1841 Views, 10 Helpful, 7 Replies

ASA 5510 AnyConnect VPN client can VPN in and get an IP but has no access to the internal LAN (ping, RDP, ...)

Hello, I am a newbie at this and I have been pulling my hair out for a week now and could not find a solution. I set up SSL VPN using the AnyConnect VPN wizard; after that I ran my AnyConnect client, got in and was assigned an IP within the VPN LAN pool, but I cannot access any internal LAN resource (ping, RDP, etc.) on any host in the LAN, not even ping the LAN gateway. Any help would be greatly appreciated! Below is my configuration.

 

: Saved
:
ASA Version 9.1(5) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
ip local pool VPN_ADD_POOL 10.10.20.2-10.10.20.5 mask 255.255.255.0
ip local pool VPN_SSL_POOL1 10.10.10.10-10.10.10.20 mask 255.255.255.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.0.201 255.255.255.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
boot system disk0:/asa915-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network OBJ-GENERIC-ALL
 subnet 0.0.0.0 0.0.0.0
object network OBJ-SPECIFIC-192_168_100_0
 subnet 192.168.100.0 255.255.255.0
 description LAN of RV110W behind inside
object network OBJ-192.168.0.1
 host 192.168.0.1
 description Rogers Gateway and Modem IP
object network OBJ-DNS-GOOGLE
 host 8.8.8.8
 description Google DNS server IP
object network NETWORK_OBJ_10.10.20.0_29
 subnet 10.10.20.0 255.255.255.248
object network NETWORK_OBJ_10.10.10.0_27
 subnet 10.10.10.0 255.255.255.224
object network RV110W
 host 10.10.10.254
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object icmp
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
access-list AnyConnect_Client_Local_Print extended permit object-group DM_INLINE_PROTOCOL_1 interface inside object OBJ-SPECIFIC-192_168_100_0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic OBJ-GENERIC-ALL interface
nat (inside,outside) source dynamic OBJ-SPECIFIC-192_168_100_0 OBJ-192.168.0.1
nat (inside,inside) source static OBJ-SPECIFIC-192_168_100_0 OBJ-SPECIFIC-192_168_100_0 destination static NETWORK_OBJ_10.10.20.0_29 NETWORK_OBJ_10.10.20.0_29 no-proxy-arp route-lookup
nat (inside,outside) source static OBJ-SPECIFIC-192_168_100_0 OBJ-SPECIFIC-192_168_100_0 destination static NETWORK_OBJ_10.10.20.0_29 NETWORK_OBJ_10.10.20.0_29 no-proxy-arp route-lookup
nat (inside,outside) source static OBJ-SPECIFIC-192_168_100_0 OBJ-SPECIFIC-192_168_100_0 destination static NETWORK_OBJ_10.10.10.0_27 NETWORK_OBJ_10.10.10.0_27 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.20.0_29 NETWORK_OBJ_10.10.20.0_29 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 
route inside 0.0.0.0 0.0.0.0 10.10.10.254 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_LRZ_Trustpoint01
 enrollment self
 subject-name CN=ciscoasa
 keypair MyHomeVPNSSL_LRZ
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_LRZ_Trustpoint01
 certificate 9d04f65e
    308202d4 308201bc a0030201 0202049d 04f65e30 0d06092a 864886f7 0d010105 
    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648 
    86f70d01 09021608 63697363 6f617361 301e170d 32303036 32363135 30343035 
    5a170d33 30303632 34313530 3430355a 302c3111 300f0603 55040313 08636973 
    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613082 
    0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100ea 
    297574c1 54f5592c 8a86ab2d e89b728c 9e91b8d9 13da19b6 01507e83 468628d1 
    648afea7 b275323d 65e1ae49 7df1d8cc 0322d345 98c13cb2 d8856119 5b8d1245 
    25402122 5d3dcfe2 2dcf8d91 6adb80e3 040e10a7 39efe052 5ad96948 c2e2322f 
    543f4424 05f2ae4f 33ceaf21 c5cccd34 0cd990ca f218bc5f f91bc75b aff02a2f 
    df3f9681 8c95cdc4 c562d7a3 edc42b52 071e7831 443db853 afb25526 91b46953 
    3cbfc672 8536bedb 393ed65a c530586e d434964d 4ca8217d 436d17b4 cf3e60be 
    dce6c41c 2f4b688d 1c0705de 24be731e 22fdbf8b 21eb7669 b61327ce e65dd5e7 
    1214db8d dea23301 2a890983 70b7e83f 5aa11b19 b4164b72 d12630c3 d604b702 
    03010001 300d0609 2a864886 f70d0101 05050003 82010100 8213f7bd 143a6c37 
    e88465ea c3132e9a f53ef7ef 9bf0ff68 f6bad438 265d3cad 370ec06f 102ce5b4 
    398dee8c 75c87856 197ce5f6 408cdcf7 dfdb0ac7 ff9c8014 ff3e262c e6aa8fd6 
    f15d8560 e4036342 ea029abe 653318cc 1e97d850 e67a5b15 22960e19 991222b9 
    42bc4d7e 26a7bae6 93ab47e6 bf33ca6b 8a23ae49 7b3f8e5e d23848cd 3963f5a8 
    296e4272 b9a1aac8 68950c32 16dc2664 f1d704bd b3f597f1 b0ee019f 1c814178 
    17ed3674 7a90dbec 86f87b66 e01fd1fa 4d4f159f 7f1c61d9 866eeac7 6c607d48 
    8060aaa3 a2ec80ce 6e726c67 980a8ed1 5b745dfa f04ba37e c12a18fb 6cc1ab7c 
    3161a4b8 a21a8176 8027df0c 065d40f4 fad37d32 da6c8d95
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_LRZ_Trustpoint01 outside
ssl trust-point ASDM_LRZ_Trustpoint01 inside
webvpn
 enable outside
 enable inside
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_MySSLVPN internal
group-policy GroupPolicy_MySSLVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client 
 default-domain none
username rlai password S9hNxLnK8M9KCmhx encrypted
tunnel-group MySSLVPN type remote-access
tunnel-group MySSLVPN general-attributes
 address-pool VPN_ADD_POOL
 default-group-policy GroupPolicy_MySSLVPN
tunnel-group MySSLVPN webvpn-attributes
 group-alias MySSLVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8b7e4b6eeefbcd7abe0e906476805530
: end
asdm image disk0:/asdm-761.bin
no asdm history enable
Accepted Solution
Hi Balaji, thanks for your reply. I have spent the past 2 days testing and testing based on the info you posted, but it seems no luck for me. I checked the NAT exemption and ACL, which I do have, but I am not sure whether the ACL I configured is correct or not. Also, for the VPN filter missing in the VPN profile, I pretty much followed the example in the YouTube post at the link you sent over, and no luck at all. Would you be able to take my newest configuration file and enlighten me?

: Saved
:
ASA Version 9.1(5) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
ip local pool Anyconnect-Pool 10.253.253.2-10.253.253.10 mask 255.255.255.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.0.201 255.255.255.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
boot system disk0:/asa915-k8.bin
ftp mode passive
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network OBJ_SPECIFIC_192-168-1-0
 subnet 192.168.1.0 255.255.255.0
object network Rogers_Gateway
 host 192.168.1.0
object network NETWORK_OBJ_10.253.253.0_28
 subnet 10.253.253.0 255.255.255.240
object network RV110W
 host 10.10.10.254
access-list SPIT-TUNEL standard permit 10.10.10.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
nat (inside,outside) source dynamic OBJ_SPECIFIC_192-168-1-0 Rogers_Gateway
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.253.253.0_28 NETWORK_OBJ_10.253.253.0_28 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 
route inside 0.0.0.0 0.0.0.0 10.10.10.254 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0_LRZ
 enrollment terminal
 subject-name CN=ciscoasa
 keypair MyKeyPair
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair MyKeyPair
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate cf05fa5e
    308202d4 308201bc a0030201 020204cf 05fa5e30 0d06092a 864886f7 0d010105 
    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648 
    86f70d01 09021608 63697363 6f617361 301e170d 32303036 32393135 34373431 
    5a170d33 30303632 37313534 3734315a 302c3111 300f0603 55040313 08636973 
    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613082 
    0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100ee 
    30816c09 e0fe5909 b09075a7 199bc910 d117cca3 b3f39331 14cf342d 1a7f52f0 
    2df26f5e 9d6daf52 12b51f11 4d463e64 6dac441b efb9f537 ca362c20 2883238a 
    2200326d cdd22f0d d5f05b52 2f37a726 5fbe5369 3479a340 56f28c2d d3c6c26a 
    b266bbb4 13a2efcc 4ff5b607 f88eed72 cba44424 897f88fa d8711eac 1f01d6c2 
    3ec5a53c 78b9d531 b540c9fd a0937c3a 94a0cec8 7a4caf58 7295a8f0 c001b523 
    0100569a 8ede8c47 f652de26 d85c95d9 6f0ee5ec f2a673ab 9e755439 b1e02391 
    60a18de5 74a3b4e8 2a41787e 15a65c6d c44be063 01297d16 92821ddb 71a33186 
    c4ce769d 30dbe17a aa150284 c33b7523 aabbdb2f b43a028a 55994bae 4553b502 
    03010001 300d0609 2a864886 f70d0101 05050003 82010100 a2ae8992 51a480be 
    dacc5dd7 397a1dcc d0dac6dc 5417829d 137368d5 44a86ae6 20b8a113 bf0e19e6 
    6cf516ac e7a86e85 4b671206 26d52782 0c08e8f5 62012861 39a204fa 94b625df 
    39dca2e8 b2bc3b4c 1a212541 3d973d0f 8d7ff69d 499aba5f ef7c02ac 41b25bd8 
    66b721ad 2521acee ebf47314 8c93164c 3e4e76fd 06e72d03 af90e725 1cb6bb4e 
    01e54df7 f9f19bc5 5c76ec59 cd0d7a0c 21508771 87f0d39e a8b80915 83801f6b 
    c049c7bb b3735a24 86cda685 b0ecc8ed f9470533 67100c8d 4e5a304b 804f8ef0 
    70e5163b 664dc4b6 9dcf5589 76cfdc9e 2a3805d2 e9ff8abc 6590b024 1aadb0a7 
    be3771e9 ef154c5e 8cb65013 a8cf6374 6ac81cd7 4b0b699f
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client 
 split-tunnel-network-list value SPIT-TUNEL
 default-domain none
username rlai password S9hNxLnK8M9KCmhx encrypted
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool Anyconnect-Pool
 default-group-policy GroupPolicy_SSLVPN
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:491b3e53feda9d071c57c98c2f8d654c
: end
asdm image disk0:/asdm-761.bin
no asdm history enable

7 Replies

balaji.bandi (Hall of Fame)

Check two things that are missing here at a high level:

NAT exemption, and an ACL or VPN filter, are missing in the VPN profile.

Here is an example guide:

https://www.petenetlive.com/KB/Article/0000943

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @richardlaiCanada 

The order of your NAT rules is important; your traffic is probably being NATed by your first NAT rule. You can check which NAT rule is being matched by running the command "show nat detail" and looking at the translated and untranslated hits.

 

You can move the first NAT rule to after your NAT exemption rule using the following:

 

no nat (INSIDE,OUTSIDE) source dynamic OBJ_GENERIC_ALL interface
nat (INSIDE,OUTSIDE) after-auto source dynamic OBJ_GENERIC_ALL interface

 HTH
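To make the order-of-operations point in the reply above concrete (and Balaji's earlier point that the NAT exemption has to actually be reached), here is an added example that is not part of the thread and not Cisco code: a small Python model of the ASA's first-match manual-NAT lookup. It takes the object and nat lines from the second posted config, looks up what happens to an inside host's reply towards a VPN-pool address, and repeats the lookup after the dynamic PAT rule is re-added with after-auto as suggested. The model is a deliberate simplification (it covers only manual NAT in the inside-to-outside direction, sections 1 and 3, and ignores object NAT and reverse-direction matching on mapped addresses); the host addresses 10.10.10.50 and 10.253.253.3 are assumed, while the rules and their order are taken from the thread.

```python
"""Added example: a simplified model of Cisco ASA manual (twice) NAT ordering,
first match wins, section 1 rules before 'after-auto' (section 3) rules.
Not Cisco code.  The object and nat lines below are copied from the second
config in the thread; the hosts used for the lookups are assumed."""
import ipaddress
import re
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# NAT-relevant lines from the posted config (constructed from the thread).
ORIGINAL_CFG = """\
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network OBJ_SPECIFIC_192-168-1-0
 subnet 192.168.1.0 255.255.255.0
object network Rogers_Gateway
 host 192.168.1.0
object network NETWORK_OBJ_10.253.253.0_28
 subnet 10.253.253.0 255.255.255.240
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
nat (inside,outside) source dynamic OBJ_SPECIFIC_192-168-1-0 Rogers_Gateway
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.253.253.0_28 NETWORK_OBJ_10.253.253.0_28 no-proxy-arp route-lookup
"""

# Same config after 'no nat ...' and re-adding the PAT rule with 'after-auto'.
FIXED_CFG = ORIGINAL_CFG.replace(
    "nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface\n", ""
) + "nat (inside,outside) after-auto source dynamic OBJ_GENERIC_ALL interface\n"


@dataclass
class NatRule:
    text: str
    after_auto: bool                 # True: section 3, evaluated after all section 1 rules
    kind: str                        # "dynamic" or "static"
    real_src: ipaddress.IPv4Network
    real_dst: ipaddress.IPv4Network  # ANY when the rule has no destination clause
    mapped_src: str                  # object name or "interface"
    identity: bool                   # static rule whose real and mapped source are the same


def parse_objects(cfg):
    """Map 'object network' names to networks (subnet and host forms only)."""
    objs, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s+subnet (\S+) (\S+)", line)):
            objs[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif current and (m := re.match(r"\s+host (\S+)", line)):
            objs[current] = ipaddress.ip_network(m.group(1))
    return objs


def parse_nat_rules(cfg):
    """Parse manual NAT lines and return them in ASA evaluation order."""
    objs = parse_objects(cfg)
    resolve = lambda name: ANY if name == "any" else objs[name]
    rules = []
    for line in cfg.splitlines():
        if not line.startswith("nat ("):
            continue
        tok = line.split()
        i = tok.index("source")
        kind, real, mapped = tok[i + 1], tok[i + 2], tok[i + 3]
        real_dst = resolve(tok[tok.index("destination") + 2]) if "destination" in tok else ANY
        rules.append(NatRule(line, "after-auto" in tok, kind, resolve(real), real_dst,
                             mapped, kind == "static" and real == mapped))
    # Section 1 keeps config order; every after-auto rule comes after all of section 1.
    return [r for r in rules if not r.after_auto] + [r for r in rules if r.after_auto]


def match_nat(rules, src, dst):
    """First-match lookup for a packet leaving inside towards outside (or a VPN client)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((r for r in rules if s in r.real_src and d in r.real_dst), None)


def translation_for(cfg, src, dst):
    """Human-readable result of the NAT lookup for src -> dst under the given config."""
    r = match_nat(parse_nat_rules(cfg), src, dst)
    if r is None:
        return "no NAT rule matched"
    if r.kind == "dynamic":
        return "dynamic PAT to " + ("outside interface" if r.mapped_src == "interface" else r.mapped_src)
    return "identity NAT (exemption)" if r.identity else f"static NAT to {r.mapped_src}"


if __name__ == "__main__":
    inside_host, vpn_client = "10.10.10.50", "10.253.253.3"  # assumed addresses
    for label, cfg in (("original order", ORIGINAL_CFG), ("PAT rule after-auto", FIXED_CFG)):
        print(f"{label}: {inside_host} -> {vpn_client}: {translation_for(cfg, inside_host, vpn_client)}")
        print(f"{label}: {inside_host} -> 8.8.8.8: {translation_for(cfg, inside_host, '8.8.8.8')}")
```

Run it as a script to see the two lookups side by side: with the original order, the reply from an inside host to a VPN client hits the catch-all dynamic PAT rule and is never exempted; with the PAT rule moved to after-auto, the same packet hits the identity rule while ordinary Internet-bound traffic still gets PATed. On the real box the equivalent check is the one in the reply above, `show nat detail`: the translate hit counters on the `source dynamic OBJ_GENERIC_ALL interface` line tell you whether inside-to-VPN traffic is being PATed before the exemption is reached.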

This may be due to your generic network object. I am sure the first NAT rule is being hit, as per the order of operations you can view as suggested (maybe you can use a specific IP address space in the network group and check).

 

object network OBJ_GENERIC_ALL
subnet 0.0.0.0 0.0.0.0

 

Or try the other option suggested by @Rob Ingram.

 

BB


Thanks Rob,

 

I have it working now, as I mentioned in another reply. I forgot I have an RV110W in the LAN, and there is another firewall there; as soon as I stopped the second firewall and made it a router, I got everything working.

 

Thanks

 

Richard

I think I have it working now. I have an RV110W which has a firewall; it was actually blocking traffic from the internal LAN to the LAN behind the RV110W.

Glad you were able to figure out the issue and solve it. Thanks for the feedback.

BB
