[c-nsp] SSL VPN on an ASA 5505

Ryan xc3f59 at gmail.com
Tue Jan 31 15:59:49 EST 2012

I used the VPN Wizard on ASDM 6.4(7) with an ASA 5505 running 8.4(3)
to create a config for SSL VPNs. The ASDM didn't configure
split-tunneling, so I did that manually by creating the NONAT access
list and applying it to the Group Policy.

The Anyconnect client connects successfully with the appropriate
routes, but I can't get any traffic going to the networks that I've
VPNed into. The sanitized config is below. Any thoughts?

-------------- next part --------------
vpn# sh run
: Saved
ASA Version 8.4(3)
hostname vpn
domain-name domain.com
enable password *************** encrypted
passwd ************** encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name domain.com
object network obj_any
object network ANET
 description A Network
object network BNET
 description B Network
object network NETWORK_OBJ_192.168.131.0_24
object network VPNS
 description VPNS
object-group network DM_INLINE_NETWORK_1
 network-object object ANET
 network-object object BNET
object-group network DM_INLINE_NETWORK_2
 network-object object ANET
 network-object object BNET
access-list global_access extended permit ip object VPNS object-group DM_INLINE_NETWORK_1
access-list NONAT standard permit
access-list NONAT standard permit
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNIPS mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.131.0_24 NETWORK_OBJ_192.168.131.0_24 no-proxy-arp route-lookup
access-group global_access global
route outside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 4443
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet inside
telnet timeout 30
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
 enable outside
 anyconnect image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_ANYCONNECT internal
group-policy GroupPolicy_ANYCONNECT attributes
 wins-server none
 dns-server value
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NONAT
 default-domain value domain.com
username testuser password ************* encrypted
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool VPNIPS
 default-group-policy GroupPolicy_ANYCONNECT
tunnel-group ANYCONNECT webvpn-attributes
 group-alias ANYCONNECT enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

More information about the cisco-nsp mailing list