Unable to access inside network using Split tunnel RA VPN
Hi Everyone,
I configured RA Split tunnel VPN.
Connection works fine.
Inside Interface of ASA has connection to Switch IP 10.1.12.1.
When connected via RA VPN i try https://10.1.12.1 but it does not open up.
Inside Interface of ASA has IP 10.0.0.1
ASA1# $
Session Type: IKEv1 IPsec Detailed
Username : ipsec-user Index : 23
Assigned IP : 10.0.0.51 Public IP : 192.168.98.2
Protocol : IKEv1 IPsec
License : Other VPN
Encryption : IKEv1: (1)AES256 IPsec: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 2130969 Bytes Rx : 259008
Pkts Tx : 6562 Pkts Rx : 3682
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : ipsec-group Tunnel Group : ipsec-group
Login Time : 11:10:41 MST Sun Jan 26 2014
Duration : 0h:40m:30s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKEv1 Tunnels: 1
IPsec Tunnels: 1
IKEv1:
Tunnel ID : 23.1
UDP Src Port : 62751 UDP Dst Port : 500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 83975 Seconds
D/H Group : 2
Filter Name :
Client OS : WinNT Client OS Ver: 5.0.07.0440
IPsec:
Tunnel ID : 23.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.0.0.51/255.255.255.255/0/0
Encryption : AES128 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 26375 Seconds
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 2137160 Bytes Rx : 259088
Pkts Tx : 6571 Pkts Rx : 3684
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 2426 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
From ASA i can ping the switch IP
ASA1# ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1#
logs from firewall
Jan 26 2014 11:53:20: %ASA-6-302014: Teardown TCP connection 51636 for outside:10.0.0.51/50747(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:00:00 bytes 1075 TCP Reset-O (ipsec-user)
Jan 26 2014 11:53:20: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/50747 to 10.0.0.1/443 flags FIN ACK on interface outside
Why firewall logs show https connection to 10.0.0.1 instead of 10.1.12.1?
Regards
Mahesh
Hi Jouni,
ASA1# sh ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.0.0.1 255.255.255.0 CONFIG
Vlan2 outside 192.168.1.171 255.255.255.0 CONFIG
Vlan3 sales 10.12.12.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.0.0.1 255.255.255.0 CONFIG
Vlan2 outside 192.168.1.171 255.255.255.0 CONFIG
Vlan3 sales 10.12.12.1 255.255.255.0 CONFIG
Connection is split tunnel.
when i check stats on vpn client all i see bypassed packets.
ASA1# sh run group-polic$
group-policy ipsec-group internal
group-policy ipsec-group attributes
dns-server value 64.59.144.19
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value ipsec-group_splitTunnelAcl
Regards
Mahesh
Message was edited by: mahesh parmar
Similar Messages
-
Unable to see logs while using split tunnel for RA
hi everyone,
I have config RA VPN at my home lab using split tunnel.
I can connect fine and able to browse the internet.
When i go to internet sites i do not see logs generated on the VPN ASA?
Need to understand whats the reason behind this?
ASA1# sh conn all
5 in use, 12 most used
UDP outside 10.0.0.51:138 inside 10.0.0.255:138, idle 0:01:38, bytes 201, flags -
TCP outside 192.168.98.2:49509 NP Identity Ifc 192.168.1.171:443, idle 0:00:07, bytes 1067370, flags UOB
TCP outside 192.168.98.2:49507 NP Identity Ifc 192.168.1.171:443, idle 0:00:03, bytes 137779, flags UOB
UDP outside 192.168.98.2:49903 NP Identity Ifc 192.168.1.171:500, idle 0:00:01, bytes 40927, flags -
TCP outside 192.168.99.2:35902 NP Identity Ifc 192.168.1.171:22, idle 0:00:00, bytes 179887, flags UOB
Where 192.168.98.2 is IP of PC.
10.0.0.51 is IP assigned from VPN pool to PC.
Regards
MaheshHi Mahesh,
You are using Split Tunnel VPN. This means that you have configured the VPN Client connection to only tunnel specific networks through the VPN Connection while its active. You have probably configured an ACL that contains your LAN network behind the ASA.
This means that only traffic destined to that LAN network mentioned in the ACL reaches your ASA through the VPN Connection.
The Internet traffic of the user or any traffic that is NOT destined to that network in the ACL will simply use the VPN Client users PCs local Internet connection or local network.
This is the reason you are not seeing any of the Internet connections from the VPN Client on the ASA. The VPN Client connection is only configured to forward traffic to the LAN network and pass all other traffic past the VPN Connection through the users local network connection.
If you were to configure Full Tunnel VPN for the user this would mean that ALL traffic would be forwarded from the VPN Client through the ASA and the ASA would control where that traffic would be forwarded and if that traffic would be allowed.
If you want to look at the current configuration on the CLI you would first have to issue
show run tunnel-group
And find the connection that you are using at the moment. Then you would have to check what "group-policy" is configured under that "tunnel-group"
Then you could issue the command
show run group-policy
This would list you the Group Policy configuration for the VPN connection and would show something like this under it
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
The above configuration would show you the ACL that the VPN Client configuration is using to tell the VPN Client what traffic to send through the VPN Connection.
Hope this helps
- Jouni -
Ok, I've had this problem for quite a while now
There's this 1 site that I cannot access on my computer it says "Unable to access the network Google Chrome is having trouble accessing the network." However I can access the site on my laptop, I don't see how I can fix the problem!?Bradley750 wrote:
Ok, I've had this problem for quite a while now
There's this 1 site that I cannot access on my computer it says "Unable to access the network Google Chrome is having trouble accessing the network." However I can access the site on my laptop, I don't see how I can fix the problem!?
Hi. Welcome to the forums.
Can you give a little more information, mainly the site you're havging problems with.
Have you tried a different browser ? What OS ?
