[c-nsp] SSL VPN on an ASA 5505

Ryan xc3f59 at gmail.com
Tue Jan 31 15:59:49 EST 2012 

I used the VPN Wizard on ASDM 6.4(7) with an ASA 5505 running 8.4(3)
to create a config for SSL VPNs. The ASDM didn't configure
split-tunneling, so I did that manually by creating the NONAT access
list and applying it to the Group Policy.

The Anyconnect client connects successfully with the appropriate
routes, but I can't get any traffic going to the networks that I've
VPNed into. The sanitized config is below. Any thoughts?

Thanks,
Ryan
-------------- next part --------------
vpn# sh run
: Saved
:
ASA Version 8.4(3)
!
hostname vpn
domain-name domain.com
enable password *************** encrypted
passwd ************** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.9 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 7.7.7.9 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name domain.com
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network ANET
 subnet 7.7.6.0 255.255.255.0
 description A Network
object network BNET
 subnet 192.168.8.0 255.255.255.0
 description B Network
object network NETWORK_OBJ_192.168.131.0_24
 subnet 192.168.131.0 255.255.255.0
object network VPNS
 subnet 192.168.131.0 255.255.255.0
 description VPNS
object-group network DM_INLINE_NETWORK_1
 network-object object ANET
 network-object object BNET
object-group network DM_INLINE_NETWORK_2
 network-object object ANET
 network-object object BNET
access-list global_access extended permit ip object VPNS object-group DM_INLINE_NETWORK_1
access-list NONAT standard permit 7.7.6.0 255.255.255.0
access-list NONAT standard permit 192.168.8.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNIPS 192.168.131.100-192.168.131.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.131.0_24 NETWORK_OBJ_192.168.131.0_24 no-proxy-arp route-lookup
access-group global_access global
route outside 0.0.0.0 0.0.0.0 63.228.23.1 1
route inside 7.7.6.0 255.255.255.0 192.168.1.1 1
route inside 7.7.5.0 255.255.255.0 192.168.1.1 1
route inside 7.7.4.0 255.255.255.0 192.168.1.1 1
route inside 7.7.3.0 255.255.255.0 192.168.1.1 1
route inside 7.7.2.0 255.255.255.0 192.168.1.1 1
route inside 7.7.1.0 255.255.255.0 192.168.1.1 1
route inside 192.168.0.0 255.255.0.0 192.168.1.1 1
route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 4443
http 192.168.1.0 255.255.255.0 inside
http 7.7.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 7.7.6.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_ANYCONNECT internal
group-policy GroupPolicy_ANYCONNECT attributes
 wins-server none
 dns-server value 7.7.6.254
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NONAT
 default-domain value domain.com
username testuser password ************* encrypted
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool VPNIPS
 default-group-policy GroupPolicy_ANYCONNECT
tunnel-group ANYCONNECT webvpn-attributes
 group-alias ANYCONNECT enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:*********************
: end

More information about the cisco-nsp mailing list