568 Views, 0 Helpful, 0 Replies

AnyConnect VPN user of ASA cannot access inside network

Sertuon (Level 1)

Hello,

Can anyone help me configure an ASA 5515-X, please?

Cisco Adaptive Security Appliance Software Version 9.12(4)24
SSP Operating System Version 2.6(1.230)
Device Manager Version 7.16(1)

==========================

Please help me find the mistake in the configuration:

Here is what I am trying to configure:

1) Created only a certificate-based VPN connection to the ASA and added several split-tunnel networks to the local network: cam, sip, intranet.

2) Connection to the VPN network from the local pool "intranet" by the VPN client is OK, and the VPN client shows the available routes in it:

[attachment: routes.jpg]

Connection to the inside ASA networks "cam" or "sip" fails and I can't find the reason.

Here is the output of show running-config:

service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto
ip local pool intra 172.16.54.220-172.16.54.250 mask 255.255.255.224

!
interface GigabitEthernet0/0
description internet
nameif internet
security-level 0
ip address 222.222.22.22 255.255.255.0
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.11
vlan 11
nameif mgm11
security-level 100
ip address 10.0.11.140 255.255.255.0
!
interface GigabitEthernet0/1.31
vlan 31
nameif sip
security-level 100
ip address 192.168.31.140 255.255.255.0
!
interface GigabitEthernet0/1.45
vlan 45
nameif cam
security-level 100
ip address 192.168.45.140 255.255.255.0
!
interface GigabitEthernet0/1.54
vlan 54
nameif intranet
security-level 100
ip address 172.16.54.140 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif manage
security-level 100
ip address 192.168.2.30 255.255.255.0
!
boot system disk0:/asa912-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name asa.lumico.work
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 192.168.31.0
object network cam-obj
subnet 192.168.45.0 255.255.255.0
object network intranet-obj
subnet 172.16.54.0 255.255.255.0
object network sip-obj
subnet 192.168.31.0 255.255.255.0
object network inranet-obj
object network vpn-obj
range 172.16.54.220 172.16.54.250
description vpn ip pool
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network office
network-object object cam-obj
network-object object intranet-obj
network-object object sip-obj
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list split-acl-intra extended permit object-group DM_INLINE_PROTOCOL_5 object-group office any4
access-list internet_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any4 any inactive
pager lines 24
logging enable
logging asdm informational
mtu internet 1500
mtu manage 1500
mtu mgm11 1500
mtu sip 1500
mtu cam 1500
mtu intranet 1500
no failover
no failover wait-disable
no monitor-interface mgm11
no monitor-interface sip
no monitor-interface cam
no monitor-interface intranet
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7161.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (internet,cam) source static intranet-obj intranet-obj destination static intranet-obj intranet-obj no-proxy-arp route-lookup
access-group internet_access_in in interface internet
route internet 0.0.0.0 0.0.0.0 222.222.22.1 1
route manage 192.168.2.0 255.255.255.255 192.168.2.100 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable 8443
http 0.0.0.0 0.0.0.0 manage
no snmp-server location
no snmp-server contact

lifetime seconds 86400
crypto ikev2 enable internet client-services port 443
crypto ikev2 remote-access trustpoint ASA-VPN
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh cipher encryption all
ssh cipher integrity all
ssh key-exchange group dh-group14-sha1
ssh 192.168.2.0 255.255.255.0 manage
management-access manage
dhcpd dns 8.8.8.8
!
!
tls-proxy maximum-session 500
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASA-VPN
ssl trust-point ASA-VPN internet
ssl trust-point ASA-VPN mgm11
ssl trust-point ASA-VPN sip
ssl trust-point ASA-VPN cam
ssl trust-point ASA-VPN intranet
ssl trust-point ASA-VPN internet vpnlb-ip
webvpn
enable internet
hsts
enable
max-age 31536000
include-sub-domains
no preload
http-headers
x-content-type-options
x-xss-protection
content-security-policy
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect profiles Anyconnectk9 disk0:/anyconnectk9.xml
anyconnect profiles VPN-ASA_client_profile disk0:/VPN-ASA_client_profile.xml
anyconnect profiles asa-vpn_client_profile disk0:/asa-vpn_client_profile.xml
anyconnect profiles vpn-cert_client_profile disk0:/vpn-cert_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_VPN-ASA internal
group-policy GroupPolicy_VPN-ASA attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl-intra
default-domain value asa.lumico.work
split-tunnel-all-dns enable
webvpn
anyconnect profiles value VPN-ASA_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
tunnel-group VPN-ASA type remote-access
tunnel-group VPN-ASA general-attributes
address-pool intra
default-group-policy GroupPolicy_VPN-ASA
tunnel-group VPN-ASA webvpn-attributes
authentication certificate
group-alias VPN-ASA enable
!
class-map inspection-default
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 18
subscribe-to-alert-group configuration periodic monthly 18
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9ab42c3049b67a5caa28a1eaca2ad55c
: end

  ==================

packet-tracer test

# packet-tracer input internet rawip 172.16.54.232 6 192.168$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.45.5 using egress ifc cam

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8049837980, priority=501, domain=permit, deny=true
hits=16, user_data=0x8, cs_id=0x0, reverse, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=internet, output_ifc=any

Result:
input-interface: internet
input-status: up
input-line-status: up
output-interface: cam
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

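The configuration above is the original poster's and stands as posted. What follows is an added example, not part of the original post and not a Cisco tool: a small Python linter that runs a few mechanical checks over an excerpt of that configuration (indentation restored) and flags conditions a practitioner would want to rule out when a remote-access client reaches one inside segment but not another. The excerpt is a constructed sample taken from the post, and the check names POOL_OVERLAP, ACL_ALL_INACTIVE, EMPTY_OBJECT and NAT_SELF_DEST are this example's own labels.

```python
"""Mechanical checks for a Cisco ASA remote-access VPN configuration.

Added example, not part of the original post. The excerpt below is taken
from the posted configuration; the check names and the lint logic are this
example's own, not an ASA or Cisco feature.
"""
import ipaddress
import re

# Excerpt of the posted running-config, constructed for this example.
SAMPLE_CONFIG = """\
ip local pool intra 172.16.54.220-172.16.54.250 mask 255.255.255.224
interface GigabitEthernet0/1.45
 nameif cam
 ip address 192.168.45.140 255.255.255.0
interface GigabitEthernet0/1.54
 nameif intranet
 ip address 172.16.54.140 255.255.255.0
object network 192.168.31.0
object network cam-obj
 subnet 192.168.45.0 255.255.255.0
object network intranet-obj
 subnet 172.16.54.0 255.255.255.0
object network inranet-obj
object network vpn-obj
 range 172.16.54.220 172.16.54.250
access-list internet_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any4 any inactive
nat (internet,cam) source static intranet-obj intranet-obj destination static intranet-obj intranet-obj no-proxy-arp route-lookup
access-group internet_access_in in interface internet
"""

# nat (real_ifc,mapped_ifc) source static real mapped destination static mapped real
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)", re.M)

def parse_interfaces(cfg):
    """Map each nameif to its connected IPv4 subnet (sub-commands are indented)."""
    ifaces, name, net = {}, None, None
    for line in cfg.splitlines():
        if not line.startswith(" "):          # a top-level command closes any open block
            if name and net:
                ifaces[name] = net
            name = net = None
        elif m := re.match(r"\s+nameif (\S+)", line):
            name = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            net = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
    if name and net:
        ifaces[name] = net
    return ifaces

def parse_pools(cfg):
    """Map each 'ip local pool' name to its (first, last) address."""
    return {m.group(1): (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}

def check_pool_overlap(cfg):
    """A pool carved out of a connected subnet: hosts on the other interfaces
    need a route for the pool via the ASA, or their replies never return."""
    ifaces = parse_interfaces(cfg)
    return [f"POOL_OVERLAP: pool '{pool}' {lo}-{hi} lies inside {net} on interface '{ifc}'"
            for pool, (lo, hi) in parse_pools(cfg).items()
            for ifc, net in ifaces.items() if lo in net or hi in net]

def check_inactive_acl(cfg):
    """An applied ACL whose every entry is 'inactive' leaves only the implicit deny."""
    aces = {}
    for m in re.finditer(r"^access-list (\S+) extended .*$", cfg, re.M):
        aces.setdefault(m.group(1), []).append(m.group(0))
    return [f"ACL_ALL_INACTIVE: '{acl}' applied {d} on '{ifc}' has no active entries"
            for acl, d, ifc in re.findall(r"^access-group (\S+) (in|out) interface (\S+)", cfg, re.M)
            if aces.get(acl) and all(a.endswith(" inactive") for a in aces[acl])]

def check_empty_objects(cfg):
    """An 'object network' with no indented body matches nothing."""
    lines = cfg.splitlines() + [""]
    return [f"EMPTY_OBJECT: '{line.split()[2]}' has no host/subnet/range definition"
            for line, nxt in zip(lines, lines[1:])
            if line.startswith("object network ") and not nxt.startswith(" ")]

def check_nat_exempt(cfg):
    """A twice-NAT exemption whose real destination is the same object as its
    real source never matches traffic toward the mapped interface."""
    return [f"NAT_SELF_DEST: ({ri},{mi}) exempts {sr} -> {dr}, same object as source"
            for ri, mi, sr, _sm, _dm, dr in NAT_RE.findall(cfg) if sr == dr]

def lint(cfg):
    """Run every check and return the sorted list of findings."""
    return sorted(check_pool_overlap(cfg) + check_inactive_acl(cfg)
                  + check_empty_objects(cfg) + check_nat_exempt(cfg))

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt it reports five findings. Two are worth reading against the thread. First, the address pool "intra" is carved out of the "intranet" interface's own 172.16.54.0/24, so a host on "cam" or "sip" can only answer a VPN client if it has a route for the pool addresses pointing at the ASA's address on its own segment; a host on "intranet" needs no such route, which is consistent with that segment working. Second, "internet_access_in" has no active entries, so any cleartext packet entering "internet" meets the implicit deny, which is exactly what the packet-tracer output above shows. Decrypted AnyConnect traffic bypasses interface ACLs only while "sysopt connection permit-vpn" is in effect (it is the default and is not shown in the running configuration when set), so a cleartext packet-tracer does not exercise the path that tunnel traffic actually takes. The empty objects and the self-referential NAT exemption are inert as written, but they are the kind of leftover that makes a configuration hard to reason about during a fault like this one.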