01-22-2018 06:03 PM - edited 03-12-2019 04:56 AM
I'm trying to configure a VPN tunnel group that doesn't use split tunneling. I get connected via AnyConnect but then can't connect to the Internet. What am I missing?
ASA# sh vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : mmurray Index : 140
Assigned IP : 10.120.20.35 Public IP : 76.X.X.X
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 19134 Bytes Rx : 17796
Group Policy : vpngroup_no_split_tunnel
Tunnel Group : RADgroup_no_split_tunnel
Login Time : 20:14:59 EST Mon Jan 22 2018
Duration : 0h:00m:05s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0ac833010008c0005a668c93
Security Grp : none
ASA# sh run tunnel-group RADgroup_no_split_tunnel
tunnel-group RADgroup_no_split_tunnel type remote-access
tunnel-group RADgroup_no_split_tunnel general-attributes
address-pool toddsvpnpool
authentication-server-group RADIUS
default-group-policy vpngroup_no_split_tunnel
tunnel-group RADgroup_no_split_tunnel webvpn-attributes
group-alias vpngroup_no_split_tunnel enable
tunnel-group RADgroup_no_split_tunnel ipsec-attributes
ikev1 pre-shared-key *****
ASA# sh run group-policy vpngroup_no_split_tunnel
group-policy vpngroup_no_split_tunnel internal
group-policy vpngroup_no_split_tunnel attributes
wins-server value 10.10.2.1 10.20.2.60
dns-server value 10.10.2.1 10.10.2.2
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
ASA# sh run webvpn
webvpn
enable lan
enable outside2
anyconnect image disk0:/anyconnect-win-4.1.02011-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-4.1.02011-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
01-22-2018 06:32 PM
Have you checked your NAT settings?
01-22-2018 11:34 PM
As mentioned, you need NAT from outside to outside:
nat (outside,outside) after-auto source dynamic VPN-POOL interface
And in addition to that, same-security-traffic has to be enabled:
same-security-traffic permit intra-interface
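The two commands above only work once the NAT rule has an object to match the client addresses on, and once the interface names line up with where AnyConnect actually terminates. The fragment below is an added example, not configuration posted in the thread; the 10.120.20.0/24 range behind the VPN-POOL object is an assumption chosen to contain the assigned address 10.120.20.35, and the interface name outside2 is taken from the "enable outside2" line in the "sh run webvpn" output rather than the generic "outside" in the reply. With tunnel-all and hairpin NAT in place, every client packet bound for the Internet leaves through the ASA and is subject to its outbound policy, which is the point of disabling split tunneling.

```cisco
! Added example, not from the thread. Assumed values are marked.
!
! Object covering the addresses handed out by the address pool
! (toddsvpnpool in the thread). 10.120.20.0/24 is an assumption:
! match it to the actual pool range.
object network VPN-POOL
 subnet 10.120.20.0 255.255.255.0
!
! Allow traffic to enter and leave on the same interface (hairpin).
same-security-traffic permit intra-interface
!
! Translate VPN client addresses to the interface address when they
! go back out the interface they arrived on. outside2 is the interface
! where webvpn is enabled per "sh run webvpn"; use your own name here.
nat (outside2,outside2) after-auto source dynamic VPN-POOL interface
!
! tunnelall is the ASA default when no split-tunnel policy is set;
! stated explicitly so the intent is visible in the running config.
group-policy vpngroup_no_split_tunnel attributes
 split-tunnel-policy tunnelall
!
! Verification from enable mode (show/exec commands, not config):
!   show nat detail
!   packet-tracer input outside2 icmp 10.120.20.35 8 0 8.8.8.8 detailed
```

The packet-tracer output should show the UN-NAT/NAT phase hitting the VPN-POOL rule and an ALLOW result; a DROP in the NAT or ACL phase points at the missing rule or an egress access-list on the interface.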
01-23-2018 02:26 PM
Thanks Karsten, I had the
same-security-traffic permit intra-interface
command in there but not the NAT.