07-27-2018 11:26 AM - edited 07-27-2018 11:32 AM
Dear Community,
I am struggling to get a connection from the AnyConnect clients to the internal network as well as to the Site to Site VPN.
AnyConnect network 10.10.200.0 --> ASA with internal network 10.10.100.0 connected --> remote L2L site 192.168.1.1
If I try to ping from the AnyConnect client I can see in the ASA debug that the ping reaches the ASA. If I simulate the ping via packet tracer I get the following output for pings to the internal and the remote site, but only while AnyConnect clients are connected and the 10.10.200.0 network is recognized as directly connected. If no AnyConnect client is connected, the packet tracer succeeds in establishing the connection:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
I tried with permit any any ACLs but that doesn't change a thing.
Thanks for your input
12-19-2018 05:37 PM
The access lists on the local and remote VPN devices must be mirror images of each other. The ACL you removed was part of your site to site crypto map. You must have had an extra ACL entry that the remote end did not have, thus the VPN would not have worked.
07-27-2018 11:36 AM
Can you show us your configuration and more logs on the client side?
BB
07-27-2018 03:49 PM
The logs on the client only show the VPN client version and the remote IP, no errors.
I can ping the outside interface of the ASA, so the connection via AnyConnect works, I guess.
Please check below for the webvpn config on the ASA.
07-27-2018 01:36 PM
Do the S2S VPN and the remote access VPN terminate on the same ASA? Is it a full tunnel for the RA VPN? Running configuration would be good.
07-27-2018 03:45 PM
Yes, the RA and StS VPN terminate on the same ASA. Please let me know if you need further config.
I globally set permit any any in and out ACLs.
group-policy GroupPolicy_users attributes
 wins-server none
 dns-server value 208.67.222.222
 vpn-filter value users_Intern
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TestVPNAcl
 default-domain none
 address-pools value trustedVPN
 webvpn
  anyconnect profiles value UsersIntern_client_profile type user
tunnel-group UsersIntern type remote-access
tunnel-group UsersIntern general-attributes
 address-pool testvpn
 default-group-policy GroupPolicy_users
tunnel-group UsersIntern webvpn-attributes
 group-alias UsersIntern enable
username user attributes
 vpn-group-policy GroupPolicy_users
anyconnect enable
tunnel-group-list enable
access-list TestVPNAcl standard permit 10.10.100.0 255.255.255.0
access-list TestVPNAcl standard permit 192.168.1.0 255.255.255.0
access-list users_Intern extended permit ip any any
access-list user_Intern extended permit tcp any any
access-list users_Intern extended permit udp any any
access-list users_Intern extended permit icmp any any

UsersIntern_client_profile.xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
 <ServerList>
  <HostEntry>
   <HostName>prime (IPsec) IPv4</HostName>
   <HostAddress>12.12.12.12</HostAddress>
   <PrimaryProtocol>IPsec</PrimaryProtocol>
  </HostEntry>
 </ServerList>
</AnyConnectProfile>
07-28-2018 02:45 PM
So the connection via AnyConnect to the local network behind the ASA works. But packet tracer still shows that the packet is dropped for the very same ICMP echo request. Can anybody explain why?
07-31-2018 10:04 PM
-First off I'd like to let you know that what you are doing is called hair-pinning, also known as u-turning. I see you're using an ASA, so the guide below may help you a bit.
-Second, don't base your sole troubleshooting on packet tracer, as its output is often misleading, for example "dropped by acl" when in reality the problem could be with NAT.
In your case, once you connect with AnyConnect and use that same IP for a packet tracer it will drop it. Using an unused IP in the AnyConnect pool range will be more beneficial.
Since there are two parts to your adventure I would suggest breaking it into two parts:
1-Being able to connect with AnyConnect and ping an IP on the inside of the network successfully (not the ASA inside interface IP).
2-Get your tunnel up and be able to pass traffic across the tunnel.
Once these two parts are done you can start on your outside,outside NAT and "same-security-traffic permit intra-interface".
When you ping from the AnyConnect client to your internal network do you get a response? (Again, don't ping your inside interface IP, this is not a valid test.)
If you are not receiving a response back you can use an asp capture; it's a good idea to also add a buffer so your ASA does not crash.
run a continuous ping on the anyconnect client
then on the asa
"cap cap type asp-drop buffer 500000"
then do a "show cap cap | i (anyconnect client ip)" to see what's happening to the traffic
remove the capture after with "no cap cap"
You can also do captures on the inside and outside interface to see how far the packet is making it.
Some info on captures
08-24-2018 07:19 AM
Thank you very much for your detailed answer and troubleshooting guide.
I will dig into this again in a couple of days and try it out.
08-29-2018 07:01 AM
Hello again,
The connection via Cisco AnyConnect to the internal network now works fine.
However, I am still not able to ping the remote site-to-site VPN.
If I ping from a Cisco AnyConnect client, the ASA in the middle between the remote site and the Cisco AnyConnect client doesn't show any debug for the ICMP packets.
I didn't configure split dns and on the Windows client I get the entry in the routing table
0.0.0.0 0.0.0.0 10.10.200.1 10.10.200.2 2
So everything should go to the ASA.
For every other network I ping, even non-existent private IPs, I get an ICMP debug on the ASA, except for the 192.168.1.0/24 network, which is the remote site private network connected through the VPN tunnel on the ASA that terminates the AnyConnect client connection.
Any ideas why the ICMP for only this specific network isn't shown in the ASA ICMP debug?
Thanks
08-29-2018 07:24 AM
It seems that the packets get dropped by the ACLs.
Not sure why, because I have a global ACL in place globally permitting everything for my VPN client network 10.10.200.0/24.
09-13-2018 10:06 AM
Can you please provide the output from packet tracer?
09-14-2018 03:27 AM
Hello Roy,
glad that you are interested in my little problem.
The connection from the AnyConnect clients to the 10.10.110 network works fine.
Also the tunnel from the 10.10.110.0 network to the 192.168.1.1 network works fine.
The packets from the AnyConnect network get dropped by the firewall before they even reach the ICMP debug output on the ASA if I try to ping the remote L2L site:
802.1Q vlan#100 P0 10.10.200.2 > 192.168.1.90: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
Packet tracer output for the same traffic:
packet-tracer input outside icmp 10.10.200.4 8 0 192.168.1.9$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.90/0 to 192.168.1.90/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internetOut in interface outside
access-list internetOut extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe11341bd0, priority=13, domain=permit, deny=false
 hits=16, user_data=0x7fbe09f39180, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
 src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
 dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
 input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp
Additional Information:
Static translate 10.10.200.4/0 to 10.10.200.4/0
Forward Flow based lookup yields rule:
in id=0x7fbe109ff450, priority=6, domain=nat, deny=false
 hits=7022, user_data=0x7fbe10799630, cs_id=0x0, flags=0x0, protocol=0
 src ip/id=10.10.200.0, mask=255.255.255.0, port=0, tag=any
 dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
 input_ifc=outside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe0f8dbd40, priority=0, domain=nat-per-session, deny=true
 hits=248529, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
 input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe10576490, priority=0, domain=inspect-ip-options, deny=true
 hits=276998, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
 input_ifc=outside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe13da5cf0, priority=70, domain=ipsec-tunnel-flow, deny=false
 hits=270, user_data=0x0, cs_id=0x7fbe11308520, reverse, flags=0x0, protocol=0
 src ip/id=10.10.200.0, mask=255.255.255.0, port=0, tag=any
 dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
 input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I have a global rule in place to permit all traffic from the AnyConnect VPN network named Net_TrustedVPN.
Even if I put a global permit any any for all traffic, the ICMP packets still get dropped by the firewall.
Further, I added the rules for the site-to-site tunnel on the ASA:
access-list l2l_list extended permit ip object Net_TrustedVPN object Net_DC
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp
I cleared the ca but the ACL entry doesn't show up?
show crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 10.10.100.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.200.2/255.255.255.255/0/0)
      current_peer: XXXXXXXX, username: aaaaa
      dynamic allocated peer ip: 10.10.200.2
      dynamic allocated peer ip(ipv6): 0.0.0.0
      local crypto endpt.: 10.10.100.1/4500, remote crypto endpt.: XXXXXXX/63481

    Crypto map tag: map_crypto_l2l, seq num: 1, local addr: 10.10.100.1

      access-list l2l_list extended permit ip 10.10.110.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.110.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: XXXXXXXX
I would appreciate any comments on this topic.
09-14-2018 08:08 AM
Are you able to attach the full show run and X out the first 3 octets of any public IPs?
09-14-2018 09:00 AM
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname asa
enable password
names
ip local pool trustedVPN 10.10.200.1-10.10.200.250 mask 255.255.255.0
!
interface GigabitEthernet1/1
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet1/1.100
 vlan 100
 nameif outside
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside_1
 security-level 100
 no ip address
!
interface GigabitEthernet1/2.100
 vlan 10
 nameif TrustedIf
 security-level 100
 ip address 10.10.110.254 255.255.255.0
!
interface GigabitEthernet1/2.200
 vlan 20
 nameif InternIf
 security-level 80
 ip address 10.10.120.254 255.255.255.0
!
interface GigabitEthernet1/2.300
 vlan 30
 nameif ServerIf
 security-level 80
 ip address 10.10.130.254 255.255.255.0
!
interface GigabitEthernet1/2.400
 vlan 40
 nameif RestrictedIf
 security-level 50
 ip address 10.10.140.254 255.255.255.0
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif dings
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.10.99.1 255.255.255.0
!
interface BVI1
 no nameif
 security-level 100
 no ip address
!
interface BVI10
 no nameif
 no security-level
 no ip address
!
interface BVI99
 no nameif
 no security-level
 no ip address
!
interface vni99
 no nameif
 no security-level
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network Net_DC
 subnet 192.168.1.0 255.255.255.0
object network Net_Trusted
 subnet 10.10.110.0 255.255.255.0
object network Net_Management
 subnet 10.10.99.0 255.255.255.0
object network NETWORK_OBJ_10.10.11.0_24
 subnet 10.10.11.0 255.255.255.0
object network NETWORK_OBJ_10.10.110.192_26
 subnet 10.10.110.192 255.255.255.192
object network Net_TrustedVPN
 subnet 10.10.200.0 255.255.255.0
 description VPN Client Employees Intern
object network Net_Aprol
 subnet 10.10.130.0 255.255.255.0
object network Net_Outside
 subnet 10.10.100.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
access-list l2l_list extended permit ip object Net_Trusted object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_Trusted
access-list l2l_list extended permit ip object Net_Management object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_Management
access-list l2l_list extended permit ip object Net_TrustedVPN object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_TrustedVPN
access-list internetOut extended permit ip object Net_Trusted any
access-list internetOut extended permit icmp any any
access-list internetOut extended permit ip any 10.10.120.0 255.255.255.0 inactive
access-list internetOut extended permit ip object Net_Trusted 10.10.120.0 255.255.255.0
access-list internetOut extended permit ip object Net_Trusted object Net_Aprol
access-list internetOut extended permit ip object Net_TrustedVPN any
access-list internetOut extended permit ip object Net_TrustedVPN object Net_DC
access-list internetOut extended permit ip object Net_DC object Net_TrustedVPN
access-list internetOut extended permit ip object Net_TrustedVPN object Net_TrustedVPN
access-list internetOut extended permit ip any any inactive
access-list inetACL extended permit ip object Net_Trusted any
access-list InternIf_access_in_1 extended permit icmp any any
access-list InternIf_access_in_1 extended permit tcp any any eq telnet inactive
access-list InternIf_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
access-list TrustedIf_access_in extended permit icmp any any
access-list InternIf_access_out extended permit ip any object Net_Trusted inactive
access-list InternIf_access_out extended permit ip object Net_Trusted 10.10.120.0 255.255.255.0
access-list InternIf_access_out extended permit ip object Net_TrustedVPN 10.10.120.0 255.255.255.0
access-list TestVPNAcl standard permit 10.10.110.0 255.255.255.0
access-list TestVPNAcl standard permit 192.168.1.0 255.255.255.0
access-list TestVPNAcl standard permit 10.10.120.0 255.255.255.0
access-list TestVPNAcl standard permit 10.10.100.0 255.255.255.0
access-list TestVPNAcl standard permit 10.10.130.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list User_Intern extended permit ip any any
access-list User_Intern extended permit tcp any any
access-list User_Intern extended permit udp any any
access-list User_Intern extended permit icmp any any
access-list nothing standard permit host 0.0.0.0
access-list ServerIf_access_in extended permit ip object Net_Trusted object Net_Aprol
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu TrustedIf 1500
mtu InternIf 1500
mtu ServerIf 1500
mtu RestrictedIf 1500
mtu inside_2 1500
mtu dings 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (TrustedIf,outside) source static Net_Trusted Net_Trusted destination static Net_DC Net_DC no-proxy-arp
nat (outside,TrustedIf) source static Net_DC Net_DC destination static Net_Trusted Net_Trusted no-proxy-arp
nat (InternIf,outside) source static any any destination static NETWORK_OBJ_10.10.11.0_24 NETWORK_OBJ_10.10.11.0_24 no-proxy-arp route-lookup
nat (TrustedIf,outside) source static Net_Trusted Net_Trusted destination static NETWORK_OBJ_10.10.110.192_26 NETWORK_OBJ_10.10.110.192_26 no-proxy-arp route-lookup
nat (outside,TrustedIf) source static Net_TrustedVPN Net_TrustedVPN destination static Net_Trusted Net_Trusted no-proxy-arp
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp route-lookup
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_TrustedVPN Net_TrustedVPN
nat (outside,outside) source static Net_DC Net_DC destination static Net_TrustedVPN Net_TrustedVPN no-proxy-arp route-lookup
!
object network Net_TrustedVPN
 nat (outside,outside) dynamic interface
access-group internetOut in interface outside
access-group TrustedIf_access_in in interface TrustedIf
access-group internetOut out interface TrustedIf
access-group InternIf_access_in_1 in interface InternIf
access-group InternIf_access_out out interface InternIf
access-group ServerIf_access_in in interface ServerIf
access-group internetOut global
route outside 0.0.0.0 0.0.0.0 10.10.100.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 dings
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
http 10.10.10.0 255.255.255.0 dings
http 10.10.10.0 255.255.255.0 inside_2
http 10.10.99.0 255.255.255.0 management
http XXX.XXX.XXX224 255.255.255.248 outside
http 10.10.110.0 255.255.255.0 TrustedIf
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set SetDC esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map map_crypto_l2l 1 match address l2l_list
crypto map map_crypto_l2l 1 set pfs
crypto map map_crypto_l2l 1 set peer XXX.XXX.XXX.230
crypto map map_crypto_l2l 1 set ikev1 transform-set SetDC
crypto map map_crypto_l2l 1 set ikev2 ipsec-proposal secure
crypto map map_crypto_l2l 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map map_crypto_l2l interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=asa
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 3600
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh XXX.XXX.XXX224 255.255.255.248 outside
ssh XXX.XXX.XXX.230 255.255.255.255 outside
ssh timeout 20
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
console timeout 0
dhcpd dns 208.67.222.222 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 10.10.110.11-10.10.110.200 TrustedIf
dhcpd option 3 ip 10.10.110.254 interface TrustedIf
dhcpd enable TrustedIf
!
dhcpd address 10.10.120.11-10.10.120.240 InternIf
dhcpd option 3 ip 10.10.120.254 interface InternIf
dhcpd enable InternIf
!
dhcpd address 10.10.130.100-10.10.130.200 ServerIf
dhcpd option 3 ip 10.10.130.254 interface ServerIf
dhcpd enable ServerIf
!
dhcpd address 10.10.140.11-10.10.140.240 RestrictedIf
dhcpd option 3 ip 10.10.140.254 interface RestrictedIf
dhcpd enable RestrictedIf
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside_1
ssl trust-point ASDM_TrustPoint0 TrustedIf
ssl trust-point ASDM_TrustPoint0 InternIf
ssl trust-point ASDM_TrustPoint0 ServerIf
ssl trust-point ASDM_TrustPoint0 RestrictedIf
ssl trust-point ASDM_TrustPoint0 inside_2
ssl trust-point ASDM_TrustPoint0 dings
ssl trust-point ASDM_TrustPoint0 inside_4
ssl trust-point ASDM_TrustPoint0 inside_5
ssl trust-point ASDM_TrustPoint0 inside_6
ssl trust-point ASDM_TrustPoint0 inside_7
webvpn
 port 555
 enable outside
 dtls port 556
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3
 anyconnect profiles UserIntern_client_profile disk0:/UserIntern_client_profile.xml
 anyconnect profiles remoteUsersTest disk0:/remoteUsersTest_client_profile.xml
 anyconnect profiles remoteUsersTest_client_profile disk0:/remoteUsersTest_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_UserIntern internal
group-policy GroupPolicy_UserIntern attributes
 wins-server none
 dns-server value 208.67.222.222
 vpn-filter none
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 address-pools value trustedVPN
 client-firewall none
 client-access-rule none
 webvpn
  anyconnect profiles value UserIntern_client_profile type user
group-policy GroupPolicy_remoteUsersTest internal
group-policy GroupPolicy_remoteUsersTest attributes
 wins-server none
 dns-server value 208.67.222.222 208.67.222.220
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value TestVPNAcl
 default-domain none
 split-dns value 8.8.8.8
 address-pools value trustedVPN
 webvpn
  anyconnect profiles value remoteUsersTest_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username User1 password
username User1 attributes
 vpn-group-policy GroupPolicy_UserIntern
 service-type remote-access
username vpntest password
username vpntest attributes
 service-type remote-access
username vpnuser password privilege 0
username cisco password privilege 15
username corpadmin password privilege 15
username User password
username User attributes
 vpn-group-policy GroupPolicy_UserIntern
 service-type remote-access
tunnel-group XXX.XXX.XXX.230 type ipsec-l2l
tunnel-group XXX.XXX.XXX.230 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group remoteUsersTest type remote-access
tunnel-group remoteUsersTest general-attributes
 default-group-policy GroupPolicy_remoteUsersTest
tunnel-group remoteUsersTest webvpn-attributes
 group-alias remoteUsersTest enable
tunnel-group UserIntern type remote-access
tunnel-group UserIntern general-attributes
 address-pool trustedVPN
 default-group-policy GroupPolicy_UserIntern
tunnel-group UserIntern webvpn-attributes
 group-alias UserIntern enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
09-17-2018 11:59 PM
Removing this ACL entry from the config solved the problem:
access-list l2l_list extended permit ip object Net_DC object Net_TrustedVPN
I would very much appreciate if somebody could explain why.
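The accepted answer's rule (crypto ACLs on the two peers must be mirror images, with no extra entries) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the object definitions and the l2l_list lines posted above, flags entries whose reversed twin is also configured on the same ASA (the entry removed in the final post is one of these), lists entries whose destination is the AnyConnect pool, and diffs the local ACL against a mirrored peer ACL. The remote peer's configuration (REMOTE_CONFIG, ACL name to_asa) is constructed, since the thread never shows that side.

```python
"""Crypto-ACL sanity check for the thread's ASA (added example, not from the thread)."""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, Net, Net]  # (protocol, source, destination)

# Local ASA: object definitions and l2l_list exactly as posted in the thread.
LOCAL_CONFIG = """\
object network Net_DC
 subnet 192.168.1.0 255.255.255.0
object network Net_Trusted
 subnet 10.10.110.0 255.255.255.0
object network Net_TrustedVPN
 subnet 10.10.200.0 255.255.255.0
access-list l2l_list extended permit ip object Net_Trusted object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_Trusted
access-list l2l_list extended permit ip object Net_TrustedVPN object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_TrustedVPN
"""
# Constructed remote-peer config (the thread never shows that side): it only
# mirrors the LAN-to-LAN pair and knows nothing about the AnyConnect pool.
REMOTE_CONFIG = """\
object network Net_DC
 subnet 192.168.1.0 255.255.255.0
object network Net_Trusted
 subnet 10.10.110.0 255.255.255.0
access-list to_asa extended permit ip object Net_DC object Net_Trusted
"""
OBJ_RE = re.compile(r"^object network (\S+)\s+subnet (\S+) (\S+)$", re.M)

def parse_objects(config: str) -> Dict[str, Net]:
    """Resolve 'object network X' / 'subnet A M' pairs to IPv4 networks."""
    return {n: Net(f"{a}/{m}") for n, a, m in OBJ_RE.findall(config)}

def _addr(t: List[str], i: int, objs: Dict[str, Net]) -> Tuple[Net, int]:
    """Parse one address spec (object X | any | host H | A M) starting at t[i]."""
    if t[i] == "object":
        return objs[t[i + 1]], i + 2
    if t[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return Net(f"{t[i + 1]}/32"), i + 2
    return Net(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_crypto_acl(config: str, acl: str, objs: Dict[str, Net]) -> List[Entry]:
    """Collect the permit lines of one extended ACL as (proto, src, dst) tuples."""
    entries: List[Entry] = []
    for line in config.splitlines():
        t = line.split()
        if t[:4] != ["access-list", acl, "extended", "permit"]:
            continue
        src, i = _addr(t, 5, objs)
        dst, _ = _addr(t, i, objs)
        entries.append((t[4], src, dst))
    return entries

def redundant_reverse_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose dst->src twin is also configured on the same device.
    A crypto ACL is matched in both directions, so the twin adds nothing; the
    line the thread removed to clear the drop is exactly such an entry."""
    present = set(entries)
    return [e for e in entries if e[1] != e[2] and (e[0], e[2], e[1]) in present]

def entries_with_dst_in(entries: List[Entry], pool: Net) -> List[Entry]:
    """Entries whose destination lies inside the remote-access address pool."""
    return [e for e in entries if e[2].subnet_of(pool)]

def mirror_mismatch(local: List[Entry], remote: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """(local entries the peer does not mirror, peer entries we do not mirror)."""
    mirrored = {(p, d, s) for p, s, d in remote}
    mine = set(local)
    key = lambda e: (e[0], str(e[1]), str(e[2]))
    return sorted(mine - mirrored, key=key), sorted(mirrored - mine, key=key)

def fmt(e: Entry) -> str:
    return f"{e[0]} {e[1]} -> {e[2]}"

if __name__ == "__main__":
    local = parse_crypto_acl(LOCAL_CONFIG, "l2l_list", parse_objects(LOCAL_CONFIG))
    remote = parse_crypto_acl(REMOTE_CONFIG, "to_asa", parse_objects(REMOTE_CONFIG))
    print("reverse twins (redundant):", [fmt(e) for e in redundant_reverse_entries(local)])
    print("dst in AnyConnect pool:", [fmt(e) for e in entries_with_dst_in(local, Net("10.10.200.0/24"))])
    print("not mirrored by peer / extra on peer:", [[fmt(e) for e in s] for s in mirror_mismatch(local, remote)])
```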