cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5428
Views
0
Helpful
22
Replies

Cannot access internal network though AnyConnect SSL VPN, ASA 9.1(6)

chris.curtiss
Level 1
Level 1

Hello Cisco Support Community,

 

I have a lab that consists of a two virtual environments connected to a 3750-G switch which is connected to a 2901 router which is connected to an ASA 5512-X which is connected to my ISP gateway. I have configured SSL VPN using AnyConnect and can establish a VPN connection to the ASA from outside but once connected I cannot access the internal network resources or access the internet. My network information and ASA configuration is listed below. Thank you very much for any assistance you can offer.

 

ISP Gateway Network: 10.1.10.0 /24

ASA to Router Network: 10.1.40.0 /30

VPN DHCP Pool: 10.1.30.0 /24

Range Network: 10.1.20.0 /24

Development Network: 10.1.10.0 /24

 

: Saved
:
: Serial Number: FCH18477CPT
: Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA Version 9.1(6)1
!
hostname ctcndasa01
enable password bcn1WtX5vuf3YzS3 encrypted
names
ip local pool cnd-vpn-dhcp-pool 10.1.30.1-10.1.30.200 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.40.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address X.X.X.237 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa916-1-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.1.30.0_24
 subnet 10.1.30.0 255.255.255.0
object network obj_any
object network obj_10.1.40.0
 subnet 10.1.40.0 255.255.255.0
object network obj_10.1.30.0
 subnet 10.1.30.0 255.255.255.0
access-list outside_access_in extended permit ip object NETWORK_OBJ_10.1.30.0_24 any
access-list NAT-EXEMPT extended permit ip 10.1.40.0 255.255.255.0 10.1.30.0 255.255.255.0
access-list 101 extended permit icmp any4 any4 echo-reply
access-list split standard permit 10.1.40.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-743.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj_10.1.40.0 obj_10.1.40.0 destination static obj_10.1.30.0 obj_10.1.30.0 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
!
router eigrp 1
 network 10.1.10.0 255.255.255.0
 network 10.1.20.0 255.255.255.0
 network 10.1.30.0 255.255.255.0
 network 10.1.40.0 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
http X.X.X.238 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=10.1.30.254,CN=ctcndasa01
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate c902a155
    308201cd 30820136 a0030201 020204c9 02a15530 0d06092a 864886f7 0d010105
    0500302b 31133011 06035504 03130a63 74636e64 61736130 31311430 12060355
    0403130b 31302e31 2e33302e 32353430 1e170d31 35303731 32303530 3133315a
    170d3235 30373039 30353031 33315a30 2b311330 11060355 0403130a 6374636e
    64617361 30313114 30120603 55040313 0b31302e 312e3330 2e323534 30819f30
    0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a47cfc 6b5f8b9e
    9b106ad6 857ec34c 01028f71 d35fb7b5 6a61ea33 569fefca 3791657f eeee91f2
    705ab2ea 09207c4f dfbbc18a 749b19ae d3ca8aa7 3370510b a5a96fd4 f9e06332
    2e586ccc fa164c05 819d4355 db1a4b88 475f96a1 318f7031 40668a4d afa44384
    3ea59b78 5976f685 2abbdcf6 f3b448e5 30aa96a8 1ed4e178 4d020301 0001300d
    06092a86 4886f70d 01010505 00038181 0093656f 639e138e 90b69e66 b50190fc
    42d9b4a8 11828da4 e0765d9c 52d84f8b 8e70747e e760de88 c43dc5eb 1808bd0f
    fd2230c1 53f68ea1 00f3e956 97eb313e 26cc49d7 25b927b5 43d8d3fa f212fcaf
    59eb8104 98e3a1d9 e05d3bcb 428cd7c6 61b530f5 fe193d15 ef8c7f08 37ad16f5
    d8966b50 917a88bb f4f30d82 6f8b58ba 61
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 360
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0  vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
 anyconnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_cnd-vpn internal
group-policy GroupPolicy_cnd-vpn attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain none
username xxxx password GCOh1bma8K1tKZHa encrypted
tunnel-group cnd-vpn type remote-access
tunnel-group cnd-vpn general-attributes
 address-pool cnd-vpn-dhcp-pool
 default-group-policy GroupPolicy_cnd-vpn
tunnel-group cnd-vpn webvpn-attributes
 group-alias cnd-vpn enable
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:261228832f3b57983bcc2b4ed5a8a9d0
: end
asdm image disk0:/asdm-743.bin
no asdm history enable

 

 

1 Accepted Solution

Accepted Solutions

Can you confirm this is correct, your diagram shows your public IP on ASA as /30 whereas you have assinged on "outside" interface as /29?

