dovla110010101's questions -server

dovla110010101

Asked: 2019-05-21 03:49:59 +0800 CST

changing password - issue with ldap update

0

I have set directory 389 and 1 server to be client for testing authentication of users, etc.

For installation of Directory I have used this tutorial:

Install And Configure LDAP Server In CentOS 7

For installing client I have used this tutorial: How to Install Configure LDAP Client for 389 Directory Server

Now ds-389 and client authentication works, but when I try to change password of ldap user I get some weird message:

May 20 13:40:55 server passwd: pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd May 20 13:41:06 server passwd: pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd May 20 13:41:06 server passwd: pam_ldap(passwd:chauthtok): password change failed: password change failed: Confidentiality required; user=test May 20 13:41:06 server passwd: gkr-pam: couldn't change password for the login keyring: the passwords didn't match. May 20 13:41:06 server passwd: gkr-pam: stopped the daemon

Does anyone know what can be the problem? my pam config looks like this:

password-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

dovla110010101

Asked: 2019-05-04 02:36:08 +0800 CST

OpenVPN revoke user - CRL verify issues

4

I have configured my OpenVPN and it is working properly so far. Lately I had to revoke one certificate and after using easy-rsa revoke-full, I saw that in index.txt that specific user has been revoked. I also noticed that crl.pem has new timestamp so it was updated indeed. The problem started after 1 month that all users were blocked as I had in server.conf line added to verify-crl and path to crl.pem

#CRL-VERIFY - for revoking users
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem

So my question is, if I used easy-rsa 2.x script revoke-full and I can see that index has marked this specific certificate to be revoked. If I also found that time stamp of /keys/crl.pem is current time stamp, and after I restarted openvpn service (for the good measure), how come that it is still getting blocked.

Sure I can remove verify-crl, but that is not the point.

Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: XXXXXXXXXXXXXXXX
        Issuer: /C=DE/ST=xxxxxx/L=xxxxxx/O=xxxxxxxxxx/OU=xxxxxxxxxx/CN=xxxxxxxxxx/emailAddress=lol@xxxxxxxxxx
        Last Update: May  1 07:10:34 2019 GMT
        Next Update: May 31 07:10:34 2019 GMT
Revoked Certificates:
    Serial Number: 0B
        Revocation Date: Mar 29 19:37:51 2019 GMT

I can see that next update is scheduled for 31.May, so I would like to know step by step procedure how to revoke certificate, perhaps I missed something.

dovla110010101

Asked: 2016-12-02 00:32:10 +0800 CST

Stastic NAT with multiple WANs - internet connectivity issue

0

I am having an issue with my ASA. I have set multiple WAN and static NAT in ASA. I can get via specific ports from those WAN addresses to my server, but I am having issue with internet connectivity. I cannot browse from that server to outside. What am I missing?

   : Saved

: 
: Serial Number: XXXXXXXXX
: Hardware:   ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
: Written by enable_15 at 22:59:07.919 GMT Wed Nov 30 2016
!
ASA Version 9.6(1) 
!
hostname HC-ClientASA
enable password xxxxxxxxxxxxxxxxxx encrypted
names
ip local pool Test_DHCP_VPN 10.20.30.0-10.20.30.100 mask 255.255.255.0

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.74 255.255.255.248 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 description WAN for ServerTV
 nameif ServerTV
 security-level 80
 ip address 192.168.96.1 255.255.255.0 
!
interface GigabitEthernet1/5
 description GuestWiFi interface for Access poitns
 nameif GuestWiFi
 security-level 100
 ip address 172.16.64.1 255.255.248.0 
!
interface GigabitEthernet1/6
 description Parking interface To Server
 nameif ParkingInterface
 security-level 100
 ip address 172.16.17.1 255.255.255.0 
!
interface GigabitEthernet1/7
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 description Old WAN Interface
 nameif WAN_OLD
 security-level 0
 ip address xxx.xxx.xxx.137 255.255.255.252 
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network OLD_GW
 host xxx.xxx.xxx.138
 description Old GW Interface
object network GuestWiFi_NAT_OLD
 subnet 172.16.64.0 255.255.248.0
 description GuestWiFi OLD WAN
object network NEW_GW
 host xxx.xxx.xxx.73
 description Telia New Gateway
object network TestGw
 subnet 192.168.1.0 255.255.255.0
 description Test NAT
object network VPN_POOL_10.20.30.0
 subnet 10.20.30.0 255.255.255.128
 description VPN Pool
object network GuestWiFiNAT
 subnet 172.16.64.0 255.255.248.0
 description NAT for guestWiFi
object network inside_NAT_OLD
 subnet 192.168.1.0 255.255.255.0
 description Inside OLD WAN
object network ParkingSystem
 subnet 172.16.17.0 255.255.255.0
 description Parking system NAT
object network ParkingSystem_NAT_OLD
 subnet 172.16.17.0 255.255.255.0
 description Parking S OLD WAN
object network ParkingSystemServers
 subnet xxx.xxx.xxx.0 255.255.255.0
 description Public WAN from Parking System
object network ParkingSystemSubnet
 subnet 172.16.17.0 255.255.255.0
 description Parking System Subnet
object network GuestWiFi
 subnet 172.16.64.0 255.255.248.0
 description GuestWiFi object
object network ParkingServer1
 host 172.16.17.3
 description ParkingServer1
object network ParkingServer2
 host 172.16.17.4
 description Parking server 2
object service TCP_Parking_771
 service tcp source eq 771 
 description Port for Parking server1
object service TCP_Parking_771_U
 service udp source eq 771 
 description Port for parking server UDP
object service TCP_Parking2_9100
 service tcp source eq 9100 
 description Parking for server 2 TCP
object service TCP_Parking2_9100_U
 service udp source eq 9100 
 description TCP_Parking2_9100_UDP
object network TestLabNAT
 subnet 192.168.1.0 255.255.255.0
 description TestLab NAT
object network GuestWiFiLAB
 subnet 172.16.64.0 255.255.248.0
object network ParkingInterfaceLAB
 subnet 172.16.17.0 255.255.255.0
 description Test Lab interface
object network ServerInternet
 subnet 192.168.96.0 255.255.255.0
 description Server Internet In
object network ServerTVLab
 subnet 192.168.96.0 255.255.255.0
 description Test Lab
object network ServerTV_OLD
 subnet 192.168.96.0 255.255.255.0
object network ServerServer
 host 192.168.96.2
 description ConnectionToServer
object network NETWORK_OBJ_10.20.30.0_25
 subnet 10.20.30.0 255.255.255.128
object network Parking
 subnet 172.16.17.0 255.255.255.0
object network ParkingNAT
 subnet 172.16.17.0 255.255.255.0
object network ParkingSystems
 host xxx.xxx.xxx.120
object network ParkingInterfaceOLD_WAN
 subnet 172.16.17.0 255.255.255.0
object network Server1
 subnet 192.168.96.0 255.255.255.0
object network Server2
 host 192.168.96.2
object service iPerfServer
 service tcp source eq 5001 
object network ServerNet
 subnet 192.168.96.0 255.255.255.0
object network WAN2
 host xxx.xxx.xxx.75
object network ServerTV2
 host 192.168.96.2
object network HostNatToOutside
 subnet 192.168.96.0 255.255.255.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group service ParkingObj tcp-udp
 port-object eq 771
 port-object eq 9100
object-group service ParkingPortsNAT tcp-udp
 description OpenPortsForParking
 port-object eq 771
 port-object eq 9100
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group icmp-type DM_INLINE_ICMP_4
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp destination eq 4500 
 service-object tcp-udp destination eq 500 
 service-object tcp-udp destination eq 5001 
 service-object tcp-udp destination eq 8090 
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
 service-object udp destination eq snmp 
object-group network DM_INLINE_NETWORK_6
