4897 Views, 5 Helpful, 8 Replies

anyconnect

jkay18041
Level 3

Hello, I have an ASA 5510 and have been trying to set up the AnyConnect VPN on it. I got it working in the sense that you can connect, but it kills my internet access. Where have I gone wrong? I've also noticed the ASA kills ICMP except between devices on the LAN; is there a way to fix this?

Thank you

1 Accepted Solution: Aditya's reply below, which adds split-tunnel-policy tunnelspecified to group-policy GroupPolicy_test.
8 Replies

Aditya Ganjoo
Level 9

Hi,

You need to enable split tunnel on the ASA to resolve this.

Here is the link for this:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa-split-tunnel-vpn-client.html

Regards,

Aditya

Please rate helpful posts and mark correct answers.


I went through the document you sent me. It looks like my version is slightly different. I was able to see that it added a new route to my VPN config, but I still don't get internet access and I can't ping my local network behind the ASA.

Can you see where I've gone wrong?


ASA Version 8.4(7)
!
hostname ciscoasa
enable password  encrypted
passwd  encrypted
names
!
interface Ethernet0/0
description WAN
nameif WAN
security-level 0
ip address 68.155.193.200 255.255.255.240
!
interface Ethernet0/1
description LAN
nameif LAN
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa847-k8.bin
boot system disk0:/asa916-k8.bin
ftp mode passive
dns domain-lookup LAN
dns server-group DefaultDNS
name-server 8.8.8.8
object network Generic_All
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.10.0_27
subnet 192.168.10.0 255.255.255.224
access-list Split_Tunnel standard permit 192.168.1.0 255.255.255.0
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
pager lines 24
mtu WAN 1500
mtu LAN 1500
ip local pool dhcp_vpn 192.168.10.10-192.168.10.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-752-153.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (LAN,WAN) source dynamic Generic_All interface
nat (LAN,WAN) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
route WAN 0.0.0.0 0.0.0.0 68.155.193.193 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.1.1,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 19423e59
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable WAN client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 LAN
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 LAN vpnlb-ip
ssl trust-point ASDM_TrustPoint0 WAN
webvpn
enable WAN
enable LAN
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
anyconnect profiles test_client_profile disk0:/test_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
split-tunnel-all-dns enable
group-policy GroupPolicy_test internal
group-policy GroupPolicy_test attributes
wins-server none
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
password-storage disable
split-tunnel-network-list value Split_Tunnel
default-domain none
webvpn
anyconnect profiles value test_client_profile type user
username  password  encrypted
username  password . encrypted
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool dhcp_vpn
default-group-policy GroupPolicy_test
tunnel-group test webvpn-attributes
group-alias test enable
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:438987

Thank you for your help on this!

Hi,

Can you enable the following line under the group-policy and test:

group-policy GroupPolicy_test attributes
wins-server none
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
password-storage disable

split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel

Regards,

Aditya

Please rate helpful posts and mark correct answers.
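A check for the attribute Aditya asks for, as an added example that is not part of this thread and not Cisco code. It parses the relevant lines of the running-config posted above (re-indented with one leading space on sub-commands, as `show running-config` prints them; the paste above lost that indentation) and reports, for each tunnel-group, the split-tunnel and DNS settings that actually take effect, following the ASA rule that a group-policy inherits any attribute it does not set from DfltGrpPolicy, and falling back to the platform default (tunnelall) when neither sets it. It also flags the DES, 3DES and MD5 algorithms that the posted IKEv2 policies and IPsec proposals still offer. The `split-tunnel-all-dns enable` line in DfltGrpPolicy combined with no `dns-server value` in either policy is worth noting: the client is told to send every DNS query into the tunnel while being given no resolver, which is consistent with the "no DNS server" the poster reports later in the thread.

```python
"""Lint an ASA running-config for the AnyConnect split-tunnel and DNS settings
discussed in this thread and for the weak IKEv2/IPsec algorithms the posted
config negotiates.  Added example, not from the thread or from Cisco."""
import re

# Headers whose sub-commands we collect; 'show running-config' indents them
# with one space (the paste in the thread lost that indentation).
BLOCK_PREFIXES = ("group-policy ", "tunnel-group ", "crypto ikev2 policy ",
                  "crypto ipsec ikev2 ipsec-proposal ")
WEAK_ALGS = {"des", "3des", "md5"}

# Constructed sample: the relevant lines of the posted config, re-indented.
SAMPLE_CONFIG = """\
ip local pool dhcp_vpn 192.168.10.10-192.168.10.20 mask 255.255.255.0
access-list Split_Tunnel standard permit 192.168.1.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel
 split-tunnel-all-dns enable
group-policy GroupPolicy_test attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-network-list value Split_Tunnel
tunnel-group test general-attributes
 address-pool dhcp_vpn
 default-group-policy GroupPolicy_test
"""

def parse_blocks(config):
    """Return (top-level lines, {block header: [sub-command lines]})."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())      # sub-command of current block
            continue
        line = raw.strip()
        top.append(line)
        current = line if line.startswith(BLOCK_PREFIXES) else None
        if current is not None:
            blocks.setdefault(current, [])
    return top, blocks

def effective(blocks, policy, key, default=None):
    """ASA inheritance: the policy's own value, else DfltGrpPolicy's, else the
    platform default.  Returns (command line, where it came from)."""
    for name in (policy, "DfltGrpPolicy"):
        for line in blocks.get(f"group-policy {name} attributes", []):
            if line.split()[0] == key:
                return line, name
    return default, "builtin default"

def lint(config):
    """Return human-readable findings, one list entry per problem found."""
    top, blocks = parse_blocks(config)
    acls = {l.split()[1] for l in top if l.startswith("access-list ")}
    findings = []
    for header, lines in blocks.items():
        m = re.match(r"tunnel-group (\S+) general-attributes", header)
        if not m:
            continue
        sub = {l.split()[0]: l for l in lines}
        pol = sub.get("default-group-policy",
                      "default-group-policy DfltGrpPolicy").split()[1]
        tag = f"tunnel-group {m.group(1)} / group-policy {pol}"
        stp, src = effective(blocks, pol, "split-tunnel-policy",
                             "split-tunnel-policy tunnelall")
        mode = stp.split()[1]
        if mode == "tunnelall":
            findings.append(f"{tag}: split-tunnel-policy tunnelall ({src}); every client "
                            "packet enters the tunnel, so Internet access fails unless the "
                            "ASA is set up to hairpin it back out")
        else:
            if src != pol:
                findings.append(f"{tag}: split-tunnel-policy {mode} is only inherited from "
                                f"{src}; set it explicitly in the policy")
            lst, _ = effective(blocks, pol, "split-tunnel-network-list")
            if lst is None or lst.split()[2] not in acls:
                findings.append(f"{tag}: split-tunnel-network-list missing or names an "
                                "undefined ACL")
        if effective(blocks, pol, "dns-server")[0] is None:
            alldns, asrc = effective(blocks, pol, "split-tunnel-all-dns",
                                     "split-tunnel-all-dns disable")
            msg = f"{tag}: no dns-server value is pushed to clients"
            if alldns.split()[1] == "enable":
                msg += (f"; with split-tunnel-all-dns enable ({asrc}) every DNS query goes "
                        "into the tunnel, so resolution fails unless the client's own "
                        "resolver is reachable through it")
            findings.append(msg)
    # Weak algorithms (DES, 3DES, MD5) in IKEv2 policies and IPsec proposals.
    for header, lines in blocks.items():
        for l in lines:
            if header.startswith("crypto ") and set(l.split()) & WEAK_ALGS:
                findings.append(f"{header}: weak algorithm in '{l}'")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```

The linter only matches algorithm names; the `group 5 2` lines in the IKEv2 policies and the `ssh key-exchange group dh-group1-sha1` line in the posted config deserve the same scrutiny, and the `effective()` lookup assumes the two-level inheritance (policy, then DfltGrpPolicy) that applies when no per-user attributes override it.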


Adding that allowed me to ping 8.8.8.8 from a client computer connected to the VPN; however, it doesn't work and I can't ping hosts on the inside/LAN side of the Cisco ASA. I did notice I don't get a default gateway from the VPN, nor do I get a DNS server. I manually added 8.8.8.8 as the DNS, but that didn't resolve the issue of web browsing while on the VPN.

Sorry to be such a bother; I really appreciate your help.

Hi,

Config seems fine now.

Can you take a capture on the ASA and check whether the packets at least reach the inside of the ASA?

capture capin interface LAN match icmp host <any host behind LAN> host <AnyConnect client IP>

Please share the outputs.

Regards,

Aditya

Please rate helpful posts and mark correct answers.


1: 03:12:54.612959 192.168.10.11 > 192.168.1.2: icmp: echo request
2: 03:12:54.613341 192.168.1.2 > 192.168.10.11: icmp: echo reply
3: 03:12:59.264863 192.168.10.11 > 192.168.1.2: icmp: echo request
4: 03:12:59.265229 192.168.1.2 > 192.168.10.11: icmp: echo reply
5: 03:13:00.853502 192.168.1.2 > 192.168.10.11: icmp: echo request
6: 03:13:04.266435 192.168.10.11 > 192.168.1.2: icmp: echo request
7: 03:13:04.266770 192.168.1.2 > 192.168.10.11: icmp: echo reply
8: 03:13:05.761084 192.168.1.2 > 192.168.10.11: icmp: echo request
9: 03:13:09.253389 192.168.10.11 > 192.168.1.2: icmp: echo request
10: 03:13:09.253725 192.168.1.2 > 192.168.10.11: icmp: echo reply
11: 03:13:10.762655 192.168.1.2 > 192.168.10.11: icmp: echo request
12: 03:13:15.764227 192.168.1.2 > 192.168.10.11: icmp: echo request
12 packets shown

On the computer with AnyConnect connected (192.168.10.11) I get the IP address and subnet but no default gateway or DNS server.
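A way to read that capture mechanically, as an added example that is not part of this thread: it pairs each ICMP echo request in the `show capture` output with the reply that flows back the other way, per direction. On the twelve lines posted above it reports that every request from the AnyConnect client (192.168.10.11) to the LAN host (192.168.1.2) was answered, while the four requests the LAN host sent to the client (packets 5, 8, 11 and 12) got no reply at the ASA, which is the asymmetry Aditya's firewall question is probing. The capture text is embedded as constructed sample input.

```python
"""Pair ICMP echo requests with replies in ASA 'show capture' output to see
which direction is actually answered.  Added example, not from the thread;
the capture lines are the ones posted above, embedded as sample input."""
import re

CAPTURE = """\
1: 03:12:54.612959 192.168.10.11 > 192.168.1.2: icmp: echo request
2: 03:12:54.613341 192.168.1.2 > 192.168.10.11: icmp: echo reply
3: 03:12:59.264863 192.168.10.11 > 192.168.1.2: icmp: echo request
4: 03:12:59.265229 192.168.1.2 > 192.168.10.11: icmp: echo reply
5: 03:13:00.853502 192.168.1.2 > 192.168.10.11: icmp: echo request
6: 03:13:04.266435 192.168.10.11 > 192.168.1.2: icmp: echo request
7: 03:13:04.266770 192.168.1.2 > 192.168.10.11: icmp: echo reply
8: 03:13:05.761084 192.168.1.2 > 192.168.10.11: icmp: echo request
9: 03:13:09.253389 192.168.10.11 > 192.168.1.2: icmp: echo request
10: 03:13:09.253725 192.168.1.2 > 192.168.10.11: icmp: echo reply
11: 03:13:10.762655 192.168.1.2 > 192.168.10.11: icmp: echo request
12: 03:13:15.764227 192.168.1.2 > 192.168.10.11: icmp: echo request
12 packets shown
"""

# One ASA capture line: "<n>: HH:MM:SS.ffffff <src> > <dst>: icmp: echo <kind>"
PKT = re.compile(r"^\s*(\d+): (\d\d):(\d\d):(\d\d\.\d+) ([\d.]+) > ([\d.]+): "
                 r"icmp: echo (request|reply)")


def parse_capture(text):
    """Return one dict per ICMP echo line; other capture lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = PKT.match(line)
        if m:
            n, h, mi, s, src, dst, kind = m.groups()
            pkts.append({"n": int(n), "t": int(h) * 3600 + int(mi) * 60 + float(s),
                         "src": src, "dst": dst, "kind": kind})
    return pkts


def pair_echoes(pkts, timeout=2.0):
    """Match each echo request to the first unused reply that flows back the
    other way within `timeout` seconds; return per-direction statistics."""
    replies = [p for p in pkts if p["kind"] == "reply"]
    used, stats = set(), {}
    for req in (p for p in pkts if p["kind"] == "request"):
        key = f"{req['src']} -> {req['dst']}"
        d = stats.setdefault(key, {"requests": 0, "answered": 0, "unanswered": []})
        d["requests"] += 1
        hit = next((r for r in replies if r["n"] not in used and r["src"] == req["dst"]
                    and r["dst"] == req["src"] and 0 <= r["t"] - req["t"] <= timeout), None)
        if hit is None:
            d["unanswered"].append(req["n"])
        else:
            used.add(hit["n"])
            d["answered"] += 1
    return stats


def verdict(stats):
    """One line per direction saying whether the far end answered."""
    out = []
    for key, d in stats.items():
        if d["answered"] == d["requests"]:
            out.append(f"{key}: all {d['requests']} echo requests answered")
        else:
            out.append(f"{key}: {d['answered']}/{d['requests']} answered, "
                       f"unanswered packet numbers {d['unanswered']}")
    return out


if __name__ == "__main__":
    for line in verdict(pair_echoes(parse_capture(CAPTURE))):
        print(line)
```

Because the capture sits on the LAN interface, an unanswered request in the LAN-to-client direction only tells you that no reply came back through the ASA; it does not say whether the tunnel, the client's stack or something on the client dropped it, which is why the next step in the thread is to look at the client side.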

Hi,

It seems the ASA is sending the reply as well.

Can you turn off the Anti-Virus or Firewall on the PC?

Regards,

Aditya

Please rate helpful posts and mark correct answers.


Neither computer has a firewall or antivirus on or installed. I did notice on the client computer that if I go into the AnyConnect settings there are no firewall rules to permit or deny anything... Would this cause an issue?

On the client computer, if I do a ping 8.8.8.8 it responds, but it goes out of my primary internet connection, not through the VPN. But if I do a ping www.google.com it says I have no DNS. Once I disconnect AnyConnect my DNS works on my LAN connection again.