1

I have one huge issue regarding VPN which I cannot resolve or connect the dots (what can possibly cause an issue)

One of our customers wants to replace old snapgear with something better so they've choose ASA to do so.

I have created all the configuration in ASA and tested inside our test network. I was able to connect with clients machine from outside to ASA VPN and to ping any machine inside the network. Everything worked perfectly. After that I have set same firewall/config to the customers site, and as soon as I connected ASA to their network and tried to connect from outside using Any connect, I was not able to ping any machine inside their network. All networks, subnets were out of reach/no reply.

At first I have set static routes and static IP of the ASA interface, but without luck. Then I set interface to get the IP address from DHCP server and all the routes from "L3 Core switch" that is doing all the routing, again without any luck.

Configuration of the ASA (dynamic)

: Saved

:
: Serial Number: xxxxxxxx
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
hostname xxxxxxxx
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
ip local pool VPN_xxxxxx 10.13.3.2-10.13.3.200 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description WAN Connection
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.88 255.255.255.224
!
interface GigabitEthernet1/2
 description LAN address
 nameif inside
 security-level 100
 ip address dhcp setroute
!
interface GigabitEthernet1/3
 description Test Connection Outside
 nameif testConn
 security-level 0
 ip address xxx.xxx.xxx.218 255.255.255.248
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 nameif mgmtbck
 security-level 100
 ip address 192.168.96.1 255.255.255.0
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network TestConnection
 subnet 192.168.10.0 255.255.254.0
 description TestConnection
object network WANAddress
 host xxx.xxx.xxx.217
object network WAN_Connection
 subnet 192.168.10.0 255.255.254.0
 description InternetConnection
object network WANConnectionxxxxxx
 host xxx.xxx.xxx.65
object network WANConn
 subnet 192.168.10.0 255.255.254.0
object network NETWORK_OBJ_10.13.3.0_24
 subnet 10.13.3.0 255.255.255.0
object network Network_A
 subnet 192.168.0.0 255.255.254.0
 description Network 192.168.0.0/23
object network Network_B
 subnet 172.17.110.0 255.255.255.0
 description Network 172.17.110.0
object network Network_C
 subnet 172.17.101.0 255.255.255.0
 description Network 172.17.101.0/24
object network Network_D
 subnet 172.17.137.0 255.255.255.0
 description Network 172.17.137.0/24
object network Gateway_Inside
 host 192.168.10.1
 description inside gateway address
object network OutsideNAT
 subnet 192.168.10.0 255.255.254.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu testConn 1500
mtu mgmtbck 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-762.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,testConn) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
!
object network WANConn
 nat (inside,testConn) dynamic interface dns
object network OutsideNAT
 nat (inside,outside) dynamic interface dns
access-group 101 in interface outside
access-group inside_access_in in interface inside
access-group 101 in interface testConn
route testConn 0.0.0.0 0.0.0.0 xxx.xxx.xxx.217 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 2
route inside 172.17.101.0 255.255.255.0 192.168.10.1 1
route inside 172.17.110.0 255.255.255.0 192.168.10.1 1
route inside 172.17.137.0 255.255.255.0 192.168.10.1 1
route inside 192.168.0.0 255.255.254.0 192.168.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server NPS protocol radius
aaa-server NPS (inside) host 192.168.0.186
 key *****
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.254.0 inside
http 192.168.96.0 255.255.255.0 mgmtbck
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map testConn_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map testConn_map interface testConn
crypto ca trustpoint xxxxxxxx
 enrollment self
 fqdn xxxxxx.local
 subject-name CN=xxxxxxxx
 serial-number
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain xxxxxxxx
 certificate cffdf657
    3082036f 30820257 a0030201 020204cf fdf65730 0d06092a 864886f7 0d010105
    05003047 31133011 06035504 03130a41 646d6972 616c4153 41313030 12060355
    0405130b 4a414432 30323330 34435430 1a06092a 864886f7 0d010902 160d6164
    6d697261 6c2e6c6f 63616c30 1e170d31 36313030 37303234 3431335a 170d3236
    31303035 30323434 31335a30 47311330 11060355 0403130a 41646d69 72616c41
    121616e7 7014f20f dbf9733a bca6055a 15f68e68 8fa67ea5 0c63d7ed 712e5517
    a392775d 2f4bdd5a df207e10 0413c878 fba699
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable testConn client-services port 443
crypto ikev2 remote-access trustpoint xxxxxxxx
crypto ikev1 enable outside
crypto ikev1 enable testConn
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.10.0 255.255.254.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcp-client client-id interface inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxx.xxx.xxx.44 source testConn prefer
ssl trust-point xxxxxxxx outside
ssl trust-point xxxxxxxx inside
ssl trust-point xxxxxxxx testConn
ssl trust-point xxxxxxxx mgmtbck
webvpn
 enable outside
 enable testConn
 anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
 anyconnect profiles xxxxxxMain_client_profile disk0:/xxxxxxMain_client_profile.xml
 anyconnect profiles xxxxxx_client_profile disk0:/xxxxxx_client_profile.xml
 anyconnect profiles TestVPN_client_profile disk0:/TestVPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_TestVPN internal
group-policy GroupPolicy_TestVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value TestVPN_client_profile type user
group-policy GroupPolicy_xxxxxxMain internal
group-policy GroupPolicy_xxxxxxMain attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value xxxxxxMain_client_profile type user
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain none
group-policy Policy_xxxxxx internal
group-policy Policy_xxxxxx attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none
dynamic-access-policy-record DfltAccessPolicy
username admin password xxxxxxxx encrypted privilege 15
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_xxxxxx
 default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
tunnel-group TestVPN type remote-access
tunnel-group TestVPN general-attributes
 address-pool VPN_xxxxxx
 default-group-policy GroupPolicy_TestVPN
tunnel-group TestVPN webvpn-attributes
 group-alias TestVPN enable
tunnel-group xxxxxxMain type remote-access
tunnel-group xxxxxxMain general-attributes
 address-pool VPN_xxxxxx
 authentication-server-group NPS
 default-group-policy GroupPolicy_xxxxxxMain
tunnel-group xxxxxxMain webvpn-attributes
 group-alias xxxxxxMain enable
tunnel-group VPN_SSL type remote-access
tunnel-group VPN_SSL general-attributes
 default-group-policy Policy_xxxxxx
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