 

 

View solution in original post

22 Replies 22

Arsen Gharibyan
Level 1
Level 1

Hello 

your slipt tunnel should point you to your internal network but now i think its pointing to your ROuter-ASA network  

 

Hello Arsen,

 

What statement do you recommend I change? Are you saying that I should change this?

access-list split standard permit 10.1.40.0 255.255.255.0

 

Thanks for the reply

 

Chris

 

rizwanr74
Level 7
Level 7

Remove this line:
nat (inside,outside) source static obj_10.1.40.0 obj_10.1.40.0 destination static obj_10.1.30.0 obj_10.1.30.0 no-proxy-arp route-lookup

 

Create an ACL with permit network you want to allow to accessed by remote-in users.

access-list tunnel-split standard permit 10.1.10.0 255.255.255.0
access-list tunnel-split standard permit 10.1.20.0 255.255.255.0

 

Now associate above acl to your group-policy.


group-policy GroupPolicy_cnd-vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel-split

 

Creat an object-group indentify your dhcp pool range.


object-group network og-cndvpn-pool
 network-object 10.1.30.0 255.255.255.0

 

at last set the nat-examption for vpn-bound traffic.

nat (any,outside) source static any any destination static og-cndvpn-pool og-cndvpn-pool no-proxy-arp route-lookup

 

Thanks

Rizwan Rafeek

 

 

Rizwan,

 

Thank you for taking a look at my problem and assisting. I have made the changes that you suggested and now I cannot connect to the SSL VPN, nor can I ping my ASA outside interface from the outside. Below is the current config after I have made the changes you suggested. Thanks again.

 

ASA Version 9.1(6)1
!
hostname ctcndasa01
enable password bcn1WtX5vuf3YzS3 encrypted
names
ip local pool cnd-vpn-dhcp-pool 10.1.30.1-10.1.30.200 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.40.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 96.92.178.237 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa916-1-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.1.30.0_24
 subnet 10.1.30.0 255.255.255.0
object network obj_any
object network obj_10.1.40.0
 subnet 10.1.40.0 255.255.255.0
object network obj_10.1.30.0
 subnet 10.1.30.0 255.255.255.0
object-group network og-cndvpn-pool
 network-object 10.1.30.0 255.255.255.0
access-list outside_access_in extended permit ip object NETWORK_OBJ_10.1.30.0_24 any
access-list NAT-EXEMPT extended permit ip 10.1.40.0 255.255.255.0 10.1.30.0 255.255.255.0
access-list 101 extended permit icmp any4 any4 echo-reply
access-list split standard permit 10.1.40.0 255.255.255.0
access-list tunnel-split standard permit 10.1.10.0 255.255.255.0
access-list tunnel-split standard permit 10.1.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-743.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 no-proxy-arp route-lookup
nat (any,outside) source static any any destination static og-cndvpn-pool og-cndvpn-pool no-proxy-arp route-lookup
access-group outside_access_in in interface outside
!
router eigrp 1
 network 10.1.10.0 255.255.255.0
 network 10.1.20.0 255.255.255.0
 network 10.1.30.0 255.255.255.0
 network 10.1.40.0 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
http 96.92.178.238 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=10.1.30.254,CN=ctcndasa01
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate c902a155
    308201cd 30820136 a0030201 020204c9 02a15530 0d06092a 864886f7 0d010105
    0500302b 31133011 06035504 03130a63 74636e64 61736130 31311430 12060355
    0403130b 31302e31 2e33302e 32353430 1e170d31 35303731 32303530 3133315a
    170d3235 30373039 30353031 33315a30 2b311330 11060355 0403130a 6374636e
    64617361 30313114 30120603 55040313 0b31302e 312e3330 2e323534 30819f30
    0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a47cfc 6b5f8b9e
    9b106ad6 857ec34c 01028f71 d35fb7b5 6a61ea33 569fefca 3791657f eeee91f2
    705ab2ea 09207c4f dfbbc18a 749b19ae d3ca8aa7 3370510b a5a96fd4 f9e06332
    2e586ccc fa164c05 819d4355 db1a4b88 475f96a1 318f7031 40668a4d afa44384
    3ea59b78 5976f685 2abbdcf6 f3b448e5 30aa96a8 1ed4e178 4d020301 0001300d
    06092a86 4886f70d 01010505 00038181 0093656f 639e138e 90b69e66 b50190fc
    42d9b4a8 11828da4 e0765d9c 52d84f8b 8e70747e e760de88 c43dc5eb 1808bd0f
    fd2230c1 53f68ea1 00f3e956 97eb313e 26cc49d7 25b927b5 43d8d3fa f212fcaf
    59eb8104 98e3a1d9 e05d3bcb 428cd7c6 61b530f5 fe193d15 ef8c7f08 37ad16f5
    d8966b50 917a88bb f4f30d82 6f8b58ba 61
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 360
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0  vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
 anyconnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_cnd-vpn internal
group-policy GroupPolicy_cnd-vpn attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel-split
 default-domain none
username cameron.sprague password HhevNYnY8W/LjGhp encrypted
username admin password mNB7gJsEBP6vBO4m encrypted
username hongjoon.mangiafico password oX1iOymYdM.fMj/r encrypted
username chris.curtiss password GCOh1bma8K1tKZHa encrypted
tunnel-group cnd-vpn type remote-access
tunnel-group cnd-vpn general-attributes
 address-pool cnd-vpn-dhcp-pool
 default-group-policy GroupPolicy_cnd-vpn
tunnel-group cnd-vpn webvpn-attributes
 group-alias cnd-vpn enable
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7512c868ab86b03e035faf6b6f6d6ea6
: end
asdm image disk0:/asdm-743.bin
no asdm history enable
 