 network-object object ParkingServer1
 network-object object ParkingServer2
object-group service NOC_Auth tcp-udp
 port-object eq 8090
object-group service VPN_IPSec tcp-udp
 port-object eq 4500
 port-object eq 500
object-group service iPerf tcp-udp
 port-object eq 5001
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 
access-list inside_access_in extended permit object-group TCPUDP any any eq domain 
access-list inside_access_in extended permit ip any any 
access-list Test_Guest remark GuestWiFi network
access-list Test_Guest standard permit 172.16.64.0 255.255.248.0 
access-list Test_Guest remark ParkingNetwork
access-list Test_Guest standard permit 172.16.17.0 255.255.255.0 
access-list Test_Guest standard permit 192.168.96.0 255.255.255.0 
access-list Test_Guest standard permit 192.168.1.0 255.255.255.0 
access-list GuestWiFi_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 
access-list GuestWiFi_access_in extended permit object-group TCPUDP any any eq domain 
access-list GuestWiFi_access_in extended permit ip any any 
access-list ParkingInterface_access_in extended permit object-group TCPUDP any any object-group ParkingObj 
access-list ParkingInterface_access_in extended permit object-group TCPUDP any any eq domain 
access-list ParkingInterface_access_in extended permit ip any any 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object ServerServer 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any echo 
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq https 
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq ssh 
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 8090 
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 8090 
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq snmp 
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 5001 
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 5001 
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 500 
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 4500 
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 4500 
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq isakmp 
access-list ServerTVAccessList extended permit icmp any any echo-reply 
access-list ServerTV_access_in extended permit icmp any any object-group DM_INLINE_ICMP_4 
access-list ServerTV_access_in extended permit object-group TCPUDP any any eq domain 
access-list ServerTV_access_in extended permit ip any any 
access-list WAN_OLD_access_in extended permit object-group TCPUDP xxx.xxx.xxx.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group ParkingPortsNAT 
access-list WAN_OLD_access_in extended permit ip object ParkingSystems object ParkingSystemSubnet 
access-list WAN_OLD_access_in extended permit ip any object ParkingSystemSubnet 
access-list WAN_OLD_access_in extended permit ip any any inactive 
access-list WAN_OLD_access_in extended permit icmp any any echo-reply 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu ServerTV 1500
mtu GuestWiFi 1500
mtu ParkingInterface 1500
mtu WAN_OLD 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any GuestWiFi
icmp permit any ParkingInterface
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static VPN_POOL_10.20.30.0 VPN_POOL_10.20.30.0 no-proxy-arp route-lookup
nat (ParkingInterface,WAN_OLD) source static ParkingServer1 interface service any TCP_Parking_771
nat (ParkingInterface,WAN_OLD) source static ParkingServer1 interface service any TCP_Parking_771_U
nat (ParkingInterface,WAN_OLD) source static ParkingServer2 interface service any TCP_Parking2_9100
nat (ParkingInterface,WAN_OLD) source static ParkingServer2 interface service any TCP_Parking2_9100_U
!
object network GuestWiFi_NAT_OLD
 nat (GuestWiFi,WAN_OLD) dynamic interface dns
object network inside_NAT_OLD
 nat (inside,WAN_OLD) dynamic interface dns
object network ServerServer
 nat (ServerTV,outside) static interface
object network ParkingInterfaceOLD_WAN
 nat (ParkingInterface,WAN_OLD) dynamic interface dns
object network ServerTV2
 nat (ServerTV,outside) static WAN2
access-group ServerTVAccessList in interface outside
access-group inside_access_in in interface inside
access-group ServerTV_access_in in interface ServerTV
access-group GuestWiFi_access_in in interface GuestWiFi
access-group ParkingInterface_access_in in interface ParkingInterface
access-group WAN_OLD_access_in in interface WAN_OLD
