AnyConnect connected with no network access

mau792
Level 1
Level 1

Dear all,

 

I'm struggling with an ASA 5506 config for VPN.

Simple config, outside is static and connected to the provider router (192.168.0.0/24) and inside is 192.168.1.0/24. ASA is not handling DHCP because there is a domain controller doing it, which is also the main DNS for the corp network.

 

AnyConnect configured via wizard. I'm able to connect and establish a VPN and I'm getting the IP assigned by the ASA (static). DNS and gateway are correctly assigned (ipconfig). However there is no way to access the network. Cannot even ping the ASA on 192.168.1.1. I guess it might be related to a routing issue. On AnyConnect (on Windows client) I have routing 0.0.0.0.

 

Thanks

18 Replies

192.168.1.208/28 is the network range you've assigned to your Remote Access users, the object used in the rule was already defined in your configuration.

 

You can see from your output traffic is matching that NAT rule

 

Manual NAT Policies (Section 1)
1 (any) to (outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.208_28 NETWORK_OBJ_192.168.1.208_28 no-proxy-arp
translate_hits = 62, untranslate_hits = 188

 

So how are you testing and confirming it's not working? Can you ping an IP address? Don't use its DNS name; this would confirm whether it's a DNS issue.

 

Provide the output of "show vpn-sessiondb detail anyconnect" when a user is connected to the VPN.

Provide a screenshot from windows of "route print" in particular the "IPv4 Route table"

 

Run packet-tracer from the CLI and provide the output for review

Great! Getting closer.

 

I can ping all the devices on 192.168.1.0/24, and actually access them, excluding web (shared folders are working, RDP is working, printers, ...), but web services are not reachable (via IP directly - no DNS).

I cannot ping the router on 192.168.0.1 (outside interface) and I cannot browse on the web (always outside interface).

 

Thanks

Add the following for internet access

 

same-security-traffic permit intra-interface

object network NETWORK_OBJ_192.168.1.208_28
nat (OUTSIDE,OUTSIDE) dynamic interface

 

When you say web services are not working do you mean internal hosted web services or the internet access? Can you access RDP servers via their hostname or only the IP address?


Amend your group-policy:-

 

group-policy GroupPolicy_AnyConnectSSL attributes
dns-server value 192.168.1.21
no split-dns value 192.168.1.21 8.8.8.8
no split-tunnel-all-dns enable

 

Great, 

everything is working fine.

 

Thank you guys :)

 

Regards,
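The fixes that the thread converges on, collected into one ASA configuration with a verification step, as an added example that is not taken from any post above. Interface names `inside`/`outside`, the pool name `ANYCONNECT_POOL` and the test host 192.168.1.50 are assumptions; the object names, pool range, DNS server and group-policy name are the ones from the thread.

```cisco
! --- VPN pool and the objects the NAT rules reference ---
! Pool 192.168.1.208/28 (usable .209-.222) as used in this thread.
ip local pool ANYCONNECT_POOL 192.168.1.209-192.168.1.222 mask 255.255.255.240
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.208_28
 subnet 192.168.1.208 255.255.255.240

! --- 1. NAT exemption: LAN <-> VPN clients must not be translated ---
! Without this identity rule the ASA translates VPN traffic and replies
! never reach the client. This is the rule whose hit counters the thread
! checked with "show nat detail" (translate_hits / untranslate_hits).
nat (any,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.208_28 NETWORK_OBJ_192.168.1.208_28 no-proxy-arp route-lookup

! --- 2. Internet access for tunnel-all clients (hairpinning) ---
! Traffic enters and leaves on "outside", which the ASA drops by default.
! Permit it, then PAT the pool to the outside interface address.
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.1.208_28
 nat (outside,outside) dynamic interface

! --- 3. Name resolution: hand clients the internal DNS only ---
! Matches the group-policy change from the thread; split-DNS is removed so
! all lookups go to the domain controller through the tunnel.
group-policy GroupPolicy_AnyConnectSSL attributes
 dns-server value 192.168.1.21
 no split-dns value 192.168.1.21 8.8.8.8
 no split-tunnel-all-dns enable

! --- Verification (run with a client connected) ---
! Session details, including the assigned address and filter/policy in use:
show vpn-sessiondb detail anyconnect
! LAN host (assumed 192.168.1.50) pinging a VPN client at 192.168.1.210:
! expect the NAT phase to show the identity rule above and "Action: allow".
packet-tracer input inside icmp 192.168.1.50 8 0 192.168.1.210 detailed
! VPN client reaching the Internet through the hairpin (any public IP as dst):
packet-tracer input outside tcp 192.168.1.210 12345 8.8.8.8 443 detailed
! Confirm the exemption and hairpin rules are accumulating hits:
show nat detail
```

If the first packet-tracer ends in a drop at the NAT phase, the identity rule is either missing or ordered after a broader manual NAT rule; if the second drops at the ACL or NAT phase, the intra-interface permit or the (outside,outside) PAT is missing.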
