AnyConnect VPN users lose internet access

Joffroi85
Level 1

I am able to successfully connect to my ASA5505 via AnyConnect from a mobile device. Upon doing so, I lose internet connectivity. My access lists appear to be correct, so I'm sort of at a loss. Any help?

Thanks

ASA5505# show run
: Saved
:
ASA Version 8.2(5)
!
hostname SA5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 99.66.167.69 255.255.255.248
!
ftp mode passive

access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 99.66.167.70 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 192.168.5.100
 vpn-tunnel-protocol svc
 address-pools value SSLClientPool
username testuser password cd0dmVM0fEWRYugq encrypted
username testuser attributes
 service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d5fab45fe19eea3f55517353a07e50d0
: end
6 Replies

rizwanr74
Level 7

Hi there,

Please try this out.

access-list Split-tunnel extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
group-policy SSLClientPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-tunnel

Let me know, if this helps.

thanks

Rizwan Rafeek

I've added those lines and still lose internet connectivity from my handset when I'm connected.

....

ftp mode passive
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Split-tunnel extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
no failover

.....

group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 192.168.5.100
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-tunnel
 address-pools value SSLClientPool
username testuser password cd0dmVM0fEWRYugq encrypted
username testuser attributes
 service-type remote-access

When you are connected on the VPN client, see if you can ping a public IP, such as 4.2.2.2.

Please let me know the result.

thanks

I edited your previous suggestion and was able to connect to the internet now. Thanks for the help.

ASA(config)#access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

ASA(config)# group-policy SSLCLientPolicy internal
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value split-tunnel
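As an added example (not from this thread, and not Cisco's own tooling), a small Python lint over the lines posted above: it checks whether the split-tunnel and NAT-exempt ACLs reference the subnet the inside interface actually carries. In the posted config Vlan1 is 192.168.1.0/24 while both ACLs name 192.168.5.0/24, which is the mismatch the working fix corrected for the split-tunnel list. The config excerpt is constructed from the posted output; the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted in this thread (values as posted).
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Split-tunnel extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
group-policy SSLClientPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-tunnel
"""

def inside_subnet(cfg):
    """Subnet of the interface block whose nameif is 'inside', or None."""
    for block in re.split(r"^(?=interface )", cfg, flags=re.M):
        if re.search(r"^\s*nameif inside$", block, re.M):
            m = re.search(r"^\s*ip address (\S+) (\S+)", block, re.M)
            if m:
                return ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    return None

def acl_networks(cfg, name):
    """Networks an ACL permits: source/mask for extended, net/mask for standard."""
    pat = rf"access-list {re.escape(name)} (extended permit \S+|standard permit) (\S+) (\S+)"
    return [ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            for m in (re.match(pat, line) for line in cfg.splitlines()) if m]

def lint(cfg):
    """Findings a reviewer would raise before touching ACL syntax."""
    findings, inside = [], inside_subnet(cfg)
    if not re.search(r"^\s*split-tunnel-policy tunnelspecified$", cfg, re.M):
        findings.append("no split tunnel: every client packet, Internet included, is sent up the tunnel")
    checks = ((r"split-tunnel-network-list value (\S+)", "split-tunnel"),
              (r"nat \(inside\) 0 access-list (\S+)", "NAT-exempt"))
    for pattern, kind in checks:
        m = re.search(pattern, cfg)
        if m and not any(inside.subnet_of(n) for n in acl_networks(cfg, m[1])):
            findings.append(f"{kind} ACL {m[1]} does not cover inside subnet {inside}")
    return findings

if __name__ == "__main__":
    for f in lint(POSTED_CONFIG):
        print("finding:", f)
```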

rizwanr74,

I thought I was all in the clear, but it looks like the first mobile phone I was testing this with is the only device that is working. All my other devices can connect fine, but seem to not be able to browse the web again. The only difference I can find is the public IP addresses of the devices. My working phone is always in the 68.24.X.X range and the public IP of the device not working seems to be in the 166.188.X.X range.

I thought I had it set to just let all devices with the correct assigned IP (which they are) to go through and get access?

I hopped my working device on the 166.188.X.X network and was also blocked from the Internet.  What can I add to ensure that all devices connected can still freely browse the web?

Thanks in advance for all the help!