route WAN_OLD 0.0.0.0 0.0.0.0 xxx.xxx.xxx.138 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.73 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.64.0 255.255.248.0 GuestWiFi
http 10.20.30.0 255.255.255.0 GuestWiFi
http 172.16.17.0 255.255.255.0 ParkingInterface
http 192.168.96.0 255.255.255.0 ServerTV
http xxx.xxx.xxx.72 255.255.255.248 outside
http xxx.xxx.xxx.136 255.255.255.252 WAN_OLD
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map WAN_OLD_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_OLD_map interface WAN_OLD
crypto map TestLab_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=HC-ClientASA
 keypair HC_Client_Odense
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 50de3358
    30820551 30820339 a0030201 02020450 de335830 0d06092a 864886f7 0d010105 
    05003038 31173015 06035504 03130e48 432d416e 64657273 656e4153 41311d30 
    1b06092a 864886f7 0d010902 160e4843 2d416e64 65727365 6e415341 301e170d 
    31363131 32323039 34353430 5a170d32 36313132 30303934 3534305a 30383117 
    30150603 55040313 0e48432d 416e6465 7273656e 41534131 1d301b06 092a8648 
    86f70d01 0902160e 48432d41 6e646572 73656e41 53413082 0222300d 06092a86 
    4886f70d 01010105 00038202 0f003082 020a0282 0201009b bf07918b 21978e37 
    0a517ac1 5d1eb7a3 1dca77f7 054b0615 7a85096b 87b3d32f b86e61b5 78fa6364 
    08d932b7 2e73d1a9 1acdef89 a5cf7dd2 a9dfa34c b5086cd2 6f954b83 680c5fcc 
    dee06f08 7030ff8d 729458e4 59780d58 ae72b300 4a0b2e7a ac608cb7 cd5ce92a 
    39184d2e 3a7fd589 8ddbea50 bb4100a7 58dbc795 011181ae 34a92ba3 21a3d844 
    4ba72a10 2ce287e9 586dedbd 25b82e69 fd400b6f ce7de623 54a079f3 d0d096cb 
    fa2e69b7 1269aa84 ac5ed471 e2604897 aea282ca 27bb86b3 d3a78ac1 d8fcfc84 
    0e62f59f 71878e7d 0d6d052f e4fd7d90 374dc860 a3cd83e2 772e58de 77e29583 
    03ecd3d4 9df22a1a 5903cc62 8f781e4d 2ecb281b efe0b1e4 211e5953 bb5cec6e 
    0a260312 f85fd498 8adbd9e7 23e2e32c 9b034df9 839d9bbe aa769171 bb464bfe 
    be066806 d5d56cdc 22427990 08c8eb4a 93d676da 13bb9662 ad3bcb05 d29d8b9a 
    c800abd0 d4f482d5 c7cb8aa9 50d67062 61a33965 0c0aa305 e21b844c 95b12ed4 
    293e4b31 fc9300a5 367ae17f defd89b3 74b1e9e5 d44a93a3 19fa9df0 4e4e6bee 
    c64beddd d2541da6 d3a2699f 37f90b3a 8c190c9c 889c3856 ace813cb 6e4a0026 
    e10e2233 52dae76e 47b31549 0dc98652 14b2714a 3f60170a b3d3fb03 84adada8 
    eacff402 fc1b1158 9df65d60 3b8346ad b49da8ab dc9401cc b1402b46 ebd88db2 
    fa2d35a5 afa9b0e6 1985baa2 81f9dc97 024ec940 2fdf6102 03010001 a3633061 
    300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 
    86301f06 03551d23 04183016 8014577e f2a6cd27 748802e9 0bc66c09 52098e7d 
    0fb3301d 0603551d 0e041604 14577ef2 a6cd2774 8802e90b c66c0952 098e7d0f 
    b3300d06 092a8648 86f70d01 01050500 03820201 0091f593 e31c5af8 4e8da415 
    039fcf93 bf770c4b f501da50 93dc9e57 f0f00b2e c7c2d53f 34547fcb 692976b3 
    337d293a 27d6f1be af40d76c cd78ef34 81a5cafc e9d60f7b 85de3870 5924468a 
    5dbba34f 63c1fe2c b14ab9b6 02634f45 7d40b61f 3d3a1378 8f4fafb4 9499bf7c 
    3784e9a9 fe4a7fac 3fb115b8 6e2b14e4 62bceea0 a8c5c5ba e2599857 f19c84ff 
    33f5f2a8 95c531ba d97d9e35 75f51081 e1451a22 60353ac7 2e2711d1 9e64fb52 
    45514b02 d362f07a bf874f23 f848da92 70ec10c8 f03741be 3bb28233 d78e95f8 
    26606b88 ff9f3f2a 8fe948eb 7005c9ed 9610cae9 90e4e6c1 69e98ec0 0e2debe7 
    d09a07cb ea159809 1dc1b666 a1401ea3 bb7e9203 f905c696 aee9d2f6 93978e82 
    4b6ec24e ab695964 64fd929c d0cfc46b dea848e5 d3cf56cb 08a2991f 7ddee7ef 
    5ed8869f 0be2a5ed dba14771 0d23ae29 6ebf7640 381106ff 99c1d56a 7d5ec7ad 
    cd432009 2ef4248e aa9b42b8 a71ead22 14b38dcb e343c945 064796d3 1e337d75 
    baccf54c 209b67f8 0e4e8fa8 cf7ce3f1 99cddf3b 18eced0d 770448aa 1b37d65a 
    09574ee9 d5985c00 bdb804c3 9c0e069e 9eaa50e3 b4694174 e17251b4 fc0bc169 
    845b7639 ebc47f37 894b5a5f d5662fa9 40b9898c 86a44b6b 805cb0ba 8607499d 
    2c330359 c0b30ef1 046b01b2 bad5d514 efea8647 55db6819 4eaf2da2 59e219b8 
    e8ff9053 f4e630b8 34f631c7 c49062a5 a0239c9a ef
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable WAN_OLD client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh xxx.xxx.xxx.72 255.255.255.248 outside
ssh 192.168.1.0 255.255.255.0 GuestWiFi
ssh 172.16.64.0 255.255.248.0 GuestWiFi
ssh 10.20.30.0 255.255.255.0 GuestWiFi
ssh xxx.xxx.xxx.136 255.255.255.252 WAN_OLD
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access GuestWiFi

