What wrong with my setup ASA AnyConnect

Wan_Whisperer (Level 1)

I have an ASA and its only use will be AnyConnect.

I have both interfaces connected to a switch.

ASA#

inside 172.21.0.2
outside XXX.XXX.XXX.2

route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.2

On the switch I have the interfaces set up for access to their respective VLANs.

On the same switch I have a trunk port to the router on a stick.

I have AnyConnect up and the only way I can actually reach any network is like this:

tunnel all networks on that ASA

The DHCP pool for AnyConnect is 172.21.2.5-6.

If I do that I can access the 172. network and nothing else.

If I make the pool in the same range as my outside, I cannot access anything, including the outside network.

What am I doing wrong?

7 Replies

Hi,
Without seeing your entire configuration I can provide a few guesses.
- To access the internal networks you'd need to ensure you have a no-nat rule, to ensure the traffic from the AnyConnect IP Pool is not natted.
- To route AnyConnect traffic out to the internet you'll need to configure "same-security-traffic permit intra-interface" - you'd also need a nat rule to nat this traffic destined to the internet via the outside interface, this rule must be below the no-nat rule mentioned above.

HTH

You will be my hero if you can help me.

:

!
hostname CBA-ASA-1

names
ip local pool 172.21.2.0/24 172.21.2.5-172.21.2.6 mask 255.255.255.0
ip local pool xxx.xxx.xxx2.0/24 xxx.xxx.xxx.7-xxx.xxx.xxx.8 mask 255.255.255.128
!
interface Ethernet0/0
nameif Inside
security-level 100
ip address 172.21.2.4 255.255.255.0
!
interface Ethernet0/1
nameif Outside
security-level 100
ip address xxx.xxx.xxx.10 255.255.255.192
!
interface Ethernet0/2
description LAN Failover Interface
!
interface Ethernet0/3
description STATE Failover Interface
!
interface Management0/0
management-only
shutdown
nameif management
security-level 100
no ip address
!
ftp mode passive
object network NETWORK_OBJ_10.0.25.0_27
subnet 10.0.25.0 255.255.255.224
object network ABC-Internals
subnet 172.21.0.0 255.255.252.0
object network ABC-OOB
subnet xxx.xxx.xxx.112 255.255.255.248
object network ABC-Private-
subnet 172.16.0.0 255.252.0.0
object network ABC-Public-1
subnet 192.81.80.0 255.255.252.0
object network ABC-Public-2
subnet xxx.xxx.xxx.0 255.255.252.0
object network CBA-Internals
subnet 172.21.2.0 255.255.255.0
description Vlan 10
object network CBA-OOB
subnet xxx.xxx.xxx.92 255.255.255.252
object network CBA-Public
subnet xxx.xxx.xxx.0 255.255.252.0
object network NETWORK_OBJ_10.10.10.0_27
subnet 10.10.10.0 255.255.255.224
object network NETWORK_OBJ_10.10.20.0_28
subnet 10.10.20.0 255.255.255.240
object network NETWORK_OBJ_10.4.70.0_24
subnet 10.4.70.0 255.255.255.0
object network NETWORK_OBJ_172.21.2.4_30
subnet 172.21.2.4 255.255.255.252
object network NETWORK_OBJ_xxx.xxx.xxx.0_28
subnet xxx.xxx.xxx.0 255.255.255.240
object-group network All-Networks
description Created for AnyConnect
network-object object ABC-Internals
network-object object ABC-OOB
network-object object ABC-Private-
network-object object ABC-Public-1
network-object object ABC-Public-2
network-object object CBA-Internals
network-object object CBA-OOB
network-object object CBA-Public
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list AnyConnect standard permit 172.21.2.0 255.255.255.0
access-list AnyConnect standard permit xxx.xxx.xxx.0 255.255.255.192
access-list global_access extended permit ip any any
access-list global_access extended permit icmp any4 any4
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any4 any4
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any4 any4
access-list 104 standard permit xxx.xxx.xxx.0 255.255.255.192
access-list 104 standard permit 172.21.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
no failover
failover lan unit primary
failover lan interface Failover Ethernet0/2
failover replication http
failover link statefull Ethernet0/3
failover interface ip Failover 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover interface ip statefull 10.2.2.1 255.255.255.0 standby 10.2.2.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.21.2.4_30 NETWORK_OBJ_172.21.2.4_30 no-proxy-arp route-lookup
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_xxx.xxx.xxx.0_28 NETWORK_OBJ_xxx.xxx.xxx.0_28 no-proxy-arp route-lookup
access-group Inside_access_in in interface Inside
access-group Outside_access_in in interface Outside
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure

webvpn
enable Outside
anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
anyconnect profiles xxx.xxx.xxx.0_client_profile disk0:/xxx.xxx.xxx.0_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AnyConnect
group-policy GroupPolicy_172.21.2.0/24 internal
group-policy GroupPolicy_172.21.2.0/24 attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AnyConnect
default-domain none
address-pools value 172.21.2.0/24
group-policy GroupPolicy_xxx.xxx.xxx.0 internal
group-policy GroupPolicy_xxx.xxx.xxx.0 attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AnyConnect
default-domain none
address-pools value xxx.xxx.xxx.0/24
webvpn
anyconnect profiles value xxx.xxx.xxx.0_client_profile type user
username jcart password PI8NhZe13130vvcG encrypted privilege 15
tunnel-group 172.21.2.0/24 type remote-access
tunnel-group 172.21.2.0/24 general-attributes
address-pool 172.21.2.0/24
default-group-policy GroupPolicy_172.21.2.0/24
tunnel-group 172.21.2.0/24 webvpn-attributes
group-alias 172.21.2.0/24 enable
tunnel-group xxx.xxx.xxx.0 type remote-access
tunnel-group xxx.xxx.xxx.0 general-attributes
address-pool xxx.xxx.xxx.0/24
default-group-policy GroupPolicy_xxx.xxx.xxx.0
tunnel-group xxx.xxx.xxx.0 webvpn-attributes
group-alias xxx.xxx.xxx.0 enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname priority state
call-home reporting anonymous

: end

The security level of your outside interface is 100, usually it's set as "0"
Add the "same-security-traffic permit intra-interface" command
Can the ASA ping the other networks? You don't appear to have static routes for them
Is this the full configuration of the ASA?
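The checks suggested in the replies so far (outside security-level, the intra-interface command, management exposure) can be run mechanically against a pasted config. The following is an added example, not code from the thread, the poster, or Cisco. SAMPLE_CONFIG is a condensed copy of the posted configuration; the masked xxx.xxx.xxx octets are replaced with the 203.0.113.0/24 documentation range, which is an assumption, and FIXED_CONFIG is a constructed variant with the security-level and same-security-traffic fixes applied. It also flags the DES/3DES/MD5 IKEv2 proposals that the posted config still offers.

```python
"""Audit an ASA running-config excerpt for the issues raised in this thread.

Added example (not from the thread, the poster, or Cisco). SAMPLE_CONFIG is a
condensed copy of the posted config; the masked xxx.xxx.xxx octets are replaced
with the 203.0.113.0/24 documentation range, which is an assumption.
"""
import re

SAMPLE_CONFIG = """\
hostname CBA-ASA-1
interface Ethernet0/0
nameif Inside
security-level 100
ip address 172.21.2.4 255.255.255.0
!
interface Ethernet0/1
nameif Outside
security-level 100
ip address 203.0.113.10 255.255.255.192
!
http server enable
http 0.0.0.0 0.0.0.0 Outside
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

# Constructed variant: the same config with the two fixes from this thread applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "nameif Outside\nsecurity-level 100", "nameif Outside\nsecurity-level 0"
) + "same-security-traffic permit intra-interface\n"

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5"}


def parse_config(text):
    """Collect interfaces and IKEv2 proposals from a flat (unindented) config.

    Pasted configs usually lose their indentation, so a block is ended by '!'
    or by the next block-opening line rather than by leading whitespace.
    """
    interfaces, proposals = {}, {}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            kind = None
            continue
        if line.startswith("interface "):
            kind, name = "if", line.split()[1]
            interfaces[name] = {"nameif": None, "level": None}
            continue
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line)
        if m:
            kind, name = "prop", m.group(1)
            proposals[name] = {"encryption": set(), "integrity": set()}
            continue
        if kind == "if":
            if line.startswith("nameif "):
                interfaces[name]["nameif"] = line.split()[1]
            elif line.startswith("security-level "):
                interfaces[name]["level"] = int(line.split()[1])
        elif kind == "prop":
            m = re.match(r"protocol esp (encryption|integrity) (.+)", line)
            if m:
                proposals[name][m.group(1)].update(m.group(2).split())
    return interfaces, proposals


def audit(text):
    """Return (code, detail) findings; an empty list means nothing was flagged."""
    interfaces, proposals = parse_config(text)
    findings = []
    for i in interfaces.values():
        nameif = i["nameif"]
        if not nameif or "outside" not in nameif.lower():
            continue
        if i["level"] is not None and i["level"] > 0:
            findings.append(("OUTSIDE_SECURITY_LEVEL",
                             f"{nameif} has security-level {i['level']}, expected 0"))
        if re.search(rf"^http 0\.0\.0\.0 0\.0\.0\.0 {re.escape(nameif)}\s*$", text, re.M):
            findings.append(("MGMT_OPEN_ON_OUTSIDE",
                             f"ASDM/HTTPS management allowed from any source on {nameif}"))
    for pname, p in proposals.items():
        weak = (p["encryption"] & WEAK_ENCRYPTION) | (p["integrity"] & WEAK_INTEGRITY)
        if weak:
            findings.append(("WEAK_ESP_ALGORITHM",
                             f"ipsec-proposal {pname} offers {', '.join(sorted(weak))}"))
    if "same-security-traffic permit intra-interface" not in text:
        findings.append(("NO_INTRA_INTERFACE",
                         "VPN clients cannot be hairpinned back out the interface they "
                         "arrived on without 'same-security-traffic permit intra-interface'"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

The parser deliberately ignores indentation, because a config pasted into a forum post (as here) arrives flattened; block boundaries are taken from `!` and the next block-opening keyword instead.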

Hey,

Thanks for your reply. I added the command "same-security-traffic permit intra-interface" and changed the security level. I have them the same because this ASA is only used for AnyConnect. Yes, this is the full config, except I removed some crypto stuff.

As a reminder, the inside and outside are connected to a switch.

SW1#

int g0/0/1
description To-ASA-outside
switchport mode access
switchport access vlan 20

int g0/0/0
description To-ASA-inside
switchport mode access
switchport access vlan 10

int g0/0/3
description To-R1
switchport mode trunk
switchport trunk encapsulation dot1q

R1#

interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address 172.21.2.1 255.255.255.0

interface GigabitEthernet0/0/0.20
encapsulation dot1Q 20
ip address xxx.xxx.xxx.1 255.255.255.0

interface GigabitEthernet0/0/0.30
encapsulation dot1Q 30
ip address 172.21.3.2 255.255.255.0

interface GigabitEthernet0/0/0.40
encapsulation dot1Q 40
ip address 172.21.4.1 255.255.255.0

Marvin Rhoads (Hall of Fame) - Accepted Solution

Your ASA's default route is pointing to its own outside interface. It should instead reference the upstream gateway.

If you need the VPN clients to reach anything other than their own subnet the ASA will likewise need to have an inside static route or be running a dynamic routing protocol like OSPF or EIGRP whereby it learns the route to inside subnets.

The clients' address pool can be either part of the inside subnet or another subnet altogether. As long as the hosts they need to reach know to go to the ASA for hosts in that subnet (usually due to the fact that the ASA is getting all outbound traffic) then it will work fine.
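The routing point in the accepted answer can be seen by modelling the ASA's route lookup. This is an added example, not code from the thread or Cisco: a small longest-prefix-match table loaded with the subnets posted above, with the masked xxx.xxx.xxx octets replaced by the 203.0.113.0/24 documentation range (an assumption). `asa_as_posted` has only the two connected subnets and the default route via R1; `asa_with_inside_route` adds the static route for 172.21.0.0/22 (the ABC-Internals object from the posted config) via R1's VLAN 10 address, which is what EIGRP ended up learning for the poster. The next-hop rules in `add_static` are this model's own checks; they exist to show why a default route whose next hop is the ASA's own address is useless.

```python
"""Model the ASA's route lookup to show why the VPN clients were stuck.

Added example (not from the thread or Cisco). Subnets and next hops are the
ones posted in this thread; the masked xxx.xxx.xxx octets are replaced with
the 203.0.113.0/24 documentation range, which is an assumption.
"""
import ipaddress


class RoutingTable:
    """Longest-prefix-match table with simple next-hop sanity rules."""

    def __init__(self):
        self.routes = []          # (network, interface, next_hop or None if connected)
        self.own_addresses = set()

    def add_connected(self, iface, addr_with_mask):
        """Equivalent of 'ip address' on an interface: a connected route."""
        intf = ipaddress.ip_interface(addr_with_mask)
        self.own_addresses.add(intf.ip)
        self.routes.append((intf.network, iface, None))

    def add_static(self, iface, network, next_hop):
        """Equivalent of 'route <iface> <net> <mask> <next-hop>'.

        A next hop is only useful if it is a neighbour on the egress interface's
        connected subnet and is not the ASA itself (the first post pointed the
        default route at the ASA's own outside address). These rules are this
        model's own checks, not a claim about what the ASA CLI accepts.
        """
        nh = ipaddress.ip_address(next_hop)
        if nh in self.own_addresses:
            raise ValueError(f"next hop {nh} is one of this ASA's own addresses")
        if not any(existing_nh is None and i == iface and nh in net
                   for net, i, existing_nh in self.routes):
            raise ValueError(f"next hop {nh} is not on a connected subnet of {iface}")
        self.routes.append((ipaddress.ip_network(network), iface, nh))

    def lookup(self, destination):
        """Return the most specific route for destination, or None."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, iface, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, nh)
        if best is None:
            return None
        net, iface, nh = best
        return {"prefix": str(net), "interface": iface,
                "next_hop": "connected" if nh is None else str(nh)}


def try_add_static(rt, iface, network, next_hop):
    """True if the route is accepted, False if the next-hop rules reject it."""
    try:
        rt.add_static(iface, network, next_hop)
        return True
    except ValueError:
        return False


def asa_as_posted():
    """The posted config: two connected subnets and a default route via R1."""
    rt = RoutingTable()
    rt.add_connected("Inside", "172.21.2.4/24")
    rt.add_connected("Outside", "203.0.113.10/26")
    rt.add_static("Outside", "0.0.0.0/0", "203.0.113.1")
    return rt


def asa_with_inside_route():
    """The fix: 'route Inside 172.21.0.0 255.255.252.0 172.21.2.1'.

    The other inside VLANs (the ABC-Internals object) are reached via R1's
    VLAN 10 address; EIGRP, which the poster enabled, learns the same prefixes
    dynamically instead of needing the static route.
    """
    rt = asa_as_posted()
    rt.add_static("Inside", "172.21.0.0/22", "172.21.2.1")
    return rt


if __name__ == "__main__":
    for label, rt in (("as posted", asa_as_posted()),
                      ("with inside route", asa_with_inside_route())):
        print(label, "-> 172.21.3.10 via", rt.lookup("172.21.3.10"))
```

With only the posted routes, a VPN client packet for 172.21.3.10 (VLAN 30 behind R1) matches nothing but the default route and leaves the Outside interface; with the inside route (or EIGRP) it leaves Inside toward 172.21.2.1, which is the path the poster expected.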

So you are saying the interface on the switch needs to be routed as well?

Or are you saying I just need to make static routes pointing out my inside interface?

I assumed for some reason that it would route everything out the outside. As soon as I added EIGRP it all worked.

Thanks!