ASA 5505 SSL Vpn Issue

bgibson.PT
Level 1

Here is the problem I have. I can connect to the SSL VPN with AnyConnect just fine. Split tunnel also seems to be working. I can ping the inside interface of the ASA unit. I however cannot ping or access in any other way hosts on the inside network, only the ASA's inside interface. I included a copy of my config. If someone could help me figure out what I'm missing it would be greatly appreciated.


ASA Version 8.2(3)
!
hostname asa5505
domain-name "inside domain"
enable password "password" encrypted
passwd "password" encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.80.239 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.80.241
name-server 10.14.80.240
domain-name "inside domain"
access-list inside_nat0_outbound extended permit ip 10.99.99.0 255.255.255.0 any
access-list split-tunnel standard permit 10.10.80.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnaccess 10.99.99.2-10.99.99.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.80.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.10.80.2-10.10.80.20 inside
dhcpd dns 204.174.16.4 204.174.18.2 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 10.10.80.241
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
split-dns value "inside domain"
address-pools value vpnaccess
username admin password "password" encrypted privilege 15
username admin attributes
vpn-group-policy DfltGrpPolicy
username Interact password "password" encrypted privilege 0
username Interact attributes
vpn-group-policy DfltGrpPolicy
username wyoming password "password" encrypted privilege 0
username wyoming attributes
vpn-group-policy DfltGrpPolicy
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpnaccess
!
!
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination address http https://tools.cisco.com/its/service/oddce/services/DD
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c5cfa2db3651c80e5e77e0f99f6f849f
: end

3 Replies

Jennifer Halim
Cisco Employee

Sure, your NAT exemption access-list is incorrect.

Instead of:

access-list inside_nat0_outbound extended permit ip 10.99.99.0 255.255.255.0 any

It should be:

access-list inside_nat0_outbound extended permit ip 10.10.80.0 255.255.255.0 10.99.99.0 255.255.255.0

Then please remember to "clear xlate" after the above changes.

Hope that resolves the issue.
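An added illustration, not code from the thread or from Cisco: a small model of how ASA 8.2 matches the "nat (inside) 0" exemption ACL, showing why the ACE as posted misses the inside-host to VPN-client flow while the corrected ACE matches it. The config excerpt is constructed from the lines above; the inside host (the LAN DNS server) and the pool client address are assumed.

```python
import ipaddress

def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC DST' (SRC/DST = 'any' or
    'A.B.C.D MASK', as on ASA 8.2) into (name, src_net, dst_net); else None."""
    toks = line.split()
    if toks[:1] != ["access-list"] or toks[2:5] != ["extended", "permit", "ip"]:
        return None
    nets, rest = [], toks[5:]
    while rest and len(nets) < 2:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
        else:  # ip_network accepts a dotted mask, e.g. 10.10.80.0/255.255.255.0
            nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False)); rest = rest[2:]
    return (toks[1], nets[0], nets[1]) if len(nets) == 2 else None

def nat0_acl_name(config, ifc="inside"):
    """Name of the ACL bound by 'nat (<ifc>) 0 access-list <name>', or None."""
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["nat", f"({ifc})", "0", "access-list"]:
            return t[4]
    return None

def flow_exempt_from_nat(config, inside_host, vpn_client):
    """True if the inside-host <-> VPN-client flow hits the 'nat (inside) 0' ACL.
    ASA 8.2 evaluates it with the interface-local (inside) address as ACL source
    and the VPN client as destination. On a miss the host stays under the dynamic
    'nat (inside) 1' PAT, which only serves connections the host itself starts, so
    the client's packets are dropped; the ASA's own interface is never translated."""
    name = nat0_acl_name(config)
    src, dst = ipaddress.ip_address(inside_host), ipaddress.ip_address(vpn_client)
    for line in config.splitlines():
        ace = parse_ace(line.strip())
        if ace and ace[0] == name and src in ace[1] and dst in ace[2]:
            return True
    return False

# Constructed excerpt of the posted NAT lines, and the same with the corrected ACE.
POSTED = """\
access-list inside_nat0_outbound extended permit ip 10.99.99.0 255.255.255.0 any
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
CORRECTED = POSTED.replace("permit ip 10.99.99.0 255.255.255.0 any",
                           "permit ip 10.10.80.0 255.255.255.0 10.99.99.0 255.255.255.0")

if __name__ == "__main__":  # assumed hosts: the LAN DNS server and one pool client
    for label, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, "exempt:", flow_exempt_from_nat(cfg, "10.10.80.241", "10.99.99.5"))
```

The model only covers the nat 0 lookup order; it does not replace "clear xlate" on the box, since stale translations from the old rule persist until cleared.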

Made the changes but I still can only ping the inside interface of the ASA. Any other ideas?

What are you trying to ping? Please make sure that the host doesn't have any Windows personal firewall enabled, as that normally blocks incoming connections from a different subnet.