11-13-2018 09:08 AM
ciscoasa(config)#ip local pool vpnpool 10.1.3.1-10.1.3.254 mask 255.255.255.0
ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#enable outside
ciscoasa(config-webvpn)#anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg
ciscoasa(config-webvpn)#tunnel-group-list enable
ciscoasa(config-webvpn)#anyconnect enable
ciscoasa(config)#access-list SPLIt-ACL standard permit 172.20.160.0 255.255.255.0
ciscoasa(config)#access-list SPLIt-ACL standard permit 192.168.21.0 255.255.255.0
ciscoasa(config)#group-policy vpntest internal
ciscoasa(config)#group-policy vpntest attributes
ciscoasa(config-group-policy)#vpn-tunnel-protocol ssl-client
ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)#split-tunnel-network-list SPLIt-ACL
ciscoasa(config)#tunnel-group vpntest type remote-access
ciscoasa(config)#tunnel-group vpntest general-attributes
ciscoasa(config-tunnel-general)#address-pool vpnpool
ciscoasa(config-tunnel-general)#default-group-policy vpntest
ciscoasa(config-tunnel-general)#exit
ciscoasa(config)#tunnel-group vpntest webvpn-attributes
ciscoasa(config-tunnel-webvpn)#group-alias vpntest_users enable
There is no hit on the ACL.
11-14-2018 10:13 AM
I'm not sure what you mean by "there is not hit to ACL", but keep in mind the following:
-The correct command to apply the ACL to the split tunnel config is:
split-tunnel-network-list value
-Also the ACL applied to the split tunnel is not going to show any hit counts (in case that's what you mean).
If your question is related to something else, please explain a little bit more so we can help.
Hope this info helps!!
Rate if it helps you!!
-JP-
11-15-2018 07:29 AM
asa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list SPLIt-ACL; 2 elements; name hash: 0xb661bf5f
access-list SPLIt-ACL line 1 standard permit 172.20.160.0 255.255.255.0 (hitcnt=0) 0x6e30947a
access-list SPLIt-ACL line 2 standard permit 192.168.21.0 255.255.255.0 (hitcnt=0) 0x31eb7c0f
asa# sh run group-policy
group-policy vpntest internal
group-policy vpntest attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIt-