VPN pool cannot ping inside interface and hosts in inside network

kfaure
Level 1
Hello Guys,

It's been a while since I installed a Cisco ASA 5545 in HA.
I have several Address Pools, VPN Profiles and everything works perfectly.
I can reach all the VPN Pools from the internal network.
I can reach all the internal networks from the VPN Pools except one!
I am unable to reach the LAN interface (inside) of the ASA 5545, nor the hosts that are in the same network.

I'm thinking about a NAT/NO-NAT issue, but I can't solve this problem.

If someone can help me, it would be really nice.

Thank you very much.

Here is my configuration:


ASA Version 9.13(1)
!
hostname asa5545x-01
domain-name MyDomain.grp
enable password ***** pbkdf2
names
no mac-address auto
ip local pool POOL_USERS 10.160.92.1-10.160.95.254 mask 255.255.252.0
ip local pool POOL_ADMINS 10.160.102.1-10.160.102.254 mask 255.255.255.0
ip local pool POOL_NOMADES 10.160.136.1-10.160.137.254 mask 255.255.254.0

!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
description LAN/STATE Failover Interface
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description MGMT Interface
management-only
nameif management
security-level 100
ip address 10.160.140.241 255.255.255.0 standby 10.160.140.242
!
interface Redundant1
description OUT Interface
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
nameif internet
security-level 0
ip address 213.218.154.84 255.255.255.240
!
interface Redundant2
description IN Interface
member-interface GigabitEthernet0/2
member-interface GigabitEthernet0/3
nameif lan
security-level 100
ip address 10.160.28.1 255.255.255.0 standby 10.160.28.2
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup lan
dns server-group DefaultDNS
name-server 10.160.55.170 lan
name-server 10.160.55.175 lan
domain-name MyDomain.grp
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network gw_vlan_428
host 10.160.140.253
description vlan management
object network gw_vlan_28
host 10.160.28.254
description vlan interco lan
object network vlan_48
subnet 10.160.48.0 255.255.255.0
description vlan DSI
object network gw_vlan_774
host 213.218.154.81
description Gateway Internet
object network MyDomain_network
subnet 10.160.0.0 255.255.0.0
object network vpn_pool_users
subnet 10.160.92.0 255.255.252.0
object network vlan_46
subnet 10.160.46.0 255.255.255.0
description vlan ADMIN
object network vpn_pool_admins
subnet 10.160.102.0 255.255.255.0
object network vpn_pool_nomade
subnet 10.160.136.0 255.255.254.0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_8
protocol-object ip
protocol-object icmp
object-group service rdp tcp
description Remote Desktop
port-object eq 3389
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object udp destination eq snmp
service-object udp destination eq snmptrap
service-object udp destination eq syslog
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
service-object tcp
service-object icmp alternate-address
service-object icmp conversion-error
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object udp destination eq snmp
service-object udp destination eq snmptrap
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
service-object udp destination eq syslog
service-object tcp
object-group protocol DM_INLINE_PROTOCOL_10
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_11
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_12
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_13
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_14
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_15
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_9
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_16
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_17
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_18
protocol-object ip
protocol-object icmp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_19
protocol-object ip
protocol-object icmp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_20
protocol-object ip
protocol-object icmp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object vpn_pool_admins
network-object object vpn_pool_nomade
network-object object vpn_pool_users
object-group network DM_INLINE_NETWORK_2
network-object object vpn_pool_admins
network-object object vpn_pool_nomade
network-object object vpn_pool_users
object-group protocol DM_INLINE_PROTOCOL_21
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_3
network-object object vpn_pool_admins
network-object object vpn_pool_nomade
network-object object vpn_pool_users
object-group protocol DM_INLINE_PROTOCOL_22
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_23
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_24
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_25
protocol-object ip
protocol-object icmp
protocol-object tcp
access-list ACL_domain_ADMINS standard permit 10.160.0.0 255.255.0.0
access-list ACL_domain_ADMINS standard permit 10.0.0.0 255.0.0.0
access-list ACL_domain_ADMINS standard permit 10.90.0.0 255.255.0.0
access-list ACL_domain_ADMINS standard permit 10.196.0.0 255.255.0.0
access-list ACL_domain_ADMINS standard permit 172.23.0.0 255.255.0.0
access-list ACL_domain_ADMINS standard permit 10.145.0.0 255.255.0.0
access-list EXT_ACL_domain_USERS_ADMINS extended permit object-group DM_INLINE_PROTOCOL_21 object MyDomain_network any
access-list EXT_ACL_domain_USERS_ADMINS extended permit object-group DM_INLINE_SERVICE_1 any any log debugging
access-list EXT_ACL_domain_USERS_ADMINS extended permit object-group DM_INLINE_SERVICE_2 any any
access-list EXT_ACL_domain_USERS_ADMINS extended permit object-group DM_INLINE_PROTOCOL_25 any object MyDomain_network
access-list ACL_domain_RDP standard permit 10.160.0.0 255.255.0.0
access-list ACL_domain_NOMADES standard permit 10.160.0.0 255.255.0.0
access-list ACL_domain_NOMADES standard permit 10.196.0.0 255.255.0.0
access-list ACL_domain_NOMADES standard permit 10.90.0.0 255.255.0.0
access-list ACL_domain_NOMADES standard permit 172.23.0.0 255.255.0.0
access-list ACL_domain_NOMADES standard permit 10.0.0.0 255.0.0.0
access-list ACL_domain_NOMADES standard permit 10.145.0.0 255.255.0.0
access-list EXT_ACL_domain_USERS_RDP extended permit object-group DM_INLINE_PROTOCOL_1 object vpn_pool_users any
access-list EXT_ACL_domain_USERS_RDP extended permit object-group DM_INLINE_PROTOCOL_8 any object vpn_pool_users
access-list EXT_ACL_domain_USERS_NOMADES extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list EXT_ACL_domain_USERS_NOMADES extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 log debugging
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list ACL_domain_ANIMATEURS standard permit 10.160.0.0 255.255.0.0
access-list ACL_domain_KEEPCALL standard permit 10.160.0.0 255.255.0.0
access-list ACL_domain_KEEPCALL standard permit 10.145.0.0 255.255.0.0
access-list ACL_domain_DEV standard permit 10.160.0.0 255.255.0.0
access-list ACL_domain_DEV standard permit 10.0.0.0 255.0.0.0
access-list ACL_domain_DEV standard permit 10.90.0.0 255.255.0.0
access-list ACL_domain_DEV standard permit 10.196.0.0 255.255.0.0
access-list ACL_domain_DEV standard permit 172.23.0.0 255.255.0.0
access-list ACL_domain_DEV standard permit 10.145.0.0 255.255.0.0
access-list ACL_domain_RECEPTIF standard permit 10.160.0.0 255.255.0.0
access-list ACL_domain_MAROC standard permit 10.160.0.0 255.255.0.0
access-list EXT_ACL_USERS_ANIMATEURS extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list EXT_ACL_USERS_ANIMATEURS extended permit object-group DM_INLINE_PROTOCOL_6 any any
access-list EXT_ACL_USERS_RECEPTIF extended permit object-group DM_INLINE_PROTOCOL_14 any any
access-list EXT_ACL_USERS_RECEPTIF extended permit object-group DM_INLINE_PROTOCOL_15 any any
access-list EXT_ACL_USERS_MAROC extended permit object-group DM_INLINE_PROTOCOL_12 any any
access-list EXT_ACL_USERS_MAROC extended permit object-group DM_INLINE_PROTOCOL_13 any any
access-list EXT_ACL_USERS_DEV extended permit object-group DM_INLINE_PROTOCOL_7 any any
access-list EXT_ACL_USERS_DEV extended permit object-group DM_INLINE_PROTOCOL_9 any any
access-list EXT_ACL_USERS_KEEPCALL extended permit object-group DM_INLINE_PROTOCOL_10 any any
access-list EXT_ACL_USERS_KEEPCALL extended permit object-group DM_INLINE_PROTOCOL_11 any any
access-list lan_access_in extended permit object-group DM_INLINE_PROTOCOL_19 object MyDomain_network object-group DM_INLINE_NETWORK_2
access-list lan_access_in extended permit object-group DM_INLINE_PROTOCOL_24 213.218.154.80 255.255.255.240 any
access-list lan_access_in extended permit object-group DM_INLINE_PROTOCOL_20 object-group DM_INLINE_NETWORK_1 object MyDomain_network
access-list internet_access_in extended permit object-group DM_INLINE_PROTOCOL_22 object MyDomain_network any
access-list internet_access_in extended permit object-group DM_INLINE_PROTOCOL_23 object-group DM_INLINE_NETWORK_3 any
pager lines 24
logging enable
logging timestamp rfc5424
logging buffer-size 8192
logging trap debugging
logging asdm informational
logging host management 10.160.140.30
mtu management 1500
mtu internet 1500
mtu lan 1500
failover
failover lan unit secondary
failover lan interface FailoverLAN GigabitEthernet0/4
failover link FailoverLAN GigabitEthernet0/4
failover interface ip FailoverLAN 10.160.125.1 255.255.255.0 standby 10.160.125.2
failover ipsec pre-shared-key *****
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any lan
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
access-group internet_access_in in interface internet
access-group lan_access_in in interface lan
access-group EXT_ACL_domain_USERS_ADMINS global
route internet 0.0.0.0 0.0.0.0 213.218.154.81 1
route lan 10.0.0.0 255.0.0.0 10.160.28.254 1
route lan 10.148.0.0 255.255.0.0 10.160.28.254 1
route lan 10.160.0.0 255.255.0.0 10.160.28.254 1
route management 10.160.48.0 255.255.255.0 10.160.140.253 1
route lan 10.196.0.0 255.255.0.0 10.160.28.254 1
route lan 172.23.0.0 255.255.0.0 10.160.28.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
ldap attribute-map MAP_USERS_ADMINS
map-name memberOf Group-Policy
map-value memberOf CN=VPN_ADMINS,OU=VPN,OU=Groupes,OU=MyDomain,DC=MyDomain,DC=grp GroupPolicy_domain_USERS_ADMINS
ldap attribute-map MAP_USERS_ANIMATEURS
map-name memberOf Group-Policy
map-value memberOf CN=VPN_ANIMATEURS,OU=VPN,OU=Groupes,OU=MyDomain,DC=MyDomain,DC=grp GroupPolicy_domain_USERS_ANIMATEURS
ldap attribute-map MAP_USERS_DEV
map-name memberOf Group-Policy
map-value memberOf CN=VPN_DEV,OU=VPN,OU=Groupes,OU=MyDomain,DC=MyDomain,DC=grp GroupPolicy_domain_USERS_DEV
ldap attribute-map MAP_USERS_KEEPCALL
map-name memberOf Group-Policy
map-value memberOf CN=VPN_KEEPCALL,OU=VPN,OU=Groupes,OU=MyDomain,DC=MyDomain,DC=grp GroupPolicy_domain_USERS_KEEPCALL
ldap attribute-map MAP_USERS_MAROC
map-name memberOf Group-Policy
map-value memberOf CN=VPN_MAROC,OU=VPN,OU=Groupes,OU=MyDomain,DC=MyDomain,DC=grp GroupPolicy_domain_USERS_MAROC
ldap attribute-map MAP_USERS_NOMADES
map-name memberOf Group-Policy
map-value memberOf CN=VPN_NOMADES,OU=VPN,OU=Groupes,OU=MyDomain,DC=MyDomain,DC=grp GroupPolicy_domain_USERS_NOMADES
ldap attribute-map MAP_USERS_RDP
map-name memberOf Group-Policy
map-value memberOf CN=VPN_USERS,OU=VPN,OU=Groupes,OU=MyDomain,DC=MyDomain,DC=grp GroupPolicy_domain_USERS_RDP
ldap attribute-map MAP_USERS_RECEPTIF
map-name memberOf Group-Policy
map-value memberOf CN=VPN_RECEPTIF,OU=VPN,OU=Groupes,OU=MyDomain,DC=MyDomain,DC=grp GroupPolicy_domain_USERS_RECEPTIF
aaa-server AUTHENT_KERBEROS protocol kerberos
aaa-server AUTHENT_KERBEROS (lan) host 10.160.55.170
kerberos-realm MyDomain.GRP
aaa-server AUTHENT_KERBEROS (lan) host 10.160.55.175
kerberos-realm MyDomain.GRP
aaa-server AD_ADMINS protocol ldap
aaa-server AD_ADMINS (lan) host 10.160.55.170
server-port 389
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_ADMINS
aaa-server AD_ADMINS (lan) host 10.160.55.175
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_ADMINS
aaa-server AD_NOMADES protocol ldap
aaa-server AD_NOMADES (lan) host 10.160.55.170
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_NOMADES
aaa-server AD_NOMADES (lan) host 10.160.55.175
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_NOMADES
aaa-server AD_USERS protocol ldap
aaa-server AD_USERS (lan) host 10.160.55.170
ldap-base-dn DC=MyDomain,DC=grp
ldap-group-base-dn OU=VPN,OU=Groupe,OU=MyDomain,DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_RDP
aaa-server AD_USERS (lan) host 10.160.55.175
ldap-base-dn DC=MyDomain,DC=grp
ldap-group-base-dn OU=VPN,OU=Groupe,OU=MyDomain,DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_RDP
aaa-server AD_MAROC protocol ldap
aaa-server AD_MAROC (lan) host 10.160.55.170
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_MAROC
aaa-server AD_MAROC (lan) host 10.160.55.175
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_MAROC
aaa-server AD_ANIMATEURS protocol ldap
aaa-server AD_ANIMATEURS (lan) host 10.160.55.170
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_ANIMATEURS
aaa-server AD_ANIMATEURS (lan) host 10.160.55.175
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_ANIMATEURS
aaa-server AD_DEV protocol ldap
aaa-server AD_DEV (lan) host 10.160.55.170
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_DEV
aaa-server AD_DEV (lan) host 10.160.55.175
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_DEV
aaa-server AD_KEEPCALL protocol ldap
aaa-server AD_KEEPCALL (lan) host 10.160.55.170
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_KEEPCALL
aaa-server AD_KEEPCALL (lan) host 10.160.55.175
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_KEEPCALL
aaa-server AD_RECEPTIF protocol ldap
aaa-server AD_RECEPTIF (lan) host 10.160.55.170
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_RECEPTIF
aaa-server AD_RECEPTIF (lan) host 10.160.55.175
ldap-base-dn DC=MyDomain,DC=grp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=GenCISCO,OU=Comptes Systemes,OU=MyDomain,DC=MyDomain,DC=grp
server-type microsoft
ldap-attribute-map MAP_USERS_RECEPTIF
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 10.160.48.0 255.255.255.0 management
http 10.160.55.0 255.255.255.0 management
http 10.160.66.0 255.255.255.0 management
http 10.160.66.176 255.255.255.255 lan
http 10.160.46.0 255.255.255.0 management
http 10.160.66.135 255.255.255.255 lan
http 10.160.46.0 255.255.255.0 lan
snmp-server host lan 10.160.66.176 community ***** version 2c
snmp-server location FR
snmp-server contact infra@MyDomain.com
snmp-server community *****
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES245_2020
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES192_2020
protocol esp encryption aes-192
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES
crypto map internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet_map interface internet
crypto map lan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map lan_map interface lan
crypto ca trustpoint ASDM_dom.FR
keypair ASDM_dom.FR
crl configure
crypto ca trustpoint ASDM_2021_dom.FR
keypair ASDM_2021_dom.FR
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_dom.FR
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 21 20 19
prf sha256
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha256
group 21 20 19
prf sha256
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 21 20 19
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption aes
integrity sha
group 21 20 19
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 21 20 19
prf sha
lifetime seconds 86400
crypto ikev2 enable internet client-services port 443
crypto ikev2 enable lan client-services port 443
crypto ikev2 remote-access trustpoint ASDM_2021_dom.FR
crypto ikev1 enable internet
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 14
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 14
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 10.160.48.0 255.255.255.0 management
ssh 10.160.55.0 255.255.255.0 management
ssh 10.160.46.0 255.255.255.0 management
ssh 10.160.40.0 255.255.255.0 management
ssh 10.160.66.176 255.255.255.255 lan
ssh 10.160.46.0 255.255.255.0 lan
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
management-access management
vpn-addr-assign local reuse-delay 1
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.160.55.175 source lan
ntp server 10.160.55.170 source lan prefer
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl trust-point ASDM_2021_dom.FR internet
ssl trust-point ASDM_2021_dom.FR lan
webvpn
enable internet
enable lan
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
no anyconnect-essentials
anyconnect image disk0:/anyconnect-macos-4.8.03052-webdeploy-k9.pkg 1 regex "Intel Mac OS X"
anyconnect image disk0:/anyconnect-win-4.8.03052-webdeploy-k9.pkg 2 regex "Windows NT"
anyconnect profiles client_profile_domain_users_admins disk0:/client_profile_domain_users_admins.xml
anyconnect profiles client_profile_domain_users_keepcall disk0:/client_profile_domain_users_keepcall.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
application-type citrix-receiver default tunnel-group TEST
group-policy NOACCESS internal
group-policy NOACCESS attributes
dns-server value 10.160.55.170
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client
default-domain value MyDomain.grp
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_domain_USERS_KEEPCALL internal
group-policy GroupPolicy_domain_USERS_KEEPCALL attributes
dns-server value 10.160.55.170 10.160.55.175
vpn-simultaneous-logins 3
vpn-session-timeout none
vpn-filter value ACL_domain_KEEPCALL
vpn-tunnel-protocol ikev2 ssl-client
group-lock value domain_USERS_KEEPCALL
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_domain_KEEPCALL
default-domain value MyDomain.grp
split-tunnel-all-dns disable
address-pools value POOL_NOMADES
webvpn
anyconnect profiles value client_profile_domain_users_keepcall type user
group-policy GroupPolicy_domain_USERS_DEV internal
group-policy GroupPolicy_domain_USERS_DEV attributes
dns-server value 10.160.55.170 10.160.55.175
vpn-simultaneous-logins 3
vpn-session-timeout none
vpn-filter value EXT_ACL_USERS_DEV
vpn-tunnel-protocol ikev2 ssl-client
group-lock value domain_USERS_DEV
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_domain_DEV
default-domain value MyDomain.grp
split-tunnel-all-dns disable
address-pools value POOL_ADMINS
webvpn
anyconnect profiles value client_profile_domain_users_admins type user
group-policy GroupPolicy_domain_USERS_NOMADES internal
group-policy GroupPolicy_domain_USERS_NOMADES attributes
dns-server value 10.160.55.170 10.160.55.175
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout 600
vpn-filter value EXT_ACL_domain_USERS_NOMADES
vpn-tunnel-protocol ikev2 ssl-client
group-lock value domain_USERS_NOMADES
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_domain_NOMADES
default-domain value MyDomain.grp
address-pools value POOL_NOMADES
webvpn
anyconnect modules value nvm,vpngina
anyconnect profiles value client_profile_domain_users_admins type user
group-policy GroupPolicy_domain_USERS_ANIMATEURS internal
group-policy GroupPolicy_domain_USERS_ANIMATEURS attributes
dns-server value 10.160.55.170 10.160.55.175
vpn-simultaneous-logins 3
vpn-session-timeout none
vpn-filter value EXT_ACL_USERS_ANIMATEURS
vpn-tunnel-protocol ikev2 ssl-client
group-lock value domain_USERS_ANIMATEURS
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_domain_ANIMATEURS
default-domain value MyDomain.grp
split-tunnel-all-dns disable
address-pools value POOL_NOMADES
webvpn
anyconnect profiles value client_profile_domain_users_admins type user
group-policy GroupPolicy_domain_USERS_MAROC internal
group-policy GroupPolicy_domain_USERS_MAROC attributes
dns-server value 10.160.55.170 10.160.55.175
vpn-simultaneous-logins 3
vpn-session-timeout none
vpn-filter value EXT_ACL_USERS_MAROC
vpn-tunnel-protocol ikev2 ssl-client
group-lock value domain_USERS_MAROC
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_domain_MAROC
default-domain value MyDomain.grp
split-tunnel-all-dns disable
address-pools value POOL_USERS
webvpn
anyconnect profiles value client_profile_domain_users_admins type user
group-policy GroupPolicy_domain_USERS_ADMINS internal
group-policy GroupPolicy_domain_USERS_ADMINS attributes
dns-server value 10.160.55.170 10.160.55.175
vpn-simultaneous-logins 3
vpn-session-timeout none
vpn-filter value EXT_ACL_domain_USERS_ADMINS
vpn-tunnel-protocol ikev2 ssl-client
group-lock value domain_USERS_ADMINS
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_domain_ADMINS
default-domain value MyDomain.grp
split-tunnel-all-dns disable
address-pools value POOL_ADMINS
webvpn
anyconnect profiles value client_profile_domain_users_admins type user
group-policy GroupPolicy_domain_USERS_RDP internal
group-policy GroupPolicy_domain_USERS_RDP attributes
wins-server none
dns-server value 10.160.55.170 10.160.55.175
vpn-simultaneous-logins 3
vpn-session-timeout 600
vpn-filter value EXT_ACL_domain_USERS_RDP
vpn-tunnel-protocol ikev2 ssl-client
group-lock value domain_USERS_RDP
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_domain_RDP
default-domain value MyDomain.grp
split-tunnel-all-dns enable
address-pools value POOL_USERS
webvpn
anyconnect profiles value client_profile_domain_users_admins type user
dynamic-access-policy-record DfltAccessPolicy
username cpalitta password ***** pbkdf2 privilege 15
username sfalla password ***** pbkdf2 privilege 15
username tlallement password ***** pbkdf2 privilege 15
username kfaure password ***** pbkdf2 privilege 15
tunnel-group domain_USERS_RDP type remote-access
tunnel-group domain_USERS_RDP general-attributes
address-pool POOL_USERS
authentication-server-group AUTHENT_KERBEROS
authorization-server-group AD_USERS
default-group-policy NOACCESS
tunnel-group domain_USERS_RDP webvpn-attributes
group-alias domain_USERS_RDP enable
tunnel-group domain_USERS_NOMADES type remote-access
tunnel-group domain_USERS_NOMADES general-attributes
address-pool POOL_NOMADES
authentication-server-group AUTHENT_KERBEROS
authorization-server-group AD_NOMADES
default-group-policy NOACCESS
tunnel-group domain_USERS_NOMADES webvpn-attributes
group-alias domain_USERS_NOMADES enable
tunnel-group domain_USERS_ADMINS type remote-access
tunnel-group domain_USERS_ADMINS general-attributes
address-pool POOL_ADMINS
authentication-server-group AUTHENT_KERBEROS
authorization-server-group AD_ADMINS
default-group-policy NOACCESS
tunnel-group domain_USERS_ADMINS webvpn-attributes
group-alias domain_USERS_ADMINS enable
tunnel-group domain_USERS_MAROC type remote-access
tunnel-group domain_USERS_MAROC general-attributes
address-pool POOL_NOMADES
authentication-server-group AUTHENT_KERBEROS
authorization-server-group AD_MAROC
default-group-policy NOACCESS
tunnel-group domain_USERS_MAROC webvpn-attributes
group-alias domain_USERS_MAROC enable
tunnel-group domain_USERS_DEV type remote-access
tunnel-group domain_USERS_DEV general-attributes
address-pool POOL_ADMINS
authentication-server-group AUTHENT_KERBEROS
authorization-server-group AD_DEV
default-group-policy NOACCESS
tunnel-group domain_USERS_DEV webvpn-attributes
group-alias domain_USERS_DEV enable
tunnel-group domain_USERS_RECEPTIF type remote-access
tunnel-group domain_USERS_RECEPTIF general-attributes
address-pool POOL_NOMADES
authentication-server-group AUTHENT_KERBEROS
authorization-server-group AD_RECEPTIF
default-group-policy NOACCESS
tunnel-group domain_USERS_RECEPTIF webvpn-attributes
group-alias domain_USERS_RECEPTIF enable
group-url https://vpn.dom.fr/receptifs enable
tunnel-group domain_USERS_KEEPCALL type remote-access
tunnel-group domain_USERS_KEEPCALL general-attributes
address-pool POOL_NOMADES
authentication-server-group AD_KEEPCALL
authorization-server-group AD_KEEPCALL
default-group-policy NOACCESS
tunnel-group domain_USERS_KEEPCALL webvpn-attributes
group-alias domain_USERS_KEEPCALL enable
tunnel-group domain_USERS_ANIMATEURS type remote-access
tunnel-group domain_USERS_ANIMATEURS general-attributes
address-pool POOL_NOMADES
authentication-server-group AUTHENT_KERBEROS
authorization-server-group AD_ANIMATEURS
default-group-policy NOACCESS
tunnel-group domain_USERS_ANIMATEURS webvpn-attributes
group-alias domain_USERS_ANIMATEURS enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a557ac6fdee5cba9177580169dee1cb9
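As an added example (not part of the original post, and not Cisco tooling), the script below parses a constructed excerpt of the configuration above, using the same interface names, addresses, pool and group-policy as the post, and answers, for one address pool and one destination, the questions a reviewer would ask first: does the group-policy's split-tunnel list include the destination, which interface does the ASA pick for it (connected or static route), and, when the destination is one of the ASA's own interface addresses, is that interface the one named in management-access. Assumptions: the remote-access tunnels terminate on the interface passed as tunnel_if (defaulting to internet), and only standard ACLs are parsed; vpn-filter ACLs, object-groups and NAT are not modelled, so a clean report here is not proof that the path works.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of the posted running-config (names and addresses taken
# from the post; indentation restored). Only the statement types the checks
# below need are included.
SAMPLE_CONFIG = """
interface Redundant1
 nameif internet
 ip address 213.218.154.84 255.255.255.240
interface Redundant2
 nameif lan
 ip address 10.160.28.1 255.255.255.0 standby 10.160.28.2
interface Management0/0
 nameif management
 ip address 10.160.140.241 255.255.255.0 standby 10.160.140.242
ip local pool POOL_ADMINS 10.160.102.1-10.160.102.254 mask 255.255.255.0
access-list ACL_domain_ADMINS standard permit 10.160.0.0 255.255.0.0
access-list ACL_domain_ADMINS standard permit 10.0.0.0 255.0.0.0
route internet 0.0.0.0 0.0.0.0 213.218.154.81 1
route lan 10.0.0.0 255.0.0.0 10.160.28.254 1
route lan 10.160.0.0 255.255.0.0 10.160.28.254 1
management-access management
group-policy GroupPolicy_domain_USERS_ADMINS internal
group-policy GroupPolicy_domain_USERS_ADMINS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_domain_ADMINS
 address-pools value POOL_ADMINS
"""


def parse_asa(text):
    """Pull out the statement types that decide VPN-pool-to-inside reachability."""
    cfg = {"interfaces": {}, "pools": {}, "std_acls": defaultdict(list),
           "routes": [], "mgmt_access": None, "group_policies": defaultdict(dict)}
    nameif = gp = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        kw = parts[0]
        if kw == "interface":
            nameif = gp = None                      # new block; nameif follows
        elif kw == "nameif":
            nameif = parts[1]
        elif parts[:2] == ["ip", "address"] and nameif:
            cfg["interfaces"][nameif] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif parts[:3] == ["ip", "local", "pool"]:
            first, last = parts[4].split("-")
            cfg["pools"][parts[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif kw == "access-list" and parts[2:4] == ["standard", "permit"]:
            cfg["std_acls"][parts[1]].append(
                ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False))
        elif kw == "route":
            cfg["routes"].append(
                (parts[1], ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False), parts[4]))
        elif kw == "management-access":
            cfg["mgmt_access"] = parts[1]
        elif kw == "group-policy" and parts[-1] == "attributes":
            gp = parts[1]
        elif gp and kw == "split-tunnel-network-list":
            cfg["group_policies"][gp]["split_acl"] = parts[2]
        elif gp and kw == "address-pools":
            cfg["group_policies"][gp]["pool"] = parts[2]
    return cfg


def egress_for(cfg, dest):
    """Connected interface wins; otherwise the longest-prefix static route."""
    dest = ipaddress.ip_address(dest)
    for name, iface in cfg["interfaces"].items():
        if dest in iface.network:
            return name, "connected"
    best = None
    for ifname, net, gw in cfg["routes"]:
        if dest in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifname, net, gw)
    return (best[0], f"via {best[2]}") if best else (None, "no route")


def check_pool_to_dest(cfg, pool_name, dest, tunnel_if="internet"):
    """Report what the config says about traffic from one pool to one destination.

    tunnel_if is the interface the remote-access tunnels terminate on; 'internet'
    is an assumption for this post, not something the config states.
    """
    dest_ip = ipaddress.ip_address(dest)
    report = {"pool": pool_name, "pool_defined": pool_name in cfg["pools"],
              "dest": dest, "policies": {}}
    for gp, attrs in cfg["group_policies"].items():
        if attrs.get("pool") != pool_name:
            continue
        nets = cfg["std_acls"].get(attrs.get("split_acl"), [])
        # True when the destination is inside the split-tunnel list, i.e. the
        # client will actually send it through the tunnel at all.
        report["policies"][gp] = any(dest_ip in n for n in nets)
    report["egress"] = egress_for(cfg, dest)
    owner = next((n for n, i in cfg["interfaces"].items() if i.ip == dest_ip), None)
    report["asa_interface"] = owner
    if owner and owner != tunnel_if:
        # The ASA answers on an interface other than the tunnel's entry interface
        # only when that interface is the one named in management-access.
        report["management_access_ok"] = cfg["mgmt_access"] == owner
    return report


if __name__ == "__main__":
    cfg = parse_asa(SAMPLE_CONFIG)
    for target in ("10.160.28.1", "10.160.28.50", "10.196.5.5"):
        print(check_pool_to_dest(cfg, "POOL_ADMINS", target))
```

Run against the excerpt, the check for 10.160.28.1 reports egress lan/connected with the destination inside the split-tunnel list, but management_access_ok False: the posted config names management, not lan, in management-access, and an ASA only answers for an interface other than the tunnel's entry interface when that interface is the management-access one. For a host such as 10.160.28.50 the script finds nothing blocking on the ASA side, so the next things to look at are the pieces it does not model: the vpn-filter ACL applied to the group-policy and the return path those hosts take back to the pool.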

17 Replies

That's what I did too, and it doesn't work.

Is the ASA a dedicated VPN headend? So does your core switch have a route via the ASA for your RAVPN IP Pool networks? Or is the ASA your main firewall? Therefore you'd probably have a default route via the ASA.

ASA is only used for VPN.
We have a dedicated Firewall/Router that effectively routes VPN networks to the LAN/internal leg of the ASA.