AnyConnect clients can't access internet

dennishoutsma
Level 1

I'm trying to configure AnyConnect VPN, but I can't figure out two things:

1. In the AnyConnect profile all traffic is tunneled; unfortunately the clients aren't able to connect to the ASA or to the internet.

2. Clients connected to the SplitTunnel profile aren't able to contact the ASA.

Below is my config:

: Saved
:
ASA Version 8.4(4)3
!
hostname ASA01
enable password ****** encrypted
passwd ***** encrypted
names
name 192.168.2.253 Guest_WAP
name 10.5.5.150 SynologyDS
name 10.6.6.0 VPN_Network
!
interface Ethernet0/0
switchport access vlan 6
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 2
!
interface Vlan1
nameif LAN
security-level 100
ip address 10.5.5.254 255.255.255.0
!
interface Vlan2
nameif Guest
security-level 20
ip address 192.168.1.254 255.255.255.0
!
interface Vlan6
nameif outside
security-level 0
ip address pppoe setroute
!
boot system disk0:/asa844-3-k8.bin
ftp mode passive
clock timezone GMT 0
dns domain-lookup LAN
dns server-group DefaultDNS
name-server SynologyDS
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN_Network
subnet 10.6.6.0 255.255.255.0
object network LAN_Network
subnet 10.5.5.0 255.255.255.0
object network Guest_Network
subnet 192.168.1.0 255.255.255.0
object network Guest_WAP
host 192.168.2.253
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list LAN_access_in extended permit ip any any
access-list LAN_access_in extended permit ip object VPN_Network any
access-list Outside_access_in extended permit ip object VPN_Network any
access-list LAN_nat0_outbound extended permit ip any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list AnyConnect_SplitTunnel standard permit 10.5.5.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 20096
logging asdm-buffer-size 500
logging asdm informational
mtu LAN 1500
mtu Guest 1500
mtu outside 1500
ip local pool AnyConnect_DHCP_Pool 10.6.6.1-10.6.6.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,LAN) source static VPN_Network VPN_Network
nat (outside,outside) source dynamic VPN_Network interface
nat (LAN,outside) source dynamic LAN_Network interface
access-group LAN_access_in in interface LAN
access-group Guest_access_in in interface Guest
access-group Outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl LAN_nat0_outbound
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.5.5.0 255.255.255.0 LAN
http VPN_Network 255.255.255.0 LAN
http VPN_Network 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.5.5.0 255.255.255.0 LAN
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group KPN request dialout pppoe
vpdn group KPN localname ******
vpdn group KPN ppp authentication pap
vpdn username ***** password ***** store-local
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.40 Guest
dhcpd dns SynologyDS 8.8.8.8 interface Guest
dhcpd enable Guest
!
webvpn
enable outside
anyconnect image disk0:/anyconnect-macosx-i386-3.1.01065-k9.pkg 3
anyconnect image disk0:/anyconnect-win-2.5.6005-k9.pkg 4
anyconnect profiles AnyConnect disk0:/anyconnect.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy SplitTunnel internal
group-policy SplitTunnel attributes
wins-server none
dns-server value 10.5.5.150 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AnyConnect_SplitTunnel
split-tunnel-all-dns disable
group-policy AnyConnect internal
group-policy AnyConnect attributes
wins-server none
dns-server value 10.5.5.150
vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
  url-list value AnyConnect
  anyconnect profiles value AnyConnect type user
  always-on-vpn profile-setting
username **** password ***** encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool AnyConnect_DHCP_Pool
secondary-authentication-server-group DUO-LDAP use-primary-username
default-group-policy AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
group-url *******
tunnel-group SplitTunnel type remote-access
tunnel-group SplitTunnel general-attributes
address-pool AnyConnect_DHCP_Pool
default-group-policy SplitTunnel
tunnel-group SplitTunnel webvpn-attributes
group-alias SplitTunnel enable
group-url ***** enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4ca9289170b2f56081e2f027a538d220
: end

6 Replies

Tarik Admani
VIP Alumni

Hi

You said that you can't get the AnyConnect client to connect?

Can you check the activation keys to make sure the 3DES license is installed?

Also is this connected behind a firewall or is this connected at the edge?


Sent from Cisco Technical Support Android App


Hi Tarik,

The ASA is directly connected to the internet using PPPoE. AnyConnect clients are able to connect, but when they're connected they can't access the ASA's internal IP address (by ping/ASDM). Also they can't access the internet through the ASA.

As for the management access (say ASDM) to the LAN interface through the tunnel, you should issue management-access LAN.

About clients not being able to access the Internet: do the clients acquire IP addresses? Are they able to access the LAN? To me, the tunnel-group and NAT config seem to be fine.

Management access is available to the internal network (10.5.5.0/24), except for the AnyConnect clients (10.6.6.0/24).

I will try your suggestion to issue the 'management-access LAN' command when I'm home.

The AnyConnect client gets a 10.6.6.x IP address and is able to access the internal network.

Hi,

Let's try to remove the entries below and check:

access-list LAN_access_in extended permit ip object VPN_Network any

access-group LAN_access_in in interface LAN

nat (outside,outside) source dynamic VPN_Network interface

Add one ACL with source any (or your VPN pool range) and destination your LAN:

access-list LAN_access_in extended permit ip VPN_POOL LAN

access-group LAN_access_in in interface LAN
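A small checker for the two issues discussed in this thread: the hairpin NAT and intra-interface settings that full-tunnel clients depend on for internet access, and the management-access and split-tunnel conditions that decide whether clients can reach the ASA's own LAN address. This is an added example, not code from the thread or from Cisco; the function names are invented, and the config excerpt is constructed from lines of the posted config.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in the thread; only the lines the
# checks below look at are reproduced (object/ACL/interface names as posted).
POSTED_CONFIG = """\
interface Vlan1
nameif LAN
ip address 10.5.5.254 255.255.255.0
same-security-traffic permit intra-interface
access-list AnyConnect_SplitTunnel standard permit 10.5.5.0 255.255.255.0
nat (outside,LAN) source static VPN_Network VPN_Network
nat (outside,outside) source dynamic VPN_Network interface
nat (LAN,outside) source dynamic LAN_Network interface
"""


def check_vpn_config(cfg, pool_obj="VPN_Network", inside="LAN", outside="outside"):
    """Pass/fail findings for the conditions the replies touch on:
    hairpin_pat: full-tunnel clients must be PAT'd back out of the outside interface;
    intra_interface: that hairpin is only allowed with intra-interface traffic permitted;
    identity_nat: VPN-to-LAN traffic must not be translated;
    management_access: needed to ping/ASDM the ASA's inside address over the tunnel."""
    lines = {line.strip() for line in cfg.splitlines()}
    return {
        "intra_interface": "same-security-traffic permit intra-interface" in lines,
        "hairpin_pat": f"nat ({outside},{outside}) source dynamic {pool_obj} interface" in lines,
        "identity_nat": f"nat ({outside},{inside}) source static {pool_obj} {pool_obj}" in lines,
        "management_access": f"management-access {inside}" in lines,
    }


def split_list_covers_inside(cfg, acl="AnyConnect_SplitTunnel", inside="LAN"):
    """True if the split-tunnel ACL covers the inside interface's own address, so
    split-tunnel clients at least send traffic for the ASA's LAN IP into the tunnel."""
    addr, current = None, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current == inside:
            addr = ipaddress.ip_address(line.split()[2])
    nets = [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            for m in re.finditer(rf"access-list {re.escape(acl)} standard permit (\S+) (\S+)", cfg)]
    return addr is not None and any(addr in n for n in nets)


if __name__ == "__main__":
    for name, ok in check_vpn_config(POSTED_CONFIG).items():
        print(f"{name:18} {'ok' if ok else 'MISSING'}")
    print("split list covers inside IP:", split_list_covers_inside(POSTED_CONFIG))
```

Run against the posted config it reports everything present except management-access, which matches the reply above: the split-tunnel list already routes 10.5.5.254 into the tunnel, so the missing management-access is what keeps both profiles from reaching the ASA's LAN address.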
