03-19-2024 08:09 AM
Hi Guys,
Managed to get our VPN connection to login and work. I can access anything locally on the office network such as file servers etc but we have no internet access. We don't want to split tunnel as all traffic needs to go through the office ASA for IP restricted servers, websites etc.
What are we missing? Here is our config albeit with some bits committed mainly objects and certificates:
Result of the command: "show running-config"
: Saved
:
: Serial Number: JAD27200585
: Hardware: FPR-1010, 7204 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
ASA Version 9.16(2)3
!
hostname ciscoasa
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
!
license smart
feature tier standard
names
no mac-address auto
ip local pool VPN-IP-Range 10.0.100.15-10.0.100.20 mask 255.255.255.0
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.100.1 255.255.255.0
!
interface Ethernet1/1
no switchport
nameif outside
security-level 0
pppoe client vpdn group EHS
ip address pppoe setroute
!
interface Ethernet1/2
switchport
!
interface Ethernet1/3
switchport
!
interface Ethernet1/4
switchport
!
interface Ethernet1/5
switchport
!
interface Ethernet1/6
switchport
!
interface Ethernet1/7
switchport
power inline auto
!
interface Ethernet1/8
switchport
power inline auto
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.45.1 255.255.255.0
!
interface BVI1
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222 outside
name-server 208.67.220.220 outside
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
host EXTERNALIP
object service PPTP-srv
service tcp source eq pptp
object service https
service tcp source eq https
object service http
service tcp source eq www
object service ESET
service tcp source eq 2222
object service SVN
service tcp source eq 8443
object service MPWEB
service tcp source eq 8444
access-list outside_access_in remark EHS VPN Connection
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object EHS_VPN_SERVER
access-list outside_access_in extended permit tcp any object-group Development_Agent_Servers object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object EHSDEVAPP01 object-group SVN_Connection
access-list outside_access_in remark ESET Management Server incoming connections
access-list outside_access_in extended permit tcp any object EHS_ESET_SERVER object-group ESET_Server
access-list outside_access_in extended permit tcp any object EHSDEVAPP01 object-group Dev_MPWeb_External
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit tcp any eq pptp any
access-list outside_cryptomap extended permit ip 10.0.100.0 255.255.255.0 object UK_HOSTED_NETWORK
access-list VPN_Filter extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_3
access-list VPN_Filter extended permit ip object USA_HOSTED_DC_CONTROLLER object-group DM_INLINE_NETWORK_4
access-list VPN_Filter extended permit ip object CANADA_DOMAIN_CONTROLLER object-group DM_INLINE_NETWORK_5
access-list VPN_Filter extended permit ip object EA_DOMAIN_CONTROLLER object-group DM_INLINE_NETWORK_6
access-list outside_cryptomap_1 extended permit ip 10.0.100.0 255.255.255.0 object USA_Network
access-list outside_cryptomap_2 extended permit ip 10.0.100.0 255.255.255.0 object CANADA_INSIDE_NETWORK
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging timestamp
logging console debugging
logging trap warnings
logging asdm debugging
logging class auth console debugging asdm debugging
logging class session asdm debugging
logging class sys asdm debugging
logging class vpn console debugging asdm debugging
logging class vpnc console debugging asdm debugging
logging class webvpn console debugging asdm debugging
logging class svc console debugging asdm debugging
logging class dap console debugging asdm debugging
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static UK_HOSTED_NETWORK UK_HOSTED_NETWORK no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static USA_Network USA_Network no-proxy-arp route-lookup
nat (any,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static CANADA_INSIDE_NETWORK CANADA_INSIDE_NETWORK no-proxy-arp route-lookup
nat (inside,outside) source static EHS_VPN_SERVER interface service PPTP-srv PPTP-srv
nat (inside,outside) source static DM_INLINE_NETWORK_1 interface service https https
nat (inside,outside) source static DM_INLINE_NETWORK_2 interface service http http
nat (inside,outside) source static EHS_ESET_SERVER interface service ESET ESET
nat (inside,outside) source static EHSDEVAPP01 interface service SVN SVN
nat (inside,outside) source static EHSDEVAPP01 interface service MPWEB MPWEB
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static NETWORK_OBJ_10.0.100.0_27 NETWORK_OBJ_10.0.100.0_27 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server EHSRADIUS protocol radius
aaa-server EHSRADIUS (inside) host 10.0.100.80
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.45.0 255.255.255.0 management
http 10.0.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES-256-SHA-512
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES AZURE-PROPOSAL
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer X.X.X.X
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-DES-SHA
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer X.X.X.X
crypto map outside_map 3 set ikev2 ipsec-proposal AES-256-SHA-512
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.0.100.1,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
auto-import
-- OMMITTED CERTIFICATE DETAILS --
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha512
group 21
prf sha512
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 40
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 14
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
vpdn group EHS request dialout pppoe
vpdn group EHS localname m594672@X.X.X.X
vpdn group EHS ppp authentication chap
vpdn username X.X.X.Xpassword *****
dhcpd auto_config outside
!
