https://community.cisco.com/t5/network-security/anyconnect-asa-cannot-access-internal-network-or-internet/m-p/1975235#M409968 <HTML><HEAD></HEAD><BODY><P>Split tunnel ACL is incorrect, you should add the internal LAN subnets, not the VPN pool subnets and also add the correct NONAT ACL.</P><P></P><P>If you are trying to access the 172.16.1.0/24 subnet, then add the following:</P><P>access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 10.2.2.0 255.255.255.0</P><P></P><P>Then the following split tunnel ACL:</P><P>access-list split-smart standard permit ip 172.16.1.0 255.255.255.0</P><P></P><P>Lastly, try to see if you can ping 172.16.1.200 after adding the above.</P></BODY></HTML> Sat, 04 Aug 2012 08:58:34 GMT Jennifer Halim 2012-08-04T08:58:34Z https://community.cisco.com/t5/network-security/anyconnect-asa-cannot-access-internal-network-or-internet/m-p/1975231#M409961 <P>After connecting via anyconnect client 2.5, I cannot access my internal network or internet. </P><P></P><P><SPAN style="color: #ff0000;">My Host is getting ip address of 10.2.2.1/24 &amp; gw:10.2.2.2</SPAN></P><P></P><P>Following is the config</P><P></P><P>ASA Version 8.2(5) </P><P>!</P><P></P><P>names</P><P>name 172.16.1.200 EOCVLAN198 description EOC VLAN 198</P><P>dns-guard</P><P>!</P><P>interface Ethernet0/0</P><P> description to EOCATT7200-G0/2</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P> description to EOC-Inside</P><P> switchport access vlan 198</P><P>!</P><P></P><P>!</P><P>interface Vlan1</P><P> shutdown</P><P> no nameif</P><P> security-level 100</P><P> no ip address</P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> ip address 1.21.24.23 255.255.255.248 </P><P>!</P><P>interface Vlan198</P><P> nameif inside</P><P> security-level 100</P><P> ip address 172.16.1.1 255.255.255.0 </P><P>!</P><P>ftp mode passive</P><P>clock timezone PST -8</P><P>clock summer-time PDT recurring</P><P>dns server-group DefaultDNS</P><P> domain-name riversideca.gov</P><P>access-list outside_acl extended permit icmp any interface inside </P><P>access-list outside_acl extended permit ip any any </P><P>access-list inside_acl extended permit icmp any interface outside </P><P>access-list inside_acl extended permit icmp interface outside any </P><P>access-list inside_acl extended permit ip any any </P><P>access-list inside_acl extended permit ip 172.16.1.0 255.255.255.0 any </P><P>access-list inside_acl extended permit ip 10.0.0.0 255.0.0.0 any </P><P>access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.2.2.0 255.255.255.0 </P><P>access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0 </P><P>access-list NONAT extended permit ip 10.10.86.0 255.255.255.0 10.2.2.0 255.255.255.0 </P><P>access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.10.86.0 255.255.255.0 </P><P>access-list NONAT extended permit ip 10.80.1.0 255.255.255.0 10.2.2.0 255.255.255.0 </P><P>access-list split-tunnel standard permit 172.16.1.0 255.255.255.0 </P><P>access-list split-smart standard permit any </P><P></P><P>ip local pool SSLClientPool 10.2.2.1-10.2.2.50 mask 255.255.255.0</P><P></P><P>asdm image disk0:/asdm-649.bin</P><P></P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list NONAT</P><P>nat (inside) 1 172.16.1.0 255.255.255.0</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>access-group outside_acl in interface outside</P><P>access-group inside_acl in interface inside</P><P>route outside 0.0.0.0 0.0.0.0 1.21.24.23 1</P><P>route inside 10.0.0.0 255.0.0.0 EOCVLAN198 1</P><P>route inside 192.168.1.0 255.255.255.0 EOCVLAN198 1</P><P>route inside 192.168.100.0 255.255.255.0 EOCVLAN198 1</P><P>route inside 192.168.211.0 255.255.255.0 EOCVLAN198 1</P><P></P><P></P><P>webvpn</P><P> enable outside</P><P> svc image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 1</P><P> svc enable</P><P> tunnel-group-list enable</P><P>group-policy SSLCLientPolicy internal</P><P>group-policy SSLCLientPolicy attributes</P><P> dns-server value 10.10.86.128 10.10.86.129</P><P> vpn-tunnel-protocol svc webvpn</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value split-smart</P><P> default-domain value yourname.tld</P><P> address-pools value SSLClientPool</P><P>username test password P4ttSyrm33SV8TYp encrypted privilege 15</P><P>username admin password fOGXfuUK21gWxwO6 encrypted privilege 15</P><P>tunnel-group SSLClientProfile type remote-access</P><P>tunnel-group SSLClientProfile general-attributes</P><P> default-group-policy SSLCLientPolicy</P><P>tunnel-group SSLClientProfile webvpn-attributes</P><P> group-alias EOCSSL enable</P><P>!</P><P>class-map global-class</P><P>class-map IPS</P><P>class-map my-ips-class</P><P>class-map test1</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect ip-options </P><P>&nbsp; inspect ipsec-pass-thru </P><P>&nbsp; inspect http </P><P>&nbsp; inspect pptp </P><P>&nbsp; inspect icmp </P><P> class global-class</P><P>&nbsp; ips inline fail-close</P><P> class class-default</P><P>&nbsp; set connection decrement-ttl</P><P>policy-map my-ips-policy</P><P> class my-ips-class</P><P>&nbsp; ips promiscuous fail-open</P><P>!</P><P>service-policy global_policy global</P><P>p</P><P></P><P>ciscoasa#&nbsp;&nbsp;&nbsp; show log</P><P>Syslog logging: enabled</P><P></P><P></P><P>Aug 02 2012 21:34:03: %ASA-6-302014: Teardown TCP connection 60662 for outside:10.2.2.1/62706 to outside:74.125.224.228/443 duration 0:00:00 bytes 0 Flow is a loopback (test)</P><P></P><P>Aug 02 2012 21:34:09: %ASA-6-302015: Built inbound UDP connection 60664 for outside:10.2.2.1/49768 (10.2.2.1/49768) to inside:10.10.86.128/53 (10.10.86.128/53) (test)</P><P>Aug 02 2012 21:34:09: %ASA-6-302014: Teardown TCP connection 60665 for outside:10.2.2.1/62706 to outside:74.125.224.228/443 duration 0:00:00 bytes 0 Flow is a loopback (test)</P><P>Aug 02 2012 21:34:10: %ASA-6-302015: Built inbound UDP connection 60666 for outside:10.2.2.1/49768 (10.2.2.1/49768) to inside:10.10.86.129/53 (10.10.86.129/53) (test)</P><P><SPAN style="color: #ff0000;">Aug 02 2012 21:34:11: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.2.2.1/62708 dst inside:192.248.248.120/443 denied due to NAT reverse path failure</SPAN></P><P>Aug 02 2012 21:34:21: %ASA-6-302015: Built inbound UDP connection 60668 for outside:10.2.2.1/50715 (10.2.2.1/50715) to inside:10.10.86.128/53 (10.10.86.128/53) (test)</P><P>Aug 02 2012 21:34:21: %ASA-6-302015: Built inbound UDP connection 60669 for outside:10.2.2.1/64333 (10.2.2.1/64333) to inside:10.10.86.128/53 (10.10.86.128/53) (test)</P><P>Aug 02 2012 21:34:22: %ASA-6-302015: Built inbound UDP connection 60670 for outside:10.2.2.1/50715 (10.2.2.1/50715) to inside:10.10.86.129/53 (10.10.86.129/53) (test)</P><P>Aug 02 2012 21:34:22: %ASA-6-302016: Teardown UDP connection 60474 for outside:10.2.2.1/50367 to inside:10.10.86.128/53 duration 0:02:01 bytes 40 (test)</P><P>Aug 02 2012 21:34:22: %ASA-6-302016: Teardown UDP connection 60475 for outside:10.2.2.1/60325 to inside:10.10.86.128/53 duration 0:02:01 bytes 46 (test)</P><P>Aug 02 2012 21:34:22: %ASA-6-302015: Built inbound UDP connection 60671 for outside:10.2.2.1/64333 (10.2.2.1/64333) to inside:10.10.86.129/53 (10.10.86.129/53) (test)</P><P>Aug 02 2012 21:34:22: %ASA-6-302014: Teardown TCP connection 60672 for outside:10.2.2.1/62713 to outside:74.125.224.228/443 duration 0:00:00 bytes 0 Flow is a loopback (test)</P><P>Aug 02 2012 21:34:23: %ASA-6-302016: Teardown UDP connection 60477 for outside:10.2.2.1/50367 to inside:10.10.86.129/53 duration 0:02:01 bytes 40 (test)</P><P>Aug 02 2012 21:34:23: %ASA-6-302016: Teardown UDP connection 60479 for outside:10.2.2.1/60325 to inside:10.10.86.129/53 duration 0:02:01 bytes 46 (test)</P><P></P><P></P><P>ciscoasa# show vpn-sessiondb svc</P><P></P><P>Session Type: SVC</P><P></P><P>Username&nbsp;&nbsp;&nbsp;&nbsp; : test&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Index&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 21</P><P>Assigned IP&nbsp; : 10.2.2.