06-05-2012 10:19 AM
Having a problem pinging across a site-to-site. Any ideas would be appreciated.
Anyconnect Client ---- ASA5505 ---- Internet(ipsec tunnel) ---- ASA5510 ---- LAN
Directly connected ---^
From a client PC with AnyConnect I can ping ASA5505, ASA5510, Servers & Clients on the remote LAN. So the tunnel is working and passing traffic.
From a client PC connected directly to the ASA5505 I can ping ASA5505, ASA5510, Servers & Clients on the remote LAN.
From the ASA5505 I can only ping locally attached devices. I cannot ping AnyConnect clients or anything through the tunnel.
From the ASA5510 I can only ping devices on the LAN.
From a PC on the LAN I can ping devices connected directly and via AnyConnect to the ASA5505, again showing the tunnel works.
Removing "access-list outside_access_in extended deny icmp any any" on the ASA5510 does not fix the problem
ASA5505 ACL
access-list inside_out_outside extended permit ip any any
access-list outside_in_inside extended permit icmp any any
access-list CORVID-Split-Tunnel standard permit 10.100.0.0 255.255.0.0
access-list CORVID-Split-Tunnel standard permit 10.10.0.0 255.255.0.0
access-list INSIDE_NAT0_OUTBOUND extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
access-list INSIDE_NAT0_OUTBOUND extended permit ip any 10.100.0.0 255.255.0.0
access-list OUTSIDE_1_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
ASA5510 ACL
access-list nonat extended permit ip any 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list nonat extended permit ip 10.100.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq smtp
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq https
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host SonomaBullsEye eq https inactive
access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq https
access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq https
access-list outside_access_in remark HTTP for TeamWeb
access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq www
access-list outside_access_in remark HTTPS for TeamWeb
access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq https
access-list outside_access_in extended permit icmp host 10.100.0.1 any
access-list outside_access_in extended deny icmp any any
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq smtp
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host Sonoma eq https inactive
access-list outside_access_in_1 extended permit tcp any host PMEUPDATE-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq ssh inactive
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq https
access-list outside_access_in_1 remark FTPS
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT object-group DM_INLINE_TCP_1
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT range 60200 60400
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host OSCODA-EXT-OUT object-group SQLTEST_TCP inactive
access-list outside_access_in_1 extended permit udp any host OSCODA-EXT-OUT object-group SQLTEST inactive
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq https
access-list outside_access_in_1 extended deny icmp any any
access-list inside_access_out extended permit ip any any log
06-05-2012 10:34 AM
This is by design. If you want to ping the inside interface of the peer, try "management-access inside" on both ASAs.
Hope this helps.
Sent from Cisco Technical Support iPhone App
06-05-2012 11:16 AM
This is already there. Not being able to ping is not that much of an issue. What I am really trying to do is allow AnyConnect clients on the ASA5505 to authenticate using the RADIUS server located on the LAN (inside the ASA5510).
Currently a client PC behind the ASA5505 can authenticate to the DC behind the ASA5510. I just cannot seem to connect to the DC from the ASA5505.
06-05-2012 11:41 AM
"What I am really trying to do is allow AnyConnect clients on the ASA5505 to authenticate using the RADIUS server located on the LAN (inside the ASA5510)."
You need to have an entry in the crypto ACL like the one shown below, and a no-nat between the 5505 and 5510 tunnel.
access-list 100 permit ip host
Let me know if this helps.
thanks
06-05-2012 12:12 PM
Added the following
ASA5505
access-list OUTSIDE_1_CRYPTO extended permit ip host 207.xxx.xxx.xxx host HOMESTEAD
access-list INSIDE_NAT0_OUTBOUND extended permit ip host 207.xxx.xxx.xxx host HOMESTEAD
ASA5510
access-list nonat extended permit ip host 204.xxx.xxx.xxx 10.100.0.0 255.255.0.0
LEGEND
204.xxx.xxx.xxx is the outside of the ASA5510
207.xxx.xxx.xxx is the outside of the ASA5505
HOMESTEAD is 10.10.2.1 behind the ASA5510
Adding these did not work.
Let me know and I will post the whole configs.
06-05-2012 12:57 PM
Since the traffic is initiated from the outside interface, it must be no-nat to outside:
access-list OUTSIDE_NAT0_OUTBOUND extended permit ip host 207.xxx.xxx.xxx host HOMESTEAD
nat (outside) access-list OUTSIDE_NAT0_OUTBOUND
Let me know if this helps.
thanks
06-05-2012 01:10 PM
Please also make sure, from the 5510 side, to include in the crypto ACL the outside interface (i.e. the 5505 outside interface) address as interesting traffic to the RADIUS server as well.
Please update me
thanks
Rizwan Rafeek
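The two replies above reduce to one check: the ASA-sourced RADIUS packet (source = the interface the aaa-server is bound to, destination = HOMESTEAD) must match the 5505 crypto ACL, the 5505 NAT exemption for that interface, and the 5510 nonat for the return traffic. The script below is an added example, not from the thread or from Cisco; it parses the ACL lines the thread shows and runs that check for an inside-sourced and an outside-sourced request. The masked 207.xxx / 204.xxx outside addresses are replaced by constructed documentation-range placeholders, and the `names` aliases are resolved inline.

```python
"""Check ASA-sourced RADIUS traffic against crypto and NAT-exemption ACLs.

Added example for the thread above.  ACL lines are copied from the posts
(8.2-style syntax); NH-LAN and HOMESTEAD are resolved from the 'names' table.
"""
import ipaddress

ASA5505_OUTSIDE = "203.0.113.10"   # constructed placeholder for 207.xxx.xxx.xxx
ASA5505_INSIDE = "10.100.0.1"      # Vlan1 address from the 5505 config
ASA5510_OUTSIDE = "198.51.100.98"  # constructed placeholder for 204.xxx.xxx.xxx
HOMESTEAD = "10.10.2.1"            # RADIUS server behind the ASA5510

NAMES = {"NH-LAN": "10.10.0.0", "HOMESTEAD": HOMESTEAD}

# 5505: original entries plus the host/host lines the poster and Rizwan added.
ASA5505_ACLS = f"""
access-list INSIDE_NAT0_OUTBOUND extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
access-list INSIDE_NAT0_OUTBOUND extended permit ip any 10.100.0.0 255.255.0.0
access-list OUTSIDE_1_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
access-list OUTSIDE_1_CRYPTO extended permit ip host {ASA5505_OUTSIDE} host HOMESTEAD
access-list OUTSIDE_NAT0_OUTBOUND extended permit ip host {ASA5505_OUTSIDE} host HOMESTEAD
"""

# 5510: the nonat entries relevant to the tunnel, including the one the poster added.
ASA5510_ACLS = f"""
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list nonat extended permit ip 10.100.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip host {ASA5510_OUTSIDE} 10.100.0.0 255.255.0.0
"""


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(NAMES.get(tokens[i + 1], tokens[i + 1])), i + 2
    addr = NAMES.get(tok, tok)                      # "A.B.C.D MASK" form
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue  # standard ACLs and remarks play no part in tunnel selection
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append((action, proto, src, dst))
    return acls


def permits(acls, name, src_ip, dst_ip, proto="udp"):
    """ASA first-match semantics: True only if the first matching entry permits."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst in acls.get(name, []):
        if p in ("ip", proto) and s in src and d in dst:
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def radius_path_ok(src_ip, crypto_acl, nat0_acl):
    """Run the three checks the thread raises for RADIUS from src_ip to HOMESTEAD:
    1. the 5505 crypto ACL classifies it as interesting traffic,
    2. the 5505 NAT exemption for the sourcing interface exempts it,
    3. the 5510 nonat exempts the return traffic HOMESTEAD -> src_ip.
    """
    a5505, a5510 = parse_acl(ASA5505_ACLS), parse_acl(ASA5510_ACLS)
    return {
        "5505_crypto": permits(a5505, crypto_acl, src_ip, HOMESTEAD),
        "5505_nat0": permits(a5505, nat0_acl, src_ip, HOMESTEAD),
        "5510_nonat_return": permits(a5510, "nonat", HOMESTEAD, src_ip),
    }


if __name__ == "__main__":
    cases = (("inside-sourced", ASA5505_INSIDE, "INSIDE_NAT0_OUTBOUND"),
             ("outside-sourced", ASA5505_OUTSIDE, "OUTSIDE_NAT0_OUTBOUND"))
    for label, src, nat0 in cases:
        print(label, radius_path_ok(src, "OUTSIDE_1_CRYPTO", nat0))
```

With these lines the inside-sourced request passes all three checks, while the outside-sourced one fails only the 5510 return check: the nonat entry the poster added (host 204.x to 10.100.0.0/16) never matches traffic returning to the 5505's 207.x outside address, which is the gap Rizwan's last reply describes.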
06-05-2012 01:43 PM
Before adding the remainder of the ACLs I did run the test.
test aaa-server authentication PMRADIUS host Homestead
Username: jwright
Password: ********
INFO: Attempting Authentication test to IP address
INFO: Authentication Successful
aaa-server PMRADIUS protocol radius
aaa-server PMRADIUS (inside) host HOMESTEAD
key *****
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group PMRADIUS
Even though it authenticates successfully during the test, when I try from the AnyConnect client I receive "AnyConnect is not enabled on this VPN server". AnyConnect works fine with local usernames until authentication-server-group is set.
06-05-2012 06:43 PM
Please post your current running config; please remove security-related info from the config.
thanks
06-06-2012 06:42 AM
Please change your authentication method as shown below for AnyConnect clients.
aaa-server PMRADIUS protocol radius
aaa-server PMRADIUS host HOMESTEAD
key my-shared-key
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group (outside) HOMESTEAD
tunnel-group YOUR-TUNNEL-GROUP-NAME general-attributes
authentication-server-group HOMESTEAD
Let me know if this helps.
thanks
Message was edited by: Rizwan Mohamed
06-05-2012 10:34 AM
Please post a diagram. Your description is not so clear.
06-05-2012 11:10 AM
06-06-2012 08:05 AM
Note: If I VPN into the ASA5510 RADIUS works perfectly.
ASA5505
CORVID-WC# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname CORVID-WC
domain-name ***.local
enable password *** encrypted
passwd ptI.utjee51tvD/G encrypted
names
name 204.***.***.*** NewHudson
name 10.10.0.0 NH-LAN
name 10.10.2.1 HOMESTEAD
!
interface Ethernet0/0
description CORVID-WC *WAN* (Physical Interface)
switchport access vlan 2
!
interface Ethernet0/1
description CORVID-WC *LAN* (Physical Interface)
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description CORVID-WC *LAN* Interface
nameif inside
security-level 100
ip address 10.100.0.1 255.255.0.0
!
interface Vlan2
description CORVID-WC *WAN* Interface
nameif outside
security-level 0
ip address 207.***.***.*** 255.255.255.248
!
ftp mode passive
clock timezone MST -5
clock summer-time MST recurring
dns server-group DefaultDNS
domain-name pme.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_out_outside extended permit ip any any
access-list outside_in_inside extended permit icmp any any
access-list CORVID-Split-Tunnel standard permit 10.100.0.0 255.255.0.0
access-list CORVID-Split-Tunnel standard permit NH-LAN 255.255.0.0
access-list INSIDE_NAT0_OUTBOUND extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
access-list INSIDE_NAT0_OUTBOUND extended permit ip any 10.100.0.0 255.255.0.0
access-list OUTSIDE_1_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
pager lines 24
logging enable
logging monitor warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool CORVID-WC-VPNPOOL 10.101.0.10-10.101.0.60 mask 255.255.0.0
ip local pool GENERAL-WC-SSL 10.100.0.101-10.100.0.120 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_NAT0_OUTBOUND
nat (inside) 1 10.100.0.0 255.255.0.0
access-group inside_out_outside in interface inside
access-group outside_in_inside in interface outside
route outside 0.0.0.0 0.0.0.0 207.148.209.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server PMERADIUS protocol radius
aaa-server PMERADIUS (inside) host HOMESTEAD
key *****
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.100.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RTPSET esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CORVID-NH 1 match address OUTSIDE_1_CRYPTO
crypto map CORVID-NH 1 set peer NewHudson
crypto map CORVID-NH 1 set transform-set RTPSET
crypto map CORVID-NH interface outside
crypto ca trustpoint ***.***.com
enrollment terminal
fqdn ***.***.com
subject-name ***REMOVED
keypair ***.com
crl configure
crypto ca certificate chain
***REMOVED
quit
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 204.***.***.*** 255.255.255.224 outside
ssh 207.***.***.*** 255.255.255.248 outside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 204.235.61.9 source outside
ssl trust-point ***.***.com outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc enable
group-policy CORVID-WC-SSL internal
group-policy CORVID-WC-SSL attributes
dns-server value 10.10.2.1
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CORVID-Split-Tunnel
default-domain value ***.local
webvpn
url-list none
svc ask enable
username testuser password *** encrypted privilege 0
username testuser attributes
vpn-group-policy CORVID-WC-SSL
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool GENERAL-WC-SSL
authentication-server-group (inside) PMERADIUS
tunnel-group CORVID-WC-SSL type remote-access
tunnel-group CORVID-WC-SSL general-attributes
address-pool CORVID-WC-VPNPOOL
authentication-server-group PMERADIUS
default-group-policy CORVID-WC-SSL
tunnel-group 204.***.***.*** type ipsec-l2l
tunnel-group 204.***.***.*** ipsec-attributes
pre-shared-key *****
!
!
!
policy-map global_policy
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e17c7854f2937aaaa50c70e6d0683d2d
: end
ASA5510
ciscoasa# sh run
: Saved
:
ASA Version 8.2(1)11
!
hostname ciscoasa
domain-name pme.local
enable password *** encrypted
passwd *** encrypted
names
name 204.***.***.107 Sonoma description OLD MAIL SERVER
name 207.***.***.19 SonomaBullsEye description OLD MAIL SERVER
name 10.10.2.6 DAYTONA-INT
name 10.10.2.62 SEBRING-INT
name 10.10.2.4 AUTHENTICA-INT
name 10.10.2.11 MIDOHIO-INT
name 10.10.2.15 PMEUPDATE-INT
name 10.10.2.25 FILETRANSFER-INT
name 10.10.2.22 FTP-INT
name 10.10.2.1 HOMESTEAD-INT
name 204.***.***.102 DAYTONA-EXT-OUT description CAS Server
name 204.***.***.109 FILETRANSFER-EXT-OUT description Secure File Transfer
name 204.***.***.105 FTP-EXT-OUT description FTPS
name 204.***.***.103 AUTHENTICA-EXT-OUT description Secure PDF
name 204.***.***.106 OSCODA-EXT-OUT description SQL Testing
name 204.***.***.104 ALEXSYS123-EXT-OUT description MidOhio
name 204.***.***.108 PMEUPDATE-EXT-OUT description NC Update server
name 207.***.***.21 FILETRANSFER-EXT-BAK
name 207.***.***.133 DAYTONA-EXT-BAK
name 207.***.***.134 AUTHENTICA-EXT-BAK
name 207.***.***.18 ALEXSYS-EXT-BAK description MIS
!
interface Ethernet0/0
nameif backup
security-level 1
ip address 207.***.***.*** 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.0.0
!
interface Ethernet0/2
shutdown
nameif outside2
security-level 0
no ip address
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 204.***.***.*** 255.255.255.224
!
interface Management0/0
nameif management
security-level 100
ip address 172.17.0.199 255.255.255.0
management-only
!
banner motd **************************** NOTICE ******************************
banner motd * Unauthorized access to this network device is FORBIDDEN! *
banner motd * All connection attempts and sessions are logged and AUDITED! *
banner motd ******************************************************************
banner motd **************************** NOTICE ******************************
banner motd * Unauthorized access to this network device is FORBIDDEN! *
banner motd * All connection attempts and sessions are logged and AUDITED! *
banner motd ******************************************************************
boot system disk0:/asa821-11-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside2
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
name-server HOMESTEAD-INT
name-server SEBRING-INT
domain-name ***.local
same-security-traffic permit intra-interface
object-group service SQLTEST udp
description SQLTEST for VES
port-object eq 1434
object-group service SQLTEST_TCP tcp
description SQLTEST For VES
port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list nonat extended permit ip any 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list nonat extended permit ip 10.100.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip host 204.***.***.98 10.100.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq smtp
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq https
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host SonomaBullsEye eq https inactive
access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq https
access-list outside_access_in extended permit udp any host 207.***.***.20 eq 1434
access-list outside_access_in extended permit tcp any host 207.***.***.20 eq 1433 inactive
access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq https
access-list outside_access_in remark HTTP for TeamWeb
access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq www
access-list outside_access_in remark HTTPS for TeamWeb
access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq https
access-list outside_access_in extended permit icmp host 10.100.0.1 any
access-list outside_access_in extended deny icmp any any
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 192.168.101.0 255.255.255.0
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq smtp
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host Sonoma eq https inactive
access-list outside_access_in_1 extended permit tcp any host PMEUPDATE-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq ssh inactive
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq https
access-list outside_access_in_1 remark FTPS
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT object-group DM_INLINE_TCP_1
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT range 60200 60400
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host OSCODA-EXT-OUT object-group SQLTEST_TCP inactive
access-list outside_access_in_1 extended permit udp any host OSCODA-EXT-OUT object-group SQLTEST inactive
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq https
access-list outside_access_in_1 extended deny icmp any any
access-list inside_access_out extended permit ip any any log
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging asdm notifications
logging from-address asa@***.com
logging recipient-address jwright@***.com level errors
logging host inside 10.10.2.12
logging permit-hostdown
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302012
no logging message 302017
no logging message 302016
mtu backup 1500
mtu inside 1500
mtu outside2 1500
mtu outside 1500
mtu management 1500
ip local pool IPSECVPN2 10.10.11.76-10.10.11.100
ip local pool SSLVPN 10.10.11.101-10.10.11.200 mask 255.255.0.0
ip local pool IPSECVPN 10.10.11.25-10.10.11.75
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (backup) 1 207.***.***.132
global (outside) 1 204.***.***.99 netmask 255.255.255.224
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.0.0 255.255.0.0
static (inside,outside) DAYTONA-EXT-OUT DAYTONA-INT netmask 255.255.255.255
static (inside,outside) AUTHENTICA-EXT-OUT AUTHENTICA-INT netmask 255.255.255.255
static (inside,outside) ALEXSYS123-EXT-OUT MIDOHIO-INT netmask 255.255.255.255
static (inside,outside) PMEUPDATE-EXT-OUT PMEUPDATE-INT netmask 255.255.255.255
static (inside,outside) FILETRANSFER-EXT-OUT FILETRANSFER-INT netmask 255.255.255.255
static (inside,outside) FTP-EXT-OUT FTP-INT netmask 255.255.255.255
static (inside,backup) FILETRANSFER-EXT-BAK FILETRANSFER-INT netmask 255.255.255.255
static (inside,backup) DAYTONA-EXT-BAK DAYTONA-INT netmask 255.255.255.255
static (inside,backup) AUTHENTICA-EXT-BAK AUTHENTICA-INT netmask 255.255.255.255
static (inside,backup) ALEXSYS-EXT-BAK MIDOHIO-INT netmask 255.255.255.255
access-group outside_access_in in interface backup
access-group inside_access_out in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 204.***.***.97 1 track 1
route backup 0.0.0.0 0.0.0.0 207.***.***.129 254
route backup 62.109.192.0 255.255.240.0 207.***.***.129 1
route backup 64.68.96.0 255.255.224.0 207.***.***.129 1
route backup 66.114.160.0 255.255.240.0 207.***.***.129 1
route backup 66.163.32.0 255.255.240.0 207.***.***.129 1
route backup 209.197.192.0 255.255.224.0 207.***.***.129 1
route backup 210.4.192.0 255.255.240.0 207.***.***.129 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
http-proxy enable
aaa-server PMERADIUS protocol radius
aaa-server PMERADIUS (inside) host HOMESTEAD-INT
key ******
radius-common-pw ******
aaa authentication ssh console LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
http 172.17.0.0 255.255.255.0 management
http redirect backup 80
http redirect outside 80
snmp-server location Server Room
snmp-server contact Jay Wright
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 216.***.***.*** interface outside
timeout 3000
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set PM1 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set pfs group1
crypto dynamic-map dyn1 1 set transform-set PM1
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map cryptomap1 1 ipsec-isakmp dynamic dyn1
crypto map cryptomap1 interface backup
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ***.***.com
enrollment terminal
fqdn ***.***.com
subject-name ***
keypair ***.***.com
crl configure
crypto ca certificate chain vpn.prattmiller.com
certificate 041200616c79f4
30820577 3082045f a0030201 02020704 1200616c 79f4300d 06092a86 4886f70d
quit
certificate ca 0301
308204de 308203c6 a0030201 02020203 01300d06 092a8648 86f70d01 01050500
quit
crypto isakmp identity address
crypto isakmp enable backup
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp nat-traversal 33
!
track 1 rtr 100 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 15
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.22.86.210 source backup prefer
ssl trust-point ***.***.com outside
ssl trust-point ***.***.com backup
ssl trust-point ***.***.com outside2
webvpn
enable backup
enable outside2
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 2
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 3
svc profiles AllowRemoteUsers disk0:/AnyConnectProfile.xml
svc enable
internal-password enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.10.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain none
group-policy DfltGrpPolicy attributes
dns-server value 10.10.2.1 10.10.2.62
vpn-idle-timeout 600
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value ***.local
webvpn
url-list value Book1
svc profiles value AllowRemoteUsers
svc ask enable default webvpn timeout 10
group-policy AnyConnect internal
group-policy AnyConnect attributes
vpn-tunnel-protocol webvpn
webvpn
svc ask enable default webvpn timeout 15
username jayw password *** encrypted privilege 15
username jwright password *** encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool (backup) IPSECVPN2
address-pool (outside2) IPSECVPN2
address-pool (outside) SSLVPN
address-pool SSLVPN
authentication-server-group PMERADIUS
tunnel-group pm_ipsec type remote-access
tunnel-group pm_ipsec general-attributes
address-pool IPSECVPN2
tunnel-group pm_ipsec ipsec-attributes
pre-shared-key *
tunnel-group prattmiller type remote-access
tunnel-group prattmiller general-attributes
address-pool IPSECVPN
tunnel-group prattmiller ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
class class-default
!
service-policy global_policy global
smtp-server 10.10.2.6
prompt hostname context
Cryptochecksum:d8428ae41569ebe5346837bda3723212
: end
06-06-2012 09:01 AM
Hi there,
Please check a couple of my posts above, which I did before you posted your full config.
thanks
06-06-2012 09:30 AM
I receive an error trying to enter it:
CORVID-WC(config-tunnel-general)# authentication-server-group (outside) HOMESTEAD
ERROR: aaa-server group HOMESTEAD does not exist
HOMESTEAD is a host, not a server group.
rizwanr74 wrote:
Please change your authentication method as shown below for AnyConnect clients.
aaa-server PMRADIUS protocol radius
aaa-server PMRADIUS host HOMESTEAD
key my-shared-key
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group (outside) HOMESTEAD
tunnel-group YOUR-TUNNEL-GROUP-NAME general-attributes
authentication-server-group HOMESTEAD
Let me know if this helps.
thanks