Cisco ASA 5505 VPN connection issue ("Unable to add route")

Similar Messages

• ASA 5505 VPN Connection Issue

  Good morning everyone,
  At my last position I was IT Director whose area of expertise was database and application development. All of the company's networking planning and maintainence I entrusted to my sysadmin, Salvadore. Back in 2004 we began implementing major changes in the network. Salvadore recommended SonicWALL firewalls. He did a fantastic job of securing our valuable server assets. Among the many improvements Salvadore established VPN access to the datacenter assets for mobile employees. What I remember especially well was the ease-of-use: start the VPN Client then RDP to a server or connect with SQL Server, in addition to connecting to all devices on my home network. It was absolutely beautiful!
  Fast forward to today. I have since retired. I do a little bit of daytrading on the side for entertainment. I leased a dedicated server to run an application that runs continuously 24 hours a day, 5 days a week. I contacted Salvadore to do a security audit on the server. As expected the server was under constant assault by bots trying to hack the RDP port. Salvadore recommended a firewall. The datacenter host offered us two choices of Cisco firewalls, one of which we chose: ASA 5505.
  Today I have a secure server which pleases me. The one thing that bothers me however is that I lose access to my home network devices while the VPN Client is connected. Here are the symptoms:
  I cannot send an email with Outlook as I normally do by relaying off of my Internet provider's SMTP server.
  I cannot connect to the TradeStation servers with my TradeStation application using login credentials that are authorized for my home network only.
  I cannot access my Seagate network storage drive.
  This is what I discovered:
  My wireless adapter (which I use from this laptop) identifies itself as "Wireless LAN adapter Wireless Network Connection" in IPCONFIG. IPv4 address is 192.168.0.5. Default Gateway: 192.168.0.1.
  After I connect the VPN Client, IPCONFIG reports a new adapter: "Ethernet adapter Local Area Connection 2". IPv4 address is 10.0.10.4. Default Gateway: 10.0.10.1.
  When I launch Windows Task Manager and click on the Networking tab, I see those two adapters.
  When launch IE and go to bandwidthplace.com to run a test, I see all of the network traffic going over "Ethernet adapter Local Area Connection 2".
  When I disconnect VPN and then rerun the bandwidth test, I see that all of the network traffic now goes over "Wireless LAN adapter Wireless Network Connection".
  This explains all of the symptoms:
  My Internet Provider will only allow me to relay off of their email servers if I am connected to their network.
  TradeStation refuses connection to their network because my credentials do not match my network address.
  There is no Seagate network storage device on the remote server network.
  My questions to the Cisco Support Community are:
  Is this the best I can hope for?
  Must all traffic be routed through the VPN connection?
  Is there any way to route traffic destined for 10.0.*.* through VPN and everything else through the default connection?
  Thank you everyone for your help. I would be happy to provide additional detailed information.

  Hi Brian,
  you can route traffic destined to 10.0.*.* over the VPN and keep normal internet traffic unencrypted over the default connection - this setup is known as VPN Split Tunnelling.
  This doc shows how to setup the access control list and apply this to the tunnel policy.
  Hope this helps
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

• ASA 5505 vpn connection issues

  Hello I am having some issues with getting my vpn connection working on a new site. I get no internet connection when hooking up the asa. My current config is below. I have included a packet trace from my remote site to my main site. Any help would be appriciated, I am not very experanced in coniguring the devices.
  hostname ciscoasa
  domain-name .com
  enable password w3iW.W8jLtqmhFnt encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
   nameif inside
   security-level 100
   ip address 10.10.10.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 72.xxx.xx.xx 255.255.255.0
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
   domain-name .com
  access-list NONATACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.2
  55.255.0
  access-list VPNACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255
  .255.0
  access-list OUTSIDEACL extended permit icmp any any
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/flash
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONATACL
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group OUTSIDEACL in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 inside
  http 10.10.10.1 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESPDESMD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map VPNMAP 13 match address VPNACL
  crypto map VPNMAP 13 set peer 68.xx.xxx.xxx
  crypto map VPNMAP 13 set transform-set ESPDESMD5
  crypto map VPNMAP interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 13
   authentication pre-share
   encryption des
   hash md5
   group 2
   lifetime 86400
  telnet 10.10.10.0 255.255.255.0 inside
  telnet 192.1.1.0 255.255.255.0 outside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd dns 192.1.1.6 192.1.1.4
  dhcpd wins 192.1.1.6 192.1.1.4
  dhcpd ping_timeout 750
  dhcpd domain .com
  dhcpd auto_config outside
  dhcpd address 10.10.10.10-10.10.10.40 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  tunnel-group 76.xxx.xxx.xx type ipsec-l2l
  tunnel-group 76.xxx.xxx.xx ipsec-attributes
   pre-shared-key *
  tunnel-group 68.xx.xxx.xxx type ipsec-l2l
  tunnel-group 68.xx.xxx.xxx ipsec-attributes
   pre-shared-key *
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:229af8a14b475d91b876176163124158
  : end
  ciscoasa(config)#reciated

  Hello Belnet,
  What do the logs show from the ASA.
  Can you post them ??
  Any other question..Sure..Just remember to rate all of the community answers.
  Julio

• Cisco asa 5505 vpn issue

  I have a cisco asa 5505 that I am setting up VPN access too. I have multiple subnets all routed through  a layer 3 switch conected to my asa. My problem is I can ping everything on VLAN1 (192.168.100.0/24) but no other VLANS (10.141.152.0/23 etc.) 

  Post the config of your ASA and someone will be able to assist.

• CISCO ASA 5505 VPN problem in Windows 7

  I am using CISCO ASA 5505. Client PC with Windows XP can use IE to make the VPN connection normally.
  However, client PC with Windows 7 cannot use IE to make the VPN connection.
  It just show the error of "Internet Explorer cannot display the webpage"
  Would you please help?
  Thank you very much!

