11-13-2017 10:10 AM - edited 03-12-2019 04:44 AM
hi,
Just stopped working, and can't even ping the inside interface once connected.
Please find below the following configuration of my firewall.
Result of the command: "sh run"
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.6(1)
!
hostname pegasus
domain-name jth.local
enable password IFomWluDEyOnsYVw encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool PegasusPool 10.200.10.2-10.200.10.253 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address ***********************
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.843
vlan 843
nameif Inside
security-level 99
ip address 10.200.10.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
ip address ***************
!
ftp mode passive
dns domain-lookup Inside
dns server-group DefaultDNS
expire-entry-timer minutes 60
name-server *************102 Inside
name-server *************101 Inside
domain-name *****************
Objects************************
description DNS Resolution
access-list outside_access_in extended deny ip any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Inside_access_in extended permit tcp any object dc3.***** eq domain
access-list Inside_access_in extended permit tcp any object dc1.***** eq domain
access-list Inside_access_in extended permit tcp any object api-****************.duosecurity.com eq ldaps
access-list Inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in in interface outside
access-group Inside_access_in in interface Inside
route Inside 0.0.0.0 0.0.0.0 10.200.10.254 1
route outside 10.0.10.0 255.255.255.0 192.168.192.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map MAP-ANYCONNECT-LOGIN
map-name memberOf Group-Policy
map-value memberOf CN=AuthorisedAAAUsers,CN=Users,DC=JTH,DC=local GroupPolicy_pegasus
aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (Inside) host *************
timeout 30
ldap-base-dn dc=*****,dc=*****
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Cisco Authentication,CN=Users,DC=****,DC=****
server-type microsoft
ldap-attribute-map MAP-ANYCONNECT-LOGIN
group-search-timeout 30
aaa-server Duo-Ldap protocol ldap
aaa-server Duo-Ldap (Inside) host api-****************.duosecurity.com
timeout 180
server-port 636
ldap-base-dn dc=*********************,dc=duosecurity,dc=com
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn dc=********************,dc=duosecurity,dc=com
ldap-over-ssl enable
server-type auto-detect
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 3
http server enable
http ************************* management
no snmp-server location
no snmp-server contact
sysopt noproxyarp Inside
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint 1&1Certificate
keypair ASDM_TrustPoint0
crl configure
crypto ca trustpool policy
crypto ca certificate chain 1&1Certificate
certificate ******************************************
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
ssl server-version tlsv1.2
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA"
ssl trust-point 1&1Certificate outside
webvpn
enable outside
hostscan image disk0:/hostscan_4.3.05028-k9.pkg
hostscan enable
anyconnect image disk0:/anyconnect-win-4.5.02033-webdeploy-k9.pkg 1
anyconnect profiles pegasus disk0:/pegasus.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
mus password *****
group-policy NoAccess internal
group-policy NoAccess attributes
dns-server value ********************************************
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
customization value CiscoDuo
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_pegasus internal
group-policy GroupPolicy_pegasus attributes
wins-server none
dns-server value ****************************************
vpn-simultaneous-logins 25
vpn-tunnel-protocol ssl-client
password-storage disable
default-domain value *****
webvpn
anyconnect ssl dtls enable
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value dart,posture
anyconnect profiles value pegasus type user
customization value CiscoDuo
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record PegasusACL
description "Pegasus Allowed Clients"
username ***************************************************
username *********************************************************
tunnel-group pegasus type remote-access
tunnel-group pegasus general-attributes
address-pool PegasusPool
authentication-server-group LDAPSERVERS LOCAL
secondary-authentication-server-group Duo-Ldap use-primary-username
default-group-policy NoAccess
tunnel-group pegasus webvpn-attributes
customization CiscoDuo
group-alias pegasus enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
inspect icmp error
inspect ip-options
class class-default
user-statistics accounting
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:77434066823bada6f2fa41bc98743be4
: end
11-14-2017 02:52 AM
You can modify the VPN pool, or you could of course change the interconnect network between the router and the ASA. It is up to you to choose which is simpler.
The .254 router will need to have a route to the new vpn network.
Also any other router that handles anyconnect traffic will have to know how to reach the asa.
As for acls it looks you do not need to do anything on the asa, considering traffic will be initiated only from anyconnect client.
If you have any other ACLs configured on other devices and you changed the VPN pool, you will have to replace the 10.200.10.0/24 network with the new one.
11-13-2017 12:32 PM
Hi @broadleon
I didn't look at the whole config file, but I saw that your first ACL statement is this:
access-list outside_access_in extended deny ip any any
ACLs are usually read by devices top to bottom, so this ACL could block everything on your interface.
Also, share the output of:
show run all sysopt
-If I helped you somehow, please, rate it as useful.-
11-13-2017 01:55 PM - edited 11-13-2017 02:01 PM
I'm not sure how the ACL of deny ip any any on the outside will affect traffic on the inside interface, since that's where the VPN client will sit once authenticated.
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
sysopt noproxyarp Inside
no sysopt noproxyarp management
11-13-2017 02:04 PM
Mate, you get into the firewall through the outside interface. How are you supposed to do anything if you have a deny any any on the outside?
You should change this, although you have sysopt connection permit-vpn in place.
-If I helped you somehow, please, rate it as useful.-
11-13-2017 02:09 PM
11-13-2017 02:17 PM
Yeah, you can, because an ACL does not block traffic to the firewall; it blocks traffic through the firewall. Control plane and data plane.
I am just saying that you should remove this ACL even though it might not be the problem.
-If I helped you somehow, please, rate it as useful.-
11-13-2017 02:22 PM
If I remove deny ip any any, what stops the unwanted traffic?
11-13-2017 02:32 PM
No. The firewall will block any traffic unless you explicitly permit it.
So, if you don't permit it, it will be blocked; that's the rule.
-If I helped you somehow, please, rate it as useful.-
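A small first-match evaluator makes the two points in this exchange concrete: the ASA walks an ACL top to bottom and stops at the first matching entry, and anything that matches nothing is dropped by the implicit deny, so deny ip any any as the only entry in outside_access_in produces exactly the same verdict as having no entry at all. This is an added Python example, not code from the thread or from Cisco; it parses constructed ACL lines modelled on the posted config (the object names and the hosts they resolve to are placeholders for the values masked on the page) and reports which entry decided each packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed ACL lines modelled on the thread's config: the outside_access_in entry
# is verbatim; the Inside_access_in object names and the addresses they resolve to
# are placeholders standing in for the masked values on the page.
SAMPLE_ACLS = """\
access-list outside_access_in extended deny ip any any
access-list Inside_access_in extended permit tcp any object dc1 eq domain
access-list Inside_access_in extended permit tcp any object duo eq ldaps
access-list Inside_access_in extended permit ip any any
"""
OBJECTS = {"dc1": "10.0.10.10", "duo": "203.0.113.10"}   # placeholder object hosts
PORT_NAMES = {"domain": 53, "ldaps": 636, "lpd": 515, "netbios-ns": 137}


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(parts, i):
    """Parse one address group: any/any4, host X, object NAME, or addr mask."""
    tok = parts[i]
    if tok in ("any", "any4"):
        return ("any", None), i + 1
    if tok == "host":
        return ("host", ipaddress.ip_address(parts[i + 1])), i + 2
    if tok == "object":
        return ("host", ipaddress.ip_address(OBJECTS[parts[i + 1]])), i + 2
    return ("net", ipaddress.ip_network(f"{tok}/{parts[i + 1]}", strict=False)), i + 2


def parse_acls(text):
    """Group extended ACEs by ACL name in the order they appear; remarks are skipped."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] != "access-list" or parts[2] != "extended":
            continue
        name, action, proto = parts[1], parts[3], parts[4]
        src, i = _parse_addr(parts, 5)
        dst, i = _parse_addr(parts, i)
        dport = None
        if i + 1 < len(parts) and parts[i] == "eq":
            tok = parts[i + 1]
            dport = PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)
        acls.setdefault(name, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst,
             "dport": dport, "text": line})
    return acls


def _addr_match(spec, ip):
    kind, val = spec
    if kind == "any":
        return True
    if kind == "host":
        return ip == val
    return ip in val


def evaluate(acl, pkt):
    """First-match evaluation; a packet that matches no entry hits the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in acl:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not (_addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "<implicit deny>"


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    web = Packet("tcp", "198.51.100.5", "203.0.113.1", 443)
    print("outside, explicit deny :", evaluate(acls["outside_access_in"], web))
    print("outside, empty ACL     :", evaluate([], web))
    dns = Packet("tcp", "10.200.10.4", "10.0.10.10", 53)
    print("inside, tcp/53 to dc1  :", evaluate(acls["Inside_access_in"], dns))
```

The two outside results differ only in which line is reported; the verdict is deny either way, which is the point the reply makes. On the Inside ACL the first tcp/53 entry wins for TCP DNS, while UDP DNS skips it and falls through to the final permit ip any any.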
11-13-2017 12:33 PM
May I ask from where you are trying to ping and what interface you are trying to ping?
You might want to config: icmp permit <ip> <netmask> <interface>
11-13-2017 01:57 PM
Cannot ping or reach any servers, router gateways, or the internet once authenticated on the VPN.
We pass all traffic through the VPN, no split tunnelling.
11-13-2017 02:37 PM
Are you assigned to the GroupPolicy_pegasus when you are connected?
Please share output from the following command:
show vpn-sessiondb anyconnect
You have the same IPs configured for the VPN pool as well as for the inside interface.
This could lead to duplicate IPs. Try to change the VPN pool.
I do not see NAT configured; that would explain why you are unable to reach the internet when you connect over VPN. However, you should be able to reach internal IPs.
11-13-2017 02:46 PM - edited 11-13-2017 02:49 PM
Yes, I'm assigned Pegasus once authenticated.
My internet is through the inside interface, off to a router gateway connected in my network, hence the route 0.0.0.0 on the inside. I don't get internet through the same firewall as the VPN connection, so I don't need NAT on the same firewall.
I only have two IPs on the inside interface: .1 the ASA, and .254 a router. The pool is configured to assign IPs in between; is that an issue?
Result of the command: "Show vpn-sessiondb detail anyconnect filter name themaster"
Session Type: AnyConnect Detailed
Username : themaster Index : 17
Assigned IP : 10.200.10.4 Public IP : 10.x.10.x
Protocol : AnyConnect-Parent DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none DTLS-Tunnel: (1)SHA1
Bytes Tx : 16150 Bytes Rx : 91491
Pkts Tx : 12 Pkts Rx : 776
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy_pegasus Tunnel Group : pegasus
Login Time : 18:33:07 UTC Mon Nov 13 2017
Duration : 0h:11m:06s
Inactivity : 0h:02m:31s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a143214000110005a09e563
Security Grp : none
AnyConnect-Parent Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 17.1
Public IP : 10.x.10.x
Encryption : none Hashing : none
TCP Src Port : 49212 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Client OS : win
Client OS Ver: 6.1.7601 Service Pack 1
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.5.02033
Bytes Tx : 8075 Bytes Rx : 0
Pkts Tx : 6 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
DTLS-Tunnel:
Tunnel ID : 17.3
Assigned IP : 10.200.10.4 Public IP : 10.x.10.x
Encryption : AES256 Hashing : SHA1
Ciphersuite : AES256-SHA
Encapsulation: DTLSv1.0 Compression : LZS
UDP Src Port : 52319 UDP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 22 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.5.02033
Bytes Tx : 0 Bytes Rx : 89751
Pkts Tx : 0 Pkts Rx : 760
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Username : themaster Index : 18
Assigned IP : 10.200.10.5 Public IP : 10.x.10.x
Protocol : AnyConnect-Parent
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none
Hashing : AnyConnect-Parent: (1)none
Bytes Tx : 16150 Bytes Rx : 74713
Pkts Tx : 12 Pkts Rx : 789
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy_pegasus Tunnel Group : pegasus
Login Time : 18:39:35 UTC Mon Nov 13 2017
Duration : 0h:04m:38s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a143214000120005a09e6e7
Security Grp : none
AnyConnect-Parent Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 18.1
Public IP : 10.0.10.2
Encryption : none Hashing : none
TCP Src Port : 49359 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Client OS : win
Client OS Ver: 6.1.7601 Service Pack 1
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.5.02033
Bytes Tx : 8075 Bytes Rx : 0
Pkts Tx : 6 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Username : themaster Index : 19
Assigned IP : 10.200.10.6 Public IP : 10.x.10.x
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 16150 Bytes Rx : 49672
Pkts Tx : 12 Pkts Rx : 536
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy_pegasus Tunnel Group : pegasus
Login Time : 18:41:57 UTC Mon Nov 13 2017
Duration : 0h:02m:16s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a143214000130005a09e775
Security Grp : none
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 19.1
Public IP : 10.x.10.x
Encryption : none Hashing : none
TCP Src Port : 49421 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Client OS : win
Client OS Ver: 6.1.7601 Service Pack 1
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.5.02033
Bytes Tx : 8075 Bytes Rx : 0
Pkts Tx : 6 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 19.2
Assigned IP : 10.200.10.6 Public IP : 10.x.10.x
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 Compression : LZS
TCP Src Port : 49425 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.5.02033
Bytes Tx : 8075 Bytes Rx : 1243
Pkts Tx : 6 Pkts Rx : 13
Pkts Tx Drop : 0 Pkts Rx Drop : 0
DTLS-Tunnel:
Tunnel ID : 19.3
Assigned IP : 10.200.10.6 Public IP : 10.x.10.x
Encryption : AES256 Hashing : SHA1
Ciphersuite : AES256-SHA
Encapsulation: DTLSv1.0 Compression : LZS
UDP Src Port : 64843 UDP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.5.02033
Bytes Tx : 0 Bytes Rx : 48429
Pkts Tx : 0 Pkts Rx : 523
Pkts Tx Drop : 0 Pkts Rx Drop : 0
11-13-2017 03:08 PM
I only have two IPs on the inside interface: .1 the ASA, and .254 a router. The pool is configured to assign IPs in between; is that an issue?
Yes, I believe this is an issue. The .254 device will try to reach the AnyConnect client directly using ARP, but the ASA will not do a proxy ARP, so the return packet will never reach the ASA.
You can do a capture on the inside interface to confirm.
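The overlap diagnosed in this reply (the pool 10.200.10.2-10.200.10.253 sitting inside the Inside interface's own 10.200.10.0/24, with sysopt noproxyarp Inside set) can be caught mechanically before anyone has to take a capture. The following Python script is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the posted running-config (the masked management address is replaced with a documentation-range placeholder), finds any local pool whose range lands inside a named interface's subnet, and raises the severity when proxy ARP is disabled on that interface, since a router on that segment will then ARP for the client address and get no answer.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted in the thread. The pool, Inside
# interface, noproxyarp and route lines are as posted; the management address,
# masked on the page, is replaced with a documentation-range placeholder.
SAMPLE_CONFIG = """\
ip local pool PegasusPool 10.200.10.2-10.200.10.253 mask 255.255.255.0
interface GigabitEthernet1/2.843
 vlan 843
 nameif Inside
 security-level 99
 ip address 10.200.10.1 255.255.255.0
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 192.0.2.1 255.255.255.0
sysopt noproxyarp Inside
route Inside 0.0.0.0 0.0.0.0 10.200.10.254 1
"""


def parse_config(text):
    """Pull address pools, interface subnets and noproxyarp settings out of an ASA config."""
    pools, interfaces, noproxyarp = {}, {}, set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"nameif": None, "network": None}
            continue
        m = re.match(r"sysopt noproxyarp (\S+)", line)
        if m:
            noproxyarp.add(m.group(1))
            continue
        if current is None:
            continue
        # Sub-commands of the interface block currently being read.
        if line.startswith("nameif "):
            interfaces[current]["nameif"] = line.split()[1]
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()[:4]
            interfaces[current]["network"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return pools, interfaces, noproxyarp


def find_pool_overlaps(pools, interfaces, noproxyarp):
    """Report every pool whose range lands inside a named interface's subnet."""
    findings = []
    for pool_name, (first, last) in pools.items():
        for info in interfaces.values():
            net, nameif = info["network"], info["nameif"]
            if net is None or nameif is None:
                continue
            if first in net or last in net:
                # With proxy ARP off, hosts on that subnet ARP for the VPN client's
                # address and nobody answers, so return traffic never reaches the ASA.
                severity = "high" if nameif in noproxyarp else "medium"
                findings.append({
                    "pool": pool_name,
                    "interface": nameif,
                    "subnet": str(net),
                    "noproxyarp": nameif in noproxyarp,
                    "severity": severity,
                })
    return findings


def audit(text):
    return find_pool_overlaps(*parse_config(text))


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f['severity']}] pool {f['pool']} overlaps {f['interface']} "
              f"({f['subnet']}); noproxyarp={f['noproxyarp']}")
```

Moving the pool to a subnet of its own, as the accepted answer suggests, makes the finding disappear; the .254 router then needs a route for the new pool pointing at the ASA's 10.200.10.1, which is the second half of that answer.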
11-14-2017 02:06 AM