03-24-2015 09:48 PM - edited 02-21-2020 08:09 PM
Hi Folks
I have configured anyconnect VPN on our corporate ASA and it's working fine with split tunnel and I can access Internet when connected.
Can you please let me know how I can access my inside network and beyond that? I don't have access to my inside network and I don't know what is lacking in my configuration!
Any help would be appreciated!
Here is my configuration:
ASA Version 9.1(2)
!
hostname anyconnect-test
domain-name xxxxx.com
enable password xxxxx
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool ANYCONNECT-VPN 192.168.20.1-192.168.20.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 142.x.x.100 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 142.x.x.31 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.5.10 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name transalta.com
object network LOCAL
subnet 142.x.x.0 255.255.255.0
object network ANYCONNECT-VPN
subnet 192.168.20.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 142.x.x.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LOCAL LOCAL destination static ANYCONNECT-VPN ANYCONNECT-VPN no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 142.x.x.10 1
route inside 142.x.0.0 255.255.0.0 142.x.x.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=anyconnect-test
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 13caf954
quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 142.x.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles anyconnect-test_client_profile disk0:/anyconnect-test_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy ANYCONNECT-VPN internal
group-policy ANYCONNECT-VPN attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
webvpn
anyconnect keep-installer installed
anyconnect ask enable default anyconnect timeout 10
username armani password jIgrPMz6vta5Ra5t encrypted
username armani attributes
service-type remote-access
tunnel-group ANYCONNECT-VPN type remote-access
tunnel-group ANYCONNECT-VPN general-attributes
address-pool ANYCONNECT-VPN
default-group-policy ANYCONNECT-VPN
tunnel-group ANYCONNECT-VPN webvpn-attributes
group-alias TAU_ANYCONNECT enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 6
subscribe-to-alert-group configuration periodic monthly 6
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b998e23e6a411047d8ea2222b9b55341
: end
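As an added example (not from the thread, the poster or Cisco), a small Python check that parses an ASA config in this shape and flags networks reachable via the inside interface that the split-tunnel ACL or the NAT exemption does not cover. The sample config is constructed from the posted one, with the redacted "x" octets replaced by 10.20 purely so the addresses parse.

```python
import ipaddress

# Constructed sample modelled on the thread's config (not the poster's file);
# the redacted "x" octets are replaced with 10.20 so the addresses parse.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 ip address 142.10.20.100 255.255.255.0
ip local pool ANYCONNECT-VPN 192.168.20.1-192.168.20.254 mask 255.255.255.0
object network LOCAL
 subnet 142.10.20.0 255.255.255.0
object network ANYCONNECT-VPN
 subnet 192.168.20.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 142.10.20.0 255.255.255.0
nat (inside,outside) source static LOCAL LOCAL destination static ANYCONNECT-VPN ANYCONNECT-VPN no-proxy-arp route-lookup
route inside 142.10.0.0 255.255.0.0 142.10.20.1 1
"""

def parse(config):
    """Collect inside-reachable networks, split-tunnel entries and NAT-exempt objects."""
    objects, cur, nameif = {}, None, None
    inside, split, exempt = [], [], set()
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "object" and t[1] == "network":
            cur = t[2]
        elif t[0] == "subnet" and cur:
            objects[cur] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif == "inside":
            # directly connected inside subnet
            inside.append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
            split.append(ipaddress.ip_network(f"{t[4]}/{t[5]}"))
        elif t[0] == "route" and t[1] == "inside":
            inside.append(ipaddress.ip_network(f"{t[2]}/{t[3]}"))
        elif t[0] == "nat" and "source" in t:
            exempt.add(t[t.index("source") + 2])   # object after 'source static'
    return inside, split, [objects[n] for n in exempt if n in objects]

def audit(config):
    """Return (network, reason) pairs for inside networks the VPN config does not cover."""
    inside, split, exempt = parse(config)
    findings = []
    for net in inside:
        if not any(net.subnet_of(s) for s in split):
            findings.append((str(net), "not in split-tunnel ACL"))
        if not any(net.subnet_of(s) for s in exempt):
            findings.append((str(net), "not covered by NAT exemption"))
    return findings

if __name__ == "__main__":
    for net, reason in audit(SAMPLE_CONFIG):
        print(f"{net}: {reason}")
```

Run against the sample, the directly connected /24 passes both checks while the /16 learned via the inside route is reported for both, which is the kind of gap to rule out before looking at return routing on the switches.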
03-27-2015 12:02 PM
Hi,
Do your internal hosts have a route back to the VPN pool?
03-30-2015 08:04 AM
Hi Adeolu,
Yes, I have a directly connected 4506 switch that is connected to our core switches and runs EIGRP.
I have statically routed that pool on that switch to point to the inside interface of the ASA and redistributed it into our EIGRP!
03-30-2015 08:06 AM
Just to highlight, my inside and outside subnet is class B public IP and my pool Address is class C Private address range.
All my access lists are also in place and I think they are ok.
I can copy them here if you'd like to have a look.