Cisco ASA 5525 Client VPN

jthombs1016
Level 1

Hello all

I have a strange issue with a new client VPN. When I connect to the VPN I am unable to ping the inside interface or browse the Internet. I have attached the firewall configuration. Can anyone spot what I am missing?

Thanks

4 Replies

Rahul Govindan
VIP Alumni

2 issues:

1) Internet access: Your VPN is not set up for split tunneling. That means all traffic from your PC is going to be sent to the ASA, which includes Internet traffic. If you want to access the Internet through the ASA, you need to create NAT rules to u-turn the traffic on the outside interface.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html#anc6

If you want split tunnel, you need to create the split-tunnel policy and apply it to the group-policy as shown in the link below:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html#anc9

2) Inside interface access: Your management access is set to the Management interface.

management-access Management

This setting is required for VPN users to be able to ping or SSH to a particular interface. You can only set one interface for management-access, so changing it to inside will allow you to ping the inside interface.

Thanks Rahul, what would the NAT rule look like? I would like to have all the Internet traffic go through the firewall.

The NAT rule would look something like below. The pool object and IP address should be the object name and subnet you used in your config.

ciscoasa(config)# object network obj-AnyconnectPool
ciscoasa(config-network-object)# subnet 192.168.10.0 255.255.255.0
ciscoasa(config-network-object)# nat (outside,outside) dynamic interface

You would also need the below command for u-turning:

ciscoasa(config)# same-security-traffic permit intra-interface

This is documented in the link I pasted before:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html#anc6
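The two replies above add up to a short checklist for a full-tunnel AnyConnect setup on an ASA: hairpin (u-turn) NAT for the VPN pool on the outside interface, `same-security-traffic permit intra-interface`, and `management-access` on the interface you want to reach from the tunnel (or, alternatively, a split-tunnel policy on the group-policy, in which case the hairpin pieces are not needed). The script below is an added example, not code from the thread or from Cisco: it lints a pasted ASA running-config for exactly those settings and prints the remediation lines. The sample config, the object name `obj-AnyconnectPool`, the pool subnet and the group-policy name `GroupPolicy_AnyConnect` are constructed to mirror the poster's symptoms; substitute your own. It does not check interface ACLs, `sysopt connection permit-vpn`, or DNS, which can also break Internet access from the tunnel.

```python
"""Lint a Cisco ASA running-config for the settings discussed in the thread:
split tunneling, hairpin NAT for the VPN pool, same-security-traffic, and
management-access. Added example; sample config below is constructed."""
import re

# Constructed sample: full-tunnel AnyConnect, pool object defined but no
# hairpin NAT, no intra-interface permit, management-access on Management.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface Management0/0
 nameif Management
 security-level 100
ip local pool AnyconnectPool 192.168.10.1-192.168.10.254 mask 255.255.255.0
object network obj-AnyconnectPool
 subnet 192.168.10.0 255.255.255.0
object network obj-inside
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 vpn-tunnel-protocol ssl-client
 address-pools value AnyconnectPool
management-access Management
"""


def parse_objects(config):
    """Map each 'object network' name to the indented lines beneath it.
    An object re-entered later in the config accumulates its lines."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            objects.setdefault(current, [])
        elif line.startswith(" ") and current:
            objects[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the object block
    return objects


def has_hairpin_nat(objects, pool_subnet, outside="outside"):
    """True if an object covering the pool subnet carries nat (outside,outside)."""
    for lines in objects.values():
        if f"subnet {pool_subnet}" in lines:
            if any(re.match(rf"nat \({outside},{outside}\) dynamic ", l) for l in lines):
                return True
    return False


def split_tunnel_policy(config, group_policy):
    """Return the split-tunnel-policy under the group-policy attributes, or None."""
    in_gp = False
    for line in config.splitlines():
        if line == f"group-policy {group_policy} attributes":
            in_gp = True
        elif in_gp and not line.startswith(" "):
            in_gp = False
        elif in_gp:
            m = re.match(r"split-tunnel-policy (\S+)", line.strip())
            if m:
                return m.group(1)
    return None


def management_access_interface(config):
    m = re.search(r"^management-access (\S+)$", config, re.M)
    return m.group(1) if m else None


def audit(config, pool_subnet, group_policy, pool_obj, inside="inside"):
    """Return {finding: remediation config lines} for what is still missing."""
    objects = parse_objects(config)
    findings = {}
    # No policy or 'tunnelall' means every client packet, Internet included,
    # arrives on the outside interface and must be u-turned back out.
    full_tunnel = split_tunnel_policy(config, group_policy) in (None, "tunnelall")
    if full_tunnel and not has_hairpin_nat(objects, pool_subnet):
        findings["no hairpin NAT for VPN pool"] = (
            f"object network {pool_obj}\n subnet {pool_subnet}\n"
            " nat (outside,outside) dynamic interface")
    if full_tunnel and "same-security-traffic permit intra-interface" not in config:
        findings["intra-interface traffic not permitted"] = (
            "same-security-traffic permit intra-interface")
    if management_access_interface(config) != inside:
        findings["management-access not on inside"] = f"management-access {inside}"
    return findings


if __name__ == "__main__":
    for finding, fix in audit(SAMPLE_CONFIG, "192.168.10.0 255.255.255.0",
                              "GroupPolicy_AnyConnect", "obj-AnyconnectPool").items():
        print(f"{finding}:\n{fix}\n")
```

Run it against the output of `show running-config`; an empty result means the three full-tunnel conditions (or split tunnel plus management-access) are in place, after which any remaining failure is an ACL, `sysopt`, or DNS problem rather than the NAT/hairpin setup.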
I am now connected to the VPN. I can't browse or ping the Internet. Am I missing some access rules?
