VPN connection established, but cannot connect to server?

jessie
Level 1

AnyConnect VPN connection is established, but I cannot connect to the server. The server IP is 192.168.0.4.

Thank you

ASA Version 8.2(1)

!

hostname ciscoasa5505

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.3 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 208.0.0.162 255.255.255.248

!

interface Vlan5

shutdown

no forward interface Vlan1

nameif dmz

security-level 50

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.0.4

name-server 208.0.0.11

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service TS-780 tcp-udp

port-object eq 780

object-group service Graphon tcp-udp

port-object eq 491

object-group service Allworx-2088 udp

port-object eq 2088

object-group service allworx-15000 udp

port-object range 15000 15511

object-group service allworx-2088 udp

port-object eq 2088

object-group service allworx-5060 udp

port-object eq sip

object-group service allworx-8081 tcp

port-object eq 8081

object-group service allworx-web tcp

port-object eq 8080

object-group service allworx udp

port-object range 16001 16010

object-group service allworx- udp

port-object range 16384 16393

object-group service remote tcp-udp

port-object eq 779

object-group service billing1 tcp-udp

port-object eq 8080

object-group service billing-1521 tcp-udp

port-object eq 1521

object-group service billing-6233 tcp-udp

port-object range 6233 6234

object-group service billing2-3389 tcp-udp

port-object eq 3389

object-group service olivia-3389 tcp-udp

port-object eq 3389

object-group service olivia-777 tcp-udp

port-object eq 777

object-group network group

network-object host 192.168.0.15

network-object host 192.168.0.4

object-group service allworx1 tcp-udp

description 8080

port-object eq 8080

object-group service allworx_15000 udp

port-object range 15000 15511

object-group service allworx_16384 udp

port-object range 16384 16393

object-group service DM_INLINE_UDP_1 udp

group-object allworx_16384

port-object range 16384 16403

object-group service allworx-5061 udp

port-object range 5061 5062

object-group service ananit tcp-udp

port-object eq 880

access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.164 object-group billing-6233

access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.164 object-group billing-1521

access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.164 object-group billing2-3389

access-list outside_access_in extended permit tcp any host 208.0.0.164 eq https

access-list outside_access_in extended permit tcp any host 208.0.0.164 eq www

access-list outside_access_in extended permit tcp any host 208.0.0.164 eq ftp

access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.164 object-group billing1

access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.162 eq domain

access-list outside_access_in extended permit tcp any host 208.0.0.162 eq www

access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.162 object-group remote

access-list outside_access_in extended permit tcp any host 208.0.0.162 eq smtp

access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.162 object-group olivia-777

access-list outside_access_in extended permit udp any host 208.0.0.162 object-group Allworx-2088 inactive

access-list outside_access_in extended permit udp any host 208.0.0.162 object-group allworx-5060 inactive

access-list outside_access_in extended permit tcp any host 208.0.0.162 object-group allworx-web inactive

access-list outside_access_in extended permit tcp any host 208.0.0.162 object-group allworx-8081 inactive

access-list outside_access_in extended permit udp any host 208.0.0.162 object-group allworx-15000 inactive

access-list outside_access_in extended permit udp any host 208.0.0.162 object-group DM_INLINE_UDP_1 inactive

access-list outside_access_in extended permit udp any host 208.0.0.162 object-group allworx-5061 inactive

access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.162 object-group ananit inactive

access-list outside_access_in extended deny ip host 151.1.68.194 host 208.0.0.164

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_20_cryptomap extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list ping extended permit icmp any any echo-reply

access-list inside_access_in extended permit ip any any

access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 1 standard permit 192.168.0.0 255.255.255.0

pager lines 24

logging enable

logging buffered notifications

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool remote_pool 192.168.100.30-192.168.100.60 mask 255.255.255.0

ip local pool remote 192.168.0.20-192.168.0.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 192.168.0.0 255.255.255.0

alias (inside) 192.168.0.4 99.63.129.65 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.0.4 smtp netmask 255.255.255.255

static (inside,outside) tcp interface domain 192.168.0.4 domain netmask 255.255.255.255

static (inside,outside) tcp interface www 192.168.0.4 www netmask 255.255.255.255

static (inside,outside) tcp interface 777 192.168.0.15 777 netmask 255.255.255.255

static (inside,outside) tcp interface 779 192.168.0.4 779 netmask 255.255.255.255

static (inside,outside) udp interface domain 192.168.0.4 domain netmask 255.255.255.255

static (inside,outside) tcp interface 880 192.168.0.16 880 netmask 255.255.255.255

static (inside,outside) tcp 208.0.0.164 3389 192.168.0.185 3389 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 208.0.0.161 1

route inside 192.168.50.0 255.255.255.0 192.168.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.0.0 255.255.255.0 inside

http 192.168.0.3 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 108.0.0.97

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer 69.0.0.54

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime none

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 1

lifetime none

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface dmz

dhcpd auto_config outside

!

dhcpd address 192.168.0.20-192.168.0.50 inside

dhcpd dns 192.168.0.4 208.0.0.11 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

group-policy anyconnect internal

group-policy anyconnect attributes

vpn-tunnel-protocol svc webvpn

webvpn

  url-list none

  svc ask enable

username olivia password Zta1M8bCsJst9NAs encrypted

username graciela password CdnZ0hm9o72q6Ddj encrypted

tunnel-group 69.0.0.54 type ipsec-l2l

tunnel-group 69.0.0.54 ipsec-attributes

pre-shared-key *

tunnel-group 108.0.0.97 type ipsec-l2l

tunnel-group 108.0.0.97 ipsec-attributes

pre-shared-key *

tunnel-group anyconnect type remote-access

tunnel-group anyconnect general-attributes

address-pool remote

default-group-policy anyconnect

tunnel-group anyconnect webvpn-attributes

group-alias anyconnect enable

!

class-map global-class

match default-inspection-traffic

!

!

policy-map global-policy

class global-class

  inspect icmp

!

service-policy global-policy global

: end

asdm location 208.0.0.164 255.255.255.255 inside

asdm location 192.168.0.15 255.255.255.255 inside

asdm location 192.168.50.0 255.255.255.0 inside

asdm location 192.168.1.0 255.255.255.0 inside

no asdm history enable

Accepted Solution

Right now your nat 0 (NAT exemption) follows the access list:

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

Return traffic from your server at 192.168.0.4 to the VPN pool (192.168.0.20-50) will not match that access-list and will thus be NATted. The TCP connection will not establish due to a Reverse Path Forwarding (RPF) failure: the traffic is asymmetrically NATted.

So try adding an entry to the access list like:

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0

...it's a bit counter-intuitive, but necessary, as your VPN pool is carved out of your inside network space. You could also do as Shaoqin suggests below and use a distinct network, but you would still have to add an access-list entry to exempt the outbound traffic from NAT.


4 Replies

Marvin Rhoads
Hall of Fame

I may have missed it but did you exempt your clients' VPN pool addresses from NAT?

How do I do that?

Thank you


Shaoqin Li
Level 3

Can you try a pool other than the inside interface subnet?

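Both fixes discussed in this thread, written out as an added configuration example. This is not from the original post or from any reply; it is written against the posted ASA 8.2(1) config (pre-8.3 NAT syntax), reuses the pool remote_pool that the posted config already defines but never assigns, and treats any port numbers mentioned as placeholders, since the thread never says what service the server at 192.168.0.4 runs.

```cisco
! Added example, not from the original post or its replies.
! Target: the posted ASA 8.2(1) config (pre-8.3 NAT syntax), where NAT
! exemption for the inside interface is driven by
!   nat (inside) 0 access-list inside_nat0_outbound
! and everything else matches "nat (inside) 1 0.0.0.0 0.0.0.0", i.e. is
! PATed to the outside interface address.
!
! ---- Option A: keep the pool "remote" (192.168.0.20-50, carved out of the
! inside /24) and exempt inside-to-inside traffic, as in the accepted answer.
! nat 0 with an access-list is bidirectional, so one entry covers both the
! client -> server packets arriving on outside and the server -> client
! replies leaving inside.
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! ---- Option B: give clients a pool outside the inside subnet, as Shaoqin
! suggests. "remote_pool" (192.168.100.30-60) already exists in the posted
! config but is not assigned to the tunnel-group. This also removes an
! overlap visible in the posted config: the VPN pool and the inside DHCP
! scope are both 192.168.0.20-50.
tunnel-group anyconnect general-attributes
 no address-pool remote
 address-pool remote_pool
!
! The exemption is still needed. Without it the server's replies to
! 192.168.100.x match "nat (inside) 1" and would be PATed, so the ASA drops
! the client's first packet at the NAT reverse-path check
! (syslog %ASA-5-305013, "Asymmetric NAT rules matched for forward and
! reverse flows").
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
!
! The posted group-policy sets no split tunnel, so client Internet traffic
! hairpins back out of "outside" and is PATed by the existing line
!   nat (outside) 1 192.168.0.0 255.255.255.0
! That only covers the old pool; add the new one or moved clients lose
! Internet access.
nat (outside) 1 192.168.100.0 255.255.255.0
```

To see which NAT rule the server's reply direction hits, trace a packet from the inside interface while a client is connected, substituting the client's real pool address and the server's real port (3389 and 50000 here are placeholders): `packet-tracer input inside tcp 192.168.0.4 3389 192.168.0.25 50000`. Before the fix the NAT phase reports the dynamic PAT rule; afterwards it reports the nat 0 exemption. While the problem persists, `show logging | include 305013` on the posted box (its `logging buffered notifications` keeps level-5 messages) shows the reverse-path drops. Two assumptions worth checking for Option B: inside hosts must be able to route 192.168.100.0/24 back to the ASA, and the posted config shows a second inside router at 192.168.0.1 (`route inside 192.168.50.0 255.255.255.0 192.168.0.1`), so a server whose default gateway is that router rather than the ASA needs a route for the new pool there. Option A additionally relies on the server resolving the client's 192.168.0.x address on the LAN, which the ASA normally answers by proxy ARP; the posted config carries `sysopt noproxyarp inside`, which may suppress that, so if Option A alone does not work, compare `show arp` on the ASA with the server's ARP table before concluding the NAT exemption is wrong.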
