Anyconnect no remote local subnet intra connection

I'm trying to set up an anyconnect vpn that's supposed to work by supplying access to a single remote local subnet where a couple of servers exist. I have the issue that there is no connection on the subnet. I connect with the VPN and get an IP but I can't ping anything and the log throws this description:  

6 Nov 24 2015 12:56:09 110002 10.5.x.123 1 Failed to locate egress interface for ICMP from Outside:10.5.x.123/1 to 10.5.x.1/0

I'm thinking it's either ACL or NAT missing or misconfiguration. Anyone with some more experience or knowledge able to find my mistake? 

ASA Version 9.1(5)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool ElevNet 10.5.x.100-10.5.x.150 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan y
!
interface Ethernet0/1
 switchport access vlan x
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 description WAN
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif Outside
 security-level 0
 ip address 1x.2x.1.2x 255.255.255.248
!
interface Vlan y
 management-only
 nameif Management
 security-level 100
 ip address 10.x.10.x 255.255.255.0
!
interface Vlan x
 nameif ElevInside
 security-level 100
 ip address 10.5.x.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.5.x.0_24
 subnet 10.5.x.0 255.255.255.0
object network ElevNet
 subnet 0.0.0.0 0.0.0.0
access-list Elev extended permit ip 10.5.x.0 255.255.255.0 1x.2x.1.2x 255.255.255.248
access-list Split_Tunnel remark Local_Elev_Lan
access-list Split_Tunnel standard permit 10.5.x.0 255.255.255.0
access-list Local_Lan_Access standard permit 10.5.x.0 255.255.255.0
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list ElevInside_access_in extended permit ip any any
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751-112.bin
no asdm history enable
nat (ElevInside,Outside) source dynamic any interface
access-group ElevInside_access_in in interface ElevInside
route Outside 0.0.0.0 0.0.0.0 1x.2x.1.2x 1
dynamic-access-policy-record DfltAccessPolicy
 network-acl Elev
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.x.10.x 255.255.255.0 Management
http 10.5.x.0 255.255.255.0 Management
telnet 10.x.10.x 255.255.255.0 Management
vpn-addr-assign local reuse-delay 60
!
dhcpd address 10.5.x.100-10.5.x.150 ElevInside
dhcpd dns 8.8.8.8 8.8.4.4 interface ElevInside
dhcpd enable ElevInside
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 ElevInside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management vpnlb-ip
webvpn
 enable Outside
 enable ElevInside
 anyconnect image disk0:/anyconnect-win-3.1.12020-k9.pkg 2
 anyconnect profiles ElevVirker_client_profile disk0:/ElevVirker_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_ElevVirker internal
group-policy GroupPolicy_ElevVirker attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_Lan_Access
 default-domain none
 address-pools value ElevNet
 webvpn
  anyconnect profiles value ElevVirker_client_profile type user
vpn-group-policy GroupPolicy_ElevVirker
tunnel-group ElevVirker type remote-access
tunnel-group ElevVirker general-attributes
 address-pool ElevNet
 default-group-policy GroupPolicy_ElevVirker
tunnel-group ElevVirker webvpn-attributes
 group-alias ElevVirker enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily


Configure the following and try again:

policy-map global_policy
 class inspection_default
  inspect icmp

In addition to that you should consider upgrading your ASA to 9.1(6)10 as there are many bugs fixed.

I upgraded and added the configuration, but it didn't fix the issue. Do I need a no nat rule like (Inside,Inside)?

Yes, you need a nat-exemption for (ElevInside,Outside) in NAT-section 1. Your dynamic NAT-config should be moved to NAT-section 3. I missed that; unformatted config is always hard to read.
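The NAT change the reply describes, written out against the posted configuration as an added example (it is not config from the thread or from Cisco). It reuses the names already in the post (ElevInside, Outside, ElevNet, NETWORK_OBJ_10.5.x.0_24) and keeps the post's 10.5.x placeholders; the object name ElevNet_Pool is assumed, and the final management-access line is only needed if the client is meant to reach the ASA's own ElevInside address, which is the destination in the posted log line.

```cisco
! Added example, not from the original post.
! Object covering the AnyConnect address pool ('ip local pool ElevNet').
! ElevNet_Pool is an assumed name.
object network ElevNet_Pool
 range 10.5.x.100 10.5.x.150
!
! NAT section 1 (manual/twice NAT): identity-translate LAN <-> VPN pool so
! VPN traffic is matched here first and is never PATed to the Outside address.
nat (ElevInside,Outside) source static NETWORK_OBJ_10.5.x.0_24 NETWORK_OBJ_10.5.x.0_24 destination static ElevNet_Pool ElevNet_Pool no-proxy-arp route-lookup
!
! Remove the catch-all PAT from section 1 and re-add it 'after-auto'
! (section 3), so it is evaluated only after the exemption above and
! after any object (section 2) NAT rules.
no nat (ElevInside,Outside) source dynamic any interface
nat (ElevInside,Outside) after-auto source dynamic any interface
!
! Only if the VPN client must ping or manage the ASA on 10.5.x.1 itself:
! without this the ASA does not answer on a non-ingress interface for
! traffic arriving through the tunnel.
management-access ElevInside
```

After applying it, `show nat detail` should list the identity rule under "Manual NAT Policies (Section 1)" and the interface PAT under "Manual NAT Policies (Section 3)", and the translate_hits counter on the section 1 rule should increment when the client pings a server. Two things in the posted config are worth checking at the same time: the pool 10.5.x.100-10.5.x.150 is carved out of the ElevInside subnet and is the same range the `dhcpd address` line hands to LAN hosts, so one address can be in use by a LAN host and a VPN client simultaneously; and the `nat ... source dynamic any interface` rule is the one the ASA hits for the 10.5.x.123 -> 10.5.x.1 flow as long as it stays in section 1.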