  Hi Timothy,
  Could you please try disabling UAC in Win 7. Also try to connect from a machine where you have admin privileges (in case you are trying connection from a restricted machine.
  Also, add the site under trusted sites in IE. i.e if you are connecting to https://1.1.1.1 or https://vpn.abc.com then please add it under the trusted sites:
  Let me know if this helps.
  Thanks,
  Vishnu Sharma

• Cisco ASA 5505 VPN Routing/Networking Question

  I have a very basic question about Cisco ASA 5505 IPsec Site to Site VPNs.  I want to install a Cisco ASA 5505 at a Data Center, in a LAN subnet that utilizes publicly routable IP addresses.  I would like to install a second Cisco ASA 5505 in a remote branch office as its peer. 
  Regardless of whether I use publicly routable IPs at the branch office in the "inside" network or non-routable IPs, how would the devices and servers at the Data Center know to route IP packets destined for the branch office back through the Cisco ASA instead of through the default gateway at the Data Center?  I can see accomplishing this if every single device at the Data Center is configured with routing table entries, but that isn't feasible.  It also isn't feasible to use the Cisco ASA 5505 as the default gateway for all of the devices as the Data Center, allowing it to decide where the traffic should go.
  What am I missing?  Is the solution to try to map branch office IPs to IP addresses within the Data Center's LAN subnet so that all of the traffic is on the same subnet?

  You can do it in several different ways.
  One way is to tell the server that if it has traffic to network x then it needs to go to the ASA all other traffic is to head for the default gateway.
  In windows this is done via the route command
  do not forget to make it "persistent" otherwise the route will disapear when your reboot the server.
  in unix/linux
  It is also the route command
  Or you can tell your "default gateway" to route that network to the ASA
  Good luck
  HTH

• Port Forwarding for Cisco ASA 5505 VPN

  This is the Network
  Linksys E2500 ---> Cisco ASA 5505 ---> Server
  I beleive I need to forward some ports to the asa to use the IPsec VPN I just setup. I had the SSL VPN working but only needed to forward 443 for that....I assume that IPsec tunnel is a specific port.
  Thank You

  For IPSec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.
  Command to enable NAT-T on ASA:
  crypto isakmp nat-traversal 30

• ASA 5505 VPN conenction issue

  Good morning everyone. I am in need of some help. I am a newbie when it comes to configuring the ASA. Here is my problem. I have the asa configure and it is allowing me to get out to the internet. I have several VLANs on my network and from inside I can ping everything. I have created the VPN and I am able to connect to it and get in IP assigned from the pool of address. If I have multiple connections I can ping the other PCs. Right now I am able to ping the outside and inside interfaces of the ASA but no where else. I have split tunneling enabled. Here is a copy of my config.
  Thanks
  Dave 
  Result of the command: "sh run"
  : Saved
  : Serial Number: *****
  : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  ASA Version 9.1(5)21
  hostname Main-ASA
  domain-name *****
  enable password ***** encrypted
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
  interface Ethernet0/0
   switchport access vlan 12
  interface Ethernet0/1
   switchport access vlan 2
  interface Ethernet0/2
   shutdown
  interface Ethernet0/3
   shutdown
  interface Ethernet0/4
   shutdown
  interface Ethernet0/5
   shutdown
  interface Ethernet0/6
   shutdown
  interface Ethernet0/7
   shutdown
  interface Vlan2
   nameif inside
   security-level 100
   ip address 192.168.0.1 255.255.255.252
  interface Vlan12
   nameif Outside
   security-level 0
   ip address dhcp setroute
  banner login *************************************
  banner login       Unuathorized access is prohibited !!
  banner login *************************************
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns domain-lookup Outside
  dns server-group DefaultDNS
   domain-name *****
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network VLAN54
   subnet 192.168.54.0 255.255.255.0
   description VLAN 54
  object network Management
   subnet 192.168.80.0 255.255.255.0
   description Management
  object network VLAN51
   subnet 192.168.51.0 255.255.255.0
   description VLAN 51
  object network VLAN52
   subnet 192.168.52.0 255.255.255.0
   description VLAN 52
  object network VLAN53
   subnet 192.168.53.0 255.255.255.0
   description VLAN 53
  object network VLAN55
   subnet 192.168.55.0 255.255.255.0
   description VLAN 55
  object network VLAN56
   subnet 192.168.56.0 255.255.255.0
   description VLAN 56
  object service 443
   service tcp destination eq https
  object service 80
   service tcp destination eq www
  object service 8245
   service tcp destination eq 8245
  object service 25295
   service udp destination eq 25295
   description Blocking 25295
  object network VPN-Connections
   subnet 192.168.59.0 255.255.255.0
   description VPN Connections
  object-group service No-IP
   description no-ip.com DDNS Update
   service-object object 80
   service-object object 8245
   service-object object 443
  access-list inside_access_in remark No-ip DDNS Update
  access-list inside_access_in extended permit object-group No-IP object VLAN51 any
  access-list inside_access_in extended permit ip any any
  access-list VPN standard permit 192.168.0.0 255.255.0.0
  access-list Outside_access_in remark Blocking 25295 to HTPC
  access-list Outside_access_in extended deny object 25295 any object VLAN54
  pager lines 24
  logging enable
  logging asdm warnings
  mtu inside 1500
  mtu Outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,Outside) source dynamic any interface
  access-group inside_access_in in interface inside
  access-group Outside_access_in in interface Outside
  router eigrp 1
   no auto-summary
   network 192.168.0.0 255.255.255.252
   network 192.168.59.0 255.255.255.0
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server LDAP protocol ldap
  aaa-server LDAP (inside) host 192.168.51.1
   server-port 636
   ldap-base-dn cn=users,dc=spicerslocal
   ldap-scope subtree
   ldap-naming-attribute cn
   ldap-login-password *****
   ldap-login-dn cn=users,dc=*****
   sasl-mechanism digest-md5
   ldap-over-ssl enable
   server-type microsoft
  user-identity default-domain LOCAL
  http server enable
  http 192.168.0.0 255.255.0.0 inside
  http 0.0.0.0 0.0.0.0 Outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map Outside_map interface Outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
   enrollment self
   subject-name CN=Main-ASA
   crl configure
  crypto ca trustpool policy
  crypto ca certificate chain ASDM_TrustPoint0
   certificate
    quit
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-192
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 20
   encryption aes
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable Outside
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  telnet timeout 5
  ssh stricthostkeycheck
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  management-access inside
  vpn-addr-assign local reuse-delay 5
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl trust-point ASDM_TrustPoint0 Outside
  ssl trust-point ASDM_TrustPoint0 inside
  webvpn
   enable Outside
   anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
   anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
   anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
   anyconnect profiles AnyC-SSL-VPN_client_profile disk0:/AnyC-SSL-VPN_client_profile.xml
   anyconnect enable
   tunnel-group-list enable
  group-policy DfltGrpPolicy attributes
   dns-server value 192.168.51.1 8.8.8.8
   vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value VPN
   default-domain value *****
   split-dns value 8.8.8.8
  group-policy GroupPolicy_AnyC-SSL-VPN internal
  group-policy GroupPolicy_AnyC-SSL-VPN attributes
   wins-server none
   dns-server value 8.8.8.8
   vpn-tunnel-protocol ikev2 ssl-client
   default-domain value *****
   webvpn
    anyconnect profiles value AnyC-SSL-VPN_client_profile type user
  username Dave password ***** encrypted privilege 15
  username Don password ***** encrypted privilege 15
  tunnel-group AnyC-SSL-VPN type remote-access
  tunnel-group AnyC-SSL-VPN general-attributes
   address-pool AnyC-CPN-Client-Pool
  tunnel-group AnyC-SSL-VPN webvpn-attributes
   group-alias AnyC-SSL-VPN enable
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:af0fad1092e0314b0a80f20add03e3f7
  : end

