05-17-2012 11:24 AM - edited 02-21-2020 06:04 PM
I am able to successfully connect to my ASA5505 via AnyConnect via a mobile device. Upon doing so, I lose internet connectivity. My access list appear to be correct to I'm sort of at a loss. Any help?
Thanks
ASA5505# show run : Saved : ASA Version 8.2(5) ! hostname SA5505 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 shutdown ! interface Ethernet0/7 shutdown ! interface Vlan1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 99.66.167.69 255.255.255.248 ! ftp mode passive
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24 mtu inside 1500 mtu outside 1500 ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0 no failover icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400
global (outside) 1 interface nat (inside) 0 access-list NONAT nat (inside) 1 0.0.0.0 0.0.0.0 route outside 0.0.0.0 0.0.0.0 99.66.167.70 1
timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh timeout 5 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn enable outside anyconnect-essentials svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1 svc enable tunnel-group-list enable group-policy SSLClientPolicy internal group-policy SSLClientPolicy attributes dns-server value 192.168.5.100 vpn-tunnel-protocol svc address-pools value SSLClientPool username testuser password cd0dmVM0fEWRYugq encrypted username testuser attributes service-type remote-access tunnel-group SSLClientProfile type remote-access tunnel-group SSLClientProfile general-attributes default-group-policy SSLClientPolicy tunnel-group SSLClientProfile webvpn-attributes group-alias SSLVPNClient enable ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect icmp ! service-policy global_policy global prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:d5fab45fe19eea3f55517353a07e50d0 : end
05-17-2012 11:52 AM
Hi there,
Please try this out.
access-list Split-tunnel extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
group-policy SSLClientPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-tunnel
Let me know, if this helps.
thanks
Rizwan Rafeek
05-17-2012 12:03 PM
I've added those lines and still lose internet connectective from my handset when I'm connected.
....
ftp mode passive
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Split-tunnel extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
no failover
.....
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.5.100
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-tunnel
address-pools value SSLClientPool
username testuser password cd0dmVM0fEWRYugq encrypted
username testuser attributes
service-type remote-access
05-17-2012 01:36 PM
When you are connected on vpn-client, see if you can ping a public IP, such as 4.2.2.2
Please let me know the result.
thanks
05-17-2012 01:41 PM
I editted your previous suggestion and was able to connect to the internet now. Thanks for the help
ASA(config)#access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
ASA(config)# group-policy SSLCLientPolicy internal
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value split-tunnel
05-21-2012 01:23 PM
rizwanr74,
I thought I was all in the clear, but it looks like the first mobile phone I was testing this with is the only device that is working. All my other devices can connect fine, but seem to not be able to browse the web again. The only differences I can find is the Public IP addresses of the devices. My working phone is always in the 68.24.X.X range and my public IP of the device not working seems to be in the 166.188.X.X range.
I thought I had it set to just let all devices with the correct assigned IP (which they are) to go through and get access?
05-21-2012 01:29 PM
I hopped my working device on the 166.188.X.X network and was also blocked from the Internet. What can I add to ensure that all devices connected can still freely browse the web?
Thanks in advance for all the help!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide