cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
1612
Views
5
Helpful
20
Replies
dovla091
Beginner

ASA issue with either routing or ACL or NAT...

Hi,

I am configuring ASA for the first time. Usually I was playing with Cisco switches, HP switches and Cisco routers, but eventualy time comes for me to play with ASA. The network goes like this.

On HP switch there is two networks:

- admin (192.168.1.0/24 VLAN1)  (ports untagged 13-23)

- guestWifi (192.168.10.0/24 VLAN10) (ports untagged 1-12)

Tagged trk port (24) to pass VLAN 1 and VLAN 10 to ASA, and this is done just fine

HP Configuration:

show running-config

Running configuration:

; J9773A Configuration Editor; Created on release #YA.15.16.0006
; Ver #06:04.9c.63.ff.37.27:12
hostname "MDF-XXXX"
trunk 24 trk1 lacp
timesync sntp
sntp unicast
sntp 30
sntp server priority 1 194.239.123.230
snmp-server community "public" unrestricted
vlan 1
   name "XXXX-ADMINISTRATION"
   no untagged 1-12
   untagged 13-23,25-28
   tagged Trk1
   ip address 192.168.1.254 255.255.255.0
   ip helper-address 192.168.1.1
   exit
vlan 10
   name "XXXX-GUEST-WIFI"
   untagged 1-12
   tagged Trk1
   ip address 192.168.10.254 255.255.255.0
   ip helper-address 192.168.10.1
   exit
spanning-tree
spanning-tree Trk1 priority 4
no tftp server
no dhcp config-file-update
no dhcp image-file-update
password manager

I have setup the configuration for ASA as interface 1/1 to be outside with static IP of 93.164.15.50/30 and interface 1/2 to have two subinterfaces each per specific VLAN (so, gi1/2.1 - VLAN1 and gi1/2.10 - VLAN10) and ping from switch to ASA works flawlessly.

I have setup one default route as 0.0.0.0 0.0.0.0 93.164.15.49 1 which is the line between ASA and ISP box, when I try to ping from pc that simulates "gateway" to ASA, everything works as it should, but when I try to ping from switch to outside interface of ASA on IP 93.164.15.50/30 then I get no reply. Even thoug we are speaking of ICMP protocol, I presume that this also applies to all other traffic TCP/UDP.

ASA configuration:

 show running-config
: Saved

:
: Serial Number: JAD20230482
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
hostname xxxxxxxxxx
enable password ciqYWBUSFqxNA58M encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet1/1
 description Outside interface for connecting to ISP box
 nameif outside
 security-level 0
 ip address 93.164.15.50 255.255.255.252
!
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2.1
 description administration office network
 vlan 1
 nameif administration
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2.10
 description guest wifi network
 vlan 10
 nameif guestWifi
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 description Management of the ASA via ASDM
 management-only
 nameif Management
 security-level 80
 ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
object network administration
 subnet 192.168.1.0 255.255.255.0
 description administration network
object network guestwifi
 subnet 192.168.10.0 255.255.255.0
 description guest wifi zone
object network defaultRoute
 subnet 0.0.0.0 0.0.0.0
 description Default route
object-group network Inside_Networks
 description All Inside xxxxxx Networks
 network-object object administration
 network-object object guestwifi
pager lines 24
logging enable
mtu Management 1500
mtu administration 1500
mtu guestWifi 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.1.0 255.255.255.0 administration
icmp permit 192.168.1.0 255.255.255.0 guestWifi
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic Inside_Networks interface description Nat translation for xxxxx for all networks
route outside 0.0.0.0 0.0.0.0 93.164.15.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=xxxxxx.xx
 keypair tokaicert.key
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.2.1,CN=xxxxxASA
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 7fd59157
    30820339 30820221 a0030201 0202047f d5915730 0d06092a 864886f7 0d010105
    0500302c 3111300f 06035504 03130874 6f6b6169 2e646b31 17301506 092a8648
    86f70d01 09021608 546f6b61 69415341 301e170d 31363037 32323039 31353534
   
    0a00eae3 c1e13963 faa26a89 5fff7ee3 77f6bffc d373dc5c 75bd1db8 7a5f27bf
    f2f3aff7 a279c32e f174c6b5 c5f37dc9 4fbaa003 ded7161a 787f4e6f caad57b3
    1dfb9fe0 c3cc990f c11bc06f c142379d 1b91f5cb c10fc89a 6fcf5d49 39679a77
    087c68cf 8b6c803b 29c8a084 77baf819 78bac258 67c3b38c 65d28a7c df
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 80d59157
    308202ce 308201b6 a0030201 02020480 d5915730 0d06092a 864886f7 0d010105
    05003029 3111300f 06035504 03130854 6f6b6169 41534131 14301206 03550403
    130b3139 322e3136 382e322e 31301e17 0d313630 37323231 31303532 385a170d
    32363037 32303131 30353238 5a302931 11300f06 03550403 1308546f 6b616941
   
    c8a71d39 a28b574b ae2d2a13 48cbca81 207f2455 1854a334 da51685a af280634
    2b397dc1 d237d294 7687145d da038bfa 418824f5 74b666a8 892572e5 85f550fd
    676612f8 4587203a fef23deb 263b8788 235b09f7 d61f8f62 59ec8f81 2ca964ff
    8074643a 47b551bb dd059fb8 a621da24 76651c7e 25d2686b 1da35983 beca326f
    3996fe1e b56ff5e8 1dbb18c9 6723d809 6b0e
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 administration
ssh 192.168.10.0 255.255.255.0 guestWifi
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 192.168.1.2-192.168.1.253 administration
dhcpd dns 8.8.8.8 208.67.222.222 interface administration
dhcpd enable administration
!
dhcpd address 192.168.10.2-192.168.10.253 guestWifi
dhcpd dns 8.8.8.8 208.67.222.222 interface guestWifi
dhcpd enable guestWifi
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management vpnlb-ip
dynamic-access-policy-record DfltAccessPolicy
username fellow password xxxxxxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
: end

Can anyone explain where is the problem, because I cannot see it. Also if someone has some emulator or what, can you give me the correct answer what is missing in ASA. The reason for that is I am running production machine and I cannot do "try this, or try that". I hope you understand that.

Thank you in advance and have a great weekend :)

20 REPLIES 20

The new configuration looks like this:

: Saved

:
: Serial Number: JAD20230482
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by admin at 08:39:56.859 UTC Mon Aug 1 2016
!
ASA Version 9.5(2)
!
hostname XXXXXXX
enable password XXXXXXXXXXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool XXXXXVPN 10.16.0.2-10.16.0.50 mask 255.255.255.0
!
interface GigabitEthernet1/1
description Outside interface for connecting to TDC box
nameif outside
security-level 0
ip address 93.164.15.50 255.255.255.252
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.1
description administration office network
vlan 1
nameif administration
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2.10
description guest wifi network
vlan 10
nameif guestWifi
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
description Management of the ASA via ASDM
management-only
nameif Management
security-level 80
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
object network administration
subnet 192.168.1.0 255.255.255.0
description administration network
object network guestwifi
subnet 192.168.10.0 255.255.255.0
description guest wifi zone
object network defaultRoute
subnet 0.0.0.0 0.0.0.0
description Default route
object network outInterface
host 93.164.15.49
description Outside Interface
object network NETWORK_OBJ_10.16.0.0_26
subnet 10.16.0.0 255.255.255.192
object network guestWiFi
subnet 192.168.10.0 255.255.255.0
description Guest WiFi NAT rule
object-group network Inside_Networks
description All Inside XXXXX Networks
network-object object administration
network-object object guestwifi
access-list acl-administration extended permit ip any any
access-list acl-administration extended permit tcp any any eq www
access-list acl-administration extended permit tcp any any eq https
access-list acl-administration extended permit udp any any eq domain
access-list acl-administration extended permit tcp any any eq ftp
access-list acl-administration extended permit tcp any any eq ssh
access-list acl-guestWiFi extended permit ip any any
access-list acl-guestWiFi extended permit tcp any any eq www
access-list acl-guestWiFi extended permit tcp any any eq https
access-list acl-guestWiFi extended permit udp any any eq domain
access-list acl-guestWiFi extended permit tcp any any eq ftp
access-list acl-guestWiFi extended permit tcp any any eq ssh
access-list acl-outside extended deny ip any any log
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu administration 1500
mtu guestWifi 1500
mtu Management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.1.0 255.255.255.0 administration
icmp permit 192.168.10.0 255.255.255.0 guestWifi
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic Inside_Networks interface description Nat translation for XXXXX for all networks
access-group acl-outside in interface outside
access-group acl-administration in interface administration
access-group acl-guestWiFi in interface guestWifi
route outside 0.0.0.0 0.0.0.0 93.164.15.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=XXXXX.dk
keypair XXXXXcert.key
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.2.1,CN=XXXXXASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=192.168.2.1,CN=XXXXXASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 7fd59157
30820339 30820221 a0030201 0202047f d5915730 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130874 6f6b6169 2e646b31 17301506 092a8648
86f70d01 09021608 546f6b61 69415341 301e170d 31363037 32323039 31353534
5a170d32 36303732 30303931 3535345a 302c3111 300f0603 55040313 08746f6b
61692e64 6b311730 1506092a 864886f7 0d010902 1608546f 6b616941 53413082
0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100b2
4bab3c17 c1fe7ee3 1ab4a240 19731a37 14d58ea0 2dcf1c42 e422abe0 3f7f1720
2f314bd3 22da3f69 846b22ab 5408876f 87702a13 e401d170 003e6547 f993f23e
110436c7 9bf12c0c c16384cf 65c0c571 1cc0923c 82d7fd52 d5a7dc44 ef3b42aa
fa2d42bb 886591d2 617838c5 e75f9b2a 8482a0af 69195672 acb3f5b5 907c6572
4f332c3a 9ed0a4de 3d9f5397 a5665682 bb724d00 54bc2bc7 9ed3ef60 76ad8cb8
2db9a487 f2a7621b 9e747640 b12d4077 ee8a2bff d3e89a48 a9be6c34 6611d317
dd225d5e eb686acf 356ce336 92fbc927 1e1351a0 bf1dd7cf 1c31a405 5110f558
0a9cd525 7c12ab75 c671d7c6 67e3c88c c6abce60 8d9ada2b 1b39c6fd 33996502
03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
