AnyConnect to Internal and Site to Site VPN

Isynth
Level 1

Dear Community,

I am struggling to get a connection from the AnyConnect clients to the internal network as well as to the Site to Site VPN.

 

Anyconnect Network 10.10.200.0 --> ASA with internal network 10.10.100.0 connected --> remote l2l site 192.168.1.1

 

If I try to ping from the AnyConnect client I can see on the ASA debug that the ping reaches the ASA. If I simulate the ping via packet tracer I get the following output for pings to Internal and Remote Site, but only if AnyConnect clients are connected and the 10.10.200.0 network is recognized as directly connected. If no AnyConnect client is connected the packet tracer succeeds in establishing the connection:

 

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

 

I tried with permit any any ACLs but that doesn't change a thing.

 

Thanks for your input.

 

Accepted Solution

The access lists on local and remote VPN devices must be mirror images of each other. The ACL you removed was part of your site-to-site crypto map. You must have had an extra ACL entry that the remote end did not have, thus the VPN would not have worked.
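A way to check the mirror rule from the accepted solution mechanically, as an added example that is not code from the thread or from Cisco: it parses the object-based crypto ACL lines from the config posted later in the thread and compares them with a constructed peer ACL (the thread never shows the remote end, so the peer's object names and its ACL name `to_hq` are assumptions). Against that peer it reports the entry the poster removed, and the like-shaped Net_DC to Net_Trusted entry, as having no mirror.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
# "show run" line shapes the check needs: object definitions, subnets, object-based ACEs.
OBJECT_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip object (\S+) object (\S+)$")

@dataclass(frozen=True)
class Ace:
    src: str  # source network as 'subnet/mask'
    dst: str  # destination network as 'subnet/mask'

def parse_objects(config: str) -> dict[str, str]:
    """Map 'object network' names to 'subnet/mask'; description lines are skipped."""
    objects: dict[str, str] = {}
    current = None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SUBNET_RE.match(line)
        if m and current:
            objects[current] = f"{m.group(1)}/{m.group(2)}"
    return objects

def parse_crypto_acl(config: str, acl_name: str) -> list[Ace]:
    """Return the 'permit ip object A object B' entries of one ACL, in order."""
    objects = parse_objects(config)
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(1) == acl_name:
            aces.append(Ace(objects[m.group(2)], objects[m.group(3)]))
    return aces

def find_unmirrored(local: list[Ace], remote: list[Ace]) -> list[Ace]:
    """Entries on one end that the other end does not carry with src/dst swapped."""
    mirrored = {Ace(a.dst, a.src) for a in remote}
    return [a for a in local if a not in mirrored]

def find_reversed(aces: list[Ace], remote_nets: set[str]) -> list[Ace]:
    """Entries whose source is a remote network: no correctly configured peer mirrors them."""
    return [a for a in aces if a.src in remote_nets]

# Excerpt of the local ASA config posted in the thread (crypto ACL l2l_list).
LOCAL_CONFIG = """\
object network Net_DC
 subnet 192.168.1.0 255.255.255.0
object network Net_Trusted
 subnet 10.10.110.0 255.255.255.0
object network Net_TrustedVPN
 subnet 10.10.200.0 255.255.255.0
 description VPN Client Employees Intern
access-list l2l_list extended permit ip object Net_Trusted object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_Trusted
access-list l2l_list extended permit ip object Net_TrustedVPN object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_TrustedVPN
"""

# Constructed peer config: the thread never shows the remote end, so this is a
# hypothetical, correctly mirrored remote crypto ACL (object names are made up).
REMOTE_CONFIG = """\
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network HQ_Trusted
 subnet 10.10.110.0 255.255.255.0
object network HQ_VPN
 subnet 10.10.200.0 255.255.255.0
access-list to_hq extended permit ip object LAN object HQ_Trusted
access-list to_hq extended permit ip object LAN object HQ_VPN
"""

def audit() -> dict[str, list[Ace]]:
    """Compare both crypto ACLs; every entry reported here breaks the mirror rule."""
    local = parse_crypto_acl(LOCAL_CONFIG, "l2l_list")
    remote = parse_crypto_acl(REMOTE_CONFIG, "to_hq")
    remote_nets = {parse_objects(REMOTE_CONFIG)["LAN"]}
    return {
        "local_unmirrored": find_unmirrored(local, remote),
        "remote_unmirrored": find_unmirrored(remote, local),
        "local_reversed": find_reversed(local, remote_nets),
    }
```

Every entry in `local_unmirrored` here also shows up in `local_reversed`, which is the quick tell for this class of mistake: the local crypto ACL names a remote network as the source.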


15 Replies

balaji.bandi
Hall of Fame

Can you show us your configuration and more logs on the client side?

 

BB

The logs on the client only tell the VPN client version and the remote IP, no errors.

 

I can ping the outside interface of the ASA so the connection via AnyConnect works I guess.

 

Please check below for the webvpn config on the ASA.

gbekmezi-DD
Level 5

Do the S2S VPN and the remote access VPN terminate on the same ASA? Is it a full tunnel for the RA VPN? Running configuration would be good.

 

Yes the RA and StS VPN terminate on the same ASA. Please let me know if you need further config.

I globally set permit any any in and out ACLs.

 


group-policy GroupPolicy_users attributes
 wins-server none
 dns-server value 208.67.222.222
 vpn-filter value users_Intern
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TestVPNAcl
 default-domain none
 address-pools value trustedVPN
 webvpn
  anyconnect profiles value UsersIntern_client_profile type user
tunnel-group UsersIntern type remote-access
tunnel-group UsersIntern general-attributes
 address-pool testvpn
 default-group-policy GroupPolicy_users
tunnel-group UsersIntern webvpn-attributes
 group-alias UsersIntern enable
username user attributes
 vpn-group-policy GroupPolicy_users
anyconnect enable
tunnel-group-list enable
access-list TestVPNAcl standard permit 10.10.100.0 255.255.255.0
access-list TestVPNAcl standard permit 192.168.1.0 255.255.255.0
access-list users_Intern extended permit ip any any
access-list user_Intern extended permit tcp any any
access-list users_Intern extended permit udp any any
access-list users_Intern extended permit icmp any any

UsersIntern_client_profile.xml

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
 <ServerList>
  <HostEntry>
   <HostName>prime (IPsec) IPv4</HostName>
   <HostAddress>12.12.12.12</HostAddress>
   <PrimaryProtocol>IPsec</PrimaryProtocol>
  </HostEntry>
 </ServerList>
</AnyConnectProfile>

Isynth
Level 1

So the connection via AnyConnect to the local network behind the ASA works. But Packet Tracer still shows that the packet is dropped for the very same ICMP echo request. Can anybody explain why?

 

Roy Harrington
Cisco Employee

-First off, I'd like to let you know that what you are doing is called hair-pinning, also known as u-turning. I see you're using an ASA, so the guide below may help you a bit.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html

 

-Second, don't base your sole troubleshooting on Packet Tracer, as its output is often misleading, for example "dropped by acl" when in reality the problem could be with NAT.

 

In your case, once you connect with AnyConnect and use that same IP for a packet tracer, it will drop it. Using an unused IP in the AnyConnect pool range will be more beneficial.

 

Since there are two parts to your adventure, I would suggest breaking it into two parts:

1-Being able to connect to AnyConnect and ping an IP on the inside of the network successfully (not the ASA inside interface IP).

2-Get your tunnel up and be able to pass traffic across the tunnel.

 

Once these two parts are done you can start your outside,outside NAT and "same-security-traffic permit intra-interface".

When you ping from the AnyConnect client to your internal network, do you get a response? (Again, don't ping your inside interface IP; this is not a valid test.)

 

If you are not receiving a response back you can use an asp capture; it's a good idea to also add a buffer so your ASA does not crash.

Run a continuous ping on the AnyConnect client,

then on the ASA:

"cap cap type asp-drop buffer 500000"

then do a "show cap cap | i (anyconnect client ip)" to see what's happening to the traffic.

Remove the capture afterwards with "no cap cap".

 

You can also do captures on the inside and outside interface to see how far the packet is making it.

Some info on captures:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

Thank you very much for your detailed answer and troubleshooting guide.

I will dig into this again in a couple of days and try it out.

Hello again,

The connection via Cisco Anyconnect to the internal Network now works fine.

Although I am still not able to ping to the remote Site-to-Site VPN.

If I ping from a Cisco AnyConnect client, the ASA in the middle between the remote site and the Cisco AnyConnect client doesn't show any debug for the ICMP packets.

I didn't configure split DNS, and on the Windows client I get this entry in the routing table:

0.0.0.0          0.0.0.0      10.10.200.1      10.10.200.2      2

So everything should go to the ASA.

For every other network I ping, even non-existing private IPs, I get an ICMP debug on the ASA, except for the 192.168.1.0/24 network, which is the remote site private network connected through the VPN tunnel on the ASA that terminates the AnyConnect client connection.

 

Any ideas why the ICMP for only this specific network isn't shown on the ASA ICMP debug?

Thanks

Seems that the packets get dropped by the ACLs.

Not sure why, because I have a global ACL in place globally permitting everything for my VPN client network 10.10.200.0/24.

Can you please provide the output from packet tracer?

Hello Roy,

glad that you are interested in my little problem.

 

The connection from the AnyConnect clients to the 10.10.110 network works fine.

Also the tunnel from the 10.10.110.0 network to the 192.168.1.1 network works fine.

 

The packets from the AnyConnect network get dropped by the firewall before they even reach the ICMP debug output on the ASA if I try to ping the remote l2l site:

 802.1Q vlan#100 P0 10.10.200.2 > 192.168.1.90: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule

Packet tracer output for the same traffic:

packet-tracer input outside icmp 10.10.200.4 8 0 192.168.1.9$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.90/0 to 192.168.1.90/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internetOut in interface outside
access-list internetOut extended permit icmp any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fbe11341bd0, priority=13, domain=permit, deny=false
        hits=16, user_data=0x7fbe09f39180, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp
Additional Information:
Static translate 10.10.200.4/0 to 10.10.200.4/0
 Forward Flow based lookup yields rule:
 in  id=0x7fbe109ff450, priority=6, domain=nat, deny=false
        hits=7022, user_data=0x7fbe10799630, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.10.200.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fbe0f8dbd40, priority=0, domain=nat-per-session, deny=true
        hits=248529, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fbe10576490, priority=0, domain=inspect-ip-options, deny=true
        hits=276998, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fbe13da5cf0, priority=70, domain=ipsec-tunnel-flow, deny=false
        hits=270, user_data=0x0, cs_id=0x7fbe11308520, reverse, flags=0x0, protocol=0
        src ip/id=10.10.200.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I have a global rule in place to permit all traffic from the AnyConnect VPN named Net_TrustedVPN.

Even if I put a global permit any any of all traffic, the ICMP packets still get dropped by the firewall.

Further, I added the rules for the Site-to-Site tunnel on the ASA:

access-list l2l_list extended permit ip object Net_TrustedVPN object Net_DC

nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp

I cleared the ca but the ACL entry doesn't show up?

 show crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 10.10.100.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.200.2/255.255.255.255/0/0)
      current_peer: XXXXXXXX, username: aaaaa
      dynamic allocated peer ip: 10.10.200.2
      dynamic allocated peer ip(ipv6): 0.0.0.0

      local crypto endpt.: 10.10.100.1/4500, remote crypto endpt.: XXXXXXX/63481

    Crypto map tag: map_crypto_l2l, seq num: 1, local addr: 10.10.100.1

      access-list l2l_list extended permit ip 10.10.110.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.110.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: XXXXXXXX

I kindly appreciate any comments on this topic.

 

Are you able to attach the full show run and x out the first 3 octets of any public IPs?

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname asa
enable password 
names
ip local pool trustedVPN 10.10.200.1-10.10.200.250 mask 255.255.255.0

!
interface GigabitEthernet1/1
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet1/1.100
 vlan 100
 nameif outside
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside_1
 security-level 100
 no ip address
!
interface GigabitEthernet1/2.100
 vlan 10
 nameif TrustedIf
 security-level 100
 ip address 10.10.110.254 255.255.255.0
!
interface GigabitEthernet1/2.200
 vlan 20
 nameif InternIf
 security-level 80
 ip address 10.10.120.254 255.255.255.0
!
interface GigabitEthernet1/2.300
 vlan 30
 nameif ServerIf
 security-level 80
 ip address 10.10.130.254 255.255.255.0
!
interface GigabitEthernet1/2.400
 vlan 40
 nameif RestrictedIf
 security-level 50
 ip address 10.10.140.254 255.255.255.0
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif dings
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.10.99.1 255.255.255.0
!
interface BVI1
 no nameif
 security-level 100
 no ip address
!
interface BVI10
 no nameif
 no security-level
 no ip address
!
interface BVI99
 no nameif
 no security-level
 no ip address
!
interface vni99
 no nameif
 no security-level
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network Net_DC
 subnet 192.168.1.0 255.255.255.0
object network Net_Trusted
 subnet 10.10.110.0 255.255.255.0
object network Net_Management
 subnet 10.10.99.0 255.255.255.0
object network NETWORK_OBJ_10.10.11.0_24
 subnet 10.10.11.0 255.255.255.0
object network NETWORK_OBJ_10.10.110.192_26
 subnet 10.10.110.192 255.255.255.192
object network Net_TrustedVPN
 subnet 10.10.200.0 255.255.255.0
 description VPN Client Employees Intern
object network Net_Aprol
 subnet 10.10.130.0 255.255.255.0
object network Net_Outside
 subnet 10.10.100.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
access-list l2l_list extended permit ip object Net_Trusted object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_Trusted
access-list l2l_list extended permit ip object Net_Management object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_Management
access-list l2l_list extended permit ip object Net_TrustedVPN object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_TrustedVPN
access-list internetOut extended permit ip object Net_Trusted any
access-list internetOut extended permit icmp any any
access-list internetOut extended permit ip any 10.10.120.0 255.255.255.0 inactive
access-list internetOut extended permit ip object Net_Trusted 10.10.120.0 255.255.255.0
access-list internetOut extended permit ip object Net_Trusted object Net_Aprol
access-list internetOut extended permit ip object Net_TrustedVPN any
access-list internetOut extended permit ip object Net_TrustedVPN object Net_DC
access-list internetOut extended permit ip object Net_DC object Net_TrustedVPN
access-list internetOut extended permit ip object Net_TrustedVPN object Net_TrustedVPN
access-list internetOut extended permit ip any any inactive
access-list inetACL extended permit ip object Net_Trusted any
access-list InternIf_access_in_1 extended permit icmp any any
access-list InternIf_access_in_1 extended permit tcp any any eq telnet inactive
access-list InternIf_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
access-list TrustedIf_access_in extended permit icmp any any
access-list InternIf_access_out extended permit ip any object Net_Trusted inactive
access-list InternIf_access_out extended permit ip object Net_Trusted 10.10.120.0 255.255.255.0
access-list InternIf_access_out extended permit ip object Net_TrustedVPN 10.10.120.0 255.255.255.0
access-list TestVPNAcl standard permit 10.10.110.0 255.255.255.0
access-list TestVPNAcl standard permit 192.168.1.0 255.255.255.0
access-list TestVPNAcl standard permit 10.10.120.0 255.255.255.0
access-list TestVPNAcl standard permit 10.10.100.0 255.255.255.0
access-list TestVPNAcl standard permit 10.10.130.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list User_Intern extended permit ip any any
access-list User_Intern extended permit tcp any any
access-list User_Intern extended permit udp any any
access-list User_Intern extended permit icmp any any
access-list nothing standard permit host 0.0.0.0
access-list ServerIf_access_in extended permit ip object Net_Trusted object Net_Aprol
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu TrustedIf 1500
mtu InternIf 1500
mtu ServerIf 1500
mtu RestrictedIf 1500
mtu inside_2 1500
mtu dings 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (TrustedIf,outside) source static Net_Trusted Net_Trusted destination static Net_DC Net_DC no-proxy-arp
nat (outside,TrustedIf) source static Net_DC Net_DC destination static Net_Trusted Net_Trusted no-proxy-arp
nat (InternIf,outside) source static any any destination static NETWORK_OBJ_10.10.11.0_24 NETWORK_OBJ_10.10.11.0_24 no-proxy-arp route-lookup
nat (TrustedIf,outside) source static Net_Trusted Net_Trusted destination static NETWORK_OBJ_10.10.110.192_26 NETWORK_OBJ_10.10.110.192_26 no-proxy-arp route-lookup
nat (outside,TrustedIf) source static Net_TrustedVPN Net_TrustedVPN destination static Net_Trusted Net_Trusted no-proxy-arp
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp route-lookup
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_TrustedVPN Net_TrustedVPN
nat (outside,outside) source static Net_DC Net_DC destination static Net_TrustedVPN Net_TrustedVPN no-proxy-arp route-lookup
!
object network Net_TrustedVPN
 nat (outside,outside) dynamic interface
access-group internetOut in interface outside
access-group TrustedIf_access_in in interface TrustedIf
access-group internetOut out interface TrustedIf
access-group InternIf_access_in_1 in interface InternIf
access-group InternIf_access_out out interface InternIf
access-group ServerIf_access_in in interface ServerIf
access-group internetOut global
route outside 0.0.0.0 0.0.0.0 10.10.100.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 dings
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
http 10.10.10.0 255.255.255.0 dings
http 10.10.10.0 255.255.255.0 inside_2
http 10.10.99.0 255.255.255.0 management
http XXX.XXX.XXX224 255.255.255.248 outside
http 10.10.110.0 255.255.255.0 TrustedIf
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set SetDC esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map map_crypto_l2l 1 match address l2l_list
crypto map map_crypto_l2l 1 set pfs
crypto map map_crypto_l2l 1 set peer XXX.XXX.XXX.230
crypto map map_crypto_l2l 1 set ikev1 transform-set SetDC
crypto map map_crypto_l2l 1 set ikev2 ipsec-proposal secure
crypto map map_crypto_l2l 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map map_crypto_l2l interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=asa
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 
    
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 3600
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh XXX.XXX.XXX224 255.255.255.248 outside
ssh XXX.XXX.XXX.230 255.255.255.255 outside
ssh timeout 20
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcpd dns 208.67.222.222 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 10.10.110.11-10.10.110.200 TrustedIf
dhcpd option 3 ip 10.10.110.254 interface TrustedIf
dhcpd enable TrustedIf
!
dhcpd address 10.10.120.11-10.10.120.240 InternIf
dhcpd option 3 ip 10.10.120.254 interface InternIf
dhcpd enable InternIf
!
dhcpd address 10.10.130.100-10.10.130.200 ServerIf
dhcpd option 3 ip 10.10.130.254 interface ServerIf
dhcpd enable ServerIf
!
dhcpd address 10.10.140.11-10.10.140.240 RestrictedIf
dhcpd option 3 ip 10.10.140.254 interface RestrictedIf
dhcpd enable RestrictedIf
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside_1
ssl trust-point ASDM_TrustPoint0 TrustedIf
ssl trust-point ASDM_TrustPoint0 InternIf
ssl trust-point ASDM_TrustPoint0 ServerIf
ssl trust-point ASDM_TrustPoint0 RestrictedIf
ssl trust-point ASDM_TrustPoint0 inside_2
ssl trust-point ASDM_TrustPoint0 dings
ssl trust-point ASDM_TrustPoint0 inside_4
ssl trust-point ASDM_TrustPoint0 inside_5
ssl trust-point ASDM_TrustPoint0 inside_6
ssl trust-point ASDM_TrustPoint0 inside_7
webvpn
 port 555
 enable outside
 dtls port 556
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3
 anyconnect profiles UserIntern_client_profile disk0:/UserIntern_client_profile.xml
 anyconnect profiles remoteUsersTest disk0:/remoteUsersTest_client_profile.xml
 anyconnect profiles remoteUsersTest_client_profile disk0:/remoteUsersTest_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_UserIntern internal
group-policy GroupPolicy_UserIntern attributes
 wins-server none
 dns-server value 208.67.222.222
 vpn-filter none
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 address-pools value trustedVPN
 client-firewall none
 client-access-rule none
 webvpn
  anyconnect profiles value UserIntern_client_profile type user
group-policy GroupPolicy_remoteUsersTest internal
group-policy GroupPolicy_remoteUsersTest attributes
 wins-server none
 dns-server value 208.67.222.222 208.67.222.220
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value TestVPNAcl
 default-domain none
 split-dns value 8.8.8.8
 address-pools value trustedVPN
 webvpn
  anyconnect profiles value remoteUsersTest_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username User1 password 
username User1 attributes
 vpn-group-policy GroupPolicy_UserIntern
 service-type remote-access
username vpntest password
username vpntest attributes
 service-type remote-access
username vpnuser password privilege 0
username cisco password  privilege 15
username corpadmin password  privilege 15
username User password 
username User attributes
 vpn-group-policy GroupPolicy_UserIntern
 service-type remote-access
tunnel-group XXX.XXX.XXX.230 type ipsec-l2l
tunnel-group XXX.XXX.XXX.230 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group remoteUsersTest type remote-access
tunnel-group remoteUsersTest general-attributes
 default-group-policy GroupPolicy_remoteUsersTest
tunnel-group remoteUsersTest webvpn-attributes
 group-alias remoteUsersTest enable
tunnel-group UserIntern type remote-access
tunnel-group UserIntern general-attributes
 address-pool trustedVPN
 default-group-policy GroupPolicy_UserIntern
tunnel-group UserIntern webvpn-attributes
 group-alias UserIntern enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Removing this ACL entry from the config solved the problem:

 

access-list l2l_list extended permit ip object Net_DC object Net_TrustedVPN

I would very much appreciate it if somebody could explain why.