dhcp-client client-id interface outside
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd dns 8.8.8.8 208.67.222.222 interface inside
dhcpd enable inside
!
dhcpd address 192.168.96.3-192.168.96.254 ServerTV
dhcpd dns 8.8.8.8 8.8.4.4 interface ServerTV
!
dhcpd address 172.16.64.2-172.16.64.250 GuestWiFi
dhcpd dns 8.8.8.8 208.67.222.222 interface GuestWiFi
dhcpd enable GuestWiFi
!
dhcpd address 172.16.17.33-172.16.17.250 ParkingInterface
dhcpd dns 8.8.8.8 8.8.8.8 interface ParkingInterface
dhcpd enable ParkingInterface
!
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 ServerTV
ssl trust-point ASDM_TrustPoint0 GuestWiFi
ssl trust-point ASDM_TrustPoint0 ParkingInterface
ssl trust-point ASDM_TrustPoint0 WAN_OLD
webvpn
 enable outside
 enable WAN_OLD
 anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
 anyconnect profiles Test_GuestWiFi_client_profile disk0:/Test_GuestWiFi_client_profile.xml
 anyconnect profiles VPN_Test_client_profile disk0:/VPN_Test_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_VPN_Test internal
group-policy GroupPolicy_VPN_Test attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Test_Guest
 default-domain none
 webvpn
  anyconnect profiles value VPN_Test_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username admin password xxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group VPN_Test type remote-access
tunnel-group VPN_Test general-attributes
 address-pool Test_DHCP_VPN
 default-group-policy GroupPolicy_VPN_Test
tunnel-group VPN_Test webvpn-attributes
 group-alias VPN_Test enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:14a2b233fa9e205b5a530e7925ef77ac
: end

