AnyConnect VPN doesn't access the ASA
Hello,
I have an ASA 5512-X configured as an AnyConnect VPN concentrator, but when I connect I can't access the firewall... I can ping the address 10.4.11.2 but I can't connect... Any idea what to do? This is the running configuration:
: Saved
ASA Version 8.6(1)2
hostname asa-oi
domain-name xx.xx.xx.xx
enable password 7Hb0WWuK1NRtRaEy encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 1.1.1.1 DefaultGW-Outside description Default Gateway Outside
name 10.4.11.1 DefaultGW-Inside description Default Gateway Inside
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.4.11.2 255.255.255.0
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
interface GigabitEthernet0/5.2000
vlan 2000
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone BRST -3
clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 1.1.1.1
name-server 1.1.1.2
domain-name xx.xx.xx.xx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PoolAnyConnect
subnet 10.6.4.0 255.255.252.0
access-list outside_in extended permit ip any any
access-list tunneled standard permit 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 1048576
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PoolAnyConnect 10.6.4.1-10.6.7.254 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-66114.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static PoolAnyConnect PoolAnyConnect no-proxy-arp route-lookup
nat (outside,inside) source static PoolAnyConnect PoolAnyConnect no-proxy-arp route-lookup
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 DefaultGW-Outside 1
route inside 10.0.0.0 255.0.0.0 DefaultGW-Inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 3.3.3.3
timeout 5
ldap-base-dn o=xx
ldap-scope subtree
ldap-naming-attribute sAMAccountName
server-type novell
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 2.2.2.2 255.255.255.240 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 2.2.2.2 255.255.255.240 outside
ssh timeout 10
console timeout 10
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 aes256-sha1 3des-sha1
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GrpPolicyAnyConnect internal
group-policy GrpPolicyAnyConnect attributes
dns-server value 1.1.1.1 1.1.1.2
vpn-simultaneous-logins 1000
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value tunneled
default-domain value xx.xx.xx.xx
username admin password Dp4l7Cmqr7SMHl.l encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool PoolAnyConnect
authentication-server-group LDAP
default-group-policy GrpPolicyAnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ctiqbe
inspect http
inspect dcerpc
inspect dns
inspect icmp
inspect icmp error
inspect ils
inspect ipsec-pass-thru
inspect mgcp
inspect pptp
inspect snmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9399e42e238b5824eebaa115c93ad924
: end
Btw, I changed the NAT configuration a lot of times trying to solve the problem; this one is the current one...
I don't remember if I already tried it; anyway, I tried it now:
asa-oi(config)# sh run nat
nat (inside,outside) source static any any destination static PoolAnyConnect PoolAnyConnect route-lookup
nat (outside,inside) source static PoolAnyConnect PoolAnyConnect route-lookup
but no difference, I had the same problem...
Btw, when I try to connect via SSH, these log messages appear (don't know if it can help):
Syslog ID: 302013
Source IP Add: 10.6.4.1
Source Port: 2181
Dest IP Add: 10.4.11.2
Dest Port: 22
Description: Built inbound TCP connection 202412 for outside:10.6.4.1/2181 (10.6.4.1/2181)(LOCAL\VpnAnyConnect) to identity:10.4.11.2/22 (10.4.11.2/22) (VpnAnyConnect)
Syslog ID: 302014
Source IP Add: 10.6.4.1
Source Port: 2181
Dest IP Add: 10.4.11.2
Dest Port: 22
Description: Teardown TCP connection 202412 for outside:10.6.4.1/2181(LOCAL\VpnAnyConnect) to identity:10.4.11.2/22 duration 0:00:30 bytes 0 SYN Timeout (VpnAnyConnect)
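As an added troubleshooting aid (not part of the original post): a small Python parser that pairs the ASA 302013/302014 syslog messages by connection id and flags sessions to the box itself (destination interface identity) that were built, so not dropped by an ACL, but died with bytes 0 SYN Timeout, which is exactly the pattern in the two messages above. The sample lines are constructed after those two messages plus a healthy RDP session from the same client for contrast; other 302013/302014 variants (UDP, no username) are not handled.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines, modelled on the two %ASA-6-302013 / %ASA-6-302014 messages
# quoted in the post, plus a healthy RDP session from the same client for contrast.
SAMPLE_LOG_LINES = [
    r"%ASA-6-302013: Built inbound TCP connection 202412 for outside:10.6.4.1/2181 (10.6.4.1/2181)(LOCAL\VpnAnyConnect) to identity:10.4.11.2/22 (10.4.11.2/22) (VpnAnyConnect)",
    r"%ASA-6-302014: Teardown TCP connection 202412 for outside:10.6.4.1/2181(LOCAL\VpnAnyConnect) to identity:10.4.11.2/22 duration 0:00:30 bytes 0 SYN Timeout (VpnAnyConnect)",
    r"%ASA-6-302013: Built inbound TCP connection 202413 for outside:10.6.4.1/2190 (10.6.4.1/2190)(LOCAL\VpnAnyConnect) to inside:10.4.11.50/3389 (10.4.11.50/3389) (VpnAnyConnect)",
    r"%ASA-6-302014: Teardown TCP connection 202413 for outside:10.6.4.1/2190(LOCAL\VpnAnyConnect) to inside:10.4.11.50/3389 duration 0:05:12 bytes 184320 TCP FINs (VpnAnyConnect)",
]

# Built: "... connection <id> for <src_if>:<ip>/<port> ... to <dst_if>:<ip>/<port> ..."
BUILT_RE = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) .*? "
    r"to (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
# Teardown: "... connection <id> for ... duration h:mm:ss bytes <n> <reason> (<user>)"
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<id>\d+) for .*? duration (?P<dur>\d+:\d+:\d+) "
    r"bytes (?P<bytes>\d+) (?P<reason>[A-Za-z ]+?)(?: \([^)]*\))?\s*$"
)


@dataclass
class Conn:
    conn_id: str
    src_if: str
    src: str
    dst_if: str
    dst: str
    byte_count: Optional[int] = None   # filled in from the matching Teardown message
    reason: Optional[str] = None


def parse_connections(lines: List[str]) -> Dict[str, Conn]:
    """Pair Built (302013) and Teardown (302014) messages by connection id."""
    conns: Dict[str, Conn] = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            conns[m["id"]] = Conn(m["id"], m["sif"], f"{m['sip']}/{m['sport']}",
                                  m["dif"], f"{m['dip']}/{m['dport']}")
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in conns:
            conns[m["id"]].byte_count = int(m["bytes"])
            conns[m["id"]].reason = m["reason"]
    return conns


def failed_to_box_sessions(conns: Dict[str, Conn]) -> List[Conn]:
    """Sessions to the ASA itself (destination interface 'identity') that the ASA
    accepted (a Built message, so no ACL drop) but that timed out in the three-way
    handshake with no payload: the box never answered the client's SYN."""
    return [c for c in conns.values()
            if c.dst_if == "identity" and c.reason == "SYN Timeout" and c.byte_count == 0]


if __name__ == "__main__":
    for c in failed_to_box_sessions(parse_connections(SAMPLE_LOG_LINES)):
        print(f"conn {c.conn_id}: {c.src_if}:{c.src} -> {c.dst_if}:{c.dst} "
              f"never completed the handshake ({c.reason}, {c.byte_count} bytes)")
```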
-
Control what AnyConnect VPN clients can Access
Hello!
How do I ensure that my VPN users that are connected using AnyConnect VPN to my ASA5520 have the same access restrictions/permissions as those connected locally?
Assign a pool in the same vlan/subnet as those connected locally?
Any input helps. Thanks
Your AnyConnect RA clients should have a unique, separate network from any other internal subnets; you will find management and administration much easier as soon as you start creating different RA tunnels for different purposes in the future. At least this is my practice, and I find it easy to administer and/or troubleshoot. If you decide to use a VPN tunnel network that is the same as an inside subnet you may encounter problems down the road which will be hard to troubleshoot.
Now you have the VLAN10 subnet internally; if I understand correctly you want RA clients to have the same access VLAN10 users have. My question to you is: what type of access are you referring to? Do VLAN10 users have access to certain internal networks or specific hosts and some don't? If so, when you use VPN filters build the same access control you have defined for VLAN10 users. You don't necessarily have to create per-user VPN filters, but rather a group policy defining the permitted access through the ACL, and apply it to the AnyConnect RA tunnel if the intent is for the whole tunnel group, just as shown in the RA VPN filter example link posted, excluding the per-user VPN filter.
Rgds
Jorge -
The iosx and open VPN app on the iPad/phone aren't compatible w my school's VPN, but my Mac is via tunnelblick. I would really like to have VPN access from my tablet so I can access journals without undergoing a tedious process.
Has anyone encountered this and found a remedy? I'm imagining an app on the tablet that can access the Mac at home to turn on the VPN to the school and then have access... But then I'm thinking I'd be reading through 2 screens, and formatting/resolution could be a problem.
Another thought was setting up a VPN at home so that my iPad can connect to my computer at home via VPN which would then allow me easy access to journals. But I'm lacking experience in this, especially a security issue as I'm going from point A to point C to get back to point B.
I'm open to any suggestions.
Thanks
You should be able to use the OpenVPN Connect app running on your iPad to connect your iPad to the VPN directly. It is an official OpenVPN client for iOS devices.
In what way is it "not compatible"? Have you tried it? Tunnelblick is an OpenVPN client, so your school's VPN is using the OpenVPN protocol. That means any OpenVPN client should be able to access it. (It is possible, but unlikely, that your school uses encryption that is not available on the iPad, but that would be very unusual.)
Otherwise, a remote control app on your iPad would let you control your Mac at home. "Back to My Mac", for example, would allow you to control your Mac remotely. The tricky part of this is that usually a VPN is set up to send all Internet traffic via the VPN server, and I'm not sure how that would work with "Back to My Mac". -
Re: Internet Browser doesn't access the Internet after Enterprise Activation
Do you know how to tell if I am using my BlackBerry unlimited internet, or am I using my mobile's net?
Hi dinodog4
Go into Options>Advanced Options>Browser and make sure your Default Browser Configuration is set to Internet Browser. This will ensure you are using your BlackBerry data service.
Thanks
-CptS
-
VPN session established but cannot access trusted LAN segment on the ASA
Just a roundup of my Cisco ASA configuration...
1) Configure remote access IPSec VPN
2) Group Policies - vpntesting
3) AES256 SHA DH group 5
4) Configure local user vpntesting
5) Configure dhcp pool - 10.27.165.2 to 10.27.165.128 mask /24
6) open access on outside interface
7) IKE group - vpntesting
A) Did I miss anything?
B) For example, there is a LAN segment - 10.27.40.x/24 on the trusted leg of the Cisco ASA but I can't access it. Do I need to create access lists to allow my VPN session to access the trust LANs?
C) Any good guide for configuring remote access VPN using ASDM?
I have a couple of issues with my EasyVPN server and Cisco VPN Client on Win7.
1: Sometimes clients are connected and the connection shows established, but no traffic or pings can be made to the corp network. It might have to do with NAT settings to exempt VPN traffic from being NATed.
2: VPN clients don't pick the same IP address from the local address pool even though I specified the "RECYCLE" option.
I would appreciate it if you look at my configuration and advise of any mis-config or anything that needs to be corrected.
Thank you so much.
Configuration:
TQI-WN-RT2911#sh run
Building configuration...
Current configuration : 7420 bytes
! Last configuration change at 14:49:13 UTC Fri Oct 12 2012 by admin
! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname TQI-WN-RT2911
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
no ipv6 cef
ip source-route
ip cef
ip dhcp remember
ip domain name telquestintl.com
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-2562258950
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2562258950
revocation-check none
rsakeypair TP-self-signed-2562258950
crypto pki certificate chain TP-self-signed-2562258950
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn ##############
redundancy
track 1 ip sla 1 reachability
delay down 10 up 20
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ############## address 173.161.255.### 255.255.255.240
crypto isakmp client configuration group EASY_VPN
key ##############
dns 10.10.0.241 10.0.0.241
domain domain.com
pool EZVPN-POOL
acl VPN+ENVYPTED_TRAFFIC
save-password
max-users 50
max-logins 10
netmask 255.255.255.0
crypto isakmp profile EASY_VPN_IKE_PROFILE1
match identity group EASY_VPN
client authentication list default
isakmp authorization list default
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile EASY_VPN_IPSec_PROFILE1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile EASY_VPN_IKE_PROFILE1
crypto map VPN_TUNNEL 10 ipsec-isakmp
description ***TUNNEL-TO-FAIRFIELD***
set peer 173.161.255.241
set transform-set ESP-3DES-SHA
match address 105
interface Loopback1
ip address 10.10.30.1 255.255.255.0
interface Tunnel1
ip address 172.16.0.2 255.255.255.0
ip mtu 1420
tunnel source GigabitEthernet0/0
tunnel destination 173.161.255.241
tunnel path-mtu-discovery
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description Optonline WAN secondary
ip address 108.58.179.### 255.255.255.248 secondary
ip address 108.58.179.### 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN_TUNNEL
interface GigabitEthernet0/1
description T1 WAN Link
ip address 64.7.17.### 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/2
description LAN
ip address 10.10.0.1 255.255.255.0 secondary
ip address 10.10.0.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile EASY_VPN_IPSec_PROFILE1
router eigrp 1
network 10.10.0.0 0.0.0.255
network 10.10.30.0 0.0.0.255
network 172.16.0.0 0.0.0.255
router odr
router bgp 100
bgp log-neighbor-changes
ip local pool EZVPN-POOL 10.10.30.51 10.10.30.199 recycle delay 65535
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map OPTIMUM-ISP interface GigabitEthernet0/0 overload
ip nat inside source route-map T1-ISP interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.10.0.243 25 108.58.179.### 25 extendable
ip nat inside source static tcp 10.10.0.243 80 108.58.179.### 80 extendable
ip nat inside source static tcp 10.10.0.243 443 108.58.179.### 443 extendable
ip nat inside source static tcp 10.10.0.220 3389 108.58.179.### 3389 extendable
ip nat inside source static tcp 10.10.0.17 12000 108.58.179.### 12000 extendable
ip nat inside source static tcp 10.10.0.16 80 108.58.179.### 80 extendable
ip nat inside source static tcp 10.10.0.16 443 108.58.179.### 443 extendable
ip nat inside source static tcp 10.10.0.16 3389 108.58.179.### 3389 extendable
ip route 0.0.0.0 0.0.0.0 108.58.179.### track 1
ip route 0.0.0.0 0.0.0.0 64.7.17.97 ##
ip access-list extended VPN+ENVYPTED_TRAFFIC
permit ip 10.10.0.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.0.255 any
permit ip 10.10.30.0 0.0.0.255 any
ip sla 1
icmp-echo 108.58.179.### source-interface GigabitEthernet0/0
threshold 100
timeout 200
frequency 3
ip sla schedule 1 life forever start-time now
access-list 1 permit 10.10.0.0 0.0.0.255
access-list 2 permit 10.10.0.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
access-list 105 remark ***GRE-TRAFFIC TO FAIRFIELD***
access-list 105 permit gre host 108.58.179.### host 173.161.255.###
route-map T1-ISP permit 10
match ip address 100
match interface GigabitEthernet0/1
route-map OPTIMUM-ISP permit 10
match ip address 100
match interface GigabitEthernet0/0
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
end
TQI-WN-RT2911# -
ASA 5505 Anyconnect VPN Users can't access Internet
VPN users cannot access the internet but are able to ping the LAN network (192.168.1.0). It seems like I'm missing a LAN or NAT rule, possibly one allowing the VPN subnet 192.168.2.0/24 to pass through to the internet. I'm looking to accomplish this without split tunneling. Thanks
On version 8.2.5 or lower: let's say your inside hosts access the Internet using dynamic NAT index "1"; you can use the same NAT index "1" to allow your VPN pool range to be part of the same dynamic NAT index "1" to access the Internet. Note that the NAT source interface is outside for VPN-client users because they are physically coming in off the outside interface.
nat (outside) 1 192.168.2.0 255.255.255.0
On version 8.3 or greater:
object network vpn-user-subnet
subnet 192.168.2.0 255.255.255.0
nat (outside,outside) dynamic interface
Hope this helps.
Thanks
Rizwan Rafeek -
Anyconnect VPN PING replies from NAT address
I have been attempting to set up an AnyConnect client to access an internal LAN via an ASA running 8.6(1)2.
The VPN client connects to the ASA successfully, and I get an IP address from the pool on the ASA, so far so good.
I have an issue whereby a ping from a AnyConnect VPN client to an inside host that has a static nat translation is getting a response from the nat (public) address rather than its real (inside) address as below:
C:\ ping 10.191.16.3 (inside host that is NATed to, let's say, 123.123.123.123 on the ASA)
Pinging 10.191.16.3 with 32 bytes of data:
Reply from 123.123.123.123: bytes=32 time=62ms TTL=127
How do I get the response to come from the real address? Pinging inside hosts that do not have static NAT entries are ok.
Below is what I believe are the relevant parts of the config. (Let me know if more is needed and I can post it.)
interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/3
nameif InsideNet99
security-level 100
ip address 10.191.99.251 255.255.255.0
object network VPNClients
subnet 10.191.18.0 255.255.255.0
object network inside_network
subnet 10.191.16.0 255.255.254.0
nat (inside,outside) source static inside_network inside_network destination static VPNClients VPNClients no-proxy-arp route-lookup
object network inside_network
nat (inside,outside) dynamic interface
route inside 10.191.16.0 255.255.254.0 10.191.99.254 1
nat (inside,outside) source static 10.191.16.3 123.123.123.123
Hi,
Many thanks for taking the time to reply.
Here is the output you requested...
The only things I have changed are public IP's (I changed the names of a few things in the original post).
FIREWALL-01# sh run nat
nat (InsideNet99,outside) source static fp-private fp-public
nat (InsideNet99,outside) source static tmg-private tmg-public
nat (InsideNet99,outside) source static ex-private ex-public
nat (InsideNet99,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.191.18.0_24 NETWORK_OBJ_10.191.18.0_24 no-proxy-arp route-lookup
object network VRF-VLAN2
nat (InsideNet99,outside) dynamic interface
object network VRF-VLAN3
nat (InsideNet99,outside) dynamic interface
object network VRF-VLAN5
nat (InsideNet99,outside) dynamic interface
object network VRF-VLAN12
nat (InsideNet99,outside) dynamic interface
object network WIFIPUBLIC
nat (wifipublic,outside) dynamic interface
object network VRF-VLAN11
nat (InsideNet99,outside) dynamic interface
object network VRF-VLAN17
nat (InsideNet99,outside) dynamic interface
FIREWALL-01#
Other info...
object network fp-public
host ***.***.***.***
object network VRF-VLAN11
subnet 10.191.16.0 255.255.254.0
object network fp-private
host 10.191.16.1
object network tmg-private
host 10.191.16.3
object network ex-public
host **.***.***.***
object network tmg-public
host 123.123.123.123
object network ex-private
host 10.191.16.2
object network NETWORK_OBJ_10.191.18.0_24
subnet 10.191.18.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object VRF-VLAN11
The VPN client has address 10.191.18.1, pinging 10.191.16.3 and getting reply from 123.123.123.123 (The public address of 10.191.16.3).
(123.123.123.123 used for purposes of this forum, not real address).
btw, I can PING other devices on 10.191.16.0/23 that do not have static NATs on the ASA and they respond correctly from the real IP. -
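An added model (not from the thread) of why the reply comes back from 123.123.123.123: ASA manual NAT (section 1) is evaluated first-match in configured order, and in the `sh run nat` output above the one-to-one rule for tmg-private sits above the exemption rule that carries the VPN pool as destination, so the reply from 10.191.16.3 to the VPN client matches the static rule first while hosts with no static rule fall through to the exemption. The Python below simulates that ordering; fp-public and ex-public are masked in the post, so the RFC 5737 addresses used for them here are placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class ManualNatRule:
    """One 'nat (InsideNet99,outside) source static REAL MAPPED [destination static REAL MAPPED]' line."""
    name: str
    real_src: Net
    mapped_src: Net
    real_dst: Optional[Net] = None      # None: no destination clause, i.e. any destination
    mapped_dst: Optional[Net] = None

    def matches(self, src: str, dst: str) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return s in self.real_src and (self.real_dst is None or d in self.real_dst)

    def translate_src(self, src: str) -> str:
        # Static (one-to-one) translation keeps the host offset inside the network;
        # for an identity rule real == mapped, so the address is unchanged.
        offset = int(ipaddress.ip_address(src)) - int(self.real_src.network_address)
        return str(self.mapped_src.network_address + offset)


def evaluate(rules: List[ManualNatRule], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Section 1 (manual NAT) is first-match in configured order: the first rule whose
    real source and destination both match wins; later rules are never consulted.
    Returns (translated source, name of the matching rule). Section 2 / object NAT,
    which the ASA would consult on fall-through, is not modelled here."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.translate_src(src), rule.name
    return src, None


# Values from the post; fp-public and ex-public are masked there, so RFC 5737
# documentation addresses stand in for them (placeholders).
TMG_PUBLIC = "123.123.123.123"
FP_PUBLIC = "198.51.100.1"   # placeholder
EX_PUBLIC = "198.51.100.2"   # placeholder

# Order exactly as in the poster's 'sh run nat': three one-to-one statics first,
# then the identity rule for VRF-VLAN11 (10.191.16.0/23) <-> VPN pool 10.191.18.0/24.
AS_POSTED = [
    ManualNatRule("fp-private->fp-public", net("10.191.16.1/32"), net(FP_PUBLIC + "/32")),
    ManualNatRule("tmg-private->tmg-public", net("10.191.16.3/32"), net(TMG_PUBLIC + "/32")),
    ManualNatRule("ex-private->ex-public", net("10.191.16.2/32"), net(EX_PUBLIC + "/32")),
    ManualNatRule("vpn-exempt", net("10.191.16.0/23"), net("10.191.16.0/23"),
                  net("10.191.18.0/24"), net("10.191.18.0/24")),
]


def exemption_first(rules: List[ManualNatRule]) -> List[ManualNatRule]:
    """The fix: put the exemption at line 1 so it is matched before the statics."""
    return ([r for r in rules if r.name == "vpn-exempt"]
            + [r for r in rules if r.name != "vpn-exempt"])


if __name__ == "__main__":
    client = "10.191.18.1"
    for label, rules in (("as posted", AS_POSTED), ("exemption first", exemption_first(AS_POSTED))):
        for host in ("10.191.16.3", "10.191.16.50"):
            mapped, rule = evaluate(rules, host, client)
            print(f"{label:16} {host} -> {client}: seen by client as {mapped} (rule {rule})")
```

On the ASA the equivalent change is to insert the exemption at position 1 of section 1 (`nat (InsideNet99,outside) 1 source static ...`) so it precedes the three one-to-one statics.
-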
VPN clients cannot access to Remote location
I have set up VPN remote access on an ASA 5520. The login is working. The users can access the local network, but they can't access the remote network through the tunnel. Is it the NAT setting that needs to be set for the tunnel or the VPN client to allow the VPN client access to the remote network?
Thanks
Hi Chieu,
There are couple of questions I have for you that might help me to help you too!
First what software code are you using?
Can you post a decent config of your device?
Do you have multiple vlans in your network?
Did you implement routing for your remote vpn subnet to access the lan?
What is your topology like?
Once I get a good grasp of these we might be able to resolve your problem together.
Thanks
Teddy -
VPN - can't access internet over VPN
Hi,
I have an issue with VPN.
For my work I need to be able to log into my office network remotely and then access remote desktop connection from within my work network.
This won't work unless I am accessing the internet from inside the VPN.
I have got this working on a PC, just had to select "Use default gateway on remote network" and now when I access the VPN on a windows laptop I am accessing the internet over the VPN.
When I connect to the VPN on the Mac I can access the network, email server, file servers etc, but can not access the internet through the VPN.
I have tried:
- changing the service order
- ticking and unpicking the send all traffic over VPN setting
I can get to the point where I can access my work network over the VPN while also accessing the internet over my wifi but cannot get it so I can access the internet over the VPN connection. It is a PPTP VPN.
Does anyone know how I get my Mac to use the default gateway on the remote network?
If this server is behind a (NAT) router you need to turn on "ipforwarding only" in the Server Admin NAT configuration, otherwise the server won't route packets beyond its subnet.
-
Vpn client can access internet but cannot access internal network
I am using a PIX 501 to set up a VPN. At first the VPN clients could not access the internet once they logged in via the Cisco Systems VPN client, so I enabled split tunneling. Now the VPN clients can access the internet but they can't access the internal network. Due to the limited characters that can be posted here, only the necessary IOS configuration is posted in the next message. Who knows how to solve this problem? Pls Help.....
enable password ********** encrypted
passwd ********** encrypted
hostname Firewall
domain-name aqswdefrgt.com.sg
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nat permit tcp any host 65.165.123.142 eq smtp
access-list nat permit tcp any host 65.165.123.142 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq smtp
access-list nat permit tcp any host 65.165.123.143 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq www
access-list nat permit tcp any host 65.165.123.152 eq smtp
access-list nat permit tcp any host 65.165.123.152 eq pop3
access-list nat permit tcp any host 65.165.123.152 eq www
access-list nat permit tcp any host 65.165.123.143 eq https
access-list nat permit icmp any any
ip address outside 65.165.123.4 255.255.255.240
ip address inside 192.168.1.2 255.255.255.0
ip verify reverse-path interface outside
ip local pool clientpool 192.168.50.1-192.168.50.50
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255.255.255 0 0
access-group nat in interface outside
route outside 0.0.0.0 0.0.0.0 65.165.123.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server plexus protocol radius
aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map client authentication plexus
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpn3000 address-pool clientpool
vpngroup vpn3000 dns-server 192.168.1.55
vpngroup vpn3000 wins-server 192.168.1.55
vpngroup vpn3000 default-domain aqswdefrgt.com.sg
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80 -
CiscoSystems AnyConnect VPN Client 3.0.3054 Posture module
Hello,
I have a problem installing the posture module of the AnyConnect VPN Client. During the installation I get an error:
"Product: Cisco AnyConnect Posture Module -- Error 1335. The cabinet file 'disk1.cab' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package."
I found out that this error appears when I'm installing from a local copy of the files from the ISO. If the installation is from a virtual drive it installs fine.
I need to install the client to multiple users so I have to use the source out of the ISO.
Is there a way to to install this module from HDD?
Thanks in advance!
Iliyan
Thanks for your reply.
The problem was because of a broken source.
I downloaded it from another location and everything is fine now
The discussion can be closed. -
Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN
Hi Guys,
I've been stuck with this for the last 2 days, and I thought I'd try Cisco's forum. I set up my home DC and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet): I was no longer able to ping some devices. Then, as soon as I introduced a collapsed core/distribution switch, I was also no longer able to ping the devices behind the Cisco 3750. I've attached a network diagram and the ASA running-config.
Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
For some odd reason, I am able to ping the following, with no issues.
Cisco 3750 SVI (192.168.1.3)
CentOS web server (connected directly to the Cisco ASA 5505)
I have checked and enable the following:
Nat Exemption
Sysopt connection permit-vpn
ACL's
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Added ICMP in the inspection policy
Packet-capture - Only getting echo requests.
Thanks in advance!
Hi,
I believe you have a problem with your no-NAT configuration..... you need to exempt NAT for the traffic from 172.16.10.0 (AnyConnect VPN pool) to 192.168.1.0/24 (inside LAN) to make this work:
object network acvpnpool
subnet <anyconnect VPN Subnet>
object network insidelan
subnet <inside lan subnet>
nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
Make sure that you are able to reach the GW/inside IP address of the firewall from a LAN machine.... all routing in place properly..... Thanks!!!
Regards
Karthik -
ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp
Hello all,
I've been searching all day for a solution to this problem. I set up an SSL AnyConnect VPN on my Cisco ASA 5505. It works well and connects without a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config, so I will as well.
MafSecASA# show run
: Saved
ASA Version 8.2(1)
hostname MafSecASA
domain-name mafsec.com
names
interface Vlan1
nameif inside
security-level 100
ip address 10.4.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 7.3.3.2 255.255.255.248
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.20.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name mafsec.com
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.4.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.4.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd option 6 ip 8.8.8.8 8.8.4.4
dhcpd address 10.4.0.15-10.4.0.245 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd option 3 ip 10.4.0.1 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol svc
group-lock none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside_split_tunnel
vlan none
address-pools value SSLVPNPool2
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username user1 password
username user1 attributes
service-type remote-access
username user2 password
tunnel-group SSLVPNGROUP type remote-access
tunnel-group SSLVPNGROUP general-attributes
address-pool SSLVPNPool2
default-group-policy SSLVPN
tunnel-group SSLVPNGROUP webvpn-attributes
group-alias SSLVPN enable
prompt hostname context
Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
: end
Thanks in advance for any help!
Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a windows firewall issue on the PCs? I'd try pinging a router or switch just to make sure.
--Jason
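The reply above makes the point that pings only work here because the outside ACL admits all ICMP, since no ICMP inspection is configured. The fragment below is an added example, not part of the posted config or of Jason's reply: it turns on stateful ICMP inspection so that the ASA's connection table admits the echo-reply that matches an outbound echo-request, and then narrows the blanket ICMP rule on the outside interface. It assumes the default `global_policy` policy-map and `inspection_default` class that ASA 8.x creates out of the box; those names are an assumption about the default configuration, not something shown in the posted config.

```cisco
! Added example: stateful ICMP inspection instead of "permit icmp any any" on the outside.
! Assumes the ASA 8.x default policy-map "global_policy" and class "inspection_default";
! if the box does not have them, create the class-map/policy-map first.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! The default global policy is normally already attached; re-applying it is harmless.
service-policy global_policy global
!
! With inspection on, echo-replies to inside hosts come back via the connection table,
! so the outside ACL no longer has to open ICMP wide. Add the narrower entries first so
! the ACL never becomes empty, then remove the broad one. Keeping unreachable and
! time-exceeded preserves path-MTU discovery and traceroute.
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
no access-list outside_access_in extended permit icmp any any
```

After applying this, `show service-policy inspect icmp` should show the inspection counters climbing while a ping from an inside host is running, and `show conn protocol icmp` should list the echo-request as a tracked connection; if pings still fail at that point, the problem is on the host (for example the Windows firewall the reply mentions) rather than on the ASA.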
Securing AnyConnect VPN user access via specific LDAP groups in Active Directory?
Is there a brief tutorial on how to secure AnyConnect VPN access using Active Directory security groups?
I have AAA LDAP authentication working on my ASA5510, to authenticate users against my internal AD 2008 R2 server, but the piece I'm missing is how to lock down access to AnyConnect users ONLY if they are a member of a specific Security Group (i.e. VPNUsers) within my AD schema.
This looks fairly complete:
http://www.compressedmatter.com/guides/2010/8/19/cisco-asa-ldap-authentication-authorization-for-vpn-clients.html
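The usual way to do what the question asks is an LDAP attribute map that translates the user's AD `memberOf` value into an ASA group-policy, combined with a deny-everything default group-policy so that users who authenticate but are not in the mapped group are refused. The fragment below is an added example, not taken from the thread or from the linked guide. It reuses the `SSLVPNGROUP` tunnel-group and `SSLVPN` group-policy names from the config posted earlier in this thread; the AD server address, the base DN, the service-account DN, the group DN `CN=VPNUsers,...` and the `NOACCESS` policy name are placeholders to be replaced with your own values. It assumes ASA 8.2 or later, where the attribute map can target `Group-Policy` directly; earlier 8.x releases use `IETF-Radius-Class` for the same purpose.

```cisco
! Added example: allow AnyConnect only to members of one AD group.
! All DNs, the host address, the service-account name and the password are placeholders.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPNUsers,OU=Groups,DC=example,DC=com" SSLVPN
!
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.4.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password REPLACE-ME
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! Catch-all policy for users whose password is correct but who are NOT in the mapped group:
! zero simultaneous logins means the ASA refuses the session after authentication.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol svc
!
! Authenticate against AD; the session lands in NOACCESS unless the attribute map
! assigned SSLVPN (the group-policy that already exists in the posted config).
tunnel-group SSLVPNGROUP general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
```

Two checks before relying on it: `test aaa-server authentication AD-LDAP host 10.4.0.10 username <user> password <pw>` confirms the bind and the lookup work, and `debug ldap 255` during a real AnyConnect login shows the `memberOf` values returned and which group-policy the map selected. Note that switching the tunnel-group to `AD-LDAP` means the local `user1`/`user2` accounts in the posted config stop working for that tunnel-group unless you append `LOCAL` as a fallback (`authentication-server-group AD-LDAP LOCAL`), which is worth thinking about deliberately rather than leaving by accident, since a fallback path also bypasses the group check.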
AnyConnect VPN Clients IP Address access rules
I set up an ASA5540 for SSL-VPN (clientless) and it works fine.
But when I try to use the client (AnyConnect) to access internal resources, it fails. It still initiates sessions from the remote client IP.
I need to initiate sessions from the client IP assigned by the ASA5540 box (the same as with the Cisco VPN client connecting to a Cat65 SVC module).
How do I set it up?
I use the Cisco VPN client (remote access VPN) to connect to the ASA.
There is a configuration setup for group authentication w/ password on the Cisco VPN client. I do not know how to set this up on the ASA to match?
Second, when the remote client connects to the ASA, I should get the client IP address which I set up on the ASA.
It should use this IP to connect to the ASA internal net, but I failed (both Cisco VPN and AnyConnect).
How do I set this up? (SSL VPN on this ASA works.)