
ASA 5506x VPN connection issue with AnyConnect SSL-Client

bjmcveety
Level 1

First off, I am NOT a security guy. I purchased an ASA 5506x for the purpose of remote access to my home network. I applied a basic config and have been trying to set up AnyConnect through the CLI.

I am currently able to VPN, I receive an IP address from the proper pool BUT I am unable to get to my devices on my home network.  Any help or direction would be GREATLY appreciated!!

Attached is my config (with sensitive variables changed).

Thank you!

 


hostname ciscoasa
enable password weW74091009jkla8nk encrypted
names
ip local pool ANYCONNECT-POOL 192.168.100.100-192.168.100.125 mask 255.255.255.0
!
interface GigabitEthernet1/1
description ISP_CONNECTION
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet1/8
nameif NETWORK_2
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
banner login You are accessing a protected network. All connections are monitored and logged. Unauthorized access is strictly prohibited
banner asdm You are accessing a protected network. All connections are monitored and logged. Unauthorized access is strictly prohibited
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
object network NETWORK_2
subnet 172.16.1.0 255.255.255.0
object network NETWORK_1
subnet 172.16.0.0 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
subnet 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 19.10.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 19.30.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 19.10.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 19.20.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 19.70.67.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 172.16.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 19.0.0.0 255.0.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 524288
logging buffered notifications
logging asdm notifications
logging flash-bufferwrap
logging flash-minimum-free 8192
logging flash-maximum-allocation 65536
mtu outside 1500
mtu inside 1500
mtu NETWORK_2 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_2 NETWORK_2 destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_1 NETWORK_1 destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!
object network NETWORK_2
nat (NETWORK_2,outside) dynamic interface
object network NETWORK_1
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (NETWORK_2,outside) after-auto source dynamic any interface
route NETWORK_2 10.1.1.0 255.255.255.0 172.16.1.2 1
route NETWORK_2 10.3.1.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec authentication-server auto-enable
http server enable
http server session-timeout 60
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
fragment chain 1 outside
fragment chain 1 inside
sysopt noproxyarp inside
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcpd dns 8.8.8.8 4.4.2.2
dhcpd lease 10800
dhcpd ping_timeout 20
dhcpd domain NETWORK_2_local.com
dhcpd option 3 ip 172.16.0.1
!
dhcpd address 172.16.0.100-172.16.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 8.8.8.8 prefer
ntp server 8.8.4.4
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
wins-server none
dns-server value 8.8.8.8 4.4.2.2
vpn-idle-timeout 86400
vpn-session-timeout 86400
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value AnyConnect.com
webvpn
anyconnect mtu 1200
anyconnect ssl keepalive 20
anyconnect ask enable default anyconnect
dynamic-access-policy-record DfltAccessPolicy
username USERNAME password /kC70KN219ainknasud encrypted privilege 15
username USERNAME attributes
vpn-simultaneous-logins 1
service-type remote-access
username ADMIN password zQXfTinnqwe89qg0Vm encrypted privilege 15
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
address-pool ANYCONNECT-POOL
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile NETWORK_2TAC-1
no active
destination address http https://tools.NETWORK_2.com/its/service/oddce/services/DDCEService
destination address email callhome@NETWORK_2.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a49cdd4f9c2ae9c3711dc5b1306cf1c8
: end
NETWORK_2asa#
NETWORK_2asa#
NETWORK_2asa# conf t
NETWORK_2asa(config)# sysopt connection permit-vpn
NETWORK_2asa(config)#
NETWORK_2asa(config)#
NETWORK_2asa(config)# end
NETWORK_2asa#
The network connection was aborted by the local system.


You are accessing a protected network. All connections are monitored and logged. Unauthorized access is strictly prohibited
Type help or '?' for a list of available commands.
NETWORK_2asa# show run
: Saved

:
: Serial Number: JAD20030DYS
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
hostname NETWORK_2asa
enable password weW74A6kS2P7PcuV encrypted
names
ip local pool ANYCONNECT-POOL 192.168.100.100-192.168.100.125 mask 255.255.255.0
!
interface GigabitEthernet1/1
description ISP_CONNECTION
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
description NETWORK_1_NETWORK
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet1/8
description NETWORK_2_NETWORK
nameif NETWORK_2
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
banner login You are accessing a protected network. All connections are monitored and logged. Unauthorized access is strictly prohibited
banner asdm You are accessing a protected network. All connections are monitored and logged. Unauthorized access is strictly prohibited
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
object network NETWORK_2
subnet 172.16.1.0 255.255.255.0
object network NETWORK_1
subnet 172.16.0.0 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
subnet 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 19.10.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 19.30.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 19.10.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 19.20.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 19.70.67.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 172.16.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 19.0.0.0 255.0.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 524288
logging buffered notifications
logging asdm notifications
logging flash-bufferwrap
logging flash-minimum-free 8192
logging flash-maximum-allocation 65536
mtu outside 1500
mtu inside 1500
mtu NETWORK_2 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_2 NETWORK_2 destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_1 NETWORK_1 destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!
object network NETWORK_2
nat (NETWORK_2,outside) dynamic interface
object network NETWORK_1
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (NETWORK_2,outside) after-auto source dynamic any interface
route NETWORK_2 19.10.1.0 255.255.255.0 172.16.1.2 1
route NETWORK_2 19.30.1.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec authentication-server auto-enable
http server enable
http server session-timeout 60
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
fragment chain 1 outside
fragment chain 1 inside
sysopt noproxyarp inside
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcpd dns 8.8.8.8 4.4.2.2
dhcpd lease 10800
dhcpd ping_timeout 20
dhcpd domain NETWORK_2_local.com
dhcpd option 3 ip 172.16.0.1
!
dhcpd address 172.16.0.100-172.16.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 8.8.8.8 prefer
ntp server 8.8.4.4
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
wins-server none
dns-server value 8.8.8.8 4.4.2.2
vpn-idle-timeout 86400
vpn-session-timeout 86400
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value AnyConnect.com
webvpn
anyconnect mtu 1200
anyconnect ssl keepalive 20
anyconnect ask enable default anyconnect
dynamic-access-policy-record DfltAccessPolicy
username ratdog69 password /kC70KN2taDv01gQ encrypted privilege 15
username ratdog69 attributes
vpn-simultaneous-logins 1
service-type remote-access
username netech password zQXfTzhaopSxg0Vm encrypted privilege 15
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
address-pool ANYCONNECT-POOL
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile NETWORK_2TAC-1
no active
destination address http https://tools.NETWORK_2.com/its/service/oddce/services/DDCEService
destination address email callhome@NETWORK_2.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

3 Replies

Hi,

To access your local home network whilst connected to a VPN you would need to modify your split-tunnel configuration.

 

You need to modify the AnyConnect XML file and change <LocalLanAccess UserControllable="true">true</LocalLanAccess>

Create an ACL permitting from host to 0.0.0.0 and reference it in your GP.


access-list SPLIT-TUNNEL standard permit host 0.0.0.0

 

group-policy GP-1 attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT-TUNNEL

 

Here is another example
HTH

Thank you so much for the direction.

I made some changes to my environment, along with the changes you suggested. I am now able to get to my LAN via VPN! However it does not seem that the split tunnel is working properly. I can remote to all devices but am unable to surf to the internet while VPN'd.

I have attached my latest config. 

 

 

 


hostname ciscoasa
enable password weW74A6k98kjsaojV encrypted
names
ip local pool ANYCONNECT-POOL 172.16.20.100-172.16.20.125 mask 255.255.255.0
!
interface GigabitEthernet1/1
description ISP_CONNECTION
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
description DMZ_NETWORK
nameif DMZ
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/8
description inside_NETWORK
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
banner login You are accessing a protected network. All connections are monitored and logged. Unauthorized access is strictly prohibited
banner asdm You are accessing a protected network. All connections are monitored and logged. Unauthorized access is strictly prohibited
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
object network inside
subnet 10.1.1.0 255.255.255.0
object network DMZ
subnet 192.168.1.0 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
subnet 172.16.20.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit host 0.0.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 524288
logging buffered notifications
logging asdm notifications
logging flash-bufferwrap
logging flash-minimum-free 8192
logging flash-maximum-allocation 65536
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!
object network inside
nat (inside,outside) dynamic interface
object network DMZ
nat (DMZ,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ,outside) after-auto source dynamic any interface
route inside 10.0.0.0 255.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec authentication-server auto-enable
http server enable
http server session-timeout 60
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
fragment chain 1 outside
fragment chain 1 inside
sysopt noproxyarp inside
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcpd dns 8.8.8.8 4.4.2.2
dhcpd lease 10800
dhcpd ping_timeout 20
dhcpd domain DMZ_local.com
dhcpd option 3 ip 192.168.1.1
!
dhcpd address 192.168.1.100-192.168.1.254 DMZ
dhcpd enable DMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 8.8.8.8 prefer
ntp server 8.8.4.4
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
wins-server none
dns-server value 8.8.8.8 4.4.2.2
vpn-idle-timeout 86400
vpn-session-timeout 86400
vpn-tunnel-protocol ssl-client
split-tunnel-policy excludespecified
default-domain value AnyConnect.com
webvpn
anyconnect mtu 1200
anyconnect ssl keepalive 20
anyconnect ask enable default anyconnect
dynamic-access-policy-record DfltAccessPolicy
username USERNAME2 password /kC70AJJAoa8d01gQ encrypted privilege 15
username USERNAME2 attributes
vpn-simultaneous-logins 1
service-type remote-access
username USERNAME password zQXfkniunhjbmxg0Vm encrypted privilege 15
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
address-pool ANYCONNECT-POOL
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
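
Added example, not part of any post in this thread: a small Python audit of the split-tunnel settings in the two configs posted above. The excerpts are trimmed from those configs, the function names `parse` and `audit` are this example's own, and the checks assume standard ASA behaviour (`tunnelspecified` routes only the listed networks into the tunnel; any other policy sends the client's Internet traffic to the ASA, which then has to hairpin it on `outside`).

```python
import ipaddress
import re

# Constructed excerpts of the two configs posted in this thread (trimmed).
FIRST_POST = """\
interface GigabitEthernet1/7
 nameif inside
 ip address 172.16.0.1 255.255.255.0
interface GigabitEthernet1/8
 nameif NETWORK_2
 ip address 172.16.1.1 255.255.255.0
same-security-traffic permit inter-interface
access-list SPLIT-TUNNEL standard permit 172.16.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 19.0.0.0 255.0.0.0
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
"""
SECOND_POST = """\
interface GigabitEthernet1/8
 nameif inside
 ip address 10.1.1.1 255.255.255.0
same-security-traffic permit inter-interface
access-list SPLIT-TUNNEL standard permit host 0.0.0.0
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 split-tunnel-policy excludespecified
"""

def parse(config):
    """Return (interface subnets, standard ACL networks, group-policy split-tunnel settings)."""
    ifaces, acls, policies = {}, {}, {}
    nameif = policy = None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            nameif = None
        elif m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif nameif and (m := re.match(r"ip address (\d\S*) (\d\S*)", line)):
            ifaces[nameif] = ipaddress.ip_network("/".join(m.groups()), strict=False)
        elif m := re.match(r"access-list (\S+) standard permit (host )?(\d\S*) ?(\d\S*)?", line):
            name, host, addr, mask = m.groups()
            net = ipaddress.ip_network(f"{addr}/{'32' if host else mask}", strict=False)
            acls.setdefault(name, []).append(net)
        elif m := re.match(r"group-policy (\S+) attributes", line):
            policy = policies.setdefault(m.group(1), {"mode": "tunnelall", "acl": None})
        elif policy and (m := re.match(r"split-tunnel-policy (\S+)", line)):
            policy["mode"] = m.group(1)
        elif policy and (m := re.match(r"split-tunnel-network-list value (\S+)", line)):
            policy["acl"] = m.group(1)
    return ifaces, acls, policies

def audit(config):
    """List split-tunnel gaps that explain 'connected but cannot reach X' symptoms."""
    ifaces, acls, policies = parse(config)
    hairpin = "same-security-traffic permit intra-interface" in config
    findings = []
    for name, gp in policies.items():
        nets = acls.get(gp["acl"], [])
        if gp["mode"] != "tunnelall" and gp["acl"] is None:
            findings.append(f"{name}: {gp['mode']} has no split-tunnel-network-list")
        if gp["mode"] == "tunnelspecified":
            for ifname, subnet in ifaces.items():
                if not any(subnet.subnet_of(n) for n in nets):
                    findings.append(f"{name}: {ifname} {subnet} is not in {gp['acl']}, "
                                    "so the client does not route it into the tunnel")
        elif not hairpin:
            findings.append(f"{name}: Internet traffic enters the tunnel, but "
                            "intra-interface (hairpin) traffic is not permitted")
    return findings
```

`audit(FIRST_POST)` reports that `inside` 172.16.0.0/24 is missing from SPLIT-TUNNEL. `audit(SECOND_POST)` reports that `excludespecified` references no network list and that intra-interface traffic is not permitted.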

SteveNode03
Level 1

For me, I had to do this. SSH into the ASA. Ping my core switch. Good? Show route. Are the routes there? From the core, are the routes going back to the ASA? Also build a route from the core back to the ASA for the VPN subnet.

I was missing my route from the core switch back to the VPN subnet.

 

Another thing you can do is filter the traffic with the node that logs on to the ASA VPN.

 

Log on to your Cisco ASDM for the ASA, go to Monitoring > Logging > click View. Download the iPhone AnyConnect app > authenticate to the ASA > enter the private address under the filter and see if you get any packets passing through.