  Hi Dave,
  It seems to be an issue with the NAT, I saw your VPN configuration:
  ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
  unnel-group AnyC-SSL-VPN type remote-access
  tunnel-group AnyC-SSL-VPN general-attributes
   address-pool AnyC-CPN-Client-Pool
  tunnel-group AnyC-SSL-VPN webvpn-attributes
   group-alias AnyC-SSL-VPN enable
  group-policy DfltGrpPolicy attributes
   dns-server value 192.168.51.1 8.8.8.8
   vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value VPN
   default-domain value *****
   split-dns value 8.8.8.8
  access-list VPN standard permit 192.168.0.0 255.255.0.0
  You will need to set up a NAT exemption as follow:
  object-group network obj-192.168.59.0-Pool
   network-object 192.168.59.0 255.255.255.0
  object-group network obj-192.168.0.0
   network-object 192.168.0.0 255.255.0.0
  nat (inside,outside) 1 source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.59.0-Pool obj-192.168.59.0-Pool no-proxy-arp route-lookup
  Please proceed to rate and mark as correct this post, if it helps!
  David Castro,
  Regards,

• Cisco ASA 5505 VPN help for local lan access.

  Hi all,
  I am very new to Cisco systems. Recently I was tasked to enable local lan access for one of my server. The problem is this. I have this server with 2 interfaces. One interface to my FTP server(192.168.2.3) and the other to the Cisco ASA(192.168.1.1). Whenever I connect the server to Cisco Anyconnect VPN, I am unable to access the FTP server anymore.
  I googled and found out that the problem is because the metric level is 1 for Ciscoanyconnect network interface which causes all traffic to go through the Cisco VPN Interface. Another problem is I can't change the metric of the Cisco VPN Interface as whenever I reconnect to the VPN, the metric resets back to 1 again. I tried to follow some guides to configure split tunnel but my traffic is still going through the VPN connection.
  Anyone can tell me what I am missing here? Sorry I am very new to Cisco systems. Spent about 5 days troubleshooting and I feel I am getting it soon. Anyone can guide me what else I am supposed to do?
  What I did> Configuration>> Remote access VPN>> Network Client Access>> Group Policies>> Advanced>> Split Tunneling>> Uncheck Inherit and select "Exclude Network List below.>> Uncheck Network List and select Manage, Add 192.168.2.0/24 to permit.
  Really appreciate if anyone can tell me what else I can do to ensure my server has access the my FTP Server after connecting to the VPN.
  Thanks all!
  Wen Qi

  Hi,
  Try adding the following configuration
  policy-map global_policy
  class inspection_default
    inspect pptp
  And then try again.
  I'm not 100% would you need to perhaps allow GRE through the firewall even after that. (Protocol 47)
  - Jouni

• Cisco ASA 5505 VPN Remote Acces Problem

  Hello Guys .. i have cisco 5505 Asa security Adaptive , and i have two local networks 192.168.1.0 /24   and 192.168.2.0/24 , and i have my ISP public connection,,,,,what i want to do is i want to connect Remote VPN connection and access my  Private Network of 192. my public ip is like 155.155.155.0 /24    ...
  i put my ISP connection in the EO/0 and my private networks into E0/1 and E0/2.
  so i created a remote vpn connection ,, and then i connected to the VPN ..
  My problem i can't reach and access my private networks .. this probem frustrated me a lot .. so cisco guys please help me
  and iam using ASDM cisco graphic interface

  Hi Timothy,
  Could you please try disabling UAC in Win 7. Also try to connect from a machine where you have admin privileges (in case you are trying connection from a restricted machine.
  Also, add the site under trusted sites in IE. i.e if you are connecting to https://1.1.1.1 or https://vpn.abc.com then please add it under the trusted sites:
  Let me know if this helps.
  Thanks,
  Vishnu Sharma

• Cisco ASA 5505 - IPsec Tunnel issue

  Issue with IPsec Child SA
  Hi,
  I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
  hostname GARPR-COM1-WF01
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  interface Ethernet0/0
   description Failover Link
   switchport access vlan 950
  interface Ethernet0/1
   description Outside FW Link
   switchport access vlan 999
  interface Ethernet0/2
   description Inside FW Link
   switchport access vlan 998
  interface Ethernet0/3
   description Management Link
   switchport access vlan 6
  interface Ethernet0/4
   shutdown
  interface Ethernet0/5
   shutdown
  interface Ethernet0/6
   shutdown
  interface Ethernet0/7
   shutdown
  interface Vlan1
   no nameif
   no security-level
   no ip address
  interface Vlan6
   nameif management
   security-level 100
   ip address 10.65.1.20 255.255.255.240
  interface Vlan950
   description LAN Failover Interface
  interface Vlan998
   nameif inside
   security-level 100
   ip address 10.65.1.5 255.255.255.252
  interface Vlan999
   nameif outside
   security-level 0
   ip address ************* 255.255.255.248
  boot system disk0:/asa922-4-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
   domain-name ***************
  object network North_American_LAN
   subnet 10.73.0.0 255.255.0.0
   description North American LAN
  object network Queretaro_LAN
   subnet 10.74.0.0 255.255.0.0
   description Queretaro_LAN
  object network Tor_LAN
   subnet 10.75.0.0 255.255.0.0
   description Tor LAN
  object network Mor_LAN
   subnet 10.76.0.0 255.255.0.0
   description Mor LAN
  object network Tus_LAN
   subnet 10.79.128.0 255.255.128.0
   description North American LAN
  object network Mtl_LAN
   subnet 10.88.0.0 255.255.0.0
   description Mtl LAN
  object network Wic_LAN
   subnet 10.90.0.0 255.254.0.0
   description Wic LAN
  object network Wic_LAN_172
   subnet 172.18.0.0 255.255.0.0
   description Wic Servers/Legacy Client LAN
  object network Mtl_LAN_172
   subnet 172.19.0.0 255.255.0.0
   description Mtl Servers/Legacy Client LAN
  object network Tor_LAN_172
   subnet 172.20.0.0 255.255.0.0
   description Tor Servers/Legacy Client LAN
  object network Bridge_LAN_172
   subnet 172.23.0.0 255.255.0.0
   description Bridge Servers/Legacy Client LAN
  object network Mtl_WLAN
   subnet 10.114.0.0 255.255.0.0
   description Mtl Wireless LAN
  object network Bel_WLAN
   subnet 10.115.0.0 255.255.0.0
   description Bel Wireless LAN
  object network Wic_WLAN
   subnet 10.116.0.0 255.255.0.0
   description Wic Wireless LAN
  object network Mtl_Infrastructure_10
   subnet 10.96.0.0 255.255.0.0
   description Mtl Infrastructre LAN
  object network BA_Small_Site_Blocks
   subnet 10.68.0.0 255.255.0.0
   description BA Small Sites Blocks
  object network Bel_LAN
   subnet 10.92.0.0 255.255.0.0
   description Bel LAN 10 Network
  object network LAN_172
   subnet 172.25.0.0 255.255.0.0
   description  LAN 172 Network
  object network Gar_LAN
   subnet 10.65.1.0 255.255.255.0
   description Gar LAN
  object network garpr-com1-wf01.net.aero.bombardier.net
   host **************
   description Garching Firewall
  object-group network BA_Sites
   description Internal Networks
   network-object object BA_Small_Site_Blocks
   network-object object Bel_LAN
   network-object object Bel_LAN_172
   network-object object Bel_WLAN
   network-object object Bridge_LAN_172
   network-object object Mtl_Infrastructure_10
   network-object object Mtl_LAN
   network-object object Mtl_LAN_172
   network-object object Mtl_WLAN
   network-object object Mor_LAN
   network-object object North_American_LAN
   network-object object Queretaro_LAN
   network-object object Tor_LAN
   network-object object Tor_LAN_172
   network-object object Tus_LAN
   network-object object Wic_LAN
   network-object object Wic_LAN_172
   network-object object Wic_WLAN
  access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
  access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
  pager lines 24
  logging enable
  logging timestamp
  logging buffered warnings
  logging trap informational
  logging asdm informational
  logging host outside 172.25.5.102
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  failover
  failover lan unit primary
  failover lan interface Failover_Link Vlan950
  failover polltime interface msec 500 holdtime 5
  failover key *****
  failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-731-101.bin
  asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
  route outside 0.0.0.0 0.0.0.0 ************* 1
  route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
  route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
  route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
  route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
  route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
  route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 10.65.1.0 255.255.255.0 inside
  http 172.25.5.0 255.255.255.0 inside
  http 10.65.1.21 255.255.255.255 management
  snmp-server host inside 172.25.49.0 community ***** udp-port 161
  snmp-server host outside 172.25.49.0 community *****
  snmp-server host inside 172.25.5.101 community ***** udp-port 161
  snmp-server host outside 172.25.5.101 community *****
  snmp-server host inside 172.25.81.88 poll community *****
  snmp-server host outside 172.25.81.88 poll community *****
  snmp-server location:
  snmp-server contact
  snmp-server community *****
  snmp-server enable traps syslog
  crypto ipsec ikev2 ipsec-proposal aes256
   protocol esp encryption aes-256
   protocol esp integrity sha-1
  crypto ipsec security-association lifetime seconds 3600
  crypto ipsec security-association pmtu-aging infinite
  crypto map GARCH 10 match address 101
  crypto map GARCH 10 set pfs group19
  crypto map GARCH 10 set peer *******************
  crypto map GARCH 10 set ikev2 ipsec-proposal aes256
  crypto map GARCH 10 set security-association lifetime seconds 3600
  crypto map GARCH interface outside
  crypto ca trustpool policy
  no crypto isakmp nat-traversal
  crypto ikev2 policy 10
   encryption aes-256
   integrity sha256
   group 19
   prf sha256
   lifetime seconds 86400
  crypto ikev2 enable outside
  telnet 10.65.1.6 255.255.255.255 inside
  telnet timeout 5
  ssh stricthostkeycheck
  ssh 172.25.5.0 255.255.255.0 inside
  ssh 172.19.9.49 255.255.255.255 inside
  ssh 172.25.5.0 255.255.255.0 outside
  ssh 172.19.9.49 255.255.255.255 outside
  ssh timeout 30
  ssh version 2
  ssh key-exchange group dh-group1-sha1
  console timeout 30
  management-access inside
  dhcprelay server 172.25.81.1 outside
  dhcprelay server 172.25.49.1 outside
  dhcprelay enable inside
  dhcprelay timeout 60
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 172.19.109.41
  ntp server 172.19.109.42
  ntp server 172.19.9.49 source outside
  tunnel-group ********* type ipsec-l2l
  tunnel-group ********* ipsec-attributes
   ikev2 remote-authentication pre-shared-key *****
   ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
  : end
  I believe when a VPN tunnel is setup there should be one Child sa per subnet. The internal network of 10.65.1.0/24 should be setup with a child sa to the networks that were specified above depending on if there is traffic destined for them. What I am seeing is multiple child sa setup for the same subnet like the example below:
  GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
  where for destination network 10.92.0.0/16 there is only one child sa:
  GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
            remote selector 10.92.0.0/0 - 10.92.255.255/6553
  Should this be the case or does anyone have any idea why there is multiple child sa setup for the same subnet?
  Thanks
  Jonathan

