After AnyConnect I can't access local network and ASA

cwhlaw2009
Level 1

Dear Everyone,

My office uses an ASA 5505 and I use AnyConnect from outside (sometimes overseas). I can connect to my office network and access the internet through the ASA, but I can't access the ASA or the local network (my client network). Why?

Office 192.168.10.0/24

VPN 192.168.11.0/24

How can I fix it?

ASA Version 9.2(3)
!
hostname ciscoasa
enable password XXXXXXXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXX encrypted
names
ip local pool VPN-Pool 192.168.11.1-192.168.11.10 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address AAA.BBB.CCC.DDD EEE.FFF.GGG.HHH
!
boot system disk0:/asa923-k8.bin
ftp mode passive
clock timezone HKST 8
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit intra-interface
object network VPN_Pool
subnet 192.168.11.0 255.255.255.240
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,outside) source dynamic VPN_Pool interface
nat (inside,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
!
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 AAA.BBB.CCC.DDD 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable XXXXX
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa
crl configure
crypto ca trustpoint Anyconnect_Self_Signed_Cert
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
subject-name CN=115.160.145.114,CN=ciscoasa
crl configure
crypto ca trustpool policy
crypto ca certificate chain Anyconnect_Self_Signed_Cert
certificate 5c7d4156
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 5d7d4156
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint Anyconnect_Self_Signed_Cert
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local

dhcpd dns 192.168.10.254 8.8.8.8
dhcpd lease 43200
!
dhcpd address 192.168.10.1-192.168.10.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server AAA.BBB.CCC.DDD source outside prefer
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.2.00096-k9.pkg 1
anyconnect profiles Anyconnect_client_profile disk0:/Anyconnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DefaultRAGroup_2 internal
group-policy DefaultRAGroup_2 attributes
dns-server value AAA.BBB.CCC.DDD AAA.BBB.CCC.DDD
vpn-tunnel-protocol ikev2
split-tunnel-policy tunnelspecified
group-policy GroupPolicy_Anyconnect internal
group-policy GroupPolicy_Anyconnect attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
default-domain none
split-tunnel-all-dns enable
ipv6-address-pools none
webvpn
anyconnect profiles value Anyconnect_client_profile type user
username XXXXXXX password XXXXXXXXXXXXXXX encrypted privilege 15
username XXXXXXX password XXXXXXXXXXXXXXX encrypted privilege 15
username XXXXXXX attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-Pool
default-group-policy DefaultRAGroup_2
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key XXXXXXXXX
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
address-pool VPN-Pool
default-group-policy GroupPolicy_Anyconnect
nat-assigned-to-public-ip inside
tunnel-group Anyconnect webvpn-attributes
group-alias Anyconnect enable
tunnel-group Anyconnect ppp-attributes
authentication ms-chap-v2
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:24991680b66624113beb31d230c593bb
: end

Accepted Solution

rvarelac
Level 7

Hi cwhlaw2009

You need to configure a split-tunnel policy if you want to be able to access the internal and local networks at the same time.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-anyconnect-config.html

Hope it helps

-Randy-
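As an added example (not part of Randy's answer or of Cisco's own tooling), a small Python audit that reads a running-config excerpt and flags what in the posted config produces the symptom: `split-tunnel-policy tunnelall` overriding the split-tunnel list, so the client's own LAN is tunnelled too, plus no `management-access inside` and no `http` entry for the VPN pool, so the ASA itself cannot be reached through the tunnel. The excerpt, function names and remediation strings are constructed for this example; the checks use only the standard library.

```python
import ipaddress
import re
# Constructed excerpt modelled on the posted config; 'show run' indents sub-commands one space.
SAMPLE_CONFIG = """\
ip local pool VPN-Pool 192.168.11.1-192.168.11.10 mask 255.255.255.0
http 192.168.10.0 255.255.255.0 inside
group-policy GroupPolicy_Anyconnect attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
"""

def group_policies(cfg):
    """Map each 'group-policy NAME attributes' block to its indented attribute lines."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = m.group(1)
            policies[current] = []
        elif current and line.startswith(" "):
            policies[current].append(line.strip())
        else:
            current = None
    return policies

def vpn_pool(cfg):
    """Network containing the 'ip local pool' range, derived from the pool's own mask."""
    first, mask = re.search(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", cfg).groups()
    return ipaddress.ip_network(f"{first}/{mask}", strict=False)

def mgmt_allows(cfg, proto, pool):
    """True if some 'http|ssh NET MASK IFACE' line permits the whole VPN pool."""
    for m in re.finditer(rf"^{proto} (\d+\.\S+) (\d+\.\S+) \S+$", cfg, re.M):
        if pool.subnet_of(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)):
            return True
    return False

def audit(cfg):
    """Return findings, each naming the misconfiguration and the line that fixes it."""
    findings = []
    for name, attrs in group_policies(cfg).items():
        if "split-tunnel-policy tunnelall" in attrs and any(a.startswith("split-tunnel-network-list") for a in attrs):
            findings.append(f"{name}: 'tunnelall' overrides the split-tunnel list; set 'split-tunnel-policy tunnelspecified'")
    pool = vpn_pool(cfg)
    if "management-access inside" not in cfg.splitlines():
        findings.append("missing 'management-access inside': the ASA inside address is not reachable over the VPN")
    if not mgmt_allows(cfg, "http", pool):
        findings.append(f"no 'http' entry for VPN pool {pool}; add 'http {pool.network_address} {pool.netmask} inside'")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports all three findings; applying the three suggested lines to the excerpt makes the audit return an empty list.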
