Anyconnect Tunnelall

kenny.kerns
Level 1

Hi,

I have a 5505 setup and running with access to my corp resources; the problem is that I can't reach the Internet. I do not want to split-tunnel due to security concerns, and it seems that it would be simple to find documents describing this scenario, but surprisingly that is not the case.

One point of concern is when I do "sh connections"  I see the flags SaAB

S=Awaiting inside SYN

     I'm not sure what to make of this since my Anyconnect session terminates on the "outside" interface and any SYN sent from my client would appear to have originated on the "outside".  The SYN-ACK response from the Internet would be to the "outside" interface as well.  So where is the "inside" SYN going to originate?

a=Awaiting Outside ACK to SYN

     Same issue I described above.  Since my initial SYN was originated on the "outside", how does the ASA correlate the SYN-ACK received on the "outside" to my initial SYN sent from the "outside"?

A=Awaiting inside ACK to SYN

     Again, same issue. 

B=Initial SYN from Outside

     Described above

I have same-security-traffic permit intra-interface enabled and the split-tunnel-policy tunnelall enabled on the group policy.

Here is a snippet of my config.

same-security-traffic permit intra-interface
access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
ip local pool sslvpnpool 192.168.70.10-192.168.70.50 mask 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0

group-policy sslclientpolicy internal
group-policy sslclientpolicy attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 default-domain value xxxx.xxxx
 address-pools value sslvpnpool

1 Reply

Loren Kolnes
Cisco Employee

Hi Kenny,

Here is a configuration example from CCO.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml

Looks like you just need to add the following line:

nat (outside) 1 192.168.70.0 255.255.255.0

Let me know if this helps.

Thanks,

Loren
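As an added check (example code written for this thread, not from either post, from Cisco, or from the linked CCO document): a small Python audit that parses a pre-8.3 ASA config snippet like the one in the question and reports whether tunnelall AnyConnect clients can hairpin back out the outside interface to the Internet, i.e. whether intra-interface traffic is permitted and the VPN address pool is covered by a nat (outside) rule with a matching global on that interface. The sample configs are constructed from the question's snippet, with the line from the reply appended for the "after" case.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the asker's config (before),
# and the same config with the nat (outside) line from the reply (after).
CONFIG_BEFORE = """\
same-security-traffic permit intra-interface
ip local pool sslvpnpool 192.168.70.10-192.168.70.50 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
group-policy sslclientpolicy attributes
 split-tunnel-policy tunnelall
 address-pools value sslvpnpool
"""
CONFIG_AFTER = CONFIG_BEFORE + "nat (outside) 1 192.168.70.0 255.255.255.0\n"

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")


def check_hairpin(config: str) -> list:
    """Return findings that block tunnelall clients from hairpinning out
    the outside interface; an empty list means the pieces are in place."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("intra-interface traffic is not permitted")
    if "split-tunnel-policy tunnelall" not in lines:
        findings.append("split-tunnel-policy is not tunnelall")
    # Dynamic NAT needs a global pool with the same id on the egress interface.
    globals_ = {(m.group(1), m.group(2)) for ln in lines if (m := GLOBAL_RE.match(ln))}
    pools = {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
             for ln in lines if (m := POOL_RE.match(ln))}
    for name, (lo, hi) in pools.items():
        covered = False
        for ln in lines:
            m = NAT_RE.match(ln)
            # nat id 0 is identity/exempt NAT, so it does not translate pool addresses.
            if not m or m.group(1) != "outside" or m.group(2) == "0":
                continue
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            if lo in net and hi in net and ("outside", m.group(2)) in globals_:
                covered = True
        if not covered:
            findings.append(f"pool {name} ({lo}-{hi}) has no nat (outside) rule "
                            "with a matching global (outside)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_hairpin(cfg) or "OK")
```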