  Hi there,
  I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
  I don't know, the device is too old to stay alive.
  thanks

• ASA 5505 vpn/OWA issue

  I have a client that is running Win2003 Server R2 with Exchange Server 2003. OWA was setup and clients could connect to their exchange mailbox from the internet with no problems.
  We recently configured vpn on the ASA 5505 and now no-one can connect to OWA since that time.
  Any thoughts?

  Have you been using the ASDM to configure the VPN? In that case, you may have removed the required portforwarding or modified the access-list that allows traffic from the outside.
  regards,
  Leo

• Cisco ASA 5505 VPN with iPhone

  Hello Everyone. I am a newbie to the Cisco appliances, so please bear with me. I am trying to configure this unit to allow iPhone VPN access to our network to sync LOTUS DOMINO (Not Exchange) user's Email, Contacts, and Calendar. We have a Sonicwall NSA 2400 that is our main router, so the ASA will only be used for VPN access, not routing. It will be in the DMZ providing VPN access for the iPhones. With the VPN connected, we need to limit access to only those services required by the iphone to sync information. The Software version on the Cisco is 7.2(4). If there is anyone that could help me out, I would greatly appreciate it. Please remember I am new to this, so please be patient. Where do I begin? I hope to hear from anyone soon.

  Hi,
  I cannot help you with the Cisco side of the equation, but do you know about Lotus Traveler? It's free from IBM and essentially adds ActiveSync support to your Domino email environment. The iPhone is configured with an Exchange ActiveSync account and pointed to the Lotus Traveler server (which sits in your DMZ and only needs port 80/443 access). It gives you full push email/contacts/calendar (Blackberry-like) functionality.
  Like I said, it's a free add-on from IBM Lotus for all licensed Domino users.

• Cisco ASA 5505 VPN problem

  I've got a new 5505, and I've run through two wizards: one to start up, one to add client VPN. As a result, I can now connect from a client, the client gets the right info (ip adress, dns, gateway), but it cannot connect to any of the servers on the 'inside' network. The config is here:
  http://www.dubbele.com/asaconfig.txt.
  I've tried a lot of different things, but I cannot seem to get what's going wrong. Any clues would be very welcome!

  John,
  I strongly suggest to always use different ip-scheme for each of vpn RA tunnels and that they not be the same any of the asa inside interfaces.
  interface Vlan1
  ip address 192.168.6.25 255.255.255.0
  ip local pool vpnhaarlem 192.168.6.150-192.168.6.175 mask 255.255.255.0
  for vpnhaarlem do the following.
  use a unique private IP scheme for it as you have done with rotterdam , as an example lets use 10.20.20.0/24
  remove
  no ip local pool vpnhaarlem 192.168.6.150-192.168.6.175 mask 255.255.255.0
  add
  ip local pool vpnhaarlem 10.20.20.1-10.20.20.254 mask 255.255.255.0
  This first line acl is ok but persoannly I suggest to be more granular allowing specific RA tunnel group networks and not just permit ip any, again example for 10.20.20.0/24 network .
  stick with one no NAT acl for RA tunnels like inside_nat0_outbound remove the 1 and 2 otherwise you will have to create more
  nat (inside) access-list statements for RA networks.
  remove
  no access-list inside_nat0_outbound_1 extended permit ip any 192.168.6.0 255.255.255.0
  no access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.6.0 255.255.255.0
  add
  access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 10.20.20.0 255.255.255.0
  for the rotterdam tunnel group it is fine with unique IP scheme , I would apply my suggestion above
  no access-list inside_nat0_outbound_2 extended permit ip 192.168.6.0 255.255.255.0 192.168.6.128 255.255.255.192
  access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0
  re-adjust the no-nat acl statement bellow
  no nat (inside) 0 access-list inside_nat0_outbound_2
  nat (inside) 0 access-list inside_nat0_outbound
  Let us know how it works out
  Rgds
  Jorge

