03-20-2020 10:10 PM - last edited on 03-24-2020 10:06 AM by Monica Lluis
You can ask your question in your own language:
Español | Português | Français | Русский | 日本語 | 简体中文 |
Here’s your chance to discuss Cisco Secure Remote Working technologies such as AnyConnect, ASA, FTD, Duo, and Umbrella. In this session, the experts will answer questions about emergency licenses, design, configuration, and troubleshooting. Our experts span more than 12 time zones. Also, we’ll be translating the session into multiple languages to provide you with the best experience possible.
This forum event works well as an introduction for those who are not familiar with these security solutions and/or have recently started using them.
To participate in this event, please use the button below to ask your questions
Ask questions from Friday, March 20 to Friday, April 3, 2020
Divya Nair is a Technical Marketing Engineer with the Security Business Group in Raleigh, North Carolina. She has more than 10 years of experience in Cisco network security technologies, including firewalls, IPS, VPN, and AAA; and is currently focusing on VPN and firewall management platforms. Divya holds a Bachelor's degree in Computer Science and Engineering.
**Helpful votes encourage participation!**
Please be sure to rate the Answers to Questions
03-23-2020 04:18 AM
Hi,
Can you share the output of show run group-policy <policy-name>?
Regards,
Aditya
03-23-2020 09:37 PM
Hi,
Here is my sh run group-policy output:
1)
group-policy it-test internal
group-policy it-test attributes
dns-server value 192.168.1.100
vpn-idle-timeout 20
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value it-test-acl
default-domain value test.local
address-pools value it-test-pool
2) group-policy it-test2 internal
group-policy it-test2 attributes
wins-server none
dns-server value 192.168.1.100
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value it-test2-acl
default-domain value test.local
split-dns value test.local test.com
split-tunnel-all-dns disable
address-pools value it-test2-Pool
Tried the below also after removing "split-tunnel-all-dns disable", but it did not help.
3) group-policy it-test2 internal
group-policy it-test2 attributes
wins-server none
dns-server value 192.168.1.100
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value it-test2-acl
default-domain value test.local
split-dns value test.local test.com
split-tunnel-all-dns disable
address-pools value it-test2-Pool
Thanks
03-24-2020 12:11 AM
03-25-2020 02:32 AM
Please disable/remove the tunnel-all split-DNS config and keep the split-dns values; also ensure that the DNS server IP is part of the split tunnel ACL.
Disabled, and the full subnet (192.168.1.0/24) is part of the split tunnel ACL.
To confirm the DNS lookups (if they are going through AnyConnect) you can use Wireshark: start a capture on the machine and check on which adapter the DNS requests go out.
Yes, it is going through AnyConnect.
Please share the output of ipconfig /all from the test machine and the captures if possible.
Attached.
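A small consistency check for the advice in this exchange, written as an added example (it is not from the thread or from Cisco): it parses the posted it-test2 group-policy text and flags the split-DNS conditions discussed above. The contents of it-test2-acl are an assumption, since the thread only names the ACL and says 192.168.1.0/24 is in it.

```python
import ipaddress

# Constructed sample: the it-test2 group-policy as posted in the thread,
# with the split-tunnel-all-dns line still present (the state before the advice).
GROUP_POLICY = """\
group-policy it-test2 internal
group-policy it-test2 attributes
 wins-server none
 dns-server value 192.168.1.100
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value it-test2-acl
 default-domain value test.local
 split-dns value test.local test.com
 split-tunnel-all-dns disable
 address-pools value it-test2-Pool
"""

# Assumed contents of it-test2-acl (hypothetical; the thread does not show the ACL).
SPLIT_ACL = ["192.168.1.0/24"]


def parse_group_policy(text):
    """Return {attribute: [values]} from a 'show run group-policy' attributes block."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("group-policy "):
            continue  # skip the 'internal' and 'attributes' header lines
        key, _, rest = line.partition(" ")
        values = rest.split()
        if values and values[0] == "value":  # 'dns-server value X' -> ['X']
            values = values[1:]
        attrs[key] = values
    return attrs


def check_split_dns(policy_text, acl_networks):
    """Apply the thread's troubleshooting checks and return a list of findings."""
    attrs = parse_group_policy(policy_text)
    findings = []
    if attrs.get("split-tunnel-policy") != ["tunnelspecified"]:
        findings.append("split-tunnel-policy is not tunnelspecified")
    if not attrs.get("split-dns"):
        findings.append("no split-dns domains configured")
    if "split-tunnel-all-dns" in attrs:  # present in any form: remove it, keep split-dns
        findings.append("remove 'split-tunnel-all-dns %s'" % " ".join(attrs["split-tunnel-all-dns"]))
    nets = [ipaddress.ip_network(n) for n in acl_networks]
    for dns in attrs.get("dns-server", []):  # DNS server must be reachable via the tunnel
        if not any(ipaddress.ip_address(dns) in n for n in nets):
            findings.append("dns-server %s is not covered by the split-tunnel ACL" % dns)
    return findings
```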
03-25-2020 04:22 AM
03-25-2020 06:14 AM
Thanks for the reply.
What I mean is that it is working when I am on AnyConnect. If I remove "split-dns value test.com", it goes to the public DNS (ISP) through the physical adapter and public IP address,
and the internal DNS server works from our local LAN (I can share the packet capture soon).
And can you tell me why the AnyConnect MAC address is shown as 00:11:22:33:44:55?
Thanks
03-25-2020 07:13 AM
03-25-2020 07:34 AM
Thanks for the reply,
I have removed the subnet from the ACL, but it is giving the same issue.
From the Wireshark capture analysis, the DNS query is responding with an error?
When you say "The MAC address is for the Destination IP, your next hop."
It could be the ASA firewall interface?
Thanks
03-25-2020 08:12 AM
03-24-2020 05:08 AM
Hello all, I have several questions:
1. Am I correct in understanding that webvpn customization (i.e. the webvpn home page) and AnyConnect customization (messages, languages etc.) are not currently supported when using Firepower Threat Defense (FTD) device as the headend? (either FMC-managed or FDM/CDO-managed)
2. Basic posture checking like we are able to do with ASA and DAP/Hostscan is not currently an option with FTD alone (i.e. we must refer to an external solution like ISE) - correct?
3. For DAP/Hostscan with ASA, does it require AnyConnect Premium and is it supported on ASAv platform models?
03-24-2020 05:44 AM
Hi Marvin,
03-24-2020 06:04 AM
Thanks Divya,
One follow-up: a couple of us have tried getting DAP going on ASAv and ran into problems. Please see this thread:
https://community.cisco.com/t5/vpn/asa-virtual-unable-to-activate-hostscan/td-p/4044100
Is that something you can answer here or should we open a TAC case?
03-24-2020 06:20 AM
03-24-2020 06:22 AM
Updated on the post you mentioned too.
03-24-2020 07:19 AM - edited 03-24-2020 10:09 AM
Thanks @Divya Nair and @Aditya Ganjoo !
To fill in readers here, bumping the memory to run the ASAv as an ASAv10 (vs. ASAv5) model fixes the inability to add in Hostscan, which is necessary to use DAP.