2985 Views, 1 Reply. Latest reply: Aug 8, 2011 4:05 PM by Henry
AnyConnect VPN Not Routing From The Outside In

Aug 2, 2011 3:47 PM

Henry (2 posts since Aug 2, 2011)

I'm an admitted newbie to this, but I've been struggling for days trying to get the AnyConnect VPN client to be able to browse the inside network. I know I've missed something but have no idea what.

Here is what I'm trying to accomplish:

Internet Cloud --> PubIP (208.104.16.xx) --> ASA5510 outside port, in DMZ (192.168.85.11/24) --> ASA5510 inside port --> Network I want to access (10.200.22.34/22)

Here is my config (????? entered to protect the guilty):

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password ???????????????????? encrypted
passwd ???????????? encrypted
names
!
interface Ethernet0/0
 nameif OutsideCSG
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif InsideRHUtility
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup InsideRHUtility
dns server-group DefaultDNS
 name-server 192.168.1.5
 name-server 192.168.7.5
same-security-traffic permit inter-interface
access-list InsideRHUtility_nat0_outbound extended permit ip any any
pager lines 24
logging asdm informational
mtu OutsideCSG 1500
mtu InsideRHUtility 1500
mtu management 1500
ip local pool VPNAddresses 192.168.10.2-192.168.10.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (InsideRHUtility) 0 access-list InsideRHUtility_nat0_outbound
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 OutsideCSG
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 916d384e
    308201cf 30820138 a0030201 02020491 6d384e30 0d06092a 864886f7 0d010104
    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
    86f70d01 09021608 63697363 6f617361 301e170d 31313038 30323231 33353133
    5a170d32 31303733 30323133 3531335a 302c3111 300f0603 55040313 08636973
    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100ae 9a00c052
    6d0984fc a7987d8e ecab37b4 93e1af30 f8d131d1 5eb81596 556f089c 21e95f88
    86f9d0d4 73a431e0 fccf5275 b51ac978 9fa47124 8a9a295c bf5d1435 dce69033
    f3484dbf cd772508 d3c004d6 e917a3d5 13ab6f78 a5d78d6c a55210b2 da213742
    5c231920 af0110af efdd86eb 4f0afdb6 3588cdd5 199563be ebd59102 03010001
    300d0609 2a864886 f70d0101 04050003 8181006a b875ca48 230d7ea6 0e362623
    52855929 218b8281 81bf82f8 b3570fe4 0af2c2ac 9c140d43 098cff9c 5267a2c4
    af17749e d170e04a 3ae627b5 98794e97 0198521b bec61573 9af71fd0 cadae0ac
    1057e2c8 974be19e 5038bf60 7eee632e 119e316b f09124d8 ce73c568 70deb7b1
    269c519e 05faf281 9ccfc773 1a260250 efdc5b
  quit
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface OutsideCSG
dhcp-client client-id interface InsideRHUtility
dhcpd address 192.168.2.2-192.168.2.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.4.10.44 source OutsideCSG prefer
ssl trust-point ASDM_TrustPoint0 OutsideCSG
webvpn
 enable OutsideCSG
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 192.168.1.5 192.168.7.5
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 default-domain value ???????????
 address-pools value VPNAddresses
 webvpn
  svc keep-installer installed
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  svc ask enable
group-policy AnyConnectPolicy internal
group-policy AnyConnectPolicy attributes
 vpn-tunnel-protocol svc
username hlipsey password ???????????????????? encrypted privilege 15
username hlipsey attributes
 vpn-group-policy SSLClientPolicy
username user1 password ???????????????? encrypted privilege 0
username user1 attributes
 vpn-group-policy AnyConnectPolicy
username rockhill password ?????????????? encrypted
username rockhill attributes
 service-type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool (OutsideCSG) VPNAddresses
 address-pool VPNAddresses
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
tunnel-group AnyConnectProfile type remote-access
tunnel-group AnyConnectProfile general-attributes
 address-pool VPNAddresses
 default-group-policy AnyConnectPolicy
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
prompt hostname context
Cryptochecksum:f90a90fca8c76e496b21847985794d37
: end
asdm image disk0:/asdm-631.bin
no asdm history enable


AnyConnect Exported Stats:

Cisco AnyConnect VPN Client Version 2.5.2014

VPN Stats
    Bytes Received:  629
    Bytes Sent:  16666
    Compressed Bytes Received:  0
    Compressed Bytes Sent:  0
    Compressed Packets Received:  0
    Compressed Packets Sent:  0
    Control Bytes Received:  16
    Control Bytes Sent:  16
    Control Packets Received:  2
    Control Packets Sent:  2
    Encrypted Bytes Received:  1337
    Encrypted Bytes Sent:  24123
    Encrypted Packets Received:  5
    Encrypted Packets Sent:  203
    Inbound Bypassed Packets:  0
    Inbound Discarded Packets:  0
    Outbound Bypassed Packets:  0
    Outbound Discarded Packets:  0
    Packets Received:  1
    Packets Sent:  198
    Time Connected:  00:01:33

Protocol Info
    Inactive Protocol
        Protocol Cipher:  RSA_AES_128_SHA1
        Protocol Compression:  None
        Protocol State:  Disconnected
        Protocol:  DTLS
    Active Protocol
        Protocol Cipher:  RSA_RC4_128_SHA1
        Protocol Compression:  None
        Protocol State:  Connected
        Protocol:  TLS

Routes
    Secure Routes
        0.0.0.0                        0.0.0.0
Firewall Rules

OS Version
    WinNT 6.1.7601 Service Pack 1

Windows IP Configuration

   Host Name . . . . . . . . . . . . : MiniMe
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ????????????

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : ???????????
   Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
   Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::65ab:7a7c:fd2d:c922%16(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCPv6 IAID . . . . . . . . . . . : 452986266
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-2D-DA-EC-E0-B9-A5-2F-DB-6A
   DNS Servers . . . . . . . . . . . : 192.168.1.5
                                       192.168.7.5
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20)
   Physical Address. . . . . . . . . : F4-6D-04-81-C3-D4
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom 802.11n Network Adapter
   Physical Address. . . . . . . . . : E0-B9-A5-2F-DB-6A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::ad59:66fd:d973:1227%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, August 02, 2011 5:52:52 PM
   Lease Expires . . . . . . . . . . : Wednesday, August 03, 2011 5:52:52 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 249608613
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-2D-DA-EC-E0-B9-A5-2F-DB-6A
   DNS Servers . . . . . . . . . . . : 208.104.244.45
                                       208.104.2.36
                                       208.104.2.85
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{423AC34C-6FC8-455B-810F-C6005CB77077}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.???????????????:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : ?????????????
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
===========================================================================
Interface List
16...00 05 9a 3c 7a 00 ......Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
11...f4 6d 04 81 c3 d4 ......Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20)
10...e0 b9 a5 2f db 6a ......Broadcom 802.11n Network Adapter
  1...........................Software Loopback Interface 1
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.101     25
          0.0.0.0          0.0.0.0     192.168.10.1     192.168.10.2      2
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.1  255.255.255.255         On-link     192.168.1.101     26
    192.168.1.101  255.255.255.255         On-link     192.168.1.101    281
     192.168.10.0    255.255.255.0         On-link      192.168.10.2    257
     192.168.10.2  255.255.255.255         On-link      192.168.10.2    257
   192.168.10.255  255.255.255.255         On-link      192.168.10.2    257
   208.104.16.168  255.255.255.255      192.168.1.1    192.168.1.101     26
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.101    281
        224.0.0.0        240.0.0.0         On-link      192.168.10.2    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.101    281
  255.255.255.255  255.255.255.255         On-link      192.168.10.2    257
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.10.1       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
  None
Persistent Routes:
  None


I'm not familiar enough with the CLI to configure with it, so I'm looking for answers utilizing ASDM.


Thanks in advance,

Henry
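A config-review pass over the running-config pasted in the post above, as an added example that is not part of the original post and not Cisco's code. It parses only the commands a reviewer needs (interfaces, same-security-traffic, http, access-list, nat ... 0, ip local pool, split-tunnel-policy) from a `show running-config` dump with the ASA's one-space indentation for sub-commands, and lists the patterns worth checking before chasing the AnyConnect routing problem: management open to any source, interfaces sharing a security level, a DHCP default route on more than one interface, an all-traffic NAT exemption, and a VPN pool that no inside subnet knows how to reach. `SAMPLE_CONFIG` is a constructed, shortened excerpt modelled on the post; `parse_asa`, `review` and the finding codes are my own names.

```python
"""Static review of a pasted ASA 8.2 running-config (added example, not from the post)."""
import ipaddress

# Constructed, shortened excerpt modelled on the config in the post above.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif OutsideCSG
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif InsideRHUtility
 security-level 0
 ip address dhcp setroute
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 management-only
!
same-security-traffic permit inter-interface
access-list InsideRHUtility_nat0_outbound extended permit ip any any
ip local pool VPNAddresses 192.168.10.2-192.168.10.250 mask 255.255.255.0
nat (InsideRHUtility) 0 access-list InsideRHUtility_nat0_outbound
http server enable
http 192.168.2.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 OutsideCSG
group-policy SSLClientPolicy attributes
 split-tunnel-policy tunnelall
"""


def parse_asa(text):
    """Build a small model of the config: one dict per nameif, plus globals."""
    model = {"interfaces": {}, "http": [], "acls": {}, "nat0": {},
             "pools": {}, "split": [], "same_sec": False}
    section = None  # interface dict currently being filled, if inside one
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line[0] in "!:":
            continue
        parts = line.split()
        if line.startswith(" "):  # sub-command, indented as 'show running-config' prints it
            if section is not None and parts[0] == "nameif":
                section["nameif"] = parts[1]
                model["interfaces"][parts[1]] = section
            elif section is not None and parts[0] == "security-level":
                section["level"] = int(parts[1])
            elif section is not None and parts[:2] == ["ip", "address"]:
                section["ip"] = parts[2:]  # ['dhcp', 'setroute'] or [address, mask, ...]
            elif parts[0] == "split-tunnel-policy":
                model["split"].append(parts[1])
            continue
        section = None
        if parts[0] == "interface":
            section = {"name": parts[1]}
        elif parts[0] == "same-security-traffic" and parts[1:] == ["permit", "inter-interface"]:
            model["same_sec"] = True
        elif parts[0] == "http" and len(parts) == 4:
            model["http"].append(tuple(parts[1:]))  # (source, mask, nameif)
        elif parts[0] == "access-list" and "permit" in parts:
            rule = " ".join(parts[parts.index("permit") + 1:])
            model["acls"].setdefault(parts[1], []).append(rule)
        elif parts[0] == "nat" and parts[2:4] == ["0", "access-list"]:
            model["nat0"][parts[4]] = parts[1].strip("()")  # acl name -> nameif
        elif parts[:3] == ["ip", "local", "pool"]:
            first = parts[4].split("-")[0]
            model["pools"][parts[3]] = ipaddress.ip_network(f"{first}/{parts[6]}", strict=False)
    return model


def review(model):
    """Return (code, message) findings in a fixed order; the codes are my own labels."""
    findings = []
    for src, mask, nameif in model["http"]:
        if (src, mask) == ("0.0.0.0", "0.0.0.0"):
            findings.append(("MGMT_ANY", f"HTTPS/ASDM management reachable from any source on {nameif}"))
    by_level = {}
    for name, iface in model["interfaces"].items():
        by_level.setdefault(iface.get("level"), []).append(name)
    for level, names in by_level.items():
        if len(names) > 1 and model["same_sec"]:
            findings.append(("SAME_LEVEL", f"{', '.join(names)} share security-level {level} and "
                             "inter-interface traffic is permitted, so no access-list is needed between them"))
    dhcp_default = [n for n, i in model["interfaces"].items() if i.get("ip", [])[:2] == ["dhcp", "setroute"]]
    if len(dhcp_default) > 1:
        findings.append(("MULTI_SETROUTE", f"default route learned via DHCP on more than one interface: {', '.join(dhcp_default)}"))
    for acl, nameif in model["nat0"].items():
        if any(rule.split()[:3] == ["ip", "any", "any"] for rule in model["acls"].get(acl, [])):
            findings.append(("NAT0_ANY", f"NAT exemption {acl} on {nameif} matches all traffic"))
    static = {n: ipaddress.ip_network(f"{i['ip'][0]}/{i['ip'][1]}", strict=False)
              for n, i in model["interfaces"].items() if i.get("ip") and i["ip"][0] != "dhcp"}
    dhcp_ifaces = [n for n, i in model["interfaces"].items() if i.get("ip", [""])[0] == "dhcp"]
    for pool_name, pool in model["pools"].items():
        if not any(pool.overlaps(net) for net in static.values()):
            note = f"; {', '.join(dhcp_ifaces)} are addressed via DHCP and could not be compared" if dhcp_ifaces else ""
            findings.append(("POOL_OFFLINK", f"VPN pool {pool_name} ({pool}) is not on any statically addressed "
                             "interface: inside hosts (or their gateway) must route it back to the ASA, "
                             f"or the ASA must NAT it{note}"))
    return findings


if __name__ == "__main__":
    for code, msg in review(parse_asa(SAMPLE_CONFIG)):
        print(f"[{code}] {msg}")
```

Run it as a script to print one line per finding. The POOL_OFFLINK note is the one most directly tied to the symptom in the post: with `split-tunnel-policy tunnelall` the client sends everything into the tunnel, but replies from inside hosts only come back if those hosts, or their default gateway, have a route for the pool subnet that points at the ASA, or if the ASA translates the pool into an inside address.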
