06-27-2020 08:23 AM - edited 06-27-2020 09:05 AM
I am stuck on completing AnyConnect VPN Client configuration. We are using OpenLDAP and I have just completed integrating to ASA 5506. User authentication test worked so I moved on to setting up AnyConnect. I have successfully enabled connecting to ASA 5506 and downloading AnyConnect software. Using that, when a VPN Client uses AnyConnect and successfully logs in I have internet access and email, but I cannot access internal devices such as NAS nor can I ping internal networks.
Our VPN pool is 10.8.40.0/24 and is named VPN-Pool
Our internal network is
10.8.32.0/24 Servers
10.8.34.0/24 Users
10.8.36.0/24 VoIP
10.8.38.0/24 SecCam
Internally DNS, DHCP, OpenLDAP come from 10.8.32.9
I have attempted several NAT Rules specifically for VPN Clients but have failed to create a solution and am not sure what I am not setting correctly.
Here's my config. Any suggestions on what I am not doing correctly?
Result of the command: "sho run"

: Saved
:
: Serial Number:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1)
!
hostname SCG-ASA-01
domain-name hq.scgconnect.com
enable password 0TAz8qRS9LuZZzJv encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd zJXfJytEpmEl08Wj encrypted
names
ip local pool VPN-Pool 10.8.40.200-10.8.40.220 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 24.213.128.10 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.8.31.2 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.8.30.9 255.255.255.0
!
boot system disk0:/asa961-lfbff-k8.SPA
boot system disk0:/asa952-6-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.8.32.9 inside
 name-server 24.92.226.11 outside
 name-server 24.92.226.12 outside
 domain-name hq.scgconnect.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NET_10.8.32.0_24_Servers
 subnet 10.8.32.0 255.255.255.0
object network NET_10.8.34.0_24_Users
 subnet 10.8.34.0 255.255.255.0
object network NET_10.8.36.0_24_VOIP
 subnet 10.8.36.0 255.255.255.0
object network NET_10.8.38.0_24_SecCam
 subnet 10.8.38.0 255.255.255.0
object network NET_192.168.1.0_24_Dev
 subnet 192.168.1.0 255.255.255.0
object network NET_10.2.1.0_24_Dev2
 subnet 10.2.1.0 255.255.255.0
object network NET_10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network HOST_10.8.32.9_tcp1723
 host 10.8.32.9
object network HOST_10.8.32.10_gre
 host 10.8.32.10
object network HOST_88.150.240.0
 subnet 88.150.240.0 255.255.255.0
object network NET_113.105.128.0_24
 subnet 113.105.128.0 255.255.255.0
object network NET_66.241.99.0_24
 subnet 66.241.99.0 255.255.255.0
object network HOST_10.8.32.10
 host 10.8.32.10
object network HOST_10.1.1.8
 host 10.1.1.8
object network HOST_10.8.32.12
 host 10.8.32.12
object network HOST_10.8.32.13
 host 10.8.32.13
object network HOST_10.8.38.81
 host 10.8.38.81
 description Axis Camera
object network HOST_10.8.38.82
 host 10.8.38.82
 description Axis Camera
object network HOST_10.8.38.83
 host 10.8.38.83
 description Axis Camera
object network HOST_10.8.38.84
 host 10.8.38.84
 description Axis Camera
object network HOST_10.8.38.85
 host 10.8.38.85
 description Axis Camera
object network HOST_10.8.32.13_tcp6180
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6181
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6182
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6183
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6185
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6188
 host 10.8.32.13
object network HOST_10.8.32.9_udp500
 host 10.8.32.9
object network HOST_10.8.32.9_udp4500
 host 10.8.32.9
object network HOST_10.8.32.10_tcp443
 host 10.8.32.10
object network HOST_10.8.32.10_443
object network HOST_10.1.1.8_tcp9000
 host 10.1.1.8
object network HOST_10.1.1.8_tcp8081
 host 10.1.1.8
object network HOST_10.8.32.9_tcp1701
 host 10.8.32.9
object network NET_172.16.1.0
 subnet 172.16.1.0 255.255.255.0
object network HOST_10.8.36.2_udp5060
 host 10.8.36.2
object network NETWORK_OBJ_10.8.40.0_24
 subnet 10.8.40.0 255.255.255.0
 description VPN users
object network HOST_172.16.1.2_udp5060
 host 172.16.1.2
object network HOST_10.8.32.12_tcp9101
 host 10.8.32.12
 description SCG AXIS ADMIN DEVELOPMENT
object network HOST_10.8.38.86
 host 10.8.38.86
 description Axis Camera
object network HOST_10.8.38.87
 host 10.8.38.87
 description Axis Camera
object network HOST_10.8.32.12_tcp9201
 host 10.8.32.12
 description Voter Viewer web interface
object network HOST_10.8.32.12_tcp9301
 host 10.8.32.12
 description PDS web interface
object network HOST_10.8.32.9_tcp5001
 host 10.8.32.9
 description Synology NAS
object network Host_10.8.32.9_tcp5005
 host 10.8.32.9
 description Synology NAS
object network VPN-Pool
 range 10.8.40.200 10.8.40.220
 description VPN Users
object network HOST_10.8.40.200_10.8.40.220
 range 10.8.40.200 10.8.40.220
 description VPN Users
object-group service DM_INLINE_TCPUDP_1 tcp-udp
 port-object eq 5061
 port-object eq sip
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit ip object NETWORK_OBJ_10.8.40.0_24 any
access-list outside_access_in extended deny ip object HOST_88.150.240.0 any
access-list outside_access_in extended deny ip object NET_113.105.128.0_24 any
access-list outside_access_in extended permit object-group TCPUDP object NET_66.241.99.0_24 any object-group DM_INLINE_TCPUDP_1 log
access-list outside_access_in extended deny udp any any eq sip log
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq 500
access-list outside_access_in extended permit udp any any eq 1701
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit tcp any any eq 3306 log
access-list outside_access_in extended permit tcp any any eq 4500
access-list outside_access_in extended permit tcp any any eq 5001
access-list outside_access_in extended permit tcp any any eq 6180
access-list outside_access_in extended permit tcp any any eq 6181
access-list outside_access_in extended permit tcp any any eq 6182
access-list outside_access_in extended permit tcp any any eq 6183
access-list outside_access_in extended permit tcp any any eq 6185
access-list outside_access_in extended permit tcp any any eq 6188
access-list outside_access_in extended permit tcp any any eq 9000
access-list outside_access_in extended permit tcp any any eq 8081 log
access-list outside_access_in extended permit udp any any log
access-list outside_access_in extended permit tcp any any log
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit ipinip any any
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit ip any any log
access-list outside_access_in extended permit ip host 10.1.1.22 host 10.1.1.13
access-list VPN-SCG2 standard permit 10.8.0.0 255.255.192.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
!
object network HOST_10.8.32.9_tcp1723
 nat (inside,outside) static interface service tcp pptp pptp
object network HOST_10.8.32.12
 nat (inside,outside) static interface service tcp 3306 3306
object network HOST_10.8.32.13
 nat (inside,outside) static interface service tcp 6188 6188
object network HOST_10.8.38.81
 nat (inside,outside) static interface service tcp 9111 9111
object network HOST_10.8.38.82
 nat (inside,outside) static interface service tcp 9112 9112
object network HOST_10.8.38.83
 nat (inside,outside) static interface service tcp 9113 9113
object network HOST_10.8.38.84
 nat (inside,outside) static interface service tcp 9114 9114
object network HOST_10.8.38.85
 nat (inside,outside) static interface service tcp 9115 9115
object network HOST_10.8.32.13_tcp6180
 nat (inside,outside) static interface service tcp 6180 6180
object network HOST_10.8.32.13_tcp6181
 nat (inside,outside) static interface service tcp 6181 6181
object network HOST_10.8.32.13_tcp6182
 nat (inside,outside) static interface service tcp 6182 6182
object network HOST_10.8.32.13_tcp6183
 nat (inside,outside) static interface service tcp 6183 6183
object network HOST_10.8.32.13_tcp6185
 nat (inside,outside) static interface service tcp 6185 6185
object network HOST_10.8.32.13_tcp6188
 nat (inside,outside) static interface service tcp 6188 6188
object network HOST_10.8.32.9_udp500
 nat (inside,outside) static interface service udp isakmp isakmp
object network HOST_10.8.32.9_udp4500
 nat (inside,outside) static interface service udp 4500 4500
object network HOST_10.1.1.8_tcp9000
 nat (inside,outside) static interface service tcp 9000 9000
object network HOST_10.1.1.8_tcp8081
 nat (inside,outside) static interface service tcp 8081 8081
object network HOST_10.8.32.9_tcp1701
 nat (inside,outside) static interface service tcp 1701 1701
object network HOST_172.16.1.2_udp5060
 nat (inside,outside) static interface service udp sip sip
object network HOST_10.8.32.12_tcp9101
 nat (inside,outside) static interface service tcp 9101 9101
object network HOST_10.8.38.86
 nat (inside,outside) static interface service tcp 9116 9116
object network HOST_10.8.38.87
 nat (inside,outside) static interface service tcp 9117 9117
object network HOST_10.8.32.12_tcp9201
 nat (inside,outside) static interface service tcp 9201 9201
object network HOST_10.8.32.12_tcp9301
 nat (inside,outside) static interface net-to-net service tcp 9301 9301
object network HOST_10.8.32.9_tcp5001
 nat (inside,outside) static interface service tcp 5001 5001
object network Host_10.8.32.9_tcp5005
 nat (inside,outside) static interface service tcp 5005 5005
!
nat (outside,outside) after-auto source dynamic NETWORK_OBJ_10.8.40.0_24 interface
nat (inside,outside) after-auto source dynamic any interface
nat (outside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.213.128.9 1
route inside 10.0.0.0 255.0.0.0 10.8.31.1 1
route inside 172.16.1.0 255.255.255.0 10.8.31.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CiscoMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=workgroup,DC=hq,DC=scgconnect,DC=com UID
aaa-server SCG protocol ldap
aaa-server SCG (inside) host 10.8.32.9
 server-port 636
 ldap-base-dn cn=users,dc=hq,dc=scgconnect,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map CiscoMAP
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 5000
http 192.168.1.0 255.255.255.0 inside
http 10.8.32.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=remote.scgconnect.com
 no ca-check
 crl configure
crypto ca trustpoint Cisco_Manufacturing_CA
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-001
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-002
 enrollment terminal
 crl configure
crypto ca trustpoint CAPF
 enrollment terminal
 no ca-check
 crl configure
crypto ca trustpoint asdm_cuma_local
 enrollment terminal
 crl configure
crypto ca trustpoint asdm_cuma_root_ca
 enrollment terminal
 crl configure
crypto ca trustpoint asdm_cuma_local_proxy
 enrollment terminal
 validation-usage ssl-client
 crl configure
crypto ca trustpoint Cisco_Root_CA_2048
 enrollment terminal
 crl configure
crypto ca trustpoint CallManager
 enrollment terminal
 no ca-check
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ccm_proxy
 enrollment self
 fqdn none
 subject-name cn=Proxy
 serial-number
 crl configure
crypto ca trustpoint ldc_server
 enrollment self
 fqdn ldc.scgconnect.com
 subject-name cn=LDC_SIGNER
 serial-number
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 enrollment self
 subject-name CN=hq.scgconnect.com
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment self
 subject-name CN=SCG-ASA-01
 crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet 10.8.32.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.8.32.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 160
!
!
tls-proxy my_proxy
 server trust-point ccm_proxy
 client ldc issuer ldc_server
 client cipher-suite aes128-sha1 aes256-sha1
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 129.6.15.28 source inside
ntp server 10.8.32.20 source inside prefer
ssl trust-point ASDM_TrustPoint5 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.8.01090-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.8.01090-webdeploy-k9.pkg 3
 anyconnect profiles SCG2_anyconnect disk0:/scg2_anyconnect.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
!
ctl-provider my_ctl
 client interface inside address 10.8.32.20
 client username rubenc password IxJu2LI1uG0ssLO6 encrypted
 export certificate ccm_proxy
!
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 wins-server none
 dns-server value 10.8.32.9
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 default-domain value hq.scgconnect.com
 split-tunnel-all-dns enable
group-policy GroupPolicy_SGC2 internal
group-policy GroupPolicy_SGC2 attributes
 wins-server none
 dns-server value 10.8.32.9
 vpn-filter value outside_access_in
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SCG2
 default-domain value hq.scgconnect.com
 split-dns value hq.scgconnect.com
 split-tunnel-all-dns disable
 client-bypass-protocol enable
 webvpn
  anyconnect profiles value SCG2_anyconnect type user
dynamic-access-policy-record DfltAccessPolicy
tunnel-group SGC2 type remote-access
tunnel-group SGC2 general-attributes
 address-pool VPN-Pool
 authentication-server-group SCG
 default-group-policy GroupPolicy_SGC2
tunnel-group SGC2 webvpn-attributes
 group-alias SGC2 enable
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool VPN-Pool
 default-group-policy GroupPolicy_SSL
tunnel-group SSL webvpn-attributes
 authentication certificate
 group-url https://hq.scgconnect.com/SSL enable
!
class-map sec_skinny
 match port tcp eq 2443
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect skinny skinny_inspect
 parameters
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
  inspect skinny skinny_inspect
 class sec_skinny
  inspect skinny skinny_inspect tls-proxy my_proxy
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
 contact-email-addr cfitzsimmons@scgconnect.com
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:b85da98bf45fe4104d7360a320a935e0
: end
06-27-2020 08:33 AM
Hi,
You will need NAT exemption rules to ensure traffic between the internal LAN networks and the VPN Pool network is not natted.
Example:-
nat (inside,outside) source static NET_10.8.32.0_24_Servers NET_10.8.32.0_24_Servers destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.34.0_24_Users NET_10.8.34.0_24_Users destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
HTH
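The two rules above exempt only the Servers and Users subnets; the VoIP and SecCam objects from the original post still fall through to the catch-all inside-to-outside PAT. The following Python check is an added example, not something from the thread or from Cisco: it parses the subnet objects and twice-NAT lines of a constructed excerpt modelled on Carl's config, reports which LAN objects still have no identity NAT toward the VPN pool (a covering supernet exemption counts as well), and renders the missing rules in the same form Rob posted.

```python
import re
from ipaddress import ip_network

# Constructed excerpt modelled on the running config in the thread; only the
# object and NAT lines that matter for the VPN-pool question are kept.
CONFIG_BEFORE = """\
object network NET_10.8.32.0_24_Servers
 subnet 10.8.32.0 255.255.255.0
object network NET_10.8.34.0_24_Users
 subnet 10.8.34.0 255.255.255.0
object network NET_10.8.36.0_24_VOIP
 subnet 10.8.36.0 255.255.255.0
object network NET_10.8.38.0_24_SecCam
 subnet 10.8.38.0 255.255.255.0
object network NETWORK_OBJ_10.8.40.0_24
 subnet 10.8.40.0 255.255.255.0
 description VPN users
nat (inside,outside) source static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) after-auto source dynamic any interface
"""

# The two exemption rules suggested in the reply above, exactly as posted.
ROB_RULES = """\
nat (inside,outside) source static NET_10.8.32.0_24_Servers NET_10.8.32.0_24_Servers destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.34.0_24_Users NET_10.8.34.0_24_Users destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
"""

VPN_POOL_OBJ = "NETWORK_OBJ_10.8.40.0_24"
LAN_OBJS = ["NET_10.8.32.0_24_Servers", "NET_10.8.34.0_24_Users",
            "NET_10.8.36.0_24_VOIP", "NET_10.8.38.0_24_SecCam"]

OBJ_RE = re.compile(r"^object network (\S+)\n subnet (\S+) (\S+)", re.M)
TWICE_NAT_RE = re.compile(
    r"^nat \(inside,outside\) source static (\S+) (\S+) destination static (\S+) (\S+)", re.M)
INSIDE_PAT_RE = re.compile(
    r"^nat \(inside,outside\) after-auto source dynamic any interface", re.M)


def parse_subnet_objects(cfg):
    """Map each subnet-type network object to its IPv4Network."""
    return {name: ip_network(f"{net}/{mask}") for name, net, mask in OBJ_RE.findall(cfg)}


def identity_exemptions(cfg):
    """(src_obj, dst_obj) pairs of twice-NAT rules where both sides map to themselves."""
    return {(s1, d1) for s1, s2, d1, d2 in TWICE_NAT_RE.findall(cfg) if s1 == s2 and d1 == d2}


def inside_pat_present(cfg):
    """True if the catch-all inside->outside PAT exists. Without an exemption it
    also translates LAN replies destined for the VPN pool to the outside address."""
    return INSIDE_PAT_RE.search(cfg) is not None


def missing_exemptions(cfg, pool_obj=VPN_POOL_OBJ, lan_objs=LAN_OBJS):
    """LAN objects with no identity exemption (direct or via a covering supernet) toward the pool."""
    objs = parse_subnet_objects(cfg)
    pool = objs[pool_obj]
    exempt = identity_exemptions(cfg)
    missing = []
    for lan in lan_objs:
        lan_net = objs[lan]
        covered = any(
            src in objs and dst in objs
            and lan_net.subnet_of(objs[src]) and pool.subnet_of(objs[dst])
            for src, dst in exempt)
        if not covered:
            missing.append(lan)
    return missing


def exemption_rule(lan_obj, pool_obj=VPN_POOL_OBJ):
    """Render the identity twice-NAT rule in the same form as the reply above."""
    return (f"nat (inside,outside) source static {lan_obj} {lan_obj} "
            f"destination static {pool_obj} {pool_obj} no-proxy-arp")


if __name__ == "__main__":
    for label, cfg in (("original", CONFIG_BEFORE), ("with suggested rules", CONFIG_BEFORE + ROB_RULES)):
        print(f"[{label}] inside PAT present: {inside_pat_present(cfg)}")
        for lan in missing_exemptions(cfg):
            print(f"  missing exemption -> {exemption_rule(lan)}")
```

The check covers NAT only; the LAN subnets sit behind the inside router at 10.8.31.1, which must also carry a route for 10.8.40.0/24 back to the ASA, and that is not something this script can verify.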
06-27-2020 08:55 AM
Rob,
Thanks for your response. I just wrote that to the ASA and logged in using AnyConnect. I still cannot ping 10.8.32.0 or any other internal network.
Email and internet still work.
I include the latest config:
Carl
Result of the command: "sho run"

: Saved
:
: Serial Number:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1)
!
hostname SCG-ASA-01
domain-name hq.scgconnect.com
enable password 0TAz8qRS9LuZZzJv encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd zJXfJytEpmEl08Wj encrypted
names
ip local pool VPN-Pool 10.8.40.200-10.8.40.220 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 24.213.128.10 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.8.31.2 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.8.30.9 255.255.255.0
!
boot system disk0:/asa961-lfbff-k8.SPA
boot system disk0:/asa952-6-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.8.32.9 inside
 name-server 24.92.226.11 outside
 name-server 24.92.226.12 outside
 domain-name hq.scgconnect.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NET_10.8.32.0_24_Servers
 subnet 10.8.32.0 255.255.255.0
object network NET_10.8.34.0_24_Users
 subnet 10.8.34.0 255.255.255.0
object network NET_10.8.36.0_24_VOIP
 subnet 10.8.36.0 255.255.255.0
object network NET_10.8.38.0_24_SecCam
 subnet 10.8.38.0 255.255.255.0
object network NET_192.168.1.0_24_Dev
 subnet 192.168.1.0 255.255.255.0
object network NET_10.2.1.0_24_Dev2
 subnet 10.2.1.0 255.255.255.0
object network NET_10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network HOST_10.8.32.9_tcp1723
 host 10.8.32.9
object network HOST_10.8.32.10_gre
 host 10.8.32.10
object network HOST_88.150.240.0
 subnet 88.150.240.0 255.255.255.0
object network NET_113.105.128.0_24
 subnet 113.105.128.0 255.255.255.0
object network NET_66.241.99.0_24
 subnet 66.241.99.0 255.255.255.0
object network HOST_10.8.32.10
 host 10.8.32.10
object network HOST_10.1.1.8
 host 10.1.1.8
object network HOST_10.8.32.12
 host 10.8.32.12
object network HOST_10.8.32.13
 host 10.8.32.13
object network HOST_10.8.38.81
 host 10.8.38.81
 description Axis Camera
object network HOST_10.8.38.82
 host 10.8.38.82
 description Axis Camera
object network HOST_10.8.38.83
 host 10.8.38.83
 description Axis Camera
object network HOST_10.8.38.84
 host 10.8.38.84
 description Axis Camera
object network HOST_10.8.38.85
 host 10.8.38.85
 description Axis Camera
object network HOST_10.8.32.13_tcp6180
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6181
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6182
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6183
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6185
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6188
 host 10.8.32.13
object network HOST_10.8.32.9_udp500
 host 10.8.32.9
object network HOST_10.8.32.9_udp4500
 host 10.8.32.9
object network HOST_10.8.32.10_tcp443
 host 10.8.32.10
object network HOST_10.8.32.10_443
object network HOST_10.1.1.8_tcp9000
 host 10.1.1.8
object network HOST_10.1.1.8_tcp8081
 host 10.1.1.8
object network HOST_10.8.32.9_tcp1701
 host 10.8.32.9
object network NET_172.16.1.0
 subnet 172.16.1.0 255.255.255.0
object network HOST_10.8.36.2_udp5060
 host 10.8.36.2
object network NETWORK_OBJ_10.8.40.0_24
 subnet 10.8.40.0 255.255.255.0
 description VPN users
object network HOST_172.16.1.2_udp5060
 host 172.16.1.2
object network HOST_10.8.32.12_tcp9101
 host 10.8.32.12
 description SCG AXIS ADMIN DEVELOPMENT
object network HOST_10.8.38.86
 host 10.8.38.86
 description Axis Camera
object network HOST_10.8.38.87
 host 10.8.38.87
 description Axis Camera
object network HOST_10.8.32.12_tcp9201
 host 10.8.32.12
 description Voter Viewer web interface
object network HOST_10.8.32.12_tcp9301
 host 10.8.32.12
 description PDS web interface
object network HOST_10.8.32.9_tcp5001
 host 10.8.32.9
 description Synology NAS
object network Host_10.8.32.9_tcp5005
 host 10.8.32.9
 description Synology NAS
object network VPN-Pool
 range 10.8.40.200 10.8.40.220
 description VPN Users
object network HOST_10.8.40.200_10.8.40.220
 range 10.8.40.200 10.8.40.220
 description VPN Users
object-group service DM_INLINE_TCPUDP_1 tcp-udp
 port-object eq 5061
 port-object eq sip
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit ip object NETWORK_OBJ_10.8.40.0_24 any
access-list outside_access_in extended deny ip object HOST_88.150.240.0 any
access-list outside_access_in extended deny ip object NET_113.105.128.0_24 any
access-list outside_access_in extended permit object-group TCPUDP object NET_66.241.99.0_24 any object-group DM_INLINE_TCPUDP_1 log
access-list outside_access_in extended deny udp any any eq sip log
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq 500
access-list outside_access_in extended permit udp any any eq 1701
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit tcp any any eq 3306 log
access-list outside_access_in extended permit tcp any any eq 4500
access-list outside_access_in extended permit tcp any any eq 5001
access-list outside_access_in extended permit tcp any any eq 6180
access-list outside_access_in extended permit tcp any any eq 6181
access-list outside_access_in extended permit tcp any any eq 6182
access-list outside_access_in extended permit tcp any any eq 6183
access-list outside_access_in extended permit tcp any any eq 6185
access-list outside_access_in extended permit tcp any any eq 6188
access-list outside_access_in extended permit tcp any any eq 9000
access-list outside_access_in extended permit tcp any any eq 8081 log
access-list outside_access_in extended permit udp any any log
access-list outside_access_in extended permit tcp any any log
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit ipinip any any
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit ip any any log
access-list outside_access_in extended permit ip host 10.1.1.22 host 10.1.1.13
access-list VPN-SCG2 standard permit 10.8.0.0 255.255.192.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.32.0_24_Servers NET_10.8.32.0_24_Servers destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.34.0_24_Users NET_10.8.34.0_24_Users destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
!
object network HOST_10.8.32.9_tcp1723
 nat (inside,outside) static interface service tcp pptp pptp
object network HOST_10.8.32.12
 nat (inside,outside) static interface service tcp 3306 3306
object network HOST_10.8.32.13
 nat (inside,outside) static interface service tcp 6188 6188
object network HOST_10.8.38.81
 nat (inside,outside) static interface service tcp 9111 9111
object network HOST_10.8.38.82
 nat (inside,outside) static interface service tcp 9112 9112
object network HOST_10.8.38.83
 nat (inside,outside) static interface service tcp 9113 9113
object network HOST_10.8.38.84
 nat (inside,outside) static interface service tcp 9114 9114
object network HOST_10.8.38.85
 nat (inside,outside) static interface service tcp 9115 9115
object network HOST_10.8.32.13_tcp6180
 nat (inside,outside) static interface service tcp 6180 6180
object network HOST_10.8.32.13_tcp6181
 nat (inside,outside) static interface service tcp 6181 6181
object network HOST_10.8.32.13_tcp6182
 nat (inside,outside) static interface service tcp 6182 6182
object network HOST_10.8.32.13_tcp6183
 nat (inside,outside) static interface service tcp 6183 6183
object network HOST_10.8.32.13_tcp6185
 nat (inside,outside) static interface service tcp 6185 6185
object network HOST_10.8.32.13_tcp6188
 nat (inside,outside) static interface service tcp 6188 6188
object network HOST_10.8.32.9_udp500
 nat (inside,outside) static interface service udp isakmp isakmp
object network HOST_10.8.32.9_udp4500
 nat (inside,outside) static interface service udp 4500 4500
object network HOST_10.1.1.8_tcp9000
 nat (inside,outside) static interface service tcp 9000 9000
object network HOST_10.1.1.8_tcp8081
 nat (inside,outside) static interface service tcp 8081 8081
object network HOST_10.8.32.9_tcp1701
 nat (inside,outside) static interface service tcp 1701 1701
object network HOST_172.16.1.2_udp5060
 nat (inside,outside) static interface service udp sip sip
object network HOST_10.8.32.12_tcp9101
 nat (inside,outside) static interface service tcp 9101 9101
object network HOST_10.8.38.86
 nat (inside,outside) static interface service tcp 9116 9116
object network HOST_10.8.38.87
 nat (inside,outside) static interface service tcp 9117 9117
object network HOST_10.8.32.12_tcp9201
 nat (inside,outside) static interface service tcp 9201 9201
object network HOST_10.8.32.12_tcp9301
 nat (inside,outside) static interface net-to-net service tcp 9301 9301
object network HOST_10.8.32.9_tcp5001
 nat (inside,outside) static interface service tcp 5001 5001
object network Host_10.8.32.9_tcp5005
 nat (inside,outside) static interface service tcp 5005 5005
!
nat (outside,outside) after-auto source dynamic NETWORK_OBJ_10.8.40.0_24 interface
nat (inside,outside) after-auto source dynamic any interface
nat (outside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.213.128.9 1
route inside 10.0.0.0 255.0.0.0 10.8.31.1 1
route inside 172.16.1.0 255.255.255.0 10.8.31.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CiscoMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=workgroup,DC=hq,DC=scgconnect,DC=com UID
aaa-server SCG protocol ldap
aaa-server SCG (inside) host 10.8.32.9
 server-port 636
 ldap-base-dn cn=users,dc=hq,dc=scgconnect,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map CiscoMAP
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 5000
http 192.168.1.0 255.255.255.0 inside
http 10.8.32.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=remote.scgconnect.com
 no ca-check
 crl configure
crypto ca trustpoint Cisco_Manufacturing_CA
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-001
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-002
 enrollment terminal
 crl configure
crypto ca trustpoint CAPF
 enrollment terminal
 no ca-check
 crl configure
crypto ca trustpoint asdm_cuma_local
 enrollment terminal
 crl configure
crypto ca trustpoint asdm_cuma_root_ca
 enrollment terminal
 crl configure
crypto ca trustpoint asdm_cuma_local_proxy
 enrollment terminal
 validation-usage ssl-client
 crl configure
crypto ca trustpoint Cisco_Root_CA_2048
 enrollment terminal
 crl configure
crypto ca trustpoint CallManager
 enrollment terminal
 no ca-check
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ccm_proxy
 enrollment self
 fqdn none
 subject-name cn=Proxy
 serial-number
 crl configure
crypto ca trustpoint ldc_server
 enrollment self
 fqdn ldc.scgconnect.com
 subject-name cn=LDC_SIGNER
 serial-number
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 enrollment self
 subject-name CN=hq.scgconnect.com
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment self
 subject-name CN=SCG-ASA-01
 crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet 10.8.32.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.8.32.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 160
!
!
tls-proxy my_proxy
 server trust-point ccm_proxy
 client ldc issuer ldc_server
 client cipher-suite aes128-sha1 aes256-sha1
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 129.6.15.28 source inside
ntp server 10.8.32.20 source inside prefer
ssl trust-point ASDM_TrustPoint5 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.8.01090-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.8.01090-webdeploy-k9.pkg 3
 anyconnect profiles SCG2_anyconnect disk0:/scg2_anyconnect.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
!
ctl-provider my_ctl client interface inside address 10.8.32.20 client username rubenc password IxJu2LI1uG0ssLO6 encrypted export certificate ccm_proxy ! group-policy GroupPolicy_SSL internal group-policy GroupPolicy_SSL attributes wins-server none dns-server value 10.8.32.9 vpn-tunnel-protocol ssl-client split-tunnel-policy tunnelall default-domain value hq.scgconnect.com split-tunnel-all-dns enable group-policy GroupPolicy_SGC2 internal group-policy GroupPolicy_SGC2 attributes wins-server none dns-server value 10.8.32.9 vpn-filter value outside_access_in vpn-tunnel-protocol ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value VPN-SCG2 default-domain value hq.scgconnect.com split-dns value hq.scgconnect.com split-tunnel-all-dns disable client-bypass-protocol enable webvpn anyconnect profiles value SCG2_anyconnect type user dynamic-access-policy-record DfltAccessPolicy tunnel-group SGC2 type remote-access tunnel-group SGC2 general-attributes address-pool VPN-Pool authentication-server-group SCG default-group-policy GroupPolicy_SGC2 tunnel-group SGC2 webvpn-attributes group-alias SGC2 enable tunnel-group SSL type remote-access tunnel-group SSL general-attributes address-pool VPN-Pool default-group-policy GroupPolicy_SSL tunnel-group SSL webvpn-attributes authentication certificate group-url https://hq.scgconnect.com/SSL enable ! class-map sec_skinny match port tcp eq 2443 class-map inspection_default match default-inspection-traffic ! ! 
policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map type inspect skinny skinny_inspect parameters policy-map global_policy class inspection_default inspect ftp inspect ip-options inspect netbios inspect rsh inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect xdmcp inspect dns preset_dns_map inspect skinny skinny_inspect class sec_skinny inspect skinny skinny_inspect tls-proxy my_proxy policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum client auto message-length maximum 512 ! service-policy global_policy global prompt hostname context service call-home call-home reporting anonymous call-home contact-email-addr cfitzsimmons@scgconnect.com profile CiscoTAC-1 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily hpm topN enable Cryptochecksum:b85da98bf45fe4104d7360a320a935e0 : end
06-27-2020 09:05 AM
06-27-2020 09:14 AM - edited 06-27-2020 09:49 AM
tunnel-group SCG2
show nat detail
Result of the command: "show nat detail"

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
    Destination - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
2 (inside) to (outside) source static NET_10.8.32.0_24_Servers NET_10.8.32.0_24_Servers destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
    translate_hits = 231, untranslate_hits = 231
    Source - Origin: 10.8.32.0/24, Translated: 10.8.32.0/24
    Destination - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
3 (inside) to (outside) source static NET_10.8.34.0_24_Users NET_10.8.34.0_24_Users destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.34.0/24, Translated: 10.8.34.0/24
    Destination - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
4 (inside) to (outside) source static NET_10.8.36.0_24_VOIP NET_10.8.36.0_24_VOIP destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.36.0/24, Translated: 10.8.36.0/24
    Destination - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
5 (inside) to (outside) source static NET_10.8.38.0_24_SecCam NET_10.8.38.0_24_SecCam destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
    translate_hits = 1, untranslate_hits = 1
    Source - Origin: 10.8.38.0/24, Translated: 10.8.38.0/24
    Destination - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static HOST_10.1.1.8_tcp8081 interface service tcp 8081 8081
    translate_hits = 0, untranslate_hits = 31
    Source - Origin: 10.1.1.8/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 8081 Mapped: 8081
2 (inside) to (outside) source static HOST_10.1.1.8_tcp9000 interface service tcp 9000 9000
    translate_hits = 0, untranslate_hits = 23
    Source - Origin: 10.1.1.8/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9000 Mapped: 9000
3 (inside) to (outside) source static HOST_10.8.32.9_tcp1701 interface service tcp 1701 1701
    translate_hits = 0, untranslate_hits = 3
    Source - Origin: 10.8.32.9/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 1701 Mapped: 1701
4 (inside) to (outside) source static HOST_10.8.32.9_tcp1723 interface service tcp pptp pptp
    translate_hits = 0, untranslate_hits = 8
    Source - Origin: 10.8.32.9/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: pptp Mapped: pptp
5 (inside) to (outside) source static HOST_10.8.32.9_tcp5001 interface service tcp 5001 5001
    translate_hits = 0, untranslate_hits = 11
    Source - Origin: 10.8.32.9/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 5001 Mapped: 5001
6 (inside) to (outside) source static HOST_10.8.32.9_udp4500 interface service udp 4500 4500
    translate_hits = 0, untranslate_hits = 12
    Source - Origin: 10.8.32.9/32, Translated: 24.213.128.10/29
    Service - Protocol: udp Real: 4500 Mapped: 4500
7 (inside) to (outside) source static HOST_10.8.32.9_udp500 interface service udp isakmp isakmp
    translate_hits = 0, untranslate_hits = 9
    Source - Origin: 10.8.32.9/32, Translated: 24.213.128.10/29
    Service - Protocol: udp Real: isakmp Mapped: isakmp
8 (inside) to (outside) source static Host_10.8.32.9_tcp5005 interface service tcp 5005 5005
    translate_hits = 0, untranslate_hits = 4
    Source - Origin: 10.8.32.9/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 5005 Mapped: 5005
9 (inside) to (outside) source static HOST_10.8.32.12 interface service tcp 3306 3306
    translate_hits = 0, untranslate_hits = 33
    Source - Origin: 10.8.32.12/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 3306 Mapped: 3306
10 (inside) to (outside) source static HOST_10.8.32.12_tcp9101 interface service tcp 9101 9101
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.32.12/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9101 Mapped: 9101
11 (inside) to (outside) source static HOST_10.8.32.12_tcp9201 interface service tcp 9201 9201
    translate_hits = 0, untranslate_hits = 2
    Source - Origin: 10.8.32.12/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9201 Mapped: 9201
12 (inside) to (outside) source static HOST_10.8.32.12_tcp9301 interface service tcp 9301 9301 net-to-net
    translate_hits = 0, untranslate_hits = 2
    Source - Origin: 10.8.32.12/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9301 Mapped: 9301
13 (inside) to (outside) source static HOST_10.8.32.13 interface service tcp 6188 6188
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6188 Mapped: 6188
14 (inside) to (outside) source static HOST_10.8.32.13_tcp6180 interface service tcp 6180 6180
    translate_hits = 0, untranslate_hits = 31
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6180 Mapped: 6180
15 (inside) to (outside) source static HOST_10.8.32.13_tcp6181 interface service tcp 6181 6181
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6181 Mapped: 6181
16 (inside) to (outside) source static HOST_10.8.32.13_tcp6182 interface service tcp 6182 6182
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6182 Mapped: 6182
17 (inside) to (outside) source static HOST_10.8.32.13_tcp6183 interface service tcp 6183 6183
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6183 Mapped: 6183
18 (inside) to (outside) source static HOST_10.8.32.13_tcp6185 interface service tcp 6185 6185
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6185 Mapped: 6185
19 (inside) to (outside) source static HOST_10.8.32.13_tcp6188 interface service tcp 6188 6188
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6188 Mapped: 6188
20 (inside) to (outside) source static HOST_10.8.38.81 interface service tcp 9111 9111
    translate_hits = 0, untranslate_hits = 2
    Source - Origin: 10.8.38.81/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9111 Mapped: 9111
21 (inside) to (outside) source static HOST_10.8.38.82 interface service tcp 9112 9112
    translate_hits = 0, untranslate_hits = 2
    Source - Origin: 10.8.38.82/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9112 Mapped: 9112
22 (inside) to (outside) source static HOST_10.8.38.83 interface service tcp 9113 9113
    translate_hits = 0, untranslate_hits = 4
    Source - Origin: 10.8.38.83/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9113 Mapped: 9113
23 (inside) to (outside) source static HOST_10.8.38.84 interface service tcp 9114 9114
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.38.84/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9114 Mapped: 9114
24 (inside) to (outside) source static HOST_10.8.38.85 interface service tcp 9115 9115
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.38.85/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9115 Mapped: 9115
25 (inside) to (outside) source static HOST_10.8.38.86 interface service tcp 9116 9116
    translate_hits = 0, untranslate_hits = 2
    Source - Origin: 10.8.38.86/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9116 Mapped: 9116
26 (inside) to (outside) source static HOST_10.8.38.87 interface service tcp 9117 9117
    translate_hits = 0, untranslate_hits = 2
    Source - Origin: 10.8.38.87/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9117 Mapped: 9117
27 (inside) to (outside) source static HOST_172.16.1.2_udp5060 interface service udp sip sip
    translate_hits = 0, untranslate_hits = 136
    Source - Origin: 172.16.1.2/32, Translated: 24.213.128.10/29
    Service - Protocol: udp Real: sip Mapped: sip

Manual NAT Policies (Section 3)
1 (outside) to (outside) source dynamic NETWORK_OBJ_10.8.40.0_24 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.40.0/24, Translated: 24.213.128.10/29
2 (inside) to (outside) source dynamic any interface
    translate_hits = 40868, untranslate_hits = 4781
    Source - Origin: 0.0.0.0/0, Translated: 24.213.128.10/29
3 (outside) to (outside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 24.213.128.10/29
show vpn-sessiondb detail anyconnect
Result of the command: "show vpn-sessiondb detail anyconnect"

Session Type: AnyConnect Detailed

Username     : carlfitzsimmons
Index        : 26
Assigned IP  : 10.8.40.200
Public IP    : 107.77.224.90
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 30472
Bytes Rx     : 31070
Pkts Tx      : 20
Pkts Rx      : 390
Pkts Tx Drop : 0
Pkts Rx Drop : 0
Group Policy : GroupPolicy_SGC2
Tunnel Group : SGC2
Login Time   : 12:18:57 EDT Sat Jun 27 2020
Duration     : 0h:27m:49s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A
VLAN         : none
Audt Sess ID : 0a081f020001a0005ef77171
Security Grp : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 26.1
  Public IP    : 107.77.224.90
  Encryption   : none
  Hashing      : none
  TCP Src Port : 37322
  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 2 Minutes
  Client OS    : mac-intel
  Client OS Ver: 10.13.6
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.8.01090
  Bytes Tx     : 15236
  Bytes Rx     : 3397
  Pkts Tx      : 10
  Pkts Rx      : 3
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 26.4
  Assigned IP  : 10.8.40.200
  Public IP    : 107.77.224.90
  Encryption   : AES-GCM-256
  Hashing      : SHA384
  Ciphersuite  : ECDHE-ECDSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2
  TCP Src Port : 61338
  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 16 Minutes
  Client OS    : Mac OS X
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.8.01090
  Bytes Tx     : 7618
  Bytes Rx     : 1966
  Pkts Tx      : 5
  Pkts Rx      : 26
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0
  Filter Name  : outside_access_in

DTLS-Tunnel:
  Tunnel ID    : 26.5
  Assigned IP  : 10.8.40.200
  Public IP    : 107.77.224.90
  Encryption   : AES256
  Hashing      : SHA1
  Ciphersuite  : DHE-RSA-AES256-SHA
  Encapsulation: DTLSv1.0
  UDP Src Port : 59894
  UDP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 29 Minutes
  Client OS    : Mac OS X
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.8.01090
  Bytes Tx     : 0
  Bytes Rx     : 21846
  Pkts Tx      : 0
  Pkts Rx      : 312
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0
  Filter Name  : outside_access_in
User logged in
06-27-2020 10:41 AM
I can see you are hitting the second NAT rule. Do the internal devices have a local firewall that could be blocking your access from the RAVPN network?
Can you remove your VPN filter and try again?
Is this ASA the default gateway for the internal networks?
Do the internal networks have a route to the RAVPN pool network?
06-27-2020 10:55 AM - edited 06-27-2020 11:01 AM
When you say 'remove VPN filter', do you mean remove NETWORK_OBJ_10.8.40.0_24 from the ACL?
The ASA is on the edge and internally is directly connected to the 3750G.
Traffic is passed to a 3750G. VLANs are set up inside the 3750G to enable routing. Here is VLAN 40:
interface Vlan40
 description AnyConnect VPN Clients
 ip address 10.8.40.1 255.255.255.0
On the 3750G these are the specific ports connected to the ASA:
interface GigabitEthernet2/0/9
 description ASA-INSIDE-G1/2
 switchport access vlan 31
 power inline never
interface GigabitEthernet2/0/11
 description SCG Data net
 switchport access vlan 32
 power inline never
Trunking is set up on G25-28 to pass all VLANs.
Here are SHO IP ARP and SHO IP RO:
SCG-1-3750G-24-POE#sho ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.2.1.1               90   0011.93b0.9301  ARPA   Vlan15
Internet  10.99.99.1              -   0019.56ed.334c  ARPA   Vlan99
Internet  10.8.30.4              91   b862.1fc7.1d43  ARPA   Vlan30
Internet  10.8.30.5              92   001c.57b8.eb42  ARPA   Vlan30
Internet  10.8.31.1               -   0019.56ed.3344  ARPA   Vlan31
Internet  10.8.30.1               -   0019.56ed.3343  ARPA   Vlan30
Internet  10.8.31.2              70   5897.bd27.852f  ARPA   Vlan31
Internet  10.8.32.2              89   001f.cae3.4ca1  ARPA   Vlan32
Internet  10.8.38.5             182   001c.57b8.eb46  ARPA   Vlan38
Internet  10.8.34.1               -   0019.56ed.3346  ARPA   Vlan34
Internet  10.8.36.5              89   001c.57b8.eb45  ARPA   Vlan36
Internet  10.8.32.1               -   0019.56ed.3345  ARPA   Vlan32
Internet  10.8.36.2              88   001f.cae3.4ca1  ARPA   Vlan36
Internet  10.8.32.6               9   a02b.b862.3bfa  ARPA   Vlan32
Internet  10.8.34.5              92   001c.57b8.eb44  ARPA   Vlan34
Internet  10.8.32.7               0   0090.a9dd.f700  ARPA   Vlan32
Internet  10.8.38.1               -   0019.56ed.3349  ARPA   Vlan38
Internet  10.8.32.5              84   001c.57b8.eb43  ARPA   Vlan32
Internet  10.8.36.1               -   0019.56ed.3348  ARPA   Vlan36
Internet  10.8.32.10            187   003e.e1c7.3b18  ARPA   Vlan32
Internet  10.8.41.1               -   0019.56ed.334b  ARPA   Vlan41
Internet  10.8.32.9               0   0011.32c5.6c59  ARPA   Vlan32
Internet  10.8.40.1               -   0019.56ed.334a  ARPA   Vlan40
Internet  10.8.32.14             39   0024.369f.c2d3  ARPA   Vlan32
Internet  10.8.32.15              8   20c9.d09a.720c  ARPA   Vlan32
Internet  10.8.32.12              6   10dd.b1e3.b73e  ARPA   Vlan32
Internet  10.8.32.19              0   6c70.9fd5.51cf  ARPA   Vlan32
Internet  10.8.32.16              9   6c70.9fd5.51cf  ARPA   Vlan32
Internet  10.8.32.20            113   000c.2906.3d2d  ARPA   Vlan32
Internet  10.8.32.30              0   000c.29df.aea5  ARPA   Vlan32
Internet  10.8.36.103             3   c8f9.f969.198d  ARPA   Vlan36
Internet  10.8.36.101             3   001f.6c7f.36ef  ARPA   Vlan36
Internet  10.8.32.100             4   38f9.d303.3d39  ARPA   Vlan32
Internet  10.8.32.101             9   685b.359b.4db4  ARPA   Vlan32
Internet  10.8.32.106            56   d081.7ac3.7b1a  ARPA   Vlan32
Internet  10.8.32.105            66   0c08.b4d6.b075  ARPA   Vlan32
Internet  10.8.32.110             0   6c70.9fd5.51cf  ARPA   Vlan32
Internet  10.8.36.106             3   2c3e.cf76.c6fb  ARPA   Vlan36
Internet  10.8.36.107             0   0057.d2c1.7362  ARPA   Vlan36
Internet  10.8.36.104             3   0022.9003.7fd9  ARPA   Vlan36
Internet  10.8.36.105             3   2c3e.cf76.c561  ARPA   Vlan36
Internet  192.168.254.254         -   0019.56ed.334d  ARPA   Vlan192
Internet  10.8.38.84              0   accc.8e2b.470f  ARPA   Vlan38
Internet  10.8.38.85              1   accc.8e14.aa5f  ARPA   Vlan38
Internet  10.8.38.86              2   0040.8cfd.c54c  ARPA   Vlan38
Internet  10.8.38.87              1   accc.8e2b.0aac  ARPA   Vlan38
Internet  10.8.38.81              0   accc.8e2b.6159  ARPA   Vlan38
Internet  10.8.38.82            206   accc.8e2b.6c6a  ARPA   Vlan38
Internet  10.8.38.83              0   0040.8cda.f818  ARPA   Vlan38
Internet  192.168.1.254           -   0019.56ed.3342  ARPA   Vlan19
Internet  10.8.32.191             0   0009.b0f4.64a4  ARPA   Vlan32
Internet  10.8.32.132             0   3412.9891.f5da  ARPA   Vlan32
Internet  10.8.32.137             0   88a9.a714.f916  ARPA   Vlan32
Internet  10.8.32.141             1   d0d2.b012.8bb6  ARPA   Vlan32
Internet  172.16.1.1              -   0019.56ed.3347  ARPA   Vlan35
Internet  172.16.1.2             91   001f.cae3.4ca1  ARPA   Vlan35
Internet  10.8.200.1              -   0019.56ed.334e  ARPA   Vlan1003
Internet  10.8.40.200             0   Incomplete      ARPA
Internet  10.2.1.253              -   0019.56ed.3341  ARPA   Vlan15
Internet  10.2.1.254             92   001c.57b8.eb41  ARPA   Vlan15
SCG-1-3750G-24-POE#sho ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.8.31.2 to network 0.0.0.0

     20.0.0.0/24 is subnetted, 1 subnets
S       20.3.9.0 [1/0] via 10.2.1.254
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Vlan35
     10.0.0.0/24 is subnetted, 12 subnets
C       10.2.1.0 is directly connected, Vlan15
S       10.1.2.0 [1/0] via 10.2.1.254
C       10.99.99.0 is directly connected, Vlan99
S       10.1.1.0 [1/0] via 10.2.1.254
C       10.8.30.0 is directly connected, Vlan30
C       10.8.31.0 is directly connected, Vlan31
C       10.8.34.0 is directly connected, Vlan34
C       10.8.32.0 is directly connected, Vlan32
C       10.8.38.0 is directly connected, Vlan38
C       10.8.36.0 is directly connected, Vlan36
C       10.8.40.0 is directly connected, Vlan40
C       10.8.41.0 is directly connected, Vlan41
C    192.168.254.0/24 is directly connected, Vlan192
C    192.168.1.0/24 is directly connected, Vlan19
C    192.168.3.0/24 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.8.31.2
SCG-1-3750G-24-POE#
internally is
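The reply above asks whether the internal networks have a route to the RAVPN pool; the two outputs in this post let that be checked mechanically. The script below is an added example of mine (not from the thread, the ASA, or Cisco): it parses an abridged copy of the `sho ip ro` and `sho ip arp` lines posted here, performs the longest-prefix lookup the 3750G does for a VPN client address, reports whether the chosen path points at the ASA inside address 10.8.31.2 or at a local VLAN, and lists any connected route overlapping the `ip local pool` range. The function names and the abridged sample text are my own.

```python
"""Trace where a Catalyst switch sends return traffic for a remote-access VPN
client, replaying pasted `show ip route` / `show ip arp` output (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: abridged from the 3750G `sho ip ro` posted above.
ROUTE_OUTPUT = """\
Gateway of last resort is 10.8.31.2 to network 0.0.0.0
     20.0.0.0/24 is subnetted, 1 subnets
S       20.3.9.0 [1/0] via 10.2.1.254
     10.0.0.0/24 is subnetted, 12 subnets
C       10.8.31.0 is directly connected, Vlan31
C       10.8.32.0 is directly connected, Vlan32
C       10.8.40.0 is directly connected, Vlan40
C    192.168.1.0/24 is directly connected, Vlan19
S*   0.0.0.0/0 [1/0] via 10.8.31.2
"""
# Constructed sample input: abridged from the 3750G `sho ip arp` posted above.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.8.31.2              70   5897.bd27.852f  ARPA   Vlan31
Internet  10.8.40.1               -   0019.56ed.334a  ARPA   Vlan40
Internet  10.8.40.200             0   Incomplete      ARPA
"""

@dataclass
class Route:
    code: str
    network: ipaddress.IPv4Network
    interface: Optional[str] = None  # set for connected routes
    next_hop: Optional[str] = None   # set for static/dynamic routes

_SUBNETTED = re.compile(r"^\s*\d+(?:\.\d+){3}/(\d+) is subnetted, \d+ subnets")
_ENTRY = re.compile(
    r"^\s*([A-Z]{1,2}\*?)\s+(\d+(?:\.\d+){3})(?:/(\d+))?\s+"
    r"(?:is directly connected, (\S+)|\[\d+/\d+\] via (\d+(?:\.\d+){3}))")
_ARP = re.compile(r"^\s*Internet\s+(\d+(?:\.\d+){3})\s+\S+\s+(\S+)\s+ARPA(?:\s+(\S+))?")

def parse_routes(text: str) -> list:
    """Parse IOS `show ip route`: entries under an 'is subnetted' header
    inherit its mask; other entries carry their own prefix length."""
    routes, inherited_len = [], None
    for line in text.splitlines():
        m = _SUBNETTED.match(line)
        if m:
            inherited_len = int(m.group(1))
            continue
        m = _ENTRY.match(line)
        if not m:
            continue
        code, addr, plen, iface, via = m.groups()
        if plen is None:
            if inherited_len is None:
                raise ValueError(f"no mask known for route {addr}")
            plen = inherited_len
        routes.append(Route(code, ipaddress.ip_network(f"{addr}/{plen}", strict=False),
                            iface, via))
    return routes

def parse_arp(text: str) -> dict:
    """Map IP -> (hardware address or 'Incomplete', interface or None)."""
    return {m.group(1): (m.group(2), m.group(3))
            for m in map(_ARP.match, text.splitlines()) if m}

def longest_match(routes: list, ip: str) -> Optional[Route]:
    """Longest-prefix lookup, as the switch's forwarding plane performs it."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r.network]
    return max(hits, key=lambda r: r.network.prefixlen) if hits else None

def diagnose(route_text: str, arp_text: str, client_ip: str, headend_ip: str) -> dict:
    """Where does return traffic for client_ip go, and does that path end at the
    VPN headend's inside address (headend_ip)?"""
    route = longest_match(parse_routes(route_text), client_ip)
    hw, _iface = parse_arp(arp_text).get(client_ip, (None, None))
    return {
        "matched_route": str(route.network) if route else None,
        "interface": route.interface if route else None,
        "next_hop": route.next_hop if route else None,
        "arp": hw,
        # A connected route makes the switch ARP for the client on its own VLAN
        # instead of forwarding; only a next hop equal to the headend's inside
        # address hands the packet back to the VPN tunnel.
        "reaches_headend": route is not None and route.next_hop == headend_ip,
    }

def pool_conflicts(route_text: str, first: str, last: str) -> list:
    """Connected routes on the switch that overlap the `ip local pool` range."""
    pool = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    hits = {(str(r.network), r.interface) for r in parse_routes(route_text)
            if r.interface and any(r.network.overlaps(p) for p in pool)}
    return sorted(hits)

if __name__ == "__main__":
    print(diagnose(ROUTE_OUTPUT, ARP_OUTPUT, "10.8.40.200", "10.8.31.2"))
    print(pool_conflicts(ROUTE_OUTPUT, "10.8.40.200", "10.8.40.220"))
```

With the posted tables, 10.8.40.200 matches the connected route 10.8.40.0/24 on Vlan40 rather than the default route via 10.8.31.2, which is what the `Incomplete` ARP entry for that address reflects.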
06-27-2020 11:06 AM
Under the group-policy:
group-policy GroupPolicy_SGC2 attributes
 no vpn-filter value outside_access_in
06-27-2020 11:18 AM
Removed
Still cannot ping inside
FYI: when SSH'd into the ASA I did a ping, and here are the results:
SCG-ASA-01# ping 10.8.32.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.32.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SCG-ASA-01#
Also, for clarity's sake, I noticed syntax errors in naming, so I changed all SGC to SCG and attached that config with your change request.
Result of the command: "sho run"

: Saved
:
: Serial Number:
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1)
!
hostname SCG-ASA-01
domain-name hq.scgconnect.com
enable password 0TAz8qRS9LuZZzJv encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd zJXfJytEpmEl08Wj encrypted
names
ip local pool VPN-Pool 10.8.40.200-10.8.40.220 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 24.213.128.10 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.8.31.2 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.8.30.9 255.255.255.0
!
boot system disk0:/asa961-lfbff-k8.SPA
boot system disk0:/asa952-6-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.8.32.9 inside
 name-server 24.92.226.11 outside
 name-server 24.92.226.12 outside
 domain-name hq.scgconnect.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NET_10.8.32.0_24_Servers
 subnet 10.8.32.0 255.255.255.0
object network NET_10.8.34.0_24_Users
 subnet 10.8.34.0 255.255.255.0
object network NET_10.8.36.0_24_VOIP
 subnet 10.8.36.0 255.255.255.0
object network NET_10.8.38.0_24_SecCam
 subnet 10.8.38.0 255.255.255.0
object network NET_192.168.1.0_24_Dev
 subnet 192.168.1.0 255.255.255.0
object network NET_10.2.1.0_24_Dev2
 subnet 10.2.1.0 255.255.255.0
object network NET_10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network HOST_10.8.32.9_tcp1723
 host 10.8.32.9
object network HOST_10.8.32.10_gre
 host 10.8.32.10
object network HOST_88.150.240.0
 subnet 88.150.240.0 255.255.255.0
object network NET_113.105.128.0_24
 subnet 113.105.128.0 255.255.255.0
object network NET_66.241.99.0_24
 subnet 66.241.99.0 255.255.255.0
object network HOST_10.8.32.10
 host 10.8.32.10
object network HOST_10.1.1.8
 host 10.1.1.8
object network HOST_10.8.32.12
 host 10.8.32.12
object network HOST_10.8.32.13
 host 10.8.32.13
object network HOST_10.8.38.81
 host 10.8.38.81
 description Axis Camera
object network HOST_10.8.38.82
 host 10.8.38.82
 description Axis Camera
object network HOST_10.8.38.83
 host 10.8.38.83
 description Axis Camera
object network HOST_10.8.38.84
 host 10.8.38.84
 description Axis Camera
object network HOST_10.8.38.85
 host 10.8.38.85
 description Axis Camera
object network HOST_10.8.32.13_tcp6180
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6181
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6182
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6183
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6185
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6188
 host 10.8.32.13
object network HOST_10.8.32.9_udp500
 host 10.8.32.9
object network HOST_10.8.32.9_udp4500
 host 10.8.32.9
object network HOST_10.8.32.10_tcp443
 host 10.8.32.10
object network HOST_10.8.32.10_443
object network HOST_10.1.1.8_tcp9000
 host 10.1.1.8
object network HOST_10.1.1.8_tcp8081
 host 10.1.1.8
object network HOST_10.8.32.9_tcp1701
 host 10.8.32.9
object network NET_172.16.1.0
 subnet 172.16.1.0 255.255.255.0
object network HOST_10.8.36.2_udp5060
 host 10.8.36.2
object network NETWORK_OBJ_10.8.40.0_24
 subnet 10.8.40.0 255.255.255.0
 description VPN users
object network HOST_172.16.1.2_udp5060
 host 172.16.1.2
object network HOST_10.8.32.12_tcp9101
 host 10.8.32.12
 description SCG AXIS ADMIN DEVELOPMENT
object network HOST_10.8.38.86
 host 10.8.38.86
 description Axis Camera
object network HOST_10.8.38.87
 host 10.8.38.87
 description Axis Camera
object network HOST_10.8.32.12_tcp9201
 host 10.8.32.12
 description Voter Viewer web interface
object network HOST_10.8.32.12_tcp9301
 host 10.8.32.12
 description PDS web interface
object network HOST_10.8.32.9_tcp5001
 host 10.8.32.9
 description Synology NAS
object network Host_10.8.32.9_tcp5005
 host 10.8.32.9
 description Synology NAS
object network VPN-Pool
 range 10.8.40.200 10.8.40.220
 description VPN Users
object network HOST_10.8.40.200_10.8.40.220
 range 10.8.40.200 10.8.40.220
 description VPN Users
object-group service DM_INLINE_TCPUDP_1 tcp-udp
 port-object eq 5061
 port-object eq sip
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit ip object NETWORK_OBJ_10.8.40.0_24 any
access-list outside_access_in extended deny ip object HOST_88.150.240.0 any
access-list outside_access_in extended deny ip object NET_113.105.128.0_24 any
access-list outside_access_in extended permit object-group TCPUDP object NET_66.241.99.0_24 any object-group DM_INLINE_TCPUDP_1 log
access-list outside_access_in extended deny udp any any eq sip log
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq 500
access-list outside_access_in extended permit udp any any eq 1701
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit tcp any any eq 3306 log
access-list outside_access_in extended permit tcp any any eq 4500
access-list outside_access_in extended permit tcp any any eq 5001
access-list outside_access_in extended permit tcp any any eq 6180
access-list outside_access_in extended permit tcp any any eq 6181
access-list outside_access_in extended permit tcp any any eq 6182
access-list outside_access_in extended permit tcp any any eq 6183
access-list outside_access_in extended permit tcp any any eq 6185
access-list outside_access_in extended permit tcp any any eq 6188
access-list outside_access_in extended permit tcp any any eq 9000
access-list outside_access_in extended permit tcp any any eq 8081 log
access-list outside_access_in extended permit udp any any log
access-list outside_access_in extended permit tcp any any log
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit ipinip any any
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit ip any any log
access-list outside_access_in extended permit ip host 10.1.1.22 host 10.1.1.13
access-list VPN-SCG2 standard permit 10.8.0.0 255.255.192.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.32.0_24_Servers NET_10.8.32.0_24_Servers destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.34.0_24_Users NET_10.8.34.0_24_Users destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
!
object network HOST_10.8.32.9_tcp1723
 nat (inside,outside) static interface service tcp pptp pptp
object network HOST_10.8.32.12
 nat (inside,outside) static interface service tcp 3306 3306
object network HOST_10.8.32.13
 nat (inside,outside) static interface service tcp 6188 6188
object network HOST_10.8.38.81
 nat (inside,outside) static interface service tcp 9111 9111
object network HOST_10.8.38.82
 nat (inside,outside) static interface service tcp 9112 9112
object network HOST_10.8.38.83
 nat (inside,outside) static interface service tcp 9113 9113
object network HOST_10.8.38.84
 nat (inside,outside) static interface service tcp 9114 9114
object network HOST_10.8.38.85
 nat (inside,outside) static interface service tcp 9115 9115
object network HOST_10.8.32.13_tcp6180
 nat (inside,outside) static interface service tcp 6180 6180
object network HOST_10.8.32.13_tcp6181
 nat (inside,outside) static interface service tcp 6181 6181
object network HOST_10.8.32.13_tcp6182
 nat (inside,outside) static interface service tcp 6182 6182
object network HOST_10.8.32.13_tcp6183
 nat (inside,outside) static interface service tcp 6183 6183
object network HOST_10.8.32.13_tcp6185
 nat (inside,outside) static interface service tcp 6185 6185
object network HOST_10.8.32.13_tcp6188
 nat (inside,outside) static interface service tcp 6188 6188
object network HOST_10.8.32.9_udp500
 nat (inside,outside) static interface service udp isakmp isakmp
object network HOST_10.8.32.9_udp4500
 nat (inside,outside) static interface service udp 4500 4500
object network HOST_10.1.1.8_tcp9000
 nat (inside,outside) static interface service tcp 9000 9000
object network HOST_10.1.1.8_tcp8081
 nat (inside,outside) static interface service tcp 8081 8081
object network HOST_10.8.32.9_tcp1701
 nat (inside,outside) static interface service tcp 1701 1701
object network HOST_172.16.1.2_udp5060
 nat (inside,outside) static interface service udp sip sip
object network HOST_10.8.32.12_tcp9101
 nat (inside,outside) static interface service tcp 9101 9101
object network HOST_10.8.38.86
 nat (inside,outside) static interface service tcp 9116 9116
object network HOST_10.8.38.87
 nat (inside,outside) static interface service tcp 9117 9117
object network HOST_10.8.32.12_tcp9201
 nat (inside,outside) static interface service tcp 9201 9201
object network HOST_10.8.32.12_tcp9301
 nat (inside,outside) static interface net-to-net service tcp 9301 9301
object network HOST_10.8.32.9_tcp5001
 nat (inside,outside) static interface service tcp 5001 5001
object network Host_10.8.32.9_tcp5005
 nat (inside,outside) static interface service tcp 5005 5005
!
nat (outside,outside) after-auto source dynamic NETWORK_OBJ_10.8.40.0_24 interface
nat (inside,outside) after-auto source dynamic any interface
nat (outside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.213.128.9 1
route inside 10.0.0.0 255.0.0.0 10.8.31.1 1
route inside 172.16.1.0 255.255.255.0 10.8.31.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CiscoMAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=workgroup,DC=hq,DC=scgconnect,DC=com UID
aaa-server SCG protocol ldap
aaa-server SCG (inside) host 10.8.32.9
 server-port 636
 ldap-base-dn cn=users,dc=hq,dc=scgconnect,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map CiscoMAP
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 5000
http 192.168.1.0 255.255.255.0 inside
http 10.8.32.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0
outside http 0.0.0.0 0.0.0.0 inside no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto ca trustpoint _SmartCallHome_ServerCA no validation-usage crl configure crypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=remote.scgconnect.com no ca-check crl configure crypto ca trustpoint Cisco_Manufacturing_CA enrollment terminal crl configure crypto ca trustpoint CAP-RTP-001 enrollment terminal crl configure crypto ca trustpoint CAP-RTP-002 enrollment terminal crl configure crypto ca trustpoint CAPF enrollment terminal no ca-check crl configure crypto ca trustpoint asdm_cuma_local enrollment terminal crl configure crypto ca trustpoint asdm_cuma_root_ca enrollment terminal crl configure crypto ca trustpoint asdm_cuma_local_proxy enrollment terminal validation-usage ssl-client crl configure crypto ca trustpoint Cisco_Root_CA_2048 enrollment terminal crl configure crypto ca trustpoint CallManager enrollment terminal no ca-check crl configure crypto ca trustpoint ASDM_TrustPoint1 enrollment terminal crl configure crypto ca trustpoint ccm_proxy enrollment self fqdn none subject-name cn=Proxy serial-number crl configure crypto ca trustpoint ldc_server enrollment 
self fqdn ldc.scgconnect.com subject-name cn=LDC_SIGNER serial-number proxy-ldc-issuer crl configure crypto ca trustpoint ASDM_TrustPoint5 enrollment self subject-name CN=hq.scgconnect.com crl configure crypto ca trustpoint ASDM_TrustPoint3 enrollment self subject-name CN=SCG-ASA-01 crl configure crypto ca trustpool policy crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 10 encryption aes-192 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 20 encryption aes integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 40 encryption des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 remote-access trustpoint ASDM_TrustPoint0 telnet 10.8.32.0 255.255.255.0 inside telnet 0.0.0.0 0.0.0.0 inside telnet timeout 5 ssh stricthostkeycheck ssh 0.0.0.0 0.0.0.0 inside ssh 10.8.32.0 255.255.255.0 inside ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 ! tls-proxy maximum-session 160 ! ! tls-proxy my_proxy server trust-point ccm_proxy client ldc issuer ldc_server client cipher-suite aes128-sha1 aes256-sha1 threat-detection basic-threat threat-detection statistics threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp authenticate ntp server 129.6.15.28 source inside ntp server 10.8.32.20 source inside prefer ssl trust-point ASDM_TrustPoint5 outside webvpn enable outside anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1 anyconnect image disk0:/anyconnect-macos-4.8.01090-webdeploy-k9.pkg 2 anyconnect image disk0:/anyconnect-linux64-4.8.01090-webdeploy-k9.pkg 3 anyconnect profiles SCG2_anyconnect disk0:/scg2_anyconnect.xml anyconnect enable tunnel-group-list enable cache disable error-recovery disable ! 
ctl-provider my_ctl client interface inside address 10.8.32.20 client username rubenc password IxJu2LI1uG0ssLO6 encrypted export certificate ccm_proxy ! group-policy GroupPolicy_SSL internal group-policy GroupPolicy_SSL attributes wins-server none dns-server value 10.8.32.9 vpn-tunnel-protocol ssl-client split-tunnel-policy tunnelall default-domain value hq.scgconnect.com split-tunnel-all-dns enable group-policy GroupPolicy_SCG2 internal group-policy GroupPolicy_SCG2 attributes wins-server none dns-server value 10.8.32.9 vpn-tunnel-protocol ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value VPN-SCG2 default-domain value hq.scgconnect.com split-dns value hq.scgconnect.com split-tunnel-all-dns disable client-bypass-protocol enable webvpn anyconnect profiles value SCG2_anyconnect type user dynamic-access-policy-record DfltAccessPolicy tunnel-group SCG2 type remote-access tunnel-group SCG2 general-attributes address-pool VPN-Pool authentication-server-group SCG default-group-policy GroupPolicy_SCG2 tunnel-group SCG2 webvpn-attributes group-alias SCG2 enable tunnel-group SSL type remote-access tunnel-group SSL general-attributes address-pool VPN-Pool default-group-policy GroupPolicy_SSL tunnel-group SSL webvpn-attributes authentication certificate group-url https://hq.scgconnect.com/SSL enable ! class-map sec_skinny match port tcp eq 2443 class-map inspection_default match default-inspection-traffic ! ! 
policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map type inspect skinny skinny_inspect parameters policy-map global_policy class inspection_default inspect ftp inspect ip-options inspect netbios inspect rsh inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect xdmcp inspect dns preset_dns_map inspect skinny skinny_inspect class sec_skinny inspect skinny skinny_inspect tls-proxy my_proxy policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum client auto message-length maximum 512 ! service-policy global_policy global prompt hostname context service call-home call-home reporting anonymous call-home contact-email-addr cfitzsimmons@scgconnect.com profile CiscoTAC-1 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily hpm topN enable Cryptochecksum:b85da98bf45fe4104d7360a320a935e0 : end
06-27-2020 11:35 AM
06-27-2020 11:51 AM - edited 06-27-2020 11:54 AM
Nice, an improvement. I can ping devices on the network on different VLANs; however, DNS does not work. Interestingly, when I use an IP I know, I can get to the device, like a NAS, but nslookup forward or reverse fails, and it is because the lookup is going out to the cloud, not to the internal DNS server, which is 10.8.32.9.
That IP is set as DNS inside the ASA.
You have significantly helped me on this and the DNS was not part of the original problem. If you have any suggestions on that it would be appreciated.
I have had a couple of people who are really good at setting up networks, and they missed that as well as I did.
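Added here as a worked audit example (my own code, not Cisco tooling and not anything posted in this thread): a Python script that reads an ASA `show run` excerpt and checks the points a reviewer would raise on the configuration posted above. It looks for identity NAT (NAT exemption) rules from each internal subnet object to the VPN pool object, IKEv2 policies that still offer DES or 3DES, management access (`http`/`ssh`/`telnet`) opened to 0.0.0.0/0, a `permit ip any any` entry on the outside ACL, and the split-DNS settings of the SCG2 group policy. The sample config is constructed from lines of the posted configuration; the object names NET_10.8.36.0_24_VoIP and NET_10.8.38.0_24_SecCam are assumed (hypothetical) names that only follow the posted naming convention, because the posted config shows no exemption objects for those two subnets.

```python
import re

# Constructed excerpt of the configuration posted above, trimmed to what the checks need.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit ip any any log
nat (inside,outside) source static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.32.0_24_Servers NET_10.8.32.0_24_Servers destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.34.0_24_Users NET_10.8.34.0_24_Users destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
http 10.8.32.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
crypto ikev2 policy 1
 encryption aes-256
crypto ikev2 policy 30
 encryption 3des
crypto ikev2 policy 40
 encryption des
group-policy GroupPolicy_SCG2 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SCG2
 split-dns value hq.scgconnect.com
 split-tunnel-all-dns disable
"""

VPN_POOL_OBJECT = "NETWORK_OBJ_10.8.40.0_24"
# Servers and Users objects are in the posted config; the VoIP and SecCam names are
# assumed (hypothetical) and only follow the same naming convention.
INTERNAL_OBJECTS = ["NET_10.8.32.0_24_Servers", "NET_10.8.34.0_24_Users",
                    "NET_10.8.36.0_24_VoIP", "NET_10.8.38.0_24_SecCam"]


def parse_sections(text):
    """Return (all stripped lines, {top-level command: [indented sub-commands]}).

    ASA `show run` indents sub-commands with spaces, so indentation alone
    tells us which block a line belongs to.
    """
    lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        lines.append(raw.strip())
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return lines, sections


# "nat (inside,outside) source static X X destination static POOL POOL" is an identity
# NAT: it keeps VPN-pool <-> inside traffic out of the dynamic PAT rules.
NAT_EXEMPT_RE = re.compile(
    r"^nat \(inside,outside\) source static (\S+) \1 destination static (\S+) \2\b")


def nat_exempt_sources(lines, pool_object):
    """Source objects that have an identity NAT toward pool_object."""
    found = set()
    for line in lines:
        m = NAT_EXEMPT_RE.match(line)
        if m and m.group(2) == pool_object:
            found.add(m.group(1))
    return found


def missing_nat_exemptions(lines, pool_object, internal_objects):
    """Internal objects with no exemption, i.e. VPN clients hit the PAT rule instead."""
    return sorted(set(internal_objects) - nat_exempt_sources(lines, pool_object))


def weak_ikev2_policies(sections):
    """Map each IKEv2 policy to the DES/3DES ciphers it still offers."""
    weak = {}
    for cmd, subs in sections.items():
        if cmd.startswith("crypto ikev2 policy "):
            for sub in subs:
                if sub.startswith("encryption "):
                    bad = [alg for alg in sub.split()[1:] if alg in ("des", "3des")]
                    if bad:
                        weak[cmd] = bad
    return weak


MGMT_RE = re.compile(r"^(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$")


def unrestricted_mgmt(lines):
    """(service, interface) pairs where management access is open to 0.0.0.0/0."""
    return [(m.group(1), m.group(2)) for m in map(MGMT_RE.match, lines) if m]


def permit_ip_any_any(lines, acl="outside_access_in"):
    """ACEs in the named ACL that permit ip from any source to any destination."""
    prefix = f"access-list {acl} extended permit ip any any"
    return [line for line in lines if line.startswith(prefix)]


def split_dns_status(sections, policy):
    """Summarise which DNS queries the group policy sends through the tunnel."""
    subs = sections.get(f"group-policy {policy} attributes", [])

    def value(key, index):
        for sub in subs:
            if sub.startswith(key + " "):
                return sub.split()[index]
        return None

    return {"policy": value("split-tunnel-policy", 1),
            "split_dns": value("split-dns value", 2),
            "all_dns": value("split-tunnel-all-dns", 1)}


def audit(text):
    """Run every check on a config text and return the findings as one dict."""
    lines, sections = parse_sections(text)
    return {
        "missing_nat_exemptions": missing_nat_exemptions(lines, VPN_POOL_OBJECT, INTERNAL_OBJECTS),
        "weak_ikev2": weak_ikev2_policies(sections),
        "unrestricted_mgmt": unrestricted_mgmt(lines),
        "permit_ip_any_any": permit_ip_any_any(lines),
        "split_dns": split_dns_status(sections, "GroupPolicy_SCG2"),
    }


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```

Run against a saved `show run`, the NAT check lists every internal object that still needs an identity NAT toward the pool object, which is the usual reason AnyConnect clients get Internet and mail but no inside hosts. The `split_dns` summary is where the follow-up DNS symptom lives: with `tunnelspecified` and `split-tunnel-all-dns disable`, only queries under the listed split-dns domain go to 10.8.32.9, while names that do not fall under it (a reverse lookup of a 10.8.x.x address is under in-addr.arpa, not hq.scgconnect.com) are handled by the client's local resolver; listing the reverse zone in `split-dns`, or enabling `split-tunnel-all-dns`, changes that. The remaining findings (DES/3DES still offered, `permit ip any any log` inbound, and http/ssh/telnet accepted from 0.0.0.0/0) are hardening items that are separate from the VPN problem but visible in the same config.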