06-11-2013 05:34 PM - edited 02-21-2020 06:57 PM
anyconnect vpn client no internet access.
Below is configuration. Please help.
Thank you
Jessie
ASA Version 8.2(1)
!
hostname ciscoasa5505
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 69.x.x.54 255.255.255.248
!
interface Vlan5
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 172.16.0.2
name-server 69.x.x.6
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service TS-777 tcp-udp
port-object eq 777
object-group service Graphon tcp-udp
port-object eq 491
object-group service TS-778 tcp-udp
port-object eq 778
object-group service moodle tcp-udp
port-object eq 5801
object-group service moodle-5801 tcp-udp
port-object eq 5801
object-group service smtp-587 tcp-udp
port-object eq 587
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq imap4
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq ftp
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 object-group smtp-587
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq telnet
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq ssh
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.52 object-group moodle-5801
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq smtp
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq https
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq www
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq ftp
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq smtp
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq pop3
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 eq domain
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq https
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq www
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 eq domain
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 object-group TS-778
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 object-group Graphon
access-list outside_access_in extended permit tcp any host 69.x.x.51 eq https
access-list outside_access_in extended permit tcp any host 69.x.x.51 eq www
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 object-group TS-777
access-list outside_access_in extended permit tcp any host 69.x.x.54 eq https
access-list outside_cryptomap_1 extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.0.32 255.255.255.224
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list Split-Tunnel standard permit 172.16.0.0 255.255.0.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn_users 172.16.100.10-172.16.100.20 mask 255.255.255.0
ip local pool anypool 172.16.0.9-172.16.0.19 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 69.x.x.50 172.16.0.2 netmask 255.255.255.255
static (inside,outside) 69.x.x.51 172.16.1.2 netmask 255.255.255.255
static (inside,outside) 69.x.x.52 172.16.1.3 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 208.x.x.162
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 209.x.x.178
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 208.x.x.165
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.0.20-172.16.0.40 inside
dhcpd dns 172.16.0.2 69.x.x.6 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 172.16.0.2
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy sales internal
group-policy sales attributes
dns-server value 172.16.1.2 172.16.0.2
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel
webvpn
svc mtu 1406
group-policy anyconnect internal
group-policy anyconnect attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list none
svc ask enable default webvpn
username graciela password CdnZ0hm9o72q6Ddj encrypted
username graciela attributes
vpn-group-policy DfltGrpPolicy
tunnel-group 208.x.x.165 type ipsec-l2l
tunnel-group 208.x.x.165 ipsec-attributes
pre-shared-key *
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool anypool
default-group-policy anyconnect
tunnel-group AnyConnect webvpn-attributes
group-alias anyconnect enable
group-url https://69.x.x.54/anyconnect enable
tunnel-group 208.x.x.162 type ipsec-l2l
tunnel-group 208.x.x.162 ipsec-attributes
pre-shared-key *
tunnel-group 209.x.x.178 type ipsec-l2l
tunnel-group 209.x.x.178 ipsec-attributes
pre-shared-key *
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect icmp
!
service-policy global-policy global
prompt hostname context
: end
Solved! Go to Solution.
06-11-2013 11:47 PM
Hi,
You could start by adding the following configurations
same-security-traffic permit intra-interface
This will allow the VPN users traffic to enter the "outside" interface of the ASA and leave to the Internet using the same interface "outside". Without the above command this is not possible.
Also you will need to add a NAT configuration for the VPN Client users to be able to use the Internet connection of the ASA
For that you can add this command
nat (outside) 1 172.16.0.0 255.255.0.0
This will allow the Dynamic PAT for the VPN Pool.
Hope this helps
Please remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
06-11-2013 11:47 PM
Hi,
You could start by adding the following configurations
same-security-traffic permit intra-interface
This will allow the VPN users traffic to enter the "outside" interface of the ASA and leave to the Internet using the same interface "outside". Without the above command this is not possible.
Also you will need to add a NAT configuration for the VPN Client users to be able to use the Internet connection of the ASA
For that you can add this command
nat (outside) 1 172.16.0.0 255.255.0.0
This will allow the Dynamic PAT for the VPN Pool.
Hope this helps
Please remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide