https://community.cisco.com/t5/network-security/asa-anyconnect-vpn-can-ping-but-not-browse/m-p/2986311#M155588 <P>You need to allow the ASA to route traffic from the VPN back out the on the interface it arrived, which is the outside.</P> <P>Enter the command same-security-traffic permit intra-interface in global configuration mode.</P> <P></P> <P>Hope this helps.</P> <P>Please rate any helpful posts.</P> Thu, 01 Sep 2016 13:53:27 GMT S-Lemming 2016-09-01T13:53:27Z https://community.cisco.com/t5/network-security/asa-anyconnect-vpn-can-ping-but-not-browse/m-p/2986310#M155587 <P>I'm throwing in the white flag.. I have an ASA 5508 with ver 9.5. I have setup an AnyConnect Profile, VPN Pool, split tunneling etc. Via AnyConnect VPN software I can connect, authenticate and see internal network just as I should. I can ping google but I cannot browse the internet while connected to the VPN. I am pulling DNS from the ASA. I've tried Charter and Google DNS. Still users cannot browse internet while connected via VPN.</P> <P></P> <P>Hopefully from the pieces below someone can see something I have that I shouldn't or vice versa. Internal network 192.168.3.x, vpn pool 192.168.100.x</P> <P></P> <P>ip local pool GriffinVPNPool1 192.168.100.1-192.168.100.255 mask 255.255.255.0</P> <P></P> <P>object network obj_any<BR /> subnet 0.0.0.0 0.0.0.0</P> <P>object network NETWORK_OBJ_192.168.3.0_24<BR /> subnet 192.168.3.0 255.255.255.0</P> <P>access-list Split_Tunnel_List standard permit 192.168.3.0 255.255.255.0<BR />access-list inside_access_in extended permit ip any any</P> <P>access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol<BR />access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631<BR />access-list AnyConnect_Client_Local_Print remark Windows' printing port<BR />access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100<BR />access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol<BR />access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353<BR />access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol<BR />access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355<BR />access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol<BR />access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137</P> <P>nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup</P> <P>object network obj_any<BR /> nat (any,outside) dynamic interface<BR />access-group inside_access_in in interface inside<BR />access-group inside_access_out out interface inside</P> <P></P> <P>ssl trust-point ASDM_Launcher_Access_TrustPoint_1 outside<BR />ssl trust-point ASDM_Launcher_Access_TrustPoint_1 inside<BR />ssl trust-point ASDM_Launcher_Access_TrustPoint_1 inside vpnlb-ip<BR />webvpn<BR /> enable outside<BR /> anyconnect image disk0:/anyconnect-win-4.2.04039-k9.pkg 1<BR /> anyconnect image disk0:/anyconnect-macosx-i386-4.2.00096-k9.pkg 2<BR /> anyconnect profiles GriffinVPN_client_profile disk0:/GriffinVPN_client_profile.xml<BR /> anyconnect enable<BR /> tunnel-group-list enable<BR /> error-recovery disable<BR />group-policy DfltGrpPolicy attributes<BR /> vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless<BR />group-policy GroupPolicy_GriffinVPN internal<BR />group-policy GroupPolicy_GriffinVPN attributes<BR /> wins-server none<BR /> dns-server value 24.196.64.53<BR /> vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client<BR /> split-tunnel-policy tunnelspecified<BR /> split-tunnel-network-list value Split_Tunnel_List<BR /> default-domain none</P> <P></P> <P>policy-map type inspect dns preset_dns_map<BR /> parameters<BR /> message-length maximum client auto<BR /> message-length maximum 512<BR />policy-map global<BR />policy-map global_policy<BR /> class inspection_default<BR /> inspect dns preset_dns_map<BR /> inspect ftp<BR /> inspect h323 h225<BR /> inspect h323 ras<BR /> inspect rsh<BR /> inspect rtsp<BR /> inspect sqlnet<BR /> inspect skinny<BR /> inspect sunrpc<BR /> inspect xdmcp<BR /> inspect sip<BR /> inspect netbios<BR /> inspect tftp<BR /> inspect ip-options<BR /> inspect icmp<BR /> inspect icmp error</P> <P></P> <P>Thank you in advance for help</P> Tue, 12 Mar 2019 08:13:14 GMT https://community.cisco.com/t5/network-security/asa-anyconnect-vpn-can-ping-but-not-browse/m-p/2986310#M155587 taspencegltc 2019-03-12T08:13:14Z https://community.cisco.com/t5/network-security/asa-anyconnect-vpn-can-ping-but-not-browse/m-p/2986311#M155588 <P>You need to allow the ASA to route traffic from the VPN back out the on the interface it arrived, which is the outside.</P> <P>Enter the command same-security-traffic permit intra-interface in global configuration mode.</P> <P></P> <P>Hope this helps.</P> <P>Please rate any helpful posts.</P> Thu, 01 Sep 2016 13:53:27 GMT https://community.cisco.com/t5/network-security/asa-anyconnect-vpn-can-ping-but-not-browse/m-p/2986311#M155588 S-Lemming 2016-09-01T13:53:27Z https://community.cisco.com/t5/network-security/asa-anyconnect-vpn-can-ping-but-not-browse/m-p/2986312#M155589 <P>Worked perfectly. Thank you!</P> Thu, 01 Sep 2016 14:40:03 GMT https://community.cisco.com/t5/network-security/asa-anyconnect-vpn-can-ping-but-not-browse/m-p/2986312#M155589 taspencegltc 2016-09-01T14:40:03Z