No internet on VPN Client connected to Cisco ASA 5506x

Pinesh Amin
Level 1

Hi,

I tried almost everything I found on this forum and others on the web, but have had no luck resolving the issue. The VPN client loses its internet connection as soon as the SSL VPN connection starts (using AnyConnect). I think it has to do with DNS resolution, but you smart guys can figure it out in no time and help me. Here is the configuration.

CIscoasa# sh run
: Saved

:
: Serial Number: JADxyzabcd
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname Ciscoasa
domain-name xyz
enable password abcxyzz3 encrypted
passwd abcxyzz3 encrypted
names
ip local pool RAPOOL 192.10.15.100-192.10.15.125 mask 255.255.255.0

!
interface GigabitEthernet1/1
description ISP (Comcast) connection
nameif outside
security-level 0
ip address aaa.bbb.ccc.ddd 255.255.255.252
!
interface GigabitEthernet1/2
description Inside Data Network
nameif Data
security-level 100
ip address 10.10.15.254 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.10.15.12 Data
domain-name abcxyz.com
dns server-group defaultdns
name-server 75.75.75.75 outside
name-server 8.8.8.8 outside
domain-name abcxyz.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-Data
subnet 10.10.15.0 255.255.255.0
object network obj-VPNPOOL
subnet 192.10.15.0 255.255.255.0
access-list insideST standard permit 10.10.15.0 255.255.255.0
access-list insideST standard permit 192.10.15.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Data 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Data,outside) source static obj-Data obj-Data destination static obj-VPNPOOL obj-VPNPOOL
!
object network obj_any
nat (any,outside) dynamic interface
object network obj-Data
nat (Data,outside) dynamic interface
object network obj-VPNPOOL
nat (outside,outside) dynamic interface
!
nat (Data,outside) after-auto source dynamic any interface
access-group Inbound in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 Data
http 10.10.15.0 255.255.255.0 Data
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn vpn.xyz.com
email xyz@xyz.com
subject-name CN=vpn.xyz.com,OU=IT-IT Solutions,O=firm,St=NY,L=NewYork,EA=xyz@xyz.com
ip-address aaa.bbb.ccc.ddd
keypair xyz-SSL-VPN.key
crl configure
crypto ca trustpool policy
telnet 10.10.15.0 255.255.255.0 Data
telnet timeout 30
ssh stricthostkeycheck
ssh 10.10.15.0 255.255.255.0 Data
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd lease 691200
dhcpd auto_config Data
dhcpd option 3 ip 10.10.15.254
!
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl dh-group group24
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.5.02036-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.5.02036-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
ssl-server-check warn-on-failure
group-policy xyz-GP internal
group-policy xyz-GP attributes
dns-server value 75.75.75.75 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
split-tunnel-network-list value insideST
split-tunnel-all-dns disable
address-pools value RAPOOL
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask enable default anyconnect timeout 10
dynamic-access-policy-record DfltAccessPolicy
username xyz password abcdxyzsde encrypted privilege 15
username abcd password mkjsiprdituwe encrypted
username abcd attributes
service-type remote-access
tunnel-group xyz-TG type remote-access
tunnel-group xyz-TG general-attributes
address-pool RAPOOL
default-group-policy xyz-GP
tunnel-group xyz-TG webvpn-attributes
group-alias xyz-Office enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global-policy
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:32c84a31162c7fed9fd7535e07a07c14
: end

3 Replies

GioGonza
Level 4

Hello @Pinesh Amin,

You need to change your group-policy:

 

group-policy xyz-GP internal
group-policy xyz-GP attributes
dns-server value 75.75.75.75 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
split-tunnel-network-list value insideST
split-tunnel-all-dns disable

You have tunnel-all and you applied an ACL for the connection. You need to remove the ACL with the command "no split-tunnel-network-list value insideST", or make it split-tunnel by changing the tunnel-all configuration to "split-tunnel-policy tunnelspecified". Try this and let me know.

 

HTH

Gio

Thanks for the quick reply Gio.

Changed it but still no internet.


group-policy xyz-GP internal
group-policy xyz-GP attributes
dns-server value 75.75.75.75 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
split-tunnel-all-dns disable
address-pools value RAPOOL

Hello @Pinesh Amin,

When you connect after you remove the split-tunnel configuration from the ASA, can you ping 8.8.8.8?

It could be a problem with DNS, and that could be the reason why you don't have Internet access. Also, can you place a capture on the VPN adapter to see if the names are being resolved?


HTH

Gio
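As an added example (not from the thread or from Cisco), a small Python lint for the two points Gio raises: a tunnel-all group-policy that still carries a split-tunnel ACL, and DNS for tunnelled clients; it also checks the hairpin prerequisites (intra-interface permit and an outside-to-outside NAT) that the posted config already includes. SAMPLE_CONFIG is a constructed, abridged copy of the post's lines, and the stop-keyword list is an assumption for configs pasted without indentation.

```python
"""Lint an ASA config for the tunnel-all AnyConnect pitfalls in this thread (added example, not Cisco tooling)."""
import re

SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network obj-VPNPOOL
 nat (outside,outside) dynamic interface
group-policy xyz-GP internal
group-policy xyz-GP attributes
 dns-server value 75.75.75.75 8.8.8.8
 split-tunnel-policy tunnelall
 split-tunnel-network-list value insideST
 address-pools value RAPOOL
tunnel-group xyz-TG type remote-access
"""

# Top-level keywords that end a group-policy attribute block once indentation is lost (assumption)
STOP = ("group-policy ", "tunnel-group ", "username ", "dynamic-access-policy-record", "!")

def group_policy_attrs(config, name):
    """Return the stripped sub-mode lines under 'group-policy NAME attributes'.
    A real 'show run' indents them by one space; pasted configs often lose that,
    so an unindented top-level keyword also terminates the block."""
    attrs, inside = [], False
    for line in config.splitlines():
        if line.startswith(f"group-policy {name} attributes"):
            inside = True
        elif inside and line.startswith(STOP):
            break
        elif inside:
            attrs.append(line.strip())
    return attrs

def check_tunnel_all(config, name):
    """Return findings (list of str) for group-policy NAME; an empty list means nothing flagged."""
    attrs = group_policy_attrs(config, name)
    policy = next((a.split()[-1] for a in attrs if a.startswith("split-tunnel-policy ")), None)
    findings = []
    if policy == "tunnelall" and any(a.startswith("split-tunnel-network-list") for a in attrs):
        findings.append("tunnelall combined with split-tunnel-network-list: remove the list or use tunnelspecified")
    if policy == "tunnelall":
        # Tunnel-all clients reach the internet by hairpinning back out the outside
        # interface, which needs intra-interface traffic permitted and an outside,outside NAT.
        if "same-security-traffic permit intra-interface" not in config:
            findings.append("missing 'same-security-traffic permit intra-interface'")
        if not re.search(r"nat \(outside,outside\) (source )?dynamic", config):
            findings.append("no nat (outside,outside) rule for the VPN pool")
    if not any(a.startswith("dns-server value") for a in attrs):
        findings.append("no dns-server in the group-policy: tunnelled clients cannot resolve names")
    return findings
```

Run it against a full `show run` paste to see which of the three conditions is actually missing before changing the group-policy.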
