AnyConnect VPN Connected but no internet

philipvoceehs
Level 1

Hi Guys,

Managed to get our VPN connection to log in and work. I can access anything locally on the office network, such as file servers, but we have no internet access. We don't want to split-tunnel, as all traffic needs to go through the office ASA for IP-restricted servers, websites, etc.

What are we missing? Here is our config, albeit with some bits omitted, mainly objects and certificates:

Result of the command: "show running-config"

: Saved

:
: Serial Number: JAD27200585
: Hardware: FPR-1010, 7204 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
ASA Version 9.16(2)3
!
hostname ciscoasa
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
!
license smart
feature tier standard
names
no mac-address auto
ip local pool VPN-IP-Range 10.0.100.15-10.0.100.20 mask 255.255.255.0

!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.100.1 255.255.255.0
!
interface Ethernet1/1
no switchport
nameif outside
security-level 0
pppoe client vpdn group EHS
ip address pppoe setroute
!
interface Ethernet1/2
switchport
!
interface Ethernet1/3
switchport
!
interface Ethernet1/4
switchport
!
interface Ethernet1/5
switchport
!
interface Ethernet1/6
switchport
!
interface Ethernet1/7
switchport
power inline auto
!
interface Ethernet1/8
switchport
power inline auto
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.45.1 255.255.255.0
!
interface BVI1
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222 outside
name-server 208.67.220.220 outside
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
host EXTERNALIP
object service PPTP-srv
service tcp source eq pptp
object service https
service tcp source eq https
object service http
service tcp source eq www
object service ESET
service tcp source eq 2222
object service SVN
service tcp source eq 8443
object service MPWEB
service tcp source eq 8444
access-list outside_access_in remark EHS VPN Connection
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object EHS_VPN_SERVER
access-list outside_access_in extended permit tcp any object-group Development_Agent_Servers object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object EHSDEVAPP01 object-group SVN_Connection
access-list outside_access_in remark ESET Management Server incoming connections
access-list outside_access_in extended permit tcp any object EHS_ESET_SERVER object-group ESET_Server
access-list outside_access_in extended permit tcp any object EHSDEVAPP01 object-group Dev_MPWeb_External
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit tcp any eq pptp any
access-list outside_cryptomap extended permit ip 10.0.100.0 255.255.255.0 object UK_HOSTED_NETWORK
access-list VPN_Filter extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_3
access-list VPN_Filter extended permit ip object USA_HOSTED_DC_CONTROLLER object-group DM_INLINE_NETWORK_4
access-list VPN_Filter extended permit ip object CANADA_DOMAIN_CONTROLLER object-group DM_INLINE_NETWORK_5
access-list VPN_Filter extended permit ip object EA_DOMAIN_CONTROLLER object-group DM_INLINE_NETWORK_6
access-list outside_cryptomap_1 extended permit ip 10.0.100.0 255.255.255.0 object USA_Network
access-list outside_cryptomap_2 extended permit ip 10.0.100.0 255.255.255.0 object CANADA_INSIDE_NETWORK
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging timestamp
logging console debugging
logging trap warnings
logging asdm debugging
logging class auth console debugging asdm debugging
logging class session asdm debugging
logging class sys asdm debugging
logging class vpn console debugging asdm debugging
logging class vpnc console debugging asdm debugging
logging class webvpn console debugging asdm debugging
logging class svc console debugging asdm debugging
logging class dap console debugging asdm debugging
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static UK_HOSTED_NETWORK UK_HOSTED_NETWORK no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static USA_Network USA_Network no-proxy-arp route-lookup
nat (any,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static CANADA_INSIDE_NETWORK CANADA_INSIDE_NETWORK no-proxy-arp route-lookup
nat (inside,outside) source static EHS_VPN_SERVER interface service PPTP-srv PPTP-srv
nat (inside,outside) source static DM_INLINE_NETWORK_1 interface service https https
nat (inside,outside) source static DM_INLINE_NETWORK_2 interface service http http
nat (inside,outside) source static EHS_ESET_SERVER interface service ESET ESET
nat (inside,outside) source static EHSDEVAPP01 interface service SVN SVN
nat (inside,outside) source static EHSDEVAPP01 interface service MPWEB MPWEB
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static NETWORK_OBJ_10.0.100.0_27 NETWORK_OBJ_10.0.100.0_27 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server EHSRADIUS protocol radius
aaa-server EHSRADIUS (inside) host 10.0.100.80
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.45.0 255.255.255.0 management
http 10.0.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES-256-SHA-512
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES AZURE-PROPOSAL
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer X.X.X.X
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-DES-SHA
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer X.X.X.X
crypto map outside_map 3 set ikev2 ipsec-proposal AES-256-SHA-512
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.0.100.1,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
auto-import

-- OMITTED CERTIFICATE DETAILS --

quit
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha512
group 21
prf sha512
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 40
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 14
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
vpdn group EHS request dialout pppoe
vpdn group EHS localname m594672@X.X.X.X
vpdn group EHS ppp authentication chap
vpdn username X.X.X.X password *****
dhcpd auto_config outside
!
dhcpd address 192.168.45.10-192.168.45.12 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
webvpn
port 4433
enable outside
dtls port 4433
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-4.9.04043-webdeploy-k9.pkg 1
anyconnect profiles EHS disk0:/ehs.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_EHSVPN internal
group-policy GroupPolicy_EHSVPN attributes
wins-server none
dns-server value 10.0.100.200 8.8.8.8
vpn-access-hours none
vpn-simultaneous-logins 15
vpn-idle-timeout 60
vpn-session-timeout none
vpn-filter value inside_access_in
vpn-tunnel-protocol ssl-client
group-lock value EHSVPN
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value EHS
split-tunnel-all-dns enable
vlan none
security-group-tag none
webvpn
anyconnect profiles value EHS type user
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-filter value VPN_Filter
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-filter value VPN_Filter
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask none default svc
username admin password ***** pbkdf2 privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
ikev2 remote-authentication eap query-identity
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group EHSVPN type remote-access
tunnel-group EHSVPN general-attributes
address-pool VPN-IP-Range
authentication-server-group EHSRADIUS
default-group-policy GroupPolicy_EHSVPN
tunnel-group EHSVPN webvpn-attributes
group-alias EHSVPN enable
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect pptp
inspect icmp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:ea62db802051e27e24b2f9a4d537a0e0
: end

Thanks,

Dave

31 Replies

@MHM Cisco World, sorry I missed that first comment of yours regarding the NAT rule conflict. It is now working! Thank you so much for your help; it's really appreciated!

You need to apply the NAT rule and hairpin configuration.
Add same-security-traffic permit intra-interface and change the NAT priority: move your AnyConnect NAT rule to the very top if using ASDM, or, if using the CLI, give it line number 1:

nat (outside,outside) 1 source dynamic VPN_POOL interface

(OR)

nat (outside,outside) source dynamic VPN_POOL interface

Please do not forget to rate.
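The hairpin fix from the reply above, written out against the pool, interface and object names that appear in the posted config, together with the commands used to verify it. This is an added example, not part of the thread and not the poster's or MHM's configuration. The object name VPN-POOL-NET is an assumption (any name works; it only has to cover the same addresses as ip local pool VPN-IP-Range), and the packet-tracer source port and destination are constructed test values.

```cisco
! Added example (not from the thread). Hairpin NAT so that AnyConnect
! tunnel-all clients can reach the internet back out of the same outside
! interface they arrived on. Object name VPN-POOL-NET is an assumption.

! 1. U-turn traffic: allow a packet to enter and leave the same interface.
!    The posted config already contains this line, so here it is a check.
same-security-traffic permit intra-interface

! 2. A network object that covers exactly the AnyConnect address pool
!    (ip local pool VPN-IP-Range 10.0.100.15-10.0.100.20). Keep it to the
!    pool range: the pool sits inside the 10.0.100.0/24 inside subnet, so a
!    /24 object would also match the LAN hosts.
object network VPN-POOL-NET
 description AnyConnect pool, must match ip local pool VPN-IP-Range
 range 10.0.100.15 10.0.100.20

! 3. Manual (twice) NAT in section 1 at line 1: decrypted VPN-client traffic
!    entering on outside and leaving on outside is PATed to the outside
!    interface address (the PPPoE-assigned one). Line 1 puts it ahead of the
!    existing section-1 identity rules; section-2 object NAT (obj_any) is
!    only evaluated after section 1, so it no longer matters for this flow.
nat (outside,outside) 1 source dynamic VPN-POOL-NET interface

! --- Verification (exec mode) ---
! The rule should be listed first; translate_hits should grow while a
! connected client browses.
show nat
show nat detail

! Simulate a VPN client going to the internet (constructed values: a pool
! address, an ephemeral port, a public DNS resolver). Expect the NAT phase to
! cite the (outside,outside) rule and the final result to be ALLOW with
! output-interface outside.
packet-tracer input outside tcp 10.0.100.15 40000 8.8.8.8 53

! Confirm bytes are flowing in both directions for the logged-in user.
show vpn-sessiondb detail anyconnect

! Save once it works.
write memory
```

Because the group policy sends all traffic, including DNS to 10.0.100.200 and 8.8.8.8, through the tunnel, the same hairpin rule carries the clients' DNS lookups; if browsing still fails after the change, run the packet-tracer line above against the DNS server first, since a client with working NAT but no name resolution looks identical to "connected but no internet" from the user's side.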