02-24-2020 03:39 PM
I am trying to configure an Anyconnect VPN. The wizard failed miserably, and I have been trying to get it to work for a few hours now. It will connect, but no traffic is passing. I had been getting error messages in the log, but now that I fixed (I think) split tunneling, I am not seeing any traffic from my machine on the SSL VPN hitting the logs. I see the connection and disconnection traffic, but nothing when I try to ping or RDP. I am out of ideas. Here is the relevant config.
ip local pool SSLVPN-Pool 10.173.0.2-10.173.0.254 mask 255.255.255.0
object network SGR-Servers
 subnet 10.172.0.0 255.255.255.0
object network InternetAccess
 subnet 10.172.0.0 255.255.0.0
object network SSLVPN-Anyconnect
 subnet 10.173.0.0 255.255.255.0
object network NETWORK_OBJ_10.173.0.0_24
 subnet 10.173.0.0 255.255.255.0
object network NETWORK_OBJ_10.172.0.0_24
 subnet 10.172.0.0 255.255.255.0
access-list Outside_access_in extended permit ip object SSLVPN-Anyconnect object SGR-Servers
access-list Outside_access_in extended permit tcp any interface Outside eq https
access-list Inside_access_in extended permit ip object SGR-Servers any
access-list Inside_access_in extended permit ip 10.172.0.0 255.255.255.0 object SSLVPN-Anyconnect
access-list SSLVPN-SplitTunnel extended permit ip object SGR-Servers object SGR-Servers
access-list SSLVPN-Split-Tunnel standard permit 10.172.0.0 255.255.255.0
mtu Outside 1500
mtu Inside 1500
mtu management 1500
nat (Inside,Outside) source static NETWORK_OBJ_10.172.0.0_24 NETWORK_OBJ_10.172.0.0_24 destination static NETWORK_OBJ_10.173.0.0_24 NETWORK_OBJ_10.173.0.0_24 no-proxy-arp route-lookup
nat (Inside,Outside) source static SGR-Servers SGR-Servers destination static NETWORK_OBJ_10.173.0.0_24 NETWORK_OBJ_10.173.0.0_24 no-proxy-arp route-lookup
!
object network InternetAccess
 nat (Inside,Outside) dynamic interface
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
webvpn
 enable Outside
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-macos-4.8.02042-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 vpn-filter value Outside_cryptomap
 vpn-tunnel-protocol l2tp-ipsec ssl-clientless
group-policy GroupPolicy_AnyConnectSSLVPN internal
group-policy GroupPolicy_AnyConnectSSLVPN attributes
 wins-server none
 dns-server value 10.172.0.5 4.2.2.2
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLVPN-Split-Tunnel
 default-domain value lawfirmllp.net
dynamic-access-policy-record DfltAccessPolicy
tunnel-group AnyConnectSSLVPN type remote-access
tunnel-group AnyConnectSSLVPN general-attributes
 address-pool SSLVPN-Pool
 default-group-policy GroupPolicy_AnyConnectSSLVPN
tunnel-group AnyConnectSSLVPN webvpn-attributes
 group-alias AnyConnectSSLVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
02-25-2020 10:47 AM
Can we verify the operation of split tunneling for AnyConnect? With AnyConnect connected, would you look in the Routes tab and share with us which secured routes are sent via the VPN and which are just sent to the Internet without the VPN?
02-26-2020 05:21 PM
You were right. This filter was applied in both places, when it should only have been applied to the IPsec VPN. Setting vpn-filter none fixed the issue.
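The fix described in the reply above, written out as an added example; this is not the original poster's config or Cisco's documentation. The cause is ASA group-policy inheritance: any attribute not set explicitly in a group-policy is inherited from DfltGrpPolicy, so the vpn-filter placed on DfltGrpPolicy also applied to GroupPolicy_AnyConnectSSLVPN, whose AnyConnect pool addresses never matched the IPsec ACL. Setting vpn-filter none on the AnyConnect policy stops the inheritance, but it also leaves AnyConnect users unfiltered. The variant below moves the IPsec filter onto the policy the IPsec tunnel actually uses and gives AnyConnect a scoped filter instead. The ACL name SSLVPN-Filter, the IPsec group-policy name GroupPolicy_IPsec, and the RDP host 10.172.0.10 are assumptions, not names from the original thread; SSLVPN-Anyconnect, SGR-Servers and 10.172.0.5 are the objects and DNS server from the posted config.

```cisco
! vpn-filter ACEs are written with the remote-access client address as the
! source and the inside resource as the destination. The ASA evaluates a
! vpn-filter against traffic in both directions, so no entries are needed
! for the replies.
access-list SSLVPN-Filter extended permit icmp object SSLVPN-Anyconnect object SGR-Servers
access-list SSLVPN-Filter extended permit tcp object SSLVPN-Anyconnect host 10.172.0.10 eq 3389
access-list SSLVPN-Filter extended permit udp object SSLVPN-Anyconnect host 10.172.0.5 eq domain
access-list SSLVPN-Filter extended permit tcp object SSLVPN-Anyconnect host 10.172.0.5 eq domain
!
! Take the IPsec filter off the default policy, which every other
! group-policy inherits from, and set it explicitly on the policy the
! IPsec tunnel-group uses (GroupPolicy_IPsec is an assumed name).
group-policy DfltGrpPolicy attributes
 vpn-filter none
group-policy GroupPolicy_IPsec attributes
 vpn-filter value Outside_cryptomap
!
! Set the AnyConnect policy's filter explicitly so nothing is inherited.
! "vpn-filter none" here would also fix the symptom, at the cost of
! leaving AnyConnect users with no filter at all.
group-policy GroupPolicy_AnyConnectSSLVPN attributes
 vpn-filter value SSLVPN-Filter
```

To confirm which filter a connected user actually got, `show vpn-sessiondb detail anyconnect` prints a Filter Name field per session, and `show run all group-policy GroupPolicy_AnyConnectSSLVPN` shows the effective value of every attribute including the ones inherited from DfltGrpPolicy. Only tunneled traffic is subject to the filter; with split tunneling set to tunnelspecified, lookups to the public resolver 4.2.2.2 leave the client directly and never reach the ASA, which is why the example permits DNS only to 10.172.0.5.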
02-27-2020 05:31 AM
Thanks for the update. Glad that you have solved the problem and that our suggestions pointed you in the right direction.