09-01-2016 06:28 AM - edited 03-12-2019 01:13 AM
I'm throwing in the white flag. I have an ASA 5508 with ver 9.5. I have set up an AnyConnect Profile, VPN Pool, split tunneling etc. Via AnyConnect VPN software I can connect, authenticate and see internal network just as I should. I can ping google but I cannot browse the internet while connected to the VPN. I am pulling DNS from the ASA. I've tried Charter and Google DNS. Still users cannot browse internet while connected via VPN.
Hopefully from the pieces below someone can see something I have that I shouldn't or vice versa. Internal network 192.168.3.x, VPN pool 192.168.100.x
ip local pool GriffinVPNPool1 192.168.100.1-192.168.100.255 mask 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.3.0_24
 subnet 192.168.3.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.3.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
object network obj_any
 nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 inside vpnlb-ip
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.2.04039-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-4.2.00096-k9.pkg 2
 anyconnect profiles GriffinVPN_client_profile disk0:/GriffinVPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_GriffinVPN internal
group-policy GroupPolicy_GriffinVPN attributes
 wins-server none
 dns-server value 24.196.64.53
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain none
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
Thank you in advance for help
09-01-2016 06:53 AM
You need to allow the ASA to route traffic from the VPN back out on the interface it arrived on, which is the outside.
Enter the command same-security-traffic permit intra-interface in global configuration mode.
Hope this helps.
Please rate any helpful posts.
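An added example, not part of the original posts or of any Cisco tooling: a short Python check that reads an ASA configuration excerpt and reports the settings involved in the fix above. The sample is a trimmed, constructed excerpt of the configuration posted in this thread; the function names, and the assumption that private pool addresses need dynamic NAT to reach the internet, belong to this example.

```python
import re

# Constructed sample: trimmed excerpt of the configuration posted in this thread.
SAMPLE_CONFIG = """\
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface
group-policy GroupPolicy_GriffinVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
"""

def audit_hairpin(config, vpn_ifc="outside"):
    """Report the settings that decide whether VPN clients can reach the
    internet through the interface their tunnel terminates on."""
    report = {"intra_interface": False, "dynamic_nat": False, "split_policy": {}}
    group = None
    for raw in config.splitlines():
        ln = raw.strip()
        if not raw.startswith(" "):
            group = None  # a top-level command ends the previous sub-mode
        # The command from the accepted answer: lets traffic enter and leave
        # the same interface (client -> outside -> internet).
        if ln == "same-security-traffic permit intra-interface":
            report["intra_interface"] = True
        # Assumption: pool addresses are private, so hairpinned traffic needs a
        # dynamic NAT/PAT rule from the VPN interface (or "any") to that interface.
        m = re.match(r"nat \((\w+),(\w+)\) .*\bdynamic\b", ln)
        if m and m.group(1) in (vpn_ifc, "any") and m.group(2) == vpn_ifc:
            report["dynamic_nat"] = True
        # Remember which group-policy the split-tunnel setting belongs to.
        m = re.match(r"group-policy (\S+) attributes$", ln)
        if m:
            group = m.group(1)
        m = re.match(r"split-tunnel-policy (\S+)$", ln)
        if m and group:
            report["split_policy"][group] = m.group(1)
    return report

def findings(report):
    """Turn the report into a list of missing pieces (empty list = nothing found)."""
    out = []
    if not report["intra_interface"]:
        out.append("add: same-security-traffic permit intra-interface")
    if not report["dynamic_nat"]:
        out.append("no dynamic NAT covers traffic arriving on the VPN interface")
    return out

if __name__ == "__main__":
    print(findings(audit_hairpin(SAMPLE_CONFIG)))
```

The script expects the one-space indentation that `show running-config` produces for sub-mode commands.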
09-01-2016 07:40 AM
Worked perfectly. Thank you!