There are a wide variety of reasons, security products interferring, hosts file problems, browser issues etc.
http://www.andyweb.co.uk/shortcuts
http://www.andyweb.co.uk/pictures -
Unable to access Verizon network!
Unable to access Verizon network! Got pop up window that "you've reached your mobile data usage limit. Mobile data turned off. " I have option to click re-enable button but doing so may result in additional charges. I've check settings, my mobile data box is checked. When I try to open a web page it tells me I'm off line with message "Wi-Fi and mobile data are turned off. The page can be loaded once you connect to a network. Error code: ERR_INTERNET_DISCONNECTED" My wi-fi DOES work, it's the Verizon network that I cannot access. Someone PLEASE HELP.
Check the graph in your Data Usage section; it sounds like you've enabled the Alert About Data Usage feature, have reached that limit, and the phone is now restricting your data usage accordingly. For more info., see:
How do I monitor online data usage on my Samsung Galaxy S5? | Support | SAMSUNG UK -
How do split tunnelling in VPNs work?
How do split tunnelling in VPNs work?
The most visible issue is where the client's default gateway goes. In a full tunnel, it moves to the far side of the tunnel. In the split tunnel, it stays local. The security risk of split tunneling is that the client is providing a bridging path for outside malicious traffic to leak across the tunnel, with no influence from the far end's firewall and IDS. The performance risk of full tunnels is that 3rd party outside traffic not terminating at the organization on the far side still has to take the tunnel, which can add latency, limit throughput, or increase packet loss. The best designs require balancing the network layout, uplink sizing, and security posture in concert.
-- Jim Leinweber, WI State Lab of Hygiene -
AnyConnect to ASA 5505 ver 8.4 unable to ping/access Inside network
My AnyConnect VPN connect to the ASA, however I cannot access my inside network hosts (tried Split Tunnel and it didn't work either). I plan to use a Split Tunnel configuration but I thought I would get this working before I implemented that configuration. My inside hosts are on a 10.0.1.0/24 network and 10.1.0.0/16 networks. My AnyConnect hosts are using 192.168.60.0/24 addresses.
I have seen other people that appeared to have similar posts but none of those solutions have worked for me. I have also tried several NAT and ACL configurations to allow traffic form my Inside network to the ANYConnect hosts and back, but apparently I did it incorrectly. I undestand that this ver 8.4 is supposed to be easier to perform NAT and such, but I now in the router IOS it was much simpler.
My configuration is included below.
Thank you in advance for your assistance.
Jerry
ASA Version 8.4(4)
hostname mxfw
domain-name moxiefl.com
enable password (removed)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
switchport trunk allowed vlan 20,22
switchport mode trunk
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan20
nameif dmz
security-level 50
ip address 172.26.20.1 255.255.255.0
interface Vlan22
nameif dmz2
security-level 50
ip address 172.26.22.1 255.255.255.0
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name moxiefl.com
same-security-traffic permit inter-interface
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
object network INSIDE_Hosts
subnet 10.1.0.0 255.255.0.0
object network AnyConnect_Hosts
subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_26
subnet 192.168.60.0 255.255.255.192
object network DMZ_Network
subnet 172.26.20.0 255.255.255.0
object network DMZ2_Network
subnet 172.26.22.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu dmz2 1500
ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic Generic_All_Network interface
nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.60.0_26 NETWORK_OBJ_192.168.60.0_26 no-proxy-arp route-lookup
nat (dmz,outside) source dynamic Generic_All_Network interface
nat (dmz2,outside) source dynamic Generic_All_Network interface
route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn anyconnect.moxiefl.com
subject-name CN=AnyConnect.moxiefl.com
keypair AnyConnect
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 439a4452
3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
dhcpd address 10.0.1.20-10.0.1.40 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
dhcpd address 172.26.20.21-172.26.20.60 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd enable dmz
dhcpd address 172.26.22.21-172.26.22.200 dmz2
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
dhcpd enable dmz2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev2 ssl-client
default-domain value moxiefl.com
webvpn
anyconnect profiles value AnyConnect_client_profile type user
username user1 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
username user2 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f2c7362097b71bcada023c6bbfc45121
: endHi,
Yes, I have saved the config and did a write erase and reloaded the config, no difference. I rebuilt it once a couple of weeks ago, but that was before I had gotten this far with your assistance. I'll include my ASA and switches configs after this. Here is a little background (took it form the Firewall section issue just because it gives a little insight for the network). I have 2 3560s, one as a L3 switch the other L2 with an etherchannel between them (one of the cables was bad so I am waiting on the replacement to have 2 - Gigabit channels between the switches).
I think our issue with the VPN not getting to the Inside is posibly related to my DMZ issue not getting to the internet.
I am using 2 VLANs on my switch for Guests - one is wired and the other is wireless. I am trying to keep them separate because the wireless are any guest that might be at our restaurant that is getting on WiFi. The wired is for our Private Dining Rooms that vendors may need access and I don't want the wireless being able to see the wired network in that situation.
I have ports on my 3560s that are assigned to VLAN 20 (Guest Wired) and VLAN 22 (Guest Wireless). I am not routing those addresses within the 3560s (one 3560 is setup as a L3 switch). Those VLANs are being L2 switched to the ASA via the trunk to save ports (I tried separating them and used 2 ports on the ASA and it still didn't work). The ASA is providing DCHP for those VLANs and the routing for the DMZ VLANs. I can ping each of the gateways (which are the VLANs on the ASA from devices on the 3560s - 172.26.20.1 and 172.26.22.1. I have those in my DMZ off the ASA so it can control and route the data.
The 3560 is routing for my Corp VLANs. So far I have tested the Wired VLAN 10 (10.1.10.0/24) and it is working and gets to the Internet. I have a default route (0.0.0.0 0.0.0.0) from the L3 switch to e0/1 on the ASA and e0/1 is an Inside interface.