Configuration - static

: Saved

: 
: Serial Number: xxxxxxxx
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by xxxxx at 08:27:30.065 GMT Wed Oct 12 2016
!
ASA Version 9.5(2) 
!
hostname xxxxxxxxASA
enable password xxxxxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxxxx encrypted
names
ip local pool VPN_xxxxxxxx 10.13.3.2-10.13.3.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description WAN Connection
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.88 255.255.255.224 
!
interface GigabitEthernet1/2
 description LAN address
 nameif inside
 security-level 100
 ip address 192.168.10.3 255.255.254.0 
!
interface GigabitEthernet1/3
 description Test Connection Outside
 nameif testConn
 security-level 0
 ip address xxx.xxx.xxx.218 255.255.255.248 
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network TestConnection
 subnet 192.168.10.0 255.255.254.0
 description TestConnection
object network WANAddress
 host xxx.xxx.xxx.217
object network WAN_Connection
 subnet 192.168.10.0 255.255.254.0
 description InternetConnection
object network WANConnectionxxxxxxxx
 host xxx.xxx.xxx.65
object network WANConn
 subnet 192.168.10.0 255.255.254.0
object network NETWORK_OBJ_10.13.3.0_24
 subnet 10.13.3.0 255.255.255.0
object network Network_A
 subnet 192.168.0.0 255.255.254.0
 description Network 192.168.0.0/23
object network Network_B
 subnet 172.17.110.0 255.255.255.0
 description Network 172.17.110.0
object network Network_C
 subnet 172.17.101.0 255.255.255.0
 description Network 172.17.101.0/24
object network Network_D
 subnet 172.17.137.0 255.255.255.0
 description Network 172.17.137.0/24
object network Gateway_Inside
 host 192.168.10.1
 description inside gateway address
object network OutsideNAT
 subnet 192.168.10.0 255.255.254.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 
access-list 101 extended permit icmp any any echo-reply 
access-list 101 extended permit icmp any any source-quench 
access-list 101 extended permit icmp any any unreachable 
access-list 101 extended permit icmp any any time-exceeded 
access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu testConn 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-762.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,testConn) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
!
object network WANConn
 nat (inside,testConn) dynamic interface dns
object network OutsideNAT
 nat (inside,outside) dynamic interface dns
access-group 101 in interface outside
access-group inside_access_in in interface inside
access-group 101 in interface testConn
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 1
route testConn 0.0.0.0 0.0.0.0 xxx.xxx.xxx.217 3
route inside 172.17.101.0 255.255.255.0 192.168.10.1 1
route inside 172.17.110.0 255.255.255.0 192.168.10.1 1
route inside 172.17.137.0 255.255.255.0 192.168.10.1 1
route inside 192.168.0.0 255.255.254.0 192.168.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server NPS protocol radius
aaa-server NPS (inside) host 192.168.0.186
 key xxxxxxx
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map testConn_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map testConn_map interface testConn
crypto ca trustpoint xxxxxxxxCert
 enrollment self
