10-08-2014 11:04 AM - edited 02-21-2020 07:52 PM
I have an ASA5512X with a base license. Running through the wizard to set up AnyConnect. When it applies the config I get . .
I've tried about a dozen ways to get this command to take and am getting nowhere. I set up new interfaces with unused IPs, I changed port numbers, I moved ASDM off 443, I ran the above command on different port numbers; no matter what I do, I get the same message. Any idea what I am doing wrong?
Config is below:
ASA Version 9.1(1)
!
ip local pool VPN_pool 192.168.252.10-192.168.252.50 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif Inside
security-level 100
ip address 192.168.2.4 255.255.255.0
!
interface GigabitEthernet0/1
nameif ComcastMetroE
security-level 1
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/2
nameif VPN
security-level 100
ip address 192.168.252.2 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.250.2 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name messicks.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network public_range
subnet x.x.x.x 255.255.255.240
object network web_server_177
host x.x.x.x
object network web_server_inside
host x.x.x
object network voice
subnet 192.168.4.0 255.255.255.0
object network All192
subnet 192.168.0.0 255.255.0.0
object network Exchange
host 192.168.2.5
object network Exchange_public
host x.x.x
object network NETWORK_OBJ_192.168.252.0_24
subnet 192.168.252.0 255.255.255.0
object network NETWORK_OBJ_192.168.252.0_26
subnet 192.168.252.0 255.255.255.192
object network AS400
host 192.168.2.201
object network AS400_public_179
host x.x.x
object network AMAX_WAN
host x.x.x
object network SpamTitan
host 192.168.2.10
object network SpamTitan_public_180
host x.x.x
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list ComcastMetroE_access extended permit tcp any4 object SpamTitan eq smtp
access-list ComcastMetroE_access remark allow AMAX WAN to AS400 FTP
access-list ComcastMetroE_access extended permit tcp any4 object AS400 eq ftp
access-list ComcastMetroE_access extended permit tcp any4 object Exchange object-group DM_INLINE_TCP_1
access-list ComcastMetroE_access extended permit tcp any4 object web_server_inside object-group DM_INLINE_TCP_0
access-list tcp_bypass extended permit tcp 192.168.2.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu ComcastMetroE 1500
mtu Inside 1500
mtu DMZ 1500
mtu VPN 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network web_server_inside
nat (Inside,ComcastMetroE) static web_server_177
object network Exchange
nat (Inside,ComcastMetroE) static Exchange_public
object network AS400
nat (Inside,ComcastMetroE) static AS400_public_179
object network SpamTitan
nat (Inside,ComcastMetroE) static SpamTitan_public_180
!
nat (Inside,ComcastMetroE) after-auto source dynamic any interface
access-group ComcastMetroE_access in interface ComcastMetroE
!
router rip
network 192.168.250.0
version 2
!
router eigrp 1
eigrp stub connected
network 192.168.250.0 255.255.255.0
passive-interface ComcastMetroE
!
route ComcastMetroE 0.0.0.0 0.0.0.0 x.x.x 1
route Inside 192.168.0.0 255.255.0.0 192.168.2.1 1
route management 192.168.2.0 255.255.255.0 192.168.250.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 management
http 192.168.250.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
sysopt noproxyarp ComcastMetroE
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map ComcastMetroE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ComcastMetroE_map interface ComcastMetroE
crypto map VPN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPN_map interface VPN
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
subject-name CN=192.168.2.4,CN=ASA5512X
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_2
enrollment self
subject-name CN=192.168.250.2,CN=ASA5512X
crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
telnet 192.168.2.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
vpn-addr-assign local reuse-delay 180
dhcpd dns 192.168.2.17 192.168.2.5
dhcpd domain messicks.local
!
dhcpd dns 192.168.2.17 192.168.2.5 interface VPN
dhcpd domain messicks.local interface VPN
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 VPN
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 ComcastMetroE
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 management vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 management
webvpn
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 regex "Intel Mac OS X"
xxxx
!
class-map ComcastMetroE-class
match any
class-map inspection_default
match default-inspection-traffic
class-map tcp_bypass
match access-list tcp_bypass
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map ComcastMetroE-policy
class ComcastMetroE-class
police input 26214000 13104
police output 26214000 13104
user-statistics accounting
policy-map tcp_bypass
class tcp_bypass
set connection timeout idle 0:10:00
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
service-policy ComcastMetroE-policy interface ComcastMetroE
service-policy tcp_bypass interface Inside
prompt hostname context
no call-home reporting anonymous
ASA5512X#
10-14-2014 11:08 AM
It seems to be a problem with NAT.
Can you please try the following command, "clear xlate", and then try the config again.
WARNING! If this is on a production environment, clearing the translations will kill the sessions for a few seconds; if you want to avoid this, run the command after hours.
To check how many people are using the translations you can use the command "show xlate".
Hope this helps.
Do not forget to rate helpful posts.
- Randy -
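As an added example, not code from the thread, from Cisco, or from either poster: a small Python lint for a running-config like the one posted, covering both the original question and the NAT angle raised in the reply. It parses the `ip local pool`, interface `ip address`, `object network`, `nat` and IKEv2 `ipsec-proposal` lines and reports three things worth checking before re-running the wizard: a pool whose addresses fall inside a subnet that is directly connected on another interface (in the posted config, VPN_pool 192.168.252.10-50 sits inside 192.168.252.0/24, the VPN interface's own subnet), a pool with no identity NAT exemption covering it (the ASDM AnyConnect wizard normally writes one of the form `nat (Inside,ComcastMetroE) source static any any destination static <obj> <obj> no-proxy-arp route-lookup`, with `<obj>` named after the pool; none appears in the post, although the NETWORK_OBJ_192.168.252.0_26 object it would reference does), and IKEv2 ESP proposals still offering DES, 3DES or MD5. The sample config in the block is a constructed excerpt of the posted one containing only the RFC 1918 lines; the pool-coverage test is an approximation that only looks at object names appearing on `source static ... destination static` lines.

```python
# Added example (not from the thread or from Cisco): lint an ASA running-config
# for pool/interface overlap, missing identity NAT for the pool, weak IKEv2 ESP.
import ipaddress
import re

# Constructed excerpt of the posted config, RFC 1918 lines only (public
# addresses were already redacted as x.x.x.x in the post).
SAMPLE_CONFIG = """\
ip local pool VPN_pool 192.168.252.10-192.168.252.50 mask 255.255.255.0
interface GigabitEthernet0/0
 nameif Inside
 ip address 192.168.2.4 255.255.255.0
interface GigabitEthernet0/2
 nameif VPN
 ip address 192.168.252.2 255.255.255.0
object network NETWORK_OBJ_192.168.252.0_26
 subnet 192.168.252.0 255.255.255.192
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
nat (Inside,ComcastMetroE) after-auto source dynamic any interface
"""

POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
WEAK_ENC, WEAK_INT = {"des", "3des", "null"}, {"md5"}


def parse(config):
    """One pass; 'show run' indents stanza bodies by one space, so an
    unindented line always starts a new stanza."""
    pools, ifaces, objects, proposals, nat_lines = {}, {}, {}, {}, []
    cur_if = cur_obj = cur_prop = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            cur_if = cur_obj = cur_prop = None
            m = POOL_RE.match(line)
            if m:
                pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            elif line.startswith("interface "):
                cur_if = line.split()[1]
            elif line.startswith("object network "):
                cur_obj = line.split()[2]
            elif line.startswith("crypto ipsec ikev2 ipsec-proposal "):
                cur_prop = line.split()[-1]
                proposals[cur_prop] = {"encryption": [], "integrity": []}
            elif line.startswith("nat ("):  # twice-NAT lines live at top level
                nat_lines.append(line)
        elif cur_if and line.startswith("nameif "):
            ifaces.setdefault(cur_if, {})["nameif"] = line.split()[1]
        elif cur_if and line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            ifaces.setdefault(cur_if, {})["net"] = ipaddress.ip_interface(f"{addr}/{mask}").network
        elif cur_obj and line.startswith("subnet "):
            net, mask = line.split()[1:3]
            objects[cur_obj] = ipaddress.ip_network(f"{net}/{mask}")
        elif cur_obj and line.startswith("host "):
            objects[cur_obj] = ipaddress.ip_network(line.split()[1])
        elif cur_prop and line.startswith("protocol esp "):
            parts = line.split()  # protocol esp <encryption|integrity> alg...
            proposals[cur_prop][parts[2]].extend(parts[3:])
    return pools, ifaces, objects, proposals, nat_lines


def audit(config):
    """Return human-readable findings for the config text."""
    pools, ifaces, objects, proposals, nat_lines = parse(config)
    findings = []
    # Identity NAT as the ASDM AnyConnect wizard writes it has the form
    # 'source static any any destination static OBJ OBJ'; the pool counts as
    # covered if an object named on such a line contains the whole pool.
    exempt = [n for n in nat_lines if "source static" in n and "destination static" in n]
    for name, (first, last) in pools.items():
        for iface in ifaces.values():
            net = iface.get("net")
            if net and (first in net or last in net):
                findings.append(f"pool {name} overlaps connected subnet {net} on {iface.get('nameif')}")
        if not any(obj in n.split() and first in net and last in net
                   for n in exempt for obj, net in objects.items()):
            findings.append(f"pool {name} has no identity NAT exemption")
    for name, prop in proposals.items():
        weak = (set(prop["encryption"]) & WEAK_ENC) | (set(prop["integrity"]) & WEAK_INT)
        if weak:
            findings.append(f"ikev2 proposal {name} offers weak algorithms {sorted(weak)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a full `show run` saved to a file (`audit(open("running.cfg").read())`) rather than the excerpt; moving the pool to a subnet that is not connected anywhere and adding the wizard's identity NAT line makes the two pool findings disappear, and dropping the DES/3DES proposals and the `md5` integrity option clears the proposal findings.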