AnyConnect VPN doesn't access the ASA

Similar Messages

• Control what AnyConnect VPN clients can Access

  Hello!
  How do I ensure that my VPN users that are connected using AnyConnect VPN to my ASA5520 have the same access restrictions/permissions as those connected locally?
  Assign a pool in the same vlan/subnet as those connected locally?
  Any input helps. Thanks

  Your annyconnect RA clients should have unique separate network from any other internal subnets and you will find much easier management and administration as soon as you start creating different RA tunnels for different purposes in future, at least this is my practice and find easy to administer and/or troubleshoot. If you decide using VPN tunnel network the same as an inside subnet you may encounter problems down the road which will be hard to troubleshoot.
  Now you have VLAN10 subnet internally, if I understand correctly you want RA clients have the same access VLAN10 users have,my question to you is what type of access are you refering to? does VLAN10 users have access to certain internal networks or specific hosts and some don't? if this is so when you use vpn filters build the same access control you have defined for VLAN10 users, you don't necessarily have to create per user vpn filers but rather a group policy defining the permit access through the acl and apply it to the Annyconnect RA tunnel if the intend is for the whole tunnel group, just as shown in the RA vpn filter example link posted excluding the per user vpn filer.
  Rgds
  Jorge

• I can't access my university VPN with my iPad or iPhone but I can access it with my Mac. I was wondering if there is a simple way so that I can remotely access my home computer from the iPad, turn on the Mac VPN and then access the school network?

  The iosx and open VPN app on the iPad/phone aren't compatible w my school's VPN, but my Mac is via tunnelblick. I would really like to have VPN access from my tablet so I can access journals without undergoing a tedious process.
  Has anyone encountered this and found a remedy? I'm imagining an app from the tablet that can access the Mac at home to turn on the VPN to the school and then have access.. But then I'm thinking id be reading through 2 screens then formatting/resolution could be a problem.
  Another thought was setting up a VPN at home so that my iPad can connect to my computer at home via VPN which would then allow me easy access to journals. But I'm lacking experience in this, especially a security issue as I'm going from point A to point C to get back to point B.
  I'm open to any suggestions.
  Thanks

  You should be able to use the OpenVPN Connect app running on your iPad to connect your iPad to the VPN directly. It is an official OpenVPN client for iOS devices.
  In what way is it "not compatible"? Have you tried it? Tunnelblick is an OpenVPN client, so your school's VPN is using the OpenVPN protocol. That means any OpenVPN client should be able to access it. (It is possible, but unlikely, that your school uses encryption that is not available on the iPad, but that would be very unusual.)
  Otherwise, a remote control app on your iPad would let you control your Mac at home. "Back to My Mac", for example, would allow you to control your Mac remotely. The tricky part of this is that usually a VPN is set up to send all Internet traffic via the VPN server, and I'm not sure how that would work with "Back to My Mac".

• Re: Internet Browser doesn't access the Internet after Enterprise Activation

  do you know how to tell if i am using my blackberry unlimited internet? or am using my mobiles net?

  Hi dinodog4
  Go into Options>Advanced Options>Browser and make sure your Default Browser Configuration is set to Internet Browser.  This will ensure you are using your BlackBerry data service.
  Thanks
  -CptS
  Come follow your BlackBerry Technical Team on twitter! @BlackBerryHelp
  Be sure to click Kudos! for those who have helped you.Click Solution? for posts that have solved your issue(s)!

• VPN session established but cannot access trusted LAN segment on the ASA

  Just a roundup of my Cisco ASA configuration...
  1) Configure remote access IPSec VPN
  2) Group Policies - vpntesting
  3) AES256 SHA DH group 5
  4) Configure local user vpntesting
  5) Configure dhcp pool - 10.27.165.2 to 10.27.165.128 mask /24
  6) open access on outside interface
  7) IKE group - vpntesting
  A) Did I miss anything?
  B) For example, there is a LAN segment - 10.27.40.x/24  on the trusted leg of the Cisco ASA but I can't access it. Do I need to  create access lists to allow my VPN session to access the trust LANs?
  C) Any good guide for configuring remote access VPN using ASDM?