dhcpd address 192.168.45.10-192.168.45.12 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
webvpn
port 4433
enable outside
dtls port 4433
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-4.9.04043-webdeploy-k9.pkg 1
anyconnect profiles EHS disk0:/ehs.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_EHSVPN internal
group-policy GroupPolicy_EHSVPN attributes
wins-server none
dns-server value 10.0.100.200 8.8.8.8
vpn-access-hours none
vpn-simultaneous-logins 15
vpn-idle-timeout 60
vpn-session-timeout none
vpn-filter value inside_access_in
vpn-tunnel-protocol ssl-client
group-lock value EHSVPN
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value EHS
split-tunnel-all-dns enable
vlan none
security-group-tag none
webvpn
anyconnect profiles value EHS type user
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-filter value VPN_Filter
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-filter value VPN_Filter
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask none default svc
username admin password ***** pbkdf2 privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
ikev2 remote-authentication eap query-identity
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group X.X.X.Xtype ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group EHSVPN type remote-access
tunnel-group EHSVPN general-attributes
address-pool VPN-IP-Range
authentication-server-group EHSRADIUS
default-group-policy GroupPolicy_EHSVPN
tunnel-group EHSVPN webvpn-attributes
group-alias EHSVPN enable
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect pptp
inspect icmp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:ea62db802051e27e24b2f9a4d537a0e0
: end
Thanks,
Dave
Solved! Go to Solution.
03-19-2024 09:28 AM
@Rob Ingram sorry my bad!
03-19-2024 09:01 AM
same-security-traffic permit inter-interface
Use inter additional to intra
MHM
03-19-2024 09:05 AM
Hi @MHM Cisco World
No luck with that I'm afraid.
same-security-traffic permit inter-interface
03-19-2024 09:09 AM
Do
Show asp drop
Show access-list <- check if one acl hit and asp drop increase with each attempt
03-19-2024 09:15 AM
Show asp drop:
Result of the command: "Show asp drop"
Frame drop:
NAT-T keepalive message (natt-keepalive) 2
IPSEC tunnel is down (ipsec-tun-down) 9
SVC Module does not have a channel for reinjection (mp-svc-no-channel) 21
SVC Module does not have a session (mp-svc-no-session) 27
SVC Module is in flow control (mp-svc-flow-control) 346
Unsupported IP version (unsupported-ip-version) 5
Invalid IP length (invalid-ip-length) 17
Invalid TCP Length (invalid-tcp-hdr-length) 3
No valid adjacency (no-adjacency) 853
No route to host (no-route) 982060
Reverse-path verify failed (rpf-violated) 12278
Flow is denied by configured rule (acl-drop) 11045682
Flow denied due to resource limitation (unable-to-create-flow) 1
First TCP packet not SYN (tcp-not-syn) 437384
TCP failed 3 way handshake (tcp-3whs-failed) 8030
TCP RST/FIN out of order (tcp-rstfin-ooo) 306747
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 118568
TCP SYNACK on established conn (tcp-synack-ooo) 96
TCP packet SEQ past window (tcp-seq-past-win) 7575
TCP invalid ACK (tcp-invalid-ack) 327584
TCP Out-of-Order packet buffer full (tcp-buffer-full) 31
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 11
TCP RST/SYN in window (tcp-rst-syn-in-win) 1947
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 54
TCP packet failed PAWS test (tcp-paws-fail) 67
CTM returned error (ctm-error) 2
Slowpath security checks failed (sp-security-failed) 2319957
IP option drop (invalid-ip-option) 200
Expired flow (flow-expired) 1
ICMP Inspect bad icmp code (inspect-icmp-bad-code) 16
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 7
FP L2 rule drop (l2_acl) 1525918
FP punt action drop (punt_action) 6178
Interface is down (interface-down) 38199
