Pass traffic to AnyConnect Client

Daymo1209
Level 1

Hi,

I am getting used to the Cisco ASA devices and have successfully set up the SSL VPN, with split tunnels, in my demo environment.

I have one issue, which I am struggling to resolve though.

When an AnyConnect SSL VPN user connects to the client (using split tunnel) they are able to contact everything on the inside network as expected. All other traffic flows out of their internet connection. What I am now trying to achieve is being able to contact that client, using its IP address assigned by the SSL DHCP pool, from my inside network.

For example, a server on the inside network (192.168.1.1) can ping my client on the VPN (192.168.5.1).

Ultimately, I am trying to see if it is possible to port redirect to the client on the VPN, so a request comes in on port 5050 and is then sent to the client connected via AnyConnect. But before I get there, I need to try and get basic connectivity working.

Can anyone explain how this can be achieved? Preferably using ASDM, as I am still getting my head round the CLI.

Thanks!

2 Replies

Hello,

It is difficult to tell what you are missing without seeing your configuration. Try to get to the command line and post it...

Hi,

Please see below:


ASA Version 9.2(2)
!
hostname BUZZ-ASA-01
domain-name BUZZ.LOCAL
enable password
names
ip local pool BUZZ-IT-SSL-DHCP 192.168.5.1-192.168.5.30 mask 255.255.255.224
ip local pool BUZZ-RADIO-SSL-DHCP 192.168.5.32-192.168.5.62 mask 255.255.255.224
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
pppoe client vpdn group ISP
ip address pppoe setroute
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet0/2
description VoIP LAN
shutdown
nameif VoIP
security-level 100
ip address 192.168.101.250 255.255.255.0
!
interface GigabitEthernet0/3
description Guest Network
nameif Guest
security-level 10
ip address 192.168.0.254 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/8
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Guest
dns server-group DefaultDNS
name-server 192.168.100.1
domain-name BUZZ.LOCAL
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NAT-InsideNetwork
subnet 192.168.100.0 255.255.255.0
object network BUZZ-EX-01
host 192.168.100.2
object network BUZZ-COMMS-01
host 192.168.100.3
object network NAT-RDP-Redirection
host 192.168.100.3
description RDP to BUZZ-COMMS-01
object network DHCP-SSL-BUZZ-IT
subnet 192.168.5.0 255.255.255.224
description DHCP Range for Buzz IT Services
object network NAT-HTTPS
host 192.168.100.2
description HTTPS to BUZZ-EX-01
object service HTTP
service tcp destination eq www
description HTTP
object service RDP
service tcp destination eq 3389
description RDP TCP
object network NAT-Icecast
host 192.168.100.3
description 8000 to BUZZ-COMMS-01
object network NAT-HTTP
host 192.168.100.3
description 80 to BUZZ-COMMS-01
object network Inside-Network
object network Inside-Network-Range
subnet 192.168.100.0 255.255.255.0
object network DHCP-SSL-BUZZ-RADIO
subnet 192.168.5.32 255.255.255.224
description DHCP Range for Buzz Radio SSL VPN
object network BUZZ-DJ-01
host 192.168.100.63
description Buzz DJ Laptop 01
object network NAT-SBRequests
host 192.168.100.63
description 1221 to BUZZ-DJ-01
object service SB-Requests
service tcp destination eq 1221
description Requests for Sam Broadcaster
object network NAT-ExternalIP-Hairpin
host 212.159.100.197
object network AnyConnect-Profile-UDP
host 224.0.0.251
object network AnyConnect-Profile-UDP2
host 224.0.0.251
object-group service MSExchange
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service P2P-Applications
description SoulSeek & Vuze
service-object object SoulSeek-1
service-object object SoulSeek-2
service-object object VuzeTCP
service-object object VuzeUDP
object-group service BuzzRadio
service-object object IceCast
service-object object HTTP
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp6
service-object icmp echo
service-object icmp echo-reply
service-object icmp6 echo
service-object icmp6 echo-reply
access-list Outside_access_in extended permit object-group MSExchange any object BUZZ-EX-01
access-list Outside_access_in extended permit object RDP any object BUZZ-COMMS-01 inactive
access-list Outside_access_in extended permit object-group P2P-Applications any object BUZZ-COMMS-01
access-list Outside_access_in extended permit object-group BuzzRadio any object BUZZ-COMMS-01
access-list Outside_access_in extended permit object SB-Requests any object BUZZ-DJ-01
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list Outside_access_in extended deny ip any any
access-list Split-ACL remark Inside Interface
access-list Split-ACL standard permit 192.168.100.0 255.255.255.0
access-list Split-ACL standard permit 192.168.5.0 255.255.255.224
access-list Split-ACL standard permit 192.168.5.32 255.255.255.224
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 object AnyConnect-Profile-UDP eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 23
mtu Outside 1492
mtu Inside 1500
mtu VoIP 1500
mtu Guest 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static Inside-Network-Range Inside-Network-Range destination static DHCP-SSL-BUZZ-IT DHCP-SSL-BUZZ-IT no-proxy-arp route-lookup
nat (Inside,Outside) source static Inside-Network-Range Inside-Network-Range destination static DHCP-SSL-BUZZ-RADIO DHCP-SSL-BUZZ-RADIO no-proxy-arp route-lookup
nat (Inside,Inside) source dynamic any interface destination static NAT-ExternalIP-Hairpin BUZZ-COMMS-01
!
object network NAT-InsideNetwork
nat (any,Outside) dynamic interface
object network NAT-RDP-Redirection
nat (any,Outside) static interface service tcp 3389 1209
object network NAT-HTTPS
nat (any,Outside) static interface service tcp https https
object network NAT-HTTP
nat (any,Outside) static interface service tcp www www
object network NAT-SBRequests
nat (any,Outside) static interface service tcp 1221 1221
object network NAT-ExternalIP-Hairpin
nat (Inside,Outside) static BUZZ-COMMS-01
access-group Outside_access_in in interface Outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server BUZZ-LDAP(AD) protocol ldap
aaa-server BUZZ-LDAP(AD) (Inside) host 192.168.100.1
timeout 5
ldap-base-dn dc=buzz,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password
ldap-login-dn
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 4443
http 192.168.100.0 255.255.255.0 Inside
http 86.188.175.230 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate ca 33b51c38dd58d18f4bedcc3230b0ad4f

quit
telnet timeout 5
no ssh stricthostkeycheck
ssh 86.188.175.230 255.255.255.255 Outside
ssh 192.168.100.0 255.255.255.0 Inside
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group PlusNet request dialout pppoe
vpdn group PlusNet localname daimian2@plusdsl.net
vpdn group PlusNet ppp authentication chap
vpdn username daimian2@plusdsl.net password Kildare1209
dhcpd address 192.168.0.50-192.168.0.99 Guest
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
!
!
tls-proxy maximum-session 500
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
port 4444
enable Outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.3.02039-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy "GroupPolicy_Buzz Radio" internal
group-policy "GroupPolicy_Buzz Radio" attributes
wins-server none
dns-server value 192.168.100.1
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-ACL
default-domain value BUZZ.LOCAL
group-policy "GroupPolicy_Buzz IT Services" internal
group-policy "GroupPolicy_Buzz IT Services" attributes
wins-server none
dns-server value 192.168.100.1
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-ACL
default-domain value BUZZ.LOCAL
username server password encrypted privilege 15
tunnel-group "Buzz IT Services" type remote-access
tunnel-group "Buzz IT Services" general-attributes
address-pool BUZZ-IT-SSL-DHCP
authentication-server-group BUZZ-LDAP(AD)
default-group-policy "GroupPolicy_Buzz IT Services"
tunnel-group "Buzz IT Services" webvpn-attributes
authentication aaa certificate
group-alias "Buzz IT Services" enable
tunnel-group "Buzz Radio" type remote-access
tunnel-group "Buzz Radio" general-attributes
address-pool BUZZ-RADIO-SSL-DHCP
authentication-server-group BUZZ-LDAP(AD)
default-group-policy "GroupPolicy_Buzz Radio"
tunnel-group "Buzz Radio" webvpn-attributes
authentication certificate
group-alias "Buzz Radio" enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect rtsp
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
!
service-policy global_policy global
smtp-server 192.168.100.2
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:eef766a9773d3ef711fdda3c167fb971

I have removed some information which I didn't want to publish publicly. I will send it if needed though.

Thanks,
Daimian
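Two things in the posted config decide whether an inside host can reach a VPN client: the identity twice-NAT ("NAT exemption") rules for the pool, and the split-tunnel ACL that makes the client route inside traffic into the tunnel. The following script, added here as an example and not taken from the thread, parses those lines from an ASA config and reports any address pool that is missing either; the excerpt it runs on is constructed from the config above plus a hypothetical third pool (BUZZ-GUEST-SSL) that is deliberately uncovered.

```python
"""Check that each AnyConnect pool in an ASA config is NAT-exempt (identity
twice-NAT) and in the split-tunnel ACL, so inside hosts can reach clients."""
import ipaddress
import re

# Constructed excerpt of the posted config, plus a hypothetical third pool
# (BUZZ-GUEST-SSL) with no exemption and no split-ACL entry, to show a miss.
CONFIG = """
ip local pool BUZZ-IT-SSL-DHCP 192.168.5.1-192.168.5.30 mask 255.255.255.224
ip local pool BUZZ-RADIO-SSL-DHCP 192.168.5.32-192.168.5.62 mask 255.255.255.224
ip local pool BUZZ-GUEST-SSL 192.168.5.65-192.168.5.94 mask 255.255.255.224
object network DHCP-SSL-BUZZ-IT
subnet 192.168.5.0 255.255.255.224
object network DHCP-SSL-BUZZ-RADIO
subnet 192.168.5.32 255.255.255.224
object network Inside-Network-Range
subnet 192.168.100.0 255.255.255.0
nat (Inside,Outside) source static Inside-Network-Range Inside-Network-Range destination static DHCP-SSL-BUZZ-IT DHCP-SSL-BUZZ-IT no-proxy-arp route-lookup
nat (Inside,Outside) source static Inside-Network-Range Inside-Network-Range destination static DHCP-SSL-BUZZ-RADIO DHCP-SSL-BUZZ-RADIO no-proxy-arp route-lookup
access-list Split-ACL standard permit 192.168.100.0 255.255.255.0
access-list Split-ACL standard permit 192.168.5.0 255.255.255.224
access-list Split-ACL standard permit 192.168.5.32 255.255.255.224
"""

def parse(cfg):
    pools, objects, exempt, split, cur = {}, {}, set(), [], None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"object network (\S+)", line):
            cur = m[1]                      # the next 'subnet' line belongs to it
        elif m := re.match(r"subnet (\S+) (\S+)", line):
            objects[cur] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2", line):
            exempt.add(m[2])                # X->X / Y->Y is a NAT exemption for Y
        elif m := re.match(r"access-list Split-ACL standard permit (\S+) (\S+)", line):
            split.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    return pools, objects, exempt, split

def covered(lo, hi, nets):
    # True only if the whole pool range lo..hi sits inside one of the networks
    return any(lo in n and hi in n for n in nets)

def check_pools(cfg):
    pools, objects, exempt, split = parse(cfg)
    exempt_nets = [objects[o] for o in exempt if o in objects]
    return {name: {"nat_exempt": covered(lo, hi, exempt_nets),
                   "in_split_acl": covered(lo, hi, split)}
            for name, (lo, hi) in pools.items()}
```

Both pools from the posted config pass both checks, which narrows the search for the missing ping to places the config does not show, such as a host firewall on the VPN client.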