07-27-2018 11:26 AM - edited 07-27-2018 11:32 AM
Dear Community,
I am struggling to get a connection from the AnyConnect clients to the internal network as well as to the Site to Site VPN.
Anyconnect Network 10.10.200.0 --> ASA with internal network 10.10.100.0 connected --> remote l2l site 192.168.1.1
If I try to ping from the AnyConnect client I can see on the ASA debug that the ping reaches the ASA. If I simulate the ping via packet tracer I get the following output for pings to the internal and the remote site, but only if AnyConnect clients are connected and the 10.10.200.0 network is recognized as directly connected. If no AnyConnect client is connected, the packet tracer succeeds in establishing the connection:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
I tried with permit any any ACLs but that doesn't change a thing.
Thanks for your input
on 12-19-2018 05:37 PM
The access lists on the local and remote VPN devices must be mirror images of each other. The ACL you removed was part of your site-to-site crypto map. You must have had an extra ACL entry that the remote end did not have, thus the VPN would not have worked.
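As an added example (not from the thread and not a Cisco tool), here is a Python check for the mirror-image rule above: it parses ASA "object network" definitions and "access-list ... extended permit ip" lines, resolves the objects, and flags every entry on either side that the other side does not mirror. The local side is the l2l_list posted in the thread; the peer's ACL (named to_hq) is a constructed assumption of a peer that protects 192.168.1.0/24 and mirrors only the three local networks.

```python
import ipaddress
import re

# Constructed sample: the local ASA's object definitions and its l2l_list crypto ACL as posted.
LOCAL_CONFIG = """
object network Net_DC
 subnet 192.168.1.0 255.255.255.0
object network Net_Trusted
 subnet 10.10.110.0 255.255.255.0
object network Net_Management
 subnet 10.10.99.0 255.255.255.0
object network Net_TrustedVPN
 subnet 10.10.200.0 255.255.255.0
access-list l2l_list extended permit ip object Net_Trusted object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_Trusted
access-list l2l_list extended permit ip object Net_Management object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_Management
access-list l2l_list extended permit ip object Net_TrustedVPN object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_TrustedVPN
"""

# Constructed assumption: the peer's crypto ACL, protecting 192.168.1.0/24 and nothing else.
REMOTE_CONFIG = """
access-list to_hq extended permit ip 192.168.1.0 255.255.255.0 10.10.110.0 255.255.255.0
access-list to_hq extended permit ip 192.168.1.0 255.255.255.0 10.10.99.0 255.255.255.0
access-list to_hq extended permit ip 192.168.1.0 255.255.255.0 10.10.200.0 255.255.255.0
"""


def parse_objects(config):
    """Map 'object network NAME' / ' subnet A M' pairs to ip_network objects."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objects


def _take_address(tokens, objects):
    """Consume one ASA address spec (any | host A | object N | A M); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "object":
        return objects[tokens[1]], tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_crypto_acl(config, name, objects):
    """Return [(src_net, dst_net), ...] for the 'permit ip' entries of ACL `name`."""
    entries = []
    pattern = re.compile(rf"access-list {re.escape(name)} extended permit ip (.+)")
    for line in config.splitlines():
        m = pattern.match(line.strip())
        if m:
            src, rest = _take_address(m.group(1).split(), objects)
            dst, _ = _take_address(rest, objects)
            entries.append((src, dst))
    return entries


def mirror_report(local, remote):
    """Entries on each side whose swapped (dst, src) counterpart is missing on the other side."""
    remote_set, local_set = set(remote), set(local)
    local_extra = [(s, d) for s, d in local if (d, s) not in remote_set]
    remote_extra = [(s, d) for s, d in remote if (d, s) not in local_set]
    return local_extra, remote_extra


def check_thread_config():
    """Run the mirror check on the constructed sample; returns (local_extra, remote_extra)."""
    objects = parse_objects(LOCAL_CONFIG)
    local = parse_crypto_acl(LOCAL_CONFIG, "l2l_list", objects)
    remote = parse_crypto_acl(REMOTE_CONFIG, "to_hq", {})
    return mirror_report(local, remote)


if __name__ == "__main__":
    for side, extras in zip(("local", "peer"), check_thread_config()):
        for src, dst in extras:
            print(f"{side} entry {src} -> {dst} has no mirror on the other side")
```

Against this peer the check reports all three Net_DC -> X entries, including the Net_DC -> Net_TrustedVPN line whose removal resolved the thread; the peer side comes back clean.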
on 07-27-2018 11:36 AM
Can you show us your configuration and more logs on the client side?
BB
on 07-27-2018 03:49 PM
The logs on the client only show the VPN client version and the remote IP, no errors.
I can ping the outside interface of the ASA, so the connection via AnyConnect works, I guess.
Please check below for the webvpn config on the ASA
on 07-27-2018 01:36 PM
Do the S2S VPN and the remote access VPN terminate on the same ASA? Is it a full tunnel for the RA VPN? Running configuration would be good.
on 07-27-2018 03:45 PM
Yes the RA and StS VPN terminate on the same ASA. Please let me know if you need further config.
I globally set permit any any ACLs, both in and out.
group-policy GroupPolicy_users attributes
 wins-server none
 dns-server value 208.67.222.222
 vpn-filter value users_Intern
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TestVPNAcl
 default-domain none
 address-pools value trustedVPN
 webvpn
  anyconnect profiles value UsersIntern_client_profile type user
tunnel-group UsersIntern type remote-access
tunnel-group UsersIntern general-attributes
 address-pool testvpn
 default-group-policy GroupPolicy_users
tunnel-group UsersIntern webvpn-attributes
 group-alias UsersIntern enable
username user attributes
 vpn-group-policy GroupPolicy_users
anyconnect enable
tunnel-group-list enable
access-list TestVPNAcl standard permit 10.10.100.0 255.255.255.0
access-list TestVPNAcl standard permit 192.168.1.0 255.255.255.0
access-list users_Intern extended permit ip any any
access-list user_Intern extended permit tcp any any
access-list users_Intern extended permit udp any any
access-list users_Intern extended permit icmp any any

UsersIntern_client_profile.xml:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
 <ServerList>
  <HostEntry>
   <HostName>prime (IPsec) IPv4</HostName>
   <HostAddress>12.12.12.12</HostAddress>
   <PrimaryProtocol>IPsec</PrimaryProtocol>
  </HostEntry>
 </ServerList>
</AnyConnectProfile>
on 07-28-2018 02:45 PM
So the connection via AnyConnect to the local network behind the ASA works. But packet tracer still shows that the packet is dropped for the very same ICMP echo request. Can anybody explain why?
on 07-31-2018 10:04 PM
-First off, I'd like to let you know that what you are doing is called hair-pinning, also known as U-turning. I see you're using an ASA, so the guide below may help you a bit.
-Second, don't base your sole troubleshooting on packet tracer, as its output is often misleading, for example "dropped by acl" when in reality the problem could be with NAT.
In your case, once you connect with AnyConnect and use that same IP for a packet tracer, it will drop it. Using an unused IP in the AnyConnect pool range will be more beneficial.
Since there are two parts to your adventure, I would suggest breaking it into two parts:
1- Being able to connect to AnyConnect and ping an IP on the inside of the network successfully (not the ASA inside interface IP).
2- Get your tunnel up and be able to pass traffic across the tunnel.
Once these two parts are done you can start your outside,outside NAT and "same-security-traffic permit intra-interface".
When you ping from the AnyConnect client to your internal network, do you get a response? (Again, don't ping your inside interface IP; this is not a valid test.)
If you are not receiving a response back you can use an ASP capture; it's a good idea to also add a buffer so your ASA does not crash.
Run a continuous ping on the AnyConnect client,
then on the ASA:
"cap cap type asp-drop buffer 500000"
then do a "show cap cap | i (anyconnect client ip)" to see what's happening to the traffic.
Remove the capture afterwards with "no cap cap".
You can also do captures on the inside and outside interface to see how far the packet is making it.
Some info on captures
on 08-24-2018 07:19 AM
Thank you very much for your detailed answer and troubleshooting guide.
I will dig into this again in a couple of days and try it out.
on 08-29-2018 07:01 AM
Hello again,
The connection via Cisco AnyConnect to the internal network now works fine.
However, I am still not able to ping to the remote Site-to-Site VPN.
If I ping from a Cisco AnyConnect client, the ASA in the middle between the remote site and the Cisco AnyConnect client doesn't show any debug output for the ICMP packets.
I didn't configure split DNS, and on the Windows client I get this entry in the routing table:
0.0.0.0 0.0.0.0 10.10.200.1 10.10.200.2 2
So everything should go to the ASA.
For every other network I ping, even non-existing private IPs, I get an ICMP debug on the ASA, except for the 192.168.1.0/24 network, which is the remote site's private network connected through the VPN tunnel on the ASA that terminates the AnyConnect client connection.
Any ideas why the ICMP for only this specific network isn't shown on the ASA ICMP debug?
Thanks
on 08-29-2018 07:24 AM
It seems that the packets get dropped by the ACLs.
Not sure why, because I have a global ACL in place globally permitting everything for my VPN client network 10.10.200.0/24.
on 09-13-2018 10:06 AM
Can you please provide the output from packet tracer?
on 09-14-2018 03:27 AM
Hello Roy,
glad that you are interested in my little problem.
The connection from the AnyConnect clients to the 10.10.110 network works fine.
Also the tunnel from the 10.10.110.0 network to the 192.168.1.1 network works fine.
The packets from the AnyConnect network get dropped by the firewall before they even reach the ICMP debug output on the ASA if I try to ping the remote L2L site:
802.1Q vlan#100 P0 10.10.200.2 > 192.168.1.90: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
Packet tracer output for the same traffic:
packet-tracer input outside icmp 10.10.200.4 8 0 192.168.1.9$
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.90/0 to 192.168.1.90/0
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internetOut in interface outside
access-list internetOut extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe11341bd0, priority=13, domain=permit, deny=false
hits=16, user_data=0x7fbe09f39180, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp
Additional Information:
Static translate 10.10.200.4/0 to 10.10.200.4/0
Forward Flow based lookup yields rule:
in id=0x7fbe109ff450, priority=6, domain=nat, deny=false
hits=7022, user_data=0x7fbe10799630, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.10.200.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe0f8dbd40, priority=0, domain=nat-per-session, deny=true
hits=248529, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe10576490, priority=0, domain=inspect-ip-options, deny=true
hits=276998, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe13da5cf0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=270, user_data=0x0, cs_id=0x7fbe11308520, reverse, flags=0x0, protocol=0
src ip/id=10.10.200.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I have a global rule in place to permit all traffic from the AnyConnect VPN network named Net_TrustedVPN.
Even if I put in a global permit any any for all traffic, the ICMP packets still get dropped by the firewall.
Furthermore, I added the rules for the Site-to-Site tunnel on the ASA:
access-list l2l_list extended permit ip object Net_TrustedVPN object Net_DC
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp
I cleared the ca but the ACL entry doesn't show up?
show crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 10.10.100.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.200.2/255.255.255.255/0/0)
current_peer: XXXXXXXX, username: aaaaa
dynamic allocated peer ip: 10.10.200.2
dynamic allocated peer ip(ipv6): 0.0.0.0
local crypto endpt.: 10.10.100.1/4500, remote crypto endpt.: XXXXXXX/63481
Crypto map tag: map_crypto_l2l, seq num: 1, local addr: 10.10.100.1
access-list l2l_list extended permit ip 10.10.110.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.110.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: XXXXXXXX
I kindly appreciate any comments on this topic
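As an added example (not from the thread and not a Cisco tool), here is a small Python parser for packet-tracer output: it walks the phases and reports the one that actually produced the DROP together with the rule it matched, so the generic "(acl-drop)" summary can be attributed to the VPN/ipsec-tunnel-flow phase rather than to the ACCESS-LIST phase, which returned ALLOW. SAMPLE is the output posted above, shortened to those two phases and the final result block.

```python
import ipaddress
import re

# Constructed sample: the thread's packet-tracer output, cut down to the ACL phase that
# passed and the VPN phase that dropped the flow, plus the final summary block.
SAMPLE = """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internetOut in interface outside
access-list internetOut extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe11341bd0, priority=13, domain=permit, deny=false
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbe13da5cf0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=270, user_data=0x0, cs_id=0x7fbe11308520, reverse, flags=0x0, protocol=0
src ip/id=10.10.200.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

ADDR_RE = re.compile(r"(src|dst) ip/id=([^,\s]+), mask=([^,\s]+)")


def parse_phases(text):
    """Split packet-tracer output into a list of phase dicts and the final summary dict."""
    phases, summary, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "config": [], "rule": {}}
            phases.append(current)
            continue
        if line == "Result:":            # a bare 'Result:' opens the final summary block
            current = None
            continue
        key, sep, value = line.partition(":")
        if current is None:              # outside any phase: collect summary key/values
            if sep:
                summary[key.strip()] = value.strip()
            continue
        m = ADDR_RE.match(line)
        if m:                            # normalise 'ip, mask' pairs to CIDR notation
            current["rule"][m.group(1)] = str(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
        elif sep and key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value.strip()
        elif line.startswith(("access-group ", "access-list ", "nat ")):
            current["config"].append(line)   # the configured rule shown under 'Config:'
        elif "=" in line and not line.startswith("hits="):
            for part in line.split(", "):    # e.g. 'domain=permit, deny=false'
                k, _, v = part.partition("=")
                if v:
                    current["rule"][k.strip()] = v.strip()
    return phases, summary


def first_drop(text):
    """Return (the first phase whose Result is DROP or None, the summary dict)."""
    phases, summary = parse_phases(text)
    return next((p for p in phases if p.get("result") == "DROP"), None), summary


def explain(text):
    """One-line triage verdict naming the phase and rule that actually dropped the flow."""
    phase, summary = first_drop(text)
    if phase is None:
        return f"no DROP phase; action={summary.get('Action', 'unknown')}"
    rule = phase["rule"]
    return (f"phase {phase['phase']} {phase.get('type')}/{phase.get('subtype')} "
            f"(domain={rule.get('domain')}) dropped {rule.get('src')} -> {rule.get('dst')}; "
            f"{summary.get('Drop-reason', 'no drop reason')}")


if __name__ == "__main__":
    print(explain(SAMPLE))
```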
on 09-14-2018 08:08 AM
Are you able to attach the full show run and x out the first 3 octets of any public IPs?
on 09-14-2018 09:00 AM
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname asa
enable password
names
ip local pool trustedVPN 10.10.200.1-10.10.200.250 mask 255.255.255.0
!
interface GigabitEthernet1/1
no nameif
security-level 0
no ip address
!
interface GigabitEthernet1/1.100
vlan 100
nameif outside
security-level 100
ip address 10.10.100.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside_1
security-level 100
no ip address
!
interface GigabitEthernet1/2.100
vlan 10
nameif TrustedIf
security-level 100
ip address 10.10.110.254 255.255.255.0
!
interface GigabitEthernet1/2.200
vlan 20
nameif InternIf
security-level 80
ip address 10.10.120.254 255.255.255.0
!
interface GigabitEthernet1/2.300
vlan 30
nameif ServerIf
security-level 80
ip address 10.10.130.254 255.255.255.0
!
interface GigabitEthernet1/2.400
vlan 40
nameif RestrictedIf
security-level 50
ip address 10.10.140.254 255.255.255.0
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif dings
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 10.10.99.1 255.255.255.0
!
interface BVI1
no nameif
security-level 100
no ip address
!
interface BVI10
no nameif
no security-level
no ip address
!
interface BVI99
no nameif
no security-level
no ip address
!
interface vni99
no nameif
no security-level
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network Net_DC
subnet 192.168.1.0 255.255.255.0
object network Net_Trusted
subnet 10.10.110.0 255.255.255.0
object network Net_Management
subnet 10.10.99.0 255.255.255.0
object network NETWORK_OBJ_10.10.11.0_24
subnet 10.10.11.0 255.255.255.0
object network NETWORK_OBJ_10.10.110.192_26
subnet 10.10.110.192 255.255.255.192
object network Net_TrustedVPN
subnet 10.10.200.0 255.255.255.0
description VPN Client Employees Intern
object network Net_Aprol
subnet 10.10.130.0 255.255.255.0
object network Net_Outside
subnet 10.10.100.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
access-list l2l_list extended permit ip object Net_Trusted object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_Trusted
access-list l2l_list extended permit ip object Net_Management object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_Management
access-list l2l_list extended permit ip object Net_TrustedVPN object Net_DC
access-list l2l_list extended permit ip object Net_DC object Net_TrustedVPN
access-list internetOut extended permit ip object Net_Trusted any
access-list internetOut extended permit icmp any any
access-list internetOut extended permit ip any 10.10.120.0 255.255.255.0 inactive
access-list internetOut extended permit ip object Net_Trusted 10.10.120.0 255.255.255.0
access-list internetOut extended permit ip object Net_Trusted object Net_Aprol
access-list internetOut extended permit ip object Net_TrustedVPN any
access-list internetOut extended permit ip object Net_TrustedVPN object Net_DC
access-list internetOut extended permit ip object Net_DC object Net_TrustedVPN
access-list internetOut extended permit ip object Net_TrustedVPN object Net_TrustedVPN
access-list internetOut extended permit ip any any inactive
access-list inetACL extended permit ip object Net_Trusted any
access-list InternIf_access_in_1 extended permit icmp any any
access-list InternIf_access_in_1 extended permit tcp any any eq telnet inactive
access-list InternIf_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
access-list TrustedIf_access_in extended permit icmp any any
access-list InternIf_access_out extended permit ip any object Net_Trusted inactive
access-list InternIf_access_out extended permit ip object Net_Trusted 10.10.120.0 255.255.255.0
access-list InternIf_access_out extended permit ip object Net_TrustedVPN 10.10.120.0 255.255.255.0
access-list TestVPNAcl standard permit 10.10.110.0 255.255.255.0
access-list TestVPNAcl standard permit 192.168.1.0 255.255.255.0
access-list TestVPNAcl standard permit 10.10.120.0 255.255.255.0
access-list TestVPNAcl standard permit 10.10.100.0 255.255.255.0
access-list TestVPNAcl standard permit 10.10.130.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list User_Intern extended permit ip any any
access-list User_Intern extended permit tcp any any
access-list User_Intern extended permit udp any any
access-list User_Intern extended permit icmp any any
access-list nothing standard permit host 0.0.0.0
access-list ServerIf_access_in extended permit ip object Net_Trusted object Net_Aprol
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu TrustedIf 1500
mtu InternIf 1500
mtu ServerIf 1500
mtu RestrictedIf 1500
mtu inside_2 1500
mtu dings 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (TrustedIf,outside) source static Net_Trusted Net_Trusted destination static Net_DC Net_DC no-proxy-arp
nat (outside,TrustedIf) source static Net_DC Net_DC destination static Net_Trusted Net_Trusted no-proxy-arp
nat (InternIf,outside) source static any any destination static NETWORK_OBJ_10.10.11.0_24 NETWORK_OBJ_10.10.11.0_24 no-proxy-arp route-lookup
nat (TrustedIf,outside) source static Net_Trusted Net_Trusted destination static NETWORK_OBJ_10.10.110.192_26 NETWORK_OBJ_10.10.110.192_26 no-proxy-arp route-lookup
nat (outside,TrustedIf) source static Net_TrustedVPN Net_TrustedVPN destination static Net_Trusted Net_Trusted no-proxy-arp
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_DC Net_DC no-proxy-arp route-lookup
nat (outside,outside) source static Net_TrustedVPN Net_TrustedVPN destination static Net_TrustedVPN Net_TrustedVPN
nat (outside,outside) source static Net_DC Net_DC destination static Net_TrustedVPN Net_TrustedVPN no-proxy-arp route-lookup
!
object network Net_TrustedVPN
nat (outside,outside) dynamic interface
access-group internetOut in interface outside
access-group TrustedIf_access_in in interface TrustedIf
access-group internetOut out interface TrustedIf
access-group InternIf_access_in_1 in interface InternIf
access-group InternIf_access_out out interface InternIf
access-group ServerIf_access_in in interface ServerIf
access-group internetOut global
route outside 0.0.0.0 0.0.0.0 10.10.100.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 dings
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
http 10.10.10.0 255.255.255.0 dings
http 10.10.10.0 255.255.255.0 inside_2
http 10.10.99.0 255.255.255.0 management
http XXX.XXX.XXX224 255.255.255.248 outside
http 10.10.110.0 255.255.255.0 TrustedIf
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set SetDC esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map map_crypto_l2l 1 match address l2l_list
crypto map map_crypto_l2l 1 set pfs
crypto map map_crypto_l2l 1 set peer XXX.XXX.XXX.230
crypto map map_crypto_l2l 1 set ikev1 transform-set SetDC
crypto map map_crypto_l2l 1 set ikev2 ipsec-proposal secure
crypto map map_crypto_l2l 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map map_crypto_l2l interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=asa
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 3600
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh XXX.XXX.XXX224 255.255.255.248 outside
ssh XXX.XXX.XXX.230 255.255.255.255 outside
ssh timeout 20
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
console timeout 0
dhcpd dns 208.67.222.222 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 10.10.110.11-10.10.110.200 TrustedIf
dhcpd option 3 ip 10.10.110.254 interface TrustedIf
dhcpd enable TrustedIf
!
dhcpd address 10.10.120.11-10.10.120.240 InternIf
dhcpd option 3 ip 10.10.120.254 interface InternIf
dhcpd enable InternIf
!
dhcpd address 10.10.130.100-10.10.130.200 ServerIf
dhcpd option 3 ip 10.10.130.254 interface ServerIf
dhcpd enable ServerIf
!
dhcpd address 10.10.140.11-10.10.140.240 RestrictedIf
dhcpd option 3 ip 10.10.140.254 interface RestrictedIf
dhcpd enable RestrictedIf
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside_1
ssl trust-point ASDM_TrustPoint0 TrustedIf
ssl trust-point ASDM_TrustPoint0 InternIf
ssl trust-point ASDM_TrustPoint0 ServerIf
ssl trust-point ASDM_TrustPoint0 RestrictedIf
ssl trust-point ASDM_TrustPoint0 inside_2
ssl trust-point ASDM_TrustPoint0 dings
ssl trust-point ASDM_TrustPoint0 inside_4
ssl trust-point ASDM_TrustPoint0 inside_5
ssl trust-point ASDM_TrustPoint0 inside_6
ssl trust-point ASDM_TrustPoint0 inside_7
webvpn
port 555
enable outside
dtls port 556
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3
anyconnect profiles UserIntern_client_profile disk0:/UserIntern_client_profile.xml
anyconnect profiles remoteUsersTest disk0:/remoteUsersTest_client_profile.xml
anyconnect profiles remoteUsersTest_client_profile disk0:/remoteUsersTest_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_UserIntern internal
group-policy GroupPolicy_UserIntern attributes
wins-server none
dns-server value 208.67.222.222
vpn-filter none
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
address-pools value trustedVPN
client-firewall none
client-access-rule none
webvpn
anyconnect profiles value UserIntern_client_profile type user
group-policy GroupPolicy_remoteUsersTest internal
group-policy GroupPolicy_remoteUsersTest attributes
wins-server none
dns-server value 208.67.222.222 208.67.222.220
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy excludespecified
split-tunnel-network-list value TestVPNAcl
default-domain none
split-dns value 8.8.8.8
address-pools value trustedVPN
webvpn
anyconnect profiles value remoteUsersTest_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username User1 password
username User1 attributes
vpn-group-policy GroupPolicy_UserIntern
service-type remote-access
username vpntest password
username vpntest attributes
service-type remote-access
username vpnuser password privilege 0
username cisco password privilege 15
username corpadmin password privilege 15
username User password
username User attributes
vpn-group-policy GroupPolicy_UserIntern
service-type remote-access
tunnel-group XXX.XXX.XXX.230 type ipsec-l2l
tunnel-group XXX.XXX.XXX.230 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group remoteUsersTest type remote-access
tunnel-group remoteUsersTest general-attributes
default-group-policy GroupPolicy_remoteUsersTest
tunnel-group remoteUsersTest webvpn-attributes
group-alias remoteUsersTest enable
tunnel-group UserIntern type remote-access
tunnel-group UserIntern general-attributes
address-pool trustedVPN
default-group-policy GroupPolicy_UserIntern
tunnel-group UserIntern webvpn-attributes
group-alias UserIntern enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
on 09-17-2018 11:59 PM
Removing this ACL entry from the config solved the problem:
access-list l2l_list extended permit ip object Net_DC object Net_TrustedVPN
I would very much appreciate it if somebody could explain why.