Anyconnect users cannot access internal network

HampusAtea
Level 1

Hi!

Just set up a new AnyConnect VPN solution for a customer. It works almost perfectly.

The AnyConnect users cannot reach the internal network storage. The AnyConnect users can reach the internet, but nothing on the internal network.

(I have removed all passwords and public IP addresses.)

ASA Version 8.4(4)1

!

hostname ciscoasa

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address

!

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 213.80.98.2

name-server 213.80.101.3

object network obj_any

subnet 0.0.0.0 0.0.0.0

access-list NONAT extended permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0

access-list AnyConnect_Client_Local_Print extended deny ip any any

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137

access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns

pager lines 24

logging enable

logging asdm debugging

mtu inside 1500

mtu outside 1500

ip local pool SSLClientPool 192.168.9.50-192.168.9.80 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

!

object network obj_any

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0  1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.9.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.9.2-192.168.9.33 inside

dhcpd option 3 ip 192.168.9.1 interface inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.3046-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy SSLClitentPolicy internal

group-policy SSLClientPolicy internal

group-policy SSLClientPolicy attributes

dns-server value 192.168.9.5

vpn-tunnel-protocol ssl-client

address-pools value SSLClientPool

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

tunnel-group VPN type remote-access

tunnel-group SSLClientProfile type remote-access

tunnel-group SSLClientProfile general-attributes

default-group-policy SSLClientPolicy

tunnel-group SSLClientProfile webvpn-attributes

group-alias SSLVPNClient enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:6a58e90dc61dfbf7ba15e059e5931609

: end

1 Accepted Solution

Looks like you have the permit-vpn sysopt disabled; to enable it:

sysopt connection permit-vpn

Also remove the following dynamic NAT as you already have that configured under the object NAT:

no nat (inside,outside) source dynamic any interface

Then "clear xlate" again, and let us know if it works now.

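A small audit script, added here as an example (it is not part of this thread and not Cisco tooling), that scans an ASA 8.4-style running-config for the three problems worked out above: the explicitly disabled `sysopt connection permit-vpn`, a VPN address pool carved out of an interface subnet, and a twice-NAT exemption for the pool that is missing, not identity NAT, or ordered behind the dynamic PAT rule. The embedded config is a constructed condensation of the one Hampus posted; the finding strings are my own labels.

```python
import ipaddress
import re

# Constructed sample, condensed from the (redacted) running-config posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.9.1 255.255.255.0
object network inside
 subnet 192.168.9.0 255.255.255.0
object network vpnpool
 subnet 192.168.100.0 255.255.255.0
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static inside inside destination static vpnpool vpnpool
no sysopt connection permit-vpn
"""

# Manual (twice) NAT line: source static A B destination static C D
TWICE_NAT = re.compile(
    r"nat \(inside,outside\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def audit(cfg):
    """Return finding labels for the mistakes discussed in the thread (empty list = clean)."""
    lines = cfg.splitlines()
    findings = []
    # 1. The default is enabled and never shown; the 'no' form only appears when it was switched
    #    off, which sends decrypted VPN traffic through the interface ACLs.
    if "no sysopt connection permit-vpn" in lines:
        findings.append("sysopt permit-vpn disabled")
    # 2. Pool drawn from an interface subnet (the 192.168.9.50-80 pool in the first config).
    pool = re.search(r"ip local pool \S+ (\S+)-\S+ mask", cfg)
    if pool:
        first = ipaddress.ip_address(pool.group(1))
        for m in re.finditer(r"ip address (\d[\d.]+) (\d[\d.]+)", cfg):
            if first in ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network:
                findings.append("vpn pool overlaps interface subnet")
    # 3. Exemption must be identity NAT (inside inside ... vpnpool vpnpool) and, since manual
    #    NAT rules are matched in order, must come before any 'source dynamic' PAT rule.
    nat_lines = [l for l in lines if l.startswith("nat (")]
    exempt_idx = None
    for i, l in enumerate(nat_lines):
        m = TWICE_NAT.match(l)
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            exempt_idx = i
        elif m:
            findings.append("nat exemption is not identity nat")
    if exempt_idx is None:
        findings.append("no identity nat exemption for vpn pool")
    else:
        dynamic = [i for i, l in enumerate(nat_lines) if " source dynamic " in l]
        if dynamic and dynamic[0] < exempt_idx:
            findings.append("dynamic pat precedes nat exemption")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the two findings the accepted answer fixes; feed it the text of `show running-config` for a real check.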

16 Replies

Hello,

It is not really recommended to use the same subnet for the VPN client pool and the inside network. Please use a different subnet for the VPN clients,

and also do the NONAT for inside to the VPN pool subnet.

Please let me know if you need any help in doing that.

Harish

I'm having some issues too, but my issue is getting to the internet via VPN. Here is the discussion; do you think you can assist?

https://supportforums.cisco.com/message/3773293#3773293

Hello Mohammad

Could you give me the latest config so that we can start troubleshooting?

regards

Harish

Hello!

I had that problem too before. These commands solved the problems for me.

You need to do the following in order to enable split tunneling for anyconnect ssl vpn:

1) First create an access list for the split tunnel. This access list should include your internal network range:

ASA(config)#access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

2) Then assign this ACL to the SSL group policy (the policy name must match the existing one exactly; the original post used a differently capitalised name, which would create a second, empty policy):

ASA(config)# group-policy SSLClientPolicy internal

ASA(config)# group-policy SSLClientPolicy attributes

ASA(config-group-policy)# split-tunnel-policy tunnelspecified

ASA(config-group-policy)# split-tunnel-network-list value split-tunnel

Doesn't seem to work. Maybe it is me that writes the wrong command. Can you help me by showing me what the command should look like?

Regards Hampus

Hello

The above-mentioned commands are correct, assuming that your internal network is 192.168.1.0/24 and the VPN pool is 192.168.9.0; then you need to have a nonat as follows:

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0

nat (inside) 0 access-list nonat

regards

Harish

Hi!

The commands mentioned above solved my problem that the users couldn't access the internet. (The internal network IP address is not correct above.)

I have one access-list that says :

access-list NONAT extended permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0

I cannot enter "nat (inside) 0 access-list nonat"; I get the following message:

ERROR: This syntax of nat command has been deprecated.

Please refer to "help nat" command for more details.

I am running ASA version 8.4, and the nat (inside) command doesn't work in that version.

Hello

Assuming your inside network is 192.168.1.0/24 and the VPN pool is 192.168.9.0/24, then:

object network inside

subnet 192.168.1.0 255.255.255.0

object network vpnpool

subnet 192.168.9.0 255.255.255.0

nat (inside,outside) source static inside vpnpool destination static inside vpnpool

regards

Harish

Hi!

I ran the commands:

object network inside

subnet 192.168.9.0 255.255.255.0

object network vpnpool

subnet 192.168.100.0 255.255.255.0

nat (inside,outside) source static inside vpnpool destination static inside vpnpool

But it still doesn't work. I believe there is something with the NAT that's not correct in my config.

The NAT statement should have been:

nat (inside,outside) source static inside inside destination static vpnpool vpnpool

Then, "clear xlate".

Thanks for the correction, Jennifer.

Hi all!

Jennifer, I ran your commands, but it still doesn't work. I cannot ping, telnet, RDP, or open anything in Explorer. If it is not the NAT that's the problem, what could it be?

This is the running-config; it would be very good if someone could say what I should do to let VPN users access the internal network.

ASA Version 8.4(4)1

!

hostname

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address

!

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server

name-server

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network vpnpool

subnet 192.168.100.0 255.255.255.0

description vpnpool

object network inside

subnet 192.168.9.0 255.255.255.0

object network NONAT

subnet 192.168.100.0 255.255.255.0

object network SSLClientPool

subnet 192.168.100.0 255.255.255.0

object-group network VPN

access-list NONAT extended permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0

access-list NONAT extended permit ip 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list AnyConnect_Client_Local_Print extended deny ip any any

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137

access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns

access-list split-tunnel standard permit 192.168.9.0 255.255.255.0

access-list NONAT-inside extended permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0

pager lines 24

logging enable

logging asdm debugging

mtu inside 1500

mtu outside 1500

ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static inside inside destination static vpnpool vpnpool

!

object network obj_any

nat (inside,outside) dynamic interface

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.9.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

no sysopt connection permit-vpn

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcpd address 192.168.9.2-192.168.9.33 inside

dhcpd option 3 ip 192.168.9.1 interface inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.3046-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy SSLClientPolicy internal

group-policy SSLClientPolicy attributes

dns-server value

vpn-tunnel-protocol ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-tunnel

default-domain none

address-pools value SSLClientPool

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

tunnel-group VPN type remote-access

tunnel-group SSLClientProfile type remote-access

tunnel-group SSLClientProfile general-attributes

default-group-policy SSLClientPolicy

tunnel-group SSLClientProfile webvpn-attributes

group-alias SSLVPNClient enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:d8fc3131a7f33dc2410e4df1b3a9c71e

: end

Regards Hampus