dovla110010101

Asked: 2016-11-17 06:53:22 +0800 CST

How to configure HP MSM720 with multiple VSC from which one has IGMP possibility

1

I have one really odd project to pull out. I am replacing entire infrastructure on one of our customers. They requirements are quite easy until they decided to put something else. 3 WAN addresses that are assigned like this: 1x WAN for plain internet connection which is distributed via HP E-MSM720 controller and HP MSM460 access points (default VLAN and VSC), now the fun part. 2x WAN to be assigned for one server inside clients network VLAN 6 subnet 192.168.x.x/23. This is also quite simple to pull. What I am having trouble, most likely because I have never played with HP controllers, is to set additional VSC with VLAN 6 and stream content from that server via Wireless. Now I must assume that on Meraki switch I need 2 ports as assign VLAN 6 on them (untagged). On Controller same thing. I need configure new VLAN 6 using "Network"->"Network Profiles", and under "Network"-> "VLANs" select new created profile and assign port as untagged. Since from some strange reason I cannot use "Automated Workflow" as I am getting an error, I need to create new VSC and bind it with that VLAN/Network profile that I would like to create. Creating profile should be easy by selecting "Controller"->"VSCs"-> "Add New VSC Profile". There I would set all the parameters such as SSID, Authentication, broadcasting, hiding SSID, etc, etc.

Can somebody confirm if the binding of VSC with new VLAN 6 using "VSC bindings" interfere with default VSC or disrupt current wireless link which is already configured? Manual procedure that I would use would be: - Select new "Controller"->"VSC"->"VSC Bindings" -> "Add New Binding"-> Check option "Egress Network - Network Profile: VLAN 6" and Save.

Will this in any way drop connection for current default VSC which uses default VLAN?

Also one additional question which I don't know if anyone knows, and I definitely need clarification:

If the VLAN is going to be set as IGMP (multicast), how can you set VSC to support IGMP? There is an option of IGMP proxy but is related to an interface. I assume that this interface that is facing switches/access points, if configured with IGMP proxy, might disrupt wireless internet connection for default VSC and default VLAN correct? (normal internet connection is unicast, while video stream is using multicast)...

Please refer from the schematic below, how it should look like. Clients network schematic

dovla110010101

Asked: 2016-10-19 03:51:17 +0800 CST

Cisco Anyconnect client connects to the VPN, but cannot reach any other network/subnet from the clients machine

1

I have one huge issue regarding VPN which I cannot resolve or connect the dots (what can possibly cause an issue)

One of our customers wants to replace old snapgear with something better so they've choose ASA to do so.