 fqdn xxxxxxxx.local
 subject-name CN=xxxxxxxxASA
 serial-number
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain xxxxxxxxCert
 certificate cffdf657
    3082036f 30820257 a0030201 020204cf fdf65730 0d06092a 864886f7 0d010105 
    05003047 31133011 06035504 03130a41 646d6972 616c4153 41313030 12060355 
    0405130b 4a414432 30323330 34435430 1a06092a 864886f7 0d010902 160d6164 
    6d697261 6c2e6c6f 63616c30 1e170d31 36313030 37303234 3431335a 170d3236 
    31303035 30323434 31335a30 47311330 11060355 0403130a 41646d69 72616c41 
    89dcd2ca 48d03495 655c1b39 35d26809 40d73e65 8bebfe10 c3c07753 75d6ba67 
    e7fd3326 5ee135c4 bf96971a 99e5ed5c 72c22c56 bda3e047 97f5e667 57504628 
    5b64c134 279b5205 2ebf37fe 81174d03 e2c9a30f acdf2893 f3136e20 4221bca0 
    121616e7 7014f20f dbf9733a bca6055a 15f68e68 8fa67ea5 0c63d7ed 712e5517 
    a392775d 2f4bdd5a df207e10 0413c878 fba699
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable testConn client-services port 443
crypto ikev2 remote-access trustpoint xxxxxxxxCert
crypto ikev1 enable outside
crypto ikev1 enable testConn
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.10.0 255.255.254.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxx.xxx.xxx.44 source testConn prefer
ssl trust-point xxxxxxxxCert outside
ssl trust-point xxxxxxxxCert inside
ssl trust-point xxxxxxxxCert testConn
webvpn
 enable outside
 enable testConn
 anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
 anyconnect profiles xxxxxxxxVPNMain_client_profile disk0:/xxxxxxxxVPNMain_client_profile.xml
 anyconnect profiles xxxxxxxxVPN_client_profile disk0:/xxxxxxxxVPN_client_profile.xml
 anyconnect profiles TestVPN_client_profile disk0:/TestVPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_xxxxxxxxVPN internal
group-policy GroupPolicy_xxxxxxxxVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value xxxxxxxxVPN_client_profile type user
group-policy GroupPolicy_TestVPN internal
group-policy GroupPolicy_TestVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value TestVPN_client_profile type user
group-policy GroupPolicy_xxxxxxxxVPNMain internal
group-policy GroupPolicy_xxxxxxxxVPNMain attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value xxxxxxxxVPNMain_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username xxxxx password xxxxxxxxxxx encrypted privilege 15
tunnel-group xxxxxxxxVPN type remote-access
tunnel-group xxxxxxxxVPN general-attributes
 address-pool VPN_xxxxxxxx
 default-group-policy GroupPolicy_xxxxxxxxVPN
tunnel-group xxxxxxxxVPN webvpn-attributes
 group-alias xxxxxxxxVPN enable
tunnel-group TestVPN type remote-access
tunnel-group TestVPN general-attributes
 address-pool VPN_xxxxxxxx
 default-group-policy GroupPolicy_TestVPN
tunnel-group TestVPN webvpn-attributes
 group-alias TestVPN enable
tunnel-group xxxxxxxxVPNMain type remote-access
tunnel-group xxxxxxxxVPNMain general-attributes
 address-pool VPN_xxxxxxxx
 authentication-server-group NPS
 default-group-policy GroupPolicy_xxxxxxxxVPNMain
tunnel-group xxxxxxxxVPNMain webvpn-attributes
 group-alias xxxxxxxxVPNMain enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:x
: end

Switch configuration to which ASA is directly connected and that is doing all the routing.

