11-30-2012 09:55 AM - edited 02-21-2020 06:31 PM
Hello, everyone!
I am having a problem getting an iPad to pass traffic to more than one subnet through our ASA 5510. The local identity is restricted to the 192.168.10.0/24 subnet, and I need it to be 0.0.0.0 0.0.0.0 like it is on all the other clients. As a workaround, I am using the AnyConnect client, but we have a limited number of licenses. Below is my configuration:
!
hostname Firewall
domain-name domain.domain
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 123.123.123.123 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif FALLBACK
security-level 10
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa822-16-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name domain.domain
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DNS tcp-udp
port-object eq domain
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list acl-out extended permit a bunch of IP's and ports
access-list nonat extended permit ip any 172.16.6.0 255.255.255.0
access-list splittunnel standard permit 192.168.10.0 255.255.255.0
access-list splittunnel standard permit 192.168.10 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging list VPN message 113005
logging list VPN message 713049
logging list VPN message 716001
logging list VPN message 716002
logging buffer-size 32768
logging buffered VPN
logging trap VPN
logging asdm warnings
logging host inside 192.168.10.8
logging permit-hostdown
flow-export destination inside 192.168.10.8 2055
flow-export template timeout-rate 1
mtu outside 1500
mtu inside 1500
mtu FALLBACK 1500
ip local pool VPNPOOL 172.16.6.10-172.16.6.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-634-53.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.124 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map CISCOMAP
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPN Users,OU=Groups,OU=VPN,DC=domain,DC=domain" VPNACCESS
ldap attribute-map SSLVPNMAP
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPN Users,OU=Groups,OU=VPN,DC=domain,DC=domain" SSLVPN
ldap attribute-map tunneling_protocols
map-name msNPAllowDialin Tunneling-Protocols
map-value msNPAllowDialin "FALSE" 16
map-value msNPAllowDialin "TRUE" 36
dynamic-access-policy-record DfltAccessPolicy
aaa-server PDC protocol ldap
aaa-server PDC (inside) host PDC
server-port 636
ldap-base-dn DC=domain,DC=domain
ldap-scope subtree
ldap-naming-attribute samAccountName
ldap-login-password *****
ldap-login-dn CN=login,OU=Users,OU=Group,OU=Users,OU=VPN,DC=domain,DC=domain
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map CISCOMAP
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.10.18
key *****
aaa-server SSLPDC protocol ldap
aaa-server SSLPDC (inside) host PDC
server-port 636
ldap-base-dn DC=domain,DC=domain
ldap-scope subtree
ldap-naming-attribute samAccountName
ldap-login-password *****
ldap-login-dn CN=login,OU=Users,OU=Group,OU=Users,OU=VPN,DC=domain,DC=domain
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map SSLVPNMAP
aaa authentication enable console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
snmp-server host inside 192.168.10.8 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set remote esp-aes-256 esp-sha-hmac
crypto ipsec transform-set Intellys esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RemoteVPN 65535 set pfs
crypto dynamic-map RemoteVPN 65535 set transform-set remote
crypto map Remote 65535 ipsec-isakmp dynamic RemoteVPN
crypto map Remote interface outside
crypto ca trustpoint localtrust
enrollment self
fqdn host.domain.com
subject-name CN=host.domain.com
crl configure
crypto ca certificate chain localtrust
certificate c9ff1e4b
308201f3 3082015c a0030201 020204c9 ff1e4b30 0d06092a 864886f7 0d010104
0500303e 311a3018 06035504 03131176 706e2e6d 756c7469 76696577 2e636f6d
3120301e 06092a86 4886f70d 01090216 1176706e 2e6d756c 74697669 65772e63
6f6d301e 170d3039 31323039 30313339 32315a17 0d313931 32303730 31333932
315a303e 311a3018 06035504 03131176 706e2e6d 756c7469 76696577 2e636f6d
3120301e 06092a86 4886f70d 01090216 1176706e 2e6d756c 74697669 65772e63
6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100bd
8dcc45c2 a12391f5 4e2b24ba 30ed3020 af854c59 3ba8ed64 efbc6e07 5d294a03
7457ecad bfa92962 03bb821f 44e53f63 5471b19e ee6beef2 5579c4c7 53bbeaa8
a706ffdf 21792a11 ff27cf89 1e59e661 9f2ce729 76d7ca48 7f73d6bf f74007ef
92a36621 4e9523bb 43e52dc9 5afbf2f1 271854be 4c71779e 85bdbcc7 de07c102
03010001 300d0609 2a864886 f70d0101 04050003 818100b3 39fd4059 9c18ef2d
c13d6346 e807897b 9f1964e0 0a78f7ff 24715ef7 d3696231 8efdc7fa 244842ca
bdeda83e 67ba2979 92a58945 c60fb411 9376e94e eaa553a4 e24add67 de33410e
9125ddc5 f7689731 9490bf22 bf035598 73f67b94 469f1ef1 c575236f 4d15d60f
4174de27 e0366d65 75a5b746 ce0f2fd1 9848b720 6c0559
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 4.2.2.2
dhcpd ping_timeout 750
dhcpd domain domain.domain
!
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.0.1 source inside prefer
ssl trust-point localtrust outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
banner value Welcome to the Network
dns-server value 192.168.10.29
vpn-simultaneous-logins 750
vpn-tunnel-protocol svc
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value domain.domain
address-pools value VPNPOOL
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec
group-policy VPNACCESS internal
group-policy VPNACCESS attributes
banner value Welcome to the Network
dns-server value 192.168.10.29
vpn-simultaneous-logins 750
vpn-tunnel-protocol IPSec
re-xauth enable
pfs enable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value domain.domain
secure-unit-authentication enable
user-authentication enable
nem enable
address-pools value VPNPOOL
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
dns-server value 192.168.10.29
vpn-tunnel-protocol IPSec
ip-comp enable
re-xauth enable
pfs enable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value domain.domain
secure-unit-authentication enable
user-authentication enable
nem enable
address-pools value VPNPOOL
username admin password blahdeedeeblahblahblah
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
address-pool VPNPOOL
authentication-server-group PDC
default-group-policy NOACCESS
password-management
tunnel-group RemoteVPN ipsec-attributes
pre-shared-key *****
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool VPNPOOL
authentication-server-group SSLPDC
default-group-policy NOACCESS
password-management
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
class-map global_policy
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-any block-url-class
class-map NetFlow-traffic
match access-list netflow-hosts
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http block-url-policy
parameters
class block-url-class
drop-connection log
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sunrpc
inspect tftp
inspect xdmcp
inspect pptp
inspect ftp
inspect ip-options
inspect dns preset_dns_map
class NetFlow-traffic
flow-export event-type all destination 192.168.10.8
!
service-policy global_policy global
prompt hostname context
call-home
Cryptochecksum:f8ffec8272c98e8b310126ec4071388c
: end
Thanks!
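The group policies above all use split-tunnel-policy tunnelspecified with the splittunnel ACL, and on an ASA that policy only routes the ACL's permitted networks into the tunnel; everything else stays on the client's local interface. When one client reaches only one subnet, the first things to check are what that ACL actually contains and which destinations it covers. The following is an added example written for this thread, not code from the original post or from Cisco: a small offline linter that reads the split-tunnel lines as pasted (the SAMPLE_CONFIG string is a constructed excerpt of the configuration above, copied verbatim including the second splittunnel entry with its three-octet network field), parses the standard ACL, rejects entries that are not valid network/mask pairs, and reports whether given inside addresses would be tunneled. All function names are the example's own.

```python
import ipaddress
import re

# Constructed sample input: the ACL and group-policy lines copied from the
# posted configuration (the second splittunnel entry is reproduced verbatim,
# with its three-octet network field).
SAMPLE_CONFIG = """\
access-list nonat extended permit ip any 172.16.6.0 255.255.255.0
access-list splittunnel standard permit 192.168.10.0 255.255.255.0
access-list splittunnel standard permit 192.168.10 255.255.255.0
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
"""

# access-list NAME standard permit|deny (any | host A.B.C.D | A.B.C.D MASK)
STD_ACE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+standard\s+(?P<action>permit|deny)\s+(?P<rest>.+?)\s*$"
)


def parse_standard_acl(config_text, acl_name):
    """Collect the permitted networks of one standard ACL.

    Returns (networks, problems): networks is a list of IPv4Network objects in
    configuration order; problems lists entries that do not parse as a valid
    network/mask pair (a real ASA would not accept such a line, but it can
    show up in hand-edited or anonymised copies of a config).
    """
    networks, problems = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = STD_ACE.match(raw.strip())
        if not m or m.group("name") != acl_name:
            continue
        tokens = m.group("rest").split()
        try:
            if tokens == ["any"]:
                net = ipaddress.IPv4Network("0.0.0.0/0")
            elif len(tokens) == 2 and tokens[0] == "host":
                net = ipaddress.IPv4Network((tokens[1], "255.255.255.255"))
            elif len(tokens) == 2:
                # strict=True also rejects host bits set under the mask
                net = ipaddress.IPv4Network((tokens[0], tokens[1]), strict=True)
            else:
                raise ValueError("unrecognised address form")
        except ValueError as exc:
            problems.append(f"line {lineno}: {raw.strip()!r}: {exc}")
            continue
        if m.group("action") == "permit":
            networks.append(net)
    return networks, problems


def split_tunnel_policy(config_text, group_policy):
    """Return (policy, acl_name) from a group-policy's attributes block."""
    policy, acl, in_block = None, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("group-policy "):
            in_block = line == f"group-policy {group_policy} attributes"
            continue
        if not in_block:
            continue
        if line.startswith("split-tunnel-policy "):
            policy = line.split()[1]
        elif line.startswith("split-tunnel-network-list value "):
            acl = line.split()[-1]
    return policy, acl


def effective_tunnel_networks(policy, acl_networks):
    """Networks a client routes into the tunnel under a split-tunnel policy.

    tunnelspecified sends only the ACL networks; tunnelall sends everything.
    excludespecified is approximated here as the default route, because the
    excluded networks are subtracted on the client side.
    """
    if policy == "tunnelspecified":
        return list(acl_networks)
    return [ipaddress.IPv4Network("0.0.0.0/0")]


def routes_via_tunnel(tunnel_networks, destination):
    """True if the destination address falls inside any tunneled network."""
    dst = ipaddress.IPv4Address(destination)
    return any(dst in net for net in tunnel_networks)


def check_config(config_text, group_policy, destinations):
    """Lint one group-policy's split tunnel and report per-destination coverage."""
    policy, acl = split_tunnel_policy(config_text, group_policy)
    networks, problems = parse_standard_acl(config_text, acl) if acl else ([], [])
    tunneled = effective_tunnel_networks(policy, networks)
    return {
        "policy": policy,
        "acl": acl,
        "networks": [str(n) for n in networks],
        "problems": problems,
        "coverage": {d: routes_via_tunnel(tunneled, d) for d in destinations},
    }


if __name__ == "__main__":
    report = check_config(SAMPLE_CONFIG, "RemoteVPN",
                          ["192.168.10.29", "192.168.0.5", "8.8.8.8"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the pasted excerpt, the report lists 192.168.10.0/24 as the only valid tunneled network, flags the three-octet entry as unparseable, and shows that an address on the inside interface's own 192.168.0.0/24 subnet is not covered. Switching the policy argument to tunnelall makes every destination tunneled, which is the 0.0.0.0 0.0.0.0 behaviour the question describes wanting for the iPad.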
11-30-2012 03:40 PM
Hello,
What tunnel-group are you using to connect (using the remote IPsec client)?
After answering that question, share the following:
show run tunnel-group xx (the one you use to answer)
show run group-policy xxxx (the default one used by your tunnel group)
Regards,