
Any Connect not working from outside

Wam83CA
Level 1

Hi everyone,

I'm new to the Cisco community.

I have a problem accessing my AnyConnect VPN from outside... Everything works in my LAN (RADIUS authentication, web page for downloading my client) but nothing from outside... I have the same problem accessing my Terminal Server from outside...

During my tests everything worked, but since I put my firewall into production yesterday nothing works. I think I changed a NAT rule.

Here is my configuration:

!
interface Ethernet1/1
nameif outside
security-level 0
ip address 208.xx.xx.58 255.255.255.248
!
interface Ethernet1/2
description Interface LAN Serveur
nameif inside
security-level 100
ip address 172.18.0.1 255.255.240.0
!
interface Ethernet1/3
description Telephonie TELUS
nameif VOIP
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Ethernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/12
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/13
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/14
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/15
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/16
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.45.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8 outside
name-server 1.1.1.1 outside
domain-name tank.lan
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network TANK-DC1
host 172.18.0.105
description Domaine controller principal
object network TANK-BCK1
host 172.18.0.106
description Serveur de sauvegarde
object network TANK-FILES55
host 172.18.0.107
description Serveur de fichier du 87 (Ancien 55)
object network TANK-FILES87
host 172.18.0.108
description Serveur de fichier du 55 (Ancien 87)
object network TANK-FTP1
host 172.18.0.118
description Serveur FTP
object network TANK-TS1
host 172.18.0.117
description Serveur TS (BAD)
object network TANK-FILESW12
host 172.18.0.116
description Serveur TS temporaire
object network DFORCIER_Private
host 172.18.0.35
description Poste perso de Diane Forcier
object network GTI_WAN_IPS
subnet 107.xxx.xxx.96 255.255.255.224
description IP Wan de GTI
object network GTI_WLAN
subnet 10.2.2.0 255.255.255.0
description Réseau Local WLAN de GTI
object network GTI_LAN
subnet 10.1.1.0 255.255.255.0
description Réseau LAN de GTI
object network MERLIN
host 172.18.0.20
description Serveur Mac Pro
object network PANASONIC
subnet 10.0.1.0 255.255.255.0
description Système Téléphonique
object network TANK-FM-Serveur
host 172.18.0.10
description Serveur FileMaker
object network TANK_Wan_IP59
host 208.xx.xx.59
description IP Publique Secondaire
object network TANK_Wan_IP61
host 208.xx.xx.61
description IP Publique Secondaire
object network TANK_Wan_IP60
host 208.71.9.60
description IP Publique Secondaire
object network Telephonie
range 10.0.1.1 10.0.1.254
description Range de la téléphonie
object network TANK_Wan_IP62
host 208.xx.xx.62
description IP Publique Secondaire
object network SSL_VPN_Range
range 192.168.168.100 192.168.168.175
description Range pour VPN SSL
object service DFORCIER_REMOTE
service tcp source eq 3435 destination eq 3435
description Port pour RDP dforcier
object service FileMaker_Administration
service tcp source eq 16001 destination eq 16000
description Administration FileMaker
object service IPSec_UDP
service udp source eq 4500 destination eq 4500
description VPN_Mac
object service L2TP_traffic
service udp source eq 1701 destination eq 1701
description VPN_Mac
object network TANK_Wan_IP58_Main
host 208.xx.xx.58
description Adresse IP Principal
object service IKE_KeyExchange
service udp source eq isakmp destination eq isakmp
description IKE pour VPN_Mac
object service FileMaker_Data
service tcp source eq 5003 destination eq 5003
description FileMaker
object service TS_TCP
service tcp destination eq 3389
description Port pour TS
object service TS_UDP
service udp destination eq 3389
description Port pour TS
object network Gateway_WAN
host 208.xx.xx.57
description Gateway Openface Tank
object network WAN_IP
host 107.xx.xx.108
object network Gateway_LAN
host 172.18.0.1
description Gateway reseau local
object network obj-172.18.0.118
host 172.18.0.118
object-group network GTI_LAN+Wifi
description Réseau Local GTI
network-object object GTI_WAN_IPS
network-object object GTI_WLAN
object-group service FileMaker_Services
description FileMaker
service-object object FileMaker_Administration
service-object object FileMaker_Data
object-group service Terminal_Service
description Services TS
service-object object TS_TCP
service-object object TS_UDP
object-group service VPN_L2TP_Merlin
description VPN Merlin
service-object esp
service-object object IKE_KeyExchange
service-object object IPSec_UDP
service-object object L2TP_traffic
service-object tcp destination eq pptp
access-list outside_access_in remark Accès à distance pour DForcier
access-list outside_access_in extended permit object DFORCIER_REMOTE any object TANK_Wan_IP60
access-list outside_access_in remark Services FileMaker
access-list outside_access_in extended permit object-group FileMaker_Services any object TANK_Wan_IP60
access-list outside_access_in remark VPN du Mac Pro
access-list outside_access_in extended permit object-group VPN_L2TP_Merlin any object TANK_Wan_IP60
access-list outside_access_in remark TS vers TANK-FILESW12 (TS Temporaire)
access-list outside_access_in extended permit object-group Terminal_Service any object TANK_Wan_IP60
access-list outside_access_in remark TS vers TANK-TS1 (TS Principal)
access-list outside_access_in extended permit object-group Terminal_Service any object TANK_Wan_IP58_Main
access-list LAN_Serveur_access_in extended permit ip any any
access-list VOIP_access_in extended permit ip any any
access-list VOIP_access_in extended deny ip any interface inside
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Local_Lan_Access standard permit host 0.0.0.0
access-list Local_Lan_Access standard permit 172.18.0.0 255.255.240.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu VOIP 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
!
object network obj_any
nat (any,outside) dynamic interface
object network TANK-FILESW12
nat (inside,outside) static interface service tcp 3389 3389
object network TANK-FM-Serveur
nat (inside,outside) static TANK_Wan_IP60 service tcp 5003 5003
object network obj-172.18.0.118
nat (inside,outside) static 208.71.9.60 service tcp 3389 3389
access-group outside_access_in in interface outside
access-group LAN_Serveur_access_in in interface inside
access-group VOIP_access_in in interface VOIP
route outside 0.0.0.0 0.0.0.0 208.71.9.57 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server TANK-Radius protocol radius
aaa-server TANK-Radius (inside) host 172.18.0.105
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.45.0 255.255.255.0 management
http 172.18.0.0 255.255.240.0 inside
ip-client outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.45.1,CN=TANK-FW1
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint vpn.tank.ca
enrollment terminal
subject-name CN=vpn.tank.ca
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 4432115c
308202d0 308201b8 a0030201 02020444 32115c30 0d06092a 864886f7 0d01010b
0
e9c59513 924d50d1 d1e03e0e 3b4dd53a c89db9f1
quit
crypto ca certificate chain vpn.tank.ca
certificate 00832746855ee2aeca
 
4640757e 18f0a390 05a1ddea d5463db2 92ad
quit
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0509
308205b7 3082039f a0030201 02020205 09300d06 092a8648 86f70d01 01050500
3
f1e3b1ef df918f54 2a0b25c1 2619c452 100565d5 8210eac2 31cd2e
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 172.18.0.0 255.255.240.0 inside
ssh 192.168.45.0 255.255.255.0 management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outside
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point vpn.tank.ca outside
ssl trust-point vpn.tank.ca inside
ssl trust-point vpn.tank.ca VOIP
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 management
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 management vpnlb-ip
webvpn
enable outside
enable inside
anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.7.00136-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
dns-server value 172.18.0.105
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_Lan_Access
default-domain value tank.lan
split-dns value tank.lan
intercept-dhcp enable
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol l2tp-ipsec
dynamic-access-policy-record DfltAccessPolicy
username gti password ***** pbkdf2
tunnel-group DefaultRAGroup general-attributes
address-pool SSLVPN
authentication-server-group TANK-Radius
default-group-policy GroupPolicy_SSLVPN
tunnel-group DefaultRAGroup webvpn-attributes
group-alias TANK-VPN enable
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool SSLVPN
authentication-server-group TANK-Radius
default-group-policy GroupPolicy_SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr support@tank.ca
source-interface outside
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
app-agent heartbeat interval 1000 retry-count 3
Cryptochecksum:5ec387a18f016d1c85495311f5e99f9c
: end
asdm image disk0:/asdm-7101.bin
no asdm history enable
 


9 Replies

Hi,
If your FQDN is vpn.tank.ca then it appears your public DNS entry is incorrect. This currently resolves to 208.*.*.60, but your outside interface IP address is 208.*.*.58. I can connect to the ASA WebVPN page when I use the correct outside interface IP address ending in .58.

HTH

Hi RJI,

Thanks for your response. I was checking directly with the IP address. Now I manage to connect to my VPN, but I have no access to my LAN (172.18.0.x). Only the gateway pings; none of my servers respond after the AnyConnect connection. If I look at the route details in the AnyConnect parameters I see:

Non-secured routes
0.0.0.0/20

Secured routes
172.18.0.0/20
172.18.0.105/32

Any idea?

And my various servers don't work online behind my NAT rules.

If you have an AnyConnect client, then:

nat (any,outside) source static any any destination static NETWORK_OB_192.168.108_24 NETWORK_OB_192.168.108_24 no-proxy-arp route-lookup

(where 192.168.108/24 is my AnyConnect pool)

nat (any,outside) source static any any destination static XXXX XXXX no-proxy-arp route-lookup

please do not forget to rate.

Perfect!! That works!!

Thanks a lot Radio_City

Kindly mark this post as the answer so others can benefit from it too.

Regards,

Radio_city

please do not forget to rate.

I don't see a VPN address pool defined. What IP address does the AnyConnect client receive?
Do the servers have a route back to that VPN pool network? If the ASA is the default gateway then naturally traffic would be routed back to the ASA, but if it's not then you need to have a route from the local LAN to the ASA for the VPN pool. As well as a no-nat rule for the VPN Pool network.

There is no IP pool defined in the config for AnyConnect. This gentleman could confirm this; it sounds like he is trying to connect via AnyConnect. In that case he also needs a standard access-list:

access-list standard_anyconnect standard permit (your local/internet network access to allow)

Also you need to match your AnyConnect pool to:

tunnel-group ANYCONNECT general-attributes
 address-pool anyconnect-pool

please do not forget to rate.

I have a range set up in the AnyConnect configuration (192.168.102.51-192.168.102.254) and I have made an object with this range (SSL_VPN_RANGE).
With the command:
nat (any,outside) source static any any destination static SSL_VPN_RANGE SSL_VPN_RANGE no-proxy-arp route-lookup
I can ping all of my LAN network.
Last "problem": my server access is very slow (320K/s when I copy something to my server...). Is there some bandwidth restriction by default in the AnyConnect configuration?
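The two configuration gaps this thread converges on, a tunnel-group `address-pool` that no `ip local pool` defines and no NAT exemption for the VPN pool (so the `obj_any` dynamic PAT translates LAN-to-client traffic), can be checked mechanically before a firewall goes into production. The script below is an added example, not Cisco's or the poster's code: it parses a constructed config excerpt modelled on the one posted above (with the one-space sub-mode indentation that ASA `show run` emits and the forum paste lost), reports both gaps, and prints remediation lines in the form the replies give. The names `SSL_VPN_Range` and `SSLVPN` and the pool addresses come from the posted config; `audit`, `remediation` and the other function names are this example's own.

```python
"""Audit an ASA running-config excerpt for the two AnyConnect gaps found in this
thread: a tunnel-group address-pool with no matching 'ip local pool', and no
NAT exemption (identity twice NAT) for the VPN client pool.
Added example, not Cisco or the poster's code; the excerpt is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the thread's config (not the full dump).
SAMPLE_CONFIG = """\
object network SSL_VPN_Range
 range 192.168.168.100 192.168.168.175
 description Range pour VPN SSL
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (any,outside) dynamic interface
group-policy GroupPolicy_SSLVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_Lan_Access
tunnel-group SSLVPN general-attributes
 address-pool SSLVPN
 default-group-policy GroupPolicy_SSLVPN
"""

# Identity twice NAT: the same object on both sides of 'source' and 'destination'.
NAT_EXEMPT = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) \3 destination static (\S+) \4\b")


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split the config into (top-level line, [indented child lines]) pairs.
    ASA 'show run' indents sub-mode lines by a single space."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def referenced_pools(blocks) -> Dict[str, str]:
    """address-pool names used by tunnel-groups -> the tunnel-group line."""
    pools: Dict[str, str] = {}
    for parent, children in blocks:
        if parent.startswith("tunnel-group ") and parent.endswith("general-attributes"):
            for child in children:
                m = re.match(r"address-pool (\S+)", child)
                if m:
                    pools[m.group(1)] = parent
    return pools


def defined_pools(blocks) -> set:
    """Names defined with 'ip local pool NAME start-end mask ...'."""
    return {parent.split()[3] for parent, _ in blocks if parent.startswith("ip local pool ")}


def network_objects(blocks) -> Dict[str, List[str]]:
    """object network NAME -> merged child lines (ASA lists an object twice:
    once with its address, once again in the object-NAT section)."""
    objs: Dict[str, List[str]] = {}
    for parent, children in blocks:
        if parent.startswith("object network "):
            objs.setdefault(parent.split()[2], []).extend(children)
    return objs


def nat_exempted_objects(blocks) -> set:
    """Objects that already have an identity twice-NAT (NAT exemption) line."""
    return {m.group(4) for parent, _ in blocks for m in [NAT_EXEMPT.match(parent)] if m}


def audit(config: str, pool_object: str) -> List[str]:
    """Return findings. pool_object is the network object that describes the
    VPN client pool (assumed name, e.g. SSL_VPN_Range)."""
    blocks = parse_blocks(config)
    findings: List[str] = []
    for name, tg in referenced_pools(blocks).items():
        if name not in defined_pools(blocks):
            findings.append(f"{tg}: address-pool {name} referenced but no 'ip local pool {name}' exists")
    objs = network_objects(blocks)
    if pool_object not in objs:
        findings.append(f"network object {pool_object} for the VPN pool is not defined")
    if pool_object not in nat_exempted_objects(blocks):
        # Without the exemption, the catch-all dynamic PAT on obj_any wins for LAN->client traffic.
        pat = any(c.startswith("nat ") and "dynamic interface" in c for c in objs.get("obj_any", []))
        why = " (obj_any dynamic PAT will translate LAN-to-client traffic)" if pat else ""
        findings.append(f"no identity NAT (NAT exemption) for {pool_object}{why}")
    return findings


def remediation(pool_name: str, pool_object: str, start: str, end: str,
                mask: str, tunnel_group: str) -> List[str]:
    """ASA CLI lines that close both gaps; all values are the caller's."""
    return [
        f"ip local pool {pool_name} {start}-{end} mask {mask}",
        f"tunnel-group {tunnel_group} general-attributes",
        f" address-pool {pool_name}",
        f"nat (inside,outside) source static any any destination static "
        f"{pool_object} {pool_object} no-proxy-arp route-lookup",
    ]


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, "SSL_VPN_Range"):
        print("FINDING:", line)
    print("\n".join(remediation("SSLVPN", "SSL_VPN_Range", "192.168.168.100",
                                "192.168.168.175", "255.255.255.0", "SSLVPN")))
```

Run it against a `show running-config` capture (the regex relies on the single-space indentation that the device emits; a forum paste that flattened it will need the indentation restored). The twice-NAT line is added as a manual rule so it lands in NAT section 1, ahead of the object NAT on `obj_any`, which is why it takes precedence without any reordering.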

No restriction on AnyConnect bandwidth.

please do not forget to rate.