07-10-2019 12:44 PM
Dear Cisco community,
I have a problem with an ASA5510 (OS: 9.1(6)10; ASDM: 7.6(2)150) and AnyConnect 4.X clients and I really need your help and ideas!
The AnyConnect clients (no Split Tunnel) can connect and reach hosts directly on the inside interface but they cannot reach IP nodes in the Internet. All traffic from the users must go through the tunnel and Split Tunnel is not allowed.
I determined that the AnyConnect client cannot ping its default gateway indicated by the ipconfig command when connected. The ASA cannot ping this default gateway (first IP address in the pool) either.
I have already done the following:
1. Checked the connection profile (DefaultWEBVPNGroup) for the AnyConnect clients in the ASDM - no reason for the issue found.
2. Checked the group policy (GP_VPN_PA_User) for the AnyConnect clients in the ASDM - no reason for the issue found.
3. Checked the relevant system settings:
fw-pa/act(config)# sh run same-security-traffic
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface <---
fw-pa/act(config)# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn <---
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
sysopt noproxyarp inside
no sysopt noproxyarp gast-wlan
no sysopt noproxyarp dmz1
The VPN-Filter (vpnfilter-gp_VPN_PA_User) in the group policy does not contain a deny statement that prevents the Internet access.
I have pasted the relevant configuration lines and hope I have not forgotten anything:
ip local pool vpn-bh-ra-pool 192.168.253.1-192.168.253.254
...
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-bh-ra-pool
 authentication-server-group LDAP_Servers
 default-group-policy GP_Deny_ALL
...
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.2.0 255.255.254.0 log disable
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.8.0 255.255.255.0 log disable
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.18.0 255.255.254.0 log disable
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.20.0 255.255.254.0 log disable
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.22.0 255.255.255.0 log disable
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.96.0 255.255.254.0 log disable
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.102.0 255.255.255.0 log disable
access-list vpnfilter-gp_VPN_PA_User extended permit ip any host 172.16.4.38 log disable
access-list vpnfilter-gp_VPN_PA_User extended permit ip any host 172.16.32.38 log disable
access-list vpnfilter-gp_VPN_PA_User extended permit ip any object H-HAG-CTX1 log disable
access-list vpnfilter-gp_VPN_PA_User extended permit ip any object H-HAG-CTX2 log disable
access-list vpnfilter-gp_VPN_PA_User extended permit ip any object-group grp-adito
access-list vpnfilter-gp_VPN_PA_User extended permit ip any object h-172.17.0.14
access-list vpnfilter-gp_VPN_PA_User extended permit ip any object AditoService
...
access-list vpnfilter-DenyAll extended permit ip any object AditoService inactive
access-list vpnfilter-DenyAll extended deny ip any any
...
group-policy GP_VPN_PA_User internal
group-policy GP_VPN_PA_User attributes
 wins-server value 172.16.2.32 172.16.2.33
 dns-server value 172.16.2.32 172.16.2.33
 vpn-filter value vpnfilter-gp_VPN_PA_User
 vpn-tunnel-protocol ssl-client ssl-clientless
 msie-proxy pac-url value http://bh-enterprise.company.org/wpad.dat
 webvpn
  anyconnect modules value vpngina
  anyconnect profiles value GP_VPN_AC_SBL type user
...
group-policy GP_Deny_ALL internal
group-policy GP_Deny_ALL attributes
 wins-server value 172.16.2.32 172.16.2.33
 dns-server value 172.16.2.32 172.16.2.33
 vpn-simultaneous-logins 3
 vpn-filter value vpnfilter-DenyAll
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value company.org
...
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-bh-ra-pool
 authentication-server-group LDAP_Servers
 default-group-policy GP_Deny_ALL
My questions:
1. What can cause such behaviour of the AnyConnect clients and where would you look to find the reason for this issue?
2. Do you have any sample configuration for AnyConnect (no Split Tunnel) with Internet access?
Every hint is very welcome and will be followed.
Thanks a lot!
Greetings!
07-10-2019 12:55 PM
07-13-2019 12:46 PM
Hi RJI,
thanks for the hints!
I found the reason in the NAT because the existing 'nat (outside,outside)' command was insufficient. The Packet tracer pointed to an ACL and sent me to the wrong trace :-(
Thanks a lot!
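Added example of the hairpin ("outside,outside") NAT that the reply identifies as the missing piece for a full-tunnel AnyConnect setup; this is not the poster's or Cisco's configuration. It reuses the address pool from the question; the object name obj-anyconnect-pool and the NAT line position are assumptions.

```cisco
! Pool from the question (192.168.253.0/24), wrapped in a network object
! named obj-anyconnect-pool (assumed name) so it can be referenced by NAT.
ip local pool vpn-bh-ra-pool 192.168.253.1-192.168.253.254
object network obj-anyconnect-pool
 subnet 192.168.253.0 255.255.255.0
!
! Full-tunnel client traffic enters on outside and must leave on outside
! again; the ASA only allows that with intra-interface traffic permitted.
same-security-traffic permit intra-interface
!
! Hairpin PAT: client pool addresses are translated to the outside interface
! address for flows that both enter and exit the outside interface. Placed
! at position 1 (assumed) so a broader rule cannot shadow it.
nat (outside,outside) 1 source dynamic obj-anyconnect-pool interface
```

To confirm the translation is hit, `packet-tracer input outside tcp 192.168.253.10 12345 203.0.113.10 443 detailed` (with 203.0.113.10 standing in for any Internet host) should show a NAT phase using this rule and an ALLOW result; note that a vpn-filter ACL ends with an implicit deny, so the filter attached to the group policy must also permit the Internet destinations the clients need.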