07-13-2013 09:01 AM - edited 02-21-2020 07:01 PM
I'm trying to configure AnyConnect VPN, but I can't figure out two things:
1. In the AnyConnect profile all traffic is tunneled; unfortunately the clients aren't able to connect to the ASA or to the internet.
2. Clients connected to the SplitTunnel profile aren't able to contact the ASA.
Below is my config:
: Saved
:
ASA Version 8.4(4)3
!
hostname ASA01
enable password ****** encrypted
passwd ***** encrypted
names
name 192.168.2.253 Guest_WAP
name 10.5.5.150 SynologyDS
name 10.6.6.0 VPN_Network
!
interface Ethernet0/0
switchport access vlan 6
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 2
!
interface Vlan1
nameif LAN
security-level 100
ip address 10.5.5.254 255.255.255.0
!
interface Vlan2
nameif Guest
security-level 20
ip address 192.168.1.254 255.255.255.0
!
interface Vlan6
nameif outside
security-level 0
ip address pppoe setroute
!
boot system disk0:/asa844-3-k8.bin
ftp mode passive
clock timezone GMT 0
dns domain-lookup LAN
dns server-group DefaultDNS
name-server SynologyDS
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN_Network
subnet 10.6.6.0 255.255.255.0
object network LAN_Network
subnet 10.5.5.0 255.255.255.0
object network Guest_Network
subnet 192.168.1.0 255.255.255.0
object network Guest_WAP
host 192.168.2.253
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list LAN_access_in extended permit ip any any
access-list LAN_access_in extended permit ip object VPN_Network any
access-list Outside_access_in extended permit ip object VPN_Network any
access-list LAN_nat0_outbound extended permit ip any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list AnyConnect_SplitTunnel standard permit 10.5.5.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 20096
logging asdm-buffer-size 500
logging asdm informational
mtu LAN 1500
mtu Guest 1500
mtu outside 1500
ip local pool AnyConnect_DHCP_Pool 10.6.6.1-10.6.6.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,LAN) source static VPN_Network VPN_Network
nat (outside,outside) source dynamic VPN_Network interface
nat (LAN,outside) source dynamic LAN_Network interface
access-group LAN_access_in in interface LAN
access-group Guest_access_in in interface Guest
access-group Outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl LAN_nat0_outbound
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.5.5.0 255.255.255.0 LAN
http VPN_Network 255.255.255.0 LAN
http VPN_Network 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.5.5.0 255.255.255.0 LAN
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group KPNrequest dialout pppoe
vpdn group KPN localname ******
vpdn group KPN ppp authentication pap
vpdn username ***** password ***** store-local
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.40 Guest
dhcpd dns SynologyDS 8.8.8.8 interface Guest
dhcpd enable Guest
!
webvpn
enable outside
anyconnect image disk0:/anyconnect-macosx-i386-3.1.01065-k9.pkg 3
anyconnect image disk0:/anyconnect-win-2.5.6005-k9.pkg 4
anyconnect profiles AnyConnect disk0:/anyconnect.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy SplitTunnel internal
group-policy SplitTunnel attributes
wins-server none
dns-server value 10.5.5.150 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AnyConnect_SplitTunnel
split-tunnel-all-dns disable
group-policy AnyConnect internal
group-policy AnyConnect attributes
wins-server none
dns-server value 10.5.5.150
vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
url-list value AnyConnect
anyconnect profiles value AnyConnect type user
always-on-vpn profile-setting
username **** password ***** encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool AnyConnect_DHCP_Pool
secondary-authentication-server-group DUO-LDAP use-primary-username
default-group-policy AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
group-url *******
tunnel-group SplitTunnel type remote-access
tunnel-group SplitTunnel general-attributes
address-pool AnyConnect_DHCP_Pool
default-group-policy SplitTunnel
tunnel-group SplitTunnel webvpn-attributes
group-alias SplitTunnel enable
group-url ***** enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4ca9289170b2f56081e2f027a538d220
: end
07-14-2013 10:43 PM
Hi
You said that you can't get the any connect client to connect?
Can you check the activation keys to make sure 3des license is installed.
Also is this connected behind a firewall or is this connected at the edge?
Sent from Cisco Technical Support Android App
07-15-2013 02:39 AM
Hi Tarik,
The ASA is directly connected to internet using pppoe. AnyConnect clients are able to connect, but when they're connected they can't access the ASA internal ip address (by ping/asdm). Also they can't access the internet through the ASA.
07-15-2013 05:59 AM
As for the management access (say ASDM) to the LAN interface through the tunnel, you should issue management-access LAN.
About clients not being able to access the Internet: do the clients acquire IP addresses? Are they able to access the LAN? To me, the tunnel-group and NAT config seem to be fine.
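A way to check the points raised in this thread against a config dump, written as an added example rather than anything posted by a participant: it takes a constructed excerpt of the running-config shown above and reports whether the hairpin prerequisites for full-tunnel Internet access are present (intra-interface permit plus the (outside,outside) PAT of the pool), whether management-access is configured for the inside interface, and whether a split-tunnel ACL actually includes the inside interface address. The excerpt, the function names and the defaults (interface names LAN/outside) are assumptions for the example.

```python
import ipaddress
import re

# Constructed excerpt of an ASA 8.4 running-config, modelled on the one posted
# in the thread and trimmed to the lines the checks below look at.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif LAN
 ip address 10.5.5.254 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN_Network
 subnet 10.6.6.0 255.255.255.0
access-list AnyConnect_SplitTunnel standard permit 10.5.5.0 255.255.255.0
nat (outside,LAN) source static VPN_Network VPN_Network
nat (outside,outside) source dynamic VPN_Network interface
http VPN_Network 255.255.255.0 LAN
group-policy SplitTunnel attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AnyConnect_SplitTunnel
group-policy AnyConnect attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
"""


def _lines(config):
    """Strip indentation and blank lines so statements can be matched verbatim."""
    return [line.strip() for line in config.splitlines() if line.strip()]


def check_full_tunnel_hairpin(config, pool_object, outside_if="outside"):
    """Prerequisites for full-tunnel clients to reach the Internet by going
    back out of the interface they arrived on (hairpin / U-turn): traffic
    in and out of the same interface must be permitted, and the VPN pool
    must be PATed to the outside interface address."""
    lines = _lines(config)
    pat = re.compile(
        rf"nat \({outside_if},{outside_if}\) source dynamic {re.escape(pool_object)} interface$"
    )
    return {
        "intra_interface": "same-security-traffic permit intra-interface" in lines,
        "hairpin_pat": any(pat.match(line) for line in lines),
    }


def check_management_access(config, inside_if="LAN"):
    """'management-access <inside_if>' is what lets VPN clients reach the
    inside interface address itself (ASDM, SSH, ping); an http/ssh statement
    permitting the pool on that interface is not sufficient on its own."""
    lines = _lines(config)
    return {
        "management_access": f"management-access {inside_if}" in lines,
        "http_from_pool": any(
            line.startswith("http ") and line.endswith(f" {inside_if}") for line in lines
        ),
    }


def split_tunnel_covers(config, group_policy, target_ip):
    """For a tunnelspecified group policy, report whether its split-tunnel
    standard ACL includes target_ip (for instance the inside interface
    address). Returns None when the policy carries no network list."""
    lines = _lines(config)
    acl_name = None
    in_block = False
    for line in lines:
        if line == f"group-policy {group_policy} attributes":
            in_block = True
            continue
        if in_block and line.startswith(("group-policy ", "tunnel-group ")):
            break  # left the attributes block of the policy we care about
        if in_block and line.startswith("split-tunnel-network-list value "):
            acl_name = line.split()[-1]
    if acl_name is None:
        return None
    target = ipaddress.ip_address(target_ip)
    entry = re.compile(rf"access-list {re.escape(acl_name)} standard permit (\S+) (\S+)$")
    for line in lines:
        m = entry.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if target in net:
                return True
    return False


if __name__ == "__main__":
    print("full tunnel:", check_full_tunnel_hairpin(SAMPLE_CONFIG, "VPN_Network"))
    print("management:", check_management_access(SAMPLE_CONFIG))
    print("split covers 10.5.5.254:", split_tunnel_covers(SAMPLE_CONFIG, "SplitTunnel", "10.5.5.254"))
```

Run against the excerpt, the hairpin checks both come back true and the split-tunnel list does cover the inside address, which leaves the missing management-access statement as the one item the checker flags; appending that line to the config input flips that result.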
07-15-2013 08:03 AM
Management access is available from the internal network (10.5.5.0/24), except for the AnyConnect clients (10.6.6.0/24).
I will try your suggestion to issue the 'management-access LAN' command when I'm home.
The AnyConnect client gets a 10.6.6.x IP address and is able to access the internal network.
07-18-2013 02:28 AM
Hi,
Let's try removing the entries below and check again:
access-list LAN_access_in extended permit ip object VPN_Network any
access-group LAN_access_in in interface LAN
nat (outside,outside) source dynamic VPN_Network interface
07-18-2013 02:32 AM
Add one ACL with source any (or your VPN pool range) and destination your LAN:
access-list LAN_access_in extended permit ip VPN_POOL LAN
access-group LAN_access_in in interface LAN