• Cisco ASA 5505 VPN Anyconnect no address assignment

  I have a problem with ip assigment via anyconnect. I always get the message no assigned address via anyconnect. I assigned to my profile for vpn a address pool, but it's still not working. Here is my config:
  hostname firewall
  domain-name ITTRIPP.local
  enable password 8K8UeTZ9KV5Lvofo encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  ip local pool 192.168.178.0 192.168.178.151-192.168.178.171 mask 255.255.255.255
  ip local pool net-10 10.0.0.1-10.0.0.10 mask 255.255.255.0
  ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
   switchport access vlan 3
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   description Private Interface
   nameif inside
   security-level 100
   ip address 192.168.178.10 255.255.255.0
   ospf cost 10
  interface Vlan2
   description Public Interface
   nameif outside
   security-level 0
   ip address 192.168.177.2 255.255.255.0
   ospf cost 10
  interface Vlan3
   description DMZ-Interface
   nameif dmz
   security-level 0
   ip address 10.10.10.2 255.255.255.0
  boot system disk0:/asa914-k8.bin
  ftp mode passive
  dns domain-lookup inside
  dns domain-lookup outside
  dns domain-lookup dmz
  dns server-group DefaultDNS
   name-server 192.168.178.3
   name-server 192.168.177.1
   domain-name ITTRIPP.local
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network 192.168.178.x
   subnet 192.168.178.0 255.255.255.0
  object network NETWORK_OBJ_192.168.178.0_26
   subnet 192.168.178.0 255.255.255.192
  object service teamviewer
   service tcp source eq 5938
  object service smtp_tls
   service tcp source eq 587
  object service all_tcp
   service tcp source range 1 65535
  object service udp_all
   service udp source range 1 65535
  object network NETWORK_OBJ_192.168.178.128_26
   subnet 192.168.178.128 255.255.255.192
  object network NETWORK_OBJ_10.0.0.0_28
   subnet 10.0.0.0 255.255.255.240
  object-group service Internet-udp udp
   description UDP Standard Internet Services
   port-object eq domain
   port-object eq ntp
   port-object eq isakmp
   port-object eq 4500
  object-group service Internet-tcp tcp
   description TCP Standard Internet Services
   port-object eq www
   port-object eq https
   port-object eq smtp
   port-object eq 465
   port-object eq pop3
   port-object eq 995
   port-object eq ftp
   port-object eq ftp-data
   port-object eq domain
   port-object eq ssh
   port-object eq telnet
  object-group user DM_INLINE_USER_1
   user LOCAL\admin
   user LOCAL\lukas
   user LOCAL\sarah
  object-group service DM_INLINE_TCP_1 tcp
   port-object eq ftp
   port-object eq ftp-data
   port-object eq ssh
  object-group service 192.168.178.network tcp
   port-object eq 5000
   port-object eq 5001
  object-group service DM_INLINE_SERVICE_1
   service-object object smtp_tls
   service-object tcp destination eq imap4
   service-object object teamviewer
  object-group service DM_INLINE_SERVICE_2
   service-object object all_tcp
   service-object object udp_all
  object-group service DM_INLINE_SERVICE_3
   service-object object all_tcp
   service-object object smtp_tls
   service-object object teamviewer
   service-object object udp_all
   service-object tcp destination eq imap4
  object-group service vpn udp
   port-object eq 1701
   port-object eq 4500
   port-object eq isakmp
  object-group service openvpn udp
   port-object eq 1194
  access-list NAT-ACLs extended permit ip 192.168.178.0 255.255.255.0 any
  access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside in                                                                                                                    terface]=-
  access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any object                                                                                                                    -group Internet-udp
  access-list inside-in extended permit tcp 192.168.178.0 255.255.255.0 any object                                                                                                                    -group Internet-tcp
  access-list inside-in extended permit icmp 192.168.178.0 255.255.255.0 any
  access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any eq sip                                                                                                                    
  access-list inside-in extended permit object-group DM_INLINE_SERVICE_1 192.168.1                                                                                                                    78.0 255.255.255.0 any
  access-list inside-in extended permit object-group DM_INLINE_SERVICE_2 192.168.1                                                                                                                    78.0 255.255.255.0 any
  access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE in                                                                                                                    terface]=-
  access-list outside-in extended permit icmp any 192.168.178.0 255.255.255.0 echo                                                                                                                    -reply
  access-list outside-in extended permit tcp object-group-user DM_INLINE_USER_1 an                                                                                                                    y host 192.168.178.95 object-group DM_INLINE_TCP_1
  access-list outside-in extended permit tcp any host 192.168.178.95 object-group                                                                                                                     192.168.178.network
  access-list outside-in extended permit tcp any 192.168.178.0 255.255.255.0 eq si                                                                                                                    p
  access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.                                                                                                                    251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Nam                                                                                                                    e Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.                                                                                                                    252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbi                                                                                                                    os-ns
  access-list dmz_access_in remark -=[Access Lists For Outgoing Packets from DMZ i                                                                                                                    nterface]=-
  access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_3 10.10                                                                                                                    .10.0 255.255.255.0 any