Routes of the Snapgear VPN that works

Working Routes

ASA VPN route (not working)

Routes while connected to ASA

Also I need to inform you that when I connected ASA to the customers network, I could ping any interface of any subnet/network from the ASA which means that routes are correctly set, but as soon I use VPN and try to ping from outside through the tunnel of inside device/server/interface, I cannot reach any of them...

What could possibly causing the issue?

Thank you in advance and have yourself a great day.

dovla110010101
  • 162
  • 1
  • 2
  • 10
  • Since I am limited here to 30K characters here is additional info about L3 switch that ASA is connected: [Configuration of L3 switch that ASA is directly connected](https://drive.google.com/file/d/0B27L04b0tKBic3VaS0NvSTkxa2c/view?usp=sharing) – dovla110010101 Oct 18 '16 at 11:54
  • Do I understand correctly that the Snapgear is still present and functioning as Internet gateway? I.e I see the core switch has a default route to 192.168.254.1 which I assume is the Snapgear? I suspect that things will work when you point that default route to the ASA instead, however if you want to keep the Snapgear as Internet gateway and use the ASA only for VPN (or temporarily keep the Snapgear as Internet gateway while you test the ASA) then you should add a route on the core switch for 10.13.3.0/24 with the ASA as next-hop. – hertitu Oct 18 '16 at 13:28
  • BTW that implies keeping the static config on the ASA. – hertitu Oct 18 '16 at 13:48
  • Hi, the purpose of the Snapgear is to be VPN nothing more. Gateway is ISP box, and router is Core L3 switch (don't ask me why, somebody smart has set network like that. I am only the poor baster that inherited that cr***). Snapgear IP has static IP 192.168.10.3, the difference is snapgear has default gateway, while ASA don't since is static, Current setup ISP -> L3 Core Sw -> Snapgear -> L3 Core Sw (different VLAN) My config that has issue: ISP -> L3 Core Sw -> ASA -> L3 Core Sw (different VLAN) The whole purpose of that firewall is to be VPN gateway... – dovla110010101 Oct 19 '16 at 09:29

1 Answers1

0

Keep the "static" configuration on the ASA.

On the core switch, add a route for 10.13.3.0/24 (your Anyconnect ip pool) with the ASA's inside ip address 192.168.10.3 as next-hop.

Edit: note that your Split-Tunnel configuration will cause only traffic to 192.168.10.0/23 to be tunnelled, if you want to be able to reach any other address on the inside then you will need to add those networks to the split-tunnel list.

I.e. you currently have (I'm only showing one group-policy, the others have the same):

group-policy GroupPolicy_xxxxxxxxVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel

which refers to this ACL:

access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0

So this means that the client will only send traffic over the tunnel when the destination is in that network 192.168.10.0/23. Traffic to the Internet, but also traffic to e.g. 172.17.x.x will not be sent over the tunnel but to the normal default gateway (so 172.17.x.x will be unreachable).

If you want 172.17.x.x and 192.168.0.0/23 to also be reachable you need to add those networks to the Split-Tunnel ACL:

access-list Split-Tunnel standard permit 172.17.101.0 255.255.255.0
access-list Split-Tunnel standard permit 172.17.110.0 255.255.255.0
access-list Split-Tunnel standard permit 172.17.137.0 255.255.255.0
access-list Split-Tunnel standard permit 192.168.0.0 255.255.254.0

or you could also keep it short and broaden the acls to:

access-list Split-Tunnel standard permit 172.16.0.0 255.240.0.0
access-list Split-Tunnel standard permit 192.168.0.0 255.255.0.0
no access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0