E0/0 on the ASA is my Outside interface and gets it IP from the upstream router (will be an AT&T router/modem when I move it to the building).
So for a simple diagram:
PC (172.26.20.21/24) -----3560 (L2) ------Trunk----(VLAN 20 - DMZ/ VLAN 22 - DMZ2)---- ASA -----Outside ------- Internet (via router/modem)
I will be back at this tomorrow morning - I've been up since 4pm yesterday and it is almost 3pm.
Thank you for all of your assistance.
Jerry
Current ASA Config:
ASA Version 8.4(4)
hostname mxfw
domain-name moxiefl.com
enable password $$$$$$$$$$$$$$$ encrypted
passwd $$$$$$$$$$$$$$$$ encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
switchport access vlan 20
interface Ethernet0/5
switchport trunk allowed vlan 20,22
switchport mode trunk
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan20
nameif dmz
security-level 50
ip address 172.26.20.1 255.255.255.0
interface Vlan22
nameif dmz2
security-level 50
ip address 172.26.22.1 255.255.255.0
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name moxiefl.com
same-security-traffic permit inter-interface
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
object network INSIDE_Hosts
subnet 10.1.0.0 255.255.0.0
object network AnyConnect_Hosts
subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_26
subnet 192.168.60.0 255.255.255.192
object network DMZ_Network
subnet 172.26.20.0 255.255.255.0
object network DMZ2_Network
subnet 172.26.22.0 255.255.255.0
object network INSIDE
subnet 10.0.1.0 255.255.255.0
access-list capdmz extended permit icmp host 172.26.20.22 host 208.67.222.222
access-list capdmz extended permit icmp host 208.67.222.222 host 172.26.20.22
access-list capout extended permit icmp host 192.168.1.231 host 208.67.222.222
access-list capout extended permit icmp host 208.67.222.222 host 192.168.1.231
access-list capvpn extended permit icmp host 192.168.60.20 host 10.1.10.23
access-list capvpn extended permit icmp host 10.1.10.23 host 192.168.60.20
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list SPLIT-TUNNEL standard permit 10.0.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list capins extended permit icmp host 10.1.10.23 host 10.0.1.1
access-list capins extended permit icmp host 10.0.1.1 host 10.1.10.23
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu dmz2 1500
ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE INSIDE destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (dmz,outside) source dynamic Generic_All_Network interface
nat (dmz2,outside) source dynamic Generic_All_Network interface
nat (inside,outside) after-auto source dynamic Generic_All_Network interface
route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn anyconnect.moxiefl.com
subject-name CN=AnyConnect.moxiefl.com
keypair AnyConnect
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 439a4452
3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
dhcpd address 10.0.1.20-10.0.1.40 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
dhcpd address 172.26.20.21-172.26.20.60 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd enable dmz
dhcpd address 172.26.22.21-172.26.22.200 dmz2
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
dhcpd enable dmz2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value moxiefl.com
webvpn
anyconnect profiles value AnyConnect_client_profile type user
username user1 password $$$$$$$$$$$$$ encrypted privilege 15
username user2 password $$$$$$$$$$$ encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f6d9bbacca2a5c8b5af946a8ddc12550
: end
L3 3560 connects to ASA via port f0/3 routed port 10.0.1.0/24 network
Connects to second 3560 via G0/3 & G0/4
version 12.2
no service pad
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
hostname mx3560a
boot-start-marker
boot-end-marker
enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
no aaa new-model
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip routing
ip dhcp excluded-address 10.1.10.1 10.1.10.20
ip dhcp excluded-address 10.1.12.1 10.1.12.20
ip dhcp excluded-address 10.1.14.1 10.1.14.20
ip dhcp excluded-address 10.1.16.1 10.1.16.20
ip dhcp excluded-address 10.1.30.1 10.1.30.20
ip dhcp excluded-address 10.1.35.1 10.1.35.20
ip dhcp excluded-address 10.1.50.1 10.1.50.20
ip dhcp excluded-address 10.1.80.1 10.1.80.20
ip dhcp excluded-address 10.1.90.1 10.1.90.20
ip dhcp excluded-address 10.1.100.1 10.1.100.20
ip dhcp excluded-address 10.1.101.1 10.1.101.20
ip dhcp pool VLAN10
network 10.1.10.0 255.255.255.0
default-router 10.1.10.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN12
network 10.1.12.0 255.255.255.0
default-router 10.1.12.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN14
network 10.1.14.0 255.255.255.0
default-router 10.1.14.1
option 150 ip 10.1.13.1
ip dhcp pool VLAN16
network 10.1.16.0 255.255.255.0
default-router 10.1.16.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN30
network 10.1.30.0 255.255.255.0
default-router 10.1.30.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN35
network 10.1.35.0 255.255.255.0
default-router 10.1.35.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN50
network 10.1.50.0 255.255.255.0
default-router 10.1.50.1
option 43 hex f104.0a01.6564
ip dhcp pool VLAN80
network 10.1.80.0 255.255.255.0
default-router 10.1.80.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN90
network 10.1.90.0 255.255.255.0
default-router 10.1.90.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN100
network 10.1.100.0 255.255.255.0
default-router 10.1.100.1
ip dhcp pool VLAN101
network 10.1.101.0 255.255.255.0
default-router 10.1.101.1
ip dhcp pool VLAN40
dns-server 208.67.222.222 208.67.220.220
port-channel load-balance src-dst-mac
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
vlan internal allocation policy ascending
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
link state group 1 downstream
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
power inline never
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
power inline never
interface FastEthernet0/3
description Interface to MXFW E0/1
no switchport
ip address 10.0.1.2 255.255.255.0
power inline never
interface FastEthernet0/4
switchport mode access
shutdown
power inline never
interface FastEthernet0/5
switchport mode access
shutdown
power inline never
interface FastEthernet0/6
switchport mode access
shutdown
power inline never
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport mode trunk
switchport voice vlan 14
power inline never
spanning-tree portfast
interface FastEthernet0/8
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/9
switchport mode access
shutdown
power inline never
interface FastEthernet0/10
switchport mode access
shutdown
power inline never
interface FastEthernet0/11
switchport mode access
shutdown
power inline never
interface FastEthernet0/12
switchport access vlan 40
switchport mode access
interface FastEthernet0/13
switchport access vlan 40
switchport mode access
interface FastEthernet0/14
switchport access vlan 40
switchport mode access
interface FastEthernet0/15
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/16
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/17
switchport access vlan 50
switchport mode access
interface FastEthernet0/18
switchport mode access
shutdown
power inline never
interface FastEthernet0/19
switchport mode access
shutdown
power inline never
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/21
switchport mode access
shutdown
power inline never
interface FastEthernet0/22
switchport mode access
shutdown
power inline never
interface FastEthernet0/23
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/24
switchport access vlan 35
switchport mode access
power inline never
interface FastEthernet0/25
switchport mode access
shutdown
power inline never
interface FastEthernet0/26
switchport mode access
shutdown
power inline never
interface FastEthernet0/27
switchport mode access
shutdown
power inline never
interface FastEthernet0/28
switchport access vlan 40
switchport mode access
interface FastEthernet0/29
switchport access vlan 40
switchport mode access
interface FastEthernet0/30
switchport access vlan 40
switchport mode access
interface FastEthernet0/31
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/32
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/33
switchport access vlan 50
switchport mode access
interface FastEthernet0/34
switchport mode access
shutdown
power inline never
interface FastEthernet0/35
switchport mode access
shutdown
power inline never
interface FastEthernet0/36
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/37
switchport mode access
shutdown
power inline never
interface FastEthernet0/38
switchport mode access
shutdown
power inline never
interface FastEthernet0/39
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/40
switchport access vlan 90
switchport mode access
power inline never
interface FastEthernet0/41
switchport mode access
shutdown
power inline never
interface FastEthernet0/42
switchport mode access
shutdown
power inline never
interface FastEthernet0/43
switchport mode access
shutdown
power inline never
interface FastEthernet0/44
switchport access vlan 40
switchport mode access
interface FastEthernet0/45
switchport access vlan 40
switchport mode access
interface FastEthernet0/46
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/47
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/48
switchport mode access
shutdown
power inline never
interface GigabitEthernet0/1
description Interface to MXC2911 Port G0/0
no switchport
ip address 10.1.13.2 255.255.255.0
interface GigabitEthernet0/2
shutdown
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface Vlan1
no ip address
shutdown
interface Vlan10
ip address 10.1.10.1 255.255.255.0
interface Vlan12
ip address 10.1.12.1 255.255.255.0
interface Vlan14
ip address 10.1.14.1 255.255.255.0
interface Vlan16
ip address 10.1.16.1 255.255.255.0
interface Vlan20
ip address 172.26.20.1 255.255.255.0
interface Vlan22
ip address 172.26.22.1 255.255.255.0
interface Vlan30
ip address 10.1.30.1 255.255.255.0
interface Vlan35
ip address 10.1.35.1 255.255.255.0
interface Vlan40
ip address 10.1.40.1 255.255.255.0
interface Vlan50
ip address 10.1.50.1 255.255.255.0
interface Vlan80
ip address 172.16.80.1 255.255.255.0
interface Vlan86
no ip address
shutdown
interface Vlan90
ip address 10.1.90.1 255.255.255.0
interface Vlan100
ip address 10.1.100.1 255.255.255.0
interface Vlan101
ip address 10.1.101.1 255.255.255.0
router eigrp 1
network 10.0.0.0
network 10.1.13.0 0.0.0.255
network 10.1.14.0 0.0.0.255
passive-interface default
no passive-interface GigabitEthernet0/1
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/3 10.0.1.1
ip route 192.168.60.0 255.255.255.0 FastEthernet0/3 10.0.1.1 2
ip http server
ip sla enable reaction-alerts
line con 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
end
L3 3560 Route Table (I added 192.168.60.0/24 instead of just using the default route just in case it wasn't routing for some reason - no change)
mx3560a#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.0.1.1 to network 0.0.0.0
S 192.168.60.0/24 [2/0] via 10.0.1.1, FastEthernet0/3
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.80.0 is directly connected, Vlan80
172.26.0.0/24 is subnetted, 2 subnets
C 172.26.22.0 is directly connected, Vlan22
C 172.26.20.0 is directly connected, Vlan20
10.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
C 10.1.10.0/24 is directly connected, Vlan10
D 10.1.13.5/32 [90/3072] via 10.1.13.1, 4d02h, GigabitEthernet0/1
C 10.1.14.0/24 is directly connected, Vlan14
C 10.1.13.0/24 is directly connected, GigabitEthernet0/1
C 10.1.12.0/24 is directly connected, Vlan12
C 10.0.1.0/24 is directly connected, FastEthernet0/3
C 10.1.30.0/24 is directly connected, Vlan30
C 10.1.16.0/24 is directly connected, Vlan16
C 10.1.40.0/24 is directly connected, Vlan40
C 10.1.35.0/24 is directly connected, Vlan35
C 10.1.50.0/24 is directly connected, Vlan50
C 10.1.90.0/24 is directly connected, Vlan90
C 10.1.101.0/24 is directly connected, Vlan101
C 10.1.100.0/24 is directly connected, Vlan100
S* 0.0.0.0/0 [1/0] via 10.0.1.1, FastEthernet0/3
I have a C2911 for CME on G0/1 - using it only for that purpose at this time.