  access-list dmz_access_in extended permit icmp 10.10.10.0 255.255.255.0 any
  access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 any objec                                                                                                                    t-group Internet-tcp
  access-list dmz_access_in extended permit udp 10.10.10.0 255.255.255.0 any objec                                                                                                                    t-group Internet-udp
  pager lines 24
  logging enable
  logging buffer-size 30000
  logging buffered debugging
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static any any destination static NETWORK_OBJ_192.16                                                                                                                    8.178.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
  nat (dmz,outside) source static any any destination static NETWORK_OBJ_192.168.1                                                                                                                    78.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
  nat (inside,outside) source static any any destination static NETWORK_OBJ_192.16                                                                                                                    8.178.128_26 NETWORK_OBJ_192.168.178.128_26 no-proxy-arp route-lookup
  nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0                                                                                                                    .0_28 NETWORK_OBJ_10.0.0.0_28 no-proxy-arp route-lookup
  object network 192.168.178.x
   nat (inside,outside) dynamic interface
  nat (dmz,outside) after-auto source dynamic 192.168.178.x interface
  access-group inside-in in interface inside
  access-group outside-in in interface outside
  access-group dmz_access_in in interface dmz
  route outside 0.0.0.0 0.0.0.0 192.168.177.1 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server ITTRIPP protocol ldap
  aaa-server ITTRIPP (inside) host 192.168.178.3
   ldap-base-dn CN=Users,DC=ITTRIPP,DC=local
   ldap-scope subtree
   ldap-naming-attribute sAMAccountName
   ldap-login-password *****
   ldap-login-dn CN=Administrator,DC=ITTRIPP,DC=local
   server-type microsoft
  user-identity default-domain LOCAL
  eou allow none
  aaa authentication telnet console LOCAL
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  aaa local authentication attempts max-fail 5
  http server enable
  http 192.168.178.0 255.255.255.0 inside
  http redirect outside 80
  http redirect inside 80
  http redirect dmz 80
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-A                                                                                                                    ES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-A                                                                                                                    ES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES2                                                                                                                    56 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map dmz_map interface dmz
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
   enrollment self
   subject-name CN=firewall
   crl configure
  crypto ca trustpoint ASDM_TrustPoint1
   enrollment self
   fqdn l1u.dyndns.org
   email [email protected]
   subject-name CN=l1u.dyndns.org,OU=VPN Services,O=ITTRIPP,C=DE,St=NRW,L=PLBG,EA=                                                                                                                    [email protected]
   serial-number
   crl configure
  crypto ca trustpool policy
  crypto ca certificate chain ASDM_TrustPoint0
   certificate 6a871953
      308201cf 30820138 a0030201 0202046a 87195330 0d06092a 864886f7 0d010105
      0500302c 3111300f 06035504 03130866 69726577 616c6c31 17301506 092a8648
      86f70d01 09021608 66697265 77616c6c 301e170d 31343033 30373039 31303034
      5a170d32 34303330 34303931 3030345a 302c3111 300f0603 55040313 08666972
      6577616c 6c311730 1506092a 864886f7 0d010902 16086669 72657761 6c6c3081
      9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c0 8f17fa6c
      2f227dd9 9d2856e1 b1f8193b 13c61cfe 2d6cbf94 62373535 71db9ac7 5f4ad79f
      7594cfef 1360d88d ad3c69c1 6e617071 c6629bfa 3c77c2d2 a59b1ce1 39ae7a44
      3f8c852d f51d03c1 d9924f7c 24747bbb bf79af9a 68365ed8 7f56e58c a37c7036
      4db983e0 414d1b5e a8a2226f 7c76f50d d14ca714 252f7fbb d4a23d02 03010001
      300d0609 2a864886 f70d0101 05050003 81810019 0d0bbce4 31d9342c 3965eb56
      4dde42e0 5ea57cbb a79b3542 4897521a 8a6859c6 daf5e356 9526346d f13fb344
      260f3fc8 fca6143e 25b08f3d d6780448 3e0fdf6a c1fe5379 1b9227b1 cee01a20
      aa252698 6b29954e ea8bb250 4310ff96 f6c6f0dc 6c7c6021 3c72c756 f7b2e6a1
      1416d222 0e11ca4a 0f0b840a 49489303 b76632
    quit
  crypto ca certificate chain ASDM_TrustPoint1
   certificate 580c1e53
      308202ff 30820268 a0030201 02020458 0c1e5330 0d06092a 864886f7 0d010105
      05003081 c3312230 2006092a 864886f7 0d010901 16136d61 696c406c 31752e64
      796e646e 732e6f72 67310d30 0b060355 04071304 504c4247 310c300a 06035504
      0813034e 5257310b 30090603 55040613 02444531 10300e06 0355040a 13074954
      54524950 50311530 13060355 040b130c 56504e20 53657276 69636573 31173015
      06035504 03130e6c 31752e64 796e646e 732e6f72 67313130 12060355 0405130b
      4a4d5831 3533345a 30575430 1b06092a 864886f7 0d010902 160e6c31 752e6479
      6e646e73 2e6f7267 301e170d 31343033 31353036 35303535 5a170d32 34303331
      32303635 3035355a 3081c331 22302006 092a8648 86f70d01 09011613 6d61696c
      406c3175 2e64796e 646e732e 6f726731 0d300b06 03550407 1304504c 4247310c
      300a0603 55040813 034e5257 310b3009 06035504 06130244 45311030 0e060355
      040a1307 49545452 49505031 15301306 0355040b 130c5650 4e205365 72766963
      65733117 30150603 55040313 0e6c3175 2e64796e 646e732e 6f726731 31301206
      03550405 130b4a4d 58313533 345a3057 54301b06 092a8648 86f70d01 0902160e
      6c31752e 64796e64 6e732e6f 72673081 9f300d06 092a8648 86f70d01 01010500
      03818d00 30818902 818100c0 8f17fa6c 2f227dd9 9d2856e1 b1f8193b 13c61cfe
      2d6cbf94 62373535 71db9ac7 5f4ad79f 7594cfef 1360d88d ad3c69c1 6e617071
      c6629bfa 3c77c2d2 a59b1ce1 39ae7a44 3f8c852d f51d03c1 d9924f7c 24747bbb
      bf79af9a 68365ed8 7f56e58c a37c7036 4db983e0 414d1b5e a8a2226f 7c76f50d
      d14ca714 252f7fbb d4a23d02 03010001 300d0609 2a864886 f70d0101 05050003
      81810087 8aca9c2b 40c9a326 4951c666 44c311b6 5f3914d5 69fcbe0a 13985b51
      336e3c1b ae29c922 c6c1c29d 161fd855 984b6148 c6cbd50f ff3dde66 a71473c4
      ea949f87 b4aca243 8151acd8 a4a426d1 7a434fbd 1a14bd90 0abe5736 4cd0f21b
      d194b3d6 9ae45fab 2436ccbf d59d6ba9 509580a0 ad8f4131 39e6ccf1 1b7a125d
      d50e4e
