I can Ping FW inside interface but can not connect to remote resources

ahmedshaker
Level 1

Dear all,

I configured my ASA 5520 through ASDM to enable a VPN connection. I followed the Cisco steps and it works fine, and AnyConnect version 3.1 on Windows 8 (one day of troubleshooting for this point only) can connect and gets an IP address from the range, but I have something wrong in NAT, maybe because all the guides talk about the old ASDM (NAT Exempt) and I am confused about how to apply it in the new ASDM.

I can ping the inside interface from my laptop, which uses AnyConnect, but I cannot access anything else inside my network.

Please, anyone who has a solution, please describe it using ASDM. Thanks for the help.

This is my configuration:

interface GigabitEthernet0/1
 description
 nameif SRV_ZONE
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 description
 nameif TRUST_ZONE
 security-level 100
 ip address 172.17.200.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif MGMT
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!
dns server-group DefaultDNS
 domain-name xxx.xxx.xxx
object network obj-192.168.1.11
 host 192.168.1.11
object network obj-xxx.xxx.xxx.xxx
 host xxx.xxx.xxx.xxx
object service obj-tcp-source-eq-25
 service tcp source eq smtp
object network obj-192.168.1.12
 host 192.168.1.12
object network obj-xxx.xxx.xxx.xxx
 host xxx.xxx.xxx.xxx
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object service obj-tcp-eq-25
 service tcp destination eq smtp
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-172.17.8.8
 host 172.17.8.8
object network obj-172.17.0.0
 subnet 172.17.0.0 255.255.0.0
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj_any-03
 subnet 0.0.0.0 0.0.0.0
object network obj_any-04
 subnet 0.0.0.0 0.0.0.0
object network obj_any-05
 subnet 0.0.0.0 0.0.0.0
object network obj_any-06
 subnet 0.0.0.0 0.0.0.0
object network obj.172.17.8.115
 host 172.17.8.115
object network obj.xxx.xxx.xxx.xxx
 host xxx.xxx.xxx.xxx
object service http
 service tcp source eq www destination eq www
object network obj.xxx.xxx.xxx.xxx
 host xxx.xxx.xxx.xxx
object service https
 service tcp source eq https destination eq https
object service newservice
 service tcp source eq pop3 destination eq pop3
object network mail
 host 172.17.8.8
 description mail
object network 192.168.1.11
 host 192.168.1.11
 description smtp
object service smtpnew
 service tcp source eq 587 destination eq 587
object network VPN_RANGE
 description VPN ACCESS RANGE
object network VPN_PoOL
 subnet 172.17.16.0 255.255.255.0
 description vpn
object-group network DM_INLINE_NETWORK_1
 network-object host 192.168.1.11
 network-object host 192.168.1.12
object-group network Eighth_Floor
 network-object 172.17.8.0 255.255.255.0
object-group service WEB_SERVICES
 service-object tcp destination eq www
object-group network ENT_SERVERS
 network-object host 192.168.1.11
 network-object host 192.168.1.1
object-group network DM_INLINE_NETWORK_2
 network-object 172.17.200.0 255.255.255.0
 network-object 172.17.8.0 255.255.255.0
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group service web tcp
 port-object eq www
 port-object eq xxx
 port-object eq ftp
 port-object eq xxx
 port-object eq xxx
object-group service xxx_Web_and_Email
 service-object object http
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 172.17.0.0 255.255.0.0
access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list justice_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list xxx-VPN_splitTunnelAcl remark vpn
access-list xxx-VPN_splitTunnelAcl standard permit 172.17.16.0 255.255.255.0
access-list xxx-VPN_splitTunnelAcl standard permit any
access-list cap extended permit tcp any host xxx.xxx.xxx.xxx eq smtp log
access-list cap1 extended permit tcp host 192.168.1.11 any eq smtp
access-list SRV_ZONE_nat_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list SRV_ZONE_nat_outbound extended permit ip host 192.168.1.11 any
access-list TRUST_ZONE_access_in extended permit ip host 172.17.88.108 any
access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.10.3.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.10.50.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit ip 172.17.8.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit ip 172.17.200.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit ip 172.17.0.0 255.255.0.0 host 192.168.1.12
access-list TRUST_ZONE_cryptomap extended permit ip xxx.xxx.xxx.xxx 255.255.255.248 any
access-list outside_access_in extended permit tcp any host 192.168.1.11 eq smtp
access-list outside_access_in extended permit tcp any host 172.17.8.8 eq www
access-list outside_access_in extended permit tcp any host 192.168.1.12 object-group web
access-list outside_access_in extended permit tcp any host 172.17.8.8 eq pop3
access-list outside_access_in extended permit ip 172.17.16.0 255.255.255.0 any inactive
access-list vpn remark vpn
access-list vpn standard permit 172.17.16.0 255.255.255.0
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host TRUST_ZONE 172.17.8.100
mtu INT_ZONE 1500
mtu SRV_ZONE 1500
mtu TRUST_ZONE 1500
mtu MGMT 1500
ip local pool VPN_POOL 172.17.16.100-172.17.16.254 mask 255.255.255.0
ip verify reverse-path interface INT_ZONE
ip verify reverse-path interface SRV_ZONE
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any SRV_ZONE
icmp permit any TRUST_ZONE
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.11 obj-xxx.xxx.xxx.xxx service any obj-tcp-source-eq-25
nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.12 obj-xxx.xxx.xxx.xxx
nat (SRV_ZONE,INT_ZONE) source dynamic obj-192.168.1.0 interface service obj-tcp-eq-25 obj-tcp-eq-25
nat (INT_ZONE,SRV_ZONE) source static any any destination static 192.168.1.11 obj-172.17.8.8 service obj-tcp-source-eq-25 obj-tcp-source-eq-25
nat (TRUST_ZONE,INT_ZONE) source static VPN_PoOL VPN_PoOL destination static VPN_PoOL VPN_PoOL
!
object network obj_any
 nat (SRV_ZONE,INT_ZONE) dynamic obj-0.0.0.0
object network obj_any-01
 nat (SRV_ZONE,MGMT) dynamic obj-0.0.0.0
object network obj-172.17.8.8
 nat (TRUST_ZONE,INT_ZONE) static xxx.xxx.xxx.xxx service tcp www www
object network obj-172.17.0.0
 nat (TRUST_ZONE,SRV_ZONE) static 172.17.0.0
object network obj_any-02
 nat (TRUST_ZONE,INT_ZONE) dynamic interface
object network obj_any-03
 nat (TRUST_ZONE,SRV_ZONE) dynamic interface
object network obj_any-04
 nat (TRUST_ZONE,INT_ZONE) dynamic obj-0.0.0.0
object network obj_any-05
 nat (TRUST_ZONE,SRV_ZONE) dynamic obj-0.0.0.0
object network obj_any-06
 nat (TRUST_ZONE,MGMT) dynamic obj-0.0.0.0
object network obj.172.17.8.115
 nat (TRUST_ZONE,INT_ZONE) static obj.xxx.xxx.xxx.xxx service tcp www www
object network mail
 nat (TRUST_ZONE,INT_ZONE) static obj-xxx.xxx.xxx.xxx service tcp pop3 pop3
!
nat (TRUST_ZONE,INT_ZONE) after-auto source static obj-172.17.8.8 obj-xxx.xxx.xxx.xxx service https https
access-group outside_access_in in interface INT_ZONE
access-group DMZ_access_in in interface SRV_ZONE
access-group TRUST_ZONE_access_in in interface TRUST_ZONE
route INT_ZONE 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route TRUST_ZONE 10.10.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 10.11.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 10.12.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 10.13.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 172.17.0.0 255.255.0.0 172.17.200.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 172.17.8.0 255.255.255.0 TRUST_ZONE
http 172.17.8.155 255.255.255.255 TRUST_ZONE
http 172.17.8.45 255.255.255.255 TRUST_ZONE
http 10.10.10.2 255.255.255.255 MGMT
http 192.168.1.12 255.255.255.255 SRV_ZONE
http 0.0.0.0 0.0.0.0 INT_ZONE
http 172.17.200.0 255.255.255.0 TRUST_ZONE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map pol 1 match address TRUST_ZONE_cryptomap
crypto dynamic-map pol 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map INT_ZONE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map TRUST_ZONE_map0 1 ipsec-isakmp dynamic pol
crypto map TRUST_ZONE_map0 interface TRUST_ZONE
crypto map INT_ZONE_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INT_ZONE_map0 interface INT_ZONE
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn SEC-xxx-FW1
 subject-name CN=SEC-xxx-FW1
 no client-types
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=SEC-xxx-FW1
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    57f4e52e 6b851966 77515d62 c209a0df 1c32ce94 bb90cbce 497cfd04 6745ea85
    efb75f85 2ae1ad35 344d94ab 915e01ab d3292626 ac697a52 b4ed6632 d3ed2332 ae
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate e6054352
    c64f3661 30f14c3d 06b5f039 9f14560d 3b154fd1 42782268 7531689e 8e547d91
    85e88415 e326f653 74733a6c a3f5c935 f7e83f56 f6
  quit
crypto isakmp enable INT_ZONE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 INT_ZONE
ssh 172.17.8.0 255.255.255.0 TRUST_ZONE
ssh 10.10.10.2 255.255.255.255 MGMT
ssh timeout 5
console timeout 0
management-access TRUST_ZONE
vpn load-balancing
 interface lbpublic INT_ZONE
 interface lbprivate INT_ZONE
priority-queue INT_ZONE
  tx-ring-limit 256
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 INT_ZONE
webvpn
 enable INT_ZONE
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy xxx-VPN internal
group-policy xxx-VPN attributes
 dns-server value xx.xx.xx.xx xx.xx.xx.xx
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxx-VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy GPNEW internal
group-policy GPNEW attributes
 dns-server value 172.17.8.41
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value xxx.xxx.xxx
 address-pools value VPN_POOL
username VPNAM password xxx encrypted
username VPNAM attributes
 service-type remote-access
 vpn-group-policy xxx-VPN
tunnel-group xxx-VPN type remote-access
tunnel-group xxx-VPN general-attributes
 dhcp-server 172.17.8.41
tunnel-group xxx-VPN ipsec-attributes
 pre-shared-key *****
tunnel-group pol type ipsec-l2l
tunnel-group pol ipsec-attributes
 pre-shared-key *****
 trust-point ASDM_TrustPoint0
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 address-pool VPN_POOL
 default-group-policy GPNEW
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:78a941e3f509dec8f3570c60061eedaa
: end

2 Replies

ahmedshaker
Level 1

Please, I need an urgent answer if anyone has one.... Thanks.

ahmedshaker
Level 1

Thank God,

I solved the problem.

The problem was in NAT.

I created an object with the host IP address from the VPN pool and named it vpn,

then I did the NAT from inside to that host as in the following picture...

Trust zone is the inside zone;

vpn is the outside VPN host...

Thanks, and I hope it helps anyone else...
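The picture referred to above did not survive on this page, so here is an added example, not the poster's own rule, of what the 8.3-style NAT exemption for the AnyConnect pool looks like in CLI form. It reuses the object names from the posted configuration (obj-172.17.0.0 for the inside networks, VPN_PoOL for 172.17.16.0/24, TRUST_ZONE inside, INT_ZONE facing the VPN clients) and assumes the same ASDM-managed 8.3 image; in ASDM this is a manual NAT rule placed before the network-object rules.

```cisco
! Added example, not part of the posted configuration.
! Identity (twice) NAT: an inside host reaching a VPN client keeps its real
! address in both directions, so the object rule
!   nat (TRUST_ZONE,INT_ZONE) dynamic interface   (obj_any-02)
! no longer PATs that traffic to the outside interface address.
nat (TRUST_ZONE,INT_ZONE) source static obj-172.17.0.0 obj-172.17.0.0 destination static VPN_PoOL VPN_PoOL
!
! For comparison, the rule that was in the posted config:
!   nat (TRUST_ZONE,INT_ZONE) source static VPN_PoOL VPN_PoOL destination static VPN_PoOL VPN_PoOL
! matches only packets whose *source* on TRUST_ZONE is already a pool address,
! so inside hosts such as 172.17.8.8 never hit it and still get PATed.
!
! Manual NAT is evaluated top-down, so confirm the new rule sits above any
! broader (TRUST_ZONE,INT_ZONE) manual rule and shows a hit count:
show nat
!
! Trace an inside host replying to a pool address (172.17.16.100 is a
! constructed client address inside the posted pool range). The NAT phase
! should name the identity rule and the result should be ALLOW:
packet-tracer input TRUST_ZONE icmp 172.17.8.8 8 0 172.17.16.100 detailed
```

The ASA itself routes 172.17.0.0/16 toward 172.17.200.254, so the inside router also has to send 172.17.16.0/24 back to 172.17.200.1; if packet-tracer allows the flow but clients still get no replies, that return route is the next thing to check.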