06-27-2020 07:35 PM
Hello, I am a newbie at this and I have been pulling my hair out for a week now; I could not find a solution. I set up SSL VPN using the AnyConnect VPN wizard. After that, I run my AnyConnect client, get in and am assigned an IP within the VPN LAN pool, but I cannot access any internal LAN resource (ping, RDP etc.) on any host in the LAN, not even ping the LAN gateway. Any help will be greatly appreciated! Below is my configuration.
: Saved
:
ASA Version 9.1(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
ip local pool VPN_ADD_POOL 10.10.20.2-10.10.20.5 mask 255.255.255.0
ip local pool VPN_SSL_POOL1 10.10.10.10-10.10.10.20 mask 255.255.255.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.0.201 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa915-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network OBJ-GENERIC-ALL
 subnet 0.0.0.0 0.0.0.0
object network OBJ-SPECIFIC-192_168_100_0
 subnet 192.168.100.0 255.255.255.0
 description LAN of RV110W behind inside
object network OBJ-192.168.0.1
 host 192.168.0.1
 description Rogers Gateway and Modem IP
object network OBJ-DNS-GOOGLE
 host 8.8.8.8
 description Google DNS server IP
object network NETWORK_OBJ_10.10.20.0_29
 subnet 10.10.20.0 255.255.255.248
object network NETWORK_OBJ_10.10.10.0_27
 subnet 10.10.10.0 255.255.255.224
object network RV110W
 host 10.10.10.254
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object icmp
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list AnyConnect_Client_Local_Print extended permit object-group DM_INLINE_PROTOCOL_1 interface inside object OBJ-SPECIFIC-192_168_100_0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic OBJ-GENERIC-ALL interface
nat (inside,outside) source dynamic OBJ-SPECIFIC-192_168_100_0 OBJ-192.168.0.1
nat (inside,inside) source static OBJ-SPECIFIC-192_168_100_0 OBJ-SPECIFIC-192_168_100_0 destination static NETWORK_OBJ_10.10.20.0_29 NETWORK_OBJ_10.10.20.0_29 no-proxy-arp route-lookup
nat (inside,outside) source static OBJ-SPECIFIC-192_168_100_0 OBJ-SPECIFIC-192_168_100_0 destination static NETWORK_OBJ_10.10.20.0_29 NETWORK_OBJ_10.10.20.0_29 no-proxy-arp route-lookup
nat (inside,outside) source static OBJ-SPECIFIC-192_168_100_0 OBJ-SPECIFIC-192_168_100_0 destination static NETWORK_OBJ_10.10.10.0_27 NETWORK_OBJ_10.10.10.0_27 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.20.0_29 NETWORK_OBJ_10.10.20.0_29 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route inside 0.0.0.0 0.0.0.0 10.10.10.254 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_LRZ_Trustpoint01
 enrollment self
 subject-name CN=ciscoasa
 keypair MyHomeVPNSSL_LRZ
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_LRZ_Trustpoint01
 certificate 9d04f65e
    308202d4 308201bc a0030201 0202049d 04f65e30 0d06092a 864886f7 0d010105
    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
    86f70d01 09021608 63697363 6f617361 301e170d 32303036 32363135 30343035
    5a170d33 30303632 34313530 3430355a 302c3111 300f0603 55040313 08636973
    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613082
    0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100ea
    297574c1 54f5592c 8a86ab2d e89b728c 9e91b8d9 13da19b6 01507e83 468628d1
    648afea7 b275323d 65e1ae49 7df1d8cc 0322d345 98c13cb2 d8856119 5b8d1245
    25402122 5d3dcfe2 2dcf8d91 6adb80e3 040e10a7 39efe052 5ad96948 c2e2322f
    543f4424 05f2ae4f 33ceaf21 c5cccd34 0cd990ca f218bc5f f91bc75b aff02a2f
    df3f9681 8c95cdc4 c562d7a3 edc42b52 071e7831 443db853 afb25526 91b46953
    3cbfc672 8536bedb 393ed65a c530586e d434964d 4ca8217d 436d17b4 cf3e60be
    dce6c41c 2f4b688d 1c0705de 24be731e 22fdbf8b 21eb7669 b61327ce e65dd5e7
    1214db8d dea23301 2a890983 70b7e83f 5aa11b19 b4164b72 d12630c3 d604b702
    03010001 300d0609 2a864886 f70d0101 05050003 82010100 8213f7bd 143a6c37
    e88465ea c3132e9a f53ef7ef 9bf0ff68 f6bad438 265d3cad 370ec06f 102ce5b4
    398dee8c 75c87856 197ce5f6 408cdcf7 dfdb0ac7 ff9c8014 ff3e262c e6aa8fd6
    f15d8560 e4036342 ea029abe 653318cc 1e97d850 e67a5b15 22960e19 991222b9
    42bc4d7e 26a7bae6 93ab47e6 bf33ca6b 8a23ae49 7b3f8e5e d23848cd 3963f5a8
    296e4272 b9a1aac8 68950c32 16dc2664 f1d704bd b3f597f1 b0ee019f 1c814178
    17ed3674 7a90dbec 86f87b66 e01fd1fa 4d4f159f 7f1c61d9 866eeac7 6c607d48
    8060aaa3 a2ec80ce 6e726c67 980a8ed1 5b745dfa f04ba37e c12a18fb 6cc1ab7c
    3161a4b8 a21a8176 8027df0c 065d40f4 fad37d32 da6c8d95
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_LRZ_Trustpoint01 outside
ssl trust-point ASDM_LRZ_Trustpoint01 inside
webvpn
 enable outside
 enable inside
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_MySSLVPN internal
group-policy GroupPolicy_MySSLVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain none
username rlai password S9hNxLnK8M9KCmhx encrypted
tunnel-group MySSLVPN type remote-access
tunnel-group MySSLVPN general-attributes
 address-pool VPN_ADD_POOL
 default-group-policy GroupPolicy_MySSLVPN
tunnel-group MySSLVPN webvpn-attributes
 group-alias MySSLVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8b7e4b6eeefbcd7abe0e906476805530
: end
asdm image disk0:/asdm-761.bin
no asdm history enable
06-29-2020 10:40 AM
Hi Balaji, thanks for your reply. I have spent the past 2 days testing and testing based on the info you posted; it seems no luck for me. I checked the NAT exemption and ACL, which I do have, but I am not sure if the ACL I configured is correct or not. Also, for the VPN filter missing in the VPN profile, I pretty much followed the example of the YouTube post with the link you sent over; no luck at all. Will you be able to take my newest configuration file and enlighten me?
: Saved
:
ASA Version 9.1(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
ip local pool Anyconnect-Pool 10.253.253.2-10.253.253.10 mask 255.255.255.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.0.201 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa915-k8.bin
ftp mode passive
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network OBJ_SPECIFIC_192-168-1-0
 subnet 192.168.1.0 255.255.255.0
object network Rogers_Gateway
 host 192.168.1.0
object network NETWORK_OBJ_10.253.253.0_28
 subnet 10.253.253.0 255.255.255.240
object network RV110W
 host 10.10.10.254
access-list SPIT-TUNEL standard permit 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
nat (inside,outside) source dynamic OBJ_SPECIFIC_192-168-1-0 Rogers_Gateway
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.253.253.0_28 NETWORK_OBJ_10.253.253.0_28 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route inside 0.0.0.0 0.0.0.0 10.10.10.254 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0_LRZ
 enrollment terminal
 subject-name CN=ciscoasa
 keypair MyKeyPair
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair MyKeyPair
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate cf05fa5e
    308202d4 308201bc a0030201 020204cf 05fa5e30 0d06092a 864886f7 0d010105
    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
    86f70d01 09021608 63697363 6f617361 301e170d 32303036 32393135 34373431
    5a170d33 30303632 37313534 3734315a 302c3111 300f0603 55040313 08636973
    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613082
    0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100ee
    30816c09 e0fe5909 b09075a7 199bc910 d117cca3 b3f39331 14cf342d 1a7f52f0
    2df26f5e 9d6daf52 12b51f11 4d463e64 6dac441b efb9f537 ca362c20 2883238a
    2200326d cdd22f0d d5f05b52 2f37a726 5fbe5369 3479a340 56f28c2d d3c6c26a
    b266bbb4 13a2efcc 4ff5b607 f88eed72 cba44424 897f88fa d8711eac 1f01d6c2
    3ec5a53c 78b9d531 b540c9fd a0937c3a 94a0cec8 7a4caf58 7295a8f0 c001b523
    0100569a 8ede8c47 f652de26 d85c95d9 6f0ee5ec f2a673ab 9e755439 b1e02391
    60a18de5 74a3b4e8 2a41787e 15a65c6d c44be063 01297d16 92821ddb 71a33186
    c4ce769d 30dbe17a aa150284 c33b7523 aabbdb2f b43a028a 55994bae 4553b502
    03010001 300d0609 2a864886 f70d0101 05050003 82010100 a2ae8992 51a480be
    dacc5dd7 397a1dcc d0dac6dc 5417829d 137368d5 44a86ae6 20b8a113 bf0e19e6
    6cf516ac e7a86e85 4b671206 26d52782 0c08e8f5 62012861 39a204fa 94b625df
    39dca2e8 b2bc3b4c 1a212541 3d973d0f 8d7ff69d 499aba5f ef7c02ac 41b25bd8
    66b721ad 2521acee ebf47314 8c93164c 3e4e76fd 06e72d03 af90e725 1cb6bb4e
    01e54df7 f9f19bc5 5c76ec59 cd0d7a0c 21508771 87f0d39e a8b80915 83801f6b
    c049c7bb b3735a24 86cda685 b0ecc8ed f9470533 67100c8d 4e5a304b 804f8ef0
    70e5163b 664dc4b6 9dcf5589 76cfdc9e 2a3805d2 e9ff8abc 6590b024 1aadb0a7
    be3771e9 ef154c5e 8cb65013 a8cf6374 6ac81cd7 4b0b699f
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-network-list value SPIT-TUNEL
 default-domain none
username rlai password S9hNxLnK8M9KCmhx encrypted
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool Anyconnect-Pool
 default-group-policy GroupPolicy_SSLVPN
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:491b3e53feda9d071c57c98c2f8d654c
: end
asdm image disk0:/asdm-761.bin
no asdm history enable
06-27-2020 09:34 PM
Check 2 things missing here on a high level:
NAT exemption, and ACL or VPN filter missing in the VPN profile.
Here is an example guide:
06-29-2020 11:17 AM
The order of your NAT rules is important; your traffic is probably being NATted by your first NAT rule. You can check which NAT rule is being matched by running the command "show nat detail" and looking at the translated and untranslated hits.
You can move the first NAT rule to after your NAT exemption rule using the following:
no nat (INSIDE,OUTSIDE) source dynamic OBJ_GENERIC_ALL interface
nat (INSIDE,OUTSIDE) after-auto source dynamic OBJ_GENERIC_ALL interface
HTH
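The NAT-ordering point in Rob's reply, and the NAT-exemption check Balaji raised earlier, can be worked through offline before touching the box. The script below is an added example for this thread, not Cisco code and not from any of the posters. It parses the object and NAT lines of an ASA config (the constructed input is copied from Richard's second config), evaluates them in the ASA's section order (section 1 manual rules in configured order, then section 3 after-auto rules; object NAT, section 2, is not present in this config), reports which rule a flow from an inside host to an AnyConnect client address would hit, and re-evaluates after applying the two commands from Rob's reply. The flow addresses 10.10.10.50 and 10.253.253.3 are constructed sample values; on the real ASA the same question is answered by "show nat detail", as Rob says.

```python
"""Evaluate a Cisco ASA NAT table in the order the ASA does and report which
rule a flow hits.  Added example for this thread, not Cisco code.

Manual (twice) NAT is matched top-down in three sections: section 1 holds the
manual rules in configured order, section 2 the object (auto) NAT rules (none
in this config) and section 3 the manual rules tagged 'after-auto'.  A
catch-all dynamic PAT in section 1 therefore wins over a VPN identity
(NAT-exemption) rule configured below it.
"""
import ipaddress
import re
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed input: the object and NAT lines from the second config in the thread.
ASA_CONFIG = """\
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network OBJ_SPECIFIC_192-168-1-0
 subnet 192.168.1.0 255.255.255.0
object network Rogers_Gateway
 host 192.168.1.0
object network NETWORK_OBJ_10.253.253.0_28
 subnet 10.253.253.0 255.255.255.240
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
nat (inside,outside) source dynamic OBJ_SPECIFIC_192-168-1-0 Rogers_Gateway
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.253.253.0_28 NETWORK_OBJ_10.253.253.0_28 no-proxy-arp route-lookup
"""

NAT_RE = re.compile(
    r"nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<after>after-auto )?"
    r"source (?P<kind>static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?"
)


@dataclass
class NatRule:
    line: str
    section: int          # 1 = manual NAT, 3 = manual NAT after-auto
    order: int            # position within its section
    real_if: str
    mapped_if: str
    src_kind: str         # 'static' or 'dynamic'
    src_real: ipaddress.IPv4Network
    dst_mapped: ipaddress.IPv4Network   # 0.0.0.0/0 when there is no destination clause
    is_identity: bool     # static rule whose source and destination translate to themselves


def parse_objects(cfg: str) -> dict:
    """Collect 'object network' definitions as IPv4 networks (hosts become /32)."""
    objects, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"object network (\S+)", line):
            current = m.group(1)
        elif current and (m := re.fullmatch(r"subnet (\S+) (\S+)", line)):
            objects[current] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif current and (m := re.fullmatch(r"host (\S+)", line)):
            objects[current] = ipaddress.ip_network(f"{m[1]}/32")
    return objects


def resolve(name: str, objects: dict) -> ipaddress.IPv4Network:
    return ANY if name in ("any", "any4") else objects[name]


def parse_nat(cfg: str) -> list:
    """Parse manual NAT lines; 'after-auto' puts a rule in section 3, otherwise section 1."""
    objects = parse_objects(cfg)
    rules, position = [], {1: 0, 3: 0}
    for raw in cfg.splitlines():
        m = NAT_RE.match(raw.strip())
        if not m:
            continue
        section = 3 if m["after"] else 1
        rules.append(NatRule(
            line=raw.strip(), section=section, order=position[section],
            real_if=m["real_if"], mapped_if=m["mapped_if"], src_kind=m["kind"],
            src_real=resolve(m["src_real"], objects),
            dst_mapped=resolve(m["dst_mapped"], objects) if m["dst_mapped"] else ANY,
            is_identity=(m["kind"] == "static" and m["src_real"] == m["src_mapped"]
                         and m["dst_mapped"] is not None and m["dst_mapped"] == m["dst_real"]),
        ))
        position[section] += 1
    return rules


def match_flow(rules: list, ingress_if: str, src_ip: str, dst_ip: str):
    """First rule the ASA would apply to a packet entering ingress_if, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: (r.section, r.order)):
        if rule.real_if == ingress_if and src in rule.src_real and dst in rule.dst_mapped:
            return rule
    return None


def after_auto_commands(rule: NatRule) -> list:
    """The two commands from Rob Ingram's reply: delete the rule, re-add it in section 3."""
    head = f"nat ({rule.real_if},{rule.mapped_if}) "
    return ["no " + rule.line, head + "after-auto " + rule.line[len(head):]]


def apply_commands(cfg: str, commands: list) -> str:
    """Apply 'no nat ...' / 'nat ...' lines to a config text (new rules are appended)."""
    lines = cfg.splitlines()
    for cmd in commands:
        if cmd.startswith("no "):
            lines = [l for l in lines if l.strip() != cmd[3:]]
        else:
            lines.append(cmd)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hit = match_flow(parse_nat(ASA_CONFIG), "inside", "10.10.10.50", "10.253.253.3")
    print("before:", hit.line)          # the catch-all dynamic PAT wins
    fixed = apply_commands(ASA_CONFIG, after_auto_commands(hit))
    hit = match_flow(parse_nat(fixed), "inside", "10.10.10.50", "10.253.253.3")
    print("after: ", hit.line)          # the identity (NAT-exemption) rule wins
```

Before the change, a packet from 10.10.10.50 to a VPN client at 10.253.253.3 matches the first rule and is PATted to the outside interface address, so the client never sees the inside host's real address and the return traffic breaks; after the generic rule is re-added with after-auto, the identity rule matches that flow while Internet-bound traffic still falls through to the PAT rule in section 3.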
06-29-2020 11:44 AM
May be due to your generic network object; I am sure the first NAT rule is hitting, as per the order of operation you can view as suggested. (Maybe you can go with a specific IP address space in the network group and check.)
object network OBJ_GENERIC_ALL
subnet 0.0.0.0 0.0.0.0
or try the other option as suggested by @Rob Ingram
06-29-2020 12:07 PM
Thanks Rob,
I have it working now, as I mentioned in another reply. I forgot I have an RV110W in the LAN and there is another firewall; as soon as I stopped the second firewall and made it a router, I got everything working.
Thanks
Richard
06-29-2020 12:05 PM
I think I got it working now. I have an RV110W which has a firewall; it actually blocks traffic from the internal LAN to the LAN behind the RV110W.
06-29-2020 01:02 PM
Glad you were able to figure out the issue and solve it. Thanks for the feedback.