Anyconnect No Internet but internet on WEBSSL VPN

cogenyk
Level 1

Hello, my AnyConnect VPN clients can access internal resources but not the external web, but users on WebSSL can access both.

2 Replies

Hello,

What is the context of your question, and what device is configured as the VPN server?

Apologies for the brevity. On our ASA 5512 we have a clientless WebSSL VPN from which users can access both internal and external networks, but on the AnyConnect profile I have tried to set up, users cannot access both internal and external networks. I've attached a scrubbed show run.

[REDACTED]
ASA Version [REDACTED]
!
hostname [REDACTED]
domain-name [REDACTED]
enable [REDACTED]
names
ip local pool VPN 10.0.4.2-10.0.4.254 mask 255.255.255.0

!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address dhcp 
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.0.0.1 255.255.254.0 
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif Guests
 security-level 90
 ip address 10.0.2.1 255.255.255.0 
!
interface GigabitEthernet0/1.40
 vlan 40
 no nameif
 security-level 100
 ip address 10.0.4.1 255.255.255.0 
!
interface GigabitEthernet0/1.70
 vlan 70
 nameif CCTV
 security-level 100
 ip address 10.0.7.1 255.255.255.0 
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif Servers
 security-level 100
 ip address 10.0.10.1 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns domain-lookup Guests
dns domain-lookup CCTV
dns domain-lookup Servers
dns server-group DefaultDNS
 name-server 10.0.10.5 Servers
 name-server 1.1.1.1 OUTSIDE
 domain-name local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VLAN100
 subnet 10.0.10.0 255.255.255.0
 description ServerFarm
object network VLAN70
 subnet 10.0.7.0 255.255.255.0
 description CCTV
object network Meraki3
 subnet 209.206.49.0 255.255.255.224
object network 4Meraki3
 subnet 209.206.51.0 255.255.255.224
object network INTERNAL
 host REDACTED
object network Main-Minecraft-Server
 host 10.0.10.200
object network Main-Minecraft-Server-UDP
 host 10.0.10.200
object service MinecraftTCP
 service tcp destination eq 25565 
object service MinecraftUDP
 service udp source eq 25565 destination range 0 25565 
object network Miinecraft
 host 10.0.10.200
object network RealMC
 host 10.0.10.200
object service MC
 service tcp source eq 25565 
object network mcserver
 host REDACTED
object network extip
 host REDACTED
object network obj_mcs
 host 10.0.10.200
object network Minecraft-Server
 host 10.0.10.200
object service TestMC
 service tcp destination eq 25566 
object network NETWORK_OBJ_10.0.4.0_24
 subnet 10.0.4.0 255.255.255.0
object-group service allow_internet_tcp tcp
 description allow tcp ports for allowing access internet access
 port-object eq www
 port-object eq https
object-group service allow_internet_udp udp
 description allow udp ports for allowing access internet access
 port-object eq dnsix
object-group network Meraki
 network-object host 209.206.52.203
 network-object host 8.8.8.8
 network-object object 4Meraki3
 network-object object Meraki3
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object tcp-udp destination eq www 
 service-object tcp destination eq 35000 
 service-object tcp destination eq https 
 service-object tcp destination eq rtsp 
 service-object udp destination eq ntp 
object-group service DM_INLINE_SERVICE_2
 service-object ip 
 service-object tcp-udp destination eq www 
 service-object tcp destination eq 35000 
 service-object tcp destination eq https
 service-object tcp destination eq rtsp 
 service-object udp destination eq ntp 
object-group network DM_INLINE_NETWORK_1
 network-object 10.0.0.0 255.255.254.0
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.7.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
 service-object ip 
 service-object icmp 
 service-object udp 
 service-object tcp 
 service-object icmp echo-reply
 service-object tcp destination eq echo 
object-group service DM_INLINE_SERVICE_4
 service-object ip 
 service-object icmp 
 service-object udp 
 service-object tcp 
 service-object icmp echo-reply
 service-object tcp destination eq echo 
object-group service DM_INLINE_SERVICE_5
 service-object ip 
 service-object icmp 
 service-object udp 
 service-object tcp 
 service-object icmp echo-reply
 service-object tcp destination eq echo 
object-group service DM_INLINE_SERVICE_6
 service-object ip 
 service-object icmp 
 service-object udp 
 service-object tcp 
 service-object icmp echo-reply
 service-object tcp destination eq echo 
 service-object object MinecraftTCP 
 service-object object MinecraftUDP 
 service-object object TestMC 
object-group service DM_INLINE_SERVICE_7
 service-object ip 
 service-object udp 
 service-object tcp 
 service-object tcp-udp destination eq domain 
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_8
 service-object ip 
 service-object udp 
 service-object tcp 
 service-object tcp-udp destination eq domain 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
object-group service DM_INLINE_SERVICE_9
 service-object ip 
 service-object udp 
 service-object tcp 
 service-object tcp-udp destination eq domain 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
object-group network DM_INLINE_NETWORK_2
 network-object object Main-Minecraft-Server
 network-object object Miinecraft
object-group service DM_INLINE_SERVICE_10
 service-object object MinecraftUDP 
 service-object object TestMC 
object-group service DM_INLINE_SERVICE_11
 service-object ip 
 service-object udp 
 service-object tcp 
 service-object object TestMC 
object-group service DM_INLINE_SERVICE_12
 service-object icmp 
 service-object tcp-udp destination eq domain 
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_13
 service-object object MinecraftTCP 
 service-object object TestMC 
object-group service DM_INLINE_SERVICE_14
 service-object object TestMC 
 service-object tcp-udp destination eq domain 
object-group service DM_INLINE_SERVICE_15
 service-object object MinecraftTCP 
 service-object object TestMC 
object-group network DM_INLINE_NETWORK_3
 network-object 10.0.0.0 255.255.254.0
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.7.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object 10.0.0.0 255.255.254.0
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.7.0 255.255.255.0
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_3 object-group Meraki any 
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any object-group Meraki 
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_12 any any 
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_3 10.0.0.0 255.255.254.0 10.0.10.0 255.255.255.0 
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_4 10.0.10.0 255.255.255.0 10.0.0.0 255.255.254.0 
access-list INSIDE_access_in_1 extended permit ip any any 
access-list INSIDE_access_in_1 extended permit object-group TCPUDP any any eq sip 
access-list INSIDE_access_in_1 extended permit ip any 10.0.10.0 255.255.255.0 
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_4 object-group Meraki any 
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_15 any object Miinecraft
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_2 any object-group Meraki 
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any host 10.0.7.2 
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_5 10.0.10.0 255.255.255.0 any 
access-list OUTSIDE_access_in_1 extended permit icmp object-group DM_INLINE_NETWORK_1 any 
access-list OUTSIDE_access_in_1 extended deny ip any object BlockedBotnet012021 
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_9 10.0.0.0 255.255.254.0 any 
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_8 10.0.2.0 255.255.255.0 any 
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_14 any any 
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_13 any object Minecraft-Server 
access-list OUTSIDE_access_in_1 extended permit tcp any interface OUTSIDE eq https 
access-list CCTV_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 host 10.0.7.2 any 
access-list Servers_access_in extended permit object-group DM_INLINE_SERVICE_6 10.0.10.0 255.255.255.0 any4 
access-list Servers_access_in extended permit object-group DM_INLINE_SERVICE_7 10.0.2.0 255.255.255.0 any 
access-list Servers_access_in extended permit tcp any any eq 25565 
access-list Servers_access_in extended permit object-group TCPUDP any any eq sip 
access-list Servers_access_in extended permit ip 10.0.10.0 255.255.255.0 10.0.0.0 255.255.254.0 
access-list global_access extended deny ip any object BlockedBotnet012021 
access-list global_access extended permit object-group DM_INLINE_SERVICE_10 any object Miinecraft 
access-list global_access extended permit object-group DM_INLINE_SERVICE_11 any object-group DM_INLINE_NETWORK_2 
access-list global_access extended permit tcp any any eq 25565 
access-list global_access extended permit tcp any host REDACTED eq https 
access-list Guests_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any 
access-list minecraft extended permit tcp any any eq 25565 
access-list Filter standard permit any4 
access-list Internal standard permit 10.0.0.0 255.255.254.0 
access-list Internal standard permit 10.0.7.0 255.255.255.0 
access-list Internal standard permit 10.0.10.0 255.255.255.0 
access-list no_nat extended permit ip 10.0.0.0 255.255.255.254 192.168.10.0 255.255.255.0 
access-list VPN-POLICY webtype permit url any log default
pager lines 24
logging enable
logging asdm informational
logging debug-trace
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu Guests 1500
mtu CCTV 1500
mtu Servers 1500
mtu management 1500
no failover
no monitor-interface Guests
no monitor-interface CCTV
no monitor-interface Servers
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply OUTSIDE
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (INSIDE,OUTSIDE) source dynamic OBJ_GENERIC_ALL interface
nat (INSIDE,OUTSIDE) source static any any destination static NETWORK_OBJ_10.0.4.0_24 NETWORK_OBJ_10.0.4.0_24 no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static NETWORK_OBJ_10.0.4.0_24 NETWORK_OBJ_10.0.4.0_24 no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static NETWORK_OBJ_10.0.4.0_24 NETWORK_OBJ_10.0.4.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (INSIDE,OUTSIDE) dynamic interface
object network Minecraft-Server
 nat (INSIDE,OUTSIDE) static interface service tcp 25565 25565 
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
nat (CCTV,OUTSIDE) after-auto source dynamic any interface
nat (Servers,OUTSIDE) after-auto source dynamic any interface
nat (Guests,OUTSIDE) after-auto source dynamic any interface
access-group OUTSIDE_access_in_1 in interface OUTSIDE
access-group INSIDE_access_in_1 in interface INSIDE
access-group Guests_access_in in interface Guests
access-group CCTV_access_in_2 in interface CCTV
access-group Servers_access_in in interface Servers
access-group global_access global
!
route-map A permit 1
 match interface INSIDE

!
route OUTSIDE 0.0.0.0 0.0.0.0 REDACTED 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
[REDACTED Crypto]
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 INSIDE
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.0.0.11-10.0.0.254 INSIDE
dhcpd dns 1.1.1.1 10.0.10.5 interface INSIDE
dhcpd enable INSIDE
!
dhcpd address 10.0.2.11-10.0.2.254 Guests
dhcpd dns 1.1.1.1 interface Guests
dhcpd enable Guests
!
dhcpd address 10.0.7.11-10.0.7.29 CCTV
dhcpd dns 1.1.1.1 10.0.10.5 interface CCTV
dhcpd enable CCTV
!
dhcpd address 10.0.10.50-10.0.10.51 Servers
dhcpd dns 1.1.1.1 10.0.10.5 interface Servers
dhcpd enable Servers
!
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay timeout 60
dhcprelay information trust-all
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable 
dynamic-filter enable interface OUTSIDE 
dynamic-filter enable interface INSIDE 
dynamic-filter enable interface CCTV 
dynamic-filter enable interface Servers 
dynamic-filter enable interface management 
dynamic-filter drop blacklist 
dynamic-filter ambiguous-is-black
dynamic-filter blacklist
 address 34.102.136.180 255.255.255.255
ssl trust-point ASDM_TrustPoint3 OUTSIDE
ssl trust-point ASDM_TrustPoint1 INSIDE
webvpn
 enable OUTSIDE
 enable INSIDE
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.7.00136-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg 3
 anyconnect profiles ACC_client_profile disk0:/ACC_client_profile.xml
 anyconnect profiles ACD_client_profile disk0:/ACD_client_profile.xml
 anyconnect profiles AC_client_profile disk0:/AC_client_profile.xml
 anyconnect profiles AnyConnectVPN_client_profile disk0:/AnyConnectVPN_client_profile.xml
 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
 anyconnect profiles Any_Connect_client_profile disk0:/Any_Connect_client_profile.xml
 anyconnect profiles Main-VPN_client_profile disk0:/Main-VPN_client_profile.xml
 anyconnect profiles RemoteClients_client_profile disk0:/RemoteClients_client_profile.xml
 anyconnect profiles Remote_client_profile disk0:/Remote_client_profile.xml
 anyconnect profiles SSL-RA-VPN_client_profile disk0:/SSL-RA-VPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 internal-password enable
 cache
  disable
 error-recovery disable
group-policy SSLVPN internal
group-policy SSLVPN attributes
 wins-server none
 dns-server value 1.1.1.1
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 default-domain value local
 webvpn
  url-list value Tools
group-policy SSLClient internal
group-policy SSLClient attributes
 dns-server value 1.1.1.1
 vpn-tunnel-protocol ikev2 ssl-client 
 default-domain value GOOGLE.COM
 address-pools value VPN
group-policy DfltGrpPolicy attributes
 dns-server value 1.1.1.1
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 default-domain value local
 webvpn
  url-list value GAiN
group-policy RA-SSL internal
group-policy RA-SSL attributes
 banner value BANNER
 wins-server none
 dns-server value 1.1.1.1
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 default-domain value local
 webvpn
  url-list value GAiN
  filter value VPN-POLICY
  customization value P2C
  url-entry enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 1.1.1.1
 vpn-filter value Filter
 vpn-tunnel-protocol ikev2 ssl-client 
 default-domain value local
 address-pools value VPN
 webvpn
  filter value VPN-POLICY
  anyconnect profiles value AnyConnect_client_profile type user
group-policy "GroupPolicy_Any Connect" internal
dynamic-access-policy-record DfltAccessPolicy
username genyk-co password rWCF2Jf9krX4cvfF encrypted privilege 15
tunnel-group WebSSL type remote-access
tunnel-group WebSSL general-attributes
 address-pool VPN
 default-group-policy SSLVPN
tunnel-group WebSSL webvpn-attributes
 customization P2C
 group-alias WebSSL enable
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
 address-pool VPN
 default-group-policy SSLClient
tunnel-group SSLClient webvpn-attributes
 group-alias MY_RA enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect dns preset_dns_map dynamic-filter-snoop 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
hpm topN enable
Cryptochecksum:Redacted
: end
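As an added diagnostic script (not part of the thread and not Cisco's tooling), the following Python encodes the standard ASA requirement the posted config appears to trip over: tunnel-group SSLClient hands clients group-policy SSLClient, which assigns the VPN pool but no split-tunnel-policy, so every client packet (internet included) is tunnelled, enters OUTSIDE and must leave OUTSIDE again, which requires both `same-security-traffic permit intra-interface` (present) and a `nat (OUTSIDE,OUTSIDE)` dynamic PAT for the pool (absent; the only dynamic rules go from INSIDE, Servers, CCTV and Guests to OUTSIDE). The config excerpt is copied from the lines above, while the two candidate remediation lines are constructed, and reusing the `Internal` standard ACL as a split-tunnel list is an assumption about what it was meant for.

```python
import re

# Constructed excerpt of the thread's scrubbed "show run": only the lines this check reads.
ASA_CONFIG = """\
ip local pool VPN 10.0.4.2-10.0.4.254 mask 255.255.255.0
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.0.4.0_24
 subnet 10.0.4.0 255.255.255.0
nat (INSIDE,OUTSIDE) source dynamic OBJ_GENERIC_ALL interface
nat (INSIDE,OUTSIDE) source static any any destination static NETWORK_OBJ_10.0.4.0_24 NETWORK_OBJ_10.0.4.0_24 no-proxy-arp route-lookup
group-policy SSLClient internal
group-policy SSLClient attributes
 dns-server value 1.1.1.1
 vpn-tunnel-protocol ikev2 ssl-client
 address-pools value VPN
"""

# Two candidate fixes (assumed remediation lines, not from the thread): hairpin PAT for the
# pool, or split tunnelling that reuses the thread's otherwise unused 'Internal' standard ACL.
HAIRPIN_FIX = ASA_CONFIG + "nat (OUTSIDE,OUTSIDE) source dynamic NETWORK_OBJ_10.0.4.0_24 interface\n"
SPLIT_TUNNEL_FIX = ASA_CONFIG + " split-tunnel-policy tunnelspecified\n split-tunnel-network-list value Internal\n"


def parse_group_policies(config):
    """Map each 'group-policy <name> attributes' stanza to its stripped attribute lines."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (.+) attributes\s*$", line)
        if m:
            current = m.group(1)
            policies[current] = []
        elif line.startswith(" ") and current is not None:
            policies[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return policies


def has_hairpin_nat(config, outside="OUTSIDE"):
    """True if a dynamic PAT rule covers traffic that enters and leaves the same outside interface."""
    pat = rf"^nat \({outside},{outside}\) (after-auto )?source dynamic \S+ interface"
    return any(re.match(pat, line) for line in config.splitlines())


def check_full_tunnel_internet(config, outside="OUTSIDE"):
    """Report client group policies whose tunnelled internet traffic has no path back out."""
    lines = [l.strip() for l in config.splitlines()]
    intra = "same-security-traffic permit intra-interface" in lines
    findings = []
    for name, attrs in parse_group_policies(config).items():
        if not any(a.startswith("address-pools value") for a in attrs):
            continue  # no pool: clientless-only policy, browser traffic never hairpins
        if any(a.startswith("split-tunnel-policy tunnelspecified") for a in attrs):
            continue  # only listed networks are tunnelled; internet goes direct from the client
        if not intra:
            findings.append(f"{name}: full tunnel but intra-interface traffic is not permitted")
        if not has_hairpin_nat(config, outside):
            findings.append(f"{name}: full tunnel but no nat ({outside},{outside}) dynamic PAT for the pool")
    return findings
```

Run `check_full_tunnel_internet` on the excerpt and it flags SSLClient for the missing hairpin PAT; either fix clears the finding, so pick the one that matches the intended policy (full tunnel with hairpin, or split tunnel to the internal networks only).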