Alternatively, you can change your split-tunnel-policy to "tunnelall" in order to send all traffic (including Internet traffic!) over the tunnel, however you will need to make some more changes then to allow the Internet traffic to make a U-turn at the ASA, see e.g. AnyConnect VPN Client U-turning Configuration Examples

hertitu
  • 337
  • 1
  • 6
  • Next Tuesday we will set ASA again and I will set the route and see if this helps, even though correct me if I am wrong, but when you create VPN via wizard, you specify outside interface and network that you want to reach. It should create routes automatically...?!? – dovla110010101 Oct 19 '16 at 12:57
  • @dovla091: the VPN wizard will only configure the VPN for you, not routing. But the routing on the ASA seems ok since you have your 4 static routes pointing to the core, and you confirmed that you could ping everything from the ASA. The problem is with the routing of the return packets, e.g. if your Anyconnect client is 10.13.3.3 and pings a LAN host then the ICMP echo-reply from that host will arrive on the core with a destination address 10.13.3.3 and so the core (as long as it does not have a route for that) will follow its default route and send it to 192.168.254.1 instead of to the ASA... – hertitu Oct 19 '16 at 13:15
  • @dovla091: I'm guessing that in your test network, the test machine used the ASA as default gateway, so that would explain why it worked there. I also just noticed that you use split-tunneling, so I've edited the answer to include a warning that you may or may not have an issue there as well. – hertitu Oct 19 '16 at 13:24
  • Hi Hertitu, It make sense what you are saying. To me also looks that it is not ASA issue, but CoreSW which doesn't have route, but can you please explain your comment regarding Split-Tunnel "Edit: note that your Split-Tunnel configuration will cause only traffic to 192.168.10.0/23 to be tunnelled, if you want to be able to reach any other address on the inside then you will need to add those networks to the split-tunnel list." What exactly I need to do and how? Best regards – dovla110010101 Oct 20 '16 at 07:09
  • @dovla091: I updated the answer, I hope this helps, let me know. – hertitu Oct 20 '16 at 07:53
  • Ok, I get it. The only thing I will probably need also: access-list Split-Tunnel standard permit 192.168.0.0 255.255.254.0 as well, since there are 4 static routes/networks that are included... S 172.17.101.0 255.255.255.0 [1/0] via 192.168.10.1, inside S 172.17.110.0 255.255.255.0 [1/0] via 192.168.10.1, inside S 172.17.137.0 255.255.255.0 [1/0] via 192.168.10.1, inside S 192.168.0.0 255.255.254.0 [1/0] via 192.168.10.1, inside – dovla110010101 Oct 20 '16 at 08:31
  • One more thing, since I used VPN wizard to speed things up, instead of typing all the commands, I noticed that ASA has created this automatically: nat (inside,testConn) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
    is this OK or it might cause issues with VPN traffic tunneling?     – dovla110010101 Oct 20 '16 at 08:41
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/47112/discussion-between-hertitu-and-dovla091). – hertitu Oct 20 '16 at 09:16
  • Hi Hertitu, thank you for helping me. the route was missing, so now it works. Now I have one more problem with the VPN anyconnect, but probably with license: AnyConnect Premium Peers : 2 perpetual, AnyConnect Essentials : Disabled perpetual, Other VPN Peers : 10 perpetual and Total VPN Peers : 12 perpetual. What does it mean? it is bit confusing, does I have right to use only 2 connection via Any connect, and what is with total 12 VPN peers? Best regards – dovla110010101 Oct 27 '16 at 06:44
  • @dovla091: I know Anyconnect licensing has changed so my knowledge is not up to date. I know this means that (with Anyconnect 3.x) you can have 2 simultaneous AC connections (so you can have more than 2 users, but only 2 can connect at the same time). With Anyconnect 4.x things changed, I suggest you talk to a Cisco reseller to understand the possible options. Total 12 = 2 anyconnect + 10 "other", so in addition to your 2 AC connections you can also have 10 other vpn connections (e.g. l2tp/ipsec). – hertitu Oct 28 '16 at 07:06
  • Thanks mate, we are in process of ordering the license. At lest their network and fw is now working properly. Have a great weekend. – dovla110010101 Oct 28 '16 at 08:01
  • @dovla091: you're welcome, glad I could help. Have a nice one as well! – hertitu Oct 28 '16 at 08:20