Dropped pending packets in a closed socket (np-socket-closed) 1993
IKE new SA limit exceeded (ike-sa-rate-limit) 5998
Interface not configured for CMD packets (ifc-not-cmd-enabled) 1
Fragment reassembly failed (fragment-reassembly-failed) 72
Egress fragmentation needed (df-bit-set) 5
Last clearing: Never
Flow drop:
Need to start IKE negotiation (need-ike) 15316
SVC replacement connection established (svc-replacement-conn) 1
VPN decryption missing (vpn-missing-decrypt) 146
Flow is denied by access rule (acl-drop) 1613788
NAT reverse path failed (nat-rpf-failed) 69634
Inspection failure (inspect-fail) 14042
SSL bad record detected (ssl-bad-record-detect) 152
SSL handshake failed (ssl-handshake-failed) 888
DTLS hello processed and closed (dtls-hello-close) 28
Last clearing: Never
Show access-list:
Result of the command: "Show asp drop"
Frame drop:
NAT-T keepalive message (natt-keepalive) 2
IPSEC tunnel is down (ipsec-tun-down) 9
SVC Module does not have a channel for reinjection (mp-svc-no-channel) 21
SVC Module does not have a session (mp-svc-no-session) 27
SVC Module is in flow control (mp-svc-flow-control) 346
Unsupported IP version (unsupported-ip-version) 5
Invalid IP length (invalid-ip-length) 17
Invalid TCP Length (invalid-tcp-hdr-length) 3
No valid adjacency (no-adjacency) 853
No route to host (no-route) 982060
Reverse-path verify failed (rpf-violated) 12278
Flow is denied by configured rule (acl-drop) 11045682
Flow denied due to resource limitation (unable-to-create-flow) 1
First TCP packet not SYN (tcp-not-syn) 437384
TCP failed 3 way handshake (tcp-3whs-failed) 8030
TCP RST/FIN out of order (tcp-rstfin-ooo) 306747
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 118568
TCP SYNACK on established conn (tcp-synack-ooo) 96
TCP packet SEQ past window (tcp-seq-past-win) 7575
TCP invalid ACK (tcp-invalid-ack) 327584
TCP Out-of-Order packet buffer full (tcp-buffer-full) 31
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 11
TCP RST/SYN in window (tcp-rst-syn-in-win) 1947
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 54
TCP packet failed PAWS test (tcp-paws-fail) 67
CTM returned error (ctm-error) 2
Slowpath security checks failed (sp-security-failed) 2319957
IP option drop (invalid-ip-option) 200
Expired flow (flow-expired) 1
ICMP Inspect bad icmp code (inspect-icmp-bad-code) 16
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 7
FP L2 rule drop (l2_acl) 1525918
FP punt action drop (punt_action) 6178
Interface is down (interface-down) 38199
Dropped pending packets in a closed socket (np-socket-closed) 1993
IKE new SA limit exceeded (ike-sa-rate-limit) 5998
Interface not configured for CMD packets (ifc-not-cmd-enabled) 1
Fragment reassembly failed (fragment-reassembly-failed) 72
Egress fragmentation needed (df-bit-set) 5
Last clearing: Never
Flow drop:
Need to start IKE negotiation (need-ike) 15316
SVC replacement connection established (svc-replacement-conn) 1
VPN decryption missing (vpn-missing-decrypt) 146
Flow is denied by access rule (acl-drop) 1613788
NAT reverse path failed (nat-rpf-failed) 69634
Inspection failure (inspect-fail) 14042
SSL bad record detected (ssl-bad-record-detect) 152
SSL handshake failed (ssl-handshake-failed) 888
DTLS hello processed and closed (dtls-hello-close) 28
Last clearing: Never
Result of the command: "Show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_access_in; 25 elements; name hash: 0x6892a938
access-list outside_access_in line 1 remark EHS VPN Connection
access-list outside_access_in line 2 extended permit object-group DM_INLINE_SERVICE_2 any object EHS_VPN_SERVER (hitcnt=2047) 0x5e46b928
access-list outside_access_in line 2 extended permit gre any host 10.0.100.204 (hitcnt=9) 0x1c0a8f85
access-list outside_access_in line 2 extended permit tcp any host 10.0.100.204 eq https (hitcnt=0) 0x6bd8e896
access-list outside_access_in line 2 extended permit tcp any host 10.0.100.204 eq pptp (hitcnt=2038) 0xe1225c3d
access-list outside_access_in line 3 extended permit tcp any object-group Development_Agent_Servers object-group DM_INLINE_TCP_1 (hitcnt=11402) 0xf43e7c20
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.47 eq www (hitcnt=8470) 0x883e6a18
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.47 eq https (hitcnt=2932) 0xa21cb10c
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.64 eq www (hitcnt=0) 0x2d12a27d
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.64 eq https (hitcnt=0) 0x4dbec0ff
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.65 eq www (hitcnt=0) 0x5c19a1a1
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.65 eq https (hitcnt=0) 0x4775ff95
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.43 eq www (hitcnt=0) 0x0b5cde77
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.43 eq https (hitcnt=0) 0xe898f62d
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.208 eq www (hitcnt=0) 0x968c7e6a
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.208 eq https (hitcnt=0) 0xbe6afd58
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.90 eq www (hitcnt=0) 0x2d57932e
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.90 eq https (hitcnt=0) 0xb4c6aa5d
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.96 eq www (hitcnt=0) 0x02aa0633
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.96 eq https (hitcnt=0) 0x2be27b77
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.210 eq www (hitcnt=0) 0xe135c6c1
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.210 eq https (hitcnt=0) 0xe38a9563
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.55 eq www (hitcnt=0) 0x02667c3c
access-list outside_access_in line 3 extended permit tcp any host 10.0.100.55 eq https (hitcnt=0) 0xe4a987a3
access-list outside_access_in line 4 extended permit tcp any object EHSDEVAPP01 object-group SVN_Connection (hitcnt=294237) 0xc14c9c39
access-list outside_access_in line 4 extended permit tcp any host 10.0.100.208 eq 8443 (hitcnt=294237) 0xece4108b
access-list outside_access_in line 5 remark ESET Management Server incoming connections
access-list outside_access_in line 6 extended permit tcp any object EHS_ESET_SERVER object-group ESET_Server (hitcnt=5779) 0x95133119
access-list outside_access_in line 6 extended permit tcp any host 10.0.100.220 eq 2222 (hitcnt=5779) 0x71fe50ea
access-list outside_access_in line 7 extended permit tcp any object EHSDEVAPP01 object-group Dev_MPWeb_External (hitcnt=1677) 0x3ca2d5d3
access-list outside_access_in line 7 extended permit tcp any host 10.0.100.208 eq 8444 (hitcnt=1677) 0x66653b4d
access-list outside_access_in line 8 extended permit icmp any any (hitcnt=725158) 0x71af81e1
access-list inside_access_in; 3 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit ip any any (hitcnt=12971259) 0xa925365e
access-list inside_access_in line 2 extended permit gre any any (hitcnt=0) 0x557909e7
access-list inside_access_in line 3 extended permit tcp any eq pptp any (hitcnt=0) 0x155b7c5f
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip 10.0.100.0 255.255.255.0 object UK_HOSTED_NETWORK (hitcnt=568) 0x737d0193
access-list outside_cryptomap line 1 extended permit ip 10.0.100.0 255.255.255.0 10.0.1.0 255.255.255.0 (hitcnt=568) 0x737d0193
access-list VPN_Filter; 10 elements; name hash: 0x76c85b80
access-list VPN_Filter line 1 extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_3 (hitcnt=2526) 0x32af4de5
access-list VPN_Filter line 1 extended permit ip host 10.0.1.31 host 10.0.100.200 (hitcnt=56) 0xbc9f6974
access-list VPN_Filter line 1 extended permit ip host 10.0.1.31 host 10.0.100.219 (hitcnt=155) 0x8963f6ab
access-list VPN_Filter line 1 extended permit ip host 10.0.1.19 host 10.0.100.200 (hitcnt=2150) 0xc0089cfa
