12-25-2011 10:28 PM - edited 02-21-2020 05:47 PM
Hello,
I am having an issue: I need to have the outside interface terminate an SSL AnyConnect client. I have several groups that will log in, and I need multiple inside interfaces to satisfy my security needs.
I have one group called ombudsman-mhdd and they need to go out interface g0/1.231, and another group called oet-router go out g0/1.232.
This works on my 8.2 box, but I am having trouble routing traffic out these interfaces.
Any help would be greatly appreciated.
interface GigabitEthernet0/0
description trunk mplsfe-hub g1/10 - - null
nameif outside
security-level 0
ip address 207.171.92.25 255.255.255.252
!
interface GigabitEthernet0/1
description trunk mplsfe-hub g1/11 - - null
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.231
description mplsfe-hub g1/11.231 - null V17:vpn-crs
vlan 231
nameif inside
security-level 100
ip address 207.171.109.173 255.255.255.252
!
interface GigabitEthernet0/1.232
description mplsfe-hub g1/11.232 - null vpn-admin
vlan 232
nameif vpn-admin
security-level 100
ip address 207.171.120.29 255.255.255.252
!
12-26-2011 02:32 AM
Hi,
I assume you're doing this via
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/uz.html#wp1547912
If so (unless someone has a better idea) I would suggest opening a TAC case so we have a look in depth, with full config and logs ;-)
M.
12-26-2011 07:45 AM
interface GigabitEthernet0/0
description trunk mplsfe-hub g1/10 - - null
nameif outside
security-level 0
ip address 207.171.92.25 255.255.255.252
!
interface GigabitEthernet0/1
description trunk mplsfe-hub g1/11 - - null
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.231
description mplsfe-hub g1/11.231 - null V17:vpn-crs
vlan 231
nameif inside
security-level 100
ip address 207.171.109.173 255.255.255.252
!
interface GigabitEthernet0/1.232
description mplsfe-hub g1/11.232 - null vpn-admin
vlan 232
nameif vpn-admin
security-level 100
ip address 207.171.120.29 255.255.255.252
This is the current config. I have a case open with them and they aren't having any success. This is very unusual; we are acting as an ISP for various agencies to SSL into the network.
:
ASA Version 8.4(2)
!
hostname mplsfe-shpix
domain-name r.state.mn.us
names
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 10.10.10.2 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 156.98.47.21
name-server 207.171.71.71
name-server 156.98.1.1
domain-name r.state.mn.us
dns server-group ns1.state.mn.us
dns server-group ns2.state.mn.us
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ombudsman-mhdd-outside
subnet 10.77.25.0 255.255.255.224
object network oet-router-outside
subnet 10.77.25.64 255.255.255.192
object network 10.77.25.65
host 10.77.25.65
object network 172.20.111.117
host 172.20.111.117
object-group network dns-servers
network-object 156.98.47.21 255.255.255.255
network-object 156.98.1.1 255.255.255.255
network-object 156.98.47.20 255.255.255.255
network-object 156.99.222.4 255.255.255.255
network-object 207.171.71.71 255.255.255.255
object-group network inside-networks
description all state networks inside
network-object 156.98.0.0 255.255.0.0
network-object 156.99.0.0 255.255.0.0
network-object 136.234.0.0 255.255.0.0
network-object 207.171.0.0 255.255.0.0
network-object 64.8.0.0 255.255.0.0
network-object 172.0.0.0 255.0.0.0
network-object 10.0.0.0 255.0.0.0
access-list capin extended permit ip host 10.77.25.65 host 172.20.111.117
access-list capin extended permit ip host 172.20.111.117 host 10.77.25.65
no pager
logging enable
logging timestamp
logging buffer-size 10000
logging asdm-buffer-size 512
logging monitor debugging
logging buffered warn-vpn
logging facility 21
logging device-id hostname
mtu outside 1500
mtu inside 1500
mtu vpn-admin 1500
mtu management 1500
ip local pool ombudsman-mhdd 10.77.25.1-10.77.25.30 mask 255.255.255.224
ip local pool oet-router 10.77.25.65-10.77.25.126 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any inside
asdm image disk0:/asdm-645-204.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-networks inside-networks destination static ombudsman-mhdd-outside ombudsman-mhdd-outside no-proxy-arp route-lookup
nat (outside,outside) source dynamic ombudsman-mhdd-outside interface
nat (any,vpn-admin) source static 10.77.25.65 interface destination static 172.20.111.117 172.20.111.117
nat (inside,vpn-admin) source static inside-networks inside-networks destination static oet-router-outside oet-router-outside no-proxy-arp route-lookup
!
object network ombudsman-mhdd-outside
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 207.171.92.26 1
route vpn-admin 0.0.0.0 0.0.0.0 207.171.120.30 2
route inside 10.0.0.0 255.0.0.0 207.171.109.174 1
route inside 64.8.0.0 255.255.0.0 207.171.109.174 1
route outside 68.87.77.134 255.255.255.255 207.171.92.26 1
route inside 136.234.0.0 255.255.0.0 207.171.109.174 1
route outside 136.234.20.1 255.255.255.255 156.99.224.241 1
route outside 136.234.168.137 255.255.255.255 207.171.92.26 1
route outside 136.234.168.141 255.255.255.255 207.171.92.26 1
route outside 136.234.197.28 255.255.255.255 207.171.92.26 1
route inside 156.98.0.0 255.255.0.0 207.171.109.174 1
route outside 156.98.1.1 255.255.255.255 207.171.92.26 1
route outside 156.98.1.168 255.255.255.248 207.171.92.26 1
route outside 156.98.3.136 255.255.255.248 207.171.92.26 1
route outside 156.98.48.176 255.255.255.255 207.171.92.26 1
route outside 156.98.75.0 255.255.255.0 156.98.75.3 1
route outside 156.98.75.253 255.255.255.255 207.171.92.26 1
route outside 156.98.77.245 255.255.255.255 207.171.92.26 1
route outside 156.98.99.4 255.255.255.255 207.171.92.26 1
route inside 156.99.0.0 255.255.0.0 207.171.109.174 1
route outside 156.99.0.40 255.255.255.248 207.171.92.26 1
route outside 156.99.11.56 255.255.255.248 207.171.92.26 1
route outside 156.99.11.120 255.255.255.248 207.171.92.26 1
route outside 156.99.23.56 255.255.255.248 207.171.92.26 1
route outside 156.99.26.64 255.255.255.248 207.171.92.26 1
route outside 156.99.26.80 255.255.255.248 207.171.92.26 1
route outside 156.99.28.120 255.255.255.248 207.171.92.26 1
route outside 156.99.31.96 255.255.255.240 207.171.92.26 1
route outside 156.99.34.216 255.255.255.248 207.171.92.26 1
route outside 156.99.34.232 255.255.255.248 207.171.92.26 1
route outside 156.99.38.225 255.255.255.255 207.171.92.26 1
route outside 156.99.41.163 255.255.255.255 207.171.92.26 1
route outside 156.99.63.16 255.255.255.248 207.171.92.26 1
route outside 156.99.63.24 255.255.255.248 207.171.92.26 1
route outside 156.99.90.141 255.255.255.255 207.171.92.26 1
route outside 156.99.90.142 255.255.255.255 207.171.92.26 1
route outside 156.99.90.160 255.255.255.248 207.171.92.26 1
route outside 156.99.90.176 255.255.255.248 207.171.92.26 1
route outside 156.99.93.159 255.255.255.255 207.171.92.26 1
route outside 156.99.98.72 255.255.255.248 207.171.92.26 1
route outside 156.99.106.232 255.255.255.248 207.171.92.26 1
route outside 156.99.115.224 255.255.255.248 207.171.92.26 1
route outside 156.99.124.128 255.255.255.240 207.171.92.26 1
route inside 172.0.0.0 255.0.0.0 207.171.109.174 1
route inside 172.16.0.0 255.240.0.0 207.171.109.174 1
route vpn-admin 172.20.111.116 255.255.255.252 207.171.120.30 2
route vpn-admin 172.25.224.0 255.255.248.0 207.171.87.126 2
route vpn-admin 172.25.232.0 255.255.248.0 207.171.87.126 2
route vpn-admin 172.25.240.0 255.255.240.0 207.171.87.126 2
route inside 207.171.0.0 255.255.0.0 207.171.109.174 1
route outside 207.171.110.90 255.255.255.255 156.99.224.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authorization command LOCAL
http server enable
sysopt connection tcpmss 1200
sysopt connection preserve-vpn-flows
auth-prompt prompt Enter RSA Token Codes
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint Intermediate
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint0-VPN2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint0-VPN2c
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPointVPN3
crl configure
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 864000
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
console timeout 30
management-access vpn-admin
dhcpd wins 156.98.47.21 156.98.47.20
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 156.99.23.20
ntp server 156.98.1.113
tftp-server inside 156.99.121.129 /home/tftpboot
ssl trust-point VPN_trust vpn-admin
ssl trust-point VPN_trust outside
ssl trust-point VPN_trust inside
webvpn
enable outside
enable inside
enable vpn-admin
anyconnect-essentials
anyconnect image disk0:/anyconnect-dart-win-2.5.3041-k9.pkg 1
anyconnect enable
tunnel-group-list enable
************************************
group-policy GroupPolicy_ombudsman-mhdd internal
group-policy GroupPolicy_ombudsman-mhdd attributes
banner value You are now logging on to the Ombudsman VPN. Unauthorized access to this network is strictly prohibited. By logging into this network you agree to all State and Federal Laws Governing Remote Access.
wins-server value 156.99.113.62 156.99.113.61
dns-server value 156.99.113.62 156.99.113.61
vpn-tunnel-protocol ssl-client
group-lock value ombudsman-mhdd
default-domain value state.mn.us
address-pools value ombudsman-mhdd
webvpn
anyconnect modules value dart,vpngina
group-policy oet-router internal
*************************************
group-policy oet-router attributes
wins-server value 156.98.47.21 156.99.222.4
dns-server value 156.98.47.20 156.98.47.21
vpn-tunnel-protocol ssl-client
group-lock value oet-router
default-domain value admin.state.mn.us
vlan 232
webvpn
anyconnect modules value dart,vpngina
anyconnect ask none default anyconnect
****************************************
tunnel-group DefaultRAGroup webvpn-attributes
radius-reject-message
proxy-auth sdi
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 120 retry 5
tunnel-group DefaultWEBVPNGroup webvpn-attributes
radius-reject-message
tunnel-group ombudsman-mhdd type remote-access
tunnel-group ombudsman-mhdd general-attributes
address-pool ombudsman-mhdd
authentication-server-group keyfob
default-group-policy GroupPolicy_ombudsman-mhdd
tunnel-group ombudsman-mhdd webvpn-attributes
group-alias ombudsman-mhdd enable
tunnel-group oet-router type remote-access
tunnel-group oet-router general-attributes
address-pool oet-router
authentication-server-group keyfob
default-group-policy oet-router
tunnel-group oet-router webvpn-attributes
group-alias oet-router enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
mplsfe-shpix#
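As an added example (not code from Cisco or the poster), here is a small Python auditor for a pasted ASA 8.4 config like the one above. It maps each tunnel-group to its default group-policy, the policy's vlan statement to the sub-interface nameif carrying that VLAN, the address pool to its subnet, and then lists the routes out that interface and which default route has the lower metric, so the per-group egress question can be checked from the config alone. The sample config is a constructed excerpt of the config in this thread; the section-child keyword sets and the report keys are the example's own assumptions.

```python
# Added example (not Cisco's or the poster's code): audit a copy-pasted ASA 8.4
# config and report, per tunnel-group, which sub-interface the group-policy's
# 'vlan' maps to and which default route the routing table prefers.
import ipaddress

# Pasted configs lose the ASA's indentation, so a line counts as a child of the
# open section by keyword, not by leading whitespace (assumed keyword sets).
CHILDREN = {
    "interface": {"description", "vlan", "nameif", "security-level", "ip", "no", "shutdown"},
    "group-policy": {"banner", "wins-server", "dns-server", "vpn-tunnel-protocol", "group-lock",
                     "default-domain", "address-pools", "vlan", "webvpn", "anyconnect"},
    "tunnel-group": {"address-pool", "authentication-server-group", "default-group-policy",
                     "group-alias", "radius-reject-message", "proxy-auth", "isakmp"},
}
STORE = {"interface": "interfaces", "group-policy": "group_policies", "tunnel-group": "tunnel_groups"}


def parse(text):
    cfg = {"interfaces": {}, "group_policies": {}, "tunnel_groups": {}, "pools": {}, "routes": []}
    section = None                                   # (kind, name) of the open section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ":!*":             # separators close the open section
            section = None
            continue
        w = line.split()
        if w[0] == "interface" or (w[0] in ("group-policy", "tunnel-group")
                                   and len(w) > 2 and w[2].endswith("attributes")):
            section = (w[0], w[1])
            cfg[STORE[w[0]]].setdefault(w[1], {})
            continue
        # 'ip address' is an interface child, 'ip local pool' is global
        if section and w[0] in CHILDREN[section[0]] and not (w[0] == "ip" and w[1] != "address"):
            cfg[STORE[section[0]]][section[1]][w[0]] = w[1:]
            continue
        section = None
        if w[:3] == ["ip", "local", "pool"]:         # ip local pool NAME START-END mask MASK
            cfg["pools"][w[3]] = ipaddress.ip_network(f"{w[4].split('-')[0]}/{w[6]}", strict=False)
        elif w[0] == "route" and len(w) >= 6:        # route NAMEIF NET MASK GATEWAY METRIC
            cfg["routes"].append({"nameif": w[1], "metric": int(w[5]),
                                  "network": ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)})
    return cfg


def audit(text):
    """Per tunnel-group: policy, vlan, egress nameif, pool, routes and findings."""
    cfg = parse(text)
    vlan_to_nameif = {int(i["vlan"][0]): i["nameif"][0] for i in cfg["interfaces"].values()
                      if "vlan" in i and "nameif" in i}
    defaults = {r["nameif"]: r["metric"] for r in cfg["routes"] if r["network"].prefixlen == 0}
    preferred = min(defaults, key=defaults.get) if defaults else None
    report = {}
    for tg, attrs in cfg["tunnel_groups"].items():
        if "default-group-policy" not in attrs:
            continue
        gp_name = attrs["default-group-policy"][0]
        gp = cfg["group_policies"].get(gp_name, {})
        vlan = int(gp["vlan"][0]) if "vlan" in gp else None
        egress = vlan_to_nameif.get(vlan)
        pool = cfg["pools"].get(attrs.get("address-pool", gp.get("address-pools", [None]))[-1])
        findings = []
        if vlan is None:
            findings.append("group-policy has no 'vlan': egress is decided by the routing table alone")
        elif egress is None:
            findings.append(f"vlan {vlan} is not bound to any named sub-interface")
        elif egress in defaults and preferred != egress:
            findings.append(f"default via {egress} has metric {defaults[egress]}; "
                            f"the metric-{defaults[preferred]} default via {preferred} is preferred")
        report[tg] = {"group_policy": gp_name, "vlan": vlan, "egress_nameif": egress,
                      "pool": str(pool) if pool else None, "findings": findings,
                      "routes_via_egress": sorted(str(r["network"]) for r in cfg["routes"]
                                                  if r["nameif"] == egress)}
    return report


# Constructed excerpt of the config posted in this thread, indentation lost as in the paste.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 207.171.92.25 255.255.255.252
!
interface GigabitEthernet0/1.231
vlan 231
nameif inside
ip address 207.171.109.173 255.255.255.252
!
interface GigabitEthernet0/1.232
vlan 232
nameif vpn-admin
ip address 207.171.120.29 255.255.255.252
!
ip local pool ombudsman-mhdd 10.77.25.1-10.77.25.30 mask 255.255.255.224
ip local pool oet-router 10.77.25.65-10.77.25.126 mask 255.255.255.192
route outside 0.0.0.0 0.0.0.0 207.171.92.26 1
route vpn-admin 0.0.0.0 0.0.0.0 207.171.120.30 2
route inside 10.0.0.0 255.0.0.0 207.171.109.174 1
route vpn-admin 172.20.111.116 255.255.255.252 207.171.120.30 2
group-policy GroupPolicy_ombudsman-mhdd attributes
vpn-tunnel-protocol ssl-client
address-pools value ombudsman-mhdd
group-policy oet-router internal
group-policy oet-router attributes
vpn-tunnel-protocol ssl-client
vlan 232
tunnel-group ombudsman-mhdd general-attributes
address-pool ombudsman-mhdd
default-group-policy GroupPolicy_ombudsman-mhdd
tunnel-group oet-router general-attributes
address-pool oet-router
default-group-policy oet-router
"""

if __name__ == "__main__":
    for name, info in audit(SAMPLE_CONFIG).items():
        print(name, info)
```

Run it against a full "show running-config" paste and the report shows, for each tunnel-group, whether the group-policy pins traffic to a VLAN at all, which nameif that VLAN lands on, and whether a default route out that nameif is actually the one the routing table prefers; on the excerpt above, oet-router maps to vpn-admin while ombudsman-mhdd has no vlan statement.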
12-26-2011 07:54 PM
Thank you so much for replying. I did have a vlan attached to the group policy; I included it in the update I pasted in. Thanks for your opinion; if you give me any advice I really appreciate it.