01-11-2019 05:25 AM
Hi everyone,
I'm new to the Cisco community.
I have a problem accessing my AnyConnect VPN from outside... Everything works in my LAN (RADIUS authentication, web page for downloading my client) but nothing works from outside... I have the same problem accessing my Terminal Server from outside...
During my tests everything worked, but since I put my firewall into production yesterday nothing works. I think I changed a NAT rule.
Here is my configuration:
!
interface Ethernet1/1
nameif outside
security-level 0
ip address 208.xx.xx.58 255.255.255.248
!
interface Ethernet1/2
description Interface LAN Serveur
nameif inside
security-level 100
ip address 172.18.0.1 255.255.240.0
!
interface Ethernet1/3
description Telephonie TELUS
nameif VOIP
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Ethernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/12
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/13
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/14
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/15
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/16
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.45.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8 outside
name-server 1.1.1.1 outside
domain-name tank.lan
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network TANK-DC1
host 172.18.0.105
description Domaine controller principal
object network TANK-BCK1
host 172.18.0.106
description Serveur de sauvegarde
object network TANK-FILES55
host 172.18.0.107
description Serveur de fichier du 87 (Ancien 55)
object network TANK-FILES87
host 172.18.0.108
description Serveur de fichier du 55 (Ancien 87)
object network TANK-FTP1
host 172.18.0.118
description Serveur FTP
object network TANK-TS1
host 172.18.0.117
description Serveur TS (BAD)
object network TANK-FILESW12
host 172.18.0.116
description Serveur TS temporaire
object network DFORCIER_Private
host 172.18.0.35
description Poste perso de Diane Forcier
object network GTI_WAN_IPS
subnet 107.xxx.xxx.96 255.255.255.224
description IP Wan de GTI
object network GTI_WLAN
subnet 10.2.2.0 255.255.255.0
description Réseau Local WLAN de GTI
object network GTI_LAN
subnet 10.1.1.0 255.255.255.0
description Réseau LAN de GTI
object network MERLIN
host 172.18.0.20
description Serveur Mac Pro
object network PANASONIC
subnet 10.0.1.0 255.255.255.0
description Système Téléphonique
object network TANK-FM-Serveur
host 172.18.0.10
description Serveur FileMaker
object network TANK_Wan_IP59
host 208.xx.xx.59
description IP Publique Secondaire
object network TANK_Wan_IP61
host 208.xx.xx.61
description IP Publique Secondaire
object network TANK_Wan_IP60
host 208.71.9.60
description IP Publique Secondaire
object network Telephonie
range 10.0.1.1 10.0.1.254
description Range de la téléphonie
object network TANK_Wan_IP62
host 208.xx.xx.62
description IP Publique Secondaire
object network SSL_VPN_Range
range 192.168.168.100 192.168.168.175
description Range pour VPN SSL
object service DFORCIER_REMOTE
service tcp source eq 3435 destination eq 3435
description Port pour RDP dforcier
object service FileMaker_Administration
service tcp source eq 16001 destination eq 16000
description Administration FileMaker
object service IPSec_UDP
service udp source eq 4500 destination eq 4500
description VPN_Mac
object service L2TP_traffic
service udp source eq 1701 destination eq 1701
description VPN_Mac
object network TANK_Wan_IP58_Main
host 208.xx.xx.58
description Adresse IP Principal
object service IKE_KeyExchange
service udp source eq isakmp destination eq isakmp
description IKE pour VPN_Mac
object service FileMaker_Data
service tcp source eq 5003 destination eq 5003
description FileMaker
object service TS_TCP
service tcp destination eq 3389
description Port pour TS
object service TS_UDP
service udp destination eq 3389
description Port pour TS
object network Gateway_WAN
host 208.xx.xx.57
description Gateway Openface Tank
object network WAN_IP
host 107.xx.xx.108
object network Gateway_LAN
host 172.18.0.1
description Gateway reseau local
object network obj-172.18.0.118
host 172.18.0.118
object-group network GTI_LAN+Wifi
description Réseau Local GTI
network-object object GTI_WAN_IPS
network-object object GTI_WLAN
object-group service FileMaker_Services
description FileMaker
service-object object FileMaker_Administration
service-object object FileMaker_Data
object-group service Terminal_Service
description Services TS
service-object object TS_TCP
service-object object TS_UDP
object-group service VPN_L2TP_Merlin
description VPN Merlin
service-object esp
service-object object IKE_KeyExchange
service-object object IPSec_UDP
service-object object L2TP_traffic
service-object tcp destination eq pptp
access-list outside_access_in remark Accès à distance pour DForcier
access-list outside_access_in extended permit object DFORCIER_REMOTE any object TANK_Wan_IP60
access-list outside_access_in remark Services FileMaker
access-list outside_access_in extended permit object-group FileMaker_Services any object TANK_Wan_IP60
access-list outside_access_in remark VPN du Mac Pro
access-list outside_access_in extended permit object-group VPN_L2TP_Merlin any object TANK_Wan_IP60
access-list outside_access_in remark TS vers TANK-FILESW12 (TS Temporaire)
access-list outside_access_in extended permit object-group Terminal_Service any object TANK_Wan_IP60
access-list outside_access_in remark TS vers TANK-TS1 (TS Principal)
access-list outside_access_in extended permit object-group Terminal_Service any object TANK_Wan_IP58_Main
access-list LAN_Serveur_access_in extended permit ip any any
access-list VOIP_access_in extended permit ip any any
access-list VOIP_access_in extended deny ip any interface inside
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Local_Lan_Access standard permit host 0.0.0.0
access-list Local_Lan_Access standard permit 172.18.0.0 255.255.240.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu VOIP 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
!
object network obj_any
nat (any,outside) dynamic interface
object network TANK-FILESW12
nat (inside,outside) static interface service tcp 3389 3389
object network TANK-FM-Serveur
nat (inside,outside) static TANK_Wan_IP60 service tcp 5003 5003
object network obj-172.18.0.118
nat (inside,outside) static 208.71.9.60 service tcp 3389 3389
access-group outside_access_in in interface outside
access-group LAN_Serveur_access_in in interface inside
access-group VOIP_access_in in interface VOIP
route outside 0.0.0.0 0.0.0.0 208.71.9.57 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server TANK-Radius protocol radius
aaa-server TANK-Radius (inside) host 172.18.0.105
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.45.0 255.255.255.0 management
http 172.18.0.0 255.255.240.0 inside
ip-client outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.45.1,CN=TANK-FW1
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint vpn.tank.ca
enrollment terminal
subject-name CN=vpn.tank.ca
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 4432115c
308202d0 308201b8 a0030201 02020444 32115c30 0d06092a 864886f7 0d01010b
0
e9c59513 924d50d1 d1e03e0e 3b4dd53a c89db9f1
quit
crypto ca certificate chain vpn.tank.ca
certificate 00832746855ee2aeca
4640757e 18f0a390 05a1ddea d5463db2 92ad
quit
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0509
308205b7 3082039f a0030201 02020205 09300d06 092a8648 86f70d01 01050500
3
f1e3b1ef df918f54 2a0b25c1 2619c452 100565d5 8210eac2 31cd2e
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 172.18.0.0 255.255.240.0 inside
ssh 192.168.45.0 255.255.255.0 management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outside
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point vpn.tank.ca outside
ssl trust-point vpn.tank.ca inside
ssl trust-point vpn.tank.ca VOIP
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 management
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 management vpnlb-ip
webvpn
enable outside
enable inside
anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.7.00136-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
dns-server value 172.18.0.105
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_Lan_Access
default-domain value tank.lan
split-dns value tank.lan
intercept-dhcp enable
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol l2tp-ipsec
dynamic-access-policy-record DfltAccessPolicy
username gti password ***** pbkdf2
tunnel-group DefaultRAGroup general-attributes
address-pool SSLVPN
authentication-server-group TANK-Radius
default-group-policy GroupPolicy_SSLVPN
tunnel-group DefaultRAGroup webvpn-attributes
group-alias TANK-VPN enable
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool SSLVPN
authentication-server-group TANK-Radius
default-group-policy GroupPolicy_SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr support@tank.ca
source-interface outside
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
app-agent heartbeat interval 1000 retry-count 3
Cryptochecksum:5ec387a18f016d1c85495311f5e99f9c
: end
01-11-2019 05:36 AM
01-11-2019 05:45 AM
Hi RJI,
Thanks for your response. I was checking directly with the IP address. Now I can connect with my VPN, but I have no access to my LAN (172.18.0.x). Only the gateway pings; none of my servers respond after the AnyConnect connection. If I look at the route details in the AnyConnect parameters I see:
Non-secured routes
0.0.0.0/20
Secured Routes
172.18.0.0/20
172.18.0.105/32
Any idea?
And my different servers don't work online behind my NAT rules.
01-11-2019 05:52 AM - edited 01-11-2019 05:56 AM
If you have an AnyConnect client, then:
nat (any,outside) source static any any destination static NETWORK_OB_192.168.108_24 NETWORK_OB_192.168.108_24 no-proxy-arp route-lookup
(where 192.168.108/24 is my AnyConnect pool)
nat (any,outside) source static any any destination static XXXX XXXX no-proxy-arp route-lookup
01-11-2019 06:15 AM
Perfect!! That works!!
Thanks a lot, Radio_City
01-11-2019 06:16 AM
Kindly mark this post as the answer so others can benefit from it too.
Regards,
Radio_city
01-11-2019 06:05 AM
01-11-2019 06:12 AM
There is no IP pool defined in the config for AnyConnect. This gentleman could confirm this; it sounds like he is trying to connect via AnyConnect. In that case he also needs a standard access-list:
access-list standard_anyconnect standard permit (your local/internet network access to allow)
You also need to match your AnyConnect pool to:
tunnel-group ANYCONNECT general-attributes
address-pool anyconnect-pool
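Added illustration, not code from this thread or from Cisco: a small Python model of why the accepted answer's identity NAT rule fixes the "connected but no LAN access" symptom, plus the pool-definition check the 06:12 post asks for. It takes the SSL_VPN_Range object and the obj_any PAT rule from the posted config, rewrites the accepted answer's rule for that pool, and uses a constructed routing table matching the posted interfaces and default route. The model encodes three ASA 8.3+ NAT behaviours that decide the outcome: manual (twice) NAT is evaluated before object NAT, static manual NAT rules also match in the reverse direction, and a matching rule without route-lookup selects the egress interface instead of the routing table. Everything else (the parser's scope, the route table, the pool-line check) is an assumption made for the example.

```python
"""Toy model of ASA 8.3+ NAT evaluation for the VPN-pool case in this thread.

Written for this thread; not ASA code. It keeps the three behaviours that
matter here: manual NAT is evaluated before object NAT, static manual NAT
matches in both directions, and a matching rule without route-lookup picks
the egress interface instead of the routing table.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range

# Constructed from the posted config (SSL_VPN_Range, the obj_any PAT rule),
# then the accepted answer's identity NAT rewritten for that pool.
CONFIG_BEFORE = """
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network SSL_VPN_Range
 range 192.168.168.100 192.168.168.175
object network obj_any
 nat (any,outside) dynamic interface
"""
CONFIG_AFTER = CONFIG_BEFORE + """
nat (any,outside) source static any any destination static SSL_VPN_Range SSL_VPN_Range no-proxy-arp route-lookup
"""
# Constructed routing table: the two connected networks plus the posted default route.
ROUTES = [(ip_network("172.18.0.0/20"), "inside"), (ip_network("10.0.1.0/24"), "VOIP"),
          (ip_network("0.0.0.0/0"), "outside")]

@dataclass
class NatRule:
    section: int        # 1 = manual NAT (evaluated first), 2 = object NAT
    real_if: str
    mapped_if: str
    src: list           # networks; an empty list means "any"
    dst: list
    identity: bool
    route_lookup: bool

def parse(config):
    """Parse the subset of ASA object/NAT syntax used above into NatRule objects."""
    objects, rules, current = {}, [], None
    for line in config.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current = tok[2]
            objects.setdefault(current, [])
        elif tok[0] == "subnet":
            objects[current].append(ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "range":
            objects[current].extend(summarize_address_range(ip_address(tok[1]), ip_address(tok[2])))
        elif tok[0] == "nat":
            real_if, mapped_if = tok[1].strip("()").split(",")
            if tok[2] == "dynamic":    # object NAT: the current object is the real source
                rules.append(NatRule(2, real_if, mapped_if, objects[current], [], False, False))
            else:                      # manual NAT: source static S S' destination static D D'
                m = re.match(r"source static (\S+) (\S+) destination static (\S+) (\S+)", " ".join(tok[2:]))
                src = [] if m[1] == "any" else objects[m[1]]
                dst = [] if m[3] == "any" else objects[m[3]]
                rules.append(NatRule(1, real_if, mapped_if, src, dst,
                                     m[1] == m[2] and m[3] == m[4], "route-lookup" in tok))
    return sorted(rules, key=lambda r: r.section)   # stable sort keeps config order per section

def in_nets(ip, nets):
    return not nets or any(ip in n for n in nets)

def route_egress(dst):
    """Longest-prefix match against the constructed routing table."""
    return max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)[1]

def forward(rules, src, dst, ingress):
    """First packet of a new flow: return (egress interface, source translated?)."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        fwd = r.real_if in ("any", ingress) and in_nets(src, r.src) and in_nets(dst, r.dst)
        rev = (r.section == 1 and r.mapped_if in ("any", ingress)
               and in_nets(src, r.dst) and in_nets(dst, r.src))
        if fwd or rev:
            egress = r.mapped_if if fwd else r.real_if
            if r.route_lookup or egress == "any":
                egress = route_egress(dst)
            return egress, not r.identity
    return route_egress(dst), False

def simulate(config):
    """A pool client reaching the DC, and the DC opening a new flow to the client."""
    rules = parse(config)
    return {"vpn_to_lan": forward(rules, "192.168.168.100", "172.18.0.105", "outside"),
            "lan_to_vpn": forward(rules, "172.18.0.105", "192.168.168.100", "inside")}

# Constructed tunnel-group snippet for the second check: a pool that is referenced
# by address-pool but never defined with 'ip local pool'.
TUNNEL_SNIPPET = "tunnel-group SSLVPN general-attributes\n address-pool SSLVPN\n"
POOL_LINE = "ip local pool SSLVPN 192.168.168.100-192.168.168.175 mask 255.255.255.0\n"

def missing_pools(config):
    """Pool names used by 'address-pool' with no matching 'ip local pool' line."""
    used = set(re.findall(r"^\s*address-pool (\S+)", config, re.M))
    defined = set(re.findall(r"^ip local pool (\S+)", config, re.M))
    return sorted(used - defined)

if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(name, simulate(cfg))
    print("pools referenced but undefined:", missing_pools(TUNNEL_SNIPPET))
```

With only the posted config, the pool client's first packet to 172.18.0.105 matches obj_any (real interface `any` includes the decrypted VPN traffic arriving on outside), so the model sends it back out the outside interface with PAT, which is what the "only the gateway pings" symptom looks like. With the identity rule in section 1 and route-lookup, the same packet stays untranslated and is routed to inside, and a new flow from the LAN to the pool is left untranslated as well. On a real ASA the equivalent check is `packet-tracer input outside tcp 192.168.168.100 12345 172.18.0.105 445`, whose NAT and ROUTE-LOOKUP phases show which rule matched and which interface was chosen.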
01-11-2019 06:22 AM
01-11-2019 06:23 AM
No restriction on AnyConnect bandwidth.