Chris Curtiss

Hi Chris,

 

You haven't enable the tunnle group itself.

 

tunnel-group cnd-vpn webvpn-attributes
 group-url https://96.92.178.237/cnd-vpn enable

 

Please make sure, your any L3 switch have route back to your dhcp-pool i.e. 10.1.30.0/24 is being pushed towards your ASA's inside interface address.

 

Let me know, how this coming alone.

 

thanks

Rizwan Rafeek.

Hi Rizwan,

 

I enabled the tunnel group with the statement you provided.

tunnel-group cnd-vpn webvpn-attributes
group-url https://96.92.178.237/cnd-vpn enable

I still cannot establish a vpn connection anymore.

Thanks for getting back to me... I can't figure this out.

 

Chris

 

Rizwan,

 

In the ASSDM syslog, I see what I think is the VPN request coming in. It states the following.

 

TCP acces denied by ACL from 70.215.1.124/11275 to outside:96.92.178.237/80

 

Chris

 

 

Remove this line: nat (any,outside) source static any any destination static og-cndvpn-pool og-cndvpn-pool no-proxy-arp route-lookup

 

copy this instead.

nat (inside,outside) 1 source static any any destination static og-cndvpn-pool og-cndvpn-pool no-proxy-arp route-lookup

Rizwan,

 

Still no change... I cannot establish a VPN session or ping the outside interface from outside of the network. In the ASSDM syslog, I see what I think is the VPN request coming in, and the ICMP packets from my outside pings being dropped also. It states the following.

 

TCP acces denied by ACL from 70.215.1.124/11275 to outside:96.92.178.237/80

 

Chris

Outside interface is not pingable has nothing to do with you cannot vpn in.

"route outside 0.0.0.0 0.0.0.0 10.1.10.1 1"

 

Shouldn't your default route be pointing to your ISP's next-hop address instead?

 

 

I understand there is no relation between the vpn issue and not being able to ping the outside interface. I should have differentiated the two issues. I appologize...

 

"route outside 0.0.0.0 0.0.0.0 10.1.10.1 1"

My lab sits behind a commercial ISP gateway (modem). The gateway is also a DHCP server and provides NAT to its internal network (10.1.10.0/24). My ASA connects to a switchport on the gateway device and has static public IP.

The gateway also has a static public IP... should I change the default route to the gateway's public IP?

I still don't see how that is related to the syslog message showing my VPN request being denied due to an ACL.

 

I appologize for the confusion and any frustration I may cause. I am a novice and appreciate your time greatly!

 

Thanks

 

Chris

 

 

If you are remote-in to your ASA's public address and then the return traffic for vpn-users’ public address must ergress out in the same direction through which traffic came in, otherwise you will create asymmetric route.

 

Yes, please point your default route to ASA's next-hop address which is your ISP-device's IP and try it.

thanks

Have you put back the default-route to ASA's next-hop address which is your ISP-device's IP and try it?

Good morning Rizwan,

 

I just made the default route point to the outside interface of the ISP gateway (96.92.178.238). Still unable to establish a VPN connection.

 

Rizwan... you are incredibly helpful, and I appreciate that.

Current configuration attached.

 

 

Chris

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: