ASA Dynamic Access Policies Issues

Hi
I have created a simple DAP to match a specific tunnel group (AAA attribute) and also to match endpoint attributes matching AnyConnect client version 3.1.xx and OS as Win7. When i test the DAPs on ASDM, i see that the custom one i created is selected. However when i actually connect from a client matching the specified AAA and endpoint attributes, the selected DAP is the default one. My aim is to be able to match custom DAPs for different connection profiles (plan to configure more later) so i can then set the action on the default DAP to terminate but i seem to be stuck on this.
I have looked at my config over and again and i guess if the solution could bite me, it would have but i can't seem to find what i need to do to fix this.
Appreciate any and every help here
Seyi
========
Test DAP
========
DAP_TRACE: DAP_open: 778B5E18
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:endpoint["anyconnect"]["clientversion"]="3.1.03103"
DAP_TRACE: name = endpoint["anyconnect"]["clientversion"], value = "3.1.03103"
DAP_TRACE: dap_add_to_lua_tree:endpoint["os"]["version"]="Windows 7"
DAP_TRACE: name = endpoint["os"]["version"], value = "Windows 7"
DAP_TRACE: Selected DAPs: ,POLICY-RSA
DAP_TRACE: dap_process_selected_daps: selected 1 records
DAP_TRACE: dap_aggregate_attr: rec_count = 1
DAP_TRACE: dap_comma_str_fcn: [,] 1 128
DAP_TRACE: DAP_close: 778B5E18
========================
Actual Client Connection
========================
DAP_TRACE: DAP_open: 79E0EA38
DAP_TRACE: Username: user1, aaa.cisco.grouppolicy = POLICY-RSA
DAP_TRACE: Username: user1, aaa.cisco.username = user1
DAP_TRACE: Username: user1, aaa.cisco.username1 = user1
DAP_TRACE: Username: user1, aaa.cisco.username2 =
DAP_TRACE: Username: user1, aaa.cisco.tunnelgroup = POLICY-RSA
DAP_TRACE: Username: user1, DAP_add_SCEP: scep required = [FALSE]
DAP_TRACE: Username: user1, DAP_add_AC:
endpoint.anyconnect.clientversion="3.1.03103";
endpoint.anyconnect.platform="win";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="user1"
DAP_TRACE: name = aaa["cisco"]["username"], value = "user1"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username1"]="user1"
DAP_TRACE: name = aaa["cisco"]["username1"], value = "user1"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username2"]=""
DAP_TRACE: name = aaa["cisco"]["username2"], value = ""
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["sceprequired"]="false"
DAP_TRACE: name = aaa["cisco"]["sceprequired"], value = "false"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.03103"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
DAP_TRACE: name = endpoint.anyconnect.platform, value = "win"
DAP_TRACE: Username: user1, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: user1, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: user1, DAP_close: 79E0EA38

Hi Seyi,
The problem lies here if you check the ouput of the debug dap trace of the client Pc which is as follow
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.03103"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
DAP_TRACE: name = endpoint.anyconnect.platform, value = "win"
DAP_TRACE: Username: user1, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: user1, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy
I don't see it looking for OS version Check.
Ideally it should and this entry should have been there in the debug dap trace
endpoint["os"]["version"], value = "Windows 7
And in the DAP policy that you have created you have mentioned 2 end point attributes to be checked which are as follow
endpoint.anyconnect.clientversion, value = "3.1.03103
endpoint["os"]["version"], value = "Windows 7
Since it is not matching both the enpoint attributes it is falling on the
DfltAccessPolicy
Please let me know the host scan image that you have got.
Try with the hostscan_3.1.03103-k9.pkg.
And then check.
HTH
Regards
Raj Kumar

Similar Messages

OIM 9.1.0.2 - Access Policies issue

Hi Gurus,
I have facing a strange behavior in the Access Policies features.
When users are inactived in the OIM, they should be removed from the groups associated to the AP, but the groups remain associated and because that the AP is triggered again provisioning resources to the users.
Has someone faced the issue?
Brgds,
Carlos

What does all of your group membership rules look like? Are you sure your right side is the correct format? You can create a rule where Users.Status = "Active". Just need to make sure it's case sensitive so you'll want to check the database for existing values.
-Kevin

Anyconnect and client certificates for dynamic access policies (dap)

I'm faced with the challenge of rolling out AnyConnect to our clients (which I've done before at another job) but in this case we want to 'NAC' vpn clients... We're still in discussion around the security policy and those details, but I wanted to see if folks on this forum could chime in with their experience on this.
We have a mix of Windows, Linux and MACs that are corporate issued devices that should receive some form of posture checking and then be granted access. Personal devices would also be subjected to some level of posture checking, but if during the initial scan it was deemed that this is not a corporate machine, then that machine would have very limited access.
From what I've read, the OS agnostic route to take is using certificates. I'm looking for design tips or docs that would assist in rolling this out. We do not have a PKI infrastructure today. So some of the questions I have are:
Can the ASA manage all of the client issued certs? From enrollment to revocation?
Or would I look to my Windows infrastructure for that? And if so, how does that integrate with the ASA?
Client certs vs machine certs?
Any advice from high level to low level or partial answers would be appreciated...
Thanks

"Can the ASA manage all of the client issued certs? From enrollment to revocation?"
Yes, please check the Cisco url below, configuration method.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1067758
Hope that helps.
thanks
Rizwan Rafeek

Limit of dynamic access policies?

Hi,
Is there a maximum number of DAP supported by ASA 55XX 9.1 ?
Thanks for your information
Patrick

In my case, it could work if a user is member of groups which are explicitly mapped to ACL.
If he belongs to other groups, ASA will try to map those groups to ACL then we will get this error:
%ASA-4-113030: Group group User user IP ipaddr User ACL acl from AAA
doesn't exist on the device, terminating connection.
The specified ACL was not found on the ASA.
And it wont work.
I will think about using specific LDAP attribute but this will bring other problems (Directory process...)
If you have other ideas, I would be glad to test them
Otherwise I will choose between DAP or LDAP mapping...
Thanks again Marcin !!
Patrick

Dynamic access policy ACL not beeing applied to user

Hi all
I have just configured my ASA for ssl vpn
I have created a dynamic access policy with an ACL in it.
The user connects fine, and I can see on the logs that the DAP policy has applied to the user
However when I click on monitoring, it says no acl is applied to this session, and the client cannot get anywhere
why would this be?
cheers
Carl

When you go to dynamic access policies in ASDM is your NoVPN ACL at the top of the list (highest ACL priority)? These get processed in order and if your user is in both groups the first will be taken and the rest ignored.
Also, is your default policy at that bottom of this list deny access?

Dynamic Access Policy ACL Logging

We use dynamic access policy's with Network ACLs to restrict specifics users access to what they need over the VPN. The ACL's get applied to the users as they should for the most part working as they should. I am in the process of troubleshooting an ACL now that tied to a DAP and I cant find any way of logging the drops (or allows) from the ACL being used for DAP.

When you go to dynamic access policies in ASDM is your NoVPN ACL at the top of the list (highest ACL priority)? These get processed in order and if your user is in both groups the first will be taken and the rest ignored.
Also, is your default policy at that bottom of this list deny access?

Issue in OIM 11gR2Ps2 while provisioning using access policies

Hi,
we are provisioning resources using access policies, we are facing any issue while provisioning resource using two access policies. we are populating the main process form data using two access policies, according to the access policy priority we are seeing the first access policy form data value in the user process form, but the second access policy value is not showing in the user process form, for example we are populating processform fieldvalue1 using access policy1 and processform fieldvalue2 using access policy2.
Thank you,

Hi,
we are facing issue in the following scenario
we are provisioning a resource based on the user position through access policies, for example a user position "contractor" is satisfies two rules based on the rules he will get two roles, these two roles trigger two access policies, and two access policies giving same resource for example "AD", in AD main process form there two lookups(lookup A,lookup B), we are giving looukp A value in acess policy1 and lookup B value in access ploicy2, when ever user gets AD resource through these roles, after provisioning when we see the user process form only lookup A value is there and lookup B is empty.But i want to get both lookup A,lookup B values, what i observed was based on the priority access policy values are comming to user resource form, the next access policy form values are not reflecting the user process form.
Thanks,

Cisco ASA 5505 - IPsec Tunnel issue

Issue with IPsec Child SA
Hi,
I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
hostname GARPR-COM1-WF01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
description Failover Link
switchport access vlan 950
interface Ethernet0/1
description Outside FW Link
switchport access vlan 999
interface Ethernet0/2
description Inside FW Link
switchport access vlan 998
interface Ethernet0/3
description Management Link
switchport access vlan 6
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan6
nameif management
security-level 100
ip address 10.65.1.20 255.255.255.240
interface Vlan950
description LAN Failover Interface
interface Vlan998
nameif inside
security-level 100
ip address 10.65.1.5 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ************* 255.255.255.248
boot system disk0:/asa922-4-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ***************
object network North_American_LAN
subnet 10.73.0.0 255.255.0.0
description North American LAN
object network Queretaro_LAN
subnet 10.74.0.0 255.255.0.0
description Queretaro_LAN
object network Tor_LAN
subnet 10.75.0.0 255.255.0.0
description Tor LAN
object network Mor_LAN
subnet 10.76.0.0 255.255.0.0
description Mor LAN
object network Tus_LAN
subnet 10.79.128.0 255.255.128.0
description North American LAN
object network Mtl_LAN
subnet 10.88.0.0 255.255.0.0
description Mtl LAN
object network Wic_LAN
subnet 10.90.0.0 255.254.0.0
description Wic LAN
object network Wic_LAN_172
subnet 172.18.0.0 255.255.0.0
description Wic Servers/Legacy Client LAN
object network Mtl_LAN_172
subnet 172.19.0.0 255.255.0.0
description Mtl Servers/Legacy Client LAN
object network Tor_LAN_172
subnet 172.20.0.0 255.255.0.0
description Tor Servers/Legacy Client LAN
object network Bridge_LAN_172
subnet 172.23.0.0 255.255.0.0
description Bridge Servers/Legacy Client LAN
object network Mtl_WLAN
subnet 10.114.0.0 255.255.0.0
description Mtl Wireless LAN
object network Bel_WLAN
subnet 10.115.0.0 255.255.0.0
description Bel Wireless LAN
object network Wic_WLAN
subnet 10.116.0.0 255.255.0.0
description Wic Wireless LAN
object network Mtl_Infrastructure_10
subnet 10.96.0.0 255.255.0.0
description Mtl Infrastructre LAN
object network BA_Small_Site_Blocks
subnet 10.68.0.0 255.255.0.0
description BA Small Sites Blocks
object network Bel_LAN
subnet 10.92.0.0 255.255.0.0
description Bel LAN 10 Network
object network LAN_172
subnet 172.25.0.0 255.255.0.0
description LAN 172 Network
object network Gar_LAN
subnet 10.65.1.0 255.255.255.0
description Gar LAN
object network garpr-com1-wf01.net.aero.bombardier.net
host **************
description Garching Firewall
object-group network BA_Sites
description Internal Networks
network-object object BA_Small_Site_Blocks
network-object object Bel_LAN
network-object object Bel_LAN_172
network-object object Bel_WLAN
network-object object Bridge_LAN_172
network-object object Mtl_Infrastructure_10
network-object object Mtl_LAN
network-object object Mtl_LAN_172
network-object object Mtl_WLAN
network-object object Mor_LAN
network-object object North_American_LAN
network-object object Queretaro_LAN
network-object object Tor_LAN
network-object object Tor_LAN_172
network-object object Tus_LAN
network-object object Wic_LAN
network-object object Wic_LAN_172
network-object object Wic_WLAN
access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm informational
logging host outside 172.25.5.102
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface Failover_Link Vlan950
failover polltime interface msec 500 holdtime 5
failover key *****
failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 ************* 1
route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.65.1.0 255.255.255.0 inside
http 172.25.5.0 255.255.255.0 inside
http 10.65.1.21 255.255.255.255 management
snmp-server host inside 172.25.49.0 community ***** udp-port 161
snmp-server host outside 172.25.49.0 community *****
snmp-server host inside 172.25.5.101 community ***** udp-port 161
snmp-server host outside 172.25.5.101 community *****
snmp-server host inside 172.25.81.88 poll community *****
snmp-server host outside 172.25.81.88 poll community *****
snmp-server location:
snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev2 ipsec-proposal aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map GARCH 10 match address 101
crypto map GARCH 10 set pfs group19
crypto map GARCH 10 set peer *******************
crypto map GARCH 10 set ikev2 ipsec-proposal aes256
crypto map GARCH 10 set security-association lifetime seconds 3600
crypto map GARCH interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
telnet 10.65.1.6 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh 172.19.9.49 255.255.255.255 inside
ssh 172.25.5.0 255.255.255.0 outside
ssh 172.19.9.49 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcprelay server 172.25.81.1 outside
dhcprelay server 172.25.49.1 outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.19.109.41
ntp server 172.19.109.42
ntp server 172.19.9.49 source outside
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
: end
I believe when a VPN tunnel is setup there should be one Child sa per subnet. The internal network of 10.65.1.0/24 should be setup with a child sa to the networks that were specified above depending on if there is traffic destined for them. What I am seeing is multiple child sa setup for the same subnet like the example below:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
where for destination network 10.92.0.0/16 there is only one child sa:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
          remote selector 10.92.0.0/0 - 10.92.255.255/6553
Should this be the case or does anyone have any idea why there is multiple child sa setup for the same subnet?
Thanks
Jonathan

Hi there,
I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks

Cisco ASA 5505 VPN connection issue ("Unable to add route")

I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3     IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3     IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DW-VPDN
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
address-pool DWD-VPN-Pool
default-group-policy DWD
tunnel-group DWD ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This however yielded exactl the same issue.
Following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?

Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run: Saved:ASA Version 8.2(5) !hostname DWD-ASAenable password ******* encryptedpasswd ****** encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.2.254 255.255.255.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group DWD ip address pppoe setroute !ftp mode passiveaccess-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyhttp server enablehttp 192.168.2.0 255.255.255.0 insidehttp 0.0.0.0 0.0.0.0 outsideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map outside_map interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400telnet timeout 5ssh 0.0.0.0 0.0.0.0 outsidessh timeout 5console timeout 0vpdn group DWD request dialout pppoevpdn group DWD localname *****@SKYNETvpdn group DWD ppp authentication papvpdn username *****@SKYNET password ***** dhcpd auto_config outside!dhcpd address 192.168.2.10-192.168.2.40 insidedhcpd enable inside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn enable outside svc enablegroup-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpngroup-policy dwdipsec internalgroup-policy dwdipsec attributes vpn-tunnel-protocol IPSec default-domain value DWDDOMusername user1 password ***** encrypted privilege 0username user1 attributes vpn-group-policy dwdipsectunnel-group dwdipsec type remote-accesstunnel-group dwdipsec general-attributes address-pool vpnpool default-group-policy dwdipsectunnel-group dwdipsec ipsec-attributes pre-shared-key *****tunnel-group dwdssl type remote-accesstunnel-group dwdssl general-attributes address-pool vpnpool!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options !service-policy global_policy globalprompt hostname context no call-home reporting anonymousCryptochecksum:f5c8dd644aa2a27374a923671da1c834: endDWD-ASA(config)#

ASA 5505 vpn connection issues

Hello I am having some issues with getting my vpn connection working on a new site. I get no internet connection when hooking up the asa. My current config is below. I have included a packet trace from my remote site to my main site. Any help would be appriciated, I am not very experanced in coniguring the devices.
hostname ciscoasa
domain-name .com
enable password w3iW.W8jLtqmhFnt encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 72.xxx.xx.xx 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name .com
access-list NONATACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.2
55.255.0
access-list VPNACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255
.255.0
access-list OUTSIDEACL extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/flash
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONATACL
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDEACL in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 10.10.10.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESPDESMD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 13 match address VPNACL
crypto map VPNMAP 13 set peer 68.xx.xxx.xxx
crypto map VPNMAP 13 set transform-set ESPDESMD5
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 13
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 10.10.10.0 255.255.255.0 inside
telnet 192.1.1.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.1.1.6 192.1.1.4
dhcpd wins 192.1.1.6 192.1.1.4
dhcpd ping_timeout 750
dhcpd domain .com
dhcpd auto_config outside
dhcpd address 10.10.10.10-10.10.10.40 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 76.xxx.xxx.xx type ipsec-l2l
tunnel-group 76.xxx.xxx.xx ipsec-attributes
pre-shared-key *
tunnel-group 68.xx.xxx.xxx type ipsec-l2l
tunnel-group 68.xx.xxx.xxx ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:229af8a14b475d91b876176163124158
: end
ciscoasa(config)#reciated

Hello Belnet,
What do the logs show from the ASA.
Can you post them ??
Any other question..Sure..Just remember to rate all of the community answers.
Julio

ASA 5505 VPN conenction issue

Good morning everyone. I am in need of some help. I am a newbie when it comes to configuring the ASA. Here is my problem. I have the asa configure and it is allowing me to get out to the internet. I have several VLANs on my network and from inside I can ping everything. I have created the VPN and I am able to connect to it and get in IP assigned from the pool of address. If I have multiple connections I can ping the other PCs. Right now I am able to ping the outside and inside interfaces of the ASA but no where else. I have split tunneling enabled. Here is a copy of my config.
Thanks
Dave
Result of the command: "sh run"
: Saved
: Serial Number: *****
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.1(5)21
hostname Main-ASA
domain-name *****
enable password ***** encrypted
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 12
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.252
interface Vlan12
nameif Outside
security-level 0
ip address dhcp setroute
banner login *************************************
banner login       Unuathorized access is prohibited !!
banner login *************************************
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup Outside
dns server-group DefaultDNS
domain-name *****
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VLAN54
subnet 192.168.54.0 255.255.255.0
description VLAN 54
object network Management
subnet 192.168.80.0 255.255.255.0
description Management
object network VLAN51
subnet 192.168.51.0 255.255.255.0
description VLAN 51
object network VLAN52
subnet 192.168.52.0 255.255.255.0
description VLAN 52
object network VLAN53
subnet 192.168.53.0 255.255.255.0
description VLAN 53
object network VLAN55
subnet 192.168.55.0 255.255.255.0
description VLAN 55
object network VLAN56
subnet 192.168.56.0 255.255.255.0
description VLAN 56
object service 443
service tcp destination eq https
object service 80
service tcp destination eq www
object service 8245
service tcp destination eq 8245
object service 25295
service udp destination eq 25295
description Blocking 25295
object network VPN-Connections
subnet 192.168.59.0 255.255.255.0
description VPN Connections
object-group service No-IP
description no-ip.com DDNS Update
service-object object 80
service-object object 8245
service-object object 443
access-list inside_access_in remark No-ip DDNS Update
access-list inside_access_in extended permit object-group No-IP object VLAN51 any
access-list inside_access_in extended permit ip any any
access-list VPN standard permit 192.168.0.0 255.255.0.0
access-list Outside_access_in remark Blocking 25295 to HTPC
access-list Outside_access_in extended deny object 25295 any object VLAN54
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,Outside) source dynamic any interface
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
router eigrp 1
no auto-summary
network 192.168.0.0 255.255.255.252
network 192.168.59.0 255.255.255.0
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.51.1
server-port 636
ldap-base-dn cn=users,dc=spicerslocal
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn cn=users,dc=*****
sasl-mechanism digest-md5
ldap-over-ssl enable
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=Main-ASA
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate
  quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpn-addr-assign local reuse-delay 5
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 Outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable Outside
anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles AnyC-SSL-VPN_client_profile disk0:/AnyC-SSL-VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.51.1 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
default-domain value *****
split-dns value 8.8.8.8
group-policy GroupPolicy_AnyC-SSL-VPN internal
group-policy GroupPolicy_AnyC-SSL-VPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
default-domain value *****
webvpn
anyconnect profiles value AnyC-SSL-VPN_client_profile type user
username Dave password ***** encrypted privilege 15
username Don password ***** encrypted privilege 15
tunnel-group AnyC-SSL-VPN type remote-access
tunnel-group AnyC-SSL-VPN general-attributes
address-pool AnyC-CPN-Client-Pool
tunnel-group AnyC-SSL-VPN webvpn-attributes
group-alias AnyC-SSL-VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:af0fad1092e0314b0a80f20add03e3f7
: end

