12-05-2012 02:13 AM - edited 02-21-2020 06:31 PM
Hi Everyone,
I have built a new AnyConnect VPN link which I need to get running ASAP.
The issue that I am having is that I can initially get the client to download the AnyConnect software and connect, but it cannot ping the default gateway, so it cannot access anything. I am new to VPNs, especially AnyConnect, and could do with a little advice.
I have installed the config onto a 5510, with 8.4(4) software installed. When I installed it onto a spare 5505 that we have, which is also on 8.4(4) I found that it created a temporary interface that was used as the default gateway for the VPN but this does not seem to be the case for the 5510.
Would it be possible to look through my config and see if there is something amiss with it?
Thanks
group-policy besttelGP internal
group-policy besttelGP attributes
vpn-tunnel-protocol ssl-client
tunnel-group besttel_tun type remote-access
tunnel-group besttel_tun general-attributes
exit
username XXXXX password XXXXX
username Besttel attributes
vpn-group-policy besttelGP
service-type remote-access
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.0.08057.k9.pkg
anyconnect enable
ip local pool besttel_pool 10.10.252.10-10.10.252.20 mask 255.255.255.0
group-policy besttelGP attributes
address-pools value besttel_pool
exit
access-list besttel_vpn_acl standard permit host 10.10.6.9
access-list besttel_vpn_acl standard permit host 10.10.6.10
access-list besttel_vpn_acl standard permit host 10.15.1.5
access-list besttel_vpn_acl standard deny any
sysopt connection permit-vpn
group-policy besttelGP attributes
vpn-filter value besttel_vpn_acl
crypto key generate rsa label BesttelVPN
crypto ca trustpoint BESTTELTRUST
enrollment self
keypair BesttelVPN
crypto ca enroll BESTTELTRUST nonconfirm
exit
ssl trustpoint BESTTELTRUST outside
12-05-2012 03:50 AM
Sorry, I forgot to mention. The 5510 does not seem to build an IP address into its table that the VPN client can use as its default gateway, so the AnyConnect software builds, by default, a default gateway of the 1st usable IP address within the given subnet, but this is pointing to nothing as the ASA does not have it configured. Do I have to manually configure this IP address or is it a command that I am missing?
Thanks
Jake
12-05-2012 07:19 AM
I have fixed the issues now. I couldn't understand where the default route was pointing to as it did not come up on the ASA, but it seems to be able to access the ASA anyway. The issue was fixed by stopping the NAT translations for the VPN subnet.
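An added example, not part of the original posts: one way to express the NAT exemption described in the last post on ASA 8.4, using the pool and hosts from the posted config. The interface name `inside`, the object names and rule position 1 are assumptions; the poster's actual NAT configuration is not shown in the thread.

```cisco
! Added example; object names and the "inside" interface name are assumptions.
! VPN address pool taken from the posted "ip local pool" line.
object network BESTTEL_VPN_POOL
 subnet 10.10.252.0 255.255.255.0
!
! Internal hosts taken from the posted besttel_vpn_acl entries.
object-group network BESTTEL_HOSTS
 network-object host 10.10.6.9
 network-object host 10.10.6.10
 network-object host 10.15.1.5
!
! Identity (twice) NAT: traffic between these hosts and the VPN pool is
! left untranslated. Position 1 puts the rule ahead of any dynamic PAT
! rule in the manual NAT section, which would otherwise match first.
nat (inside,outside) 1 source static BESTTEL_HOSTS BESTTEL_HOSTS destination static BESTTEL_VPN_POOL BESTTEL_VPN_POOL no-proxy-arp route-lookup
!
! Checks: confirm the rule is hit and that return traffic is not translated.
show nat detail
packet-tracer input inside icmp 10.10.6.9 8 0 10.10.252.10 detailed
```

Scoping the exemption to the three permitted hosts rather than a whole inside subnet keeps the untranslated path aligned with what the VPN filter ACL allows.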