Cisco ASA 5545-X (Routing) - AnyConnect connection and Internet work. Intranet (http and https) doesn't.
Hello everyone,
I have a problem with an ASA 5545-X. With an established VPN connection (from outside our IP range) I cannot reach our websites in the LAN address range. I can ping all of the addresses (DNS resolution works as well), but access in the browser (http + https) simply doesn't work.
All other sites on the Internet work once I have dialled into the network via AnyConnect. The users authenticate against our RADIUS server and are assigned an address from our address pool.
The routes should be fine too, I think, since I can ping everything. The traceroute output also looks good.
Does anyone perhaps have an idea what this could be? Unfortunately I can't find the error at the moment.
ASA Version 9.2(1)
!
hostname **********
domain-name anyconnect.uni-*******.de
enable password 2WLH8Q4ppJ2r7cR8 encrypted
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit tcp any6 any6
xlate per-session permit udp any6 any6 eq domain
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any4 any6
passwd FViwCES1DCeOTbKA encrypted
names
ip local pool 237 ***.250.237.2-***.250.237.249 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif Extern
security-level 100
ip address ***.250.184.209 255.255.255.240
ospf cost 10
!
interface GigabitEthernet0/1
nameif Intern
security-level 0
ip address ***.250.184.153 255.255.255.248
ospf cost 10
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address ***.16.1.71 255.255.255.0
!
boot system disk0:/asa921-smp-k8.bin
boot system disk0:/asa913-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup Extern
dns domain-lookup Intern
dns server-group DefaultDNS
name-server ***.250.1.7
name-server ***.250.3.10
domain-name anyconnect.uni-*******.de
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network uni-duisburg
subnet 134.91.0.0 255.255.0.0
object network uni-essen
subnet ***.250.0.0 255.255.0.0
object network vpn-netz
subnet ***.250.137.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group network uni-*******
network-object object uni-duisburg
network-object object uni-essen
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_8
protocol-object ip
protocol-object icmp
access-list Intern_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list Intern_access_out extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list Extern_access_out extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list Extern_access_out extended permit object-group DM_INLINE_PROTOCOL_6 object vpn-netz object-group uni-******* inactive
access-list Extern_access_out extended permit object-group DM_INLINE_PROTOCOL_8 object-group uni-******* object vpn-netz inactive
access-list Extern_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list Extern_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object vpn-netz object-group uni-******* inactive
access-list Extern_access_in extended permit object-group DM_INLINE_PROTOCOL_7 object-group uni-******* object vpn-netz inactive
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination management ***.16.1.249 9985
mtu Extern 1500
mtu Intern 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Intern
icmp permit any management
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Extern_access_in in interface Extern
access-group Extern_access_out out interface Extern
access-group Intern_access_in in interface Intern
access-group Intern_access_out out interface Intern
access-group global_access global
route Extern 0.0.0.0 0.0.0.0 ***.250.184.222 1
route Intern ***.250.0.0 255.255.0.0 ***.250.184.158 1
route Intern 134.91.0.0 255.255.0.0 ***.250.184.158 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS1 protocol radius
interim-accounting-update
aaa-server RADIUS1 (Intern) host ***.250.181.92
key *****
authentication-port 1812
accounting-port 1813
aaa-server RADIUS1 (Intern) host 134.91.4.162
key *****
authentication-port 1812
accounting-port 1813
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http ***.16.1.0 255.255.255.0 management
http ***.250.164.0 255.255.255.0 Intern
http redirect Extern 80
snmp-server host management ***.16.1.249 community ***** version 2c
snmp-server host management ***.16.1.253 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Extern_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Extern_map interface Extern
crypto map Intern_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Intern_map interface Intern
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=VPN1-1
keypair Test
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
crypto ca trustpoint VPN_UNI-*******_1
crl configure
crypto ca trustpoint VPN_UNI-*******_PRIVATE
crl configure
crypto ca trustpoint VPN_UNI_*******_1
keypair VPN_UNI_*******
crl configure
crypto ca trustpoint Test
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 705a5f52
quit
crypto ca certificate chain VPN_UNI_*******_1
certificate 17c7cd8ca97e8e
quit
crypto ca certificate chain Test
certificate 17c7cd8ca97e8e
quit
crypto ca certificate chain ASDM_TrustPoint3
certificate 17c7cd8ca97e8e
quit
crypto ca certificate chain ASDM_TrustPoint5
certificate 17c7cd8ca97e8e
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet ***.250.2.0 255.255.255.0 management
telnet timeout 5
ssh stricthostkeycheck
ssh ***.250.164.0 255.255.255.0 Extern
ssh ***.250.164.0 255.255.255.0 Intern
ssh ***.250.2.0 255.255.255.0 management
ssh ***.16.1.0 255.255.255.0 management
ssh ***.250.164.0 255.255.255.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server ***.250.184.185 source Intern prefer
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point VPN_UNI_*******_1 Extern
ssl trust-point VPN_UNI_*******_1 Intern
webvpn
enable Extern
enable Intern
anyconnect-essentials
anyconnect image disk0:/anyconnect-linux-64-3.1.05170-k9.pkg 5 regex "Linux"
anyconnect image disk0:/anyconnect-linux-3.1.05170-k9.pkg 6 regex "Linux"
anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 7 regex "Intel Mac OS X"
anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 8
anyconnect profiles VPN2_client_profile disk0:/VPN2_client_profile.xml
anyconnect profiles anyconnect_test2_client_profile disk0:/anyconnect_test2_client_profile.xml
anyconnect profiles anyconnect_test_client_profile disk0:/anyconnect_test_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy Web-VPN2 internal
group-policy Web-VPN2 attributes
wins-server none
dns-server value ***.250.184.130 ***.250.184.140
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value UNI-*******
webvpn
url-list none
group-policy DfltGrpPolicy attributes
dns-server value ***.250.1.7 ***.250.3.10
group-policy Web-VPN internal
group-policy Web-VPN attributes
vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
url-list none
group-policy GroupPolicy_VPN2 internal
group-policy GroupPolicy_VPN2 attributes
wins-server none
dns-server value ***.250.1.7 ***.250.3.10
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value anyconnect.uni-*******.de
webvpn
anyconnect keep-installer installed
anyconnect profiles value VPN2_client_profile type user
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value ***.250.1.7 ***.250.3.10
vpn-tunnel-protocol ikev2
default-domain value ciscovpn.uni-*******.de
username username password Dluz2MaMawAkH2q. encrypted privilege 15
username username attributes
vpn-group-policy Web-VPN2
username ***096 password plZYJRu2KNL1ZEpQ encrypted privilege 15
username ***096 attributes
vpn-group-policy Web-VPN2
tunnel-group Web-VPN type remote-access
tunnel-group Web-VPN general-attributes
default-group-policy Web-VPN
tunnel-group Web-VPN2 type remote-access
tunnel-group Web-VPN2 general-attributes
address-pool 237
default-group-policy Web-VPN2
tunnel-group VPN2 type remote-access
tunnel-group VPN2 general-attributes
address-pool 237
default-group-policy GroupPolicy_VPN2
tunnel-group VPN2 webvpn-attributes
group-alias VPN2 disable
tunnel-group UNI-******* type remote-access
tunnel-group UNI-******* general-attributes
address-pool 237
authentication-server-group RADIUS1
default-group-policy GroupPolicy_VPN2
tunnel-group UNI-******* webvpn-attributes
group-alias UNI-******* enable
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b15de7baad8d0c38e4f688e93573628f
: end
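Added example, not from the thread and not Cisco code: a small Python checker that parses the kind of running-config posted above and reports the facts a troubleshooter checks first when ping works through AnyConnect but TCP to the LAN does not (address pool versus object networks and static routes, security levels on the interface carrying the default route, and `no sysopt connection permit-vpn`). It works on a constructed excerpt of the config in which the masked first octet is replaced with 10 as a placeholder.

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config; the masked first octet
# (***) is replaced with 10 so the addresses parse. Placeholder values only.
SAMPLE_CONFIG = """\
ip local pool 237 10.250.237.2-10.250.237.249 mask 255.255.255.0
nameif Extern
security-level 100
nameif Intern
security-level 0
object network vpn-netz
subnet 10.250.137.0 255.255.255.0
route Extern 0.0.0.0 0.0.0.0 10.250.184.222 1
route Intern 10.250.0.0 255.255.0.0 10.250.184.158 1
no sysopt connection permit-vpn
"""

def parse_asa(cfg):
    """Collect the facts that matter for VPN-pool-to-LAN reachability."""
    f = {"pools": {}, "objects": {}, "levels": {}, "routes": [], "permit_vpn": True}
    ctx = None  # ("object", name) or ("iface", nameif) for the lines that follow
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)$", line):
            f["pools"][m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"object network (\S+)$", line):
            ctx = ("object", m[1])
        elif m := re.match(r"nameif (\S+)$", line):
            ctx = ("iface", m[1])
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)) and ctx and ctx[0] == "object":
            f["objects"][ctx[1]] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif (m := re.match(r"security-level (\d+)$", line)) and ctx and ctx[0] == "iface":
            f["levels"][ctx[1]] = int(m[1])
        elif m := re.match(r"route (\S+) (\S+) (\S+) \S+", line):
            f["routes"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)))
        elif line == "no sysopt connection permit-vpn":
            f["permit_vpn"] = False
    return f

def findings(f):
    """Return the points a troubleshooter should look at; empty means nothing stood out."""
    notes = []
    for name, pool in f["pools"].items():
        if pool not in f["objects"].values():
            notes.append(f"pool {name} ({pool}) equals no object network; ACL or NAT-exemption rules written against a VPN object will not match it")
        for iface, net in f["routes"]:
            if net.prefixlen and pool.subnet_of(net):
                notes.append(f"pool {name} lies inside static route {net} via {iface}; the LAN side must route the pool back to the ASA")
    default_if = next((i for i, n in f["routes"] if n.prefixlen == 0), None)
    if default_if and len(f["levels"]) > 1 and f["levels"].get(default_if) == max(f["levels"].values()):
        notes.append(f"default route leaves {default_if}, which has the highest security level {f['levels']}: inside/outside levels look inverted")
    if not f["permit_vpn"]:
        notes.append("no sysopt connection permit-vpn: decrypted VPN traffic is filtered by the interface ACLs, so check the access-groups on the VPN-facing interface")
    return notes

if __name__ == "__main__":
    for note in findings(parse_asa(SAMPLE_CONFIG)):
        print("-", note)
```

Run against the full posted config (with the masked octets restored) the same checks apply; the excerpt only keeps the lines the checks read.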
Content-Key: 242607
Url: https://administrator.de/contentid/242607
Hello first of all,
Line 495 still needs to be censored, I think.
Otherwise I would guess an access rule, or possibly the group assignment of the VPN connection(s). From line 451 onwards it looks like 2 VPN configurations (464. group-policy Web-VPN2 internal).
Sorry, but off the top of my head I can't spot the error either. I'm currently struggling a bit with VPNs over ASAs myself.
Regards,
Rubyous