11-14-2011 07:10 AM - edited 02-21-2020 05:42 PM
I have an ASA5505 on which I am running the latest IOS, and I have set up AnyConnect and downloaded the 90-day demo license for Mobility.
I am able to connect on the Windows platform fine and have full access and DNS, but if I connect using the iPad I cannot connect to any resources in my network or even ping. The AnyConnect for Mobility client seems to connect OK and shows a proper IP address from the VPN pool.
Any ideas as to what may cause this? Here is the config. (Note there is a legacy VPN (GorrillVpn) that will be removed once AnyConnect is working properly.)
Thanks,
Bill
names
dns-guard
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 24.97.239.154 255.255.255.248
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.0.0.12
domain-name corp.gorrillpalmer.com
object network obj-10.0.0.0
subnet 10.0.0.0 255.255.255.0
object network obj-172.16.1.0
subnet 172.16.1.0 255.255.255.0
object network obj-10.0.0.12
host 10.0.0.12
object network obj-10.0.0.10
host 10.0.0.10
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
access-list allow extended permit tcp any host 10.0.0.12 eq smtp
access-list allow extended permit tcp any host 10.0.0.12 eq pop3
access-list allow extended permit tcp any host 10.0.0.12 eq 3389
access-list allow extended permit tcp any host 10.0.0.12 eq www
access-list allow extended permit tcp any host 10.0.0.12 eq https
access-list allow extended permit tcp any host 24.97.239.156 eq 3389
access-list allow extended permit tcp any host 10.0.0.10 eq 3389
access-list 108 extended permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool test 172.16.1.1-172.16.1.255 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-172.16.1.0 obj-172.16.1.0 no-proxy-arp
!
object network obj-10.0.0.12
nat (inside,outside) static 24.97.239.155
object network obj-10.0.0.10
nat (inside,outside) static 24.97.239.157
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any-01
nat (inside,outside) dynamic obj-0.0.0.0
access-group allow in interface outside
route outside 0.0.0.0 0.0.0.0 24.97.239.153 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server GorrillPalmer protocol nt
aaa-server GorrillPalmer (outside) host 10.0.0.12
timeout 5
nt-auth-domain-controller gpserver2
user-identity default-domain LOCAL
http server enable
http server idle-timeout 60
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set ikev1 transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 11
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.10 255.255.255.255 inside
telnet 10.0.0.12 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy 2 internal
group-policy 2 attributes
vpn-idle-timeout 30
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 10.0.0.12
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 108
default-domain value corp.gorrillpalmer.com
group-policy gorrillvpn internal
group-policy gorrillvpn attributes
wins-server value 10.0.0.10
dns-server value 10.0.0.10
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 108
default-domain value corp.gorrillpalmer.com
username GorrillVPN password 7519RsdR4ewBN7nI encrypted privilege 0
username GorrillVPN attributes
vpn-group-policy DfltGrpPolicy
tunnel-group DefaultRAGroup general-attributes
address-pool (outside) test
tunnel-group gorrillvpn type remote-access
tunnel-group gorrillvpn general-attributes
address-pool test
default-group-policy gorrillvpn
tunnel-group gorrillvpn ipsec-attributes
ikev1 pre-shared-key *****
ikev1 user-authentication none
tunnel-group 2 type remote-access
tunnel-group 2 general-attributes
default-group-policy 2
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool (inside) test
address-pool test
authentication-server-group (outside) GorrillPalmer
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect ils
inspect ip-options
class class-default
user-statistics accounting
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
01-11-2012 07:29 AM
I too am having the same issue. Here is what I found to make it work, but I don't like the workaround. I found that my company network is a 192.168.1.xxx IP scheme and my user's iPad and home network is also 192.168.1.xxx, so anything he tries to connect to at work just won't flow over the VPN tunnel. Once I changed his home network router to 10.0.0.1, everything worked just fine. But the fact is most places he will travel to will likely have 192.168.1.xxx access points, as that is such a common IP scheme. So I'm trying to figure out a way around that. Anybody have any ideas? Other than changing my company's internal IP scheme.
02-03-2012 01:17 PM
There is no way around this. A business network should never be 192.168.0.x or 192.168.1.x for this very reason.
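The overlap the previous reply describes can be checked before a user travels. The script below is an added example, not code from the thread or from Cisco: it reads the split-tunnel ACL that a group policy references (the ACL and group-policy names are taken from the posted config; the config snippet is constructed from those lines) and reports which tunneled corporate networks collide with an assumed client LAN, since traffic to such a network is delivered on the local LAN instead of through the tunnel.

```python
import ipaddress
import re

# Constructed sample, taken from the posted config: the split-tunnel ACL and the
# group policy that references it (on the ASA, the ACL source network is the
# corporate network that is sent through the tunnel).
SAMPLE_CONFIG = """\
access-list 108 extended permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
group-policy GroupPolicy_AnyConnect attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 108
"""

# Matches "access-list <name> extended permit ip <src-net> <src-mask> ..."
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
)

def split_tunnel_acl(config, group_policy):
    """Return the ACL name the given group policy's split-tunnel-network-list uses."""
    in_policy = False
    for line in config.splitlines():
        if line.startswith("group-policy "):
            in_policy = line.startswith(f"group-policy {group_policy} attributes")
        elif in_policy and line.strip().startswith("split-tunnel-network-list value "):
            return line.split()[-1]
    return None

def tunneled_networks(config, group_policy):
    """Networks the group policy routes into the tunnel (the ACL source networks)."""
    acl = split_tunnel_acl(config, group_policy)
    nets = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == acl:
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets

def overlapping(config, group_policy, client_lan):
    """Tunneled networks that collide with the client's local LAN (assumed value).
    Traffic to these is resolved on the local LAN instead of the tunnel, which is
    the failure mode described in the thread."""
    lan = ipaddress.ip_network(client_lan, strict=False)
    return [n for n in tunneled_networks(config, group_policy) if n.overlaps(lan)]
```

Calling `overlapping(SAMPLE_CONFIG, "GroupPolicy_AnyConnect", "10.0.0.0/24")` flags the corporate 10.0.0.0/24 network, while a 192.168.1.0/24 client LAN returns an empty list for this config.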