03-24-2013 01:21 PM - edited 02-21-2020 06:46 PM
I have strange behaviour when connecting over AnyConnect to the ASA. I can access some of the Cisco equipment on the network, like the core switch on 10.2.15.254.
I particularly can't see the 10.1.1.0 network...
any hints would be most welcome, bound to have done something silly.
ASA Version 8.6(1)2
!
hostname myasa01
domain-name company.internal
enable password encrypted
passwd encrypted
names
name 10.2.0.0 Data_Net
name 10.0.0.0 Voice_Net
name 10.1.1.58 jab.my-domain.com
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.30
vlan 30
nameif server
security-level 100
ip address 10.1.1.1 255.255.255.128
!
interface GigabitEthernet0/0.40
vlan 40
nameif manageNet
security-level 100
ip address 10.1.4.1 255.255.255.0
!
interface GigabitEthernet0/0.50
description DMZ VLAN
vlan 50
nameif DMZ
security-level 90
ip address 10.1.1.254 255.255.255.128
!
interface GigabitEthernet0/0.100
vlan 100
nameif data
security-level 100
ip address 10.2.0.1 255.255.240.0
!
interface GigabitEthernet0/0.101
vlan 101
nameif voice
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/0.108
vlan 108
nameif guestwifi
security-level 80
ip address 172.31.0.1 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4.88
description Public VLAN 88 2.2.2.0/28 to HKBN Router
vlan 88
nameif outside1
security-level 0
ip address 2.2.2.2 255.255.255.240
!
interface GigabitEthernet0/5
description To HGC Broadband
nameif outside2
security-level 0
ip address 3.3.3.3 255.255.255.240
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone HKST 8
dns domain-lookup server
dns server-group DefaultDNS
name-server 10.1.1.15
name-server 10.1.1.10
domain-name company.internal
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DMZ
subnet 2.2.2.0 255.255.255.240
object network data
subnet 10.2.0.0 255.255.240.0
object network server
subnet 10.1.1.0 255.255.255.128
object network voice
subnet 10.0.0.0 255.255.255.0
object network VPN_user
subnet 10.68.1.0 255.255.255.0
object network web_server
host 10.1.1.19
object network web_server_outside
host 2.2.2.3
object service http
service tcp source eq www destination eq www
object network mail_server
host 10.1.1.129
object service ssh
service tcp source eq ssh destination eq ssh
object service smtp
service tcp source eq smtp destination eq smtp
object service pop
service tcp source eq pop3 destination eq pop3
object service https
service tcp source eq https destination eq https
object service port465
service tcp source eq 465 destination eq 465
object service port587
service tcp source eq 587 destination eq 587
object service port993
service tcp source eq 993 destination eq 993
object network jabber_server
host 10.1.1.58
object network jabber_server_outside
host 2.2.2.4
object network mail_server_outside
host 2.2.2.5
object network vcse_server
host 10.1.1.193
object network vcse_server_outside
host 2.2.2.6
object network external_ip
host 2.2.2.7
object network NETWORK_OBJ_10.2.16.0_24
subnet 10.2.16.0 255.255.255.0
object-group service jabber
access-list split-tunnel standard permit 10.1.1.0 255.255.255.128
access-list split-tunnel standard permit 10.2.0.0 255.255.240.0
access-list 100 extended permit tcp 10.0.0.0 255.255.255.0 host 10.1.1.58 eq 2000
access-list outside_access_in extended permit tcp any object web_server eq www
access-list outside_access_in extended permit tcp any object mail_server eq www
access-list outside_access_in extended permit tcp any object mail_server eq ssh
access-list outside_access_in extended permit tcp any object mail_server eq smtp
access-list outside_access_in extended permit tcp any object mail_server eq pop3
access-list outside_access_in extended permit tcp any object mail_server eq https
access-list outside_access_in extended permit tcp any object mail_server eq 465
access-list outside_access_in extended permit tcp any object mail_server eq 587
access-list outside_access_in extended permit tcp any object mail_server eq 993
access-list outside_access_in extended permit udp any object jabber_server range 16384 32766
access-list outside_access_in extended permit tcp any object mail_server eq imap4
access-list outside_access_in extended permit tcp any object jabber_server eq www
access-list outside_access_in extended permit icmp any object jabber_server echo-reply
access-list outside_access_in extended permit icmp any object jabber_server time-exceeded
access-list outside_access_in extended permit udp any object jabber_server eq tftp
access-list outside_access_in extended permit tcp any object jabber_server eq sip
access-list outside_access_in extended permit tcp any object jabber_server eq ctiqbe
access-list outside_access_in extended permit tcp any object jabber_server eq ldap
access-list outside_access_in extended permit tcp any object jabber_server eq ldaps
access-list outside_access_in extended permit tcp any object jabber_server eq 3268
access-list outside_access_in extended permit tcp any object jabber_server eq 3269
access-list outside_access_in extended permit tcp any object jabber_server eq imap4
access-list outside_access_in extended permit tcp any object jabber_server eq 7993
access-list outside_access_in extended permit tcp any object jabber_server eq 8080
access-list outside_access_in extended permit tcp any object web_server eq https
access-list outside_access_in extended permit tcp any object jabber_server range 2000 2050
access-list outside_access_in extended permit icmp any object jabber_server unreachable
access-list outside_access_in extended permit ip any object jabber_server
access-list outside_access_in extended permit tcp any object web_server eq imap4
access-list outside_access_in extended permit tcp any object web_server eq 144
access-list outside_access_in extended permit tcp any object web_server eq 5800
access-list internal_access_out extended permit ip any any
access-list internal_access_out extended permit udp any any
access-list internal_access_out extended permit tcp any any
access-list internal_access_out extended permit icmp any any
pager lines 24
logging enable
logging buffer-size 512000
logging buffered informational
logging asdm informational
mtu server 1500
mtu manageNet 1500
mtu DMZ 1500
mtu data 1500
mtu voice 1500
mtu guestwifi 1500
mtu outside1 1500
mtu outside2 1500
mtu management 1500
ip local pool vpn_ip 10.2.16.0-10.2.16.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (data,outside2) source dynamic any interface
nat (server,outside2) source dynamic any interface
nat (DMZ,outside2) source dynamic any interface
nat (server,outside1) source dynamic any interface
nat (DMZ,outside1) source dynamic any interface
nat (guestwifi,outside1) source dynamic any interface
nat (data,outside1) source dynamic any interface
nat (data,outside1) source static any any destination static NETWORK_OBJ_10.2.16.0_24 NETWORK_OBJ_10.2.16.0_24 no-proxy-arp route-lookup
!
object network web_server
nat (server,outside1) static web_server_outside
object network mail_server
nat (DMZ,outside1) static mail_server_outside
object network jabber_server
nat (server,outside1) static jabber_server_outside
object network vcse_server
nat (DMZ,outside1) static vcse_server_outside
access-group internal_access_out out interface server
access-group internal_access_out out interface DMZ
access-group internal_access_out out interface data
access-group outside_access_in in interface outside1
access-group outside_access_in in interface outside2
route outside1 0.0.0.0 0.0.0.0 2.2.2.9 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.4 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http Data_Net 255.255.240.0 data
http 10.1.1.0 255.255.255.128 server
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=myasa01
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 1c514351
: SNIP SNIP!
6f420613 87069234 595bb589 4d6dc051 1042dea0 94c2
quit
!
track 1 rtr 123 reachability
telnet Data_Net 255.255.240.0 data
telnet timeout 60
ssh 10.1.1.0 255.255.255.128 server
ssh Data_Net 255.255.240.0 data
ssh timeout 5
console timeout 0
management-access data
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.2.15.254
ssl encryption 3des-sha1 aes256-sha1 rc4-md5 rc4-sha1
ssl trust-point ASDM_TrustPoint0 outside1
webvpn
enable outside1
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 1
anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 2
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.1.1.15 10.1.1.13
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
default-domain value company.internal
group-policy "GroupPolicy_company HK" internal
group-policy "GroupPolicy_company HK" attributes
wins-server none
dns-server value 10.1.1.15 10.1.1.10
vpn-tunnel-protocol ssl-client
default-domain value company.internal
username frances attributes
vpn-group-policy GroupPolicy_MH2
service-type admin
username admin password boooooooooooooo encrypted privilege 1
:
all user account names have been deleted from this post.
:
tunnel-group MH2 type remote-access
tunnel-group MH1 type remote-access
tunnel-group "company" type remote-access
tunnel-group "company" general-attributes
address-pool vpn_ip
default-group-policy "GroupPolicy_company"
tunnel-group "company" webvpn-attributes
group-alias "company" enable
!
class-map mgcp_port
match access-list 100
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect mgcp voip
parameters
call-agent 10.1.1.57 1
call-agent jab.my-domain.com 2
gateway 10.0.0.2 1
command-queue 150
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect mgcp
inspect icmp
class class-default
user-statistics accounting
policy-map inbound_policy
class mgcp_port
inspect mgcp voip
!
service-policy global_policy global
service-policy inbound_policy interface server
service-policy inbound_policy interface voice
prompt hostname context
no call-home reporting anonymous
: end
03-24-2013 01:59 PM
Hi Albert,
Try this out:
nat (server,outside1) 1 source static any any destination static NETWORK_OBJ_10.2.16.0_24 NETWORK_OBJ_10.2.16.0_24 no-proxy-arp route-lookup
Let me know how it goes.
HTH.
Portu.
04-17-2013 12:24 PM
That fixed it right off the bat... Why was that necessary...?
04-17-2013 12:28 PM
Hi,
You have configured the majority of your NAT rules in Section 1 of the NAT:
nat (data,outside2) source dynamic any interface
nat (server,outside2) source dynamic any interface
nat (DMZ,outside2) source dynamic any interface
nat (server,outside1) source dynamic any interface (This command was previously probably causing problems)
nat (DMZ,outside1) source dynamic any interface
nat (guestwifi,outside1) source dynamic any interface
nat (data,outside1) source dynamic any interface
What Javier suggested was to create the NAT rule at the very top of the NAT rules. Notice the number "1" which defines the order number for the NAT rule. This makes sure that the NAT for the VPN is always checked first instead of the long list of Dynamic NATs.
- Jouni
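The ordering point Jouni makes can be replayed off-box. The script below is an added example, not code from the thread or from Cisco: it parses the Section 1 (manual NAT) lines of an ASA 8.3+ config, models the ASA's top-down first-match evaluation, including the way `nat (a,b) 1 ...` inserts a rule at line 1 instead of appending it, and reports which rule a reply from a server host to a VPN-pool client would hit. The sample config is constructed from the thread's `(server,outside1)` rules and the `NETWORK_OBJ_10.2.16.0_24` object; the host addresses 10.1.1.19 and 10.2.16.5 used for the check are assumptions.

```python
"""Audit ASA 8.3+ Section 1 (manual NAT) ordering for a VPN address pool.

Added example, not from the original thread. The ASA walks Section 1 from
the top and applies the first rule whose interface pair, real source and
real destination all match, so a dynamic PAT with source 'any' that sits
above the pool identity (exemption) rule wins and the identity rule is
never reached. Putting the identity rule at line 1 fixes the order.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")

# Only unindented 'nat (' lines are Section 1. The indented 'nat ... static'
# lines under 'object network' are Section 2 (auto NAT) and are consulted
# only when no Section 1 rule matches, so they are deliberately ignored.
NAT_RE = re.compile(
    r"^nat \((?P<sif>[^,]+),(?P<dif>[^)]+)\)"
    r"(?: (?P<pos>\d+))?"
    r" source (?P<kind>dynamic|static) (?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?: destination static (?P<real_dst>\S+) (?P<mapped_dst>\S+))?"
)

# Constructed sample: the thread's (server,outside1) rules plus the pool object.
BROKEN_CONFIG = """\
object network NETWORK_OBJ_10.2.16.0_24
 subnet 10.2.16.0 255.255.255.0
nat (server,outside2) source dynamic any interface
nat (server,outside1) source dynamic any interface
nat (DMZ,outside1) source dynamic any interface
"""
# The line from the accepted answer, entered after the rules above.
FIX_LINE = ("nat (server,outside1) 1 source static any any destination static "
            "NETWORK_OBJ_10.2.16.0_24 NETWORK_OBJ_10.2.16.0_24 no-proxy-arp route-lookup")
FIXED_CONFIG = BROKEN_CONFIG + FIX_LINE + "\n"


@dataclass(frozen=True)
class NatRule:
    sif: str                      # real (inside) interface
    dif: str                      # mapped (outside) interface
    kind: str                     # 'dynamic' or 'static'
    real_src: IPv4Network
    mapped_src: Optional[IPv4Network]   # None when mapped to 'interface'
    real_dst: IPv4Network
    mapped_dst: Optional[IPv4Network]
    text: str

    @property
    def is_identity(self) -> bool:
        # NAT exemption: static rule whose real and mapped sides are identical.
        return (self.kind == "static" and self.real_src == self.mapped_src
                and self.real_dst == self.mapped_dst)


def _resolve(token: str, objects: dict) -> Optional[IPv4Network]:
    if token == "any":
        return ANY
    if token == "interface":
        return None
    if token in objects:
        return objects[token]
    raise KeyError(f"undefined network object: {token}")


def parse_section1(config: str) -> list:
    """Return Section 1 rules in the order the ASA would evaluate them."""
    objects, rules, current = {}, [], None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith(" subnet ") and current:
            _, net, mask = line.split()
            objects[current] = ip_network(f"{net}/{mask}")
        elif line.startswith(" host ") and current:
            objects[current] = ip_network(line.split()[1] + "/32")
        elif line.startswith("nat ("):
            current = None
            m = NAT_RE.match(line)
            if not m:
                raise ValueError(f"unparsed NAT line: {line}")
            g = m.groupdict()
            rule = NatRule(
                sif=g["sif"], dif=g["dif"], kind=g["kind"],
                real_src=_resolve(g["real_src"], objects),
                mapped_src=_resolve(g["mapped_src"], objects),
                real_dst=_resolve(g["real_dst"] or "any", objects),
                mapped_dst=_resolve(g["mapped_dst"] or "any", objects),
                text=line,
            )
            # 'nat (a,b) N ...' inserts at line N of Section 1; without N
            # the ASA appends the rule to the end of the section.
            if g["pos"]:
                rules.insert(int(g["pos"]) - 1, rule)
            else:
                rules.append(rule)
    return rules


def first_match(rules, sif, dif, src, dst) -> Optional[NatRule]:
    """First Section 1 rule for a packet entering sif, leaving dif, src->dst."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if (rule.sif, rule.dif) == (sif, dif) and src in rule.real_src and dst in rule.real_dst:
            return rule
    return None


def audit_vpn_pair(rules, inside_if, vpn_if, inside_host, pool_host) -> str:
    """'identity' if the exemption is reached first, else the shadowing kind or 'none'."""
    rule = first_match(rules, inside_if, vpn_if, inside_host, pool_host)
    if rule is None:
        return "none"
    return "identity" if rule.is_identity else rule.kind


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        rules = parse_section1(cfg)
        verdict = audit_vpn_pair(rules, "server", "outside1", "10.1.1.19", "10.2.16.5")
        print(f"{label}: server->outside1 reply to VPN client hits: {verdict}")
        for i, r in enumerate(rules, 1):
            print(f"  {i}: {r.text}")
```

On the ASA itself the same two checks are `show nat`, which lists Section 1 in evaluation order with hit counts, and `packet-tracer input server tcp 10.1.1.19 80 10.2.16.5 40000`, whose NAT phase names the rule that matched; after the fix the identity rule should appear at line 1 and be the one packet-tracer reports, while ordinary Internet-bound traffic from the server network still falls through to the dynamic PAT.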