06-15-2012 06:01 AM
I am sure this problem has been solved a million times over but I can't get this to work. Can someone take a look at this config quick and tell me what is wrong?
The Cisco VPN client connects no problem but I can't access anything.
ASA Version 8.4(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 15
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.43.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address a.a.a.a 255.255.255.248
!
interface Vlan15
no forward interface Vlan1
nameif IPOffice
security-level 100
ip address 192.168.42.254 255.255.255.0
!
boot system disk0:/asa844-k8.bin
ftp mode passive
object network obj-192.168.43.0
subnet 192.168.43.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.11.12.0_24
subnet 10.11.12.0 255.255.255.0
object network NETWORK_OBJ_192.168.43.160_28
subnet 192.168.43.160 255.255.255.240
object network IPOffice
subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit icmp any 192.168.42.0 255.255.255.0
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 192.168.43.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu IPOffice 1500
ip local pool newvpnpool 10.11.12.100-10.11.12.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.12.0_24 NETWORK_OBJ_10.11.12.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
nat (IPOffice,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network IPOffice
nat (IPOffice,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 b.b.b.b 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.43.0 255.255.255.0 inside
http 192.168.42.0 255.255.255.0 IPOffice
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set encrypt-method-1 esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dynmap 30 set pfs group1
crypto dynamic-map dynmap 30 set ikev1 transform-set strong-des
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map rpVPN 65535 ipsec-isakmp dynamic dynmap
crypto map rpVPN interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.43.5-192.168.43.36 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy RPVPN internal
group-policy RPVPN attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1
username admin password gP3lHsTOEfvj7Z3g encrypted privilege 15
username mark password blPoPZBKFYhjYewF encrypted privilege 0
tunnel-group RPVPN type remote-access
tunnel-group RPVPN general-attributes
address-pool newvpnpool
default-group-policy RPVPN
tunnel-group RPVPN ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b3f15dda5472d65341d7c457f2e8b2a2
: end
Solved! Go to Solution.
06-18-2012 07:02 AM
Well, to access the ASA inside interface via the VPN Client, you would also need the following command:
http 10.11.12.0 255.255.255.0 inside
and I believe you already have "management-access inside" command as well earlier.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide