06-30-2015 10:57 PM - edited 02-21-2020 08:19 PM
Hi Guys,
I have configured AnyConnect on my ASA. The client PC is able to connect to the network with the AnyConnect client and gets an IP address, but it cannot ping or access anything. Here is the config:
DMZ1664 is outside interface
DMZ1070 is inside interface
interface GigabitEthernet0/0
 nameif DMZ1664
 security-level 0
 ip address 202.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
 nameif DMZ1070
 security-level 80
 ip address 10.1.50.8 255.255.255.0
ip local pool JDE_VPN_Users 10.1.30.10-10.1.30.254 mask 255.255.255.0
object network JDE_VPN_Pool
subnet 10.1.30.0 255.255.255.0
object-group network JDE_subnets_main
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.255.0.0
access-list DMZ1070_access_in extended permit ip 10.1.30.0 255.255.255.0 object-group JDE_subnets_main
access-list DMZ1070_access_in extended permit ip object-group JDE_subnets_main 10.1.30.0 255.255.255.0
access-list JDE_VPN standard permit 10.0.0.0 255.0.0.0
access-list JDE_VPN standard permit 172.16.0.0 255.240.0.0
access-list Outside_access_in extended permit ip 10.1.30.0 255.255.255.0 any
access-list Outside_access_in extended permit icmp any any inactive
access-list Outside_nat0_outbound extended permit ip any any
access-group Outside_access_in in interface DMZ1664
access-group DMZ1070_access_in in interface DMZ1070
nat (DMZ1070,any) source static JDE_VPN_Pool JDE_VPN_Pool destination static JDE_subnets_main JDE_subnets_main no-proxy-arp
nat (any,DMZ1070) source static JDE_subnets_main JDE_subnets_main destination static JDE_VPN_Pool JDE_VPN_Pool no-proxy-arp
route DMZ1664 0.0.0.0 0.0.0.0 202.129.X.X
route DMZ1070 10.0.0.0 255.0.0.0 10.1.50.1 1
webvpn
 enable DMZ1664
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.08009-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-3.1.08009-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.08009-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_JDE_VPN internal
group-policy GroupPolicy_JDE_VPN attributes
 wins-server none
 dns-server value 10.1.8.1 10.1.8.2
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 ipv6-split-tunnel-policy excludespecified
 split-tunnel-network-list value JDE_VPN
 default-domain value jdeglobal.com
 split-dns value jdeglobal.com
username admin password TOyVyM6G6TXcuQ5w encrypted
tunnel-group VPNUsers type remote-access
tunnel-group JDE_VPN type remote-access
tunnel-group JDE_VPN general-attributes
 address-pool (DMZ1070) JDE_VPN_Users
 address-pool JDE_VPN_Users
 authentication-server-group JDE-Radius
 default-group-policy GroupPolicy_JDE_VPN
tunnel-group JDE_VPN webvpn-attributes
 group-alias JDE_VPN enable
# show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp DMZ1664
no sysopt noproxyarp DMZ1070
no sysopt noproxyarp mgmt
Could someone please check the above config and let me know what the mistake is?
Also, do I need NAT, as I only want to access the internal network, which is 10.0.0.0/8?
Thanks guys
07-02-2015 05:34 PM
Hi Kuldeep,
Your first NAT is incorrect; please remove it:
no nat (DMZ1070,any) source static JDE_VPN_Pool JDE_VPN_Pool destination static JDE_subnets_main JDE_subnets_main no-proxy-arp
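To see why the first NAT line matters, it helps to trace which manual (twice) NAT rule each direction of the VPN flow actually hits. The script below is an added example, not code from the thread or from Cisco: it encodes my reading of the documented ASA manual NAT semantics (rules are evaluated in order, a static rule also matches traffic arriving from its mapped side, "any" matches every interface, and the egress interface is taken from the rule unless that interface is "any" or the rule carries route-lookup, in which case the routing table decides). The objects, interfaces and the two posted nat lines are taken from the post above; the client address 10.1.30.20 is an assumption, the /32 route is the host route the ASA installs for a connected client, and the single-line SUGGESTED_NAT rule is my own commonly used form of VPN NAT exemption, not something the reply recommends.

```python
"""Trace ASA twice-NAT matching for the AnyConnect flows in the thread (added example)."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

# Network objects as posted in the thread
OBJECTS = {
    "JDE_VPN_Pool": [Net("10.1.30.0/24")],
    "JDE_subnets_main": [Net("10.0.0.0/8"), Net("172.16.0.0/16")],
}

# Routing table as posted, plus the /32 host route the ASA adds for a connected
# AnyConnect client (client address 10.1.30.20 is assumed). Longest prefix wins.
ROUTES = [
    (Net("10.1.30.20/32"), "DMZ1664"),
    (Net("10.0.0.0/8"), "DMZ1070"),   # route DMZ1070 10.0.0.0 255.0.0.0 10.1.50.1
    (Net("0.0.0.0/0"), "DMZ1664"),    # route DMZ1664 0.0.0.0 0.0.0.0 <next hop>
]


@dataclass
class NatRule:
    real_ifc: str
    mapped_ifc: str
    real_src: str      # object in "source static <real> <mapped>" (identity: same name)
    real_dst: str      # object in "destination static <mapped> <real>" (identity: same name)
    route_lookup: bool


def parse_nat(line: str) -> NatRule:
    """Parse an identity twice-NAT line in the form shown by 'show run nat'."""
    t = line.split()
    real_ifc, mapped_ifc = t[1].strip("()").split(",")
    return NatRule(real_ifc, mapped_ifc, t[4], t[9], "route-lookup" in t)


def in_obj(name: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OBJECTS[name])


def ifc_match(rule_ifc: str, ifc: str) -> bool:
    return rule_ifc == "any" or rule_ifc == ifc


def lookup_route(dst: str) -> str:
    addr = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def trace(rules, ingress: str, src: str, dst: str):
    """First matching rule as (index, direction, egress); (None, 'routing', egress) if none."""
    for i, r in enumerate(rules, 1):
        # Forward: packet enters on the real interface, source in real_src, dest in real_dst
        if ifc_match(r.real_ifc, ingress) and in_obj(r.real_src, src) and in_obj(r.real_dst, dst):
            egress = lookup_route(dst) if (r.mapped_ifc == "any" or r.route_lookup) else r.mapped_ifc
            return i, "forward", egress
        # Reverse: static rules also translate packets arriving from the mapped side
        if ifc_match(r.mapped_ifc, ingress) and in_obj(r.real_dst, src) and in_obj(r.real_src, dst):
            egress = lookup_route(dst) if (r.real_ifc == "any" or r.route_lookup) else r.real_ifc
            return i, "reverse", egress
    return None, "routing", lookup_route(dst)


POSTED_NAT = [
    "nat (DMZ1070,any) source static JDE_VPN_Pool JDE_VPN_Pool destination static JDE_subnets_main JDE_subnets_main no-proxy-arp",
    "nat (any,DMZ1070) source static JDE_subnets_main JDE_subnets_main destination static JDE_VPN_Pool JDE_VPN_Pool no-proxy-arp",
]
# Assumed alternative (my suggestion, not from the thread): one identity rule between the
# two real interfaces, with route-lookup so the client's /32 route chooses the egress.
SUGGESTED_NAT = [
    "nat (DMZ1070,DMZ1664) source static JDE_subnets_main JDE_subnets_main destination static JDE_VPN_Pool JDE_VPN_Pool no-proxy-arp route-lookup",
]

CLIENT, SERVER = "10.1.30.20", "10.1.8.1"   # assumed client address; server = posted DNS server


def trace_vpn_flows(nat_lines):
    """Trace both directions of a VPN client <-> inside server flow through the given rules."""
    rules = [parse_nat(line) for line in nat_lines]
    return {
        "client->server": trace(rules, "DMZ1664", CLIENT, SERVER),
        "server->client": trace(rules, "DMZ1070", SERVER, CLIENT),
    }


if __name__ == "__main__":
    for label, lines in (("posted", POSTED_NAT), ("suggested", SUGGESTED_NAT)):
        for flow, (idx, direction, egress) in trace_vpn_flows(lines).items():
            print(f"{label:9} {flow:15} rule={idx} {direction:8} egress={egress}")
```

With the posted rules, client-to-server traffic matches no manual rule and is simply routed to DMZ1070, but the reply from the inside host matches the reverse side of the first rule and is pinned to egress DMZ1070, the interface it came in on, instead of the DMZ1664 interface where the tunnel terminates. The same trace against a route-lookup rule shows the reply following the client's /32 route out DMZ1664, which is the check to run on any identity NAT rule whose interface pair does not describe the path the packets really take.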