  I have couple of issues with my EasyVPN server and Cisco VPN Client on Win7.
  1: Sometimes, clients are connected, connection shows established but no traffic or pings can be made to corp network. I might have to do with NAT settings to except VPN traffic from being NATed.
  2: VPN Clients don't pick the same IP address from local address pool even though I specified "RECYLE" option.
  I would apprecaite if you look at my configuration and advise any mis-config or anything that needs to be corrected.
  Thank you so much.
  Configuration:
  TQI-WN-RT2911#sh run
  Building configuration...
  Current configuration : 7420 bytes
  ! Last configuration change at 14:49:13 UTC Fri Oct 12 2012 by admin
  ! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
  ! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname TQI-WN-RT2911
  boot-start-marker
  boot-end-marker
  logging buffered 51200 warnings
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa authorization network default local
  aaa session-id common
  no ipv6 cef
  ip source-route
  ip cef
  ip dhcp remember
  ip domain name telquestintl.com
  multilink bundle-name authenticated
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-2562258950
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-2562258950
  revocation-check none
  rsakeypair TP-self-signed-2562258950
  crypto pki certificate chain TP-self-signed-2562258950
  certificate self-signed 01
              quit
  license udi pid CISCO2911/K9 sn ##############
  redundancy
  track 1 ip sla 1 reachability
  delay down 10 up 20
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key ############## address 173.161.255.###
  255.255.255.240
  crypto isakmp client configuration group EASY_VPN
  key ##############
  dns 10.10.0.241 10.0.0.241
  domain domain.com
  pool EZVPN-POOL
  acl VPN+ENVYPTED_TRAFFIC
  save-password
  max-users 50
  max-logins 10
  netmask 255.255.255.0
  crypto isakmp profile EASY_VPN_IKE_PROFILE1
     match identity group EASY_VPN
     client authentication list default
     isakmp authorization list default
     client configuration address respond
     virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec profile EASY_VPN_IPSec_PROFILE1
  set security-association idle-time 86400
  set transform-set ESP-3DES-SHA
  set isakmp-profile EASY_VPN_IKE_PROFILE1
  crypto map VPN_TUNNEL 10 ipsec-isakmp
  description ***TUNNEL-TO-FAIRFIELD***
  set peer 173.161.255.241
  set transform-set ESP-3DES-SHA
  match address 105
  interface Loopback1
  ip address 10.10.30.1 255.255.255.0
  interface Tunnel1
  ip address 172.16.0.2 255.255.255.0
  ip mtu 1420
  tunnel source GigabitEthernet0/0
  tunnel destination 173.161.255.241
  tunnel path-mtu-discovery
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  description Optonline  WAN secondary
  ip address 108.58.179.### 255.255.255.248 secondary
  ip address 108.58.179.### 255.255.255.248
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map VPN_TUNNEL
  interface GigabitEthernet0/1
  description T1 WAN Link
  ip address 64.7.17.### 255.255.255.240
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface GigabitEthernet0/2
  description LAN
  ip address 10.10.0.1 255.255.255.0 secondary
  ip address 10.10.0.3 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface Virtual-Template1 type tunnel
  ip unnumbered Loopback1
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile EASY_VPN_IPSec_PROFILE1
  router eigrp 1
  network 10.10.0.0 0.0.0.255
  network 10.10.30.0 0.0.0.255
  network 172.16.0.0 0.0.0.255
  router odr
  router bgp 100
  bgp log-neighbor-changes
  ip local pool EZVPN-POOL 10.10.30.51 10.10.30.199 recycle delay
  65535
  ip forward-protocol nd
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip nat inside source route-map OPTIMUM-ISP interface
  GigabitEthernet0/0 overload
  ip nat inside source route-map T1-ISP interface GigabitEthernet0/1
  overload
  ip nat inside source static tcp 10.10.0.243 25 108.58.179.### 25
  extendable
  ip nat inside source static tcp 10.10.0.243 80 108.58.179.### 80
  extendable
  ip nat inside source static tcp 10.10.0.243 443 108.58.179.### 443
  extendable
  ip nat inside source static tcp 10.10.0.220 3389 108.58.179.### 3389
  extendable
  ip nat inside source static tcp 10.10.0.17 12000 108.58.179.###
  12000 extendable
  ip nat inside source static tcp 10.10.0.16 80 108.58.179.### 80
  extendable
  ip nat inside source static tcp 10.10.0.16 443 108.58.179.### 443
  extendable
  ip nat inside source static tcp 10.10.0.16 3389 108.58.179.### 3389
  extendable
  ip route 0.0.0.0 0.0.0.0 108.58.179.### track 1
  ip route 0.0.0.0 0.0.0.0 64.7.17.97 ##
  ip access-list extended VPN+ENVYPTED_TRAFFIC
  permit ip 10.10.0.0 0.0.0.255 any
  permit ip 10.0.0.0 0.0.0.255 any
  permit ip 10.10.30.0 0.0.0.255 any
  ip sla 1
  icmp-echo 108.58.179.### source-interface GigabitEthernet0/0
  threshold 100
  timeout 200
  frequency 3
  ip sla schedule 1 life forever start-time now
  access-list 1 permit 10.10.0.0 0.0.0.255
  access-list 2 permit 10.10.0.0 0.0.0.255
  access-list 100 permit ip 10.10.0.0 0.0.0.255 any
  access-list 105 remark ***GRE-TRAFFIC TO FAIRFIELD***
  access-list 105 permit gre host 108.58.179.### host 173.161.255.###
  route-map T1-ISP permit 10
  match ip address 100
  match interface GigabitEthernet0/1
  route-map OPTIMUM-ISP permit 10
  match ip address 100
  match interface GigabitEthernet0/0
  control-plane
  line con 0
  line aux 0
  line 2
  no activation-character
  no exec
  transport preferred none
  transport input all
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  stopbits 1
  line vty 0 4
  privilege level 15
  transport input telnet ssh
  line vty 5 15
  privilege level 15
  transport input telnet ssh
  scheduler allocate 20000 1000
  end
  TQI-WN-RT2911#

• ASA 5505 Anyconnect VPN Users can't access Internet

  Vpn user cannot access the internet but able to ping the lan network (192.168.1.0).. it seem like im missing a lan or nat rule.. Possibly allowing the vpn subnet 192.168.2.0 /24 to pass through to the internet.  Im looking to accomplish this without split tunneling.. Thanks

  on 8.2.5 version or lower:  Let say your inside hosts are accessing Internet by using dynamic nat index "1" and now you can use the same nat index "1" allow your vpn-pool range to be part of the same dynamic-nat index "1" to access the Internet.  Note I am natting source interface is be outside for vpn-client users because they (vpn-users) are physically coming off the outside interface.
  nat (outside) 1 192.168.2.0 255.255.255.0
  on 8.3 version or greater:  
  object network vpn-user-subnet
   subnet 192.168.2.0 255.255.255.0
   nat (outside,outside) dynamic interface
  Hope this helps.
  Thanks
  Rizwan Rafeek

• Anyconnect VPN PING replies from NAT address

  I have been attmepting to setup an Anyconnect client to access an internal LAN via an ASA running 8.6(1)2.
  The VPN client connects to the ASA successfully, and I get an IP address from the pool on the ASA, so far so good.
  I have an issue whereby a ping from a AnyConnect VPN client to an inside host that has a static nat translation is getting a response from the nat (public) address rather than its real (inside) address as below:
  C:\ ping 10.191.16.3 (inside host that is natted to lets say 123.123.123.123 on the ASA)
  Pinging 10.191.16.3 with 32 bytes of data:
  Reply from 123.123.123.123: bytes=32 time=62ms TTL=127
  How do I get the response to come from the real address?  Pinging inside hosts that do not have static NAT entries are ok.
  Below is what I beleive are the relevant parts of the config..(Let me know if more is needed and I can post)
  interface Redundant1
  member-interface GigabitEthernet0/1
  member-interface GigabitEthernet0/3
  nameif InsideNet99
  security-level 100
  ip address 10.191.99.251 255.255.255.0
  object network VPNClients
  subnet 10.191.18.0 255.255.255.0
  object network inside_network
  subnet 10.191.16.0 255.255.254.0
  nat (inside,outside) source static inside_network inside_network destination static VPNClients VPNClients no-proxy-arp route-lookup
  object network inside_network
  nat (inside,outside) dynamic interface
  route inside 10.191.16.0 255.255.254.0 10.191.99.254 1
  nat (inside,outside) source static 10.191.16.3 123.123.123.123

  Hi,
  Many thanks for taking the time to reply.
  Here is the output you requested...
  The only things I have changed are public IP's (I changed the names of a few things in the original post).
  FIREWALL-01# sh run nat
  nat (InsideNet99,outside) source static fp-private fp-public
  nat (InsideNet99,outside) source static tmg-private tmg-public
  nat (InsideNet99,outside) source static ex-private ex-public
  nat (InsideNet99,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.191.18.0_24 NETWORK_OBJ_10.191.18.0_24 no-proxy-arp route-lookup
  object network VRF-VLAN2
  nat (InsideNet99,outside) dynamic interface
  object network VRF-VLAN3
  nat (InsideNet99,outside) dynamic interface
  object network VRF-VLAN5
  nat (InsideNet99,outside) dynamic interface
  object network VRF-VLAN12
  nat (InsideNet99,outside) dynamic interface
  object network WIFIPUBLIC
  nat (wifipublic,outside) dynamic interface
  object network VRF-VLAN11
  nat (InsideNet99,outside) dynamic interface
  object network VRF-VLAN17
  nat (InsideNet99,outside) dynamic interface
  FIREWALL-01#
  Other info...
  object network fp-public
  host ***.***.***.***
  object network VRF-VLAN11
  subnet 10.191.16.0 255.255.254.0
  object network fp-private
  host 10.191.16.1
  object network tmg-private
  host 10.191.16.3
  object network ex-public
  host **.***.***.***
  object network tmg-public
  host 123.123.123.123
  object network ex-private
  host 10.191.16.2
  object network NETWORK_OBJ_10.191.18.0_24
  subnet 10.191.18.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_1
  network-object object VRF-VLAN11
  The VPN client has address 10.191.18.1, pinging 10.191.16.3 and getting reply from 123.123.123.123 (The public address of 10.191.16.3).
  (123.123.123.123 used for purposes of this forum, not real address).
  btw, I can PING other devices on 10.191.16.0/23 that do not have static NATs on the ASA and they respond correctly from the real IP.

• VPN clients cannot access to Remote location

  I have setup the VPN remote access to ASA 5520. The login is working. The users can access to the local network. But they can't access to the remote network through the tunnel. Is it the NAT setting need to be set for the tunnel or the VPN client to allow the VPN client access to the remote network?
  Thanks                  

  Hi Chieu,
  There are couple of questions I have for you that might help me to help you too!
  First what software code are you using?
  Can you post a descent config of your device?
  Do you have multiple vlans in your network?
  Did you implement routing for your remote vpn subnet to access the lan?
  What is your topology like?
  Once I get a good grasp of these we might be able to resolve your problem together.
  Thanks
  Teddy

• VPN - can't access internet over VPN

  Hi,
  I have an issue with VPN.
  For my work I need to be able to log into my office network remotely and then access remote desktop connection from within my work network.
  This won't work unless I am accessing the internet from inside the VPN.
  I have got this working on a PC, just had to select "Use default gateway on remote network" and now when I access the VPN on a windows laptop I am accessing the internet over the VPN.
  When I connect to the VPN on the Mac I can access the network, email server, file servers etc, but can not access the internet through the VPN.
  I have tried:
  - changing the service order
  - ticking and unpicking the send all traffic over VPN setting
  I can get to the point where I can access my work network over the VPN while also accessing the internet over my wifi but cannot get it so I can access the internet over the VPN connection. It is a PPTP VPN.
  Does anyone know how I get my Mac to use the default gateway on the remote network?