access-list VPN_Filter line 1 extended permit ip host 10.0.1.19 host 10.0.100.219 (hitcnt=165) 0xc384294f
access-list VPN_Filter line 2 extended permit ip object USA_HOSTED_DC_CONTROLLER object-group DM_INLINE_NETWORK_4 (hitcnt=7679) 0x47c12dbd
access-list VPN_Filter line 2 extended permit ip host 192.168.1.6 host 10.0.100.200 (hitcnt=5241) 0xcf501065
access-list VPN_Filter line 2 extended permit ip host 192.168.1.6 host 10.0.100.219 (hitcnt=5417) 0xdeacb5bc
access-list VPN_Filter line 3 extended permit ip object CANADA_DOMAIN_CONTROLLER object-group DM_INLINE_NETWORK_5 (hitcnt=0) 0xea17d86a
access-list VPN_Filter line 3 extended permit ip host 10.0.101.10 host 10.0.100.200 (hitcnt=0) 0x19ee3010
access-list VPN_Filter line 3 extended permit ip host 10.0.101.10 host 10.0.100.219 (hitcnt=0) 0xf8548b37
access-list VPN_Filter line 4 extended permit ip object EA_DOMAIN_CONTROLLER object-group DM_INLINE_NETWORK_6 (hitcnt=20009) 0xf763ccc9
access-list VPN_Filter line 4 extended permit ip host 10.0.1.5 host 10.0.100.200 (hitcnt=19921) 0x6a12bd55
access-list VPN_Filter line 4 extended permit ip host 10.0.1.5 host 10.0.100.219 (hitcnt=112) 0x0dc1a2d8
access-list outside_cryptomap_1; 1 elements; name hash: 0x759febfa
access-list outside_cryptomap_1 line 1 extended permit ip 10.0.100.0 255.255.255.0 object USA_Network (hitcnt=11209) 0xd8a321df
access-list outside_cryptomap_1 line 1 extended permit ip 10.0.100.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=11209) 0xd8a321df
access-list outside_cryptomap_2; 1 elements; name hash: 0x4e1c27f3
access-list outside_cryptomap_2 line 1 extended permit ip 10.0.100.0 255.255.255.0 object CANADA_INSIDE_NETWORK (hitcnt=749) 0x6ee6049c
access-list outside_cryptomap_2 line 1 extended permit ip 10.0.100.0 255.255.255.0 10.0.101.0 255.255.255.0 (hitcnt=749) 0x6ee6049c
access-list AnyConnect_Client_Local_Print; 8 elements; name hash: 0xe76ce9d1
access-list AnyConnect_Client_Local_Print line 1 extended deny ip any4 any4 (hitcnt=86) 0x1431053a
access-list AnyConnect_Client_Local_Print line 2 extended permit tcp any4 any4 eq lpd (hitcnt=0) 0xf431783b
access-list AnyConnect_Client_Local_Print line 3 remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print line 4 extended permit tcp any4 any4 eq 631 (hitcnt=0) 0x0a055e45
access-list AnyConnect_Client_Local_Print line 5 remark Windows' printing port
access-list AnyConnect_Client_Local_Print line 6 extended permit tcp any4 any4 eq 9100 (hitcnt=0) 0x077d9659
access-list AnyConnect_Client_Local_Print line 7 remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print line 8 extended permit udp any4 host 224.0.0.251 eq 5353 (hitcnt=0) 0xaad2a11b
access-list AnyConnect_Client_Local_Print line 9 remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print line 10 extended permit udp any4 host 224.0.0.252 eq 5355 (hitcnt=0) 0xbf7a7137
access-list AnyConnect_Client_Local_Print line 11 remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print line 12 extended permit tcp any4 any4 eq 137 (hitcnt=0) 0xe657df61
access-list AnyConnect_Client_Local_Print line 13 extended permit udp any4 any4 eq netbios-ns (hitcnt=0) 0x3094a846
03-19-2024 09:37 AM
@Rob Ingram sorry my bad!
03-19-2024 01:33 PM
10.0.101.x <<- this new Anyconnect POOL subnet.
the OUTSIDE have many ACL line permit Inbound but not this new subnet
even so you config intra and inter same security permit
you need to allow traffic via ACL
this LAB show how ACL drop the traffic even so I use intra and inter
MHM
03-20-2024 05:02 AM
Hi @MHM Cisco World @Rob Ingram
I've created the following ACL highlighted in yellow:
I've set the VPN to use this filter:
But still no luck unfortunately
03-20-2024 07:56 AM
no need VPN filter, if VPN filter is drop the packet then at least we must see that in packet tracer
what drop traffic is the ACL apply to OUTside interface.
