
host 8.8.8.8
description Google_DNS_1
object network Google_DNS_2
host 8.8.4.4
description Google_DNS_2
object service DHCP_Relay
service udp destination eq bootps
object service GoverLAN-agents
service tcp destination eq 15155
description Allow GoverLAN agents to 15155
object network Nextiva_Block_1
subnet 208.73.144.0 255.255.248.0
object network DMZ_Radius
host 192.168.10.254
object service RDP-Service
service tcp source eq 3395
object network nextiva_background_images
subnet 151.101.48.0 255.255.255.0
description website
object network Nextiva_Block_2
subnet 208.89.108.0 255.255.252.0
object service LWNAS_443
service tcp source range 1 65000 destination eq https
description LWNAS
object network LWNAS
host 10.15.2.55
object network LWNAS-EXT
host 64.2.2.74
description External Address of LWNAS
object network VPN
host 64.2.2.66
description VPN public IP
object network LW_WiFi
subnet 10.15.3.0 255.255.255.0
description LW_WiFi
object network HR_Dept
subnet 10.15.4.0 255.255.255.0
description HR department
object network HR_Public_IP
host 64.2.2.68
description HR
object service Radius
service udp source range 0 50000 destination eq 1814
object network NETWORK_OBJ_10.30.97.0_24
subnet 10.30.97.0 255.255.255.0
object network NETWORK_OBJ_10.15.2.0_24
subnet 10.15.2.0 255.255.255.0
object network Printers
subnet 10.15.33.0 255.255.255.0
description Printer VLAN
object network ICTDC01
host 10.15.2.1
description ICTDC01
object network ICTDC03
host 10.15.2.3
description ICTDC03
object network ICTDC06
host 10.15.2.6
description ICTDC06
object network HR_Nat
subnet 10.15.4.0 255.255.255.0
description HR Dept
object network Corp_WiFi
subnet 10.15.3.0 255.255.255.0
description LW Corp WiFi
object network Voice
subnet 192.168.20.0 255.255.255.0
description Voice
object network NETWORK_OBJ_192.168.95.0_24
subnet 192.168.95.0 255.255.255.0
object network NETWORK_OBJ_192.168.90.0_24
subnet 192.168.90.0 255.255.255.0
object network AUSDC01
host 192.168.90.10
description AUSDC01
object network Cacti
host 10.15.2.73
description Cacti VM
object network Observium
host 10.15.2.22
description Observium_VM
object network RDS_Network
subnet 10.16.1.0 255.255.255.0
description RDS VLAN
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp-udp
port-object eq 3389
object-group network Google_DNS_Group
network-object object Google_DNS_1
network-object object Google_DNS_2
object-group service DM_INLINE_TCP_20 tcp
port-object eq ftp
port-object eq ftp-data
object-group network DM_INLINE_NETWORK_2
object-group service DM_INLINE_SERVICE_12
service-object icmp
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group network PrivateNetworks
network-object 10.0.0.0 255.0.0.0
object-group network USG_Networks_To_Block
description Guest - Networks to block
network-object object company_name_Voice_Range
network-object object VPN_IP_Pool
network-object 10.15.3.0 255.255.255.0
network-object 10.15.4.0 255.255.255.0
network-object object HR_Dept
network-object object HR_Public_IP
network-object 10.0.0.0 255.0.0.0
network-object object company_name_Internal_Range
object-group service time-servers udp
port-object eq ntp
object-group network Nextiva_IP_Ranges
network-object object Nextiva_Block_1
group-object Google_DNS_Group
network-object object Nextiva_Block_2
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq sip
service-object udp destination eq sip
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp
service-object object LWNAS_443
object-group service mDNS udp
description udp 5353
port-object eq 5353
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group network Domain_Controllers
description ICT Domain Controllers
network-object object ICTDC01
network-object object ICTDC03
network-object object ICTDC06
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_TCP_2 tcp
group-object RDP
port-object eq ftp
port-object eq www
port-object eq https
port-object eq ssh
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
object-group service DC_Comm tcp-udp
description DC communication between clients and DCs
port-object eq 135
port-object eq 445
object-group service Kerberos tcp-udp
description Kerberos Password Change
port-object eq 464
object-group service DM_INLINE_TCPUDP_1 tcp-udp
group-object DC_Comm
group-object Kerberos
port-object eq domain
object-group service Domain_Controllers_Auth udp
description Domain Controllers Authentication
port-object eq 88
object-group service LDAP udp
description UDP LDAP
port-object eq 389
object-group service DM_INLINE_UDP_1 udp
group-object Domain_Controllers_Auth
group-object LDAP
port-object eq netbios-ns
object-group service GC_Servers tcp
description GC servers
port-object eq 3268
port-object eq 3269
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
object-group service 3389 tcp-udp
description RDP
port-object eq 3389
object-group service DM_INLINE_TCPUDP_2 tcp-udp
group-object DC_Comm
group-object Kerberos
port-object eq domain
object-group service DM_INLINE_UDP_2 udp
group-object Domain_Controllers_Auth
group-object LDAP
group-object time-servers
object-group service DM_INLINE_TCPUDP_3 tcp-udp
group-object DC_Comm
group-object Kerberos
object-group network SMNP_Collectors
description SNMP Collectors
network-object object Cacti
network-object object Observium
access-list inside_nat0_outbound extended permit ip any object VPN_IP_Pool
access-list outside_access_in extended deny udp any object DMZ_Radius eq 5353
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object forecasttl any4 object ForecastTool
access-list outside_access_in extended permit ip any object LWNAS
access-list 110 extended permit ip 10.0.0.0 255.0.0.0 object VPN_IP_Pool
access-list inside_access_in_1 extended permit ip 10.15.2.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list ASA-Sourcefire extended permit ip any any inactive
access-list company_name-VPN-Split-Tunnel standard permit 10.15.0.0 255.255.0.0
access-list voice_access_in extended deny ip object-group PrivateNetworks any
access-list voice_access_in extended permit tcp 192.168.20.0 255.255.255.0 object nextiva_background_images object-group DM_INLINE_TCP_1
access-list voice_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.20.0 255.255.255.0 any
access-list voice_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.20.0 255.255.255.0 object-group Nextiva_IP_Ranges
access-list voice_access_in extended permit udp any any eq ntp
access-list voice_access_in extended deny ip any any log debugging
access-list voice_access_in extended deny icmp any any inactive
access-list To_5516_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any object-group Domain_Controllers
access-list To_5516_access_in extended permit tcp any object-group Domain_Controllers object-group GC_Servers inactive
access-list To_5516_access_in extended permit udp any object-group Domain_Controllers object-group DM_INLINE_UDP_1 inactive
access-list To_5516_access_in extended permit object-group TCPUDP any object-group Domain_Controllers object-group DM_INLINE_TCPUDP_1 inactive
access-list To_5516_access_in extended deny object-group DM_INLINE_PROTOCOL_5 any any
access-list To_5516_access_in extended deny tcp any any object-group DM_INLINE_TCP_2
access-list To_5516_access_in extended deny tcp any any eq lpd
access-list DMZ_access_in extended permit ip any any
access-list DMZ-2_access_in extended deny ip any any inactive
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list from_outside extended permit icmp any any echo
access-list LW_WiFi_access_in extended deny ip any 192.168.20.0 255.255.255.0
access-list LW_WiFi_access_in extended deny ip any 10.15.4.0 255.255.255.0
access-list LW_WiFi_access_in extended permit ip any any
access-list HR_Dept_access_in extended deny ip any 192.168.100.0 255.255.255.0
access-list HR_Dept_access_in extended deny ip any 192.168.20.0 255.255.255.0
access-list HR_Dept_access_in extended deny ip any 10.15.3.0 255.255.255.0
access-list HR_Dept_access_in extended permit ip any any
access-list Printers_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list outside_cryptomap extended permit ip 10.15.2.0 255.255.255.0 object NETWORK_OBJ_192.168.90.0_24
access-list outside_cryptomap extended permit tcp object AUSDC01 object ICTDC01 object-group GC_Servers
access-list outside_cryptomap extended permit udp object AUSDC01 object ICTDC01 object-group DM_INLINE_UDP_2
access-list outside_cryptomap extended permit object-group TCPUDP object AUSDC01 object ICTDC01 object-group DM_INLINE_TCPUDP_3
!
tcp-map tmap
invalid-ack allow
seq-past-window allow
tcp-options md5 clear
!
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 200
logging buffered debugging
logging trap warnings
logging asdm debugging
logging host inside 10.15.2.226
mtu outside 1500
mtu inside 1500
mtu voice 1500
mtu Printers 1500
mtu LW_WiFi 1500
mtu HR_Dept 1500
mtu To_5516 1500
no failover
no monitor-interface Printers
no monitor-interface HR_Dept
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-7121.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static company_name_Internal_Range company_name_Internal_Range destination static NETWORK_OBJ_10.245.245.0_24 NETWORK_OBJ_10.245.245.0_24 no-proxy-arp route-lookup
nat (HR_Dept,outside) source static HR_Dept HR_Dept destination static NETWORK_OBJ_10.245.245.0_24 NETWORK_OBJ_10.245.245.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static company_name_Internal_Range company_name_Internal_Range destination static NETWORK_OBJ_192.168.95.0_24 NETWORK_OBJ_192.168.95.0_24 no-proxy-arp route-lookup inactive
nat (inside,outside) source static NETWORK_OBJ_10.15.2.0_24 NETWORK_OBJ_10.15.2.0_24 destination static NETWORK_OBJ_192.168.90.0_24 NETWORK_OBJ_192.168.90.0_24 no-proxy-arp route-lookup
!
object network ForecastTool
nat (inside,outside) static ForecastTool-Ext
object network LWNAS
nat (inside,outside) static LWNAS-EXT service tcp 5001 https
object network HR_Nat
nat (HR_Dept,outside) dynamic HR_Public_IP
object network Corp_WiFi
nat (LW_WiFi,outside) dynamic 64.2.2.67
object network Voice
nat (voice,outside) dynamic Voice_NAT
!
nat (Printers,outside) after-auto source dynamic Printers Printer-External-IP
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside control-plane
access-group inside_access_in in interface inside
access-group voice_access_in in interface voice
access-group Printers_access_in in interface Printers
access-group LW_WiFi_access_in in interface LW_WiFi
access-group HR_Dept_access_in in interface HR_Dept
access-group To_5516_access_in in interface To_5516
route outside 0.0.0.0 0.0.0.0 64.2.2.65 1
route To_5516 10.16.1.0 255.255.255.0 192.168.95.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:05:00 sip-invite 0:05:00 sip-disconnect 0:05:00
timeout sip-provisional-media 0:05:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server LDAP protocol ldap
reactivation-mode depletion deadtime 1
max-failed-attempts 5
aaa-server LDAP (inside) host 10.15.2.1
server-port 636
ldap-base-dn DC=company_name,DC=corp
ldap-scope subtree
ldap-naming-attribute userPrincipalName
ldap-login-password *****
ldap-login-dn CN=administrator,CN=Users,DC=company_name,DC=corp
ldap-over-ssl enable
server-type microsoft
aaa-server LDAP (inside) host 10.15.2.6
server-port 636
ldap-base-dn DC=company_name,DC=corp
ldap-scope subtree
ldap-naming-attribute userPrincipalName
ldap-login-password *****
ldap-login-dn CN=administrator,CN=Users,DC=company_name,DC=corp
ldap-over-ssl enable
server-type microsoft
aaa-server LDAP (inside) host 10.15.2.3
server-port 636
ldap-base-dn DC=company_name,DC=corp
ldap-scope subtree
ldap-naming-attribute userPrincipalName
ldap-login-password *****
ldap-login-dn CN=administrator,CN=Users,DC=company_name,DC=corp
ldap-over-ssl enable
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable 8443
http 10.15.2.0 255.255.255.0 inside
snmp-server host inside 10.15.2.73 community ***** version 2c
snmp-server host inside 10.15.2.22 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
sysopt connection tcpmss 1300
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES-256
protocol esp encryption aes-gcm-256 aes-256
protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 64.2.2.111
crypto map outside_map 1 set ikev2 ipsec-proposal AES-256
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.15.2.251,CN=LWASA1
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=10.15.2.251,CN=LWASA1
crl configure
crypto ca trustpoint SSL-VPN
enrollment terminal
fqdn vpn.company_name.com
subject-name CN=*.company_name.com,OU=NA,O=company_name,C=US,St=KS,L=Wichita,EA=it@company_name.com
crl configure
crypto ca trustpoint VPN
enrollment terminal
crl configure
crypto ca trustpoint Intermediate
enrollment terminal
crl configure
crypto ca trustpoint Intermediate_2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint0
keypair SSL-VPN
crl configure
crypto ca trustpoint SSL-Trustpoint
enrollment terminal
subject-name CN=LWASA1
keypair SSL-Cert
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject-name CN=*.company_name.com,O=company_name,C=US,St=KS,L=Wichita,EA=admin@company_name.com
keypair SSL-Cert_VPN
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto ca certificate chain Intermediate
certificate ca 2b2e6eead975366c148a6edba37c8c07
30820608 308203f0 a0030201 0202102b 2e6eead9 75366c14 8a6edba3 7c8c0730
0d06092a 864886f7 0d01010c 05003081 85310b30 09060355 04061302 4742311b
30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
41204c69 6d697465 64312b30 29060355 04031322 434f4d4f 444f2052 53412043
65727469 66696361 74696f6e 20417574 686f7269 7479301e 170d3134 30323132
30303030 30305a17 0d323930 32313132 33353935 395a3081 90310b30 09060355
04061302 4742311b 30190603 55040813 12477265 61746572 204d616e 63686573
74657231 10300e06 03550407 13075361 6c666f72 64311a30 18060355 040a1311
434f4d4f 444f2043 41204c69 6d697465 64313630 34060355 0403132d 434f4d4f
444f2052 53412044 6f6d6169 6e205661 6c696461 74696f6e 20536563 75726520
53657276 65722043 41308201 22300d06 092a8648 86f70d01 01010500 0382010f
00308201 0a028201 01008ec2 0219e1a0 59a4eb38 358d2cfd 01d0d349 c064c70b
62054516 3aa8a0c0 0c027f1d ccdbc4a1 6d7703a3 0f86f9e3 069c3e0b 818a9b49
1bad03be fa4bdb8c 20edd5ce 5e658e3e 0daf4cc2 b0b7455e 522f34de 482464b4
41ae0097 f7be67de 9ed07aa7 53803b7c adf59655 6f97470a 7c858b22 978db384
e09657d0 70186096 8fee2d07 939da1ba cad1cd7b e9c42a9a 2821914d 6f924f25
a5f27a35 dd26dc46 a5d0ac59 358cff4e 9143503f 59931e6c 5121ee58 14abfe75
50783e4c b01c8613 fa6b98bc e03b941e 8552dc03 9324186e cb275145 e670de25
43a40de1 4aa5edb6 7ec8cd6d ee2e1d27 735ddc45 3080aae3 b2410baf bd4487da
b9e51b9d 7faee585 82a50203 010001a3 82016530 82016130 1f060355 1d230418
30168014 bbaf7e02 3dfaa6f1 3c848ead ee3898ec d93232d4 301d0603 551d0e04
16041490 af6a3a94 5a0bd890 ea125673 df43b43a 28dae730 0e060355 1d0f0101
ff040403 02018630 12060355 1d130101 ff040830 060101ff 02010030 1d060355
1d250416 30140608 2b060105 05070301 06082b06 01050507 0302301b 0603551d
20041430 12300606 04551d20 00300806 0667810c 01020130 4c060355 1d1f0445
30433041 a03fa03d 863b6874 74703a2f 2f63726c 2e636f6d 6f646f63 612e636f
6d2f434f 4d4f444f 52534143 65727469 66696361 74696f6e 41757468 6f726974
792e6372 6c307106 082b0601 05050701 01046530 63303b06 082b0601 05050730
02862f68 7474703a 2f2f6372 742e636f 6d6f646f 63612e63 6f6d2f43 4f4d4f44
4f525341 41646454 72757374 43412e63 72743024 06082b06 01050507 30018618
68747470 3a2f2f6f 6373702e 636f6d6f 646f6361 2e636f6d 300d0609 2a864886
f70d0101 0c050003 82020100 4e2b764f 921c6236 89ba77c1 2705f41c d6449da9
9a3eaad5 6666013e ea49e6a2 35bcfaf6 dd958e99 35980e36 1875b1dd dd50727c
aedc7788 ce0ff790 20caa367 2e1f567f 7be144ea 4295c45d 0d015046 15f28189
596c8add 8cf112a1 8d3a428a 98f84b34 7b273b08 b46f243b 729d6374 583c1a6c
3f4fc711 9ac8a8f5 b537ef10 45c66cd9 e05e9526 b3ebada3 b9ee7f0c 9a663573
32604ee5 dd8a612c 6e521177 6896d318 75511500 1b7488dd e1c73804 4328e916
fdd905d4 5d472760 d6fb383b 6c72a294 f8421adf ed6f068c 45c20600 aae4e8dc
d9b5e173 78ecf623 dcd1dd6c 8e1a8fa5 ea547c96 b7c3fe55 8e8d495e fc64bbcf
3ebd96eb 69cdbfe0 48f16282 10e50c46 57f233da d0c863ed c61f9405 964a1a91
d1f7ebcf 8f52ae0d 08d93ea8 a051e9c1 8774d5c9 f774ab2e 53fbbb7a fb97e2f8
1f268fb3 d2a0e037 5b283b31 e50e572d 5ab8ad79 ac5e2066 1aa5b9a6 b539c1f5
9843ffee f9a7a7fd eeca243d 8016c417 8f8ac160 a10cae5b 4347914b d59a175f
f9d487c1 c28cb7e7 e20f3019 3786ace0 dc4203e6 94a89dae fd0f2451 94ce9208
d1fc50f0 03407b88 59ed0edd acd27782 34dc0695 02d890f9 2dea37d5 1a60d067
20d7d842 0b45af82 68dedd66 24379029 94194619 25b880d7 cbd48628 6a447026
2362a99f 866fbfba 9070d256 778578ef ea25a917 ce50728c 003aaae3 db63349f
f8067101 e28220d4 fe6fbdb1
quit
crypto ca certificate chain Intermediate_2
certificate ca 2766ee56eb49f38eabd770a2fc84de22
30820574 3082045c a0030201 02021027 66ee56eb 49f38eab d770a2fc 84de2230
0d06092a 864886f7 0d01010c 0500306f 310b3009 06035504 06130253 45311430
12060355 040a130b 41646454 72757374 20414231 26302406 0355040b 131d4164
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 00e012bc3f3cc8d9315b22fe41ffe8c359
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha512 sha384 sha256
group 14 5
prf sha512 sha384 sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 10.15.2.0 255.255.255.0 inside
ssh timeout 5
ssh version 1 2
ssh cipher encryption high
console timeout 0
management-access inside
dhcprelay server 10.15.2.1 inside
dhcprelay enable voice
dhcprelay enable LW_WiFi
dhcprelay enable HR_Dept
dhcprelay setroute voice
dhcprelay setroute LW_WiFi
dhcprelay setroute HR_Dept
dhcprelay timeout 60
priority-queue outside
tx-ring-limit 256
priority-queue voice
tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter use-database
dynamic-filter enable
dynamic-filter whitelist
name usps.com
ntp server 208.80.96.96
ntp server 10.15.2.1 source inside prefer
ntp server 184.105.192.247
ntp server 50.116.38.157
ntp server 72.249.38.88
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default fips
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group20
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable outside
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect image disk0:/anyconnect-win-4.7.03052-webdeploy-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macos-4.7.03052-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
webvpn
anyconnect ssl rekey method ssl
group-policy GroupPolicy_company_name internal
group-policy GroupPolicy_company_name attributes
wins-server none
dns-server value 10.15.2.1 10.15.2.9
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value company_name-VPN-Split-Tunnel
default-domain value company_name.corp
webvpn
anyconnect ssl rekey method ssl
group-policy GroupPolicy_64.2.2.111 internal
group-policy GroupPolicy_64.2.2.111 attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
user-message "No access for you!! :("
action terminate
dynamic-access-policy-record Cisco_VPN_Users
description "Cisco VPN Users LDAP Group"
quota management-session 4
username admin password ***** encrypted privilege 15
tunnel-group company_name type remote-access
tunnel-group company_name general-attributes
address-pool company_name-VPN-Pool
authentication-server-group LDAP LOCAL
default-group-policy GroupPolicy_company_name
tunnel-group company_name webvpn-attributes
group-alias company_name enable
tunnel-group 64.2.2.111 type ipsec-l2l
tunnel-group 64.2.2.111 general-attributes
default-group-policy GroupPolicy_64.2.2.111
tunnel-group 64.2.2.111 ipsec-attributes
ikev1 pre-shared-key
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key
!
class-map MiCloud-Signaling
match dscp af31
class-map MiCloud-Voice
match dscp ef
class-map Voice
match dscp ef
class-map inspecttion_default
class-map Sourcefire-class
match access-list ASA-Sourcefire
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map p1_priority
class Voice
priority
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
class Sourcefire-class
sfr fail-open

Thank you

1 Accepted Solution

jkay18041
Level 3

It appears my issue was with the VPN split tunnel. Added the 10.16.1.0/24 subnet and problem solved.

Thanks for the input
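As an added illustration of why the accepted fix works (this is not part of the original thread or of the poster's configuration): with `split-tunnel-policy tunnelspecified`, the AnyConnect client only routes destinations matched by a permit entry in the split-tunnel list into the tunnel; everything else leaves through the client's local interface and never reaches the ASA, which is also why a packet-tracer on the ASA shows the flow permitted. The script parses ASA standard-ACL lines for the `company_name-VPN-Split-Tunnel` list and evaluates the hosts from the thread against a constructed before/after list; the two 10.15.x.0/24 entries are assumed, since the original list is not shown on the page.

```python
import ipaddress
import re

# Constructed sample split-tunnel list (the thread does not show the original
# entries; the 10.15.x.0/24 lines are assumed). AFTER adds the 10.16.1.0/24 fix.
ACL_NAME = "company_name-VPN-Split-Tunnel"
SPLIT_TUNNEL_BEFORE = f"""
access-list {ACL_NAME} standard permit 10.15.2.0 255.255.255.0
access-list {ACL_NAME} standard permit 10.15.33.0 255.255.255.0
"""
SPLIT_TUNNEL_AFTER = SPLIT_TUNNEL_BEFORE + (
    f"access-list {ACL_NAME} standard permit 10.16.1.0 255.255.255.0\n"
)

# ASA standard ACL: access-list NAME standard {permit|deny} {any4 | host A | NET MASK}
ACL_LINE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+standard\s+(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any4?)|host\s+(?P<host>\S+)|(?P<net>\S+)\s+(?P<mask>\S+))$"
)

def parse_split_tunnel(config, acl_name):
    """Return the ordered (action, network) entries of one standard ACL."""
    entries = []
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if not m or m.group("name") != acl_name:
            continue
        if m.group("any"):
            net = ipaddress.ip_network("0.0.0.0/0")
        elif m.group("host"):
            net = ipaddress.ip_network(f"{m.group('host')}/32")
        else:  # network plus dotted netmask, as the ASA prints it
            net = ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False)
        entries.append((m.group("action"), net))
    return entries

def route_decision(entries, destination):
    """First-match evaluation as the client applies a tunnelspecified list:
    permit -> tunnel; deny or no match -> local interface (ASA never sees it)."""
    dst = ipaddress.ip_address(destination)
    for action, net in entries:
        if dst in net:
            return "tunnel" if action == "permit" else "local"
    return "local"

if __name__ == "__main__":
    for label, cfg in (("before", SPLIT_TUNNEL_BEFORE), ("after", SPLIT_TUNNEL_AFTER)):
        entries = parse_split_tunnel(cfg, ACL_NAME)
        for host in ("10.15.2.192", "10.16.1.1", "10.16.1.3"):
            print(f"{label:6} {host:12} -> {route_decision(entries, host)}")
```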

7 Replies

Seb Rupik
VIP Alumni

Hi there,
The connections arriving via Gi1/8 are hitting the ACL To_5516_access_in. This ACL is permitting IP and ICMP traffic to three DCs which reside in 10.15.2.0/24, so I assume the pings you say are working are to these servers?

If you want access to 10.16.1.0 (RDS_Network) then you need to add some lines to To_5516_access_in:

!
access-list To_5516_access_in line 5 extended permit object-group TCPUDP any RDS_Network object-group RDP
!

cheers,
Seb.

Thank you for your response. I am able to ping those IPs, but I can also ping 10.16.1.1 and 10.16.1.3, which I should also be able to remote desktop into but am unable to. The 3 DCs I can ping because AnyConnect is on the same ASA as those. The 10.16.1.0/24 network resides on another ASA which connects to this ASA over port 1/8.

 

Thanks for the help

rasmus.elmholt
Level 7
Hi
To me it looks like you have only allowed ICMP from the Anyconnect clients:
access-list outside_access_in extended permit icmp any any
As far as I remember the AnyConnect traffic needs to be allowed from the outside interface somehow.

Have you tried the packet tracer feature?

I have done the packet trace, and it appears to allow the packet through.
