Whoa! Changes in latest ASDM / IOS throwing me off

gnurph69
Level 1

I'm setting up an ASA 5505 with IOS 8.4(2) and ASDM 6.4(5) using the SSL client (well, and the Clientless SSL, but one thing at a time.)  This is for a SOHO (they're on a cable modem) such that I should be able to remotely VPN into this system from anywhere on the Internet for support purposes.

I have the certificate generated, I can authenticate via AnyConnect - no errors.  I'm used to using NAT exempt commands to move forward, but the ASA is telling me that my commands are invalid (as are the suggestions from the Cisco site, which apply to an earlier version of the ASA's software.)  My local LAN access is fine.

Symptoms:

  • I can't ping anything on the only network behind the firewall.  (I can ping myself.)
  • If I do a "route print" on my Windows box, it is routing correctly.
  • I've got to be missing something basic, but for the life of me, I can't see it.  I'd guess split tunneling, but ... who knows?

My network behind the 5505 is 192.168.0.0/24; I have a VPN-Pool of 192.168.101.0/24.

My object groups are basic:

object network VLAN1
 subnet 192.168.0.0 255.255.255.0
object network VPN
 subnet 192.168.101.0 255.255.255.0
object-group icmp-type Allowed_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
 icmp-object unreachable
 icmp-object time-exceeded

I have an extended IP access-list called VPN2Anywhere that permits access for both IP and ICMP, and a standard one called SplitTunnel:

access-list VPN2Anywhere extended permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0 log disable
access-list VPN2Anywhere extended permit icmp 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0 object-group Allowed_ICMP log disable
access-list VPN2Anywhere extended permit ip 192.168.101.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN2Anywhere extended permit icmp 192.168.101.0 255.255.255.0 192.168.0.0 255.255.255.0 object-group Allowed_ICMP log disable
access-list SplitTunnel standard permit 192.168.0.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.101.0 255.255.255.0

My NAT is relatively simple:

nat (inside,any) source static VPN VPN destination static VLAN1 VLAN1
nat (inside,outside) source dynamic any interface

I didn't create a lot in the way of new policies - I just modified the existing ones:

dynamic-access-policy-record DfltAccessPolicy
 description "Default Access Policy"
 network-acl VPN2Anywhere
 webvpn
  appl-acl All-Permit
  file-browsing enable
  file-entry enable
  http-proxy enable
  url-entry enable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.0.253
 dns-server value 192.168.0.253
 vpn-tunnel-protocol ssl-client
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN2Anywhere
 default-domain value WK9.com
 address-pools value VPN-Pool
 webvpn
  filter value All-Permit
  anyconnect ask none default webvpn
  customization value DfltCustomization
  smart-tunnel enable AllExternalApplications
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN-Pool
 authorization-server-group LOCAL
 authorization-required
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias VPN enable

What am I missing here?

Thanks!

1 Reply

Jennifer Halim
Cisco Employee

A few modifications are required for it to work:

1) The split tunnel ACL should not include the VPN pool, so you should remove the following:

no access-list SplitTunnel standard permit 192.168.101.0 255.255.255.0

2) The split tunnel ACL assigned to the group-policy is incorrect; it should be the standard ACL (SplitTunnel):

vpn-tunnel-protocol ssl-client
 no split-tunnel-network-list value VPN2Anywhere
 split-tunnel-network-list value SplitTunnel

3) The NAT statement is the other way round. The existing NAT should be removed:

no nat (inside,any) source static VPN VPN destination static VLAN1 VLAN1

To be changed to:

nat (inside,outside) source static VLAN1 VLAN1 destination static VPN VPN

Hope this resolves the issue.
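The three fixes in the reply (a standard ACL for the split-tunnel list, no pool network inside that list, and an identity NAT exemption from the inside LAN to the pool on the (inside,outside) pair) are easy to get wrong again on the next box, so below is an added example of a small lint script that checks an ASA 8.3+ config fragment for them. It is not Cisco's code or the poster's configuration; the config strings are constructed from the lines quoted in the thread, the object names VLAN1 and VPN are taken from the post, and the script goes one step beyond the reply by also checking that the exemption precedes the dynamic PAT rule, since manual NAT rules are evaluated in the order they appear in the config.

```python
"""Lint an ASA 8.3+ AnyConnect config fragment for the split-tunnel and NAT-exemption mistakes.

Added example (not Cisco's or the poster's code). Configs below are constructed from the thread.
"""
import ipaddress

# Constructed: the poster's original fragment, reduced to the lines the checks need.
BEFORE = """\
object network VLAN1
 subnet 192.168.0.0 255.255.255.0
object network VPN
 subnet 192.168.101.0 255.255.255.0
access-list VPN2Anywhere extended permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.0.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.101.0 255.255.255.0
nat (inside,any) source static VPN VPN destination static VLAN1 VLAN1
nat (inside,outside) source dynamic any interface
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN2Anywhere
"""

# Constructed: only fix 2 applied (split list now points at SplitTunnel), fixes 1 and 3 still missing.
PARTIAL = BEFORE.replace("value VPN2Anywhere", "value SplitTunnel")

# Constructed: the fragment with all three changes from the reply applied.
AFTER = """\
object network VLAN1
 subnet 192.168.0.0 255.255.255.0
object network VPN
 subnet 192.168.101.0 255.255.255.0
access-list VPN2Anywhere extended permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.0.0 255.255.255.0
nat (inside,outside) source static VLAN1 VLAN1 destination static VPN VPN
nat (inside,outside) source dynamic any interface
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel
"""


def parse(text):
    """Pull network objects, ACLs, the split-tunnel list name and manual NAT rules out of a config."""
    cfg = {"objects": {}, "acls": {}, "split_list": None, "nat": []}
    obj = None  # name of the 'object network' block currently being read
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "object" and p[1] == "network":
            obj = p[2]
        elif p[0] == "subnet" and obj:
            cfg["objects"][obj] = ipaddress.ip_network(f"{p[1]}/{p[2]}")
        elif p[0] == "access-list":
            acl = cfg["acls"].setdefault(p[1], {"type": p[2], "entries": []})
            acl["entries"].append(p[3:])
        elif p[0] == "split-tunnel-network-list":
            cfg["split_list"] = p[2]
        elif p[0] == "nat":
            cfg["nat"].append(p)
        if not raw[:1].isspace() and p[0] != "object":
            obj = None  # left the object block
    return cfg


def lint(cfg, lan_obj, pool_obj, inside="inside", outside="outside"):
    """Return a list of findings; an empty list means the fragment passes all checks."""
    findings = []
    lan, pool = cfg["objects"][lan_obj], cfg["objects"][pool_obj]

    # Check 1/2: the split-tunnel list must be a standard ACL and must not contain the pool.
    name = cfg["split_list"]
    acl = cfg["acls"].get(name)
    if acl is None:
        findings.append(f"split-tunnel-network-list '{name}' is not a defined ACL")
    elif acl["type"] != "standard":
        findings.append(f"split-tunnel ACL '{name}' is {acl['type']}; it must be a standard ACL")
    else:
        for e in acl["entries"]:  # standard entry: permit <network> <mask>
            if len(e) == 3 and e[0] == "permit" and ipaddress.ip_network(f"{e[1]}/{e[2]}") == pool:
                findings.append(f"split-tunnel ACL '{name}' includes the VPN pool {pool}; remove it")

    # Check 3: an identity (no-translation) rule LAN -> pool on the (inside,outside) pair.
    exempt_at, reversed_rule = None, False
    for i, n in enumerate(cfg["nat"]):
        if n[2:4] != ["source", "static"] or n[6:8] != ["destination", "static"]:
            continue
        if n[4] != n[5] or n[8] != n[9]:
            continue  # real translation, not an exemption
        src, dst = cfg["objects"].get(n[4]), cfg["objects"].get(n[8])
        if src == pool and dst == lan:
            reversed_rule = True
            findings.append(f"NAT rule '{' '.join(n)}' is reversed: the LAN must be the source and the pool the destination")
        elif src == lan and dst == pool and n[1] == f"({inside},{outside})":
            exempt_at = i
    if exempt_at is None and not reversed_rule:
        findings.append(f"missing: nat ({inside},{outside}) source static {lan_obj} {lan_obj} destination static {pool_obj} {pool_obj}")
    elif exempt_at is not None and any(n[2:4] == ["source", "dynamic"] for n in cfg["nat"][:exempt_at]):
        findings.append("the NAT exemption must precede the dynamic PAT rule; manual NAT is matched in order")
    return findings


def check(text):
    """Convenience wrapper using the object names from the thread."""
    return lint(parse(text), "VLAN1", "VPN")


if __name__ == "__main__":
    for label, text in (("BEFORE", BEFORE), ("PARTIAL", PARTIAL), ("AFTER", AFTER)):
        print(label, check(text) or "OK")
```

Run it as-is and the poster's fragment reports the extended split list and the reversed NAT rule, the partially fixed one reports the pool inside SplitTunnel plus the reversed NAT, and the corrected fragment reports nothing. The lint only understands the `object network ... subnet` form for NAT operands; rules that name `any` or an object-group resolve to `None` and are ignored rather than guessed at.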