can you add ACL
permit VPN (new Pool Subnet) host 8.8.8.8
apply this ACL IN direction to OUTside interface
then ping
MHM
03-20-2024 08:28 AM
I believe I've done that @MHM Cisco World
Packet tracer output:
Latest run config:
Result of the command: "show running-config"
: Saved
:
: Serial Number: JAD27200585
: Hardware: FPR-1010, 7204 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
ASA Version 9.16(2)3
!
hostname ciscoasa
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
!
license smart
feature tier standard
names
no mac-address auto
ip local pool VPN-IP-Range 10.0.101.100-10.0.101.200 mask 255.255.255.0
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.100.1 255.255.255.0
!
interface Ethernet1/1
no switchport
nameif outside
security-level 0
pppoe client vpdn group EHS
ip address pppoe setroute
!
interface Ethernet1/2
switchport
!
interface Ethernet1/3
switchport
!
interface Ethernet1/4
switchport
!
interface Ethernet1/5
switchport
!
interface Ethernet1/6
switchport
!
interface Ethernet1/7
switchport
power inline auto
!
interface Ethernet1/8
switchport
power inline auto
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.45.1 255.255.255.0
!
interface BVI1
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222 outside
name-server 208.67.220.220 outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network EHSDEVHWN01
host 10.0.100.207
object network EHS_BASELINE_VM
host 10.0.100.212
object network EHS_DEV_AUTOBUILD_VM
host 10.0.100.55
object network EHSDEVAPP01
host 10.0.100.208
object network EHSDEVAPP02
host 10.0.100.90
object network EHSDEVAPP03
host 10.0.100.96
object network EHSDEVSQL01
host 10.0.100.209
object network EHSDEVWEB01
host 10.0.100.210
object network STU_BUILD_VM
host 10.0.100.240
object network EHS_HYPERV_NODE
host 10.0.100.201
object network EHS_BACKUP_SERVER
host 10.0.100.203
object network EHS_PRIMARY_DC
host 10.0.100.200
object network EHS_SECONDARY_DC
host 10.0.100.219
object network EHS_VPN_SERVER
host 10.0.100.204
object network EHS_FILE_SERVER
host 10.0.100.205
object network EHS_ESET_SERVER
host 10.0.100.220
object network EHS_SQL_VM
host 10.0.100.66
object network DEVAGENT_01
host 10.0.100.47
object network DEVAGENT_02
host 10.0.100.64
object network DEVAGENT_03
host 10.0.100.65
object network DEVAGENT_04
host 10.0.100.43
object network ROUTER
host 10.0.100.1
object network EXTERNAL_IP
host OFFICEIP
object service PPTP-srv
service tcp source eq pptp
object service https
service tcp source eq https
object service http
service tcp source eq www
object service ESET
service tcp source eq 2222
object service SVN
service tcp source eq 8443
object service MPWEB
service tcp source eq 8444
object network USA_CISCO_FIREWALL
host REMOTEFWIP
object network UK_CISCO_FIREWALL
host REMOTEFWIP
object network CANADA_CISCO_FIREWALL
host 162.252.169.71
object network USA_Network
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.0.100.0_24
subnet 10.0.100.0 255.255.255.0
object network UK_HOSTED_NETWORK
subnet 10.0.1.0 255.255.255.0
object network UK_HOSTED_DC_CONTROLLER
host 10.0.1.19
object service RDP
service tcp source eq 3389
object network USA_HOSTED_DC_CONTROLLER
host 192.168.1.6
object network CANADA_INSIDE_NETWORK
subnet 10.0.101.0 255.255.255.0
object network CANADA_DOMAIN_CONTROLLER
host 10.0.101.10
object network EA_DOMAIN_CONTROLLER
host 10.0.1.5
object network UK_HOST_4
host 10.0.1.27
object network EHSUK_DATA_TRANSFER
host 10.0.1.31
object network NETWORK_OBJ_10.0.100.0_27
subnet 10.0.100.0 255.255.255.224
object network VPN_Pool
subnet 10.0.101.0 255.255.255.0
object-group network Development_Servers
network-object object EHSDEVAPP01
network-object object EHSDEVAPP02
network-object object EHSDEVAPP03
network-object object EHSDEVHWN01
network-object object EHSDEVSQL01
network-object object EHSDEVWEB01
network-object object EHS_BASELINE_VM
network-object object EHS_DEV_AUTOBUILD_VM
network-object object EHS_HYPERV_NODE
network-object object STU_BUILD_VM
network-object object DEVAGENT_01
network-object object DEVAGENT_02
network-object object DEVAGENT_03
network-object object DEVAGENT_04
object-group network Operational_Servers
network-object object EHS_BACKUP_SERVER
network-object object EHS_ESET_SERVER
network-object object EHS_HYPERV_NODE
network-object object EHS_PRIMARY_DC
network-object object EHS_SECONDARY_DC
network-object object EHS_VPN_SERVER
network-object object EHS_SQL_VM
object-group network Development_Agent_Servers
network-object object DEVAGENT_01
network-object object DEVAGENT_02
network-object object DEVAGENT_03
network-object object DEVAGENT_04
network-object object EHSDEVAPP01
network-object object EHSDEVAPP02
network-object object EHSDEVAPP03
network-object object EHSDEVWEB01
network-object object EHS_DEV_AUTOBUILD_VM
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service ESET_Server tcp
port-object eq 2222
object-group service SVN_Connection tcp
port-object eq 8443
object-group service Dev_MPWeb_External tcp
port-object eq 8444
object-group service DM_INLINE_SERVICE_3
service-object gre
service-object tcp
service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_1
group-object Development_Agent_Servers
group-object Development_Servers
object-group network All_Internal_Networks
