10-20-2023 07:57 AM - edited 10-20-2023 07:58 AM
Hello, I'm a student studying networking and I'm currently trying to learn how VPNs work. I own an ASA 5512-X with a Security Plus License. I decided to use the built-in ASDM wizard to try to get my AnyConnect VPN up and running; from videos online, it seemed very easy.
However, upon connecting to the VPN using my Windows 11 PC, I could only ping my inside interface (192.168.60.1) and nothing else. The strange part is, I'm able to ping my PC from the firewall and from 'inside' servers. I suspect that NAT could be an issue, but I'm not too sure because of the previously mentioned part.
Things I've checked:
PC was assigned an IP specified in the pool (192.168.60.200 in my case)
Windows Firewall completely disabled
Another Windows 10 PC
Redoing the VPN Wizard
Startup Config:
: Saved
:
: Serial Number: <REDACTED>
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2800 MHz, 1 CPU (2 cores)
: Written by enable_15 at 14:45:30.697 UTC Fri Oct 20 2023
!
ASA Version 9.12(4)40
!
hostname R1-FW1
enable password <REDACTED>
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
names
no mac-address auto
ip local pool inside 192.168.60.200-192.168.60.230 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
bridge-group 1
nameif switch
security-level 100
!
interface GigabitEthernet0/2
bridge-group 1
nameif management
security-level 100
!
interface GigabitEthernet0/3
bridge-group 2
nameif IoT
security-level 50
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.60.1 255.255.255.0
!
interface BVI2
nameif DMZ
security-level 50
ip address 192.168.70.1 255.255.255.0
!
boot system disk0:/asa9-12-4-40-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network Switch
subnet 0.0.0.0 0.0.0.0
object network Man
subnet 0.0.0.0 0.0.0.0
object network IoTWAN
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.60.192_26
subnet 192.168.60.192 255.255.255.192
access-list SPLIT-TUNNEL standard permit 192.168.60.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu switch 1500
mtu management 1500
mtu IoT 1500
no failover
no failover wait-disable
no monitor-interface inside
no monitor-interface DMZ
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7181-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
object network Switch
nat (switch,outside) dynamic interface
object network Man
nat (management,outside) dynamic interface
object network IoTWAN
nat (IoT,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 192.168.60.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=192.168.60.1,CN=R1-FW1
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint VPN
enrollment self
subject-name CN=R1-FW1
keypair VPN-KEYS
no ca-check
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
certificate 63153165
quit
crypto ca certificate chain VPN
certificate 64153165
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 192.168.50.0 255.255.255.0 outside
ssh 192.168.60.0 255.255.255.0 management
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.60.5-192.168.60.254 inside
dhcpd enable inside
!
dhcpd address 192.168.70.5-192.168.70.254 DMZ
dhcpd enable DMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point VPN outside
ssl trust-point VPN inside
ssl trust-point VPN DMZ
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 inside vpnlb-ip
webvpn
enable outside
hsts
enable
max-age 31536000
include-sub-domains
no preload
http-headers
x-content-type-options
x-xss-protection
content-security-policy
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server none
dns-server none
vpn-tunnel-protocol ikev2 ssl-client
default-domain none
webvpn
anyconnect profiles value VPN_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username ong password <REDACTED>
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool inside
default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:80c897e74f23643f53949cf5d7578ec5
: end
10-20-2023 08:05 AM
@plaush yes, probably a NAT issue. Create a NAT exemption rule to ensure traffic between the local and RAVPN network is not unintentionally translated. You should change the RAVPN pool network so that it is a different network from the LAN. Example:
object network LAN
subnet 192.168.60.0 255.255.255.0
!
object network RAVPN
subnet 192.168.61.192 255.255.255.192
!
nat (switch,outside) source static LAN LAN destination static RAVPN RAVPN
!
ip local pool inside 192.168.61.200-192.168.61.230 mask 255.255.255.0
10-20-2023 08:04 AM
Change the pool subnet and check again.
The VPN must not share a subnet with any FW interface.
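A small checker, added here and not part of the thread, that reads an ASA config excerpt (constructed from the original post plus the objects and NAT rule from the accepted answer) and flags the two conditions the replies point at: a VPN address pool that overlaps a firewall interface subnet, and a pool not covered by an identity (no-NAT) rule.

```python
import ipaddress
import re

# Constructed excerpt: the thread's original overlapping pool, the BVI
# interfaces, and the LAN/RAVPN objects and NAT exemption from the answer.
ASA_CONFIG = """
ip local pool inside 192.168.60.200-192.168.60.230 mask 255.255.255.0
interface BVI1
 nameif inside
 ip address 192.168.60.1 255.255.255.0
interface BVI2
 nameif DMZ
 ip address 192.168.70.1 255.255.255.0
object network LAN
 subnet 192.168.60.0 255.255.255.0
object network RAVPN
 subnet 192.168.61.192 255.255.255.192
nat (switch,outside) source static LAN LAN destination static RAVPN RAVPN
"""
# Same excerpt with the pool moved off the inside subnet, as the answer advises.
FIXED_CONFIG = ASA_CONFIG.replace("192.168.60.200-192.168.60.230",
                                  "192.168.61.200-192.168.61.230")

def parse(cfg):
    """Pull address pools, interface subnets, network objects and identity NAT rules."""
    pools, ifaces, objects, exempt, cur = {}, {}, {}, [], None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"]:          # ip local pool NAME lo-hi mask M
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] in ("nameif", "object"):           # remember the current interface/object
            cur = t[-1]
        elif t[:2] == ["ip", "address"] and cur and t[2] != "dhcp":
            ifaces[cur] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "subnet" and cur:
            objects[cur] = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
        elif t[0] == "nat":                          # twice NAT identity rule: SRC SRC / DST DST
            m = re.match(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2$", line.strip())
            if m:
                exempt.append((m.group(1), m.group(2)))
    return pools, ifaces, objects, exempt

def pool_overlaps(cfg):
    """(pool, interface) pairs where a pool endpoint lies inside an interface subnet."""
    pools, ifaces, _, _ = parse(cfg)
    return [(p, i) for p, (lo, hi) in pools.items()
            for i, net in ifaces.items() if lo in net or hi in net]

def unexempted_pools(cfg):
    """Pools with no identity NAT rule pairing an interface subnet with the pool's range."""
    pools, ifaces, objects, exempt = parse(cfg)
    covered = {p for p, (lo, hi) in pools.items() for src, dst in exempt
               if objects.get(src) in ifaces.values()
               and objects.get(dst) is not None and lo in objects[dst] and hi in objects[dst]}
    return sorted(set(pools) - covered)
```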
10-20-2023 08:04 AM
Ouhh, I didn't know that! I'll attempt it, thank you for the prompt reply.
10-20-2023 08:05 AM
@plaush yes, probably a NAT issue....create a NAT exemption rule to ensure traffic between the local and RAVPN network is not unintentially translated. You should change the RAVPN pool network would not be a different network from the LAN. Example:
object network LAN
subnet 192.168.60.0 255.255.255.0
!
object network RAVPN
subnet 192.168.61.192 255.255.255.192
!
nat (switch,outside) source static LAN LAN destination static RAVPN RAVPN
!
ip local pool inside 192.168.61.200-192.168.61.230 mask 255.255.255.0
10-20-2023 06:55 PM
Hello, this works perfectly! Thank you so much, you have saved me hours of troubleshooting. I'll try to understand what each command does now.