09-14-2011 07:38 AM - edited 02-21-2020 05:35 PM
I'm having problems getting AnyConnect clients to reach a server (192.168.139.3) on the Inside interface of my ASA 5505. Ideally, this would be accessible from the DfltAccessPolicy or another dedicated policy, but right now I'm happy with any access. Everything else seems to be working as expected. I've rebuilt this config a number of times without success. I can ping the IP from the ASA itself.
Can anyone give me suggestions?
09-15-2011 03:15 PM
I've cut down the config, disabling the IPSEC tunnel to ease troubleshooting:
: Saved
:
ASA Version 8.2(1)
!
hostname asa-dal
domain-name dtainc.us
enable password LpOk82NJGblSbuos encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.239.0 anyconnect-vpn-dal
name 192.168.39.0 dmz-network
name 192.168.139.3 dalRumServer description dalRumServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.139.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.xxx.xxx.xxx 255.255.255.248
!
interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 0
 ip address 192.168.39.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 5
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name dtainc.us
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list inside_nat0_outbound extended permit ip 192.168.139.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit icmp any any
access-list icmp_ping extended permit icmp any any echo-reply
access-list icmp_ping extended permit ip 192.168.139.0 255.255.255.0 any
access-list split-tunnel standard permit 192.168.139.0 255.255.255.0
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list NO_NAT extended permit ip anyconnect-vpn-dal 255.255.255.0 any
access-list NONAT extended permit ip 192.168.139.0 255.255.255.0 anyconnect-vpn-dal 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
pager lines 24
logging enable
logging asdm informational
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool AnyConnectDal 192.168.239.101-192.168.239.125 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group icmp_ping in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl inside_nat0_outbound
 network-acl NO_NAT
aaa authentication ssh console LOCAL
http server enable
http 192.168.139.0 255.255.255.0 inside
http anyconnect-vpn-dal 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn vpn-dallas.xxx.xxx
 subject-name CN=dallas-vpn
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate b948614e
    308201eb 30820154 a0030201 020204b9 48614e30 0d06092a 864886f7 0d010104 0500303a 31133011 06035504 03130a64 616c6c61 732d7670 6e312330 2106092a 864886f7 0d010902 16147670 6e2d6461 6c6c6173 2e647461 696e632e 7573301e 170d3131 30393032 32313230 35375a17 0d323130 38333032 31323035 375a303a 31133011 06035504 03130a64 616c6c61 732d7670 6e312330 2106092a 864886f7 0d010902 16147670 6e2d6461 6c6c6173 2e647461 696e632e 75733081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 81810091 27a70739 bb960ebf 28a9e2f1 99f832c5 075d4024 2b2e0faf dd05fe3e 10aed542 eace4100 b55ce871 b7b0cd05 07f0ba2f 4050f881 b70a9f88 131651b1 beecbb1c b810f09b 7efee750 210e0c36 fff115dc ff1d212c c941f13d b9fd3538 d9c7f07d 9e26bd5c d1c9c8fd 58b6d6fb 964f460e 2de4e380 17858b75 3cdc7a1c d43c5902 03010001 300d0609 2a864886 f70d0101 04050003 81810044 750fd8f8 95031536 bd2b2b0b 747e460d 94b9462b c773ac8e bcf47696 833ef1d6 134a80e5 02e87817 7c3614b7 181c146d 90191a9c 131bf1e0 1f6f5a7d 7b9e741e 02693ae8 6c323aa0 83fb6605 4bf420d1 dfa54549 15f6dda0 69650778 c681d596 0cbe6f3e 9ca57c91 f3d23c1f 608e2a7e eef41a77 2e7ab2b2 08eb902c cdc017
  quit
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 22
telnet timeout 5
ssh 192.168.139.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 192.168.139.101-192.168.139.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd domain dtainc.internal interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.29
ntp server 129.6.15.28 prefer
webvpn
 enable inside
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec svc webvpn
group-policy Dal-AnyConnect internal
group-policy Dal-AnyConnect attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
tunnel-group DefaultRAGroup general-attributes
 strip-realm
 strip-group
tunnel-group AnyConnectClientProfile type remote-access
tunnel-group AnyConnectClientProfile general-attributes
 address-pool AnyConnectDal
 default-group-policy Dal-AnyConnect
tunnel-group AnyConnectClientProfile webvpn-attributes
 group-alias AnyConnectVPNClient enable
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect pptp
  inspect icmp
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:507852f675a4b501578fe5574a49c3ae
: end
asdm image disk0:/asdm-631.bin
asdm location dalRumServer 255.255.255.255 inside
no asdm history enable
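As an added example (not from the post or from Cisco), a small Python checker for the two ASA 8.2 settings the posted config relies on for an AnyConnect client to reach an inside host: a nat 0 exemption that covers pool-to-server traffic, and a split-tunnel list that includes the server's subnet. The sample config is a constructed condensation of the one above, and check_vpn_reachability and its helpers are the example's own names.

```python
import ipaddress
import re

# Constructed sample condensed from the posted ASA 8.2 config (names, pool, NAT exemption, split tunnel).
SAMPLE_CONFIG = """
name 192.168.239.0 anyconnect-vpn-dal
access-list NONAT extended permit ip 192.168.139.0 255.255.255.0 anyconnect-vpn-dal 255.255.255.0
access-list split-tunnel standard permit 192.168.139.0 255.255.255.0
ip local pool AnyConnectDal 192.168.239.101-192.168.239.125 mask 255.255.255.0
nat (inside) 0 access-list NONAT
group-policy Dal-AnyConnect attributes
 split-tunnel-network-list value split-tunnel
"""

def take_net(tokens, names):
    """Consume one ACL address spec (any | host X | X MASK), resolving 'name' labels."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        h = tokens.pop(0)
        return ipaddress.ip_network(names.get(h, h) + "/32")
    return ipaddress.ip_network(f"{names.get(t, t)}/{tokens.pop(0)}", strict=False)

def acl_pairs(cfg, acl, names):
    """(src, dst) network pairs from the 'permit ip' lines of an extended ACL."""
    pairs = []
    for rest in re.findall(rf"^access-list {re.escape(acl)} extended permit ip (.+)$", cfg, re.M):
        tokens = rest.split()
        pairs.append((take_net(tokens, names), take_net(tokens, names)))
    return pairs

def check_vpn_reachability(cfg, server_ip):
    """Report whether nat 0 exempts server<->pool traffic and whether the
    server's subnet is in the group policy's split-tunnel network list."""
    names = {label: ip for ip, label in re.findall(r"^name (\S+) (\S+)", cfg, re.M)}
    server = ipaddress.ip_address(server_ip)
    first, last = re.search(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M).groups()
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    exempt = nat0 is not None and any(
        server in src and first in dst and last in dst
        for src, dst in acl_pairs(cfg, nat0.group(1), names))
    split = re.search(r"split-tunnel-network-list value (\S+)", cfg)
    split_nets = [] if split is None else [
        ipaddress.ip_network(f"{n}/{m}", strict=False) for n, m in re.findall(
            rf"^access-list {re.escape(split.group(1))} standard permit (\S+) (\S+)", cfg, re.M)]
    return {"nat_exempt": exempt,
            "split_tunnel_includes_server": any(server in n for n in split_nets)}
```

It inspects only the ASA side; a fault on the LAN host itself, which is where this thread ends up, is outside what it can see.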
09-15-2011 05:39 PM
Turns out it was a configuration issue with the device on the LAN. Nothing to do with the ASA at all.