
AnyConnect users cannot access internal network



Just set up a new AnyConnect VPN solution for a customer. It works almost perfectly.

The AnyConnect users cannot reach the internal network storage. The AnyConnect users can reach the internet but nothing on the internal network.

(I have removed all passwords and public IP addresses.)

ASA Version 8.4(4)1

hostname ciscoasa

interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address

ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS

object network obj_any

access-list NONAT extended permit ip
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface

object network obj_any
 nat (inside,outside) dynamic interface
route outside  1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http inside
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside

dhcpd address inside
dhcpd option 3 ip interface inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

enable outside
anyconnect image disk0:/anyconnect-win-2.5.3046-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy SSLClitentPolicy internal
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value
 vpn-tunnel-protocol ssl-client
 address-pools value SSLClientPool
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
tunnel-group VPN type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

: end

Accepted Solution

Looks like you have the permit-vpn sysopt disabled; to enable it:

sysopt connection permit-vpn

Also remove the following dynamic NAT as you already have that configured under the object NAT:

no nat (inside,outside) source dynamic any interface

Then "clear xlate" again, and let us know if it works now.


16 Replies


It is not really recommended to use the same subnet for the VPN client pool and the inside network. Please use a different subnet for the VPN clients, and also do the NONAT for the inside network to the VPN pool subnet.

Please let me know if you need any help in doing that.


I'm having some issues too, but my issue is getting to the internet via VPN. Here is the discussion; do you think you can assist?

Hello Mohammad,

Could you give me the latest config so that we can start troubleshooting?




I had that problem too before. These commands solved the problem for me.

You need to do the following in order to enable split tunneling for AnyConnect SSL VPN:

1) First create an access list for the split tunnel. This access list should include your internal network range:

ASA(config)# access-list split-tunnel standard permit

2) Then assign this ACL to the SSL group policy (the name must match the group policy in your config exactly; it is case-sensitive):

ASA(config)# group-policy SSLClientPolicy internal

ASA(config)# group-policy SSLClientPolicy attributes

ASA(config-group-policy)# split-tunnel-policy tunnelspecified

ASA(config-group-policy)# split-tunnel-network-list value split-tunnel

It doesn't seem to work. Maybe it is me typing the wrong command. Can you help me by showing me how the command should look?

Regards, Hampus


The above-mentioned commands are correct. Assuming that your internal network is  and your VPN pool is , you then need to have a NONAT as follows:

access-list nonat extended permit ip

nat (inside) 0 access-list nonat




The commands mentioned above solved my problem where the users couldn't access the internet. (The internal network IP address is not correct above.)

I have one access-list that says:

access-list NONAT extended permit ip

I cannot write "nat (inside) 0 access-list nonat"; I get the following message:

ERROR: This syntax of nat command has been deprecated.

Please refer to "help nat" command for more details.

I am running ASA version 8.4, and the nat (inside) command doesn't work in that version.


Assuming your inside network is  and your VPN pool is , then:

object network inside


object network vpnpool


nat (inside,outside) source static inside vpnpool destination static inside vpnpool




I run the commands:

object network inside


object network vpnpool


nat (inside,outside) source static inside vpnpool destination static inside vpnpool

But it still doesn't work. I believe there is something with the NAT that's not correct in my config.

The NAT statement should have been:

nat (inside,outside) source static inside inside destination static vpnpool vpnpool

Then run "clear xlate".
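As an added example that is not part of any post in this thread (and not Cisco code), the script below audits an ASA 8.3+ style running-config for the four things the replies converge on: the permit-vpn sysopt turned off, the AnyConnect pool overlapping the inside subnet, no identity (twice) NAT for inside to pool, or one that sits after the "source dynamic any" rule in section 1 and so is never matched, and the internet PAT configured twice (manual NAT plus object NAT). The two embedded configs are constructed, with made-up addresses; FIXED_CONFIG carries the same NAT statement as the last reply. Finding codes and object names (inside, vpnpool) are this example's own choices.

```python
"""Audit an ASA 8.3+ running-config for the AnyConnect-to-inside problems
raised in this thread. Added example; addresses below are constructed."""
import ipaddress
import re

# Constructed "before" config modelled on the thread (pool inside the LAN,
# sysopt disabled, dynamic PAT in both NAT sections, no identity NAT).
BROKEN_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
ip local pool SSLClientPool 192.168.1.200-192.168.1.220 mask 255.255.255.0
no sysopt connection permit-vpn
object network obj_any
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source dynamic any interface
object network obj_any
 nat (inside,outside) dynamic interface
"""

# Constructed "after" config: separate pool, identity NAT in section 1, only
# the object NAT left for internet PAT. The sysopt is back at its default;
# ASA prints 'sysopt connection permit-vpn' only when it is disabled.
FIXED_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
ip local pool SSLClientPool 10.10.10.1-10.10.10.50 mask 255.255.255.0
object network inside
 subnet 192.168.1.0 255.255.255.0
object network vpnpool
 subnet 10.10.10.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source static inside inside destination static vpnpool vpnpool
object network obj_any
 nat (inside,outside) dynamic interface
"""


def parse(config):
    """One pass over the config: interface subnets, network objects, pools."""
    ifaces, objs, pools, ctx = {}, {}, {}, None
    for ln in config.splitlines():
        if ln.startswith("interface "):
            ctx = ("if", None)
        elif m := re.match(r"object network (\S+)$", ln):
            ctx = ("obj", m[1])
        elif not ln.startswith(" "):
            ctx = None            # any other top-level command ends the block
        if ctx and ctx[0] == "if":
            if m := re.match(r" nameif (\S+)", ln):
                ctx = ("if", m[1])
            elif (m := re.match(r" ip address (\S+) (\S+)", ln)) and ctx[1]:
                ifaces[ctx[1]] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif ctx and (m := re.match(r" subnet (\S+) (\S+)", ln)):
            objs[ctx[1]] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", ln):
            pools[m[1]] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
    return ifaces, objs, pools


def audit(config):
    """Return finding codes; an empty list means none of the four problems."""
    lines = config.splitlines()
    ifaces, objs, pools = parse(config)
    pool_nets = [n for nets in pools.values() for n in nets]
    findings = []
    if "no sysopt connection permit-vpn" in lines:   # only printed when disabled
        findings.append("SYSOPT_PERMIT_VPN_DISABLED")
    inside = ifaces.get("inside")
    if inside is None:
        return findings + ["NO_INSIDE_INTERFACE"]
    for name, nets in pools.items():
        if any(n.overlaps(inside) for n in nets):
            findings.append(f"POOL_OVERLAPS_INSIDE:{name}")
    # Section 1 (manual NAT) is matched top-down: an identity rule placed
    # after 'source dynamic any' is never reached, so its position matters.
    manual = [ln for ln in lines if re.match(r"nat \(\S+,\S+\) source ", ln)]
    dyn_idx = next((i for i, ln in enumerate(manual) if " source dynamic " in ln), None)
    ident_idx = None
    for i, ln in enumerate(manual):
        m = re.match(r"nat \(inside,\S+\) source static (\S+) \1 "
                     r"destination static (\S+) \2$", ln)
        if (m and m[1] in objs and m[2] in objs and inside.subnet_of(objs[m[1]])
                and pool_nets and all(n.subnet_of(objs[m[2]]) for n in pool_nets)):
            ident_idx = i
    if ident_idx is None:
        findings.append("NO_IDENTITY_NAT_INSIDE_TO_POOL")
    elif dyn_idx is not None and dyn_idx < ident_idx:
        findings.append("IDENTITY_NAT_SHADOWED_BY_DYNAMIC")
    # Object NAT (section 2) already does the internet PAT; a manual
    # 'source dynamic any interface' rule on top of it is redundant.
    if dyn_idx is not None and any(
            re.match(r" nat \(\S+,\S+\) dynamic interface", ln) for ln in lines):
        findings.append("DUPLICATE_DYNAMIC_PAT")
    return findings


if __name__ == "__main__":
    print("broken:", audit(BROKEN_CONFIG))
    print("fixed: ", audit(FIXED_CONFIG))
```

The script only reads a saved copy of the running-config; it does not talk to the ASA. Because the firewall omits the permit-vpn sysopt from the running-config when it is at its enabled default, use "show run all sysopt" if you want to see the value either way. After changing NAT on the box, "clear xlate" as the accepted solution says, otherwise existing translations keep using the old rules.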