01-22-2018 06:03 PM - edited 03-12-2019 04:56 AM
I'm trying to configure a VPN tunnel group that doesn't use split tunneling. I get connected via AnyConnect but then can't connect to the Internet. What am I missing?
ASA# sh vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : mmurray Index : 140
Assigned IP : 10.120.20.35 Public IP : 76.X.X.X
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 19134 Bytes Rx : 17796
Group Policy : vpngroup_no_split_tunnel
Tunnel Group : RADgroup_no_split_tunnel
Login Time : 20:14:59 EST Mon Jan 22 2018
Duration : 0h:00m:05s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0ac833010008c0005a668c93
Security Grp : none
ASA# sh run tunnel-group RADgroup_no_split_tunnel
tunnel-group RADgroup_no_split_tunnel type remote-access
tunnel-group RADgroup_no_split_tunnel general-attributes
 address-pool toddsvpnpool
 authentication-server-group RADIUS
 default-group-policy vpngroup_no_split_tunnel
tunnel-group RADgroup_no_split_tunnel webvpn-attributes
 group-alias vpngroup_no_split_tunnel enable
tunnel-group RADgroup_no_split_tunnel ipsec-attributes
 ikev1 pre-shared-key *****
ASA# sh run group-policy vpngroup_no_split_tunnel
group-policy vpngroup_no_split_tunnel internal
group-policy vpngroup_no_split_tunnel attributes
 wins-server value 10.10.2.1 10.20.2.60
 dns-server value 10.10.2.1 10.10.2.2
 vpn-idle-timeout 30
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
ASA# sh run webvpn
webvpn
 enable lan
 enable outside2
 anyconnect image disk0:/anyconnect-win-4.1.02011-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-4.1.02011-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
01-22-2018 11:34 PM
As mentioned, you need NAT from outside to outside:
nat (outside,outside) after-auto source dynamic VPN-POOL interface
And in addition to that, same-security-traffic has to be enabled:
same-security-traffic permit intra-interface
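The complete full-tunnel configuration that the answer above describes, as an added example and not config posted in this thread. It assumes the pool toddsvpnpool is 10.120.20.0/24 (inferred from the 10.120.20.35 lease in the session output; the real range is not shown) and that AnyConnect clients terminate on outside2, since that is where webvpn is enabled in the poster's output. The answer wrote outside; use whichever interface name the sessions actually arrive on, and note that the same interface must appear on both sides of the nat statement. The object name VPN-POOL is taken from the answer; it is an assumed name that must be defined before the nat line references it.

```text
! Pool the tunnel-group hands out (range assumed, see lead-in)
ip local pool toddsvpnpool 10.120.20.1-10.120.20.254 mask 255.255.255.0

! Object covering exactly the pool. Keep it no wider than the pool,
! otherwise the hairpin rule below would also translate other traffic.
object network VPN-POOL
 subnet 10.120.20.0 255.255.255.0

! A decrypted packet enters on outside2 and must leave on outside2 again.
! Without this, the ASA drops traffic that re-exits the ingress interface.
same-security-traffic permit intra-interface

! Hairpin NAT: full-tunnel clients reach the Internet sourced from the
! outside2 interface address. after-auto puts the rule in section 3, so
! any existing NAT for inside hosts is matched first and is not overridden.
nat (outside2,outside2) after-auto source dynamic VPN-POOL interface

! tunnelall is the default when no split-tunnel-policy is set; stating it
! makes the intent of this group-policy explicit.
group-policy vpngroup_no_split_tunnel attributes
 split-tunnel-policy tunnelall

! Verification after a client connects and browses:
! translate_hits on the (outside2,outside2) rule should increase, and the
! xlate table should show pool addresses mapped to the outside2 address.
show nat detail
show xlate
```

Two practitioner caveats: every byte of client Internet traffic now egresses through the ASA's public address, so capacity and egress filtering on outside2 have to account for remote users, and the same intra-interface permit also lets one VPN client reach another through the hub unless a vpn-filter on the group-policy restricts it.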
01-22-2018 06:32 PM
have you checked your nat settings?
01-23-2018 02:26 PM
Thanks Karsten, I had the
same-security-traffic permit intra-interface
command in there but not the NAT.