ASA 5525- Anyconnect Full Tunnel LAN Traffic ok but no Internet

garybrophy
Level 1

Hi All,

I have a strange issue that I have not seen before. The customer has 2 profiles set up on the firewall with LDAP auth and these work fine.

The customer wants to test MFA so we have set up another profile with a RADIUS connection to the MFA server. They can connect into this profile and get authenticated with no issues. They pick up the correct IP pool and can access all internal resources.

But when browsing to the Internet the firewall is dropping the traffic. I set up a capture of type asp-drop all:

Drop-reason: (acl-drop) Flow is denied by configured rule

The profile has a filter list to allow all traffic for testing and a NAT rule to allow the network out:

object network ANYCONNECT_NETWORK
nat (OUTSIDE,OUTSIDE) dynamic interface

sysopt connection permit-vpn is enabled.

I cannot see why the firewall is dropping this traffic. The tunnel groups and group policy are essentially the same as the LDAP profiles, with the only difference being that the auth profile is RADIUS.

Anyone come across anything like this before?

thanks

Gary

1 Accepted Solution

Accepted Solutions

Issue solved - I should have copped it with show vpn-sessiondb detail anyconnect filter name user.

There was a filter applied to the session that was not part of the group-policy. The RADIUS server had this tied to the logins so it was getting applied to the sessions. That access list was set up incorrectly.

Thanks for the engagement.

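The accepted solution comes down to one check: the filter actually applied to the session is not necessarily the vpn-filter in the group-policy, because a RADIUS attribute returned at login can push a different ACL. The following is an added example (not from this thread, and not a Cisco tool) that parses the "Key : Value" layout of show vpn-sessiondb detail anyconnect output and reports any session whose applied Filter Name differs from the one its group-policy configures. The sample output is constructed for the example; the session layout it assumes (a Username line per session, a Group Policy line, and Filter Name lines under the tunnel sub-blocks) is an assumption about the command's output, and the usernames and filter name RADIUS-STAFF-ACL are invented.

```python
"""Audit which ACL is really applied to each AnyConnect session.

Added example, not from the original thread. It parses the "Key : Value"
layout of `show vpn-sessiondb detail anyconnect` output and compares the
Filter Name on each tunnel with the vpn-filter the session's group-policy
configures. A mismatch means something other than the group-policy (for
example a RADIUS attribute returned at login) pushed the filter.
"""
import re

# vpn-filter per group-policy, taken from the config posted in the thread.
GROUP_POLICY_FILTER = {"AuthPointPolicy": "SSL-MFA-ACCESS"}

# Constructed sample modelled on the command's "Key : Value" layout
# (assumption: this is not a capture from the thread). Usernames, public IPs
# and the RADIUS-STAFF-ACL filter name are invented.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : alice                  Index        : 12
Assigned IP  : 10.10.10.5             Public IP    : 198.51.100.7
Group Policy : AuthPointPolicy        Tunnel Group : AuthPointGroup

SSL-Tunnel:
  Tunnel ID    : 12.2
  Filter Name  : RADIUS-STAFF-ACL

Username     : bob                    Index        : 13
Assigned IP  : 10.10.10.6             Public IP    : 198.51.100.8
Group Policy : AuthPointPolicy        Tunnel Group : AuthPointGroup

SSL-Tunnel:
  Tunnel ID    : 13.2
  Filter Name  : SSL-MFA-ACCESS
"""

# Two "Key : Value" pairs can share one line, so every pair is matched on
# its own; the lazy key group stops at the first colon.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")


def parse_sessions(text):
    """Return one dict per session: username, group_policy, applied filters."""
    sessions = []
    current = None
    for line in text.splitlines():
        pairs = {k.strip(): v for k, v in PAIR_RE.findall(line)}
        if "Username" in pairs:          # a new session block starts here
            current = {"username": pairs["Username"],
                       "group_policy": None, "filters": set()}
            sessions.append(current)
        if current is None:
            continue                     # header lines before the first session
        if "Group Policy" in pairs:
            current["group_policy"] = pairs["Group Policy"]
        if "Filter Name" in pairs:       # one per tunnel (SSL, DTLS, ...)
            current["filters"].add(pairs["Filter Name"])
    return sessions


def filter_mismatches(text, policy_filters=GROUP_POLICY_FILTER):
    """Return (username, expected_filter, [unexpected filters]) for every
    session carrying a filter its group-policy did not configure."""
    problems = []
    for session in parse_sessions(text):
        expected = policy_filters.get(session["group_policy"])
        unexpected = sorted(f for f in session["filters"] if f != expected)
        if unexpected:
            problems.append((session["username"], expected, unexpected))
    return problems


if __name__ == "__main__":
    for user, expected, applied in filter_mismatches(SAMPLE_OUTPUT):
        print(f"{user}: group-policy filter {expected!r}, session has {applied}")
```

Run it against the saved output of show vpn-sessiondb detail anyconnect; the session the RADIUS server decorated shows up with a filter name that is not SSL-MFA-ACCESS, which is exactly the condition the thread took several replies to find. When the applied ACL has a different name, the next step is to look at that ACL rather than at the group-policy.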


I want to see all config 

same-security-traffic permit intra-interface <<- this I think you need to add

This was already there - same-security-traffic permit intra-interface.

I think this covers everything - the pool matches the access list and NAT object:

aaa-server AuthPointGateway protocol radius
aaa-server AuthPointGateway (INSIDE) host x.x.x.x
timeout 60
key *****
authentication-port 1812
accounting-port 1813


tunnel-group AuthPointGroup type remote-access
tunnel-group AuthPointGroup general-attributes
address-pool MFA-TEST-x.x.x.x
authentication-server-group AuthPointGateway
default-group-policy AuthPointPolicy
tunnel-group AuthPointGroup webvpn-attributes
group-alias xxAuthPointGroup enable


group-policy AuthPointPolicy internal
group-policy AuthPointPolicy attributes
banner value *** STAFF ACCESS ***
dns-server value x.x.x.x
vpn-simultaneous-logins 5
vpn-filter value SSL-MFA-ACCESS
vpn-tunnel-protocol ssl-client
split-tunnel-policy excludespecified
split-tunnel-network-list value MS-Teams_and_ZOOM
default-domain value xxx
address-pools value MFA-TEST-x.x.x.x


access-list SSL-MFA-ACCESS line 1 extended permit ip x.x.x.x any

object network ANYCONNECT_NETWORK
nat (OUTSIDE,OUTSIDE) dynamic interface
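The replies in this thread check the same handful of prerequisites by eye: the vpn-filter names an ACL that exists, the pool object has a hairpin NAT out of OUTSIDE, same-security-traffic permit intra-interface is set, and sysopt connection permit-vpn has not been turned off. The following is an added example (not from the thread, and not a Cisco tool) that reads those points out of a running-config text. The config it parses is assembled from the snippets posted above, with the thread's own x.x.x.x redactions kept; the one-space indentation of sub-mode lines is how the ASA prints show running-config, and the check for "no sysopt connection permit-vpn" relies on the fact that the command is on by default and only its no form appears in the running config.

```python
"""Check the AnyConnect prerequisites discussed in this thread against a
running-config text. Added example, not from the thread or from Cisco.
"""

# Assembled from the thread's snippets (x.x.x.x are the thread's redactions).
# Sub-mode lines are indented with one space, as `show running-config` prints them.
CONFIG = """\
same-security-traffic permit intra-interface
object network ANYCONNECT_NETWORK
 nat (OUTSIDE,OUTSIDE) dynamic interface
group-policy AuthPointPolicy internal
group-policy AuthPointPolicy attributes
 vpn-filter value SSL-MFA-ACCESS
 vpn-tunnel-protocol ssl-client
 address-pools value MFA-TEST-x.x.x.x
access-list SSL-MFA-ACCESS extended permit ip x.x.x.x any
"""


def _blocks(config):
    """Yield (top-level line, [indented sub-mode lines]) pairs."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():            # sub-mode line belongs to current header
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def audit_anyconnect(config, policy, pool_object):
    """Return a list of findings; an empty list means all four checks pass."""
    blocks = list(_blocks(config))
    top = [h for h, _ in blocks]
    findings = []

    # 1. The group-policy's vpn-filter must reference an ACL that exists;
    #    a vpn-filter pointing at a missing ACL denies every session.
    vpn_filter = None
    for h, kids in blocks:
        if h == f"group-policy {policy} attributes":
            for k in kids:
                if k.startswith("vpn-filter value "):
                    vpn_filter = k.split()[-1]
    if vpn_filter is None:
        findings.append(f"{policy}: no vpn-filter, so decrypted traffic is "
                        "not filtered while sysopt permit-vpn is on")
    elif not any(h.startswith(f"access-list {vpn_filter} ") for h in top):
        findings.append(f"{policy}: vpn-filter {vpn_filter} references an ACL "
                        "that does not exist (implicit deny for all sessions)")

    # 2. Pool traffic that leaves through OUTSIDE needs a hairpin NAT.
    has_hairpin = any(h == f"object network {pool_object}"
                      and any(k.startswith("nat (OUTSIDE,OUTSIDE)") for k in kids)
                      for h, kids in blocks)
    if not has_hairpin:
        findings.append(f"{pool_object}: no nat (OUTSIDE,OUTSIDE) rule for the pool")

    # 3. OUTSIDE-to-OUTSIDE forwarding is denied without this line.
    if "same-security-traffic permit intra-interface" not in top:
        findings.append("same-security-traffic permit intra-interface is missing")

    # 4. permit-vpn is on by default; only the `no` form shows in the config.
    if "no sysopt connection permit-vpn" in top:
        findings.append("sysopt connection permit-vpn is disabled: decrypted VPN "
                        "traffic must also pass the OUTSIDE interface ACL")
    return findings


if __name__ == "__main__":
    for finding in audit_anyconnect(CONFIG, "AuthPointPolicy", "ANYCONNECT_NETWORK") or ["ok"]:
        print(finding)
```

Against the posted config the audit returns no findings, which matches the reply "your config is OK" and is why the drop had to come from something outside the running config, in this case the filter the RADIUS server attached to the session.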

Your config is OK.
Do packet tracer again, but make sure that you don't use an IP already used by another AnyConnect client.
Share the packet tracer.

Note: add "detail" at the end of the packet tracer command.

I have never found packet tracer to work when sourcing from the outside interface?

The source address is an internal RFC address, so I don't have an access list on the outside permitting that network to anything. The packet tracer just says access-list drop.

Petes-ASA# packet-tracer input outside tcp  <VPN Pool IP> 1234 <any public IP> www detail 

I don't have an access list on the outside for the IP pool.

i.e. if the pool is 10.10.10.0/24

I don't have an access list on the Outside interface allowing that network, as I would not expect it to be coming from the outside.

sysopt connection permit-vpn will allow the AnyConnect traffic, I believe.

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop x.x.x.x using egress ifc OUTSIDE

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056352e4120b4 flow (NA)/NA


Implicit Rule <<- meaning the implicit deny in the ACL.
I see you use vpn-filter; I think it is the issue here.

Remove the vpn-filter,
disable sysopt connection permit-vpn,
then apply an ACL to the INSIDE interface for AnyConnect.


You are so so welcome friend