01-22-2013 07:44 PM - edited 02-21-2020 06:38 PM
I have configured AnyConnect for remote VPN access and everything works fine minus the annoying warning that pops up when connecting. Users pull an IP address from the pool I created, but are unable to access any network resources on the LAN. I have an exempt rule in there to prevent NAT from happening, but I'm not sure it is actually working. Has anyone seen this before and if so, how do you fix it?
Here is my current configuration.
hostname *****
domain-name *****
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool AnyConnect-Users 192.168.69.1-192.168.69.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif TW_Interface
security-level 0
ip address X.X.X.X Y.Y.Y.Y
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif DMZ
security-level 50
ip address 10.100.20.1 255.255.255.0
!
interface GigabitEthernet0/2
speed 100
duplex full
nameif ERS_Lan
security-level 100
ip address 10.100.10.3 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa911-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ****
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.69.0_24
subnet 192.168.69.0 255.255.255.0
access-list ERS_Lan_access_in extended permit ip any object NETWORK_OBJ_192.168.69.0_24
access-list ERS_Lan_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu TW_Interface 1500
mtu DMZ 1500
mtu ERS_Lan 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (ERS_Lan,TW_Interface) source static any any destination static NETWORK_OBJ_192.168.69.0_24 NETWORK_OBJ_192.168.69.0_24 no-proxy-arp route-lookup
!
object network obj_any
nat (ERS_Lan,TW_Interface) dynamic interface
access-group ERS_Lan_access_in in interface ERS_Lan
route TW_Interface 0.0.0.0 0.0.0.0 X.X.X.X 1
route ERS_Lan 192.168.4.0 255.255.255.0 10.100.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AnyConnect-VPN protocol radius
aaa-server AnyConnect-VPN (ERS_Lan) host 192.168.4.4
timeout 5
key *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.100.10.0 255.255.255.0 ERS_Lan
http X.X.X.X 255.255.255.255 TW_Interface
no snmp-server location
no snmp-server contact
no sysopt connection permit-vpn
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable TW_Interface
anyconnect-essentials
anyconnect image disk0:/anyconnect-linux-3.1.02026-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 2
anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 3
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect-VPN internal
group-policy GroupPolicy_AnyConnect-VPN attributes
wins-server none
dns-server value 192.168.4.4
vpn-tunnel-protocol ssl-client
default-domain value ERS2WAY.COM
tunnel-group AnyConnect-VPN type remote-access
tunnel-group AnyConnect-VPN general-attributes
address-pool AnyConnect-Users
authentication-server-group AnyConnect-VPN
default-group-policy GroupPolicy_AnyConnect-VPN
tunnel-group AnyConnect-VPN webvpn-attributes
group-alias AnyConnect-VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:84b2580f961392f49d89ff767e867385
: end
01-22-2013 09:18 PM
Does the internal network have a route back to the pool allocated to your VPN clients?
01-23-2013 03:37 AM
The internal LAN uses the ASA as the default gateway. With it being configured like that, would I not just use access lists to allow traffic between the two networks?
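Added example, not part of the thread or of the poster's configuration: a small Python audit of the two settings in an ASA running-config that decide whether pool addresses can reach the inside LAN. It runs over a constructed copy of the relevant lines from the configuration posted above (placeholder addresses left as posted) and reports, first, whether an identity NAT rule covers the address pool toward the interface where webvpn is enabled, and second, because 'no sysopt connection permit-vpn' is configured, whether an inbound access-group exists on that interface. The parser understands only the handful of commands the audit needs; the interface, object and pool names are the ones in the post, and the exemption check goes slightly beyond the posted case by accepting the rule written in either interface orientation.

```python
"""Audit the two ASA settings that decide whether AnyConnect pool addresses reach the
inside LAN: an identity NAT (NAT exemption) covering the pool, and an inbound ACL on the
tunnel-terminating interface once 'sysopt connection permit-vpn' is turned off. Manual NAT
(section 1) is matched before object NAT (section 2), so the exemption wins wherever it
sits in the config unless it carries 'after-auto'; with 'no sysopt connection permit-vpn',
decrypted VPN traffic must pass the inbound ACL of the interface it terminates on."""
import ipaddress
import re

# Constructed sample: the relevant lines of the configuration posted in this thread.
SAMPLE_CONFIG = """
ip local pool AnyConnect-Users 192.168.69.1-192.168.69.254 mask 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.69.0_24
subnet 192.168.69.0 255.255.255.0
nat (ERS_Lan,TW_Interface) source static any any destination static NETWORK_OBJ_192.168.69.0_24 NETWORK_OBJ_192.168.69.0_24 no-proxy-arp route-lookup
object network obj_any
nat (ERS_Lan,TW_Interface) dynamic interface
access-group ERS_Lan_access_in in interface ERS_Lan
no sysopt connection permit-vpn
webvpn
enable TW_Interface
tunnel-group AnyConnect-VPN general-attributes
address-pool AnyConnect-Users
"""
# Sub-commands that may follow 'webvpn' when the paste lost its indentation.
WEBVPN_SUBCMDS = ("enable ", "anyconnect", "tunnel-group-list", "port ", "dtls")

def parse(config):
    """Line-oriented parse of only the commands the audit needs."""
    cfg = {"pools": {}, "objects": {}, "exemptions": [], "dynamic_nat": [],
           "access_group": {}, "permit_vpn": True, "vpn_ifcs": [], "pool_refs": []}
    obj, in_webvpn = None, False
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line.startswith(("!", ":")):
            continue
        if line == "webvpn":
            in_webvpn = True
            continue
        if in_webvpn and line.startswith(WEBVPN_SUBCMDS):
            if m := re.fullmatch(r"enable (\S+)", line):
                cfg["vpn_ifcs"].append(m[1])   # interface the SSL VPN terminates on
            continue
        in_webvpn = False
        if m := re.fullmatch(r"ip local pool (\S+) (\S+)-(\S+)(?: mask \S+)?", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.fullmatch(r"object network (\S+)", line):
            obj = m[1]
        elif (m := re.fullmatch(r"subnet (\S+) (\S+)", line)) and obj:
            cfg["objects"][obj] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.fullmatch(r"nat \((\S+),(\S+)\) (after-auto )?source static (\S+) (\S+) "
                               r"destination static (\S+) (\S+).*", line):
            cfg["exemptions"].append({"real": m[1], "mapped": m[2], "after_auto": bool(m[3]),
                                      "src": m[4], "dst": m[6], "identity": m[4] == m[5] and m[6] == m[7]})
        elif (m := re.fullmatch(r"nat \((\S+),(\S+)\) dynamic (\S+)", line)) and obj:
            cfg["dynamic_nat"].append(f"{obj} ({m[1]},{m[2]}) -> {m[3]}")
        elif m := re.fullmatch(r"access-group (\S+) in interface (\S+)", line):
            cfg["access_group"][m[2]] = m[1]
        elif line in ("sysopt connection permit-vpn", "no sysopt connection permit-vpn"):
            cfg["permit_vpn"] = not line.startswith("no ")
        elif m := re.fullmatch(r"address-pool (\S+)", line):
            cfg["pool_refs"].append(m[1])
    return cfg

def covers(cfg, name, lo, hi):
    return name in cfg["objects"] and lo in cfg["objects"][name] and hi in cfg["objects"][name]

def audit(config):
    """Per-pool exemption status, sysopt state, VPN interfaces lacking an inbound ACL."""
    cfg = parse(config)
    vpn, findings, exempt_ok, missing_acl = cfg["vpn_ifcs"], [], {}, []
    for name in cfg["pool_refs"] or list(cfg["pools"]):
        lo, hi = cfg["pools"][name]
        # Identity, section-1 rule in either orientation: pool as destination on the
        # (LAN,VPN) pair, or pool as source on the (VPN,LAN) pair.
        exempt_ok[name] = any(
            ex["identity"] and not ex["after_auto"]
            and ((ex["mapped"] in vpn and covers(cfg, ex["dst"], lo, hi))
                 or (ex["real"] in vpn and covers(cfg, ex["src"], lo, hi)))
            for ex in cfg["exemptions"])
        verdict = "OK: identity NAT covers" if exempt_ok[name] else "FAIL: no identity NAT covers"
        findings.append(f"{verdict} pool {name} {lo}-{hi} toward {vpn}; "
                        f"dynamic NAT that would otherwise apply: {cfg['dynamic_nat']}")
    if cfg["permit_vpn"]:
        findings.append("OK: sysopt connection permit-vpn (default) exempts decrypted VPN "
                        "traffic from interface ACLs; only a group-policy vpn-filter restricts it")
    for ifc in (vpn if not cfg["permit_vpn"] else []):
        if (acl := cfg["access_group"].get(ifc)) is None:
            missing_acl.append(ifc)
            findings.append(f"FAIL: 'no sysopt connection permit-vpn' and no inbound access-group "
                            f"on {ifc}: decrypted pool->LAN traffic hits the implicit deny")
        else:
            findings.append(f"CHECK: 'no sysopt connection permit-vpn': confirm access-list {acl} "
                            f"on {ifc} permits the pool to reach the LAN")
    return {"nat_exempt_ok": exempt_ok, "permit_vpn": cfg["permit_vpn"],
            "missing_inbound_acl": missing_acl, "findings": findings}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)["findings"]))
```

Run against the posted lines, the audit reports the identity NAT as covering 192.168.69.1-192.168.69.254 toward TW_Interface and flags that, with sysopt connection permit-vpn disabled, TW_Interface carries no inbound access-group, so decrypted traffic from the pool toward ERS_Lan is dropped by the implicit deny (the ACL on ERS_Lan is on the wrong interface for that direction). Either restoring the default with 'sysopt connection permit-vpn' or applying an inbound access-list on TW_Interface that permits the pool clears that finding. On the ASA itself the same two decisions are visible in 'show nat detail' (translate_hits and untranslate_hits on the exemption rule) and in packet-tracer, for example 'packet-tracer input ERS_Lan tcp 10.100.10.50 1234 192.168.69.10 445' with a LAN host and a pool address chosen for illustration.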