Setting up IPsec VPNs to use with Cisco Anyconnect

licenses
Level 1

So I've been having trouble setting up VPNs on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, and from what I've read you can do this and still use Cisco AnyConnect. My knowledge of how to set up VPNs, especially in IOS version 8.4, is limited, so I've been using a combination of the command line and ASDM.

I'm finally able to connect from a remote location, but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-LAN connections. I've been using a pre-shared key for this. Documentation is limited on what should happen after you connect. Shouldn't I be able to access computers that are local to the VPN connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP addresses altered and everything completely unrelated to VPNs removed.

NOTE: We are still testing this ASA and it isn't in production.

Any help you can give me is much appreciated.

ASA Version 8.4(2)

!

hostname ASA

domain-name domain.com

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/1

nameif outside

security-level 0

ip address 50.1.1.225 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

no nameif

security-level 100

ip address 192.168.1.1 255.255.255.0

!

boot system disk0:/asa842-k8.bin

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

!

same-security-traffic permit intra-interface

!

object network NETWORK_OBJ_192.168.0.224_27

subnet 192.168.0.224 255.255.255.224

!

object-group service VPN

service-object esp

service-object tcp destination eq ssh

service-object tcp destination eq https

service-object udp destination eq 443

service-object udp destination eq isakmp

!

access-list ips extended permit ip any any

!

ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0

no failover

failover timeout -1

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup

!

object network LAN

nat (inside,outside) dynamic interface

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 50.1.1.250 1

sysopt noproxyarp inside

sysopt noproxyarp outside

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ASA

crl configure

crypto ca server

shutdown

crypto ca certificate chain ASDM_TrustPoint0

certificate d2c18c4e

    308201f3 3082015c a0030201 020204d2 c18c4e30 0d06092a 864886f7 0d010105

    0500303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886

    f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63

    6f6d301e 170d3131 31303036 31393133 31365a17 0d323131 30303331 39313331

    365a303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886

    f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63

    6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b2

    8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b

    37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c

    234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c51782

    3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02

    03010001 300d0609 2a864886 f70d0101 05050003 8181009d d2d4228d 381112a1

    cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc

    18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6

    beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef

    af72e31f a1c4a892 d0acc618 888b53d1 9b888669 70e398

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 10

console timeout 0

management-access inside

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2

anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3

anyconnect profiles VPN disk0:/devpn.xml

anyconnect enable

tunnel-group-list enable

group-policy VPN internal

group-policy VPN attributes

wins-server value 50.1.1.17 50.1.1.18

dns-server value 50.1.1.17 50.1.1.18

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client

default-domain value digitalextremes.com

webvpn

  anyconnect profiles value VPN type user

  always-on-vpn profile-setting

username administrator password xxxxxxxxx encrypted privilege 15

username VPN1 password xxxxxxxxx encrypted

tunnel-group VPN type remote-access

tunnel-group VPN general-attributes

address-pool (inside) VPNPool

address-pool VPNPool

authorization-server-group LOCAL

default-group-policy VPN

tunnel-group VPN webvpn-attributes

group-alias VPN enable

tunnel-group VPN ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

class-map ips

match access-list ips

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect http

class ips

  ips inline fail-open

class class-default

  user-statistics accounting


6 Replies

Marvin Rhoads
Hall of Fame

Can you please confirm that you have AnyConnect Essentials licensed? (relevant line output from show version or show activation-key). It is necessary.

I'd also recommend using the latest AnyConnect = 3.0.5075 and not the earlier versions you have setup on your disk0: as indicated above.

You should also set up your:

     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client

line to only include ikev2.

You should end up with a profile.xml file on your disk0: that will be pulled down to your AnyConnect clients and, among other things, force the protocol to IPsec (with IKEv2).
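
The two settings this reply turns on (restricting vpn-tunnel-protocol to ikev2, and a client profile that forces IPsec/IKEv2) can be checked mechanically, together with one point in the original post's config that none of the replies examine: the pool 192.168.0.225-250 sits inside the inside interface's 192.168.0.0/24, yet `sysopt noproxyarp inside` is set, so the ASA will not answer ARP for client addresses on the inside interface and inside hosts' replies never reach the tunnel. The script below is an added example by the editor, not code from this thread or from Cisco. It embeds a constructed excerpt of the posted config, a constructed AnyConnect profile whose host name and address are placeholders, and a corrected pair; the corrected pool 192.168.50.0/24 assumes inside hosts route to it via the ASA.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the posted ASA 8.4(2) config (not the full config).
ASA_CONFIG_AS_POSTED = """\
interface Ethernet0/0
 nameif inside
 ip address 192.168.0.1 255.255.255.0
ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
sysopt noproxyarp inside
sysopt noproxyarp outside
group-policy VPN attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
"""

# Constructed AnyConnect profile with no PrimaryProtocol; host values are placeholders.
PROFILE_AS_POSTED = """\
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>50.1.1.225</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Corrected pair: pool moved off the inside subnet (assumes inside hosts reach
# 192.168.50.0/24 via the ASA), IKEv2 only, profile set to try IPsec first.
ASA_CONFIG_FIXED = ASA_CONFIG_AS_POSTED.replace(
    "ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0",
    "ip local pool VPNPool 192.168.50.10-192.168.50.100 mask 255.255.255.0",
).replace("vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client",
          "vpn-tunnel-protocol ikev2")
PROFILE_FIXED = PROFILE_AS_POSTED.replace(
    "</HostAddress>", "</HostAddress>\n      <PrimaryProtocol>IPsec</PrimaryProtocol>")


def parse_interfaces(cfg):
    """Return {nameif: ip_network} for each interface stanza that has an address."""
    nets, nameif, net = {}, None, None
    for raw in cfg.splitlines() + ["interface END"]:  # sentinel flushes the last stanza
        line = raw.strip()
        if line.startswith("interface "):
            if nameif and net:
                nets[nameif] = net
            nameif, net = None, None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return nets

def parse_pools(cfg):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pat = re.compile(r"^\s*ip local pool (\S+) (\S+)-(\S+) mask \S+$", re.M)
    return {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            for m in pat.finditer(cfg)}

def noproxyarp_interfaces(cfg):
    """Interfaces on which 'sysopt noproxyarp' disables proxy ARP."""
    return set(re.findall(r"^\s*sysopt noproxyarp (\S+)", cfg, re.M))

def tunnel_protocols(cfg):
    """Protocols allowed by the first vpn-tunnel-protocol line."""
    m = re.search(r"^\s*vpn-tunnel-protocol (.+)$", cfg, re.M)
    return set(m[1].split()) if m else set()

def primary_protocol(profile_xml):
    """PrimaryProtocol of the first HostEntry, or None when the element is absent."""
    elem = ET.fromstring(profile_xml).find(".//{*}HostEntry/{*}PrimaryProtocol")
    return None if elem is None else elem.text.strip()

def lint(cfg, profile_xml):
    """Return a list of findings; an empty list means every check passed."""
    findings, nets, noarp = [], parse_interfaces(cfg), noproxyarp_interfaces(cfg)
    for name, (first, last) in parse_pools(cfg).items():
        for nameif, net in nets.items():
            if first in net and last in net and nameif in noarp:
                findings.append(f"pool {name} is inside the {nameif} subnet {net} but "
                                f"'sysopt noproxyarp {nameif}' stops the ASA answering "
                                f"ARP for client addresses, so {nameif} hosts cannot reply")
    extra = tunnel_protocols(cfg) - {"ikev2"}
    if extra:
        findings.append(f"vpn-tunnel-protocol also allows {sorted(extra)}; "
                        "restrict it to ikev2 for an IPsec-only AnyConnect tunnel")
    if primary_protocol(profile_xml) != "IPsec":
        findings.append("profile HostEntry lacks <PrimaryProtocol>IPsec</PrimaryProtocol>, "
                        "so AnyConnect will default to SSL instead of IKEv2")
    return findings

if __name__ == "__main__":
    for label, cfg, prof in (("as posted", ASA_CONFIG_AS_POSTED, PROFILE_AS_POSTED),
                             ("fixed", ASA_CONFIG_FIXED, PROFILE_FIXED)):
        print(f"--- {label}")
        for finding in lint(cfg, prof) or ["no findings"]:
            print(" *", finding)
```

Run as-is it reports three findings for the posted pair and none for the corrected one. Moving the pool off the LAN also means the NAT exemption (the `nat (inside,outside) source static any any destination static ...` line) must reference an object that covers the new pool, since the posted NETWORK_OBJ_192.168.0.224_27 no longer would; the license requirement discussed in this thread is unaffected by any of these changes.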

Hi Marvin, thanks for the quick reply.

It appears that we don't have Anyconnect Essentials.

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 100            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

VPN-DES                           : Enabled        perpetual

VPN-3DES-AES                      : Enabled        perpetual

Security Contexts                 : 2              perpetual

GTP/GPRS                          : Disabled       perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 250            perpetual

Total VPN Peers                   : 250            perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5510 Security Plus license.

So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

I'd recommend buying AnyConnect Essentials. The license cost is nominal - US$150 list for the 5510. (part number L-ASA-AC-E-5510=)

Meanwhile you could use the legacy Cisco VPN client with IKEv1 IPsec remote access VPN using *.pcf profiles.

I believe you could also use the Anyconnect client with client-based SSL or DTLS remote-access (non-IPsec) transport without having to purchase the Anyconnect Essentials license for your ASA.

As an aside, note that if you want to use AnyConnect Mobile (e.g. for iPhone, iPad, Android, BlackBerry etc. clients) you would also need to get the additional license for that (L-ASA-AC-M-5510=, also US$150 list price).

Thanks for the clarification! Just so I understand clearly, that's only $150/year then, right?

You're welcome, Julie.

AnyConnect Essentials is a permanent license - i.e., a one-time purchase with no recurring cost. (Same thing with Mobile)

supertoaster2
Level 1

This is marketing and should not have been given as an answer.

The question was: can you do IPsec with AnyConnect?

If the question was "Do you need a licence to run AnyConnect SVC", yes, 10/10.

No vote for me on this answer.

VIP?

0/10 no answer...

(Please no reply)