1338 Views, 5 Helpful, 3 Replies

Using Anyconnect SSL VPN - Cannot access internal LAN through VPN

Jakei (Level 1)

I am trying to set up a Cisco ASA 5506-X with a VPN using the AnyConnect SSL VPN client. I am able to successfully complete the wizard, connect via VPN, and have configured split tunneling. The computer with the client running is able to access the internet while connected to the VPN, so at least the split tunneling seems to be correct.

However, I have been unable to ping the inside interface of the ASA or any host on the internal network.

My end goal is to have a few users set up with outside VPN access so they can RDP into their machines from home. Currently I am just trying to test the VPN connection with ping but cannot get any communication at all.

When I open the VPN client, I can see the connection information and see that tunneling is set to Split Include, and I can see the secured routes in the route details. Under Bytes, after the initial connection I can see some bytes received, but after that the counter does not change.

I'd love some help with this and feel like there's probably something obvious I'm missing. I'll include a show run and show all run sysopt below:

ASA Version 9.8(2)
!
hostname GNC-ASA5506
enable password $sha512$5000$yEVU9SknjxL/NBrKsNTSfQ==$hHmEw28UUGuq/ddYqgpAnw== pbkdf2
names
ip local pool VPN_Client_Pool 192.168.2.240-192.168.2.245 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.240_29
subnet 192.168.2.240 255.255.255.248
access-list Local_Lan_Access standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list SPLIT-TUNNEL standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside_1,outside) source static any any destination static NETWORK_OBJ_192.168.2.240_29 NETWORK_OBJ_192.168.2.240_29 no-proxy-arp route-lookup
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.2.0 255.255.255.0 inside_7
http 192.168.2.0 255.255.255.0 inside_1
http 192.168.2.0 255.255.255.0 inside_2
http 192.168.2.0 255.255.255.0 inside_6
http 192.168.2.0 255.255.255.0 inside_3
http 192.168.2.0 255.255.255.0 inside_4
http 192.168.2.0 255.255.255.0 inside_5
http 10.0.0.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=GNC-ASA5506
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 95ad8e5a
308202e0 308201c8 a0030201 02020495 ad8e5a30 0d06092a 864886f7 0d01010b
05003032 31143012 06035504 03130b47 4e432d41 53413535 3036311a 30180609
2a864886 f70d0109 02160b47 4e432d41 53413535 3036301e 170d3138 30323237
31343231 34345a17 0d323830 32323531 34323134 345a3032 31143012 06035504
03130b47 4e432d41 53413535 3036311a 30180609 2a864886 f70d0109 02160b47
4e432d41 53413535 30363082 0122300d 06092a86 4886f70d 01010105 00038201
0f003082 010a0282 010100d3 b97b69f5 4252d9e2 bc318b51 e0c5c67d 002ccb05
04e83ad8 d4c1b023 24e481c7 0aaccb4b 9b9a71e2 f71fefd6 2b5df5e7 76b4730a
10657111 9791c4e4 8c49d8f2 be7fc967 143092a5 ebd41da0 3d2c02b1 076f358f
858b9266 e91fe6dd cd36a200 5267ab72 90646de4 b6c74032 0b4c175d 759fc0be
562e5b92 fbb8ef53 ebc24434 6dc2a41e 83f24cd0 35576340 5f713650 8e6bc572
52678170 65359679 25b61ec3 f99f1402 65db48f3 b2833c3f 6a6bb245 3de6a6fb
8bafffd7 522e0664 f0e6ad27 2d5e28c3 87c43458 5348884d 4d6fd6a2 730f8382
a51e5b80 d323a950 14e73202 361994be 1f77f381 b6addbf0 c38e084d c3def9a3
880afc9b 083fa5b6 804af102 03010001 300d0609 2a864886 f70d0101 0b050003
82010100 623c09db 66ed4f56 ee1d2e32 58ea8088 cd08f7be edf3ac00 415a87a4
59b414ca dea9393d a16dd926 9b0bf1f5 1ec81209 51c44f9a ba119c8a 870dfcb1
1abf8404 1d833b9d 5b9bbcb4 f2b800b4 14695799 9da822ab c9e4eb94 d0a7f349
09ed923c efde9710 75e637aa 47bb1544 036b0467 fd352814 fa5e6671 56f881c6
dea9877b 4d4928c1 ff9bae89 8127ad9c 049e4f3a 5c109a35 b6d4a21b 2b3cd0b9
977bce88 06da2abd 1ad55767 2743fd80 a3ca02d3 0cde137b 4f9f2b52 d64b7f83
bac3d150 81bf16ae f50f700a 8f5bb033 0c7f8281 5edd2895 5afeb93f 1626a454
53e3acfc e7136451 e4c3ff74 cf2651f6 29e39398 b34de456 61abec9a 8742647f
e05995f9
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside_1
ssl trust-point ASDM_TrustPoint0 inside_2
ssl trust-point ASDM_TrustPoint0 inside_3
ssl trust-point ASDM_TrustPoint0 inside_4
ssl trust-point ASDM_TrustPoint0 inside_5
ssl trust-point ASDM_TrustPoint0 inside_6
ssl trust-point ASDM_TrustPoint0 inside_7
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
anyconnect profiles VPNClientProfile_client_profile disk0:/VPNClientProfile_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
wins-server value 192.168.2.16
dns-server value 192.168.2.16 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value goodnewsclinics.local
dynamic-access-policy-record DfltAccessPolicy
username ccrow password $sha512$5000$rJX3GAYkUAgmkCbC8uvx/Q==$T0I65IS9r3TJxaAf9Zl/8w== pbkdf2
username ccrow attributes
vpn-group-policy GroupPolicy_SSLVPN
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool VPN_Client_Pool
default-group-policy GroupPolicy_SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5ef843ce14647461cdb52a1a0ed22fcf
: end
GNC-ASA5506# show all run sysopt
^
ERROR: % Invalid input detected at '^' marker.
GNC-ASA5506# show run all sysopt
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp inside_1
no sysopt noproxyarp inside_2
no sysopt noproxyarp inside_3
no sysopt noproxyarp inside_4
no sysopt noproxyarp inside_5
no sysopt noproxyarp inside_6
no sysopt noproxyarp inside_7
no sysopt noproxyarp inside

 

 

Accepted Solution

Rahul Govindan (VIP Alumni)

You have to replicate the same NAT exempt rule for all bridge group members:

nat (inside_1,outside) source static any any destination static NETWORK_OBJ_192.168.2.240_29 NETWORK_OBJ_192.168.2.240_29 no-proxy-arp route-lookup

nat (inside_2,outside) source static any any destination static NETWORK_OBJ_192.168.2.240_29 NETWORK_OBJ_192.168.2.240_29 no-proxy-arp route-lookup

 

I think the AnyConnect VPN Wizard only creates one by default.

 

Also, with a BVI, pinging or SSHing to the ASA inside interface is not possible when connected via VPN. There is a bug for this:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve82307/?reffering_site=dumpcr

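To make the accepted answer's fix checkable instead of hand-typed, here is an added example (not code from the thread or from Cisco): a small Python auditor that reads an ASA running-config, lists the member interfaces of a bridge group, finds which of them already carry the wizard's identity NAT toward the VPN pool object, and prints the nat commands that are still missing. The config text inside it is a constructed excerpt of the posted running-config (the interface names, bridge-group 1 and NETWORK_OBJ_192.168.2.240_29 are from the thread; only the first three inside interfaces are included to keep it short). The posted show run all sysopt output also shows sysopt connection permit-vpn, so decrypted AnyConnect traffic bypasses the interface ACLs and NAT is the first thing to check.

```python
"""Audit an ASA running-config for per-bridge-group-member VPN NAT exemption.

Added example, not code from the original thread or from Cisco. It encodes the
accepted answer: on an ASA with a BVI, the identity (no-NAT) rule the AnyConnect
wizard writes for inside_1 must exist for every bridge-group member, because
NAT is matched on the member nameif, not on the BVI nameif 'inside'.
"""
import re

# Twice-NAT identity rule of the form the wizard generates:
#   nat (SRC,DST) source static any any destination static OBJ OBJ ...
# Object-NAT lines ("nat (inside_1,outside) dynamic interface") do not match.
NAT_EXEMPT_RE = re.compile(
    r"^nat \((?P<src>[^,]+),(?P<dst>[^)]+)\) source static any any "
    r"destination static (?P<obj>\S+) (?P=obj)(?:\s|$)"
)

# Constructed excerpt of the posted running-config. Indentation is lost in a
# forum paste, so the parser strips each line and uses '!' / 'interface' as
# block boundaries. Only inside_1 has the exemption, as the wizard left it.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
object network NETWORK_OBJ_192.168.2.240_29
 subnet 192.168.2.240 255.255.255.248
nat (inside_1,outside) source static any any destination static NETWORK_OBJ_192.168.2.240_29 NETWORK_OBJ_192.168.2.240_29 no-proxy-arp route-lookup
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
"""


def bridge_group_members(config):
    """Map bridge-group number -> member nameifs. The BVI itself is not a member."""
    members = {}
    group = nameif = None
    for raw in config.splitlines() + ["!"]:  # trailing '!' flushes the last block
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            if group is not None and nameif:
                members.setdefault(group, []).append(nameif)
            group = nameif = None
        elif line.startswith("bridge-group "):
            group = int(line.split()[1])
        elif line.startswith("nameif "):
            nameif = line.split()[1]
    return members


def nat_exempt_interfaces(config, pool_obj, outside="outside"):
    """Nameifs that already carry an identity NAT toward the VPN pool object."""
    found = set()
    for raw in config.splitlines():
        m = NAT_EXEMPT_RE.match(raw.strip())
        if m and m.group("dst") == outside and m.group("obj") == pool_obj:
            found.add(m.group("src"))
    return found


def missing_nat_exemptions(config, pool_obj, group=1, outside="outside"):
    """Return the 'nat' commands still needed so every member of the group is exempt."""
    have = nat_exempt_interfaces(config, pool_obj, outside)
    return [
        f"nat ({ifc},{outside}) source static any any destination static "
        f"{pool_obj} {pool_obj} no-proxy-arp route-lookup"
        for ifc in bridge_group_members(config).get(group, [])
        if ifc not in have
    ]


if __name__ == "__main__":
    for cmd in missing_nat_exemptions(SAMPLE_CONFIG, "NETWORK_OBJ_192.168.2.240_29"):
        print(cmd)
```

Run it against a saved show run (replace SAMPLE_CONFIG with the file contents) and paste the printed lines into config mode one per line, unwrapped: the failed paste later in this thread shows what the ASA does when the object name is split across two lines. Afterwards, show nat detail on the ASA should list one identity rule per bridge-group member, and a packet-tracer from outside with a pool address as source (for example packet-tracer input outside icmp 192.168.2.241 8 0 192.168.2.16 detailed) should show that rule being hit in its NAT phase rather than the dynamic interface PAT.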

3 Replies


Hey, thanks for the quick response. I took your advice and added those NAT exemption rules. I'm going to throw an updated running-config in here.

That is good info about the bug pinging the bridge interface; from now on I'll just focus my tests on an internal host.

Unfortunately after the changes I have the same issues. Any more pointers would be greatly appreciated.

GNC-ASA5506# nat (inside_1,outside) source static any any destination static N$

nat (inside_1,outside) source static any any destination static NETWORK_OBJ_192. ^ 168.2.240_29 NETWORK_OBJ_192.168.2.240_29 no-proxy-arp route-lookup

ERROR: % Invalid input detected at '^' marker.
GNC-ASA5506# conf t
GNC-ASA5506(config)# nat (inside_1,outside) source static any any destination $

nat (inside_1,outside) source static any any destination static NETWORK_OBJ_192.
168.2.240_29 NETWORK_OBJ_192.168.2.240_29 no-proxy-arp route-lookup
^
ERROR: % Invalid input detected at '^' marker.
GNC-ASA5506(config)# show run
: Saved

:
: Serial Number: JAD2136042X
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname GNC-ASA5506
enable password $sha512$5000$yEVU9SknjxL/NBrKsNTSfQ==$hHmEw28UUGuq/ddYqgpAnw== pbkdf2
names
ip local pool VPN_Client_Pool 192.168.2.240-192.168.2.245 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.240_29
subnet 192.168.2.240 255.255.255.248
access-list Local_Lan_Access standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list SPLIT-TUNNEL standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside_1,outside) source static any any destination static NETWORK_OBJ_192.168.2.240_29 NETWORK_OBJ_192.168.2.240_29 no-proxy-arp route-lookup
nat (inside_2,outside) source static any any destination static NETWORK_OBJ_192.168.2.240_29 NETWORK_OBJ_192.168.2.240_29 no-proxy-arp route-lookup
nat (inside_3,outside) source static any any destination static NETWORK_OBJ_192.168.2.240_29 NETWORK_OBJ_192.168.2.240_29 no-proxy-arp route-lookup
nat (inside_4,outside) source static any any destination static NETWORK_OBJ_192.168.2.240_29 NETWORK_OBJ_192.168.2.240_29 no-proxy-arp route-lookup
nat (inside_5,outside) source static any any destination static NETWORK_OBJ_192.168.2.240_29 NETWORK_OBJ_192.168.2.240_29 no-proxy-arp route-lookup
nat (inside_6,outside) source static any any destination static NETWORK_OBJ_192.168.2.240_29 NETWORK_OBJ_192.168.2.240_29 no-proxy-arp route-lookup
nat (inside_7,outside) source static any any destination static NETWORK_OBJ_192.168.2.240_29 NETWORK_OBJ_192.168.2.240_29 no-proxy-arp route-lookup
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.2.0 255.255.255.0 inside_7
http 192.168.2.0 255.255.255.0 inside_1
http 192.168.2.0 255.255.255.0 inside_2
http 192.168.2.0 255.255.255.0 inside_6
http 192.168.2.0 255.255.255.0 inside_3
http 192.168.2.0 255.255.255.0 inside_4
http 192.168.2.0 255.255.255.0 inside_5
http 10.0.0.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=GNC-ASA5506
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 95ad8e5a
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside_1
ssl trust-point ASDM_TrustPoint0 inside_2
ssl trust-point ASDM_TrustPoint0 inside_3
ssl trust-point ASDM_TrustPoint0 inside_4
ssl trust-point ASDM_TrustPoint0 inside_5
ssl trust-point ASDM_TrustPoint0 inside_6
ssl trust-point ASDM_TrustPoint0 inside_7
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
anyconnect profiles VPNClientProfile_client_profile disk0:/VPNClientProfile_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
wins-server value 192.168.2.16
dns-server value 192.168.2.16 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value goodnewsclinics.local
dynamic-access-policy-record DfltAccessPolicy
username ccrow password $sha512$5000$rJX3GAYkUAgmkCbC8uvx/Q==$T0I65IS9r3TJxaAf9Zl/8w== pbkdf2
username ccrow attributes
vpn-group-policy GroupPolicy_SSLVPN
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool VPN_Client_Pool
default-group-policy GroupPolicy_SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:db4a558fdd9476968046bebac0e247c9
: end

The config looks correct on initial glance. Can you try changing the AnyConnect pool to something not in the same range as the 192.168.2.0/24 inside network? Also change your NAT policies accordingly and test.
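As an added check for the overlap the reply above points at (example code written for this thread, not from the original post or from Cisco), the script below parses the relevant lines of a show run excerpt and flags any AnyConnect pool whose addresses fall inside an inside-interface subnet. The sample lines are constructed from the posted config, and using the `http <net> <mask> inside_N` entries as the source of the inside subnet is an assumption, since the bridge-group members carry no `ip address` line.

```python
"""Lint an ASA running-config for an AnyConnect address pool that falls inside
the inside LAN subnet, the mismatch the reply above points at.
Constructed example for this thread, not code from the original post."""
import ipaddress
import re

# Constructed excerpt modelled on lines from the posted show run (not the full dump).
SAMPLE_CONFIG = """\
ip local pool VPN_Client_Pool 192.168.2.240-192.168.2.245 mask 255.255.255.0
http 192.168.2.0 255.255.255.0 inside_1
http 192.168.2.0 255.255.255.0 inside_2
http 10.0.0.0 255.255.255.0 outside
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", re.M)
HTTP_RE = re.compile(r"^http (\S+) (\S+) (\S+)", re.M)


def parse_pools(config):
    """Map pool name -> (first address, last address) from 'ip local pool' lines."""
    pools = {}
    for name, first, last, _mask in POOL_RE.findall(config):
        pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return pools


def inside_networks(config):
    """Subnets bound to interfaces whose nameif starts with 'inside'.
    Assumption: the bridge-group members have no 'ip address' line, so the
    'http <net> <mask> inside_N' entries are taken as the inside subnet."""
    nets = set()
    for net, mask, ifname in HTTP_RE.findall(config):
        if ifname.startswith("inside"):
            nets.add(ipaddress.ip_network(f"{net}/{mask}"))
    return sorted(nets)


def overlapping_pools(config):
    """Return [(pool_name, inside_subnet)] for every pool range lying in an inside subnet."""
    hits = []
    for name, (first, last) in parse_pools(config).items():
        for net in inside_networks(config):
            if first in net or last in net:
                hits.append((name, str(net)))
    return hits


if __name__ == "__main__":
    for name, net in overlapping_pools(SAMPLE_CONFIG):
        print(f"pool {name} overlaps inside subnet {net}: move it to a separate range")
```

Running it against the sample reports `VPN_Client_Pool` as overlapping `192.168.2.0/24`; after the pool is moved to a separate range the report is empty, which is the state the NAT exemption then has to be written for.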
