AnyConnect Vpn problemss

emil_jonasson
Level 1

Hi!

I'm having an issue with a new AnyConnect VPN. The VPN works, but I can't get anywhere after I connect. I'm able to ping the inside interface, but that's probably only because I have "management interface inside". I just used the AnyConnect VPN wizard.

ASA Version 9.0(1) 
!
hostname ASA1
domain-name domain.name.local
enable password XXXXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXX encrypted
names
ip local pool AnyRemote_Pool 10.5.0.10-10.5.0.20 mask 255.255.255.0
ip local pool AnyConnect 10.10.115.10-10.10.115.20 mask 255.255.255.0
ip local pool test 10.10.127.3-10.10.127.4 mask 255.255.255.248
!
interface Ethernet0/0
 speed 1000
 nameif inside
 security-level 100
 ip address 10.10.127.1 255.255.255.248 
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.9.192.3 255.255.224.0 
!
interface Ethernet0/2
 shutdown
 nameif Inside2
 security-level 100
 ip address 10.5.0.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
banner asdm NOTICE TO USERS
banner asdm 
banner asdm THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only.
banner asdm Users (authorized or unauthorized) have no explicit or implicit
banner asdm expectation of privacy.
banner asdm 
banner asdm Any or all uses of this system and all files on this system may
banner asdm be intercepted, monitored, recorded, copied, audited, inspected,
banner asdm and disclosed to authorized site and law enforcement personnel,
banner asdm as well as authorized officials of other agencies, both domestic
banner asdm and foreign.  By using this system, the user consents to such
banner asdm interception, monitoring, recording, copying, auditing, inspection,
banner asdm and disclosure at the discretion of authorized site personnel.
banner asdm 
banner asdm Unauthorized or improper use of this system may result in
banner asdm administrative disciplinary action and civil and criminal penalties.
banner asdm By continuing to use this system you indicate your awareness of and
banner asdm consent to these terms and conditions of use.   LOG OFF IMMEDIATELY
banner asdm if you do not agree to the conditions stated in this warning.
boot system disk0:/asa901-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 name-server 10.10.110.11
 domain-name staden.oringen.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Staden
 subnet 10.10.0.0 255.255.0.0
object network STENEN
 host 10.10.255.2
object network NETWORK_OBJ_10.10.115.0_24
 subnet 10.10.115.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network Management
 subnet 10.10.99.0 255.255.255.0
 description Management nätet
object network Pressnätet
 subnet 10.10.30.0 255.255.255.0
object network Gästnätet
 subnet 10.10.128.0 255.255.128.0
 description Gästnätet
object network Funktionärsnätet
 subnet 10.10.40.0 255.255.254.0
object network NETWORK_OBJ_10.10.0.0_16
 subnet 10.10.0.0 255.255.0.0
object network Servernätet
 subnet 10.10.110.0 255.255.255.0
object network JTH
 subnet 10.30.0.0 255.255.0.0
object service hakan_5000_5010
 service tcp source range 5000 5010 destination range 5000 5010 
object network NETWORK_OBJ_10.20.0.0_16
 subnet 10.20.0.0 255.255.0.0
object network BS-DHCP
 subnet 10.9.192.0 255.255.224.0
 description DHCPnet
object network NS1
 host 10.10.110.11
object network NS2
 host 10.10.110.12
object network Arena
 subnet 10.20.0.0 255.255.0.0
object network WEB-Server
 host 10.10.110.25
object network NETWORK_OBJ_10.5.0.0_24
 subnet 10.5.0.0 255.255.255.0
object network NETWORK_OBJ_10.5.0.0_27
 subnet 10.5.0.0 255.255.255.224
object network NETWORK_OBJ_10.10.115.0_27
 subnet 10.10.115.0 255.255.255.224
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object object NS1
 network-object object NS2
access-list Inside_access_in extended permit ip object Staden any4 log disable 
access-list outside_cryptomap extended permit ip 10.10.0.0 255.255.0.0 object JTH 
access-list Outside_cryptomap extended permit ip object Staden object JTH 
access-list Splu-Tunnel standard permit 10.10.115.0 255.255.255.0 
access-list Splu2-tunnel standard permit 10.10.0.0 255.255.0.0 
access-list Outside_access extended deny ip any any 
access-list Outside_cryptomap_1 extended permit ip object Staden 10.20.0.0 255.255.0.0 
access-list global_mpc_1 extended permit ip any any 
access-list outside_access_in extended permit tcp object BS-DHCP object WEB-Server eq www 
access-list outside_access_in extended permit object-group TCPUDP object BS-DHCP object-group DM_INLINE_NETWORK_1 eq domain 
access-list outside_cryptomap_1 extended permit ip object Staden object Arena 
access-list SPLIT-TUNNEL standard permit 10.10.115.0 255.255.255.0 
access-list inside_access_in extended permit ip any any 
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm debugging
logging host inside 10.10.110.34
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 10.10.110.35 9996
flow-export template timeout-rate 1
flow-export delay flow-create 1
mtu inside 1500
mtu outside 1500
mtu Inside2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.10.0.0_16 NETWORK_OBJ_10.10.0.0_16 destination static BS-DHCP BS-DHCP no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.10.0.0_16 NETWORK_OBJ_10.10.0.0_16 destination static JTH JTH no-proxy-arp route-lookup
nat (inside,outside) source static Staden Staden destination static Arena Arena no-proxy-arp route-lookup
nat (inside,outside) source static Staden Staden destination static NETWORK_OBJ_10.10.115.0_27 NETWORK_OBJ_10.10.115.0_27 no-proxy-arp route-lookup
nat (inside,outside) source dynamic Staden interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.9.192.1 1
route inside 10.10.0.0 255.255.0.0 10.10.127.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http server idle-timeout 1000
http 10.10.99.0 255.255.255.0 inside
http 10.20.99.0 255.255.255.0 inside
snmp-server host inside 10.10.110.34 community ***** version 2c
snmp-server location XXXX
snmp-server contact XXXXX
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 193.10.29.20 
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA
crypto map Outside_map 2 match address Outside_cryptomap_1
crypto map Outside_map 2 set peer 193.10.161.53 
crypto map Outside_map 2 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 193.10.29.20 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 192.165.102.120 
crypto map outside_map 2 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.10.99.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcprelay timeout 60
threat-detection basic-threat
no threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.10.110.32
ntp server 10.10.110.31 prefer
ssl client-version tlsv1-only
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 default-domain value domain.name.local
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 10.10.110.11
 vpn-tunnel-protocol ssl-client 
 default-domain value staden.oringen.local
group-policy GroupPolicy_<VPN IP> internal
group-policy GroupPolicy_<VPN IP> attributes
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy_<VPN IP> internal
group-policy GroupPolicy_<VPN IP> attributes
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy_<VPN IP> internal
group-policy GroupPolicy_<VPN IP> attributes
 vpn-tunnel-protocol ikev1 
username Emil password ERGY6YisJ8JfW7hf encrypted privilege 15
username Christoffer password FxCsYXtnkKlWaAWO encrypted privilege 15
username mats@matstroen.se password .mmPln3tGmJEr.GJ encrypted
username Jesper password lYHXMeOo4nxxYkQZ encrypted privilege 15
tunnel-group <VPN IP> type ipsec-l2l
tunnel-group <VPN IP> general-attributes
 default-group-policy GroupPolicy_<VPN IP>
tunnel-group <VPN IP> ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool AnyConnect
 default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
tunnel-group <VPN IP> type ipsec-l2l
tunnel-group <VPN IP> general-attributes
 default-group-policy GroupPolicy_<VPN IP>
tunnel-group <VPN IP> ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group <VPN IP> type ipsec-l2l
tunnel-group 1<VPN IP> general-attributes
 default-group-policy GroupPolicy_<VPN IP>
tunnel-group <VPN IP> ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
class-map Netflow-Class
 match access-list global_mpc_1
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 description OMGIcMP
 class inspection_default
  inspect dns preset_dns_map 
  inspect esmtp 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect icmp 
  inspect icmp error 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect sip  
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
 class Netflow-Class
  flow-export event-type all destination 10.10.110.35
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:0df863d608d0dc51a70870914e9f87b9
: end
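As an added example (not code from the thread), here is a small Python check that reads the AnyConnect pool, the static routes and the identity-NAT destinations out of a constructed excerpt of the configuration above and reports what to verify: the pool 10.10.115.10-20 lies inside the 10.10.0.0/16 route pointed at 10.10.127.2, so that next hop needs a more specific return route for the pool towards the ASA, while the twice NAT to NETWORK_OBJ_10.10.115.0_27 does cover the pool. The regexes only understand the few ASA line forms shown in the excerpt.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted above: only the lines this check reads.
ASA_CONFIG = """\
ip local pool AnyConnect 10.10.115.10-10.10.115.20 mask 255.255.255.0
object network Staden
 subnet 10.10.0.0 255.255.0.0
object network NETWORK_OBJ_10.10.115.0_27
 subnet 10.10.115.0 255.255.255.224
nat (inside,outside) source static Staden Staden destination static NETWORK_OBJ_10.10.115.0_27 NETWORK_OBJ_10.10.115.0_27 no-proxy-arp route-lookup
nat (inside,outside) source dynamic Staden interface
route outside 0.0.0.0 0.0.0.0 10.9.192.1 1
route inside 10.10.0.0 255.255.0.0 10.10.127.2 1
tunnel-group AnyConnect general-attributes
 address-pool AnyConnect
"""

def parse_asa(config):
    """Extract the tunnel-group's address pool, the static routes (interface, network,
    next hop) and the destinations that identity (twice) NAT leaves untranslated."""
    pools, objects, routes, exempt = {}, {}, [], []
    pool_name = obj = None
    for line in config.splitlines():
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"object network (\S+)", line):
            obj = m[1]
        elif m := re.match(r" subnet (\S+) (\S+)", line):
            objects[obj] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            routes.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}"), m[4]))
        elif m := re.match(r"nat \(\S+\) source static \S+ \S+ destination static (\S+) \1", line):
            exempt.append(objects[m[1]])  # same object twice: no translation to that destination
        elif m := re.match(r" address-pool (\S+)", line):
            pool_name = m[1]
    return pools[pool_name], routes, exempt

def check_pool(pool, routes, exempt):
    """Flag non-default routes the pool falls inside (that next hop must then hold a more
    specific return route for the pool towards the ASA) and whether NAT exemption covers it."""
    first, last = pool
    overlapping = [(iface, str(net), hop) for iface, net, hop in routes
                   if net.prefixlen > 0 and (first in net or last in net)]
    covered = any(first in net and last in net for net in exempt)
    return {"overlapping_routes": overlapping, "nat_exempt": covered}

if __name__ == "__main__":
    pool, routes, exempt = parse_asa(ASA_CONFIG)
    findings = check_pool(pool, routes, exempt)
    print(f"pool {pool[0]}-{pool[1]}: NAT exempt={findings['nat_exempt']}")
    for iface, net, hop in findings["overlapping_routes"]:
        print(f"  pool lies inside route {net} via {hop} ({iface}): confirm {hop} routes the pool back to the ASA")
```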

1 Reply

Dinesh Moudgil
Cisco Employee

Hi,

Please confirm these things for further analysis:

1. Which tunnel group are you using for the connection?
2. The IP that you are trying to reach behind the ASA.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/