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Public IP&nbsp;&nbsp;&nbsp; : 76.95.186.82</P><P>Protocol&nbsp;&nbsp;&nbsp;&nbsp; : Clientless SSL-Tunnel DTLS-Tunnel</P><P>License&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : SSL VPN</P><P>Encryption&nbsp;&nbsp; : RC4 AES128&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Hashing&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : SHA1</P><P>Bytes Tx&nbsp;&nbsp;&nbsp;&nbsp; : 13486&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Bytes Rx&nbsp;&nbsp;&nbsp;&nbsp; : 136791</P><P>Group Policy : SSLCLientPolicy&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Tunnel Group : SSLClientProfile</P><P>Login Time&nbsp;&nbsp; : 21:26:21 PDT Thu Aug 2 2012</P><P>Duration&nbsp;&nbsp;&nbsp;&nbsp; : 0h:08m:41s</P><P>Inactivity&nbsp;&nbsp; : 0h:00m:00s</P><P>NAC Result&nbsp;&nbsp; : Unknown</P><P>VLAN Mapping : N/A&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; VLAN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : none</P> Mon, 11 Mar 2019 23:37:50 GMT https://community.cisco.com/t5/network-security/anyconnect-asa-cannot-access-internal-network-or-internet/m-p/1975231#M409961 aparikh 2019-03-11T23:37:50Z https://community.cisco.com/t5/network-security/anyconnect-asa-cannot-access-internal-network-or-internet/m-p/1975232#M409963 <HTML><HEAD></HEAD><BODY><P>You can add the following:</P><P></P><P>route outside 10.2.2.0 255.255.255.0 1.21.24.23 1</P><P></P><P>because you have 10.0.0.0/8 route pointing to the inside.</P></BODY></HTML> Fri, 03 Aug 2012 08:55:27 GMT https://community.cisco.com/t5/network-security/anyconnect-asa-cannot-access-internal-network-or-internet/m-p/1975232#M409963 Jennifer Halim 2012-08-03T08:55:27Z https://community.cisco.com/t5/network-security/anyconnect-asa-cannot-access-internal-network-or-internet/m-p/1975233#M409965 <HTML><HEAD></HEAD><BODY><P>Also, do you need split tunnel, or are you trying to send all traffic to the ASA? because you have "permit any" for your split tunnel acl, that's why i asked.</P><P></P><P>If you want to send the VPN internet traffic towards the ASA too, then you need to configure:</P><P>nat (outside) 1 10.2.2.0 255.255.255.0</P><P></P><P>If you want to send the VPN internet traffic directly off local internet, then you would need to configure the correct split tunnel acl to only include subnet behind the ASA.</P></BODY></HTML> Fri, 03 Aug 2012 08:58:00 GMT https://community.cisco.com/t5/network-security/anyconnect-asa-cannot-access-internal-network-or-internet/m-p/1975233#M409965 Jennifer Halim 2012-08-03T08:58:00Z https://community.cisco.com/t5/network-security/anyconnect-asa-cannot-access-internal-network-or-internet/m-p/1975234#M409966 <HTML><HEAD></HEAD><BODY><P>It did not work. </P><P>I added the "</P><P>route outside 10.2.2.0 255.255.255.0 1.21.24.23 1"</P><P>I also added "access-list split-smart standard permit ip 10.2.2.0 255.255.255.0"</P><P></P><P></P><P>I do not care about the split-tuunel. </P><P></P><P></P><P>MY Laptop IP address: 10.2.2.1, SM:255.255.255.0 GW:10.2.2.2</P></BODY></HTML> Fri, 03 Aug 2012 22:56:15 GMT https://community.cisco.com/t5/network-security/anyconnect-asa-cannot-access-internal-network-or-internet/m-p/1975234#M409966 aparikh 2012-08-03T22:56:15Z https://community.cisco.com/t5/network-security/anyconnect-asa-cannot-access-internal-network-or-internet/m-p/1975235#M409968 <HTML><HEAD></HEAD><BODY><P>Split tunnel ACL is incorrect, you should add the internal LAN subnets, not the VPN pool subnets and also add the correct NONAT ACL.</P><P></P><P>If you are trying to access the 172.16.1.0/24 subnet, then add the following:</P><P>access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 10.2.2.0 255.255.255.0</P><P></P><P>Then the following split tunnel ACL:</P><P>access-list split-smart standard permit ip 172.16.1.0 255.255.255.0</P><P></P><P>Lastly, try to see if you can ping 172.16.1.200 after adding the above.</P></BODY></HTML> Sat, 04 Aug 2012 08:58:34 GMT https://community.cisco.com/t5/network-security/anyconnect-asa-cannot-access-internal-network-or-internet/m-p/1975235#M409968 Jennifer Halim 2012-08-04T08:58:34Z https://community.cisco.com/t5/network-security/anyconnect-asa-cannot-access-internal-network-or-internet/m-p/1975236#M409969 <HTML><HEAD></HEAD><BODY><P>It is working.</P><P>I added the "address-pool" under the tunnel-group xxx general-attribute"</P><P></P><P>Thanks for taking time to respond. </P></BODY></HTML> Sat, 04 Aug 2012 20:56:10 GMT https://community.cisco.com/t5/network-security/anyconnect-asa-cannot-access-internal-network-or-internet/m-p/1975236#M409969 aparikh 2012-08-04T20:56:10Z