0101ff04 04030201 86301f06 03551d23 04183016 801455a3 a1c61dd5 8312f1d2
1432c403 ebf264d8 80fa301d 0603551d 0e041604 1455a3a1 c61dd583 12f1d214
32c403eb f264d880 fa300d06 092a8648 86f70d01 01050500 03820101 0082bed7
5d2e78cd 70081e7e ae935a98 6c0661fd a77c21cb aa2f2a4e 4c715d3b e9614643
b5866834 2572c2c7 237e7db2 4d970652 1060f74b 39aebb9e cbfcddf6 8a27e5bc
66652fbd de260d8e f249b1d7 a48b1306 257c0254 fdf22ebe 83d5bc8d 30b0209a
ce03c25f a09ea708 8c951f03 6bcdc78f a14840bd 33fa902f 8d43684d 0958bac9
0a00eae3 c1e13963 faa26a89 5fff7ee3 77f6bffc d373dc5c 75bd1db8 7a5f27bf
f2f3aff7 a279c32e f174c6b5 c5f37dc9 4fbaa003 ded7161a 787f4e6f caad57b3
1dfb9fe0 c3cc990f c11bc06f c142379d 1b91f5cb c10fc89a 6fcf5d49 39679a77
087c68cf 8b6c803b 29c8a084 77baf819 78bac258 67c3b38c 65d28a7c df
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 80d59157
308202ce 308201b6 a0030201 02020480 d5915730 0d06092a 864886f7 0d010105
05003029 3111300f 06035504 03130854 6f6b6169 41534131 14301206 03550403
130b3139 322e3136 382e322e 31301e17 0d313630 37323231 31303532 385a170d
32363037 32303131 30353238 5a302931 11300f06 03550403 1308546f 6b616941
53413114 30120603 55040313 0b313932 2e313638 2e322e31 30820122 300d0609
2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00d87015 6b1624e3
51654f85 b67728e4 644ef0f8 00cba542 5738af2e 2563af30 3a87c303 fac9d103
fa3f7dce 66b578c0 ac97e0b3 33de17a0 ce6e275d c390fdc0 996e78f9 31f5818c
19f300dc 5e95df11 1bee5930 0db37075 0de09b8c cf5f200f be8b987b fdb3f59e
f645dff9 250516db 2ea1fe9f ee1ad060 da6b4613 14eb2b16 e64f7b33 6845ec1a
3d5e0be2 4d921fbf f4a07b6b 2a066445 599ad783 8567096e b6275ea5 1001436a
0dedf5bb 0e2109d3 3b27c8b6 ed58a0c5 eb76a3a4 2282f1e7 e0e7a1c3 6a433191
965b66e7 07738ea9 f47f880d 86d4d9f8 85aedaed 77da07c5 d69c1858 13ba61aa
868d2b27 df569d2c db42fb7c 01572916 9ddc0cad 1bdef8c5 0d020301 0001300d
06092a86 4886f70d 01010505 00038201 010084a3 dcade758 f8853379 36278823
8b2d54e3 26cd6901 d0325261 3259fd56 c2016623 b49d8494 755c99f8 e04381dc
20172a71 f332f00a e5dda642 17bad134 7156bec2 7c2d4cf8 1a4eef71 4142161e
70b65439 4fa8a069 58cf1c18 20f4ff95 20d2cc84 443ab455 675e3c65 f25c620a
c8a71d39 a28b574b ae2d2a13 48cbca81 207f2455 1854a334 da51685a af280634
2b397dc1 d237d294 7687145d da038bfa 418824f5 74b666a8 892572e5 85f550fd
676612f8 4587203a fef23deb 263b8788 235b09f7 d61f8f62 59ec8f81 2ca964ff
8074643a 47b551bb dd059fb8 a621da24 76651c7e 25d2686b 1da35983 beca326f
3996fe1e b56ff5e8 1dbb18c9 6723d809 6b0e
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
certificate 81d59157
308202ce 308201b6 a0030201 02020481 d5915730 0d06092a 864886f7 0d010105
05003029 3111300f 06035504 03130854 6f6b6169 41534131 14301206 03550403
130b3139 322e3136 382e322e 31301e17 0d313630 37323231 33323934 375a170d
32363037 32303133 32393437 5a302931 11300f06 03550403 1308546f 6b616941
53413114 30120603 55040313 0b313932 2e313638 2e322e31 30820122 300d0609
2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00d87015 6b1624e3
51654f85 b67728e4 644ef0f8 00cba542 5738af2e 2563af30 3a87c303 fac9d103
fa3f7dce 66b578c0 ac97e0b3 33de17a0 ce6e275d c390fdc0 996e78f9 31f5818c
19f300dc 5e95df11 1bee5930 0db37075 0de09b8c cf5f200f be8b987b fdb3f59e
f645dff9 250516db 2ea1fe9f ee1ad060 da6b4613 14eb2b16 e64f7b33 6845ec1a
3d5e0be2 4d921fbf f4a07b6b 2a066445 599ad783 8567096e b6275ea5 1001436a
0dedf5bb 0e2109d3 3b27c8b6 ed58a0c5 eb76a3a4 2282f1e7 e0e7a1c3 6a433191
965b66e7 07738ea9 f47f880d 86d4d9f8 85aedaed 77da07c5 d69c1858 13ba61aa
868d2b27 df569d2c db42fb7c 01572916 9ddc0cad 1bdef8c5 0d020301 0001300d
06092a86 4886f70d 01010505 00038201 01005aa7 d6b1a7f1 79bcad68 29a57db4
bdcc99eb b796dde2 8eae59c6 ed1975ad 92c96965 97053f15 245f0901 d4719cc4
272a438a 7526122b 782ac0cb bc996681 3a94bd8a 150da41f a3abcb66 0657cf88
0f2129da 9ac9b893 f24dd328 b7a0d234 74def129 7afa9e2d 8429d439 f1d1cdbf
f94bd07b f86cc8d3 d20c9436 f42f9c02 1eede861 0392be6b bd8cb9fc 61083e44
6125bb28 6f83211b c30768c0 c493eefb 9c29b12a 7115928c 9e736d98 4c769402
b77cea98 56ddc824 cc94206a 5fdd126e 8985bd0b 3e0f05a4 23c39fae d3b2910d
e12e2262 434b2187 022265c2 a1ec7b5f 911b97c4 f5161db6 13b320d2 d31017f4
ec4ef27b d1ebac72 ded5dca9 b1997ca9 612c
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 administration
ssh 192.168.10.0 255.255.255.0 guestWifi
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local