L2 3560 Config it connects to the ASA as a trunk on e0/5 of the ASA and port f0/3 of the switch - I am using L2 switching for the DMZ networks from the switches to the ASA and allowing the ASA to provide the DHCP and routing out of the network. DMZ networks: 172.26.20.0/24 and 172.26.22.0/24.
version 12.2
no service pad
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
hostname mx3560b
boot-start-marker
boot-end-marker
enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
no aaa new-model
system mtu routing 1500
crypto pki trustpoint TP-self-signed-3877365632
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3877365632
revocation-check none
rsakeypair TP-self-signed-3877365632
crypto pki certificate chain TP-self-signed-3877365632
certificate self-signed 01
30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33383737 33363536 3332301E 170D3933 30333031 30303031
30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38373733
36353633 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DF81 DA515E0B 7FC760CF 2CC98400 42DCA007 215E4DDE D0C3FBF2 D974CE85
C46A8700 6AE44C2C 79D9BD2A A9297FA0 2D9C2BE4 B3941A2F 435AC4EA 17E89DFE
34EC8E93 63BD4CDF 784E91D7 2EE0093F 06CC97FD 83CB818B 1ED624E6 F0F5DA51
1DE4B8A7 169EED2B 40575B81 BADDE052 85BA9D19 4C206DCB 00878FF3 89E74028
B3F30203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
551D1104 0C300A82 086D7833 35363062 2E301F06 03551D23 04183016 80147125
78CE8540 DB95D852 3C0BD975 5D9C6EB7 58FC301D 0603551D 0E041604 14712578
CE8540DB 95D8523C 0BD9755D 9C6EB758 FC300D06 092A8648 86F70D01 01040500
03818100 94B98410 2D9CD602 4BD16181 BCB7C515 77C8F947 7C4AF5B8 281E3131
59298655 B12FAB1D A6AAA958 8473483C E993D896 5251770B 557803C0 531DEB62
A349C057 CB473F86 DCEBF8B8 7DDE5728 048A49D0 AB18CE8C 8257C00A C2E06A63
B91F872C 5F169FF9 77DC523B AB1E3965 C6B67FCC 84AE11E9 02DD10F0 C45EAFEA 41D7FA6C
quit
port-channel load-balance src-dst-mac
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/1
switchport access vlan 50
switchport mode access
interface FastEthernet0/2
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 20,22
switchport mode trunk
power inline never
interface FastEthernet0/4
switchport mode access
shutdown
power inline never
interface FastEthernet0/5
shutdown
power inline never
interface FastEthernet0/6
shutdown
power inline never
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/8
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/9
shutdown
power inline never
interface FastEthernet0/10
switchport access vlan 20
switchport mode access
power inline never
interface FastEthernet0/11
shutdown
power inline never
interface FastEthernet0/12
switchport access vlan 40
switchport mode access
interface FastEthernet0/13
switchport access vlan 40
switchport mode access
interface FastEthernet0/14
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/15
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/16
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/17
switchport access vlan 10
switchport mode access
power inline never
interface FastEthernet0/18
shutdown
power inline never
interface FastEthernet0/19
shutdown
power inline never
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/21
shutdown
power inline never
interface FastEthernet0/22
shutdown
power inline never
interface FastEthernet0/23
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/24
shutdown
power inline never
interface FastEthernet0/25
switchport access vlan 20
switchport mode access
power inline never
interface FastEthernet0/26
shutdown
power inline never
interface FastEthernet0/27
shutdown
power inline never
interface FastEthernet0/28
switchport access vlan 40
switchport mode access
interface FastEthernet0/29
switchport access vlan 40
switchport mode access
interface FastEthernet0/30
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/31
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/32
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/33
switchport access vlan 20
switchport mode access
power inline never
interface FastEthernet0/34
shutdown
power inline never
interface FastEthernet0/35
shutdown
power inline never
interface FastEthernet0/36
switchport mode access
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/37
shutdown
power inline never
interface FastEthernet0/38
shutdown
power inline never
interface FastEthernet0/39
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/40
switchport access vlan 90
switchport mode access
power inline never
interface FastEthernet0/41
shutdown
power inline never
interface FastEthernet0/42
shutdown
power inline never
interface FastEthernet0/43
shutdown
power inline never
interface FastEthernet0/44
switchport access vlan 40
switchport mode access
interface FastEthernet0/45
switchport access vlan 40
switchport mode access
interface FastEthernet0/46
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/47
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/48
switchport access vlan 40
switchport mode access
shutdown
interface GigabitEthernet0/1
shutdown
interface GigabitEthernet0/2
switchport access vlan 40
switchport mode access
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface Vlan1
no ip address
ip classless
ip http server
ip http secure-server
ip sla enable reaction-alerts
line con 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
end -
Unable to access internal networks over Remote acces VPN
Hi,
I have set up a Remote access VPN from Home to Cisco ASA 5512-X.
I am able to connect successfully and even getting a valid IP address from VPN pool 172.21.3.1-. However I am unable to access any of the internal resources.
Internal Network: 172.20.0.0 255.255.0.0
Please if someone can help identifying the issue.