    quit
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-192
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 20
   encryption aes
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable inside client-services port 443
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 enable dmz client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
  crypto ikev1 enable outside
  crypto ikev1 policy 10
   authentication crack
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 20
   authentication rsa-sig
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 30
   authentication pre-share
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 40
   authentication crack
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 50
   authentication rsa-sig
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 60
   authentication pre-share
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 70
   authentication crack
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 80
   authentication rsa-sig
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 90
   authentication pre-share
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 100
   authentication crack
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 110
   authentication rsa-sig
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 120
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 130
   authentication crack
   encryption des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 140
   authentication rsa-sig
   encryption des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 150
   authentication pre-share
   encryption des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 65535
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet 192.168.178.0 255.255.255.0 inside
  telnet timeout 5
  ssh 192.168.178.0 255.255.255.0 inside
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  no vpn-addr-assign aaa
  no vpn-addr-assign local
  no ipv6-vpn-addr-assign aaa
  dhcp-client update dns server both
  dhcpd update dns both
  dhcpd address 192.168.178.100-192.168.178.150 inside
  dhcpd dns 192.168.178.3 192.168.177.1 interface inside
  dhcpd wins 192.168.178.3 interface inside
  dhcpd domain ITTRIPP.local interface inside
  dhcpd update dns both interface inside
  dhcpd option 3 ip 192.168.178.10 interface inside
  dhcpd option 4 ip 192.168.178.3 interface inside
  dhcpd option 6 ip 192.168.178.3 192.168.177.1 interface inside
  dhcpd option 66 ip 192.168.178.95 interface inside
  dhcpd enable inside
  dhcpd address 192.168.177.100-192.168.177.150 outside
  dhcpd dns 192.168.178.3 192.168.177.1 interface outside
  dhcpd wins 192.168.178.3 interface outside
  dhcpd domain ITTRIPP.local interface outside
  dhcpd update dns both interface outside
  dhcpd option 3 ip 192.168.177.2 interface outside
  dhcpd option 4 ip 192.168.178.3 interface outside
  dhcpd option 6 ip 192.168.178.3 interface outside
  dhcpd enable outside
  dhcpd address 10.10.10.100-10.10.10.150 dmz
  dhcpd dns 192.168.178.3 192.168.177.1 interface dmz
  dhcpd wins 192.168.178.3 interface dmz
  dhcpd domain ITTRIPP.local interface dmz
  dhcpd update dns both interface dmz
  dhcpd option 3 ip 10.10.10.2 interface dmz
  dhcpd option 4 ip 192.168.178.3 interface dmz
  dhcpd option 6 ip 192.168.178.3 interface dmz
  dhcpd enable dmz
  threat-detection basic-threat
  threat-detection statistics
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag                                                                                                                    e-rate 200
  tftp-server inside 192.168.178.105 /volume1/data/tftp
  ssl encryption 3des-sha1
  ssl trust-point ASDM_TrustPoint0
  ssl trust-point ASDM_TrustPoint1 outside
  ssl trust-point ASDM_TrustPoint1 dmz
  ssl trust-point ASDM_TrustPoint0 dmz vpnlb-ip
  ssl trust-point ASDM_TrustPoint1 inside
  ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
  ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
  webvpn
   enable inside
   enable outside
   enable dmz
   file-encoding 192.168.178.105 big5
   csd image disk0:/csd_3.5.2008-k9.pkg
   anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 1
   anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 2
   anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 3
   anyconnect profiles SSL-Profile_client_profile disk0:/SSL-Profile_client_profil                                                                                                                    e.xml
   anyconnect enable
   tunnel-group-list enable
   mus password *****
  group-policy DfltGrpPolicy attributes
   wins-server value 192.168.178.3
   dns-server value 192.168.178.3 192.168.177.1
   dhcp-network-scope 192.168.178.0
   vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
   default-domain value ITTRIPP.local
   split-dns value ITTRIPP.local
   webvpn
    anyconnect firewall-rule client-interface public value outside-in
    anyconnect firewall-rule client-interface private value inside-in
  group-policy GroupPolicy_SSL-Profile internal
  group-policy GroupPolicy_SSL-Profile attributes
   wins-server value 192.168.178.3
   dns-server value 192.168.178.3 192.168.177.1
   vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
   default-domain value ITTRIPP.local
   webvpn
    anyconnect profiles value SSL-Profile_client_profile type user
  username sarah password PRgJuqNTubRwqXtd encrypted
  username admin password QkbxX5Qv0P59Hhrx encrypted privilege 15
  username lukas password KGLLoTxH9mCvWzVI encrypted
  tunnel-group DefaultWEBVPNGroup general-attributes
   address-pool SSL-POOL
   secondary-authentication-server-group LOCAL
   authorization-server-group LOCAL
  tunnel-group DefaultWEBVPNGroup ipsec-attributes
   ikev1 trust-point ASDM_TrustPoint0
   ikev1 radius-sdi-xauth
  tunnel-group SSL-Profile type remote-access
  tunnel-group SSL-Profile general-attributes
   address-pool SSL-POOL
   default-group-policy GroupPolicy_SSL-Profile
  tunnel-group SSL-Profile webvpn-attributes
   group-alias SSL-Profile enable
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
   class class-default
    user-statistics accounting
  service-policy global_policy global
  mount FTP type ftp
   server 192.168.178.105
   path /volume1/data/install/microsoft/Cisco
   username lukas
   password ********
   mode passive
   status enable
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DD                                                                                                                    CEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:998674b777e5fd1d3a131d93704ea0e1
  Any idea why it's not working?

  You've got a lot going on there but I'd focus on the line "no vpn-addr-assign local". Per the command reference that tells the ASA NOT to use the  local pool.
  By the way, DHCP on the outside interface looks very counter-intutive, as does enabling VPN on all interfaces over every protocol.