I have created all the configuration in ASA and tested inside our test network. I was able to connect with clients machine from outside to ASA VPN and to ping any machine inside the network. Everything worked perfectly. After that I have set same firewall/config to the customers site, and as soon as I connected ASA to their network and tried to connect from outside using Any connect, I was not able to ping any machine inside their network. All networks, subnets were out of reach/no reply.

At first I have set static routes and static IP of the ASA interface, but without luck. Then I set interface to get the IP address from DHCP server and all the routes from "L3 Core switch" that is doing all the routing, again without any luck.

Configuration of the ASA (dynamic)

: Saved

:
: Serial Number: xxxxxxxx
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
hostname xxxxxxxx
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
ip local pool VPN_xxxxxx 10.13.3.2-10.13.3.200 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description WAN Connection
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.88 255.255.255.224
!
interface GigabitEthernet1/2
 description LAN address
 nameif inside
 security-level 100
 ip address dhcp setroute
!
interface GigabitEthernet1/3
 description Test Connection Outside
 nameif testConn
 security-level 0
 ip address xxx.xxx.xxx.218 255.255.255.248
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 nameif mgmtbck
 security-level 100
 ip address 192.168.96.1 255.255.255.0
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network TestConnection
 subnet 192.168.10.0 255.255.254.0
 description TestConnection
object network WANAddress
 host xxx.xxx.xxx.217
object network WAN_Connection
 subnet 192.168.10.0 255.255.254.0
 description InternetConnection
object network WANConnectionxxxxxx
 host xxx.xxx.xxx.65
object network WANConn
 subnet 192.168.10.0 255.255.254.0
object network NETWORK_OBJ_10.13.3.0_24
 subnet 10.13.3.0 255.255.255.0
object network Network_A
 subnet 192.168.0.0 255.255.254.0
 description Network 192.168.0.0/23
object network Network_B
 subnet 172.17.110.0 255.255.255.0
 description Network 172.17.110.0
object network Network_C
 subnet 172.17.101.0 255.255.255.0
 description Network 172.17.101.0/24
object network Network_D
 subnet 172.17.137.0 255.255.255.0
 description Network 172.17.137.0/24
object network Gateway_Inside
 host 192.168.10.1
 description inside gateway address
object network OutsideNAT
 subnet 192.168.10.0 255.255.254.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu testConn 1500
mtu mgmtbck 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-762.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,testConn) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
!
object network WANConn
 nat (inside,testConn) dynamic interface dns
object network OutsideNAT
 nat (inside,outside) dynamic interface dns
access-group 101 in interface outside
access-group inside_access_in in interface inside
access-group 101 in interface testConn
route testConn 0.0.0.0 0.0.0.0 xxx.xxx.xxx.217 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 2
route inside 172.17.101.0 255.255.255.0 192.168.10.1 1
route inside 172.17.110.0 255.255.255.0 192.168.10.1 1
route inside 172.17.137.0 255.255.255.0 192.168.10.1 1
route inside 192.168.0.0 255.255.254.0 192.168.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server NPS protocol radius
aaa-server NPS (inside) host 192.168.0.186
 key *****
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.254.0 inside
http 192.168.96.0 255.255.255.0 mgmtbck
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map testConn_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map testConn_map interface testConn
crypto ca trustpoint xxxxxxxx
 enrollment self
 fqdn xxxxxx.local
 subject-name CN=xxxxxxxx
 serial-number
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain xxxxxxxx
 certificate cffdf657
    3082036f 30820257 a0030201 020204cf fdf65730 0d06092a 864886f7 0d010105
    05003047 31133011 06035504 03130a41 646d6972 616c4153 41313030 12060355
    0405130b 4a414432 30323330 34435430 1a06092a 864886f7 0d010902 160d6164
    6d697261 6c2e6c6f 63616c30 1e170d31 36313030 37303234 3431335a 170d3236
    31303035 30323434 31335a30 47311330 11060355 0403130a 41646d69 72616c41
    121616e7 7014f20f dbf9733a bca6055a 15f68e68 8fa67ea5 0c63d7ed 712e5517
    a392775d 2f4bdd5a df207e10 0413c878 fba699
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable testConn client-services port 443
crypto ikev2 remote-access trustpoint xxxxxxxx
crypto ikev1 enable outside
crypto ikev1 enable testConn
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.10.0 255.255.254.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcp-client client-id interface inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxx.xxx.xxx.44 source testConn prefer
ssl trust-point xxxxxxxx outside
ssl trust-point xxxxxxxx inside
ssl trust-point xxxxxxxx testConn
ssl trust-point xxxxxxxx mgmtbck
webvpn
 enable outside
 enable testConn
 anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
 anyconnect profiles xxxxxxMain_client_profile disk0:/xxxxxxMain_client_profile.xml
 anyconnect profiles xxxxxx_client_profile disk0:/xxxxxx_client_profile.xml
 anyconnect profiles TestVPN_client_profile disk0:/TestVPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_TestVPN internal
group-policy GroupPolicy_TestVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value TestVPN_client_profile type user
group-policy GroupPolicy_xxxxxxMain internal
group-policy GroupPolicy_xxxxxxMain attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value xxxxxxMain_client_profile type user
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain none
group-policy Policy_xxxxxx internal
group-policy Policy_xxxxxx attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none
dynamic-access-policy-record DfltAccessPolicy
username admin password xxxxxxxx encrypted privilege 15
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_xxxxxx
 default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
tunnel-group TestVPN type remote-access
tunnel-group TestVPN general-attributes
 address-pool VPN_xxxxxx
 default-group-policy GroupPolicy_TestVPN
tunnel-group TestVPN webvpn-attributes
 group-alias TestVPN enable
tunnel-group xxxxxxMain type remote-access
tunnel-group xxxxxxMain general-attributes
 address-pool VPN_xxxxxx
 authentication-server-group NPS
 default-group-policy GroupPolicy_xxxxxxMain
tunnel-group xxxxxxMain webvpn-attributes
 group-alias xxxxxxMain enable
tunnel-group VPN_SSL type remote-access
tunnel-group VPN_SSL general-attributes
 default-group-policy Policy_xxxxxx
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