Below is the running config:-
Result of the command: "sh run"
: Saved
ASA Version 9.1(1)
hostname ASA
domain-name M8fl.com
enable password Aoz9GlxLLvkWrTUy encrypted
passwd Gc1jA6zbgOsj63RW encrypted
names
ip local pool vpnclients 172.21.3.1-172.21.3.20 mask 255.255.0.0
ip local pool test 172.21.3.21-172.21.3.40 mask 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.20.254.250 255.255.0.0
interface GigabitEthernet0/2
description vodafone 100mb internet 195.11.180.40_29
speed 100
duplex full
nameif outside1
security-level 1
ip address 195.11.180.42 255.255.255.248
interface GigabitEthernet0/3
description Voice
nameif Voice
security-level 80
ip address 192.168.2.1 255.255.255.252
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside1
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.0.0.4
name-server 172.20.0.100
domain-name M8fl.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VLAN1
subnet 172.20.0.0 255.255.0.0
object network NETWORK_OBJ_172.20.3.0_27
subnet 172.21.3.0 255.255.255.224
object network Voice_Net
subnet 172.21.20.0 255.255.255.0
object network PBX_Internal
host 192.168.2.2
description PBX Internal
object network Voice_External
host 195.11.180.43
description For PBX
object network Raith_Remote_Network
subnet 192.168.20.0 255.255.255.0
description Raith Remote Network
object network NETWORK_OBJ_172.21.3.0_27
subnet 172.21.3.0 255.255.255.224
object network NETWORK_OBJ_172.21.3.0_26
subnet 172.21.3.0 255.255.255.192
object-group network azure-networks
network-object 10.0.0.0 255.0.0.0
object-group network onprem-networks
network-object 172.20.0.0 255.255.0.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service test_PPTP
service-object ip
service-object tcp destination eq pptp
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
access-list outside_access_in extended permit ip object-group azure-networks object-group onprem-networks
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in_1 extended permit ip object-group onprem-networks object-group azure-networks
access-list inside_access_in_1 extended permit ip any object Voice_Net log debugging
access-list inside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit ip object-group azure-networks object-group onprem-networks
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit ip any any inactive
access-list Voice_access_in extended permit ip any any log debugging
access-list outside_cryptomap extended permit ip object-group onprem-networks object Raith_Remote_Network
pager lines 24
logging enable
logging buffer-size 40000
logging buffered notifications
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu outside1 1500
mtu Voice 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside1) source static onprem-networks onprem-networks destination static azure-networks azure-networks
nat (inside,outside1) source dynamic VLAN1 interface
nat (inside,Voice) source static VLAN1 VLAN1 destination static Voice_Net Voice_Net no-proxy-arp route-lookup
nat (Voice,outside1) source static PBX_Internal Voice_External
nat (inside,outside) source static onprem-networks onprem-networks destination static Raith_Remote_Network Raith_Remote_Network no-proxy-arp route-lookup
nat (inside,outside1) source static any any destination static NETWORK_OBJ_172.21.3.0_27 NETWORK_OBJ_172.21.3.0_27 no-proxy-arp route-lookup
nat (inside,outside1) source static any any destination static NETWORK_OBJ_172.21.3.0_26 NETWORK_OBJ_172.21.3.0_26 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group outside_access_in_1 in interface outside1
access-group Voice_access_in in interface Voice
route outside1 0.0.0.0 0.0.0.0 195.11.180.41 10
route inside 172.21.20.0 255.255.255.0 172.20.20.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 management
http 172.20.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1350
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ASA
crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 28800
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 enable outside1
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 172.20.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.20.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 172.20.2.1-172.20.2.254 inside
dhcpd dns 10.0.0.4 172.20.0.100 interface inside
dhcpd enable inside
dhcpd dns 172.21.20.254 interface Voice
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 172.20.2.34 /tftp
webvpn
enable outside1
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect enable
tunnel-group-list enable
internal-password enable
group-policy DefaultRAGroup_2 internal
group-policy DefaultRAGroup_2 attributes
dns-server value 10.0.0.4 172.20.0.100
vpn-tunnel-protocol l2tp-ipsec
default-domain value
group-policy DefaultRAGroup_3 internal
group-policy DefaultRAGroup_3 attributes
dns-server value 10.0.0.4 172.20.0.100
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.0.0.4 172.20.0.100
vpn-tunnel-protocol l2tp-ipsec
default-domain value
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 10.0.0.4 172.20.0.100
vpn-tunnel-protocol l2tp-ipsec
default-domain value
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy RA_VPN internal
group-policy RA_VPN attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol ikev1
default-domain value
group-policy "GroupPolicy_Anyconnect _profile" internal
group-policy "GroupPolicy_Anyconnect _profile" attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain none
webvpn
file-browsing enable
group-policy GroupPolicy_89.241.208.14 internal
group-policy GroupPolicy_89.241.208.14 attributes
vpn-tunnel-protocol ikev1
username test2 password encrypted privilege 15
username test1 password nt-encrypted privilege 0
username test1 attributes
vpn-group-policy DefaultRAGroup_2
username test password encrypted privilege 15
username test attributes
vpn-group-policy DefaultRAGroup_1
username EdwardM password encrypted privilege 15
username vpntest password encrypted privilege 0
username vpntest attributes
vpn-group-policy RA_VPN
username vpntest3 password nt-encrypted privilege 15
username vpntest3 attributes
service-type remote-access
username rhunton password encrypted privilege 15
username rhunton attributes
service-type admin
username e.melaugh password encrypted privilege 15
username netx password encrypted privilege 15
username netx attributes
service-type remote-access
username colin password encrypted privilege 15
username colin attributes
service-type remote-access
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
address-pool vpnclients
default-group-policy DefaultRAGroup_3
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group "Anyconnect _profile" type remote-access
tunnel-group "Anyconnect _profile" general-attributes
address-pool vpnclients
default-group-policy "GroupPolicy_Anyconnect _profile"
tunnel-group "Anyconnect _profile" webvpn-attributes
group-alias "Anyconnect _profile" enable
tunnel-group 137.117.215.177 type ipsec-l2l
tunnel-group 137.117.215.177 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive disable
tunnel-group 89.241.208.14 type ipsec-l2l
tunnel-group 89.241.208.14 general-attributes
default-group-policy GroupPolicy_89.241.208.14
tunnel-group 89.241.208.14 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
policy-map type inspect ipsec-pass-thru Fairhurst
description to allow vpn to fairhurst network
parameters
esp
ah
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f4185106b309478da7804dc22d2c1a85
: endHi,
You seem to have this nat (inside,outside1) source dynamic VLAN1 interface at line 2 which is causing the identity Nat/ Nat exempt to fail.
It is always good to use the packet tracer feature on the ASA to see what exactly is happening.
Try this
nat (inside,outside1) 1 source static VLAN1 VLAN1 destination static NETWORK_OBJ_172.21.3.0_27 NETWORK_OBJ_172.21.3.0_27 no-pr route-lo
Let me know how it goes for you.
Regards,
Nitish Emmanuel -
VPN clients cannot access inside network
I have a ASA 5505 that I am using as a VPN appliance. The outside interface is connected to the DMZ (172.16.2.10) and the inside to our internal network (10.27.1.12). VPN clients are assigned an address in the range 10.27.2.2-10.27.2.20. A 1841 is the router and firewall for the network. Recently the ASA lost power when a UPS went down and now VPN clients can no longer access anything on the inside network. Config is attached. Help.
I realized after I posted that I should have a connection active when running this command. Here is the results:
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 172.16.2.10
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.27.2.2/255.255.255.255/0/0)
current_peer: 169.130.14.253, username: kenz
dynamic allocated peer ip: 10.27.2.2
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.2.10, remote crypto endpt.: 169.130.14.253
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 208F45F5
inbound esp sas:
spi: 0x2026D973 (539416947)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28406
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x208F45F5 (546260469)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28406
IV size: 8 bytes
replay detection support: Y
So it looks like there are encrypts but no decrypts. What should I do now? -
VPN users unable to access internal network - ASA 8.3.1
Hello,
I have a base config of AnyConnect VPN below, however the ASA 8.3.1 code has deprecated some commands and the VPN/NAT/FW rule syntax is quite different. Can someone point out what's missing from the pertinent config below that prevents the VPN Pool from accessing the internal LAN?
The Core LAN router is 1.2.3.1.
ASA Version 8.3(1)
interface Ethernet0/0
nameif inside
security-level 100
ip address 1.2.3.2 255.255.255.0
ip local pool anyconnect-vpn-pool 1.2.9.10-1.2.9.20 mask 255.255.255.0
object network DataVLAN
subnet 1.2.3.0 255.255.255.0
object-group network Internal-Data
network-object object DataVLAN
nat (any,any) after-auto source dynamic Internal-Data Outside_INT
route inside 1.2.0.0 255.255.0.0 1.2.3.1 1
dynamic-access-policy-record DfltAccessPolicy
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
address-pools value anyconnect-vpn-pool
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
address-pools value anyconnect-vpn-pool
group-policy vpn-anyconnecct-policy internal
group-policy vpn-anyconnecct-policy attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list none
svc ask enable
tunnel-group vpn-users type remote-access
tunnel-group vpn-users general-attributes
address-pool anyconnect-vpn-pool
default-group-policy vpn-anyconnecct-policy
tunnel-group anyconnect2 type remote-access
tunnel-group anyconnect2 general-attributes
address-pool anyconnect-vpn-pool
TIA.
MikeHi Rohan,
Are you saying to replace "nat (any,any)" with "nat (inside,outside)"? I was wondering about this because I'd always done "nat (inside,outside)" but a colleague had performed the initial configuration which already contained "nat (any,any)" statement and I was not sure if this was just something new in 8.3.1. I also noticed the "global" command is no longer available.
I will give this a try. Thanks.
-Mike -
Unable to access mapped network drive, DFS
TL;DR: Unable to map a network drive on one particular computer, except if circumventing DFS.
OK - So I have exhausted all my options in this matter, so all suggestions are welcome.
Keep in mind the file system is DFS.
1. User has been set up the same as our other users in Active Directory.
2. Most network drives are connected via GPO. They are mapped via\\company.local\common\
3. The users' home folder is connected via setting in AD -> Profile -> Home folder ->
Connect X: To \\company.local\homedir\username
4. When the user logs on, all network drives defined in GPO are mapped OK, but the X: which is defined via "Home folder" in AD, is not connected. When trying to map it manually, we get "Access denied".
5. If the user tries the complete path via Explorer: \\company.local\homedir\username - Error 0x80004005 Unspecified error occurs. We have googled this particular code but found nothing that applies to us.
6. If the user tries the complete path to the folder on the actual file server, circumventing DFS, the home folder is mapped OK.
Strange thing is: This only happens on this particular computer. If users logs on to another computer, in the same domain, receiving the same GPO etc. The X: is mapped fine via \\company.local\homedir\username
Also if another user logs on to the problematic computer they also cannot access their X: on \\company.local\homedir\username
So we tried updating the WLAN/LAN drivers to no avail. Might there be any settings on the network adapters that might cause this?
KthxbaiIf other computer has the same policy ("Send NTLMv2 response only. Refuse LM"), it should not be the cause.
I agree that all clients should have the same Group Policy but sometimes the group policy may not be applied correctly on a client which causes issues. Thus you can try a "gpupdate /force" and see if issue persists.
Also you can test to access \\company.local to see if it will success. Try \\rootserver as well if it is different as DFS folder target.
As the issue only occurs on a specific client, maybe we can have a try with re-join domain.
If you have any feedback on our support, please send to [email protected] -
HT201415 iPhone is unable to access into internet use wi-fi connectoins
Hi,
When use Wi-Fi connections sometimes can't get access to the network. Phone get ip and successfully connected to Access Point.
Use Wi-Fi Router: D-link DAP-2310I won't be able to find out for a to maximum of 72 hours regarding why I can't connect to the xfinity hotspot. I won't be at the location I'm the at now for the next 72 hours.
As a temporary workaround, I signed up for a free one hour trial of internet service by being a 'new member.' That will have to do for now. -
Is it possible to force some urls through the vpn using split tunneling?
Hi all,
just that. We have some urls accessible only from our office lan, and will be nice to allow the clients to split tunnel all but this specific urls.
Possible? Thanks in advance!Simon,
I was thinking that you were trying to reach a web server hosted on the LAN. I see now that you are trying to reach external sites that are only accessible from the LAN. I am not aware of any way to allow a partially split tunnel, if I find anything I will update.
