VPN connection established, but cannot connect to the server?

The AnyConnect VPN connection is established, but cannot connect to the server. The server IP is 192.168.0.4

Thank you

ASA Version 8.2(1)
!
hostname ciscoasa5505
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 208.0.0.162 255.255.255.248
!
interface Vlan5
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.0.4
 name-server 208.0.0.11
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service TS-780 tcp-udp
 port-object eq 780
object-group service Graphon tcp-udp
 port-object eq 491
object-group service Allworx-2088 udp
 port-object eq 2088
object-group service allworx-15000 udp
 port-object range 15000 15511
object-group service allworx-2088 udp
 port-object eq 2088
object-group service allworx-5060 udp
 port-object eq sip
object-group service allworx-8081 tcp
 port-object eq 8081
object-group service web-allworx tcp
 port-object eq 8080
object-group service allworx udp
 port-object range 16001 16010
object-group service allworx-udp udp
 port-object range 16384 16393
object-group service remote tcp-udp
 port-object eq 779
object-group service billing1 tcp-udp
 port-object eq 8080
object-group service billing-1521 tcp-udp
 port-object eq 1521
object-group service billing-6233 tcp-udp
 port-object range 6233 6234
object-group service billing2-3389 tcp-udp
 port-object eq 3389
object-group service olivia-3389 tcp-udp
 port-object eq 3389
object-group service olivia-777 tcp-udp
 port-object eq 777
object-group network netgroup
 network-object host 192.168.0.15
 network-object host 192.168.0.4
object-group service allworx1 tcp-udp
 description 8080
 port-object eq 8080
object-group service allworx_15000 udp
 port-object range 15000 15511
object-group service allworx_16384 udp
 port-object range 16384 16393
object-group service DM_INLINE_UDP_1 udp
 group-object allworx_16384
 port-object range 16384 16403
object-group service allworx-5061 udp
 port-object range 5061 5062
object-group service ananit tcp-udp
 port-object eq 880
access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.164 object-group billing-6233
access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.164 object-group billing-1521
access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.164 object-group billing2-3389
access-list outside_access_in extended permit tcp any host 208.0.0.164 eq https
access-list outside_access_in extended permit tcp any host 208.0.0.164 eq www
access-list outside_access_in extended permit tcp any host 208.0.0.164 eq ftp
access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.164 object-group billing1
access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.162 eq domain
access-list outside_access_in extended permit tcp any host 208.0.0.162 eq www
access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.162 object-group remote
access-list outside_access_in extended permit tcp any host 208.0.0.162 eq smtp
access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.162 object-group olivia-777
access-list outside_access_in extended permit udp any host 208.0.0.162 object-group Allworx-2088 inactive
access-list outside_access_in extended permit udp any host 208.0.0.162 object-group allworx-5060 inactive
access-list outside_access_in extended permit tcp any host 208.0.0.162 object-group web-allworx inactive
access-list outside_access_in extended permit tcp any host 208.0.0.162 object-group allworx-8081 inactive
access-list outside_access_in extended permit udp any host 208.0.0.162 object-group allworx-15000 inactive
access-list outside_access_in extended permit udp any host 208.0.0.162 object-group DM_INLINE_UDP_1 inactive
access-list outside_access_in extended permit udp any host 208.0.0.162 object-group allworx-5061 inactive
access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.162 object-group ananit inactive
access-list outside_access_in extended deny ip host 151.1.68.194 host 208.0.0.164
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list Ping extended permit icmp any any echo-reply
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 1 standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging buffered notifications
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remote_pool 192.168.100.30-192.168.100.60 mask 255.255.255.0
ip local pool remote 192.168.0.20-192.168.0.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.0.0 255.255.255.0
alias (inside) 192.168.0.4 99.63.129.65 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.0.4 smtp netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.0.4 domain netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.0.4 www netmask 255.255.255.255
static (inside,outside) tcp interface 777 192.168.0.15 777 netmask 255.255.255.255
static (inside,outside) tcp interface 779 192.168.0.4 779 netmask 255.255.255.255
static (inside,outside) udp interface domain 192.168.0.4 domain netmask 255.255.255.255
static (inside,outside) tcp interface 880 192.168.0.16 880 netmask 255.255.255.255
static (inside,outside) tcp 208.0.0.164 3389 192.168.0.185 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 208.0.0.161 1
route inside 192.168.50.0 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.0.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 108.0.0.97
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 69.0.0.54
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime none
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime none
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface dmz
dhcpd auto_config outside
!
dhcpd address 192.168.0.20-192.168.0.50 inside
dhcpd dns 192.168.0.4 208.0.0.11 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
group-policy anyconnect internal
group-policy anyconnect attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list none
  svc ask enable
username olivia password Zta1M8bCsJst9NAs encrypted
username graciela password CdnZ0hm9o72q6Ddj encrypted
tunnel-group 69.0.0.54 type ipsec-l2l
tunnel-group 69.0.0.54 ipsec-attributes
 pre-shared-key *
tunnel-group 108.0.0.97 type ipsec-l2l
tunnel-group 108.0.0.97 ipsec-attributes
 pre-shared-key *
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
 address-pool remote
 default-group-policy anyconnect
tunnel-group anyconnect webvpn-attributes
 group-alias anyconnect enable
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect icmp
!
service-policy global-policy global
asdm location 208.0.0.164 255.255.255.255 inside
asdm location 192.168.0.15 255.255.255.255 inside
asdm location 192.168.50.0 255.255.255.0 inside
asdm location 192.168.1.0 255.255.255.0 inside
no asdm history enable
: end

Right now your nat 0 (NAT exemption) access list is:

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

Return traffic from your server 192.168.0.4 to the VPN pool (192.168.0.20-50) does not match this access list and will therefore be NATted. The TCP connection will not build up because of the Reverse Path Forwarding (RPF) failure: the traffic is asymmetrically NATted.

So try adding an entry to the access list such as:

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0

It is a bit paradoxical, but necessary, because your VPN pool is carved out of your inside network. You could also do as André suggests below and use a separate network, but you would still have to add an access list entry to exempt the outbound traffic from NAT.
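To make the NAT-exemption argument above checkable, here is an added example (not part of the original thread) that parses the nat 0 access list quoted in the answer with a small Python helper and lists the pool addresses for which the server's return traffic still misses the list, before and after the suggested entry. The ACL lines, the server address and the pool range are taken from the post; the parser itself is a hypothetical helper that understands only the "permit ip" form shown and checks flows in the direction the ACE is written (source, then destination). It is not an ASA tool and does not model the rest of the NAT policy.

```python
import ipaddress
import re

# Constructed input: the nat 0 access list quoted in the answer, before the fix.
NAT0_BEFORE = """
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# Constructed input: the same list with the entry the answer suggests appended.
NAT0_AFTER = NAT0_BEFORE + """
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
"""

SERVER = "192.168.0.4"                    # inside server from the post
POOL = ("192.168.0.20", "192.168.0.50")   # "ip local pool remote" range from the post

# Hypothetical parser for one ASA 8.2 ACE form only:
#   access-list NAME extended permit ip SRC DST
# where SRC/DST is "any", "host A.B.C.D" or "A.B.C.D MASK". Not a full ACL parser.
_ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)


def _network(token):
    """Turn an ACE address token into an ipaddress network."""
    parts = token.split()
    if parts == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, mask = parts
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(config_text, name):
    """Return the permit-ip ACEs of access-list `name` as (src_net, dst_net) tuples, in order."""
    aces = []
    for raw in config_text.strip().splitlines():
        m = _ACE_RE.match(raw.strip())
        if m and m.group("name") == name:
            aces.append((_network(m.group("src")), _network(m.group("dst"))))
    return aces


def nat0_exempt(aces, src, dst):
    """True if the src->dst flow hits an ACE, i.e. nat (inside) 0 exempts it from translation."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in aces)


def pool_addresses(first, last):
    """Expand an inclusive address range such as an ASA "ip local pool" range."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


def natted_return_flows(config_text, server, pool):
    """Pool addresses for which the server's return traffic misses the nat 0 list (and is NATted)."""
    aces = parse_acl(config_text, "inside_nat0_outbound")
    return [ip for ip in pool_addresses(*pool) if not nat0_exempt(aces, server, ip)]


if __name__ == "__main__":
    for label, text in (("before fix", NAT0_BEFORE), ("after fix", NAT0_AFTER)):
        missing = natted_return_flows(text, SERVER, POOL)
        print(f"{label}: {len(missing)} pool address(es) still NATted", missing[:3], "...")
```

With the two original entries every one of the 31 pool addresses falls outside the exempted destinations, so the server's replies are translated; once the 192.168.0.0/24 to 192.168.0.0/24 entry is present the list is empty. The same helper can be pointed at a different pool range to check the separate-network variant André proposes.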
