Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5663
Views
0
Helpful
22
Replies

Cannot access internal network though AnyConnect SSL VPN, ASA 9.1(6)

Go to solution
chris.curtiss
Level 1
Level 1

‎07-15-2015 12:02 PM - edited ‎02-21-2020 08:20 PM

Hello Cisco Support Community,

 

I have a lab that consists of a two virtual environments connected to a 3750-G switch which is connected to a 2901 router which is connected to an ASA 5512-X which is connected to my ISP gateway. I have configured SSL VPN using AnyConnect and can establish a VPN connection to the ASA from outside but once connected I cannot access the internal network resources or access the internet. My network information and ASA configuration is listed below. Thank you very much for any assistance you can offer.

 

ISP Gateway Network: 10.1.10.0 /24

ASA to Router Network: 10.1.40.0 /30

VPN DHCP Pool: 10.1.30.0 /24

Range Network: 10.1.20.0 /24

Development Network: 10.1.10.0 /24

 

: Saved
:
: Serial Number: FCH18477CPT
: Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA Version 9.1(6)1
!
hostname ctcndasa01
enable password bcn1WtX5vuf3YzS3 encrypted
names
ip local pool cnd-vpn-dhcp-pool 10.1.30.1-10.1.30.200 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.40.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address X.X.X.237 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa916-1-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.1.30.0_24
 subnet 10.1.30.0 255.255.255.0
object network obj_any
object network obj_10.1.40.0
 subnet 10.1.40.0 255.255.255.0
object network obj_10.1.30.0
 subnet 10.1.30.0 255.255.255.0
access-list outside_access_in extended permit ip object NETWORK_OBJ_10.1.30.0_24 any
access-list NAT-EXEMPT extended permit ip 10.1.40.0 255.255.255.0 10.1.30.0 255.255.255.0
access-list 101 extended permit icmp any4 any4 echo-reply
access-list split standard permit 10.1.40.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-743.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj_10.1.40.0 obj_10.1.40.0 destination static obj_10.1.30.0 obj_10.1.30.0 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
!
router eigrp 1
 network 10.1.10.0 255.255.255.0
 network 10.1.20.0 255.255.255.0
 network 10.1.30.0 255.255.255.0
 network 10.1.40.0 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
http X.X.X.238 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=10.1.30.254,CN=ctcndasa01
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate c902a155
    308201cd 30820136 a0030201 020204c9 02a15530 0d06092a 864886f7 0d010105
    0500302b 31133011 06035504 03130a63 74636e64 61736130 31311430 12060355
    0403130b 31302e31 2e33302e 32353430 1e170d31 35303731 32303530 3133315a
    170d3235 30373039 30353031 33315a30 2b311330 11060355 0403130a 6374636e
    64617361 30313114 30120603 55040313 0b31302e 312e3330 2e323534 30819f30
    0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a47cfc 6b5f8b9e
    9b106ad6 857ec34c 01028f71 d35fb7b5 6a61ea33 569fefca 3791657f eeee91f2
    705ab2ea 09207c4f dfbbc18a 749b19ae d3ca8aa7 3370510b a5a96fd4 f9e06332
    2e586ccc fa164c05 819d4355 db1a4b88 475f96a1 318f7031 40668a4d afa44384
    3ea59b78 5976f685 2abbdcf6 f3b448e5 30aa96a8 1ed4e178 4d020301 0001300d
    06092a86 4886f70d 01010505 00038181 0093656f 639e138e 90b69e66 b50190fc
    42d9b4a8 11828da4 e0765d9c 52d84f8b 8e70747e e760de88 c43dc5eb 1808bd0f
    fd2230c1 53f68ea1 00f3e956 97eb313e 26cc49d7 25b927b5 43d8d3fa f212fcaf
    59eb8104 98e3a1d9 e05d3bcb 428cd7c6 61b530f5 fe193d15 ef8c7f08 37ad16f5
    d8966b50 917a88bb f4f30d82 6f8b58ba 61
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 360
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0  vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
 anyconnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_cnd-vpn internal
group-policy GroupPolicy_cnd-vpn attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain none
username xxxx password GCOh1bma8K1tKZHa encrypted
tunnel-group cnd-vpn type remote-access
tunnel-group cnd-vpn general-attributes
 address-pool cnd-vpn-dhcp-pool
 default-group-policy GroupPolicy_cnd-vpn
tunnel-group cnd-vpn webvpn-attributes
 group-alias cnd-vpn enable
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:261228832f3b57983bcc2b4ed5a8a9d0
: end
asdm image disk0:/asdm-743.bin
no asdm history enable

 

 

Labels:
0 Helpful
22 Replies 22

Go to solution
rizwanr74
Level 7
Level 7
In response to chris.curtiss

‎07-17-2015 07:45 AM

can you please post a diagram of your toplogy.

0 Helpful

Go to solution
chris.curtiss
Level 1
Level 1
In response to rizwanr74

‎07-17-2015 10:13 AM

I added the webvpn | svc enable statement. Still no change.

Diagram attached.

 

Thanks

Chris

Preview file
404 KB
0 Helpful

Go to solution
rizwanr74
Level 7
Level 7
In response to chris.curtiss

‎07-17-2015 11:09 AM

Can you confirm this is correct, your diagram shows your public IP on ASA as /30 whereas you have assinged on "outside" interface as /29?

 

 

0 Helpful

Go to solution
chris.curtiss
Level 1
Level 1
In response to rizwanr74

‎07-17-2015 11:13 AM

This was a mistake on the diagram. The outside network is a /29

 

Correct diagram is attached.

Preview file
405 KB
0 Helpful

Go to solution
rizwanr74
Level 7
Level 7
In response to chris.curtiss

‎07-17-2015 11:26 AM

Are you able to ping a public IP, such as 4.2.2.2 from the ASA?

0 Helpful

Go to solution
chris.curtiss
Level 1
Level 1
In response to rizwanr74

‎07-17-2015 11:32 AM

Yes I can ping 4.2.2.2

0 Helpful

Go to solution
rizwanr74
Level 7
Level 7
In response to chris.curtiss

‎07-17-2015 06:33 PM

just for temp you may want to allow icmp any any on your ouside acl.

 

access-list outside_access_in line 1 extended permit icmp any any 

 

I can ping your default-gate address but not your ASA's outside address.

 

Can you post output from "show interface GigabitEthernet0/1"

0 Helpful

Go to solution
rizwanr74
Level 7
Level 7
In response to chris.curtiss

‎07-17-2015 08:01 AM

Please copy this line on "config mode" and try it.

 

webvpn
 svc enable

 

thanks

 

0 Helpful
Customers Also Viewed These Support Documents