edgar.tob

Cisco ASA 5545-X (Routing) - AnyConnect connection and Internet work. Intranet (http and https) does not.

Hello everyone,

I have a problem with an ASA 5545-X. With an established VPN connection (from outside our IP range) I cannot reach our web pages in the LAN address range. I can ping all of the addresses (DNS resolution works as well), but access from the browser (http + https) just does not work.
All other sites on the Internet work once I have dialled into the network via AnyConnect. The users authenticate against our RADIUS server and are assigned an address from our address pool.

The routes should be fine too, I think, since I can ping everything. The traceroute output looks good as well.

Does anyone have an idea what this could be? At the moment I just cannot find the error.


ASA Version 9.2(1) 
!
hostname **********
domain-name anyconnect.uni-*******.de
enable password 2WLH8Q4ppJ2r7cR8 encrypted
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit tcp any6 any6
xlate per-session permit udp any6 any6 eq domain
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any4 any6
passwd FViwCES1DCeOTbKA encrypted
names
ip local pool 237 ***.250.237.2-***.250.237.249 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif Extern
 security-level 100
 ip address ***.250.184.209 255.255.255.240 
 ospf cost 10
!
interface GigabitEthernet0/1
 nameif Intern
 security-level 0
 ip address ***.250.184.153 255.255.255.248 
 ospf cost 10
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address ***.16.1.71 255.255.255.0 
!
boot system disk0:/asa921-smp-k8.bin
boot system disk0:/asa913-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup Extern
dns domain-lookup Intern
dns server-group DefaultDNS
 name-server ***.250.1.7
 name-server ***.250.3.10
 domain-name anyconnect.uni-*******.de
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network uni-duisburg
 subnet 134.91.0.0 255.255.0.0
object network uni-essen
 subnet ***.250.0.0 255.255.0.0
object network vpn-netz
 subnet ***.250.137.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group network uni-*******
 network-object object uni-duisburg
 network-object object uni-essen
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_7
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_8
 protocol-object ip
 protocol-object icmp
access-list Intern_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any 
access-list Intern_access_out extended permit object-group DM_INLINE_PROTOCOL_4 any any 
access-list Extern_access_out extended permit object-group DM_INLINE_PROTOCOL_2 any any 
access-list Extern_access_out extended permit object-group DM_INLINE_PROTOCOL_6 object vpn-netz object-group uni-******* inactive 
access-list Extern_access_out extended permit object-group DM_INLINE_PROTOCOL_8 object-group uni-******* object vpn-netz inactive 
access-list Extern_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any 
access-list Extern_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object vpn-netz object-group uni-******* inactive 
access-list Extern_access_in extended permit object-group DM_INLINE_PROTOCOL_7 object-group uni-******* object vpn-netz inactive 
access-list global_access extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination management ***.16.1.249 9985
mtu Extern 1500
mtu Intern 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Intern
icmp permit any management
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Extern_access_in in interface Extern
access-group Extern_access_out out interface Extern
access-group Intern_access_in in interface Intern
access-group Intern_access_out out interface Intern
access-group global_access global
route Extern 0.0.0.0 0.0.0.0 ***.250.184.222 1
route Intern ***.250.0.0 255.255.0.0 ***.250.184.158 1
route Intern 134.91.0.0 255.255.0.0 ***.250.184.158 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS1 protocol radius
 interim-accounting-update
aaa-server RADIUS1 (Intern) host ***.250.181.92
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server RADIUS1 (Intern) host 134.91.4.162
 key *****
 authentication-port 1812
 accounting-port 1813
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http ***.16.1.0 255.255.255.0 management
http ***.250.164.0 255.255.255.0 Intern
http redirect Extern 80
snmp-server host management ***.16.1.249 community ***** version 2c
snmp-server host management ***.16.1.253 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Extern_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Extern_map interface Extern
crypto map Intern_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Intern_map interface Intern
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=VPN1-1
 keypair Test
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 enrollment terminal
 crl configure
crypto ca trustpoint VPN_UNI-*******_1
 crl configure
crypto ca trustpoint VPN_UNI-*******_PRIVATE
 crl configure
crypto ca trustpoint VPN_UNI_*******_1
 keypair VPN_UNI_*******
 crl configure
crypto ca trustpoint Test
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 enrollment terminal
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 705a5f52
    30820331 30820219 a0030201 02020470 5a5f5230 0d06092a 864886f7 0d010105 
    05003028 310f300d 06035504 03130656 504e312d 31311530 1306092a 864886f7 
    0d010902 16065650 4e312d31 301e170d 31333131 31333131 34373435 5a170d32 
        [truncated]
    be6402e7 c1bb7b0e 058cce75 d3ff99e1 cb0d99ea 8e93321d 409898b6 a8c16228 
    86b3af2b 21f5a391 fba40ae6 8ce4c114 7ff067b0 27
  quit
crypto ca certificate chain VPN_UNI_*******_1
 certificate 17c7cd8ca97e8e
    30820758 30820640 a0030201 02020717 c7cd8ca9 7e8e300d 06092a86 4886f70d 
    01010b05 003081c6 310b3009 06035504 06130244 45312430 22060355 040a131b 
    556e6976 65727369 74616574 20447569 73627572 672d4573 73656e31 35303306 
    0355040b ***c5a65 6e747275 6d206675 65722049 6e666f72 6d617469 6f6e732d 
        [truncated]
   
    8d0694dd c7b87559 8d0fb36f cb6ea1b0 341937e3 6173adea 6db47324 a55334ad 
    9a699d2d 6ec5cc63 9ee03e2d 982e82dc 8e40c554 3de33368 f97169b5
  quit
crypto ca certificate chain Test
 certificate 17c7cd8ca97e8e
    30820758 30820640 a0030201 02020717 c7cd8ca9 7e8e300d 06092a86 4886f70d 
    01010b05 003081c6 310b3009 06035504 06130244 45312430 22060355 040a131b 
        [truncated]
    6404fe05 3276b873 6caafa3f b1f6e9d0 cf988b0d 665e1d8b 28d44e9b 300a39da 
    8d0694dd c7b87559 8d0fb36f cb6ea1b0 341937e3 6173adea 6db47324 a55334ad 
    9a699d2d 6ec5cc63 9ee03e2d 982e82dc 8e40c554 3de33368 f97169b5
  quit
crypto ca certificate chain ASDM_TrustPoint3
 certificate 17c7cd8ca97e8e
    30820758 30820640 a0030201 02020717 c7cd8ca9 7e8e300d 06092a86 4886f70d 
    01010b05 003081c6 310b3009 06035504 06130244 45312430 22060355 040a131b 
    [truncated]
    8d0694dd c7b87559 8d0fb36f cb6ea1b0 341937e3 6173adea 6db47324 a55334ad 
    9a699d2d 6ec5cc63 9ee03e2d 982e82dc 8e40c554 3de33368 f97169b5
  quit
crypto ca certificate chain ASDM_TrustPoint5
 certificate 17c7cd8ca97e8e
    30820758 30820640 a0030201 02020717 c7cd8ca9 7e8e300d 06092a86 4886f70d 
    01010b05 003081c6 310b3009 06035504 06130244 45312430 22060355 040a131b 
        [truncated]
    6404fe05 3276b873 6caafa3f b1f6e9d0 cf988b0d 665e1d8b 28d44e9b 300a39da 
    8d0694dd c7b87559 8d0fb36f cb6ea1b0 341937e3 6173adea 6db47324 a55334ad 
    9a699d2d 6ec5cc63 9ee03e2d 982e82dc 8e40c554 3de33368 f97169b5
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet ***.250.2.0 255.255.255.0 management
telnet timeout 5
ssh stricthostkeycheck
ssh ***.250.164.0 255.255.255.0 Extern
ssh ***.250.164.0 255.255.255.0 Intern
ssh ***.250.2.0 255.255.255.0 management
ssh ***.16.1.0 255.255.255.0 management
ssh ***.250.164.0 255.255.255.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server ***.250.184.185 source Intern prefer
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point VPN_UNI_*******_1 Extern
ssl trust-point VPN_UNI_*******_1 Intern
webvpn
 enable Extern
 enable Intern
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-linux-64-3.1.05170-k9.pkg 5 regex "Linux"  
 anyconnect image disk0:/anyconnect-linux-3.1.05170-k9.pkg 6 regex "Linux"  
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 7 regex "Intel Mac OS X"  
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 8
 anyconnect profiles VPN2_client_profile disk0:/VPN2_client_profile.xml
 anyconnect profiles anyconnect_test2_client_profile disk0:/anyconnect_test2_client_profile.xml
 anyconnect profiles anyconnect_test_client_profile disk0:/anyconnect_test_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy Web-VPN2 internal
group-policy Web-VPN2 attributes
 wins-server none
 dns-server value ***.250.184.130 ***.250.184.140
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value UNI-*******
 webvpn
  url-list none
group-policy DfltGrpPolicy attributes
 dns-server value ***.250.1.7 ***.250.3.10
group-policy Web-VPN internal
group-policy Web-VPN attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  url-list none
group-policy GroupPolicy_VPN2 internal
group-policy GroupPolicy_VPN2 attributes
 wins-server none
 dns-server value ***.250.1.7 ***.250.3.10
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value anyconnect.uni-*******.de
 webvpn
  anyconnect keep-installer installed
  anyconnect profiles value VPN2_client_profile type user
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 wins-server none
 dns-server value ***.250.1.7 ***.250.3.10
 vpn-tunnel-protocol ikev2 
 default-domain value ciscovpn.uni-*******.de
username username password Dluz2MaMawAkH2q. encrypted privilege 15
username username attributes
 vpn-group-policy Web-VPN2
username ***096 password plZYJRu2KNL1ZEpQ encrypted privilege 15
username ***096 attributes
 vpn-group-policy Web-VPN2
tunnel-group Web-VPN type remote-access
tunnel-group Web-VPN general-attributes
 default-group-policy Web-VPN
tunnel-group Web-VPN2 type remote-access
tunnel-group Web-VPN2 general-attributes
 address-pool 237
 default-group-policy Web-VPN2
tunnel-group VPN2 type remote-access
tunnel-group VPN2 general-attributes
 address-pool 237
 default-group-policy GroupPolicy_VPN2
tunnel-group VPN2 webvpn-attributes
 group-alias VPN2 disable
tunnel-group UNI-******* type remote-access
tunnel-group UNI-******* general-attributes
 address-pool 237
 authentication-server-group RADIUS1
 default-group-policy GroupPolicy_VPN2
tunnel-group UNI-******* webvpn-attributes
 group-alias UNI-******* enable
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:b15de7baad8d0c38e4f688e93573628f
: end
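Read with a reviewer's eye rather than for the routing question, the posted configuration contains several settings a hardening pass would flag: the interface security levels are the reverse of the usual convention (Extern 100, Intern 0), the interface ACLs and the global ACL permit ip any any, the IKE/IPsec proposals still include DES, 3DES and MD5 and Diffie-Hellman groups 2 and 5, Telnet and SNMPv2c are enabled for management, SSH negotiates dh-group1-sha1, and the console never times out. The script below is an added example, not code from the thread or from Cisco, that audits an ASA running-config for exactly these patterns. The embedded sample is a constructed excerpt of the posted config with the masked octets kept as `***`; the rule names, the interface-name heuristics and the remediation hints are the example's own assumptions.

```python
"""Static audit of a Cisco ASA running-config for the weak or inverted settings
visible in the configuration posted above.  Added example, not part of the
thread; the rules encode general ASA hardening guidance, not a diagnosis."""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the posted config, masked octets kept as "***".
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Extern
 security-level 100
interface GigabitEthernet0/1
 nameif Intern
 security-level 0
access-list global_access extended permit ip any any
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet ***.250.2.0 255.255.255.0 management
ssh key-exchange group dh-group1-sha1
snmp-server host management ***.16.1.249 community ***** version 2c
console timeout 0
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    lineno: int
    text: str


# Rules matched against each whitespace-stripped line of the config.
LINE_RULES = {
    "weak-cipher": re.compile(r"\b(esp-des|esp-3des|esp-md5-hmac|encryption (des|3des))\b"),
    "weak-dh-group": re.compile(r"^group( \d+)*( [125])( \d+)*$"),  # IKE policy DH groups 1/2/5
    "obsolete-ike-auth": re.compile(r"^authentication crack$"),
    "telnet-enabled": re.compile(r"^telnet \S+ \S+ \S+$"),  # telnet <net> <mask> <ifc>
    "weak-ssh-kex": re.compile(r"^ssh key-exchange group dh-group1-sha1$"),
    "snmp-v2c": re.compile(r"^snmp-server .*\bversion 2c\b"),
    "console-no-timeout": re.compile(r"^console timeout 0$"),
    "weak-tls-cipher": re.compile(r"^ssl encryption .*\b3des-sha1\b"),
    "acl-permit-any-any": re.compile(r"^access-list \S+ extended permit (ip|object-group \S+) any any$"),
    "vpn-traffic-acl-filtered": re.compile(r"^no sysopt connection permit-vpn$"),
}

# Remediation hints in the example's own wording (assumption, not Cisco documentation text).
REMEDIATION = {
    "security-level-inverted": "security-level 0 on the outside interface, 100 on the inside",
    "weak-cipher": "keep only AES with SHA integrity in transform sets, proposals and IKE policies",
    "weak-dh-group": "use DH group 14 or higher",
    "obsolete-ike-auth": "remove the IKEv1 policies that use CRACK authentication",
    "telnet-enabled": "remove the telnet line; manage over SSH only",
    "weak-ssh-kex": "ssh key-exchange group dh-group14-sha1",
    "snmp-v2c": "SNMPv3 with authentication and privacy, or disable SNMP",
    "console-no-timeout": "console timeout <minutes>",
    "weak-tls-cipher": "drop 3des-sha1 from ssl encryption",
    "acl-permit-any-any": "replace any/any with explicit source, destination and service entries",
    "vpn-traffic-acl-filtered": "informational: decrypted VPN traffic must be permitted by the interface ACLs",
}

# Heuristic: which nameif strings denote the untrusted and the trusted side (assumption).
OUTSIDE = re.compile(r"extern|outside", re.I)
INSIDE = re.compile(r"intern|inside", re.I)


def _interfaces(lines):
    """Return (nameif, security-level, line number of the level) for each interface block."""
    blocks, cur = [], None
    for ln, raw in enumerate(lines, 1):
        if raw.startswith("interface "):
            cur = {"name": None, "level": None, "lineno": ln}
            blocks.append(cur)
        elif cur is not None and raw.startswith(" "):
            tok = raw.split()
            if tok and tok[0] == "nameif":
                cur["name"] = tok[1]
            elif tok and tok[0] == "security-level":
                cur["level"], cur["lineno"] = int(tok[1]), ln
        else:
            cur = None  # an unindented line ends the interface block
    return [(b["name"], b["level"], b["lineno"]) for b in blocks
            if b["name"] and b["level"] is not None]


def _security_level_findings(lines):
    """Flag an outside-style interface whose level is not below every inside-style one."""
    ifaces = _interfaces(lines)
    inside = [lvl for name, lvl, _ in ifaces if INSIDE.search(name)]
    if not inside:
        return []
    return [Finding("security-level-inverted", ln,
                    f"{name} security-level {lvl} is not below inside level {min(inside)}")
            for name, lvl, ln in ifaces if OUTSIDE.search(name) and lvl >= min(inside)]


def audit(config: str) -> list:
    """Return all findings for a running-config, ordered by line number."""
    lines = config.splitlines()
    findings = [Finding(rule, ln, raw.strip())
                for ln, raw in enumerate(lines, 1)
                for rule, pat in LINE_RULES.items() if pat.search(raw.strip())]
    findings.extend(_security_level_findings(lines))
    return sorted(findings, key=lambda f: (f.lineno, f.rule))


def rule_names(findings) -> list:
    return sorted({f.rule for f in findings})


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.lineno:3d} {f.rule:26s} {f.text}\n    fix: {REMEDIATION[f.rule]}")
```

Two points in the posted config bear on the symptom in the question. With `no sysopt connection permit-vpn`, decrypted AnyConnect traffic is checked against the interface ACLs, so here it is the `permit ip any any` entries that let it through at all; tightening those ACLs later needs matching entries for the VPN pool. And the ASA tracks TCP statefully but, without `inspect icmp`, forwards ICMP echo and echo-reply statelessly as plain ACL-permitted packets, so a return path that does not pass back through the same connection entry breaks HTTP while ping keeps working; `show conn address <vpn-client-ip>` (do the connections get past the SYN?) and `show asp drop` (which drop counters increase?) on the ASA narrow that down. The object `vpn-netz` (…137.0/24) also does not match the address pool `237` (…237.2-249), although the ACEs that reference it are marked inactive.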

Url: https://administrator.de/contentid/242607

Member: Rubyous
Rubyous Jul 03, 2014 at 13:54:29 (UTC)
Hello first of all,

Line 495 still needs to be censored, I think.
Otherwise I would guess an access rule, or possibly the group assignment of the VPN connection(s). From line 451 on it looks like 2 VPN configurations (464. group-policy Web-VPN2 internal).

Sorry, but off the top of my head I cannot spot the error either. I am currently struggling a bit with VPNs on ASAs myself.

Regards,

Rubyous
Member: edgar.tob
edgar.tob Jul 07, 2014 at 13:46:16 (UTC)
Resolved for now. I tweaked the routing a bit more. Now the box works for the time being.