network-object 10.0.100.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
service-object gre
service-object tcp destination eq https
service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_2
group-object Development_Agent_Servers
group-object Development_Servers
object-group network DM_INLINE_NETWORK_3
network-object object EHS_PRIMARY_DC
network-object object EHS_SECONDARY_DC
object-group network DM_INLINE_NETWORK_4
network-object object EHS_PRIMARY_DC
network-object object EHS_SECONDARY_DC
object-group network DM_INLINE_NETWORK_5
network-object object EHS_PRIMARY_DC
network-object object EHS_SECONDARY_DC
object-group network DM_INLINE_NETWORK_6
network-object object EHS_PRIMARY_DC
network-object object EHS_SECONDARY_DC
object-group service RADIUS tcp
port-object eq 1812
port-object eq 1813
object-group network DM_INLINE_NETWORK_7
network-object object EHSUK_DATA_TRANSFER
network-object object UK_HOSTED_DC_CONTROLLER
access-list outside_access_in remark EHS VPN Connection
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object EHS_VPN_SERVER
access-list outside_access_in extended permit tcp any object-group Development_Agent_Servers object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object EHSDEVAPP01 object-group SVN_Connection
access-list outside_access_in remark ESET Management Server incoming connections
access-list outside_access_in extended permit tcp any object EHS_ESET_SERVER object-group ESET_Server
access-list outside_access_in extended permit tcp any object EHSDEVAPP01 object-group Dev_MPWeb_External
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip object VPN_Pool interface outside
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit tcp any eq pptp any
access-list outside_cryptomap extended permit ip 10.0.100.0 255.255.255.0 object UK_HOSTED_NETWORK
access-list VPN_Filter extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_3
access-list VPN_Filter extended permit ip object USA_HOSTED_DC_CONTROLLER object-group DM_INLINE_NETWORK_4
access-list VPN_Filter extended permit ip object CANADA_DOMAIN_CONTROLLER object-group DM_INLINE_NETWORK_5
access-list VPN_Filter extended permit ip object EA_DOMAIN_CONTROLLER object-group DM_INLINE_NETWORK_6
access-list outside_cryptomap_1 extended permit ip 10.0.100.0 255.255.255.0 object USA_Network
access-list outside_cryptomap_2 extended permit ip 10.0.100.0 255.255.255.0 object CANADA_INSIDE_NETWORK
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging timestamp
logging console debugging
logging trap warnings
logging asdm debugging
logging class auth console debugging asdm debugging
logging class session asdm debugging
logging class sys asdm debugging
logging class vpn console debugging asdm debugging
logging class vpnc console debugging asdm debugging
logging class webvpn console debugging asdm debugging
logging class svc console debugging asdm debugging
logging class dap console debugging asdm debugging
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static UK_HOSTED_NETWORK UK_HOSTED_NETWORK no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static USA_Network USA_Network no-proxy-arp route-lookup
nat (any,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static CANADA_INSIDE_NETWORK CANADA_INSIDE_NETWORK no-proxy-arp route-lookup
nat (inside,outside) source static EHS_VPN_SERVER interface service PPTP-srv PPTP-srv
nat (inside,outside) source static DM_INLINE_NETWORK_1 interface service https https
nat (inside,outside) source static DM_INLINE_NETWORK_2 interface service http http
nat (inside,outside) source static EHS_ESET_SERVER interface service ESET ESET
nat (inside,outside) source static EHSDEVAPP01 interface service SVN SVN
nat (inside,outside) source static EHSDEVAPP01 interface service MPWEB MPWEB
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static NETWORK_OBJ_10.0.100.0_27 NETWORK_OBJ_10.0.100.0_27 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
object network VPN_Pool
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server EHSRADIUS protocol radius
aaa-server EHSRADIUS (inside) host 10.0.100.80
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.45.0 255.255.255.0 management
http 10.0.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES-256-SHA-512
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer REMOTEFWIP
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES AZURE-PROPOSAL
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer REMOTEFWIP
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-DES-SHA
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer REMOTEFWIP
crypto map outside_map 3 set ikev2 ipsec-proposal AES-256-SHA-512
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.0.100.1,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
--OMMITED CERTS--
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha512
group 21
prf sha512
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 40
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 14
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
vpdn group EHS request dialout pppoe
vpdn group EHS localname m594672@hg70.btclick.com
vpdn group EHS ppp authentication chap
vpdn username m594672@hg70.btclick.com password *****
dhcpd auto_config outside
!
