ASA 5505 ver 8.2 Anyconnect VPN

ketansoni1
Level 1

Hello Community

I have successfully been able to connect to my network, configuring the ASA to allow the Cisco AnyConnect client.

Once connected, I am not able to browse the internet but I am able to SSH/HTTP onto my servers. I suspect I have not configured DNS; I believe split tunnelling is turned on by default. Looking for any solutions please.

My inside network is on 172.16.6.0/23

I created an IP pool 172.16.100.1-172.16.100.5; when connecting via AnyConnect I get a 100.2 IP address.

See below the 1st NAT exempt. Would I need to remove this, or do I have to put an internal route in?

access-list INT_NONAT line 7 extended permit ip 172.16.6.0 255.255.254.0 172.16.100.0 255.255.255.0

2nd NAT exempt rule: 192.168.1.0/24 is my internet IP, let's say from home, going to my corp IP.
access-list INT_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.6.0 255.255.254. (my private home network)


Any ideas would be great. Thank You

4 Replies

Without seeing your configuration it is difficult to say exactly what the problem is.

For your AnyConnect VPN to access the inside network you need to have NAT exempt configured if the VPN head end has dynamic NAT configured on it. You will also need to have a dynamic NAT configured for the AnyConnect VPN subnet for outside to outside. In addition to this you need the command same-security-traffic permit intra-interface.

Hope this helps.

--
Please remember to select a correct answer and rate helpful posts

ketansoni1
Level 1

Any suggestions

Thank you

I gave you some things to look for in my previous post.

--
Please remember to select a correct answer and rate helpful posts

Hello @ketansoni1

As @Marius Gunnerud already mentioned, you need to verify the NAT outside,outside for the traffic and also the same-security-traffic configuration.

But based on your statement, we need to check the configuration:

"Once connected, I am not able to browse the internet but I am able to SSH/HTTP onto my servers. I suspect I have not configured DNS; I believe split tunnelling is turned on by default. Looking for any solutions please."

My question is, would you like to do Split-Tunnel or Tunnel All? Just for reference, the default is tunnel all, and if you want to use split-tunnel you don't need to do all the other stuff mentioned before.

If you can share the configuration that would be really helpful too.

HTH

Gio
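The following is an added, constructed ASA 8.2 configuration fragment (pre-8.3 NAT syntax) illustrating both replies above: Marius Gunnerud's three requirements for the tunnel-all case (NAT exemption to the inside, outside-to-outside dynamic NAT for the VPN pool, and same-security-traffic permit intra-interface), and Gio's point that a split-tunnel group policy makes the hairpin NAT unnecessary for internet access. It is not the poster's configuration; the object names (ANYCONNECT_POOL, ANYCONNECT_GP, ANYCONNECT_TG, SPLIT_ACL), the interface names inside and outside, the DNS server address and the domain name are assumptions. Only the addresses and the INT_NONAT line come from the thread.

```cisco
! Constructed example, ASA 8.2 syntax. Names marked as assumed are not from the thread.
! Assumed: interfaces "inside" and "outside"; pool/group/ACL names below.

! VPN client address pool (addresses from the original post)
ip local pool ANYCONNECT_POOL 172.16.100.1-172.16.100.5 mask 255.255.255.0

! NAT exemption so inside hosts reach VPN clients untranslated (the poster already has this ACE).
! Keep it: removing it would break SSH/HTTP to the servers, it is not the cause of the internet problem.
access-list INT_NONAT extended permit ip 172.16.6.0 255.255.254.0 172.16.100.0 255.255.255.0
nat (inside) 0 access-list INT_NONAT

! ---- Option A: tunnel-all (the ASA default) ----
! Client internet traffic enters on outside and must leave on outside again,
! so the ASA has to allow the U-turn and PAT the VPN pool behind the outside address.
same-security-traffic permit intra-interface
nat (outside) 1 172.16.100.0 255.255.255.0
global (outside) 1 interface

! ---- Option B: split tunnel (only the corporate /23 goes through the VPN) ----
! Internet traffic then uses the client's local gateway; the hairpin NAT and
! intra-interface command above are not needed for it.
access-list SPLIT_ACL standard permit 172.16.6.0 255.255.254.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 ! Assumed internal DNS server and domain; set these so names inside the tunnel resolve.
 dns-server value 172.16.6.10
 default-domain value corp.example

! Tunnel group tying the pool and policy together (assumed name)
tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy ANYCONNECT_GP
```

Choose one option, not both: with Option A every packet from the client, DNS included, crosses the tunnel, so the hairpin NAT and the intra-interface permit are what give it a way out; with Option B the split ACL decides what enters the tunnel, and the dns-server value matters because the client otherwise resolves corporate names through its home resolver.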
