
Anyconnect setup

CoryTrue1
Level 1

I am trying to set up an ASA5505 as a VPN gateway. The main traffic will be routed through the primary firewall, but I want to use AnyConnect to VPN into the network. I can get the connection to establish but am unable to access any internal resources (ping, RDP). From the internal network I am able to connect to the ASA. Looking at the statistics from AnyConnect I see packets sent but none received. I did use ASDM to set up AnyConnect via the wizard.

Any advice would be greatly appreciated. Here is a copy of my running config; I have been testing on it a few times.


Fire-4# sh run
: Saved
:
: Serial Number: JMX1844Z15R
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname Fire-4
domain-name Acompany.biz
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool test_Pool 192.168.112.190-192.168.112.198 mask 255.255.255.0
ip local pool ANYCONNECT-POOL 192.168.99.1-192.168.99.254 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.3.240 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 60.XX.XX.XX 255.255.255.252
!
interface Vlan12
nameif MGT
security-level 0
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup MGT
dns server-group DefaultDNS
name-server 10.10.3.4
name-server 192.168.111.4
domain-name Acompany.biz
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Router
host 60.xx.xx.x7
object network OBJ-ANYCONNECT-SUBNET
subnet 192.168.99.0 255.255.255.0
object network NETWORK_OBJ_192.168.112.128_25
subnet 192.168.112.128 255.255.255.128
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list NAT-EXEMPT extended permit object-group DM_INLINE_PROTOCOL_3 10.10.3.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object OBJ-ANYCONNECT-SUBNET any
access-list SPLIT-TUNNEL standard permit 10.10.3.0 255.255.255.0
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_2 object OBJ-ANYCONNECT-SUBNET any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu MGT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.112.128_25 NETWORK_OBJ_192.168.112.128_25 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 68.235.255.77 1
route inside 10.10.1.0 255.255.255.0 10.10.3.1 1
route inside 10.10.2.0 255.255.255.0 10.10.3.1 1
route inside 10.10.10.0 255.255.255.0 10.10.3.1 1
route inside 10.10.11.0 255.255.255.0 10.10.3.1 1
route inside 10.10.12.0 255.255.255.0 10.10.3.1 1
route inside 10.10.14.0 255.255.255.0 10.10.3.1 1
route inside 10.10.15.0 255.255.255.0 10.10.3.1 1
route inside 10.10.16.0 255.255.255.0 10.10.3.1 1
route inside 10.10.17.0 255.255.255.0 10.10.3.1 1
route inside 172.16.0.0 255.255.255.0 10.10.3.1 1
route inside 192.168.111.0 255.255.255.0 10.10.3.253 1
route inside 192.168.120.0 255.255.255.0 10.10.3.1 1
route inside 0.0.0.0 0.0.0.0 10.10.3.1 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl NAT-EXEMPT
network-acl global_access
network-acl outside_access_in
webvpn
file-browsing enable
file-entry enable
http-proxy enable
url-entry enable
svc ask none default svc
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 MGT
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime kilobytes unlimited
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint CO_VPN_TC
enrollment self
subject-name CN=ciscoasa
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASA_CO2
enrollment terminal
subject-name CN=AR-Fire4
crl configure
crypto ca trustpoint AR_IP2
enrollment self
subject-name CN=AR-Fire4
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=Fire-4
crl configure
crypto ca trustpool policy
crypto ca certificate chain CO_VPN_TC
certificate 0ffcbd56
30820234 3082019d a0030201 0202040f fcbd5630 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
86f70d01 09021608 63697363 6f617361 301e170d 31363032 31363131 34353036
5a170d32 36303231 33313134 3530365a 302c3111 300f0603 55040313 08636973
636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100dc 12e80f50
3fb1980c b04e8a3c 0185c73f 570b5b79 06a34ba5 021d4753 106a3a19 2d30e8fd
f9769998 1333c5ea ba8f7a0b 660d670d d73936e3 14079920 eb613346 22b396ce
0855d645 274fdef0 661aa19d 2fd9dca2 fe075e1a a72828d2 557f820d 7a38c133
29704597 fdcb1dfc 6a55d5ac 19ad046a 5e561764 25216a84 0a250b02 03010001
a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04
04030201 86301f06 03551d23 04183016 8014b23f 3df17b7d d32246b1 27afbf1d
cb75adcd b593301d 0603551d 0e041604 14b23f3d f17b7dd3 2246b127 afbf1dcb
75adcdb5 93300d06 092a8648 86f70d01 01050500 03818100 138e033a 46d40c6e
4cde0f02 60405f72 5ac7110e 36fa54d5 1558e6dc a59f95cd 7c67082b 57c295e5
f971059a da68f88c 18359b5b ae3b8b07 473aa80d 29d33dc5 199db994 cd7ceaf1
0ad8b266 cffb3b3e a8efa425 c019d1e6 2ef681aa eca83f5c 4bc99319 3a738e42
60e63ef9 7e463d3a 132741e5 c0c98f14 7c4997e8 6871f6d8
quit
crypto ca certificate chain CO_IP2
certificate 10fcbd56
308201cf 30820138 a0030201 02020410 fcbd5630 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130841 522d4669 72653431 17301506 092a8648
86f70d01 09021608 41522d46 69726534 301e170d 31363032 31363132 30343232
5a170d32 36303231 33313230 3432325a 302c3111 300f0603 55040313 0841522d
46697265 34311730 1506092a 864886f7 0d010902 16084152 2d466972 65343081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100dc 12e80f50
3fb1980c b04e8a3c 0185c73f 570b5b79 06a34ba5 021d4753 106a3a19 2d30e8fd
f9769998 1333c5ea ba8f7a0b 660d670d d73936e3 14079920 eb613346 22b396ce
0855d645 274fdef0 661aa19d 2fd9dca2 fe075e1a a72828d2 557f820d 7a38c133
29704597 fdcb1dfc 6a55d5ac 19ad046a 5e561764 25216a84 0a250b02 03010001
300d0609 2a864886 f70d0101 05050003 81810040 012fa6b1 1e5f699d 04975d2b
eec72bf9 d09d9cb6 c29f4fdb d1b624b7 e56fb33f 7c63c4da ea70cdf2 77ab06e3
fc6bbce7 bb81b346 c6af7a7f 59e6fcd8 e3934a42 5cbe6f95 95e9ff95 0e4cb0d6
b1a2df48 24698e11 148101de 0faf0532 27d185b5 e5b5d247 2abb96b8 4c95715d
aa5d73c1 be8dad40 98f5ba5f 762a8900 e9bdfe
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 11fcbd56
308201d3 3082013c a0030201 02020411 fcbd5630 0d06092a 864886f7 0d010105
0500302e 31123010 06035504 03130941 522d4669 72652d34 31183016 06092a86
4886f70d 01090216 0941522d 46697265 2d34301e 170d3136 30323139 31373134
32315a17 0d323630 32313631 37313432 315a302e 31123010 06035504 03130941
522d4669 72652d34 31183016 06092a86 4886f70d 01090216 0941522d 46697265
2d343081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100dc
12e80f50 3fb1980c b04e8a3c 0185c73f 570b5b79 06a34ba5 021d4753 106a3a19
2d30e8fd f9769998 1333c5ea ba8f7a0b 660d670d d73936e3 14079920 eb613346
22b396ce 0855d645 274fdef0 661aa19d 2fd9dca2 fe075e1a a72828d2 557f820d
7a38c133 29704597 fdcb1dfc 6a55d5ac 19ad046a 5e561764 25216a84 0a250b02
03010001 300d0609 2a864886 f70d0101 05050003 818100a8 83c21f5e dc2f7f65
eeff1ee3 89644bd6 1c7d4716 addfabd1 6e4eb64c 61b30096 8bf3661a 4ebd9cf8
9ad5fdb1 30a00feb 3700aa80 27d5fc29 7fec302d 9a68616d db18829a 3680d481
c7c9d8b5 495f15e0 395a79cd a75d020a 7e5377cc 11caa3a1 77298a7c 0d5c5926
f17d3315 64a64b9a d7ac9f9f fc3a9b98 51ef7f16 dede95
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint AR_IP2
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 10

dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd dns 8.8.8.8 interface inside
!
dhcpd address 192.168.2.5-192.168.2.15 MGT
dhcpd dns 8.8.8.8 interface MGT
dhcpd update dns interface MGT
dhcpd enable MGT
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point AR_IP2 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.0.00048-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-3.1.05178-k9.pkg 2
anyconnect profiles CO_VPN_client_profile disk0:/CO_VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.10.3.4
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value AutomatedResults.biz
webvpn
anyconnect firewall-rule client-interface public value outside_access_in
anyconnect firewall-rule client-interface private value outside_access_in
group-policy GroupPolicy_CO_VPN internal
group-policy GroupPolicy_CO_VPN attributes
wins-server none
dns-server value 10.10.3.4 192.168.111.4
vpn-access-hours none
vpn-simultaneous-logins 4
vpn-session-timeout none
vpn-tunnel-protocol ikev2 ssl-client
group-lock value CO_VPN
split-tunnel-policy tunnelall
default-domain none
vlan none
address-pools value test_Pool
webvpn
anyconnect ssl rekey method ssl
anyconnect profiles value CO_VPN_client_profile type user
group-policy GroupPolicy_COtest2 internal
group-policy GroupPolicy_COtest2 attributes
wins-server none
dns-server value 10.10.3.4 192.168.111.4
vpn-tunnel-protocol ikev2 ssl-client
default-domain value Acompany.biz

tunnel-group CO_VPN type remote-access
tunnel-group CO_VPN general-attributes
address-pool test_Pool
tunnel-group CO_VPN webvpn-attributes
group-alias CO_VPN enable
tunnel-group COtest2 type remote-access
tunnel-group COtest2 general-attributes
address-pool CO_Pool
default-group-policy GroupPolicy_COtest2
tunnel-group COtest2 webvpn-attributes
group-alias COtest2 enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f17c5123430181094a033ea9af3cf842
: end
Fire-4#

4 Replies

Dinesh Moudgil
Cisco Employee

Hi,

I see that you have the correct NAT setup:

nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.112.128_25 NETWORK_OBJ_192.168.112.128_25 no-proxy-arp route-lookup

I hope you are aware that you are sending all the VPN traffic to the next hop with the route:
route inside 0.0.0.0 0.0.0.0 10.10.3.1 tunneled

I do not see any route for VPN subnets pointing to outside interface.
Can you please add these routes and share the results:
route outside 192.168.112.128 255.255.255.128 68.235.255.77
route outside 192.168.99.0 255.255.255.0 68.235.255.77

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
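The two things this reply checks by eye, a NAT exemption that covers the VPN pool and a route for the pool on the outside interface, can be checked mechanically against a saved "show run". The following Python script is an added example, not code from the thread or from Cisco. It parses the relevant line types from a config fragment constructed out of the posted running config, reports per ip local pool whether an identity twice-NAT rule covers it and whether a pool-specific "route outside" exists, and also flags any tunnel-group that references an address pool which is never defined (in the posted config, tunnel-group COtest2 uses address-pool CO_Pool, but there is no "ip local pool CO_Pool"). The regular expressions encode my assumptions about the line formats; SUGGESTED_ROUTES is the pair of routes proposed above, applied to show the check changing.

```python
"""Static checks on an ASA 'show run' for the AnyConnect reachability points above.

Added example, not from the thread or from Cisco. Assumed: lines are in the plain
'show run' form seen in the post (indentation may be absent). The fragment below is
constructed from the posted config and trimmed to the relevant lines.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
ip local pool test_Pool 192.168.112.190-192.168.112.198 mask 255.255.255.0
ip local pool ANYCONNECT-POOL 192.168.99.1-192.168.99.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
subnet 192.168.99.0 255.255.255.0
object network NETWORK_OBJ_192.168.112.128_25
subnet 192.168.112.128 255.255.255.128
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.112.128_25 NETWORK_OBJ_192.168.112.128_25 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 68.235.255.77 1
route inside 0.0.0.0 0.0.0.0 10.10.3.1 tunneled
tunnel-group CO_VPN general-attributes
address-pool test_Pool
tunnel-group COtest2 general-attributes
address-pool CO_Pool
"""

# The two routes suggested in the reply above (constructed copy for the demo).
SUGGESTED_ROUTES = """\
route outside 192.168.112.128 255.255.255.128 68.235.255.77
route outside 192.168.99.0 255.255.255.0 68.235.255.77
"""


def parse_pools(cfg):
    """'ip local pool NAME first-last mask M' -> {NAME: (first, last)}."""
    pools = {}
    for m in re.finditer(r'^ip local pool (\S+) (\S+)-(\S+) mask \S+', cfg, re.M):
        name, first, last = m.groups()
        pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return pools


def parse_network_objects(cfg):
    """'object network NAME' followed by 'subnet A M' or 'host A' -> {NAME: network}."""
    objs, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r'^object network (\S+)', line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r'^\s*subnet (\S+) (\S+)', line)
        if m and current:
            objs[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        m = re.match(r'^\s*host (\S+)', line)
        if m and current:
            objs[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objs


def parse_nat_exemptions(cfg, objs):
    """Networks left untranslated by an identity twice NAT:
    'nat (inside,outside) source static X X destination static Y Y'."""
    pat = re.compile(r'^nat \(inside,outside\) source static (\S+) \1 destination static (\S+) \2', re.M)
    return [objs[m.group(2)] for m in pat.finditer(cfg) if m.group(2) in objs]


def parse_routes(cfg):
    """'route IFACE NET MASK NEXTHOP [metric] [tunneled]' -> (iface, network, nexthop, tunneled)."""
    routes = []
    for m in re.finditer(r'^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?( tunneled)?', cfg, re.M):
        iface, net, mask, nh, _metric, tunneled = m.groups()
        routes.append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False), nh, bool(tunneled)))
    return routes


def covers(net, first, last):
    return first in net and last in net


def check_pools(cfg):
    """Per pool: is it NAT-exempt, does a pool-specific outside route exist,
    and which default routes are marked 'tunneled'."""
    pools, objs = parse_pools(cfg), parse_network_objects(cfg)
    exempt, routes = parse_nat_exemptions(cfg, objs), parse_routes(cfg)
    tunneled = [str(net) for _i, net, _nh, t in routes if t]
    report = {}
    for name, (first, last) in pools.items():
        report[name] = {
            "nat_exempt": any(covers(n, first, last) for n in exempt),
            # The default route is excluded on purpose: the reply asks for a route
            # for the VPN subnet itself on the outside interface.
            "outside_route": any(i == "outside" and net.prefixlen > 0 and covers(net, first, last)
                                 for i, net, _nh, _t in routes),
            "tunneled_default": tunneled,
        }
    return report


def undefined_pool_references(cfg):
    """(tunnel-group, pool) pairs where 'address-pool' names a pool with no 'ip local pool'."""
    defined, refs, group = parse_pools(cfg), [], None
    for line in cfg.splitlines():
        m = re.match(r'^tunnel-group (\S+) general-attributes', line)
        if m:
            group = m.group(1)
        m = re.match(r'^\s*address-pool (\S+)', line)
        if m and group and m.group(1) not in defined:
            refs.append((group, m.group(1)))
    return sorted(refs)


if __name__ == "__main__":
    for name, r in check_pools(SAMPLE_CONFIG).items():
        print(name, r)
    print("undefined pool references:", undefined_pool_references(SAMPLE_CONFIG))
    print("after suggested routes:", check_pools(SAMPLE_CONFIG + SUGGESTED_ROUTES))
```

Run it against the full posted config (saved to a file and read into a string) to get the same report; the parser ignores every line type it does not know about.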

Dinesh,

That did not do it. I still get the same result.

Thanks,

Please share which tunnel-group you are connecting to so that I can give you a plan of action accordingly.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Both tunnel-groups are doing tunnel all.

I suggest doing the following:

establish a VPN connection using AnyConnect, then issue a packet-tracer:

packet-tracer input inside tcp <server IP> 12345 <VPN client IP> 80

If the tracer completes successfully...make sure it hits the VPN...then do a packet capture on the inside interface and see if you are able to see traffic in both directions:

capture capin interface inside match ip host <server IP> host <VPN client IP> detail

show cap capin

Then try to access the server via ping, RDP, whatever and issue the show cap capin command.

(Remember to remove the capture configuration when done.)

If you see traffic from the client heading toward the server but nothing in return, then check routing on the inside network. Perhaps there is a static route configured on the server itself that is sending traffic in the wrong direction, or perhaps there is a configuration fault for these VPN IPs elsewhere.

Also, if you only see traffic from the client to the server, it could be the ACL configured on the inside interface that is dropping traffic...as the drop will happen before the capture.

--

Please remember to select a correct answer and rate helpful posts
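The direction check this reply describes (client-to-server packets present, nothing coming back) can be automated over the text of "show cap capin" so that a long capture does not have to be read line by line. The following Python is an added example, not code from the thread or from Cisco. It assumes the one-line-per-packet, tcpdump-like format of "show capture NAME" without the "detail" keyword, where TCP/UDP endpoints appear as a.b.c.d.port; the two capture samples, the server address and the client address are constructed for the demo. The verdict strings and the NEXT_STEP hints are my own and follow the troubleshooting order given above.

```python
"""Direction check over 'show capture' output, as the reply above suggests.

Added example, not from the thread or from Cisco. Assumed line format:
'<n>: <time> <src>[.<port>] > <dst>[.<port>]: <protocol details>'. All sample
data below is constructed.
"""
import re

SERVER_IP = "10.10.3.4"      # constructed: an inside server
CLIENT_IP = "192.168.99.5"   # constructed: an address from ANYCONNECT-POOL

# Constructed capture: pings and RDP SYNs leave toward the server, nothing returns.
CAPTURE_ONE_WAY = """\
4 packets captured

   1: 13:05:40.130492 192.168.99.5 > 10.10.3.4: icmp: echo request
   2: 13:05:41.131004 192.168.99.5 > 10.10.3.4: icmp: echo request
   3: 13:05:42.131520 192.168.99.5.50123 > 10.10.3.4.3389: S 3155200221:3155200221(0) win 8192 <mss 1460>
   4: 13:05:45.132011 192.168.99.5.50123 > 10.10.3.4.3389: S 3155200221:3155200221(0) win 8192 <mss 1460>
4 packets shown
"""

# Constructed capture of a healthy exchange for comparison.
CAPTURE_BOTH_WAYS = """\
4 packets captured

   1: 13:10:01.000100 192.168.99.5 > 10.10.3.4: icmp: echo request
   2: 13:10:01.000700 10.10.3.4 > 192.168.99.5: icmp: echo reply
   3: 13:10:02.000100 192.168.99.5.50124 > 10.10.3.4.3389: S 1:1(0) win 8192 <mss 1460>
   4: 13:10:02.000900 10.10.3.4.3389 > 192.168.99.5.50124: S 2:2(0) ack 2 win 64240 <mss 1460>
4 packets shown
"""

# Packet lines start with an index and a timestamp; headers like '4 packets captured' do not match.
PACKET_RE = re.compile(r'^\s*\d+:\s+\S+\s+(\S+)\s+>\s+(\S+):')


def strip_port(endpoint):
    """ASA prints TCP/UDP endpoints as a.b.c.d.port; return just the IPv4 address."""
    parts = endpoint.split('.')
    return '.'.join(parts[:4]) if len(parts) == 5 else endpoint


def count_directions(capture_text, server_ip, client_ip):
    """Return (packets client->server, packets server->client) seen in the capture."""
    to_server = to_client = 0
    for line in capture_text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        src, dst = strip_port(m.group(1)), strip_port(m.group(2))
        if (src, dst) == (client_ip, server_ip):
            to_server += 1
        elif (src, dst) == (server_ip, client_ip):
            to_client += 1
    return to_server, to_client


def diagnose(capture_text, server_ip, client_ip):
    """Classify the flow between client and server as seen on the captured interface."""
    to_server, to_client = count_directions(capture_text, server_ip, client_ip)
    if to_server == 0 and to_client == 0:
        return "no-traffic"
    if to_client == 0:
        return "one-way-to-server"
    if to_server == 0:
        return "one-way-to-client"
    return "bidirectional"


# Where to look next, following the order given in the reply above.
NEXT_STEP = {
    "no-traffic": "nothing reached the inside interface: re-run packet-tracer and confirm the flow hits the VPN",
    "one-way-to-server": "client packets go out but nothing returns: check routing on the inside network, "
                         "any static route on the server itself, and the ACL on the inside interface",
    "one-way-to-client": "only return traffic seen: client-to-server packets are not reaching the inside interface",
    "bidirectional": "traffic flows both ways on the inside interface",
}

if __name__ == "__main__":
    for label, text in (("one-way", CAPTURE_ONE_WAY), ("both-ways", CAPTURE_BOTH_WAYS)):
        verdict = diagnose(text, SERVER_IP, CLIENT_IP)
        print(label, count_directions(text, SERVER_IP, CLIENT_IP), verdict, "->", NEXT_STEP[verdict])
```

Paste the real "show cap capin" output into a file, read it into a string, and call diagnose() with the actual server and client addresses used in the capture match statement.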