dhcpd address 192.168.45.10-192.168.45.12 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
webvpn
port 4433
enable outside
dtls port 4433
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-4.9.04043-webdeploy-k9.pkg 1
anyconnect profiles EHS disk0:/ehs.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_EHSVPN internal
group-policy GroupPolicy_EHSVPN attributes
wins-server none
dns-server value 10.0.100.200 8.8.8.8
vpn-simultaneous-logins 15
vpn-idle-timeout 60
vpn-session-timeout none
vpn-tunnel-protocol ikev2 ssl-client
group-lock value EHSVPN
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value EHS
split-tunnel-all-dns enable
security-group-tag none
webvpn
anyconnect profiles value EHS type user
group-policy GroupPolicy_REMOTEFWIP internal
group-policy GroupPolicy_REMOTEFWIP attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_REMOTEFWIP internal
group-policy GroupPolicy_REMOTEFWIP attributes
vpn-filter value VPN_Filter
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_REMOTEFWIP internal
group-policy GroupPolicy_REMOTEFWIP attributes
vpn-filter value VPN_Filter
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask none default svc
username admin password ***** pbkdf2 privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
ikev2 remote-authentication eap query-identity
tunnel-group REMOTEFWIP type ipsec-l2l
tunnel-group REMOTEFWIP general-attributes
default-group-policy GroupPolicy_REMOTEFWIP
tunnel-group REMOTEFWIP ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group REMOTEFWIP type ipsec-l2l
tunnel-group REMOTEFWIP general-attributes
default-group-policy GroupPolicy_REMOTEFWIP
tunnel-group REMOTEFWIP ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group REMOTEFWIP type ipsec-l2l
tunnel-group REMOTEFWIP general-attributes
default-group-policy GroupPolicy_REMOTEFWIP
tunnel-group REMOTEFWIP ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group EHSVPN type remote-access
tunnel-group EHSVPN general-attributes
address-pool VPN-IP-Range
authentication-server-group EHSRADIUS
default-group-policy GroupPolicy_EHSVPN
tunnel-group EHSVPN webvpn-attributes
group-alias EHSVPN enable
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect pptp
inspect icmp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:5897d34d95b73c851b38793444516795
: end
03-20-2024 09:11 AM - edited 03-20-2024 09:12 AM
ADD new ACL IN
access-list outside_access_in extended permit ip object VPN_Pool ANY <<- this object will have new subnet IP? correct
after you add this do packet-tracer again
MHM
03-20-2024 09:33 AM
Hi @MHM Cisco World
Packet trace result:
03-20-2024 12:46 PM
NAT(outside,outside) is missing ? did you remove this NAT ?
MHM
03-20-2024 02:01 PM
Hi @MHM Cisco World
Believe I've put it back in now:
Packet tracer:
03-20-2024 02:40 PM
If you return to my first comment I mention that that NAT(outside, outside) and NAT(any, outside) conflict, you need to remove NAT(Any, outside) and use for traffic from Inside NAT(inside, outside) <<-I assume you use Inside nameif interface
MHM
nat (any,outside) dynamic interface
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide