
Remote Access VPN, no split tunneling, internet access..

KasperPBE
Level 1

Hi Community. I have been searching the forum for the topic and tried them all. Problem is I still can't get it to work, so I am asking for your help. I want to provide internet access from remote VPN, without having to enable split-tunnel. My debug says:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to NAT reverse path failure.

and 

packet-tracer input outside tcp 8.8.8.8 12345 192.168.0.254 80 detail

shows:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.254 using egress ifc identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.1 using egress ifc outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d6e889800, priority=1, domain=nat-per-session, deny=true
hits=21189, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d7dba7330, priority=0, domain=permit, deny=true
hits=1804, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

I hope you can help with any suggestions. My config is this:

ASA Version 9.8(4)
!
hostname asa
domain-name xxxx.eu
enable password xxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
name 216.239.35.8 time3.google.com
name 216.239.35.4 time2.google.com
no mac-address auto
ip local pool ANY-CONNECT 192.168.2.200-192.168.2.210 mask 255.255.255.0

!
interface GigabitEthernet0/0
description Outside
nameif outside
security-level 0
ip address 192.168.0.254 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ
nameif DMZ
security-level 50
ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif Management
security-level 100
ip address 192.168.3.30 255.255.255.0
!
boot system disk0:/asa984-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name xxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network IHC-Controller
host 192.168.2.5
object network Mustaine-01
host 192.168.2.12
object network Mustaine-02
host 192.168.2.12
object network Mustaine-03
host 192.168.2.12
object network Mustaine-04
host 192.168.2.12
object network Mustaine-05
host 192.168.2.12
object network Mustaine-06
host 192.168.2.12
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network Mustaine-07
host 192.168.2.12
object network Mustaine-08
host 192.168.2.12
object service FTP_PASV_PORT_RANGE
service tcp source range 20011 20020 destination range 20011 20020
object network kasperstoreSFTP1
host 192.168.2.51
object network kasperstoreSFTP2
host 192.168.2.51
object network kasperstoreSFTP3
host 192.168.2.51
object network kasperstoreSFTP4
host 192.168.2.51
object network kasperstoreSFTP5
host 192.168.2.51
object network kasperstoreSFTP6
host 192.168.2.51
object network kasperstoreSFTP7
host 192.168.2.51
object network kasperstoreSFTP8
host 192.168.2.51
object network kasperstoreSFTP9
host 192.168.2.51
object network kasperstoreSFTP10
host 192.168.2.51
object network kasperstoreFTP
host 192.168.2.51
object network Hikevision-cam1
host 192.168.2.60
object network obj-Mustaine
object network kasperstore-2
host 192.168.2.51
object network kasperstore-1
host 192.168.2.51
object network kasperstore-3
host 192.168.2.51
object network kasperstore-4
host 192.168.2.51
object network kasperstore-5
host 192.168.2.51
object network kasperstore-6
host 192.168.2.51
object network kasperstore-7
host 192.168.2.51
object network kasperstore-8
host 192.168.2.51
object network KasperPC-01
host 192.168.2.199
object network NETWORK_OBJ_192.168.2.192_27
subnet 192.168.2.192 255.255.255.224
object network KasperPC-02
host 192.168.2.199
object network OBJ-ANY-CONNECT
range 192.168.2.200 192.168.2.210
description VPN-pool
object network VPN-PAT
subnet 192.168.2.0 255.255.255.0
description kaspers pc
object network Outside-hosts
range 192.168.0.1 192.168.0.254
object network Inside-hosts
range 192.168.2.1 192.168.2.254
object network DMZ-hosts
range 172.16.2.1 172.16.2.254
object network Inside-hosts2
range 192.168.2.1 192.168.2.254
object service www-80
service tcp source eq www
object network VPN-HOSTS
subnet 192.168.2.0 255.255.255.0
object-group service IHC-Controller-tcp tcp
port-object eq 8080
object-group service kasperstore-tcp tcp
port-object eq 8000
port-object eq ssh
port-object eq ftp
port-object range 20001 20020
port-object range 20001 20030
port-object eq 8001
port-object eq rtsp
port-object eq 1884
port-object eq 8884
port-object eq 60000
port-object eq 20000
port-object eq 4433
port-object eq https
port-object range 9900 9908
object-group service Hikevision-tcp tcp
port-object eq 8808
object-group service mustaine-udp udp
description kaspers pc
port-object eq 64202
port-object eq 3389
port-object eq 1935
object-group service kasperstore-udp udp
object-group service mustaine-tcp tcp
description kaspers pc
port-object eq 3724
port-object eq 6112
port-object eq 23680
port-object eq 3389
port-object eq 1935
port-object eq 5938
object-group service outside-axcess-in-tcp tcp
group-object IHC-Controller-tcp
group-object kasperstore-tcp
group-object Hikevision-tcp
object-group service outside-axcess-in-udp udp
group-object mustaine-udp

access-list outside_access_in extended permit tcp any4 any4 object-group outside-axcess-in-tcp
access-list outside_access_in extended permit udp any4 any4 object-group outside-axcess-in-udp
access-list outside_access_in extended permit tcp host 212.130.69.130 any4 eq ssh
access-list outside_access_in extended permit tcp host 83.92.202.122 any4 eq ssh
access-list outside_access_in extended permit tcp host 212.130.69.130 any4 eq telnet
access-list outside_access_in extended permit tcp host 83.92.202.122 any4 eq telnet
access-list outside_access_in extended permit icmp object Outside-hosts object Inside-hosts
access-list outside_access_in extended permit tcp object OBJ-ANY-CONNECT eq www any
access-list outside_access_in extended permit tcp object OBJ-ANY-CONNECT eq www interface outside
access-list dmz_access_in extended permit tcp any4 any4 range 1 65535
access-list dmz_access_in extended permit udp any4 any4 range 1 65535
access-list dmz_access_in extended permit icmp object DMZ-hosts any
access-list internal-LAN standard permit 192.168.2.0 255.255.255.0
access-list Split-Tunnel-ACL standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging emblem
logging buffer-size 8000
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm debugging
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Management 1500
ip verify reverse-path interface outside
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.2.192_27 NETWORK_OBJ_192.168.2.192_27 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network IHC-Controller
nat (inside,outside) static interface service tcp 8080 8080
object network obj_any-01
nat (outside,outside) dynamic interface
object network obj_any-02
nat (DMZ,outside) dynamic interface
object network kasperstoreSFTP1
nat (inside,outside) static interface service tcp 20022 20022
object network kasperstoreSFTP2
nat (inside,outside) static interface service tcp 20023 20023
object network kasperstoreSFTP3
nat (inside,outside) static interface service tcp 20024 20024
object network kasperstoreSFTP4
nat (inside,outside) static interface service tcp 20025 20025
object network kasperstoreSFTP5
nat (inside,outside) static interface service tcp 20026 20026
object network kasperstoreSFTP6
nat (inside,outside) static interface service tcp 20027 20027
object network kasperstoreSFTP7
nat (inside,outside) static interface service tcp 20028 20028
object network kasperstoreSFTP8
nat (inside,outside) static interface service tcp 20029 20029
object network kasperstoreSFTP9
nat (inside,outside) static interface service tcp 20030 20030
object network kasperstoreFTP
nat (inside,outside) static interface service tcp 20021 20021
object network kasperstore-2
nat (inside,outside) static interface service tcp 8001 8001
object network kasperstore-1
nat (inside,outside) static interface service tcp 8000 8000
object network kasperstore-4
nat (inside,outside) static interface service tcp rtsp rtsp
object network kasperstore-5
nat (inside,outside) static interface service tcp 1884 1884
object network kasperstore-6
nat (inside,outside) static interface service tcp 8884 8884
object network kasperstore-7
nat (inside,outside) static interface service tcp 60000 60000
object network kasperstore-8
nat (inside,outside) static interface service tcp 20000 20000
object network KasperPC-01
nat (inside,outside) static interface service tcp 3389 3389
object network KasperPC-02
nat (inside,outside) static interface service tcp 5938 5938
!
nat (outside,outside) after-auto source dynamic VPN-HOSTS interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable 4443
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint SSL-Trustpoint
enrollment terminal
*******
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd lease 1036800
dhcpd auto_config outside
!
dhcpd address 192.168.2.211-192.168.2.250 inside
dhcpd dns 193.162.153.164 194.239.134.83 interface inside
dhcpd enable inside
!
dhcpd address 172.16.2.211-172.16.2.250 DMZ
dhcpd dns 193.162.153.164 194.239.134.83 interface DMZ
dhcpd enable DMZ
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server time2.google.com source outside prefer
ntp server time3.google.com source outside prefer
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 inside vpnlb-ip
webvpn
enable outside
enable inside
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.7.04056-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy webvpn internal
group-policy webvpn attributes
vpn-tunnel-protocol ssl-client ssl-clientless
group-policy GroupPolicy_ANY-CONNECT internal
group-policy GroupPolicy_ANY-CONNECT attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ssl-client
default-domain value xxxx.eu
dynamic-access-policy-record DfltAccessPolicy
username xxx password xxxx encrypted privilege 15
username yyyy password yyy/OMGV encrypted privilege 0
tunnel-group webvpn type remote-access
tunnel-group webvpn general-attributes
default-group-policy webvpn
tunnel-group webvpn webvpn-attributes
group-alias webvpn enable
group-url https://..../webvpn enable
group-url https://..../webvpn enable
tunnel-group ANY-CONNECT type remote-access
tunnel-group ANY-CONNECT general-attributes
address-pool ANY-CONNECT
default-group-policy GroupPolicy_ANY-CONNECT
tunnel-group ANY-CONNECT webvpn-attributes
group-alias ANY-CONNECT enable
!
class-map i
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ipsec-pass-thru
class class-default
user-statistics accounting
!
service-policy global_policy global
smtp-server 192.168.2.1
prompt hostname context

 

8 Replies

JP Miranda Z
Cisco Employee

Hi KasperPBE,

The packet tracer for traffic from the outside for VPN traffic is always going to show a drop since it can't simulate encrypted traffic; here is the config you need to get this working:

AnyConnect u-turn NAT:

object network OBJ-ANY-CONNECT
 nat (outside,outside) dynamic interface

Hope this info helps!!

Rate if helps you!!

-JP- 

Hi JP Miranda Z and thank you for taking your time to help me. I have added the small config you provided. Unfortunately I still don't have any internet connection through the VPN.

The debug says:

5 | Mar 20 2020 | 20:24:32 | 305013 | 192.168.2.200 | 62708 | 8.8.8.8 | 53 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.2.200/62708(LOCAL\kasper) dst outside:8.8.8.8/53 denied due to NAT reverse path failure

8.8.8.8 is DNS, but I guess you know :-)

Br. Kasper

I was checking the config again and actually you already had a u-turn NAT, so the NAT I suggested shouldn't make much of a difference. Now try the following:

1- Connect to the AnyConnect.

2- Do a show vpn-sessiondb anyconnect filter name <youruser>

3- Run a packet tracer from the outside using 8.8.8.8 but going to the AnyConnect client IP address:

packet-tracer input outside tcp 8.8.8.8 12345 192.168.2.x 80 detail --> replace the x with the last octet of the IP that you are getting on the show vpn-sessiondb anyconnect...

packet-tracer input outside tcp 8.8.8.8 12345 192.168.0.254 80 detail --> this is your old packet tracer, and 192.168.0.254 is not part of the subnet of your ip local pool, which means the packet tracer is not going to give us the right information.

Hope this info helps!!

Rate if helps you!!

-JP-

 

Seems like an access-list, but it doesn't tell me which. Any suggestions?

asa5525# sh vpn-sessiondb anyconnect filter name kasper

Session Type: AnyConnect

Username : kasper Index : 19668
Assigned IP : 192.168.2.200 Public IP : 80.62.116.71
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256
Bytes Tx : 15252 Bytes Rx : 24568
Group Policy : GroupPolicy_ANY-CONNECT
Tunnel Group : ANY-CONNECT
Login Time : 12:49:56 CEST Sat Mar 21 2020
Duration : 0h:00m:54s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a8020104cd40005e75ff64
Security Grp : none

asa5525# packet-tracer input outside tcp 8.8.8.8 12345 192.168.2.200 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.2.200 using egress ifc outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.1 using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff863c0c510, priority=11, domain=permit, deny=true
hits=7655, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

KasperPBE,

Can you run the following command:

sh run all sysopt

Even with the drop we should see the nat outside outside being used before the drop, and that doesn't seem to be happening.

Hope this info helps!!

Rate if helps you!!

-JP- 
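To make the check JP describes above repeatable (trace to the assigned client address, then confirm an (outside,outside) NAT phase precedes any drop), here is an added Python example; it is not code from the thread, from Cisco or from JP. It parses packet-tracer detail output and the 305013 message; the sample trace and message are the ones posted in this thread, abridged, and the function names are mine.

```python
"""Added example (not from the thread): parse ASA packet-tracer output and 305013 messages."""
import re
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    info: list = field(default_factory=list)   # next-hops, rule ids, interfaces

def parse_packet_tracer(text):
    """Split 'packet-tracer ... detail' output into its phases and the final Result block."""
    phases, final, current, in_result = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Config:", "Additional Information:"):
            continue
        key, _, value = line.partition(":")
        if key == "Phase":
            current = Phase(number=int(value))
            phases.append(current)
            in_result = False
        elif line == "Result:":                 # a bare 'Result:' opens the summary block
            in_result, current = True, None
        elif in_result:
            final[key.strip()] = value.strip()
        elif current is not None:
            if key in ("Type", "Subtype", "Result"):
                setattr(current, key.lower(), value.strip())
            else:
                current.info.append(line)       # free-form detail lines
    return phases, final

def diagnose(text):
    """Report where the flow dropped, whether a NAT rule fired before that, and the
    egress interfaces routing picked (both 'outside' for a u-turned VPN client)."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p.result == "DROP"), None)
    before_drop = phases[:phases.index(drop)] if drop else phases
    # 'per-session' is xlate bookkeeping, not an address translation rule
    nat_applied = any(p.type == "NAT" and p.subtype != "per-session" for p in before_drop)
    egress = [l.rsplit(" ", 1)[1] for p in phases if p.type == "ROUTE-LOOKUP"
              for l in p.info if "egress ifc" in l]
    return {
        "action": final.get("Action"),
        "drop_reason": final.get("Drop-reason"),
        "drop_phase": (drop.number, drop.type) if drop else None,
        "nat_applied_before_drop": nat_applied,
        "egress": egress,
    }

MSG_305013 = re.compile(
    r"Connection for (?P<proto>\w+) src (?P<src_ifc>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+)"
    r"(?:\([^)]*\))? dst (?P<dst_ifc>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?:\([^)]*\))? denied due to NAT reverse path failure")

def parse_305013(line):
    """Extract the 5-tuple from an asymmetric-NAT (305013) message. 'hairpin' is True
    when ingress and egress interface match: one (outside,outside) rule must then cover
    both the forward and the reverse lookup."""
    m = MSG_305013.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["hairpin"] = d["src_ifc"] == d["dst_ifc"]
    return d

# Sample input: the thread's second packet-tracer run (client address 192.168.2.200), abridged.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
found next-hop 192.168.2.200 using egress ifc outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
found next-hop 192.168.0.1 using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Implicit Rule
in id=0x7ff863c0c510, priority=11, domain=permit, deny=true

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Sample input: the 305013 message from the thread, re-joined into one line.
SAMPLE_SYSLOG = (r"Asymmetric NAT rules matched for forward and reverse flows; Connection for "
                 r"udp src outside:192.168.2.200/62708(LOCAL\kasper) dst outside:8.8.8.8/53 "
                 r"denied due to NAT reverse path failure")
```

Run `diagnose()` on the trace taken against the client's assigned address; a missing NAT phase before an ACCESS-LIST drop is exactly the symptom JP describes.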

Hi,

Here is the output:

asa5525# sh run all sysopt
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp inside
no sysopt noproxyarp DMZ
no sysopt noproxyarp Management

I will just put up the newest config, as it might have changed a bit since the first post. I was trying various things, adding and deleting in the former config. This is the current config:

ASA Version 9.8(4)
!
hostname asa5525
domain-name elsborg.eu
enable password 
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
name 216.239.35.8 time3.google.com
name 216.239.35.4 time2.google.com
no mac-address auto
ip local pool ANY-CONNECT 192.168.2.200-192.168.2.210 mask 255.255.255.0

!
interface GigabitEthernet0/0
description Outside
nameif outside
security-level 0
ip address 192.168.0.254 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ
nameif DMZ
security-level 50
ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif Management
security-level 100
ip address 192.168.3.30 255.255.255.0
!
boot system disk0:/asa984-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
name-server 193.162.153.164
name-server 194.239.134.83
domain-name elsborg.eu
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network IHC-Controller
host 192.168.2.5
object network Mustaine-01
host 192.168.2.12
object network Mustaine-02
host 192.168.2.12
object network Mustaine-03
host 192.168.2.12
object network Mustaine-04
host 192.168.2.12
object network Mustaine-05
host 192.168.2.12
object network Mustaine-06
host 192.168.2.12
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network Mustaine-07
host 192.168.2.12
object network Mustaine-08
host 192.168.2.12
object network Hikevision-cam1
host 192.168.2.60
object network obj-Mustaine
object network kasperstore-2
host 192.168.2.51
object network kasperstore-1
host 192.168.2.51
object network kasperstore-3
host 192.168.2.51
object network kasperstore-4
host 192.168.2.51
object network kasperstore-5
host 192.168.2.51
object network kasperstore-6
host 192.168.2.51
object network kasperstore-7
host 192.168.2.51
object network kasperstore-8
host 192.168.2.51
object network KasperPC-01
host 192.168.2.199
object network KasperWLC
host 192.168.2.12
object network NETWORK_OBJ_192.168.2.192_27
subnet 192.168.2.192 255.255.255.224
object network KasperPC-02
host 192.168.2.199
object network OBJ-ANY-CONNECT
range 192.168.2.200 192.168.2.210
description VPN-pool
object network VPN-PAT
subnet 192.168.2.0 255.255.255.0
description kaspers pc
object network Outside-hosts
range 192.168.0.1 192.168.0.254
object network Inside-hosts
range 192.168.2.1 192.168.2.254
object network DMZ-hosts
range 172.16.2.1 172.16.2.254
object network Inside-hosts2
range 192.168.2.1 192.168.2.254
object service www-80
service tcp source eq www
object network VPN-HOSTS
subnet 192.168.2.0 255.255.255.0
object network VPN-POOL
subnet 192.168.2.0 255.255.255.0
object-group service IHC-Controller-tcp tcp
port-object eq 8080
object-group service kasperstore-tcp tcp
port-object eq 8000
port-object eq ssh
port-object eq ftp
port-object eq 8001
port-object eq rtsp
port-object eq 1884
port-object eq 8884
port-object eq 60000
port-object eq 20000
port-object eq 4433
port-object eq https
port-object range 9900 9908
object-group service Hikevision-tcp tcp
port-object eq 8808
object-group service mustaine-udp udp
description kaspers pc
port-object eq 64202
port-object eq 3389
port-object eq 1935
object-group service kasperstore-udp udp
object-group service mustaine-tcp tcp
description kaspers pc
port-object eq 3724
port-object eq 6112
port-object eq 23680
port-object eq 3389
port-object eq 1935
port-object eq 5938
object-group service outside-axcess-in-tcp tcp
group-object IHC-Controller-tcp
group-object kasperstore-tcp
group-object Hikevision-tcp
group-object mustaine-tcp
object-group service outside-axcess-in-udp udp
group-object mustaine-udp
access-list outside_access_in extended permit tcp any4 any4 object-group outside-axcess-in-tcp
access-list outside_access_in extended permit udp any4 any4 object-group outside-axcess-in-udp
access-list outside_access_in extended permit tcp host 212.130.69.130 any4 eq ssh
access-list outside_access_in extended permit tcp host 83.92.202.122 any4 eq ssh
access-list outside_access_in extended permit tcp host 212.130.69.130 any4 eq telnet
access-list outside_access_in extended permit tcp host 83.92.202.122 any4 eq telnet
access-list outside_access_in extended permit icmp object Outside-hosts object Inside-hosts
access-list outside_access_in extended permit tcp object OBJ-ANY-CONNECT eq www any
access-list outside_access_in extended permit tcp object OBJ-ANY-CONNECT eq www interface outside
access-list dmz_access_in extended permit tcp any4 any4 range 1 65535
access-list dmz_access_in extended permit udp any4 any4 range 1 65535
access-list dmz_access_in extended permit icmp object DMZ-hosts any
access-list internal-LAN standard permit 192.168.2.0 255.255.255.0
access-list Split-Tunnel-ACL standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging emblem
logging buffer-size 8000
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm debugging
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Management 1500
ip verify reverse-path interface outside
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.2.192_27 NETWORK_OBJ_192.168.2.192_27 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network IHC-Controller
nat (inside,outside) static interface service tcp 8080 8080
object network obj_any-01
nat (outside,outside) dynamic interface
object network obj_any-02
nat (DMZ,outside) dynamic interface
object network kasperstore-2
nat (inside,outside) static interface service tcp 8001 8001
object network kasperstore-1
nat (inside,outside) static interface service tcp 8000 8000
object network kasperstore-4
nat (inside,outside) static interface service tcp rtsp rtsp
object network kasperstore-5
nat (inside,outside) static interface service tcp 1884 1884
object network kasperstore-6
nat (inside,outside) static interface service tcp 8884 8884
object network kasperstore-7
nat (inside,outside) static interface service tcp 60000 60000
object network kasperstore-8
nat (inside,outside) static interface service tcp 20000 20000
object network KasperPC-01
nat (inside,outside) static interface service tcp 3389 3389
object network KasperPC-02
nat (inside,outside) static interface service tcp 5938 5938
!
nat (outside,outside) after-auto source dynamic VPN-POOL interface
nat (outside,outside) after-auto source dynamic OBJ-ANY-CONNECT interface
access-group outside_access_in in interface outside
access-group dmz_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable 4443
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint SSL-Trustpoint
enrollment terminal
fqdn asaelsborg.eu
subject-name CN=asa5525.elsborg.eu O=Area51 C=Denmark St=CPH L=Greve
serial-number
keypair SSL-Keypair
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=www.elsborg.eu,CN=elsborg.eu
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=Kasper-ASA5550
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.2.1,CN=Kasper-ASA5500
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=192.168.2.1,CN=asa5525
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
certificate 41a9635e
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_1
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd lease 1036800
dhcpd auto_config outside
!
dhcpd address 192.168.2.211-192.168.2.250 inside
dhcpd dns 193.162.153.164 194.239.134.83 interface inside
dhcpd enable inside
!
dhcpd address 172.16.2.211-172.16.2.250 DMZ
dhcpd dns 193.162.153.164 194.239.134.83 interface DMZ
dhcpd enable DMZ
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server time2.google.com source outside prefer
ntp server time3.google.com source outside prefer
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 DMZ
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 inside vpnlb-ip
webvpn
enable outside
enable inside
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.7.04056-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy webvpn internal
group-policy webvpn attributes
vpn-tunnel-protocol ssl-client ssl-clientless
group-policy GroupPolicy_ANY-CONNECT internal
group-policy GroupPolicy_ANY-CONNECT attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ssl-client
default-domain value elsborg.eu
dynamic-access-policy-record DfltAccessPolicy
username kasper password xxxx encrypted privilege 15
tunnel-group webvpn type remote-access
tunnel-group webvpn general-attributes
default-group-policy webvpn
tunnel-group webvpn webvpn-attributes
group-alias webvpn enable
group-url https://80.162.61.63/webvpn enable
group-url https://93.161.28.136/webvpn enable
group-url https://80.166.168.32/webvpn enable
tunnel-group ANY-CONNECT type remote-access
tunnel-group ANY-CONNECT general-attributes
address-pool ANY-CONNECT
default-group-policy GroupPolicy_ANY-CONNECT
tunnel-group ANY-CONNECT webvpn-attributes
group-alias ANY-CONNECT enable
!
class-map i
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ipsec-pass-thru
class class-default
user-statistics accounting
!
service-policy global_policy global
smtp-server 192.168.2.1
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable

Hi,

Try this config:

object network INSIDE_SUBNET
 subnet 192.168.2.0 255.255.255.0
!
object network DMZ_SUBNET
 subnet 172.16.2.0 255.255.255.0
!
object network VPN_RANGE
 range 192.168.2.200 192.168.2.210
!
nat (inside,outside) 1 source static INSIDE_SUBNET INSIDE_SUBNET destination static VPN_RANGE VPN_RANGE proxy-arp route-lookup
nat (dmz,outside) 2 source static DMZ_SUBNET DMZ_SUBNET destination static VPN_RANGE VPN_RANGE no-proxy-arp route-lookup

However, I strongly recommend using a VPN IP pool that is different from any connected subnet configured on ASA interfaces; you avoid many possible problems due to ARP. So, here's a better config:

no ip local pool ANY-CONNECT 192.168.2.200-192.168.2.210 mask 255.255.255.0
ip local pool NEW-ANY-CONNECT 192.168.3.200-192.168.3.210 mask 255.255.255.0
!
object network INSIDE_SUBNET
 subnet 192.168.2.0 255.255.255.0
!
object network DMZ_SUBNET
 subnet 172.16.2.0 255.255.255.0
!
object network NEW_VPN_SUBNET
 subnet 192.168.3.0 255.255.255.0
!
nat (inside,outside) 1 source static INSIDE_SUBNET INSIDE_SUBNET destination static NEW_VPN_SUBNET NEW_VPN_SUBNET no-proxy-arp route-lookup
nat (dmz,outside) 2 source static DMZ_SUBNET DMZ_SUBNET destination static NEW_VPN_SUBNET NEW_VPN_SUBNET no-proxy-arp route-lookup

Regards,
Cristian Matei.
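As an added check (not part of the thread or of either poster's config), this Python script audits an ASA config excerpt for the two issues the reply raises: a remote-access pool that overlaps a subnet connected to an ASA interface, and a connected subnet with no identity twice-NAT rule toward that pool. The sample config is constructed from values in the thread; the DMZ interface address 172.16.2.1 is assumed.

```python
import ipaddress, re

# Constructed sample: inside address 192.168.2.1 is from the posted config; the DMZ address 172.16.2.1 is assumed.
SAMPLE = """nameif inside
 ip address 192.168.2.1 255.255.255.0
nameif DMZ
 ip address 172.16.2.1 255.255.255.0
ip local pool ANY-CONNECT 192.168.2.200-192.168.2.210 mask 255.255.255.0
object network INSIDE_SUBNET
 subnet 192.168.2.0 255.255.255.0
object network DMZ_SUBNET
 subnet 172.16.2.0 255.255.255.0
object network VPN_RANGE
 range 192.168.2.200 192.168.2.210
nat (inside,outside) 1 source static INSIDE_SUBNET INSIDE_SUBNET destination static VPN_RANGE VPN_RANGE route-lookup
"""

def rng(a, b, mask=False):
    # (low, high) address pair from 'addr mask' tokens (mask=True) or 'first last' tokens
    net = ipaddress.ip_network(f"{a}/{b}", strict=False) if mask else None
    return (net[0], net[-1]) if mask else (ipaddress.ip_address(a), ipaddress.ip_address(b))

def parse(text):
    """Connected subnets per nameif, VPN pools, network objects and identity twice-NAT rules."""
    ifaces, pools, objects, exempt, name = {}, {}, {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"(nameif|object network) (\S+)", line):
            name = m[2]  # following 'ip address' / 'subnet' / 'range' lines belong to this name
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            ifaces[name] = rng(m[1], m[2], mask=True)
        elif m := re.match(r"subnet (\S+) (\S+)", line):
            objects[name] = rng(m[1], m[2], mask=True)
        elif m := re.match(r"range (\S+) (\S+)", line):
            objects[name] = rng(m[1], m[2])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = rng(m[2], m[3])
        elif m := re.match(r"nat \((\S+),\S+\) .*source static (\S+) \2 destination static (\S+) \3", line):
            exempt.append((m[1], m[2], m[3]))  # real == mapped on both sides: identity (NAT-exempt) rule
    return ifaces, pools, objects, exempt

def contains(outer, inner): return outer[0] <= inner[0] and inner[1] <= outer[1]
def overlaps(a, b): return a[0] <= b[1] and b[0] <= a[1]

def audit(text, pool_name):
    """Interfaces whose subnet overlaps the pool (the ARP trouble the reply warns about) and interfaces with
    no identity NAT to the pool, so traffic to VPN clients can hit the outside PAT and fail the reverse-path check."""
    ifaces, pools, objects, exempt = parse(text)
    pool = pools[pool_name]
    covered = {i for i, s, d in exempt if i in ifaces and s in objects and d in objects
               and contains(objects[s], ifaces[i]) and contains(objects[d], pool)}
    return {"overlaps": sorted(i for i, n in ifaces.items() if overlaps(n, pool)),
            "missing_exemptions": sorted(set(ifaces) - covered)}
```

Running audit(SAMPLE, "ANY-CONNECT") flags the inside subnet for overlap and DMZ for a missing exemption; moving the pool to 192.168.3.x and adding the DMZ rule, as the reply does, clears both lists.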