anyconnect vpn client no internet access

jessie (Level 1)

anyconnect vpn client no internet access.

Below is the configuration. Please help.

Thank you

Jessie

ASA Version 8.2(1)
!
hostname ciscoasa5505
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.x.x.54 255.255.255.248
!
interface Vlan5
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 172.16.0.2
 name-server 69.x.x.6
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service TS-777 tcp-udp
 port-object eq 777
object-group service Graphon tcp-udp
 port-object eq 491
object-group service TS-778 tcp-udp
 port-object eq 778
object-group service moodle tcp-udp
 port-object eq 5801
object-group service moodle-5801 tcp-udp
 port-object eq 5801
object-group service smtp-587 tcp-udp
 port-object eq 587
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq imap4
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq ftp
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 object-group smtp-587
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq telnet
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq ssh
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.52 object-group moodle-5801
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq smtp
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq https
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq www
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq ftp
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq smtp
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq pop3
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 eq domain
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq https
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq www
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 eq domain
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 object-group TS-778
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 object-group Graphon
access-list outside_access_in extended permit tcp any host 69.x.x.51 eq https
access-list outside_access_in extended permit tcp any host 69.x.x.51 eq www
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 object-group TS-777
access-list outside_access_in extended permit tcp any host 69.x.x.54 eq https
access-list outside_cryptomap_1 extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.0.32 255.255.255.224
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list Split-Tunnel standard permit 172.16.0.0 255.255.0.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn_users 172.16.100.10-172.16.100.20 mask 255.255.255.0
ip local pool anypool 172.16.0.9-172.16.0.19 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 69.x.x.50 172.16.0.2 netmask 255.255.255.255
static (inside,outside) 69.x.x.51 172.16.1.2 netmask 255.255.255.255
static (inside,outside) 69.x.x.52 172.16.1.3 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 208.x.x.162
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 209.x.x.178
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 208.x.x.165
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.0.20-172.16.0.40 inside
dhcpd dns 172.16.0.2 69.x.x.6 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 172.16.0.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy sales internal
group-policy sales attributes
 dns-server value 172.16.1.2 172.16.0.2
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 webvpn
  svc mtu 1406
group-policy anyconnect internal
group-policy anyconnect attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list none
  svc ask enable default webvpn
username graciela password CdnZ0hm9o72q6Ddj encrypted
username graciela attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group 208.x.x.165 type ipsec-l2l
tunnel-group 208.x.x.165 ipsec-attributes
 pre-shared-key *
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool anypool
 default-group-policy anyconnect
tunnel-group AnyConnect webvpn-attributes
 group-alias anyconnect enable
 group-url https://69.x.x.54/anyconnect enable
tunnel-group 208.x.x.162 type ipsec-l2l
tunnel-group 208.x.x.162 ipsec-attributes
 pre-shared-key *
tunnel-group 209.x.x.178 type ipsec-l2l
tunnel-group 209.x.x.178 ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect icmp
!
service-policy global-policy global
prompt hostname context
: end


Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

You could start by adding the following configuration:

same-security-traffic permit intra-interface

This will allow the VPN users' traffic to enter the "outside" interface of the ASA and leave to the Internet using the same interface, "outside". Without the above command this is not possible.

Also, you will need to add a NAT configuration for the VPN client users to be able to use the Internet connection of the ASA.

For that you can add this command:

nat (outside) 1 172.16.0.0 255.255.0.0

This will allow dynamic PAT for the VPN pool.

Hope this helps

Please remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

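As an added example (not Jouni's or Cisco's code), here is a small Python checker for the two requirements in the answer above: it parses an ASA 8.2-style config, confirms that `same-security-traffic permit intra-interface` is present, and confirms that every `address-pool` handed out by a tunnel-group is covered by a `nat (outside)` statement. The embedded config is a constructed excerpt of the poster's configuration; `parse` and `hairpin_problems` are names chosen here.

```python
"""Added example (not Jouni's or Cisco's code): checks an ASA 8.2-style config
for the two hairpin requirements described in the answer above."""
import ipaddress
import re

# Constructed excerpt of the poster's config, before the two fix lines are added.
SAMPLE_CONFIG = """\
ip local pool anypool 172.16.0.9-172.16.0.19 mask 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool anypool
 default-group-policy anyconnect
"""
# The two lines from the accepted answer.
FIX = "same-security-traffic permit intra-interface\nnat (outside) 1 172.16.0.0 255.255.0.0\n"

def parse(config_text):
    """Return (lines, pools, outside_nats): pool name -> (first, last) address,
    and the networks covered by 'nat (outside) <id> <net> <mask>' (hairpin PAT)."""
    lines = [line.strip() for line in config_text.splitlines()]
    pools, nats = {}, []
    for line in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        m = re.match(r"nat \(outside\) \d+ (\S+) (\S+)", line)
        if m:
            nats.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return lines, pools, nats

def hairpin_problems(config_text):
    """List what is missing for VPN clients to reach the Internet via 'outside';
    an empty list means both requirements from the answer are met."""
    lines, pools, nats = parse(config_text)
    problems = []
    if "same-security-traffic permit intra-interface" not in lines:
        problems.append("missing: same-security-traffic permit intra-interface")
    for line in lines:  # every address-pool a tunnel-group hands to clients
        m = re.match(r"address-pool (\S+)", line)
        if m and m.group(1) in pools:
            first, last = pools[m.group(1)]
            if not any(first in n and last in n for n in nats):
                problems.append(f"pool {m.group(1)} has no covering nat (outside)")
    return problems
```

Running `hairpin_problems(SAMPLE_CONFIG)` reports both findings; appending `FIX` to the config clears them.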