Hi Dave,
It seems to be an issue with the NAT, I saw your VPN configuration:
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
unnel-group AnyC-SSL-VPN type remote-access
tunnel-group AnyC-SSL-VPN general-attributes
address-pool AnyC-CPN-Client-Pool
tunnel-group AnyC-SSL-VPN webvpn-attributes
group-alias AnyC-SSL-VPN enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.51.1 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
default-domain value *****
split-dns value 8.8.8.8
access-list VPN standard permit 192.168.0.0 255.255.0.0
You will need to set up a NAT exemption as follow:
object-group network obj-192.168.59.0-Pool
network-object 192.168.59.0 255.255.255.0
object-group network obj-192.168.0.0
network-object 192.168.0.0 255.255.0.0
nat (inside,outside) 1 source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.59.0-Pool obj-192.168.59.0-Pool no-proxy-arp route-lookup
Please proceed to rate and mark as correct this post, if it helps!
David Castro,
Regards,

Feature Request : provide a way to create access policies or identities with matching condition based on the HTTP header's "Referer" field

Hello,
I have a use-case I would like to share with you. When a customer configures its WSA with highly restrictive internet access like in the example below, it may trigger some issues :
1- allow internet access only for URLs defined in whitelist.
2- block ALL other requests.
Let's take the following example :
1- the customer only allow requests to www.siteA.com. siteA.com is the only URL included in its whitelist.
2- www.siteA.com contains many embedded objects (such as facebook like tags, youtube videos, links to partners sites, ...)
In this configuration, the end user will be allowed to reach siteA but the page will not be fully displayed. All the embedded objects not directly located on siteA will be missing.
With WSA, the easiest way I can imagine to solve the issue is to list all the embedded objects present on siteA, get back their URL and also add these URLs to the whitelist. But this solution if of course far to be really convenient since it involves to know exactly how each HTTP page you want to consult is built.
With other proxies, such as Bluecoat proxies or McAfee Web Gateway proxies for example, I used to solve this kind of issue by using the HTTP referer field (the URL you come from). For example with Bluecoat :
<Proxy>
ALLOW request.header.Referer.url.domain=//www.siteA.com/
=> All requested objects from siteA.com will be automatically allowed by the proxy, even if they are not part of my whitelist.
- Do you have a better suggestion than the one I'm currently using with WSA (adding each sites in whitelist) ?
- Would it be possible to add the field HTTP referer as a matching condition for Identities and access policies in your next release ?
Thanks in advance
Best regards

As far as I'm aware this functionality is still not available... would be an awesome feature to have, but could also be abused at the same time by a user writing their own "middleware" proxy and setting the referrer header to that allowed site.. could be done in like ~15 lines of perl / python.
Either way... would still be a cool feature to have.

ACS 5.2 NDG Locations not showing up in Access Policies

When I add locations under Network Device Groups and then try and use them in my Access Policies they don't show up. It just says "No data to display". If I try and recreate them I get an error "Object you are trying to Create already exists.' but it is blank. I can run an export and they show up in the CSV file but they don't show up anywhere on the GUI. I have deleted the file and recreated with the same result.
I have been searching all over for anyone with a similar situation but have come up empty. Any thougts?
Regards,
Andy

I have recollections about two issues related to this:
- If there are mutliple attributes with the same name as the NDG. Eg if create a user attribute called "Locations" it can cause problems. Can be resolved by renaming the attribute
- Could be issues if word "system" appears in NDG node name
Not 100% sure for these (disclaimer) but wanted to mention in case it gives some pointers

E4200 Firmware 1.0.03 Parental Controls/ Intenet Access Policies not kicking in.