  If this server is behind a (NAT-) router you need to turn on "ipforwarding only" in Server Admin NAT configuration otherwise the server wont route packets beyond it's subnet.

• Vpn client can access internet but cannot access internal network

  I am using PIX 501 to setup a VPN. At first the VPN client cannot access the internet once they logged in via the Cisco system vpn client, so i enable split tunneling. Now the VPN client can access the internet but they can't access the internal network.Due to the limited characters can be posted here, only necessary IOS coding is posted on the next message. Who knows how to solve this problem? Pls Help.....

  enable password ********** encrypted
  passwd ********** encrypted
  hostname Firewall
  domain-name aqswdefrgt.com.sg
  access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
  access-list nat permit tcp any host 65.165.123.142 eq smtp
  access-list nat permit tcp any host 65.165.123.142 eq pop3
  access-list nat permit tcp any host 65.165.123.143 eq smtp
  access-list nat permit tcp any host 65.165.123.143 eq pop3
  access-list nat permit tcp any host 65.165.123.143 eq www
  access-list nat permit tcp any host 65.165.123.152 eq smtp
  access-list nat permit tcp any host 65.165.123.152 eq pop3
  access-list nat permit tcp any host 65.165.123.152 eq www
  access-list nat permit tcp any host 65.165.123.143 eq https
  access-list nat permit icmp any any
  ip address outside 65.165.123.4 255.255.255.240
  ip address inside 192.168.1.2 255.255.255.0
  ip verify reverse-path interface outside
  ip local pool clientpool 192.168.50.1-192.168.50.50
  global (outside) 1 interface
  nat (inside) 0 access-list 100
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255
  .255 0 0
  static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.
  255.255 0 0
  static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.
  255.255 0 0
  static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.25
  5.255 0 0
  static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255
  .255.255 0 0
  access-group nat in interface outside
  route outside 0.0.0.0 0.0.0.0 65.165.123.1 1
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  aaa-server plexus protocol radius
  aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set myset esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto dynamic-map cisco 1 set transform-set myset
  crypto map dyn-map 20 ipsec-isakmp dynamic cisco
  crypto map dyn-map client authentication plexus
  crypto map dyn-map interface outside
  isakmp enable outside
  isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  isakmp policy 40 authentication pre-share
  isakmp policy 40 encryption 3des
  isakmp policy 40 hash md5
  isakmp policy 40 group 2
  isakmp policy 40 lifetime 86400
  vpngroup vpn3000 address-pool clientpool
  vpngroup vpn3000 dns-server 192.168.1.55
  vpngroup vpn3000 wins-server 192.168.1.55
  vpngroup vpn3000 default-domain aqswdefrgt.com.sg
  vpngroup vpn3000 idle-time 1800
  vpngroup vpn3000 password ********
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  terminal width 80

• CiscoSystems AnyConnect VPN Client 3.0.3054 Posture module

  Hello,
  I have aproblem installing the posture module of AnyConnect VPN Client. During the installation I get an error:
  "Product: Cisco AnyConnect Posture Module -- Error 1335. The cabinet file 'disk1.cab' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package."
  I found out that this error appears when I'm installing from a local copy of the files from the ISO. If the installation is from a virtual drive it installs fine.
  I need to install the client to multiple users so I have to use the source out of the ISO.
  Is there a way to to install this module from HDD?
  Thanks in advance!
  Iliyan

  Thanks for your reply.
  The problem was because of brocken source.
  I downloaded it from another location and everything is fine now
  The discussion can be closed.

• Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

  Hi Guys,
  I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
  Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
  For some odd reason, I am able to ping the following, with no issues.
  Cisco 3750 SVI (192.168.1.3)
  CentOS web server (connected directly to the Cisco ASA 5505)
  I have checked and enable the following:
  Nat Exemption
  Sysopt connection permit-vpn
  ACL's
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  Added ICMP in the inspection policy
  Packet-capture - Only getting echo requests.
  Thanks in advance!

  Hi,
  I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
  object network acvpnpool
  subnet <anyconnect VPN Subnet>
  object network insidelan
  subnet <inside lan subnet>
  nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
  Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
  Regards
  Karthik

• ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp

  Hello all,
  I've been searching all day for a solution to this problem. I setup and SSL anyconnect VPN on my Cisco ASA 5505. It works well and connects with out a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config so I will as well.
  MafSecASA# show run
  : Saved
  ASA Version 8.2(1)
  hostname MafSecASA
  domain-name mafsec.com
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.4.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 7.3.3.2 255.255.255.248
  interface Vlan3
  no forward interface Vlan1
  nameif dmz
  security-level 50
  ip address 172.20.1.1 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  speed 100
  duplex full
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  switchport access vlan 3
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name mafsec.com
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object tcp
  protocol-object udp
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object ip
  protocol-object udp
  protocol-object tcp
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_3
  protocol-object ip
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_4
  protocol-object ip
  protocol-object icmp
  access-list inside_access_in extended permit icmp any any
  access-list inside_access_in extended permit ip any any
  access-list inside_access_in remark allow remote users to internal users
  access-list inside_access_in remark allow remote users to internal users
  access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
  access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any
  access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
  access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
  ip verify reverse-path interface outside
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound_1
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication enable console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 10.4.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 5
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 10
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 10.4.0.0 255.255.255.0 inside
  ssh timeout 5
  ssh version 2
  console timeout 0
  dhcpd option 6 ip 8.8.8.8 8.8.4.4
  dhcpd address 10.4.0.15-10.4.0.245 inside
  dhcpd dns 8.8.8.8 8.8.4.4 interface inside
  dhcpd lease 86400 interface inside
  dhcpd option 3 ip 10.4.0.1 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
  svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
  svc enable
  tunnel-group-list enable
  group-policy SSLVPN internal
  group-policy SSLVPN attributes
  dns-server value 8.8.8.8 8.8.4.4
  vpn-tunnel-protocol svc
  group-lock none
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value inside_split_tunnel
  vlan none
  address-pools value SSLVPNPool2
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  username user1 password
  username user1 attributes
  service-type remote-access
  username user2 password
  tunnel-group SSLVPNGROUP type remote-access
  tunnel-group SSLVPNGROUP general-attributes
  address-pool SSLVPNPool2
  default-group-policy SSLVPN
  tunnel-group SSLVPNGROUP webvpn-attributes
  group-alias SSLVPN enable
  prompt hostname context
  Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
  : end
  Thank in advance for any help!

  Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a windows firewall issue on the PCs?  I'd try pinging a router or switch just to make sure.
  --Jason

• Securing AnyConnect VPN user access via specific LDAP groups in Active Directory?

  Is there a brief tutorial on how to secure AnyConnect VPN access using Active Directoty security groups?
  I have AAA LDAP authentication working on my ASA5510, to authenticate users against my internal AD 2008 R2 server, but the piece I'm missing is how to lock down access to AnyConnect users ONLY if they are a member of a specific Security Group (i.e. VPNUsers) within my AD schema.

  This looks fairly complete
  http://www.compressedmatter.com/guides/2010/8/19/cisco-asa-ldap-authentication-authorization-for-vpn-clients.html
  Sent from Cisco Technical Support iPad App

• AnyConnect VPN Clients IP Address access rules

  I setup ASA5540 for SSL-VPN (clientless) works fine.
  But I try to use Client (AnyConnect) to access internal resources, it is failed.  It is stiil initiate sessions from remote client IP.
  I need to initiate session from client IP assigned by ASA5540 box (same with Cisco VPN client connect to Cat65 SVC module).
  How I setup it?

  I use Cisco VPN client (remote access VPN)to connect ASA.
  There is a configuration setup for group authentication/w password on Cisco VPN client.I do not know to setup on ASA to match this?
  Second, remote client  connect ASA, I should get the client IP address which I setup on ASA.
  It should use this IP to connect ASA internal net,but I failed.( Both Cisco VPN and AnyConnect)
  How I setup this ( SSL VPN on this ASA works).