Configuration - static

: Saved

: 
: Serial Number: xxxxxxxx
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by xxxxx at 08:27:30.065 GMT Wed Oct 12 2016
!
ASA Version 9.5(2) 
!
hostname xxxxxxxxASA
enable password xxxxxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxxxx encrypted
names
ip local pool VPN_xxxxxxxx 10.13.3.2-10.13.3.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description WAN Connection
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.88 255.255.255.224 
!
interface GigabitEthernet1/2
 description LAN address
 nameif inside
 security-level 100
 ip address 192.168.10.3 255.255.254.0 
!
interface GigabitEthernet1/3
 description Test Connection Outside
 nameif testConn
 security-level 0
 ip address xxx.xxx.xxx.218 255.255.255.248 
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network TestConnection
 subnet 192.168.10.0 255.255.254.0
 description TestConnection
object network WANAddress
 host xxx.xxx.xxx.217
object network WAN_Connection
 subnet 192.168.10.0 255.255.254.0
 description InternetConnection
object network WANConnectionxxxxxxxx
 host xxx.xxx.xxx.65
object network WANConn
 subnet 192.168.10.0 255.255.254.0
object network NETWORK_OBJ_10.13.3.0_24
 subnet 10.13.3.0 255.255.255.0
object network Network_A
 subnet 192.168.0.0 255.255.254.0
 description Network 192.168.0.0/23
object network Network_B
 subnet 172.17.110.0 255.255.255.0
 description Network 172.17.110.0
object network Network_C
 subnet 172.17.101.0 255.255.255.0
 description Network 172.17.101.0/24
object network Network_D
 subnet 172.17.137.0 255.255.255.0
 description Network 172.17.137.0/24
object network Gateway_Inside
 host 192.168.10.1
 description inside gateway address
object network OutsideNAT
 subnet 192.168.10.0 255.255.254.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 
access-list 101 extended permit icmp any any echo-reply 
access-list 101 extended permit icmp any any source-quench 
access-list 101 extended permit icmp any any unreachable 
access-list 101 extended permit icmp any any time-exceeded 
access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu testConn 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-762.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,testConn) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
!
object network WANConn
 nat (inside,testConn) dynamic interface dns
object network OutsideNAT
 nat (inside,outside) dynamic interface dns
access-group 101 in interface outside
access-group inside_access_in in interface inside
access-group 101 in interface testConn
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 1
route testConn 0.0.0.0 0.0.0.0 xxx.xxx.xxx.217 3
route inside 172.17.101.0 255.255.255.0 192.168.10.1 1
route inside 172.17.110.0 255.255.255.0 192.168.10.1 1
route inside 172.17.137.0 255.255.255.0 192.168.10.1 1
route inside 192.168.0.0 255.255.254.0 192.168.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server NPS protocol radius
aaa-server NPS (inside) host 192.168.0.186
 key xxxxxxx
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map testConn_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map testConn_map interface testConn
crypto ca trustpoint xxxxxxxxCert
 enrollment self
 fqdn xxxxxxxx.local
 subject-name CN=xxxxxxxxASA
 serial-number
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain xxxxxxxxCert
 certificate cffdf657
    3082036f 30820257 a0030201 020204cf fdf65730 0d06092a 864886f7 0d010105 
    05003047 31133011 06035504 03130a41 646d6972 616c4153 41313030 12060355 
    0405130b 4a414432 30323330 34435430 1a06092a 864886f7 0d010902 160d6164 
    6d697261 6c2e6c6f 63616c30 1e170d31 36313030 37303234 3431335a 170d3236 
    31303035 30323434 31335a30 47311330 11060355 0403130a 41646d69 72616c41 
    89dcd2ca 48d03495 655c1b39 35d26809 40d73e65 8bebfe10 c3c07753 75d6ba67 
    e7fd3326 5ee135c4 bf96971a 99e5ed5c 72c22c56 bda3e047 97f5e667 57504628 
    5b64c134 279b5205 2ebf37fe 81174d03 e2c9a30f acdf2893 f3136e20 4221bca0 
    121616e7 7014f20f dbf9733a bca6055a 15f68e68 8fa67ea5 0c63d7ed 712e5517 
    a392775d 2f4bdd5a df207e10 0413c878 fba699
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable testConn client-services port 443
crypto ikev2 remote-access trustpoint xxxxxxxxCert
crypto ikev1 enable outside
crypto ikev1 enable testConn
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.10.0 255.255.254.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxx.xxx.xxx.44 source testConn prefer
ssl trust-point xxxxxxxxCert outside
ssl trust-point xxxxxxxxCert inside
ssl trust-point xxxxxxxxCert testConn
webvpn
 enable outside
 enable testConn
 anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
 anyconnect profiles xxxxxxxxVPNMain_client_profile disk0:/xxxxxxxxVPNMain_client_profile.xml
 anyconnect profiles xxxxxxxxVPN_client_profile disk0:/xxxxxxxxVPN_client_profile.xml
 anyconnect profiles TestVPN_client_profile disk0:/TestVPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_xxxxxxxxVPN internal
group-policy GroupPolicy_xxxxxxxxVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value xxxxxxxxVPN_client_profile type user
group-policy GroupPolicy_TestVPN internal
group-policy GroupPolicy_TestVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value TestVPN_client_profile type user
group-policy GroupPolicy_xxxxxxxxVPNMain internal
group-policy GroupPolicy_xxxxxxxxVPNMain attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value xxxxxxxxVPNMain_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username xxxxx password xxxxxxxxxxx encrypted privilege 15
tunnel-group xxxxxxxxVPN type remote-access
tunnel-group xxxxxxxxVPN general-attributes
 address-pool VPN_xxxxxxxx
 default-group-policy GroupPolicy_xxxxxxxxVPN
tunnel-group xxxxxxxxVPN webvpn-attributes
 group-alias xxxxxxxxVPN enable
tunnel-group TestVPN type remote-access
tunnel-group TestVPN general-attributes
 address-pool VPN_xxxxxxxx
 default-group-policy GroupPolicy_TestVPN
tunnel-group TestVPN webvpn-attributes
 group-alias TestVPN enable
tunnel-group xxxxxxxxVPNMain type remote-access
tunnel-group xxxxxxxxVPNMain general-attributes
 address-pool VPN_xxxxxxxx
 authentication-server-group NPS
 default-group-policy GroupPolicy_xxxxxxxxVPNMain
tunnel-group xxxxxxxxVPNMain webvpn-attributes
 group-alias xxxxxxxxVPNMain enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:x
: end

Switch configuration to which ASA is directly connected and that is doing all the routing.

Routes of the Snapgear VPN that works

Working Routes

ASA VPN route (not working)

Routes while connected to ASA

Also I need to inform you that when I connected ASA to the customers network, I could ping any interface of any subnet/network from the ASA which means that routes are correctly set, but as soon I use VPN and try to ping from outside through the tunnel of inside device/server/interface, I cannot reach any of them...

What could possibly causing the issue?

Thank you in advance and have yourself a great day.

changing password - issue with ldap update

OpenVPN revoke user - CRL verify issues

Stastic NAT with multiple WANs - internet connectivity issue

How to configure HP MSM720 with multiple VSC from which one has IGMP possibility

Cisco Anyconnect client connects to the VPN, but cannot reach any other network/subnet from the clients machine

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?