I have configured my e4200 to block traffic at certian times uses both the Parental Controls and the Intenet Access Polices. Neither one seems to work though. The traffic just keeps flowing.
I have the following summary in my IAP:
1    9toMidStoT                 Deny Sun, Mon, Tue, Wed, Thu   21:30 - 23:55
2    midto6AMEveryday   Deny   Every Day                              00:00 - 06:00
3    AllowDays                  Allow Every Day                                06:00 - 21:30
4    Late Allow Fri, Sat                                    21:30 - 23:55
Each of the four rules is enabled.
I have the same MAC addresses specified in each rule. Initally I had only the first two rules. Those didn't work, so I added rule 3 and 4 (they do the same thing as rules 1 and 2 but from the opposite direction). There are no compliaints, but they don't stop any traffic.
I started with the Parental Controls, they didn't work either. The page in there that lets you pick which machines you want to block seemed next to worthless. I have about four rows listed as "Network Device." REALLY LAME! As the MAC addresses are accesible and these weren't working I went to the IAP.
Does anyone else have this working? Is this feature broken in 1.0.03? I had it working in 1.0.01.
Thanks!

What happens when you set "block internet access" to always? I have also had weird experiences with this feature.
For example, as I am typing this message, I have instructed the router to block all internet access on this computer (using parental controls), yet I am still able to visit this forum; although, other websites are blocked. I'll also try your rules and see what effect they have on my computer.
I also agree with you about the annoying "network device" issue that happens when the router isn't able to identify the devices' hostnames. There are also devices that appear in that list, which haven't seen in my DHCP table for awhile.
I don't work for Cisco. I'm just here to help.

ACS v5 best practice w/ access policies.

Hello, I am in the process of deploying a ACS v5 appliance with 2 network devices talking through it to MS Active Directory via LDAP. It works great but I have a design question.
Our current access policy has one AD group match, one AD attribute match, and network device type is valid. If those 3 items match then permit access. Pretty simple. But my question is specific to the network device type. Is it best practice to have one large access policy with different network device types OR have one access policy per device type?
For example, lets say I have a 3000 series Concentrator and a 5500 series ASA and logging into the network via there devices I have the same IT support person and I am pulling the AD attribute msdialin=TRUE.
One Access Policy
1: IT Support memberOf=VPN User Allow Dial in=True Network Device=VPN 3000
2: IT Support memberOf=VPN User Allow Dial in=True Network Device=ASA 5500
Or have two Access Policies, one dedicated to each device type?
Access Services
>VPN 3000
>Authorization
1: IT Support memberOf=VPN User Allow Dial in=True
Access Services
>ASA 5500
>Authorization
1: IT Support memberOf=VPN User Allow Dial in=True
Just not sure which way to go. Any help is greatly appreciated.
e-

Hello, I am in the process of deploying a ACS v5 appliance with 2 network devices talking through it to MS Active Directory via LDAP. It works great but I have a design question.
Our current access policy has one AD group match, one AD attribute match, and network device type is valid. If those 3 items match then permit access. Pretty simple. But my question is specific to the network device type. Is it best practice to have one large access policy with different network device types OR have one access policy per device type?
For example, lets say I have a 3000 series Concentrator and a 5500 series ASA and logging into the network via there devices I have the same IT support person and I am pulling the AD attribute msdialin=TRUE.
One Access Policy
1: IT Support memberOf=VPN User Allow Dial in=True Network Device=VPN 3000
2: IT Support memberOf=VPN User Allow Dial in=True Network Device=ASA 5500
Or have two Access Policies, one dedicated to each device type?
Access Services
>VPN 3000
>Authorization
1: IT Support memberOf=VPN User Allow Dial in=True
Access Services
>ASA 5500
>Authorization
1: IT Support memberOf=VPN User Allow Dial in=True
Just not sure which way to go. Any help is greatly appreciated.
e-

ASA Dynamic Access Policies Issues

Similar Messages

Maybe you are looking for