dhcpd address 192.168.1.2-192.168.1.253 administration
dhcpd dns 8.8.8.8 208.67.222.222 interface administration
dhcpd enable administration
!
dhcpd address 192.168.10.2-192.168.10.253 guestWifi
dhcpd dns 8.8.8.8 208.67.222.222 interface guestWifi
dhcpd enable guestWifi
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 Management
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 Management vpnlb-ip
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
anyconnect profiles XXXXXVPN_client_profile disk0:/XXXXXVPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_XXXXXVPN internal
group-policy GroupPolicy_XXXXXVPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
default-domain none
webvpn
anyconnect profiles value XXXXXVPN_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username admin password XXXXXXXXXX/vz encrypted privilege 15
username root password XXXXXXXXXXX encrypted
tunnel-group XXXXXXVPN type remote-access
tunnel-group XXXXXXVPN general-attributes
address-pool XXXXXXVPN
default-group-policy GroupPolicy_XXXXXVPN
tunnel-group XXXXXVPN webvpn-attributes
group-alias XXXXXVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:1330b024c560599155b631d1d0eaa159
: end

I know that access list for allow ip and then other lists for www, domain, https doesn't make sense because the first one is applied and others are not relevant, but this is what I will change. It was only for a test. Now I need to find a solution for Anyconnect to be able to ping the internal administration and guestWiFi network when VPN is connected. I don't know if it is routing problem, or access lists or perhaps NAT that someone has mentioned on other topics...

Never mind, I figured it... :) I have created a new object and added both networks 10.0 and 1.0 to the object, and created from scratch anyconnect profile via wizard, and set the option to "nat exempt" for that object... I have tested and it worked. Thank you Luke for your help.

[@dovla091@gmail.com],

Glad you got everything sorted brother :-) Pleased to be of assistance.

Regards,
Luke


Please rate helpful posts and mark correct answers. 

Thank you mate, and have a great day :-)

Hi Luke,

You were right, I was missing access lists, but one more thing. ICMP is not inspected by default from ASA, so I had to modify something so I can test first and then implement. I was looking some tutorials regarding ASA over the weekend and have learned quite much. I tried today and it worked flawlessly. Now I only have issue with Anyconnect VPN. I have set the VPN anyconnect via wizard (because it is faster), and I can connect to the ASA, and get IP address of 10.16.0.2, but I cannot ping any of the internal network for example 192.168.1.1 which is interface of the ASA, or example 192.168.1.2 the machine that is connected... Am I missing some routes or is this also access-list issue?

Hey [@dovla091@gmail.com],

Have you had a chance to test this as of yet? I look forward to hearing back.

Kind regards,
Luke


Please rate helpful posts and mark correct answers.