04-30-2018 10:58 AM - edited 03-12-2019 05:14 AM
Hello Community
I have successfully been able to connect to my network by configuring the ASA to allow the Cisco AnyConnect client.
Once connected, I am not able to browse the internet, but I am able to SSH/HTTP onto my servers. I suspect I have not configured DNS; I believe split tunnelling is turned on by default. Looking for any solutions, please.
My inside network is on 172.16.6.0/23.
I created an IP pool 172.16.100.1-172.16.100.5; when connecting via AnyConnect I get a 100.2 IP address.
See below the 1st NAT exemption. Would I need to remove this, or do I have to put an internal route in?
access-list INT_NONAT line 7 extended permit ip 172.16.6.0 255.255.254.0 172.16.100.0 255.255.255.0
2nd NAT exempt rule: 192.168.1.0/24 is my internet IP, let's say from home, going to my corp IP.
access-list INT_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.6.0 255.255.254. (my private home network)
Any ideas would be great. Thank you.
05-01-2018 06:08 AM
Without seeing your configuration it is difficult to say exactly what the problem is.
For your AnyConnect VPN to access the inside network you need to have NAT exempt configured if the VPN head end has dynamic NAT configured on it. You will also need to have dynamic NAT configured for the AnyConnect VPN subnet for outside to outside. In addition to this you need the command same-security-traffic permit intra-interface.
Hope this helps.
05-01-2018 06:56 AM
Any suggestions?
Thank you.
05-01-2018 06:58 AM
I gave you some things to look for in my previous post.
05-02-2018 08:21 AM
Hello @ketansoni1,
As @Marius Gunnerud already mentioned, you need to verify the NAT outside, outside for the traffic and also the same-security-traffic configuration.
But based on your statement, we need to check the configuration:
Once connected, I am not able to browse the internet, but I am able to SSH/HTTP onto my servers. I suspect I have not configured DNS; I believe split tunnelling is turned on by default. Looking for any solutions, please.
My question is, would you like to do Split-Tunnel or Tunnel All? Just for reference, the default is tunnel all, and if you want to use split-tunnel you don't need to do all the other stuff mentioned before.
If you can share the configuration that would be really helpful too.
HTH
Gio
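To make the two options in the replies above concrete, here is an added ASA configuration example; it is not from any poster in this thread. It uses the pre-8.3 NAT syntax to match the INT_NONAT access-list in the question; the pool, group-policy and tunnel-group names and the DNS server address are assumptions.

```cisco
! Added example, not from the thread. Pre-8.3 ASA NAT syntax.
! ANYCONNECT_POOL, ANYCONNECT_GP, ANYCONNECT_TG, SPLIT_TUNNEL and the
! DNS server 172.16.6.10 are assumed names/values.
ip local pool ANYCONNECT_POOL 172.16.100.1-172.16.100.5 mask 255.255.255.0

! NAT exemption so inside hosts and VPN clients talk without translation.
! Clients source traffic from their pool address, so the exemption is
! written against the pool (first INT_NONAT line from the question).
access-list INT_NONAT extended permit ip 172.16.6.0 255.255.254.0 172.16.100.0 255.255.255.0
nat (inside) 0 access-list INT_NONAT

! Common client settings: without a reachable DNS server through the
! tunnel, name resolution (and so web browsing) fails.
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 dns-server value 172.16.6.10
 default-domain value corp.example

tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy ANYCONNECT_GP

! Option A: tunnel-all (the default). Client internet traffic arrives on
! the outside interface and must leave on outside again, so permit the
! hairpin and PAT the pool behind the outside address.
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 172.16.100.0 255.255.255.0

! Option B: split tunnel. Only 172.16.6.0/23 enters the tunnel; internet
! traffic uses the client's own connection, so Option A is not needed.
access-list SPLIT_TUNNEL standard permit 172.16.6.0 255.255.254.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

Apply either Option A or Option B, not both; with split tunnelling the client's internet traffic never reaches the ASA, so the outside-to-outside NAT has nothing to translate.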