AnyConnect access to Inside IPs

Shawn Barrick
Level 1

I'm having problems getting AnyConnect clients to reach a server (192.168.139.3) on the Inside interface of my ASA 5505.  Ideally, this would be accessible from the DfltAccessPolicy or another dedicated policy, but right now I'm happy with any access.  Everything else seems to be working as expected.  I've rebuilt this config a number of times without success.  I can ping the IP from the ASA itself.

Can anyone give me suggestions?

2 Replies

Shawn Barrick
Level 1

I've cut down the config, disabling the IPSEC tunnel to ease troubleshooting:

: Saved
:
ASA Version 8.2(1) 
!
hostname asa-dal
domain-name dtainc.us
enable password LpOk82NJGblSbuos encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.239.0 anyconnect-vpn-dal
name 192.168.39.0 dmz-network
name 192.168.139.3 dalRumServer description dalRumServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.139.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.xxx.xxx.xxx 255.255.255.248 
!
interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 0
 ip address 192.168.39.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 5
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name dtainc.us
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list inside_nat0_outbound extended permit ip 192.168.139.0 255.255.255.0 any 
access-list inside_nat0_outbound extended permit icmp any any 
access-list icmp_ping extended permit icmp any any echo-reply 
access-list icmp_ping extended permit ip 192.168.139.0 255.255.255.0 any 
access-list split-tunnel standard permit 192.168.139.0 255.255.255.0 
access-list 100 extended permit icmp any any echo-reply 
access-list 100 extended permit icmp any any time-exceeded 
access-list 100 extended permit icmp any any unreachable 
access-list NO_NAT extended permit ip anyconnect-vpn-dal 255.255.255.0 any 
access-list NONAT extended permit ip 192.168.139.0 255.255.255.0 anyconnect-vpn-dal 255.255.255.0 
access-list outside_access_in extended permit tcp any interface outside eq ssh 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit icmp any any unreachable 
pager lines 24
logging enable
logging asdm informational
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool AnyConnectDal 192.168.239.101-192.168.239.125 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group icmp_ping in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl inside_nat0_outbound
 network-acl NO_NAT
aaa authentication ssh console LOCAL 
http server enable
http 192.168.139.0 255.255.255.0 inside
http anyconnect-vpn-dal 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn vpn-dallas.xxx.xxx
 subject-name CN=dallas-vpn
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate b948614e
    308201eb 30820154 a0030201 020204b9 48614e30 0d06092a 864886f7 0d010104 
    0500303a 31133011 06035504 03130a64 616c6c61 732d7670 6e312330 2106092a 
    864886f7 0d010902 16147670 6e2d6461 6c6c6173 2e647461 696e632e 7573301e 
    170d3131 30393032 32313230 35375a17 0d323130 38333032 31323035 375a303a 
    31133011 06035504 03130a64 616c6c61 732d7670 6e312330 2106092a 864886f7 
    0d010902 16147670 6e2d6461 6c6c6173 2e647461 696e632e 75733081 9f300d06 
    092a8648 86f70d01 01010500 03818d00 30818902 81810091 27a70739 bb960ebf 
    28a9e2f1 99f832c5 075d4024 2b2e0faf dd05fe3e 10aed542 eace4100 b55ce871 
    b7b0cd05 07f0ba2f 4050f881 b70a9f88 131651b1 beecbb1c b810f09b 7efee750 
    210e0c36 fff115dc ff1d212c c941f13d b9fd3538 d9c7f07d 9e26bd5c d1c9c8fd 
    58b6d6fb 964f460e 2de4e380 17858b75 3cdc7a1c d43c5902 03010001 300d0609 
    2a864886 f70d0101 04050003 81810044 750fd8f8 95031536 bd2b2b0b 747e460d 
    94b9462b c773ac8e bcf47696 833ef1d6 134a80e5 02e87817 7c3614b7 181c146d 
    90191a9c 131bf1e0 1f6f5a7d 7b9e741e 02693ae8 6c323aa0 83fb6605 4bf420d1 
    dfa54549 15f6dda0 69650778 c681d596 0cbe6f3e 9ca57c91 f3d23c1f 608e2a7e 
    eef41a77 2e7ab2b2 08eb902c cdc017
  quit
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 22
telnet timeout 5
ssh 192.168.139.0 255.255.255.0 inside

ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 192.168.139.101-192.168.139.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd domain dtainc.internal interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.29
ntp server 129.6.15.28 prefer
webvpn
 enable inside
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec svc webvpn
group-policy Dal-AnyConnect internal
group-policy Dal-AnyConnect attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

tunnel-group DefaultRAGroup general-attributes
 strip-realm
 strip-group
tunnel-group AnyConnectClientProfile type remote-access
tunnel-group AnyConnectClientProfile general-attributes
 address-pool AnyConnectDal
 default-group-policy Dal-AnyConnect
tunnel-group AnyConnectClientProfile webvpn-attributes
 group-alias AnyConnectVPNClient enable
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect pptp 
  inspect icmp 
!
service-policy global-policy global
prompt hostname context 
Cryptochecksum:507852f675a4b501578fe5574a49c3ae
: end
asdm image disk0:/asdm-631.bin
asdm location dalRumServer 255.255.255.255 inside
no asdm history enable
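A worked checklist for the problem described in this thread, added here as an example; it is not the poster's configuration and not taken from Cisco documentation. It keeps the thread's interface names, VPN pool (192.168.239.0/24), inside subnet and server address (192.168.139.3); the destination port 445 and the source port 12345 in the packet-tracer line are assumptions for illustration. One point worth spelling out: a successful ping from the ASA itself (as in the original post) is sourced from 192.168.139.1, the server's own subnet, so it never exercises the server's return route for the VPN pool. That route is exactly what AnyConnect traffic depends on, which is why a LAN-side misconfiguration can look like an ASA problem.

```cisco
! Added example, not the poster's config. ASA 8.2(x) syntax (pre-8.3 NAT).
! Assumptions: pool 192.168.239.0/24, inside 192.168.139.0/24, server
! 192.168.139.3, port 445 stands in for whatever the server really serves.

! 1. NAT exemption between inside and the VPN pool. For "nat (inside) 0" the
!    ACL is written from the inside host's point of view: inside source,
!    pool destination. Without it the pool traffic is PATed and replies die.
access-list NONAT extended permit ip 192.168.139.0 255.255.255.0 192.168.239.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. Decrypted VPN traffic bypasses the interface ACL on outside. This is the
!    default; confirm nobody has entered "no sysopt connection permit-vpn".
sysopt connection permit-vpn

! 3. The split-tunnel list must contain the destination subnet, otherwise the
!    client sends the packets out its local default route, not the tunnel.
access-list split-tunnel standard permit 192.168.139.0 255.255.255.0
group-policy Dal-AnyConnect attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

! 4. Verify from the ASA. Source is a pool address the way the ASA sees it
!    after decryption (ingress interface outside).
show vpn-sessiondb svc
show running-config nat
packet-tracer input outside tcp 192.168.239.101 12345 192.168.139.3 445

! If every phase of packet-tracer reports ALLOW and the client still times out,
! the ASA is forwarding correctly. Then check the host: its default gateway
! must be 192.168.139.1 (or it needs a route for 192.168.239.0/24 via that
! address), and any host firewall must accept sources outside 192.168.139.0/24.
```

The packet-tracer line is the quickest way to separate ASA policy (NAT, ACL, route lookup) from anything downstream; a clean trace plus a failing client points at the server's routing or host firewall, which matches how this thread was resolved.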

Turns out it was a configuration issue with the device on the LAN.  Nothing to do with the ASA at all.