AnyConnect - No access to LAN

jcorbett1
Level 1

I've been chasing this around for a week. The last firewall I configured was a PIX a hundred years ago and needless to say things have changed. Yesterday everything was working great. Our contractor was connecting from Florida. Today nothing. No access to the Office LAN. I've messed with the config and cannot figure out what the problem is. I've used sysopt connection permit-vpn with no joy. Here's my config.

: Saved
:
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
!
ASA Version 9.1(6)
!
hostname owgasa

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

names
ip local pool OfficeVPN 10.10.4.200-10.10.4.225 mask 255.255.252.0
!
interface Ethernet0/0
description CC Internet
speed 100
duplex full
nameif CC_Internet
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
description BKP network
speed 100
duplex full
nameif BKP
security-level 100
ip address 192.168.1.4 255.255.255.0
!
interface Ethernet0/2
description Office network
nameif Office
security-level 100
ip address 10.10.3.254 255.255.252.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 172.16.1.1 255.255.255.0
!
boot system disk0:/asa916-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup CC_Internet
dns server-group DefaultDNS
name-server 8.8.4.4
name-server 8.8.8.8
domain-name xxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Office_Network
subnet 10.10.0.0 255.255.252.0
object network BKP_Network
subnet 192.168.1.0 255.255.255.0
object network MobiServ-Inside
host 10.10.2.9
object network Public_IP_Address_xxx
host x.x.x.x
description Used as termination point for inbound access from outside
object network obj-10.10.2.35
host 10.10.2.35
object network obj-10.10.2.112
host 10.10.2.112
object network obj-10.10.2.102
host 10.10.2.102
object network obj-10.10.2.11
host 10.10.2.11
object network obj-10.10.2.195
host 10.10.2.195
object network obj-10.10.2.245
host 10.10.2.245
object network obj-10.10.2.176
host 10.10.2.176
object network obj-10.10.0.199
host 10.10.0.199
object network obj-10.10.2.104
host 10.10.2.104
object network obj-10.10.0.3
host 10.10.0.3
object network obj-10.10.2.144
host 10.10.2.144
object network obj-10.10.2.204
host 10.10.2.204
object network obj-10.10.2.23
host 10.10.2.23
object network obj-10.10.2.212
host 10.10.2.212
object network obj-10.10.2.114
host 10.10.2.114
object network obj-10.10.2.9
host 10.10.2.9
object service MobiServ_ports
service tcp source range 10610 10620
object network NCR_Remote_Net
subnet 192.168.185.0 255.255.255.0
object service Mobiserv_https
service tcp source eq https
object network obj-10.10.3.0
subnet 10.10.3.0 255.255.255.0
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_24
subnet 172.16.0.0 255.255.255.0
object network NETWORK_OBJ_10.10.0.0_24
subnet 10.10.0.0 255.255.255.0
object network NETWORK_OBJ_10.10.0.0_22
subnet 10.10.0.0 255.255.252.0
object network NETWORK_OBJ_10.10.1.240_28
subnet 10.10.1.240 255.255.255.240
object network NETWORK_OBJ_10.10.1.240_29
subnet 10.10.1.240 255.255.255.248
object network NETWORK_OBJ_10.10.1.224_27
subnet 10.10.1.224 255.255.255.224
object network obj-AnyConnectPool
range 10.10.4.200 10.10.4.225
description Nat statement for AnyConnect Split-Tunnel
object-group service IBM_iAccess tcp
description Ports to allow iAccess software communications
port-object eq 2001
port-object eq 2010
port-object eq 3000
port-object eq 397
port-object range 445 447
port-object eq 448
port-object eq 449
port-object eq 5010
port-object eq 5544
port-object eq 5555
port-object eq 5566
port-object eq 5577
port-object range 8470 8476
port-object eq 8480
port-object eq 942
port-object range 9470 9476
port-object eq 9480
port-object eq 992
port-object eq exec
port-object eq netbios-ssn
port-object eq telnet
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SecCam tcp
description Security Cameras for Corp Stores
port-object eq 6800
port-object eq 7100
port-object eq 6801
object-group service RDP tcp
description Remote Desktop Protocol
port-object range 3380 3389
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq domain
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object tcp destination eq imap4
service-object icmp
service-object tcp destination range 8288 8289
service-object tcp destination range 9901 9903
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp destination eq domain
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object icmp
service-object tcp destination eq 465
service-object tcp destination eq 587
service-object tcp destination eq 993
service-object tcp destination eq 6800
service-object tcp destination eq 7100
service-object tcp destination eq 6801
service-object tcp destination eq 9901
service-object tcp destination eq 36617
service-object tcp destination eq 47460
service-object tcp destination eq 8100
service-object tcp destination eq 2083
service-object tcp destination eq telnet
object-group network DM_INLINE_NETWORK_1
network-object object Office_Network
network-object object BKP_Network
object-group service DM_INLINE_UDP_1 udp
port-object eq 443
port-object eq www
object-group service DM_INLINE_UDP_2 udp
port-object eq 443
port-object eq www
object-group service DM_INLINE_UDP_3 udp
port-object eq 443
port-object eq www
object-group service BKPPAY tcp

port-object range 8288 8289
port-object range 9901 9903
object-group service SSL tcp
description SSL Ports
port-object eq 465
port-object eq 587
port-object eq 993
object-group network NCR_Network
network-object 172.16.0.0 255.255.255.0
object-group service CPS tcp

port-object eq 36617
port-object eq 47460
object-group service IDT tcp

port-object eq 8100
object-group service GoDaddy tcp
description Management port
port-object eq 2083
object-group service PrintNetEnt tcp-udp
description Ports for PrintNet Enterprise
port-object eq 1030
port-object eq 135
port-object eq 389
port-object eq domain
access-list inside_access_in remark Limits access from BKP Network to Office network except for protocols in preceeding rule
access-list inside_access_in extended deny ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.252.0
access-list inside_access_in remark Default allowed protocols from BKP network to Internet
access-list inside_access_in remark Default allowed protocols from inside network to Internet
access-list inside_access_in remark Enables use of Google QUIC protocol
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_UDP_3
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.1.0 255.255.255.0 any
access-list inside_access_in remark Deny any other traffic
access-list inside_access_in extended deny ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in remark Deny any other traffic
access-list inside2_access_in remark No access from Office Network to BKP
access-list inside2_access_in extended deny ip 10.10.0.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list inside2_access_in remark Default allowed protocols from Office network to Internet
access-list inside2_access_in remark Default allowed protocols from BKP network to Internet
access-list inside2_access_in extended permit object-group DM_INLINE_SERVICE_2 10.10.0.0 255.255.252.0 any log disable
access-list inside2_access_in remark Enable use of Google QUIC protocol
access-list inside2_access_in extended permit udp 10.10.0.0 255.255.252.0 any object-group DM_INLINE_UDP_2
access-list inside2_access_in extended permit udp 10.10.0.0 255.255.252.0 any eq ntp
access-list inside2_access_in extended permit tcp 10.10.0.0 255.255.252.0 any object-group IBM_iAccess
access-list inside2_access_in remark Deny all other traffic
access-list inside2_access_in extended deny ip 10.10.0.0 255.255.252.0 any
access-list inside2_access_in remark Default allowed protocols from BKP network to Internet
access-list inside2_access_in remark Deny all other traffic
access-list CC_Internet_access_in remark Enables inbound Google QUIC protocol
access-list CC_Internet_access_in extended permit udp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_UDP_1
access-list CC_Internet_access_in remark MobiServ access
access-list CC_Internet_access_in extended permit tcp any object MobiServ-Inside eq https
access-list CC_Internet_access_in remark MobiServ access
access-list CC_Internet_access_in extended permit tcp any object MobiServ-Inside range 10610 10620
access-list CC_Internet_access_in remark MobiServ access
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.114 eq 21591
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.212 eq 21590
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.23 eq 21589
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.204 eq 21588
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.144 eq 21587
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.0.3 eq 23389
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.104 eq 19182
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.0.199 eq 18172
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.176 eq 3384
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.245 eq 3378
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.195 eq 3379
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.11 eq 3380
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.102 eq 3385
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.112 eq 3388
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.35 eq 1587
access-list CC_Internet_access_in extended permit tcp any object obj-AnyConnectPool object-group IBM_iAccess inactive
access-list CC_Internet_access_in remark Denys all inbound connections from the Internet
access-list CC_Internet_access_in extended deny ip any any
access-list CC_Internet_cryptomap extended permit ip object Office_Network 172.16.0.0 255.255.255.0
access-list NCRVPN extended permit ip 10.10.0.0 255.255.252.0 172.16.0.0 255.255.255.0
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list split-tunnel remark Local Office Network
access-list split-tunnel standard permit 10.10.0.0 255.255.252.0
pager lines 50
logging enable
logging asdm informational
logging from-address xxx@xxxxx.com
logging recipient-address xxx@xxxxx.com level alerts
logging host Office 10.10.0.199 17/1514
logging class auth trap informational
mtu CC_Internet 1500
mtu BKP 1500
mtu Office 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (BKP,CC_Internet) source dynamic BKP_Network interface description Dynamic NAT (PAT) for general outside access
nat (Office,CC_Internet) source static Office_Network Office_Network destination static obj-AnyConnectPool obj-AnyConnectPool
nat (Office,CC_Internet) source static MobiServ-Inside Public_IP_Address_xxx service MobiServ_ports MobiServ_ports description PAT settings for Mobiserv ports
nat (Office,CC_Internet) source static obj-AnyConnectPool interface inactive description PAT settings for AnyConnect
nat (Office,CC_Internet) source static MobiServ-Inside Public_IP_Address_188 service Mobiserv_https Mobiserv_https description PAT settings for Mobiserv ports
nat (Office,CC_Internet) source static Office_Network Office_Network destination static NETWORK_OBJ_172.16.0.0_24 NETWORK_OBJ_172.16.0.0_24 no-proxy-arp route-lookup
nat (Office,CC_Internet) source dynamic any interface description Dynamic NAT (PAT) for general outside access
nat (Office,CC_Internet) source static NETWORK_OBJ_10.10.0.0_22 NETWORK_OBJ_10.10.0.0_22 destination static NETWORK_OBJ_10.10.1.240_28 NETWORK_OBJ_10.10.1.240_28 no-proxy-arp route-lookup inactive
nat (Office,CC_Internet) source static Office_Network Office_Network destination static NETWORK_OBJ_10.10.1.240_28 NETWORK_OBJ_10.10.1.240_28 no-proxy-arp route-lookup inactive
nat (Office,CC_Internet) source static Office_Network Office_Network destination static NETWORK_OBJ_10.10.1.240_29 NETWORK_OBJ_10.10.1.240_29 no-proxy-arp route-lookup inactive
nat (Office,CC_Internet) source static NETWORK_OBJ_10.10.0.0_22 NETWORK_OBJ_10.10.0.0_22 destination static NETWORK_OBJ_10.10.1.224_27 NETWORK_OBJ_10.10.1.224_27 no-proxy-arp route-lookup inactive
!
object network obj-10.10.2.35
nat (Office,CC_Internet) static x.x.x.x service tcp 1587 1587
object network obj-10.10.2.112
nat (Office,CC_Internet) static x.x.x.x service tcp 3388 3388
object network obj-10.10.2.102
nat (Office,CC_Internet) static x.x.x.x service tcp 3385 3385
object network obj-10.10.2.11
nat (Office,CC_Internet) static x.x.x.x service tcp 3380 3380
object network obj-10.10.2.195
nat (Office,CC_Internet) static x.x.x.x service tcp 3379 3379
object network obj-10.10.2.245
nat (Office,CC_Internet) static x.x.x.x service tcp 3378 3378
object network obj-10.10.2.176
nat (Office,CC_Internet) static x.x.x.x service tcp 3384 3384
object network obj-10.10.0.199
nat (Office,CC_Internet) static x.x.x.x service tcp 18172 18172
object network obj-10.10.2.104
nat (Office,CC_Internet) static x.x.x.x service tcp 19182 19182
object network obj-10.10.0.3
nat (Office,CC_Internet) static x.x.x.x service tcp 23389 23389
object network obj-10.10.2.144
nat (Office,CC_Internet) static x.x.x.x service tcp 21587 21587
object network obj-10.10.2.204
nat (Office,CC_Internet) static x.x.x.x service tcp 21588 21588
object network obj-10.10.2.23
nat (Office,CC_Internet) static x.x.x.x service tcp 21589 21589
object network obj-10.10.2.212
nat (Office,CC_Internet) static x.x.x.x service tcp 21590 21590
object network obj-10.10.2.114
nat (Office,CC_Internet) static x.x.x.x service tcp 21591 21591
object network obj-10.10.2.9
nat (Office,CC_Internet) static x.x.x.x service tcp 10620 10620
access-group CC_Internet_access_in in interface CC_Internet
access-group inside_access_in in interface BKP
access-group inside2_access_in in interface Office
route CC_Internet 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 8
http server enable
http 10.10.0.0 255.255.252.0 Office
http 172.16.1.0 255.255.255.0 management
http 10.10.4.0 255.255.252.0 Office
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map CC_Internet_map 1 match address CC_Internet_cryptomap
crypto map CC_Internet_map 1 set peer x.x.x.x
crypto map CC_Internet_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map CC_Internet_map interface CC_Internet
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable CC_Internet
crypto ikev1 enable CC_Internet
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.10.0.0 255.255.252.0 Office
telnet 172.16.0.0 255.255.255.0 management
telnet timeout 5
ssh stricthostkeycheck
ssh x.x.x.x 255.255.255.0 CC_Internet
ssh x.x.x.x 255.255.255.255 CC_Internet
ssh 10.10.0.0 255.255.252.0 Office
ssh 0.0.0.0 0.0.0.0 Office
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Office
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 131.107.13.100 source CC_Internet
webvpn
enable CC_Internet
anyconnect image disk0:/anyconnect-win-4.4.00243-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.4.4 8.8.8.8
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
default-domain value xxx.xxx.com
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 8.8.4.4 10.10.2.7
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value xxx.xxxxxx.com
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
username xxxxxxxxxx password xxxxxxxxxxxxxxxx encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool OfficeVPN
default-group-policy GroupPolicy_AnyConnect
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key xxxxxxx
ikev2 remote-authentication pre-shared-key xxxxxxx
ikev2 local-authentication pre-shared-key xxxxxxx
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool OfficeVPN
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ftp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxx
: end

Accepted Solution

When accessing the shared folders are you accessing it via the IP of Power7 or the FQDN?

If using FQDN you will need to change the group-policy configuration so that 10.10.2.7 comes first. First configured DNS server is preferred. While connected to AnyConnect, if you issue an ipconfig /all command from command prompt you should see that 8.8.4.4 is listed first and 10.10.2.7 is second.

group-policy GroupPolicy_AnyConnect attributes

  dns-server value 8.8.4.4 10.10.2.7

--

Please remember to select a correct answer and rate helpful posts
15 Replies

Rahul Govindan
VIP Alumni

Quickly looking through your config, I could not see anything that stood out as an issue.  What was the user not able to access in the 10.10.0.0/22 network? A few things we can do to get to the bottom of this:

Apply capture on the Office interface for the Anyconnect assigned ip address. This way we can see if packets are being sent out through the Office interface.

Run a packet-tracer on interface outside with source Anyconnect IP and destination internal ip address.

If this issue was only seen on one user, could be a client side issue. Check the client routing table to see if the right split tunnel network is added.

I wiped out the AnyConnect configuration that I had and recreated the setup through the wizard then setup split tunneling through the following example. Now I have no internet access or lan access while connected to the vpn.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html#anc14

Could you paste the new config here? No internet access means your split-tunnel is not configured correctly. Your previous config had it configured for 10.10.0.0/22 network.

Split tunnel back up after following this example.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html

Pulling personal data from config now to repost.

I ran packet tracer on the outside interface with a source address from the VPN Pool and destination address on the lan using port Telnet.

INT: CC_Internet
SRC: 10.10.4.201      SRC PORT: telnet
DEST: 10.10.0.1       DEST PORT: telnet

I get the result:

access-group CC_Internet_access_in in interface CC_Internet
access-list CC_Internet_access_in extended deny ip any any

Your previous config was fine; you did not have to wipe it. Just a couple of extra things needed to be added. So I hope you have a backup of your old config and can put that back in.

Packet tracer will not work to test this connection, as you cannot simulate an encrypted packet coming in the CC_Internet interface.

There are a couple of things wrong with your config.

  1. First of all your AnyConnect pool of 10.10.40.200-225/22 is not included in your Office_Network group object of 10.10.0.0/22.  This only includes up to 10.10.3.255. So the NAT exempt you have configured for the office will not include the AnyConnect IPs and you do not have any other nat exempt configured for the AnyConnect clients...that I could find at least.
  2. Your split tunnel only allows traffic to 10.10.0.0/22 network, You need to add 172.16.0.0/24 to this list.

That is what I have spotted so far. I think that once you get your NAT added for traffic from AnyConnect to 172.16.0.0/24 and add 10.10.4.0/22 (or the range 10.10.4.200-225, for that matter) to the crypto ACL, you will be in business.

--

Please remember to select a correct answer and rate helpful posts


Keep in mind that your NAT statement should be from CC_Internet to CC_Internet.

nat (CC_Internet,CC_Internet) source static obj-AnyConnectPool obj-AnyConnectPool destination static NETWORK_OBJ_172.16.0.0_24 NETWORK_OBJ_172.16.0.0_24 no-proxy-arp route-lookup

access-list split-tunnel standard permit 172.16.0.0 255.255.255.0

--

Please remember to select a correct answer and rate helpful posts

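The two checks above (is the VPN pool covered by an identity NAT rule against each internal network, and is each internal network in the split-tunnel ACL) and the DNS-order point in the accepted solution can all be made mechanically from the text of a running-config. The script below is an added example, not code from this thread or from Cisco. It assumes the config is in the plain text form posted above; the object names, ACL name and group-policy name are the ones in the thread, the config excerpt is a constructed cut-down of the posted config, and the list of internal networks the clients must reach is a parameter, so it can be run with or without the 172.16.0.0/24 site-to-site network.

```python
"""Audit an ASA running-config excerpt for the AnyConnect pitfalls raised in this
thread: split-tunnel ACL coverage, identity (NAT-exempt) rules between the VPN
pool and each internal network, and DNS server order in the group-policy.
Added example; not code from the thread or from Cisco."""
import ipaddress
import re

# Constructed excerpt modelled on the config posted above (not the full config).
SAMPLE_CONFIG = """\
ip local pool OfficeVPN 10.10.4.200-10.10.4.225 mask 255.255.252.0
object network Office_Network
 subnet 10.10.0.0 255.255.252.0
object network NETWORK_OBJ_172.16.0.0_24
 subnet 172.16.0.0 255.255.255.0
object network obj-AnyConnectPool
 range 10.10.4.200 10.10.4.225
 description Nat statement for AnyConnect Split-Tunnel
access-list split-tunnel standard permit 10.10.0.0 255.255.252.0
nat (Office,CC_Internet) source static Office_Network Office_Network destination static obj-AnyConnectPool obj-AnyConnectPool
nat (Office,CC_Internet) source static Office_Network Office_Network destination static NETWORK_OBJ_172.16.0.0_24 NETWORK_OBJ_172.16.0.0_24 no-proxy-arp route-lookup
group-policy GroupPolicy_AnyConnect attributes
 dns-server value 8.8.4.4 10.10.2.7
"""

def net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_objects(cfg):
    """Map each 'object network' name to the list of CIDR blocks it contains."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)\s*$", line)
        if m:
            current = m.group(1)
            objects[current] = []
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the object
        elif current is not None:
            parts = line.split()
            if parts[0] == "subnet":
                objects[current].append(net(parts[1], parts[2]))
            elif parts[0] == "host":
                objects[current].append(net(parts[1]))
            elif parts[0] == "range":
                objects[current].extend(ipaddress.summarize_address_range(
                    ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])))
    return objects

def parse_pool(cfg):
    """The 'ip local pool' range as a list of CIDR blocks."""
    lo, hi = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask", cfg, re.M).groups()
    return list(ipaddress.summarize_address_range(ipaddress.ip_address(lo), ipaddress.ip_address(hi)))

def parse_split_tunnel(cfg, acl):
    """Networks permitted by the named standard ACL (the split-tunnel list)."""
    pat = rf"^access-list {re.escape(acl)} standard permit (\S+) (\S+)"
    return [net(a, m) for a, m in re.findall(pat, cfg, re.M)]

NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)(.*)$", re.M)

def parse_identity_nat(cfg, objects):
    """Active twice-NAT rules whose source and destination are both mapped to themselves."""
    return [(objects.get(sr, []), objects.get(dr, []))
            for sr, sm, dr, dm, tail in NAT_RE.findall(cfg)
            if sr == sm and dr == dm and "inactive" not in tail]

def parse_dns_servers(cfg, policy):
    """DNS servers pushed by the named group-policy, in configured order."""
    inside = False
    for line in cfg.splitlines():
        if not line.startswith(" "):
            inside = line.strip() == f"group-policy {policy} attributes"
        elif inside and line.split()[:2] == ["dns-server", "value"]:
            return [ipaddress.ip_address(x) for x in line.split()[2:]]
    return []

def covered(nets, by):
    """True when every block in `nets` lies inside some block in `by`."""
    return bool(nets) and all(any(n.subnet_of(b) for b in by) for n in nets)

def audit(cfg, internal_nets, split_acl="split-tunnel", policy="GroupPolicy_AnyConnect"):
    """Return human-readable findings; an empty list means every check passed."""
    objects, pool = parse_objects(cfg), parse_pool(cfg)
    split, rules = parse_split_tunnel(cfg, split_acl), parse_identity_nat(cfg, objects)
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for n in internal:
        if not covered([n], split):
            findings.append(f"{n} missing from split-tunnel ACL {split_acl}")
        # The exemption may name the LAN as source and the pool as destination, or vice versa.
        if not any((covered([n], s) and covered(pool, d)) or (covered(pool, s) and covered([n], d))
                   for s, d in rules):
            findings.append(f"no identity NAT between VPN pool and {n}")
    dns = parse_dns_servers(cfg, policy)
    if dns and not any(dns[0] in n for n in internal):
        findings.append(f"first DNS server {dns[0]} in {policy} is not an internal resolver")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ["10.10.0.0/22"]):
        print("FINDING:", finding)
```

Run against the excerpt with only the Office network as the target, the script finds the pool is exempted (the existing `Office_Network` to `obj-AnyConnectPool` rule covers it) and in the split-tunnel list, and flags only the DNS order, which is what the accepted solution fixed. Adding 172.16.0.0/24 to the target list reproduces the two findings in the reply above. The script deliberately ignores the interface pair on each `nat` line, so it cannot tell an `(Office,CC_Internet)` rule from the `(CC_Internet,CC_Internet)` rule that VPN-to-site-to-site traffic needs; that has to be read by hand.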

I also forgot to mention that the remote site needs to have the 10.10.4.0/22 subnet (or just the range 10.10.4.200-225) added to its crypto ACL as destination addresses as well.

--

Please remember to select a correct answer and rate helpful posts


Marius.


I'm sorry but it appears you are trying to connect my AnyConnect clients to our site to site vpn tunnel. This is not the goal. The site to site is up and running without issue. The site to site is a completely separate entity. Not for use with AnyConnect.

Ok, so I have misunderstood the goal.  Could you clarify what your goal is?

--

Please remember to select a correct answer and rate helpful posts


I want my AnyConnect clients in pool 10.10.4.200 - 225/22 to have LAN access to the Office Network on 10.10.0.0/22 with internet access.

Try adding route-lookup to the NAT exempt statement and then test.

--

Please remember to select a correct answer and rate helpful posts

That is complete but no change. It's weird. I can access our web filter and printers through a browser and RDP into systems all over the network through the VPN but cannot access our IBM Power7 or any network shares. Maddening.

Edit: I also have Internet access through the split tunnel.

Also I have just discovered that I can access our Power7 via a Windows command prompt using telnet 10.10.0.1.

I can run SQL commands against our Power7...
