Solved: Anyconnect users cannot access internal network - Page 2

HampusAtea · ‎10-31-2012

Hi!

Just sat up a new Anyconnect VPN solution for a customer. It works almost perfect.

The anyconnect users cannot reach the internal network storage. The anyconnect users can reach the internet but nothing on the internal network.

(Have removed all passwords and public IP adresses)

ASA Version 8.4(4)1

!

hostname ciscoasa

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address

!

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 213.80.98.2

name-server 213.80.101.3

object network obj_any

subnet 0.0.0.0 0.0.0.0

access-list NONAT extended permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0

access-list AnyConnect_Client_Local_Print extended deny ip any any

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137

access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns

pager lines 24

logging enable

logging asdm debugging

mtu inside 1500

mtu outside 1500

ip local pool SSLClientPool 192.168.9.50-192.168.9.80 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

!

object network obj_any

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.9.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.9.2-192.168.9.33 inside

dhcpd option 3 ip 192.168.9.1 interface inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.3046-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy SSLClitentPolicy internal

group-policy SSLClientPolicy internal

group-policy SSLClientPolicy attributes

dns-server value 192.168.9.5

vpn-tunnel-protocol ssl-client

address-pools value SSLClientPool

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

tunnel-group VPN type remote-access

tunnel-group SSLClientProfile type remote-access

tunnel-group SSLClientProfile general-attributes

default-group-policy SSLClientPolicy

tunnel-group SSLClientProfile webvpn-attributes

group-alias SSLVPNClient enable

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:6a58e90dc61dfbf7ba15e059e5931609

: end

HampusAtea · ‎11-01-2012

Hi!

Now it's working! Thank you!

paulchernoff · ‎09-29-2017

And I've been trying to fix this very problem for 2 days. This solved it.