08-29-2021 08:25 PM
Hello, my AnyConnect VPN clients can access internal resources but not the external web, but users on WebSSL can access both.
08-29-2021 11:11 PM
Hello,
What is the context of your question? What device is configured as the VPN server?
08-30-2021 05:34 PM
Apologies for the brevity. On our ASA 5512 we have a clientless WebSSL VPN from which users can access both internal and external networks, but on the AnyConnect profile I have tried to set up, users cannot access both internal and external networks. I've attached a scrubbed show run.
[REDACTED]
ASA Version [REDACTED]
!
hostname [REDACTED]
domain-name [REDACTED]
enable [REDACTED]
names
ip local pool VPN 10.0.4.2-10.0.4.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address dhcp
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.0.0.1 255.255.254.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif Guests
 security-level 90
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1.40
 vlan 40
 no nameif
 security-level 100
 ip address 10.0.4.1 255.255.255.0
!
interface GigabitEthernet0/1.70
 vlan 70
 nameif CCTV
 security-level 100
 ip address 10.0.7.1 255.255.255.0
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif Servers
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns domain-lookup Guests
dns domain-lookup CCTV
dns domain-lookup Servers
dns server-group DefaultDNS
 name-server 10.0.10.5 Servers
 name-server 1.1.1.1 OUTSIDE
 domain-name local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VLAN100
 subnet 10.0.10.0 255.255.255.0
 description ServerFarm
object network VLAN70
 subnet 10.0.7.0 255.255.255.0
 description CCTV
object network Meraki3
 subnet 209.206.49.0 255.255.255.224
object network 4Meraki3
 subnet 209.206.51.0 255.255.255.224
object network INTERNAL
 host REDACTED
object network Main-Minecraft-Server
 host 10.0.10.200
object network Main-Minecraft-Server-UDP
 host 10.0.10.200
object service MinecraftTCP
 service tcp destination eq 25565
object service MinecraftUDP
 service udp source eq 25565 destination range 0 25565
object network Miinecraft
 host 10.0.10.200
object network RealMC
 host 10.0.10.200
object service MC
 service tcp source eq 25565
object network mcserver
 host REDACTED
object network extip
 host REDACTED
object network obj_mcs
 host 10.0.10.200
object network Minecraft-Server
 host 10.0.10.200
object service TestMC
 service tcp destination eq 25566
object network NETWORK_OBJ_10.0.4.0_24
 subnet 10.0.4.0 255.255.255.0
object-group service allow_internet_tcp tcp
 description allow tcp ports for allowing access internet access
 port-object eq www
 port-object eq https
object-group service allow_internet_udp udp
 description allow udp ports for allowing access internet access
 port-object eq dnsix
object-group network Meraki
 network-object host 209.206.52.203
 network-object host 8.8.8.8
 network-object object 4Meraki3
 network-object object Meraki3
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp-udp destination eq www
 service-object tcp destination eq 35000
 service-object tcp destination eq https
 service-object tcp destination eq rtsp
 service-object udp destination eq ntp
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object tcp-udp destination eq www
 service-object tcp destination eq 35000
 service-object tcp destination eq https
 service-object tcp destination eq rtsp
 service-object udp destination eq ntp
object-group network DM_INLINE_NETWORK_1
 network-object 10.0.0.0 255.255.254.0
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.7.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
 service-object ip
 service-object icmp
 service-object udp
 service-object tcp
 service-object icmp echo-reply
 service-object tcp destination eq echo
object-group service DM_INLINE_SERVICE_4
 service-object ip
 service-object icmp
 service-object udp
 service-object tcp
 service-object icmp echo-reply
 service-object tcp destination eq echo
object-group service DM_INLINE_SERVICE_5
 service-object ip
 service-object icmp
 service-object udp
 service-object tcp
 service-object icmp echo-reply
 service-object tcp destination eq echo
object-group service DM_INLINE_SERVICE_6
 service-object ip
 service-object icmp
 service-object udp
 service-object tcp
 service-object icmp echo-reply
 service-object tcp destination eq echo
 service-object object MinecraftTCP
 service-object object MinecraftUDP
 service-object object TestMC
object-group service DM_INLINE_SERVICE_7
 service-object ip
 service-object udp
 service-object tcp
 service-object tcp-udp destination eq domain
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_8
 service-object ip
 service-object udp
 service-object tcp
 service-object tcp-udp destination eq domain
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_9
 service-object ip
 service-object udp
 service-object tcp
 service-object tcp-udp destination eq domain
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_2
 network-object object Main-Minecraft-Server
 network-object object Miinecraft
object-group service DM_INLINE_SERVICE_10
 service-object object MinecraftUDP
 service-object object TestMC
object-group service DM_INLINE_SERVICE_11
 service-object ip
 service-object udp
 service-object tcp
 service-object object TestMC
object-group service DM_INLINE_SERVICE_12
 service-object icmp
 service-object tcp-udp destination eq domain
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_13
 service-object object MinecraftTCP
 service-object object TestMC
object-group service DM_INLINE_SERVICE_14
 service-object object TestMC
 service-object tcp-udp destination eq domain
object-group service DM_INLINE_SERVICE_15
 service-object object MinecraftTCP
 service-object object TestMC
object-group network DM_INLINE_NETWORK_3
 network-object 10.0.0.0 255.255.254.0
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.7.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object 10.0.0.0 255.255.254.0
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.7.0 255.255.255.0
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_3 object-group Meraki any
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any object-group Meraki
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_12 any any
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_3 10.0.0.0 255.255.254.0 10.0.10.0 255.255.255.0
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_4 10.0.10.0 255.255.255.0 10.0.0.0 255.255.254.0
access-list INSIDE_access_in_1 extended permit ip any any
access-list INSIDE_access_in_1 extended permit object-group TCPUDP any any eq sip
access-list INSIDE_access_in_1 extended permit ip any 10.0.10.0 255.255.255.0
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_4 object-group Meraki any
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_15 any object Miinecraft
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_2 any object-group Meraki
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any host 10.0.7.2
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_5 10.0.10.0 255.255.255.0 any
access-list OUTSIDE_access_in_1 extended permit icmp object-group DM_INLINE_NETWORK_1 any
access-list OUTSIDE_access_in_1 extended deny ip any object BlockedBotnet012021
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_9 10.0.0.0 255.255.254.0 any
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_8 10.0.2.0 255.255.255.0 any
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_14 any any
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_13 any object Minecraft-Server
access-list OUTSIDE_access_in_1 extended permit tcp any interface OUTSIDE eq https
access-list CCTV_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 host 10.0.7.2 any
access-list Servers_access_in extended permit object-group DM_INLINE_SERVICE_6 10.0.10.0 255.255.255.0 any4
access-list Servers_access_in extended permit object-group DM_INLINE_SERVICE_7 10.0.2.0 255.255.255.0 any
access-list Servers_access_in extended permit tcp any any eq 25565
access-list Servers_access_in extended permit object-group TCPUDP any any eq sip
access-list Servers_access_in extended permit ip 10.0.10.0 255.255.255.0 10.0.0.0 255.255.254.0
access-list global_access extended deny ip any object BlockedBotnet012021
access-list global_access extended permit object-group DM_INLINE_SERVICE_10 any object Miinecraft
access-list global_access extended permit object-group DM_INLINE_SERVICE_11 any object-group DM_INLINE_NETWORK_2
access-list global_access extended permit tcp any any eq 25565
access-list global_access extended permit tcp any host REDACTED eq https
access-list Guests_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list minecraft extended permit tcp any any eq 25565
access-list Filter standard permit any4
access-list Internal standard permit 10.0.0.0 255.255.254.0
access-list Internal standard permit 10.0.7.0 255.255.255.0
access-list Internal standard permit 10.0.10.0 255.255.255.0
access-list no_nat extended permit ip 10.0.0.0 255.255.255.254 192.168.10.0 255.255.255.0
access-list VPN-POLICY webtype permit url any log default
pager lines 24
logging enable
logging asdm informational
logging debug-trace
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu Guests 1500
mtu CCTV 1500
mtu Servers 1500
mtu management 1500
no failover
no monitor-interface Guests
no monitor-interface CCTV
no monitor-interface Servers
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply OUTSIDE
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (INSIDE,OUTSIDE) source dynamic OBJ_GENERIC_ALL interface
nat (INSIDE,OUTSIDE) source static any any destination static NETWORK_OBJ_10.0.4.0_24 NETWORK_OBJ_10.0.4.0_24 no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static NETWORK_OBJ_10.0.4.0_24 NETWORK_OBJ_10.0.4.0_24 no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static NETWORK_OBJ_10.0.4.0_24 NETWORK_OBJ_10.0.4.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (INSIDE,OUTSIDE) dynamic interface
object network Minecraft-Server
 nat (INSIDE,OUTSIDE) static interface service tcp 25565 25565
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
nat (CCTV,OUTSIDE) after-auto source dynamic any interface
nat (Servers,OUTSIDE) after-auto source dynamic any interface
nat (Guests,OUTSIDE) after-auto source dynamic any interface
access-group OUTSIDE_access_in_1 in interface OUTSIDE
access-group INSIDE_access_in_1 in interface INSIDE
access-group Guests_access_in in interface Guests
access-group CCTV_access_in_2 in interface CCTV
access-group Servers_access_in in interface Servers
access-group global_access global
!
route-map A permit 1
 match interface INSIDE
!
route OUTSIDE 0.0.0.0 0.0.0.0 REDACTED 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
[REDACTED Crypto]
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 INSIDE
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.0.0.11-10.0.0.254 INSIDE
dhcpd dns 1.1.1.1 10.0.10.5 interface INSIDE
dhcpd enable INSIDE
!
dhcpd address 10.0.2.11-10.0.2.254 Guests
dhcpd dns 1.1.1.1 interface Guests
dhcpd enable Guests
!
dhcpd address 10.0.7.11-10.0.7.29 CCTV
dhcpd dns 1.1.1.1 10.0.10.5 interface CCTV
dhcpd enable CCTV
!
dhcpd address 10.0.10.50-10.0.10.51 Servers
dhcpd dns 1.1.1.1 10.0.10.5 interface Servers
dhcpd enable Servers
!
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay timeout 60
dhcprelay information trust-all
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
dynamic-filter enable interface OUTSIDE
dynamic-filter enable interface INSIDE
dynamic-filter enable interface CCTV
dynamic-filter enable interface Servers
dynamic-filter enable interface management
dynamic-filter drop blacklist
dynamic-filter ambiguous-is-black
dynamic-filter blacklist
 address 34.102.136.180 255.255.255.255
ssl trust-point ASDM_TrustPoint3 OUTSIDE
ssl trust-point ASDM_TrustPoint1 INSIDE
webvpn
 enable OUTSIDE
 enable INSIDE
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.7.00136-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg 3
 anyconnect profiles ACC_client_profile disk0:/ACC_client_profile.xml
 anyconnect profiles ACD_client_profile disk0:/ACD_client_profile.xml
 anyconnect profiles AC_client_profile disk0:/AC_client_profile.xml
 anyconnect profiles AnyConnectVPN_client_profile disk0:/AnyConnectVPN_client_profile.xml
 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
 anyconnect profiles Any_Connect_client_profile disk0:/Any_Connect_client_profile.xml
 anyconnect profiles Main-VPN_client_profile disk0:/Main-VPN_client_profile.xml
 anyconnect profiles RemoteClients_client_profile disk0:/RemoteClients_client_profile.xml
 anyconnect profiles Remote_client_profile disk0:/Remote_client_profile.xml
 anyconnect profiles SSL-RA-VPN_client_profile disk0:/SSL-RA-VPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 internal-password enable
 cache
  disable
 error-recovery disable
group-policy SSLVPN internal
group-policy SSLVPN attributes
 wins-server none
 dns-server value 1.1.1.1
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 default-domain value local
 webvpn
  url-list value Tools
group-policy SSLClient internal
group-policy SSLClient attributes
 dns-server value 1.1.1.1
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value GOOGLE.COM
 address-pools value VPN
group-policy DfltGrpPolicy attributes
 dns-server value 1.1.1.1
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 default-domain value local
 webvpn
  url-list value GAiN
group-policy RA-SSL internal
group-policy RA-SSL attributes
 banner value BANNER
 wins-server none
 dns-server value 1.1.1.1
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 default-domain value local
 webvpn
  url-list value GAiN
  filter value VPN-POLICY
  customization value P2C
  url-entry enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 1.1.1.1
 vpn-filter value Filter
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value local
 address-pools value VPN
 webvpn
  filter value VPN-POLICY
  anyconnect profiles value AnyConnect_client_profile type user
group-policy "GroupPolicy_Any Connect" internal
dynamic-access-policy-record DfltAccessPolicy
username genyk-co password rWCF2Jf9krX4cvfF encrypted privilege 15
tunnel-group WebSSL type remote-access
tunnel-group WebSSL general-attributes
 address-pool VPN
 default-group-policy SSLVPN
tunnel-group WebSSL webvpn-attributes
 customization P2C
 group-alias WebSSL enable
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
 address-pool VPN
 default-group-policy SSLClient
tunnel-group SSLClient webvpn-attributes
 group-alias MY_RA enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect dns preset_dns_map
  dynamic-filter-snoop
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
hpm topN enable
Cryptochecksum:Redacted
: end
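As an added example (not from this thread or from Cisco's own tooling), a small Python checker for what a full-tunnel AnyConnect client needs before its Internet traffic can U-turn back out of the ASA: the intra-interface permit, which this config has, and a NAT rule from OUTSIDE to OUTSIDE for the address pool, which it does not. It runs on a constructed excerpt of the show run pasted above; the RUNNING_CONFIG excerpt, the function names and the suggested fix line are assumptions, and a group-policy with no split-tunnel-policy line is treated as full tunnel (the ASA default, tunnelall).

```python
import re

# Constructed excerpt of the show run pasted above: only the lines this check reads.
RUNNING_CONFIG = """
ip local pool VPN 10.0.4.2-10.0.4.254 mask 255.255.255.0
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.0.4.0_24
 subnet 10.0.4.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static any any destination static NETWORK_OBJ_10.0.4.0_24 NETWORK_OBJ_10.0.4.0_24 no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
group-policy SSLClient internal
group-policy SSLClient attributes
 dns-server value 1.1.1.1
 vpn-tunnel-protocol ikev2 ssl-client
 address-pools value VPN
"""


def parse_group_policies(config):
    """Map each 'group-policy X attributes' block to its indented attribute lines."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = m.group(1)
            policies[current] = []
        elif current and line.startswith(" "):
            policies[current].append(line.strip())
        else:
            current = None
    return policies


def hairpin_checks(config, outside="OUTSIDE"):
    """Facts that decide whether full-tunnel clients get Internet back out of the VPN interface:
    the intra-interface permit, any NAT rule whose ingress and egress are both that interface,
    and which group-policies send all traffic through the tunnel."""
    intra = "same-security-traffic permit intra-interface" in config
    nat_re = re.compile(r"^nat \(%s,%s\) .*source dynamic (\S+) interface" % (outside, outside), re.M)
    hairpin = [m.group(1) for m in nat_re.finditer(config)]
    full_tunnel = []
    for name, attrs in parse_group_policies(config).items():
        # No split-tunnel-policy line means the ASA default, tunnelall.
        policy = next((a.split()[-1] for a in attrs if a.startswith("split-tunnel-policy")), "tunnelall")
        if policy == "tunnelall":
            full_tunnel.append(name)
    return {"intra_interface": intra, "hairpin_nat_objects": hairpin, "full_tunnel_policies": full_tunnel}


def missing_lines(config, pool_object, outside="OUTSIDE"):
    """Lines the checks find absent, in standard ASA syntax (assumes PAT to the OUTSIDE address is wanted)."""
    facts = hairpin_checks(config, outside)
    lines = []
    if not facts["intra_interface"]:
        lines.append("same-security-traffic permit intra-interface")
    if facts["full_tunnel_policies"] and pool_object not in facts["hairpin_nat_objects"]:
        lines.append("nat (%s,%s) source dynamic %s interface" % (outside, outside, pool_object))
    return lines
```

Run it against the full show run (the excerpt only keeps the relevant lines) and `missing_lines(config, "NETWORK_OBJ_10.0.4.0_24")` lists what the pool still lacks; once a split-tunnel policy or the hairpin NAT is present it returns an empty list.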