- Marty -
UNABLE TO ACCESS SECURED EJB USING IIOP FROM JSP
Following codes does not work with IIOP when called from jsp returns an
com.sap.engine.services.iiop.CORBA.CORBAObject:com.sap.engine.services.iiop.server.portable.Delegate_1_1@8312b1 step2 RemoteException occurred in server thread; nested exception is: java.rmi.RemoteException: com.sap.engine.services.ejb.exceptions.BaseRemoteException: User Guest does not have access to method create(). at
Following codes does not work with IIOP when called from a fat client returns an
org.omg.CORBA.UNKNOWN: vmcid: 0x0 minor code: 0 completed: Maybe
at com.sun.corba.se.internal.core.UEInfoServiceContext.<init>(UEInfoServ
iceContext.java:33)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstruct
orAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingC
onstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
at com.sun.corba.se.internal.core.ServiceContextData.makeServiceContext(
Properties p = new Properties();
p.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.cosnaming.CNCtxFactory");
p.put(Context.PROVIDER_URL, "iiop://hostname:50007");
p.put(Context.SECURITY_PRINCIPAL, "User");
p.put(Context.SECURITY_CREDENTIALS, "pass");
I have add java option to add IIOP filer
-Dorg.omg.PortableInterceptor.ORBInitializerClass.com.sap.engine.services.iiop.csiv2.interceptors.SecurityInitializer
Solution Required: Could you please detail me what steps in need to perform in order for me to access secure ejb using iiop protocol.
FYI -- How ever ejb security works with P4 protocol, If required i can send you the test case ear.
Thanks
Vijay
Following are the server side logs
java.rmi.RemoteException: com.sap.engine.services.ejb.exceptions.BaseRemoteException: User Guest does not have access to method create().
at test.TestEJBHomeImpl0.create(TestEJBHomeImpl0.java:91)
at test._TestEJBHome_Stub.create(_TestEJBHome_Stub.java:214)
at jsp_testIIOP1199698887113._jspService(jsp_testIIOP1199698887113.java:33)
at com.sap.engine.services.servlets_jsp.server.jsp.JspBase.service(JspBase.java:112)
at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:544)
at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:186)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:608)
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:505)
at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
at test.TestEJBHomeImpl0.create(TestEJBHomeImpl0.java:89)
... 20 more
; nested exception is:
java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:608)
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:505)
at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
at test.TestEJBHomeImpl0.create(TestEJBHomeImpl0.java:89)
at test._TestEJBHome_Stub.create(_TestEJBHome_Stub.java:214)
at jsp_testIIOP1199698887113._jspService(jsp_testIIOP1199698887113.java:33)
at com.sap.engine.services.servlets_jsp.server.jsp.JspBase.service(JspBase.java:112)
at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:544)
at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:186)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)That's the code that you need to execute but you should
probably encapsulate that code in Custom Action.
Orion has a EJB Tag Library that is free to distribute that
does all that stuff you just set some attributes.
Go to their site and look at their Tag Libraries.
Also look for other Tag Libraries Freely Available for EJB Access. -
When I click on the firefox icon it was not opening up or it would open then say unable to make connection. I had no problem using Internet explorer. So I thought I should download Mozilla firefox again and I did. It seemed to be functioning but then reverted back to nonresponsive. I am able to contact you using internet explorer. What can i do?
A possible cause is security software (firewall) that blocks or restricts Firefox or the plugin-container process without informing you, possibly after detecting changes (update) to the Firefox program.
Remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox and the plugin-container process and the updater process.
See:
*https://support.mozilla.com/kb/Server+not+found
*https://support.mozilla.com/kb/Firewalls -
Unable to access CIFS shares using SSL Web portal
Hello,
i have deployed Cisco Clientless Web VPN on my ASA5515.
I'm having an issue when I try to browse a file server (access CIFS shares) from the WEB VPN portal. I am prompted for login, and after logging in I get the "Error contacting host" immediately. it's seem like a bug on ASA ? i saw that on Cisco Web site : bug CSCsl94183
I already DONE those things :
1- reload the ASA
2- upgrade to the latest software release
3- test different web browser ( Firefox, IE, Chrome)
1- ASA Platform is 5515 running latest software release (9.1.4)
2- File server running Windows 2008 R2
3- Clients is using Firefox.
4- When I establish SSL VPN connection using Cisco AnyConnect I have no problems accessing files or folders on the same server.
NOTE : I have 2 other CIFS server running Window 2003 and there is no issue. the issue is happening ONLY with the server running Window 2008 R2I've also seen this exact problem. We have several Windows 2008 R2 servers, one of our Domain controllers has been migrated to 2008 R2. I can access shares on the Windows 2008 R2 domain controller, but not a deicated (member) file share server.
Maybe you are looking for
-
When I click on a link from a web page opened in Safari I get a blank black screen. Why can't I see the contents of the page?
-
Login as Administrator in Windows 8 Single Language
We are using Windows 8.1 Single Language. We are not able to log in as the user Administrator. Please provide a solution for the same. Bhavesh
-
VerifyError on OC4J (9.0.2.1.0)
We've been getting a smattering of these errors lately, and once they happen, we have to bounce our OC4J process. Sometimes they can return in 5 minutes, sometimes not till the next day. I just found out that the support staff applied a patch shortly
-
Saving Password for a pdf file in HP Client Security Manager
Hello, I want to save the password for a pdf file in the Password Manager of the HP Client Security Manager Software but the symbol for the entry of the password is not appearing on the top right of the screen. If I use the registered fingerprint a d
-
When I delete a file, Jdeveloper now issues a CVS remove. That is WRONG. If I want to delete the file from CVS I will do a remove from the menu. I no longer can just delete a file from my local sandbox. JDeveloper deletes it from CVS and I get scream