07-23-2013 03:21 AM - edited 02-21-2020 07:02 PM
Hi folks,
ASA 5512-X, ver. 9.1(2). Internal network 192.168.0.0/16, internal gateway (ASA inside) 192.168.0.101, AnyConnect VPN clients get their addresses from a Windows 2008 DHCP server.
I've got the AnyConnect VPN tunnel connecting, but the problem is that the route that is pushed to the VPN client is completely wrong: 192.168.0.1. This IP address is not defined anywhere in the ASA, nor in the whole network. The route that should be pushed instead is the address of the ASA inside interface, that is 192.168.0.101. This implies that only the ASA itself is reachable when AnyConnect is active.
What's wrong here? Where can I define the gateway that should be pushed to the VPN client?
Another question is, why does the VPN client software replace the default gateway? I don't want all my traffic to go through the VPN tunnel, only traffic destined for the corporate network (that is, traffic to 192.168.0.0/16).
Anybody got any ideas?
Best regards,
Peter
07-23-2013 04:17 AM
Hi,
Can we see your IP pool address configs, as well as the full config of your AnyConnect? That might help with a more logical reasoning.
Cheers.
Teddy
07-23-2013 07:08 AM
Hi Teddy,
The address pool, or absence of any address pool, hasn't got any effect. I'm getting addresses from the corporate DHCP server (see my post above). The problem here is that the route that's pushed to the VPN client is wrong. The default gateway is terribly wrong. There can be no conflict with my remote network, as that is a 172.16.0.0/24 network. The relevant parts of my configuration are also appended below.
Thanks for your input.
Peter
Ethernet adapter Cisco AnyConnect VPN Client Connection:
Connection-specific DNS Suffix . : mylocaldomain.local
Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.128.13
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.201
: Saved
: Written by admin at 14:55:01.180 CEDT Tue Jul 23 2013
: Call-home enabled from prompt by enable_15 at 07:35:43 UTC Jul 13 2013
!
ASA Version 9.1(2)
!
hostname mygate
domain-name mylocaldomain.local
names
ip local pool VPNClientAddresses 192.168.128.1-192.168.144.254 mask 255.255.0.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 95.xxx.xxx.xxx 255.xxx.xxx.xxx
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.101 255.255.0.0
!
----
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.0.201
 name-server 78.xxx.xxx.xxx
 name-server 78.xxx.xxx.yyy
 domain-name mylocaldomain.local
same-security-traffic permit intra-interface
object network smtpservices
object network Server_Mail
 host 192.168.0.212
object service SSH_Service
 service tcp destination eq ssh
object service SMTP_Service
 service tcp destination eq smtp
object network Diagserver
 host 192.168.0.213
object network diagextip
 host 78.110.208.42
object network Servicehelper
 host 192.168.0.213
object service OpenVPN_Custom
 service udp destination eq 19455
object network FakeSSH
 host 192.168.0.213
object-group service OpenVPN-custom udp
 port-object eq 19455
object-group service VirtualSSH tcp
 port-object eq 18871
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group network DM_INLINE_NETWORK_1
 network-object 10.0.1.0 255.255.255.0
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.3.0 255.255.255.0
access-list outside_access_in extended permit object SMTP_Service any object Server_Mail
access-list outside_access_in extended permit tcp any object Diagserver eq www
access-list outside_access_in extended permit tcp any object Servicehelper eq ssh
access-list outside_access_in extended permit udp any object Servicehelper eq 19455
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit ip any any
access-list tcp_bypass extended permit ip any object-group DM_INLINE_NETWORK_1
access-list AnyConnect_Client_Local_Print extended permit ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp deny any outside
!
object network Server_Mail
 nat (inside,outside) static interface service tcp smtp smtp
object network Diagserver
 nat (inside,outside) static diagextip service tcp www www
object network Servicehelper
 nat (inside,outside) static interface service udp 19455 19455
object network FakeSSH
 nat (inside,outside) static interface service tcp ssh 18871
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 95.xxx.xxx.yyy 1
route inside 10.0.1.0 255.255.255.0 192.168.0.213 1
route inside 10.0.2.0 255.255.255.0 192.168.0.213 1
route inside 10.0.3.0 255.255.255.0 192.168.0.213 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
no vpn-addr-assign aaa
no vpn-addr-assign local
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles MainVPN_client_profile disk0:/MainVPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 keepout "Forbidden"
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.0.201 78.xxx.xxx.xxx
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 default-domain value mylocaldomain.local
group-policy GroupPolicy_MainVPN internal
group-policy GroupPolicy_MainVPN attributes
 wins-server none
 dns-server value 192.168.0.201 78.xxx.xxx.xxx
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value mylocaldomain.local
 webvpn
  anyconnect profiles value MainVPN_client_profile type user
tunnel-group DefaultRAGroup general-attributes
 dhcp-server 192.168.0.201
tunnel-group DefaultRAGroup webvpn-attributes
 authentication aaa certificate
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication certificate
tunnel-group MainVPN type remote-access
tunnel-group MainVPN general-attributes
 address-pool TempPool
 default-group-policy GroupPolicy_MainVPN
 dhcp-server 192.168.0.201
 scep-enrollment enable
 username-from-certificate use-entire-name
tunnel-group MainVPN webvpn-attributes
 group-alias MainVPN enable
tunnel-group-map enable rules
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
class-map tcp_bypass
 match access-list tcp_bypass
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect xdmcp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sunrpc
  inspect netbios
policy-map global-policy
 class global-class
  inspect icmp
  inspect dns
  inspect ftp
  inspect esmtp
  inspect icmp error
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
service-policy global-policy global
service-policy tcp_bypass_policy interface inside
smtp-server 192.168.0.212
07-23-2013 09:53 AM
Forgot to activate the address pool
Peter
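The fix Peter found above is visible in the posted config: `tunnel-group MainVPN general-attributes` references `address-pool TempPool`, while the only pool defined is `ip local pool VPNClientAddresses`. His second question (why the whole default route goes into the tunnel) is also a group-policy setting: on the ASA the tunnel scope comes from `split-tunnel-policy`, whose default is `tunnelall`; `split-tunnel-policy tunnelspecified` plus `split-tunnel-network-list value <ACL>` restricts it to the networks in the ACL. The following script is an added example, not code from the thread or from Cisco: it parses a running-config excerpt, resolves which group policy each tunnel-group uses, and reports an address-pool name that is not defined and a tunnel-all policy. Both configs in it are constructed excerpts: `POSTED_CONFIG` mirrors the relevant lines of the config above, and `FIXED_CONFIG` is an assumed corrected version (the ACL name `Split_Corp` is an assumption, not from the original post).

```python
"""Lint an ASA remote-access VPN config for the two problems discussed above."""
from collections import defaultdict

# Constructed excerpt of the configuration posted in the thread, indented the
# way the ASA prints it (forum pastes usually drop the leading spaces).
POSTED_CONFIG = """\
ip local pool VPNClientAddresses 192.168.128.1-192.168.144.254 mask 255.255.0.0
access-list inside_access_in extended permit ip any any
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.0.201
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
group-policy GroupPolicy_MainVPN internal
group-policy GroupPolicy_MainVPN attributes
 wins-server none
 dns-server value 192.168.0.201
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value mylocaldomain.local
 webvpn
  anyconnect profiles value MainVPN_client_profile type user
tunnel-group MainVPN type remote-access
tunnel-group MainVPN general-attributes
 address-pool TempPool
 default-group-policy GroupPolicy_MainVPN
 dhcp-server 192.168.0.201
"""

# Constructed corrected version (assumption, not from the thread): the pool name
# matches the defined pool and only 192.168.0.0/16 is tunnelled via the assumed
# ACL name Split_Corp.
FIXED_CONFIG = """\
ip local pool VPNClientAddresses 192.168.128.1-192.168.144.254 mask 255.255.0.0
access-list Split_Corp standard permit 192.168.0.0 255.255.0.0
group-policy GroupPolicy_MainVPN internal
group-policy GroupPolicy_MainVPN attributes
 dns-server value 192.168.0.201
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Corp
tunnel-group MainVPN type remote-access
tunnel-group MainVPN general-attributes
 address-pool VPNClientAddresses
 default-group-policy GroupPolicy_MainVPN
 dhcp-server 192.168.0.201
"""


def parse_asa(text):
    """Return (pools, acls, group_policies, tunnel_groups).

    Indented lines are attributes of the most recent 'group-policy X attributes'
    or 'tunnel-group X general-attributes' header; other sections are ignored.
    Each attribute is stored keyword -> rest of line, so 'address-pool TempPool'
    becomes {'address-pool': 'TempPool'}.
    """
    pools, acls = set(), set()
    gps, tgs = defaultdict(dict), defaultdict(dict)
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        words = raw.split()
        if raw[0] != " ":                       # top-level command ends any block
            current = None
            if words[:3] == ["ip", "local", "pool"]:
                pools.add(words[3])
            elif words[0] == "access-list":
                acls.add(words[1])
            elif words[0] == "group-policy" and words[-1] == "attributes":
                current = gps[words[1]]
            elif words[0] == "tunnel-group" and words[-1] == "general-attributes":
                current = tgs[words[1]]
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return pools, acls, dict(gps), dict(tgs)


def check_remote_access(text):
    """Return a list of findings; an empty list means both checks passed."""
    pools, acls, gps, tgs = parse_asa(text)
    findings = []
    for tg, attrs in tgs.items():
        pool = attrs.get("address-pool")
        if pool and pool not in pools:
            findings.append(f"tunnel-group {tg}: address-pool {pool} is not defined; "
                            f"defined pools: {sorted(pools) or 'none'}")
        gp_name = attrs.get("default-group-policy", "DfltGrpPolicy")
        if gp_name not in gps and gp_name != "DfltGrpPolicy":
            findings.append(f"tunnel-group {tg}: default-group-policy {gp_name} is not defined")
            continue
        # Attributes not set in the group policy are inherited from DfltGrpPolicy,
        # whose own default for split-tunnel-policy is tunnelall.
        gp, dflt = gps.get(gp_name, {}), gps.get("DfltGrpPolicy", {})
        policy = gp.get("split-tunnel-policy") or dflt.get("split-tunnel-policy") or "tunnelall"
        if policy == "tunnelall":
            findings.append(f"group-policy {gp_name}: split-tunnel-policy is tunnelall, "
                            f"so the client's default route goes through the tunnel")
        elif policy == "tunnelspecified":
            acl = gp.get("split-tunnel-network-list") or dflt.get("split-tunnel-network-list") or ""
            acl_name = acl.split()[-1] if acl.startswith("value ") else None
            if acl_name is None or acl_name not in acls:
                findings.append(f"group-policy {gp_name}: split-tunnel-network-list "
                                f"{acl!r} does not name a defined access-list")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in check_remote_access(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against a `show running-config` saved to a file by replacing the constructed strings with the file contents; the parser relies on the ASA's one-space indentation of sub-commands, so re-indent a paste that lost it first. The posted excerpt produces two findings (undefined pool, tunnel-all policy) and the corrected excerpt none.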
07-23-2013 12:29 PM
Hi Peter!
Sorry for responding late! But I should say from your last post you have it resolved now. I'm glad if that is the case, because there's just a lot to do, and sometimes we forget the nitty-gritty details that need to be looked into very well.
I've been in that position too! I forgot to do the same as the address pool you did. In my case I couldn't even get an IP, which was something that gave me an indication that I was missing the address pool.
Have a great one mate!
Cheers
Teddy