ASA AnyConnect split-tunnel problem

ciscoasa(config)#ip local pool vpnpool 10.1.3.1-10.1.3.254 mask 255.255.255.0
ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#enable outside
ciscoasa(config-webvpn)#anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg
ciscoasa(config-webvpn)#tunnel-group-list enable
ciscoasa(config-webvpn)#anyconnect enable
ciscoasa(config)#access-list SPLIt-ACL standard permit 172.20.160.0 255.255.255.0
ciscoasa(config)#access-list SPLIt-ACL standard permit 192.168.21.0 255.255.255.0
ciscoasa(config)#group-policy vpntest internal
ciscoasa(config)#group-policy vpntest attributes
ciscoasa(config-group-policy)#vpn-tunnel-protocol ssl-client
ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)#split-tunnel-network-list SPLIt-ACL
ciscoasa(config)#tunnel-group vpntest type remote-access
ciscoasa(config)#tunnel-group vpntest general-attributes
ciscoasa(config-tunnel-general)#address-pool vpnpool
ciscoasa(config-tunnel-general)#default-group-policy vpntest
ciscoasa(config-tunnel-general)#exit
ciscoasa(config)#tunnel-group vpntest webvpn-attributes
ciscoasa(config-tunnel-webvpn)#group-alias vpntest_users enable
There are no hits on the ACL.

8 Replies

JP Miranda Z (Cisco Employee)

Hi yeharold94@gmail.com,

I'm not sure what you mean by "there is not hit to ACL", but keep in mind the following:

-The correct command to apply the ACL to the split tunnel config is:

split-tunnel-network-list value 

-Also, the ACL applied to the split tunnel is not going to show any hit counts (in case that's what you mean).

If your question is related to something else, please explain yourself a little bit more so we can help.

Hope this info helps!!

Rate if it helps you!!

-JP-

asa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list SPLIt-ACL; 2 elements; name hash: 0xb661bf5f
access-list SPLIt-ACL line 1 standard permit 172.20.160.0 255.255.255.0 (hitcnt=0) 0x6e30947a
access-list SPLIt-ACL line 2 standard permit 192.168.21.0 255.255.255.0 (hitcnt=0) 0x31eb7c0f

asa# sh run group-policy
group-policy vpntest internal
group-policy vpntest attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIt-ACL
webvpn
anyconnect firewall-rule client-interface public value SPLIt-ACL
anyconnect firewall-rule client-interface private value SPLIt-ACL

Thank you for helping. The configuration above is the ACL detail in my ASA; if you need any information, please let me know.

My ACL is not running, and I have no idea why.

Hi yeharold94@gmail.com,

I'm still confused about what is not working here. If you are expecting the hit counts on the standard ACL to increment, that is not going to happen. If you have a client already connected with AnyConnect and they are not able to access the subnets specified in the split tunnel ACL, this could be related to a couple of other configs. Can you run the following command and make sure this traffic is going out your firewall through AnyConnect and not just through the internet:

Ex.

packet-tracer input inside icmp 172.20.160.10 8 0 <ip assigned to the client> detail

You can also run the following command on the CLI to check the IP of the client:

sh vpn-sessiondb anyconnect

I will probably be able to give you a solution quickly if you are more specific about the issue you are having.

Hope this info helps!!

Rate if it helps you!!

-JP-

asa# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username : test Index : 204
Assigned IP : 10.1.3.3 Public IP : XXXXX
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 56786 Bytes Rx : 44523
Group Policy : vpntest Tunnel Group : vpntest
Login Time : 08:37:41 UTC Fri Nov 16 2018
Duration : 0h:05m:33s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a80101000cc0005bee81d5
Security Grp : none
asa#

I did not permit the VPN to go out to the internet, but I can still reach 8.8.8.8. How can I deny my VPN clients access to the internet?

Hi yeharold94@gmail.com,

If you don't want your clients to be able to access the internet, you are not supposed to use split tunnel, since the split tunnel is only going to send the specified traffic through the VPN and the rest will use the local VA of the computer. I recommend you check the following config guide and understand the configuration so you can implement it:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html

If you want all the traffic to go through the tunnel so you can restrict the internet access, you need to do tunnel-all.

Hope this info helps!!

Rate if it helps you!!

-JP-

Thank you for helping. I tried to use the full tunnel, but it does not work either.

group-policy vpntest internal
group-policy vpntest attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value SPLIt-ACL
webvpn
anyconnect firewall-rule client-interface public value SPLIt-ACL
anyconnect firewall-rule client-interface private value SPLIt-ACL

Yes, it blocks my internet traffic, but the ACL does not work.

yeharold94@gmail.com,

When doing tunnel-all the ACL is not important, since that is only for split tunnel, so you can remove the ACL:

group-policy vpntest attributes
no split-tunnel-network-list value SPLIt-ACL

Now, the reason why your traffic is failing is probably that you are missing the NAT exemption for the traffic from your internal network to the VPN pool. It should look like this:

object network vpnpool
subnet 10.1.3.0 255.255.255.0
object-group network internal-subnets
network-object 172.20.160.0 255.255.255.0
network-object 192.168.21.0 255.255.255.0

nat (inside,outside) source static internal-subnets internal-subnets destination static vpnpool vpnpool no-proxy-arp route-lookup

In the link shared before you can find all the information you need to get this up and running, even when doing tunnel-all.

Hope this info helps!!

Rate if it helps you!!

-JP-
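The two accepted answers above (use tunnel-all instead of split tunnel if clients must not reach the internet; add the NAT exemption so internal subnets can reach the pool) fit together into one configuration. The block below is an added example, not part of any post in this thread or of a Cisco document. It reuses the pool, object and group-policy names from the thread and adds an explicit vpn-filter so VPN clients are allowed only to the two internal subnets, which makes the "no internet" requirement a stated policy rather than a side effect of missing hairpin NAT. The ACL name VPN-CLIENT-FILTER, the inside host 172.20.160.10 and the client address 10.1.3.3 in the verification commands are assumptions (the last one taken from the session output earlier in the thread).

```cisco
! --- Address pool and objects (names as used in the thread) ---
ip local pool vpnpool 10.1.3.1-10.1.3.254 mask 255.255.255.0

object network vpnpool
 subnet 10.1.3.0 255.255.255.0
object-group network internal-subnets
 network-object 172.20.160.0 255.255.255.0
 network-object 192.168.21.0 255.255.255.0

! --- NAT exemption: inside subnets <-> VPN pool must not be translated ---
! no-proxy-arp stops the ASA answering ARP for the pool on the inside;
! route-lookup makes it forward by the real destination, not the mapped interface.
nat (inside,outside) source static internal-subnets internal-subnets destination static vpnpool vpnpool no-proxy-arp route-lookup

! --- Explicit allow-list for VPN clients (assumed ACL name) ---
! vpn-filter ACLs are written with the client's assigned (pool) address as the
! source and the local resource as the destination; the ASA permits the return
! traffic of a matched flow on its own. The implicit deny drops everything
! else, including 8.8.8.8, no matter what hairpin/NAT rules are added later.
access-list VPN-CLIENT-FILTER extended permit ip object vpnpool object-group internal-subnets

! --- Group policy: full tunnel, split list removed, filter applied ---
group-policy vpntest internal
group-policy vpntest attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 no split-tunnel-network-list value SPLIt-ACL
 vpn-filter value VPN-CLIENT-FILTER

tunnel-group vpntest type remote-access
tunnel-group vpntest general-attributes
 address-pool vpnpool
 default-group-policy vpntest

! --- Verification after a client connects ---
! 1. Find the client's assigned address (10.1.3.3 in the session output above).
show vpn-sessiondb anyconnect
! 2. Trace the return path inside -> client: the NAT phase must show the
!    static identity (exemption) rule, not a dynamic PAT to the outside address.
packet-tracer input inside icmp 172.20.160.10 8 0 10.1.3.3 detailed
! 3. translate_hits / untranslate_hits on the exemption rule grow as traffic flows.
show nat
! 4. The vpn-filter ACL is evaluated on the ASA, so its hit counts do increment;
!    a split-tunnel ACL never does, because it is only pushed to the client as routes.
show access-list VPN-CLIENT-FILTER
```

Two caveats a practitioner will want. First, with tunnel-all and no hairpinning, client traffic to the internet arrives on outside and would have to leave on outside again; without `same-security-traffic permit intra-interface` and a dynamic `nat (outside,outside)` rule for the pool, the ASA drops it, which is why the poster saw internet access blocked once tunnel-all was set. The vpn-filter above keeps that behaviour explicit even if someone later enables hairpinning for another group. Second, the `anyconnect firewall-rule client-interface` lines from the posted group policy belong to a separate feature (the AnyConnect client firewall, which filters what the client host may send or receive on its adapters); they are left out here because they do not control which traffic enters the tunnel.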