Solved: Help please - VPN AnyConnect Hairpinning configuration

support · ‎09-18-2011

Hi there, forgive me if I missed any forum protocols as this is my first post.

I am trying to configure an AnyConnect VPN and I think it's almost there but not quite yet. When I login from an outside network it gives me the following error "... No address available for SVC connection". I checked the address pools and from what I can see they are assigned to the correct profile. I am trying to also do Hairpinning, I want all VPN traffic to pass through this router... remote LAN and Internet traffic for times when I am at unfamiliar wifi hotspots. I have been trying to get this working for over 1 week along with scouring many different forums. I have included my running config for anyone to assist me with. I greatly appreciate any replies to get me on the right track. Thank you.

Update 15 minutes later: I assigned my SSLVPN IP pool to the DefaultWebVPNGroup and it connected but I was unable to browse the web or ping any network resources. I would like to disable the "DefaultWebVPNGroup" without any consequences to the setup. Do I even need to disable it???

-------------------------------------------------------------------------------

Result of the command: "show running-config"

: Saved

:

ASA Version 8.4(2)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.123.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

boot system disk0:/asa842-k8.bin

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 208.67.220.220

name-server 208.67.222.222

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object tcp destination eq https

service-object tcp destination eq pptp

service-object tcp destination eq www

object-group service DM_INLINE_SERVICE_2

service-object ip

service-object tcp destination eq https

service-object tcp destination eq pptp

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 192.168.123.0 255.255.255.0

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.123.0 255.255.255.0 any

access-list ACL1 standard permit any

access-list ACL1 standard permit 192.168.123.0 255.255.255.0

access-list nat0 extended permit ip any 192.168.123.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool SSLVPNpool 192.168.132.50-192.168.132.60 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

nat (outside,inside) source dynamic any interface

nat (inside,outside) source dynamic any interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 76.x.x.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.123.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd dns 208.67.220.220 208.67.222.222

dhcpd auto_config outside

!

dhcpd address 192.168.123.150-192.168.123.181 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable inside

enable outside

anyconnect image disk0:/anyconnect-win-2.5.3054-k9.pkg 1

anyconnect image disk0:/anyconnect-macosx-i386-2.5.3054-k9.pkg 2

anyconnect enable

group-policy SSLVPN internal

group-policy SSLVPN attributes

vpn-tunnel-protocol ssl-client

split-tunnel-policy tunnelall

default-domain none

address-pools value SSLVPNpool

webvpn

anyconnect keep-installer installed

anyconnect ssl rekey time 30

anyconnect ssl rekey method ssl

anyconnect ask none default anyconnect

group-policy DfltGrpPolicy attributes

dns-server value 208.67.220.220 208.67.222.222

vpn-tunnel-protocol ssl-client

username Vxxxxx password ZyAw6vc2r45CIuoa encrypted

username Vxxxxx attributes

vpn-group-policy SSLVPN

vpn-tunnel-protocol ssl-client

username admin password 61Ltj5qI0f4Xy3Xwe26sgA== nt-encrypted privilege 15

username Sxxxxx password qvauk1QVzYCihs3c encrypted privilege 15

username Sxxxxx attributes

vpn-group-policy SSLVPN

vpn-tunnel-protocol ssl-client

tunnel-group SSLVPN type remote-access

tunnel-group SSLVPN general-attributes

address-pool (inside) SSLVPNpool

address-pool SSLVPNpool

default-group-policy SSLVPN

tunnel-group SSLVPN webvpn-attributes

group-alias SSLVPN_users enable

!

policy-map global-policy

class class-default

user-statistics accounting

!

service-policy global-policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:989735d558c9b1f3a3a8d7cca928c046

: end

----------------------------------------------------------------------------------------------------

Thanks again everyone.

Jennifer Halim · ‎09-19-2011

To access internal resources from the VPN, here is what needs to be configured for the NAT:

object network obj-SSL-pool

subnet 192.168.132.0 255.255.255.0

object network obj-inside-LAN

subnet 192.168.123.0 255.255.255.0

nat (inside,outside) source static obj-inside-LAN obj-inside-LAN destination static obj-SSL-pool obj-SSL-pool

I would also advise that you remove the following NAT statement:

nat (outside,inside) source dynamic any interface

If you would like all internet traffic from the VPN to be routed towards the tunnel, then here is the NAT config:

object network obj-SSL-internet

subnet 192.168.132.0 255.255.255.0

nat (outside,outside) dynamic interface

And lastly, you can't disable the default "DefaultWebVPNGroup" group policy. As long as when you log-in, you chose

SSLVPN_users tunnel group, that will apply the SSLVPN group-policy automatically as you have explicitly configured that.

Hope this helps.

View solution in original post

Jennifer Halim · ‎09-19-2011

To access internal resources from the VPN, here is what needs to be configured for the NAT:

object network obj-SSL-pool

subnet 192.168.132.0 255.255.255.0

object network obj-inside-LAN

subnet 192.168.123.0 255.255.255.0

nat (inside,outside) source static obj-inside-LAN obj-inside-LAN destination static obj-SSL-pool obj-SSL-pool

I would also advise that you remove the following NAT statement:

nat (outside,inside) source dynamic any interface

If you would like all internet traffic from the VPN to be routed towards the tunnel, then here is the NAT config:

object network obj-SSL-internet

subnet 192.168.132.0 255.255.255.0

nat (outside,outside) dynamic interface

And lastly, you can't disable the default "DefaultWebVPNGroup" group policy. As long as when you log-in, you chose

SSLVPN_users tunnel group, that will apply the SSLVPN group-policy automatically as you have explicitly configured that.

Hope this helps.

support · ‎09-19-2011

Thank you sooo much, this helped and I was able to connect and surf the web and when I did an IP lookup, it was my IP at home instead of my remote locatoin. What commands would I need to be able to access network resources? I assigned the VPN pool IPs of 192.168.132.x and my local IPs are 192.168.123.x... If I wanted to setup a traditional IPSec VPN utilizing Hairpinning, would I use the same commands you provided but modify them slightly?

Thanks again for your help, I really appreciate it.

Jennifer Halim · ‎09-20-2011

You should be able to access the internal network resources. Can you access it by IP Address? Can you ping those internal hosts in 192.168.123.x network?

And yes, for traditional IPSec VPN hairpin, the NAT command is the same, just change it with the specific subnet accordingly.