VPN network cannot access the internal network

danny25s (Level 1)

Hi everyone,

I am very new to Cisco devices and was tasked with creating a VPN for our small business network. I created the configuration from scratch on our 5506-X ver. 9.8. I am able to connect through AnyConnect successfully, but I'm unable to access the internal network. I've read through all the other posts with similar issues but I'm still at a loss. Any help is appreciated.

: Saved

:
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(4)15
!
hostname 5506-ASA
enable password 
names
no mac-address auto
ip local pool VPN_POOL 10.0.0.2-10.0.0.14 mask 255.255.255.240

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INTERNAL-NET
 subnet 192.168.1.0 255.255.255.0
object network ANYCONNECT-NET
 subnet 10.0.0.0 255.255.255.240
access-list vpn_access_in extended permit ip object ANYCONNECT-NET object INTERNAL-NET
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static INTERNAL-NET INTERNAL-NET destination static ANYCONNECT-NET ANYCONNECT-NET no-proxy-arp route-lookup
access-group vpn_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.240 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=5506-ASA
 keypair 5506rsa.key
 crl configure
crypto ca trustpool policy

telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.240 inside
ssh timeout 60
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
 enable outside
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_5506_VPN internal
group-policy GroupPolicy_5506_VPN attributes
 wins-server none
 dns-server value 192.168.1.101
 vpn-tunnel-protocol ssl-client
 default-domain none
dynamic-access-policy-record DfltAccessPolicy
username admin password xxx privilege 15
username admin attributes
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ikev2 ssl-client
tunnel-group 5506_VPN type remote-access
tunnel-group 5506_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy GroupPolicy_5506_VPN
tunnel-group 5506_VPN webvpn-attributes
 group-alias 5506_VPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect http
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
4 Replies

Hi @danny25s

For testing, remove the ACL you've got applied inbound on the inside interface and then try again:

no access-group vpn_access_in in interface inside

I removed the ACL. Still can't connect to the internal network.

balaji.bandi (Hall of Fame)

Try sysopt connection permit-vpn and see if that works?

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_params.html

If it still has the issue, once the user is connected to the VPN, post the information below:

From the PC: ipconfig /all output.

show vpn-sessiondb detail anyconnect filter name username (change the username to your username)

What is the IP address of the device the VPN user is trying to connect to? What services?

BB


Heino Human (Level 1)

Run the command below:

#show run group-policy GroupPolicy_5506_VPN

You don't have a split tunnel configured under your group policy.

This is an access list with your private range; then you want your VPN users to use their home internet for anything else.

Hope this helps.
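The checks the replies in this thread walk through (identity NAT covering the whole address pool, the state of sysopt connection permit-vpn, the ACL applied inbound on the inside interface, and whether the group policy has a split-tunnel policy) can be run offline against a saved configuration before anyone connects. The script below is an added example, not code from the thread, from Cisco or from any poster; it embeds a constructed excerpt of the posted config as sample input, and the SPLIT_TUNNEL ACL name used by split_tunnel_lines is an assumed name, not one from the thread.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted in this thread (not the full dump).
SAMPLE_CONFIG = """\
ip local pool VPN_POOL 10.0.0.2-10.0.0.14 mask 255.255.255.240
object network INTERNAL-NET
 subnet 192.168.1.0 255.255.255.0
object network ANYCONNECT-NET
 subnet 10.0.0.0 255.255.255.240
access-list vpn_access_in extended permit ip object ANYCONNECT-NET object INTERNAL-NET
nat (inside,outside) source static INTERNAL-NET INTERNAL-NET destination static ANYCONNECT-NET ANYCONNECT-NET no-proxy-arp route-lookup
access-group vpn_access_in in interface inside
group-policy GroupPolicy_5506_VPN internal
group-policy GroupPolicy_5506_VPN attributes
 dns-server value 192.168.1.101
 vpn-tunnel-protocol ssl-client
tunnel-group 5506_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy GroupPolicy_5506_VPN
"""


def parse_objects(cfg):
    """Map 'object network NAME' blocks that carry a 'subnet' line to an IPv4Network."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif not line.startswith(" "):
            current = None
    return objects


def parse_pools(cfg):
    """Map 'ip local pool NAME first-last ...' to a (first, last) address tuple."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}


def group_policy_attrs(cfg, name):
    """Collect every indented line under 'group-policy NAME attributes' (all such blocks)."""
    attrs, inside = [], False
    for line in cfg.splitlines():
        if line.strip() == f"group-policy {name} attributes":
            inside = True
        elif inside and line.startswith(" "):
            attrs.append(line.strip())
        else:
            inside = False
    return attrs


def check_anyconnect_reachability(cfg):
    """Return (code, message) findings for the points raised in the thread's replies."""
    findings, objects, pools = [], parse_objects(cfg), parse_pools(cfg)
    m = re.search(r"^\s+address-pool (\S+)", cfg, re.M)
    pool = pools.get(m.group(1)) if m else None

    # 1. Identity NAT between LAN and pool must cover the whole pool, or VPN traffic
    #    to the LAN gets translated and the return traffic never matches.
    nat = re.search(r"^nat \(inside,outside\) source static (\S+) \1 destination static (\S+) \2",
                    cfg, re.M)
    vpn_obj = objects.get(nat.group(2)) if nat else None
    if pool is None or vpn_obj is None:
        findings.append(("NAT_EXEMPT_MISSING", "no identity NAT between LAN and VPN pool"))
    elif not (pool[0] in vpn_obj and pool[1] in vpn_obj):
        findings.append(("NAT_EXEMPT_POOL_MISMATCH",
                         f"pool {pool[0]}-{pool[1]} is not inside {nat.group(2)} {vpn_obj}"))
    else:
        findings.append(("NAT_EXEMPT_OK", f"{nat.group(1)} <-> {nat.group(2)} covers the pool"))

    # 2. 'sysopt connection permit-vpn' is on by default and hidden from 'show run';
    #    only the explicit 'no' form in the config proves it is off.
    if re.search(r"^no sysopt connection permit-vpn", cfg, re.M):
        findings.append(("SYSOPT_DISABLED", "decrypted VPN traffic is subject to interface ACLs"))

    # 3. An ACL applied inbound on 'inside' sees LAN-sourced packets, so a permit whose
    #    source is the VPN pool never matches there (the first reply suggests removing it).
    ag = re.search(r"^access-group (\S+) in interface inside", cfg, re.M)
    if ag:
        acl = re.escape(ag.group(1))
        for e in re.finditer(rf"^access-list {acl} extended permit \S+ object (\S+)", cfg, re.M):
            src = objects.get(e.group(1))
            if pool and src and pool[0] in src:
                findings.append(("INSIDE_ACL_VPN_SOURCE",
                                 f"{ag.group(1)} on inside permits source {e.group(1)}, the VPN pool"))
                break

    # 4. Without a split-tunnel policy every client flow, internet included, enters the ASA.
    gp = re.search(r"^\s+default-group-policy (\S+)", cfg, re.M)
    attrs = group_policy_attrs(cfg, gp.group(1)) if gp else []
    if not any(a.startswith("split-tunnel-policy tunnelspecified") for a in attrs):
        findings.append(("FULL_TUNNEL", "no split-tunnel-policy: all client traffic is tunnelled"))
    return findings


def split_tunnel_lines(gp_name, lan_net, acl_name="SPLIT_TUNNEL"):
    """Config lines that tunnel only the private range; acl_name is an assumed name."""
    return [
        f"access-list {acl_name} standard permit {lan_net.network_address} {lan_net.netmask}",
        f"group-policy {gp_name} attributes",
        " split-tunnel-policy tunnelspecified",
        f" split-tunnel-network-list value {acl_name}",
    ]


if __name__ == "__main__":
    for code, msg in check_anyconnect_reachability(SAMPLE_CONFIG):
        print(f"{code:26} {msg}")
```

Run against the sample it reports the NAT exemption as covering the pool, flags the ACL on the inside interface whose only permit has the pool as its source, and flags the missing split-tunnel policy; appending the lines from split_tunnel_lines clears the last finding on a re-check. The sysopt check only ever proves a negative, because the default-on setting does not appear in the posted output.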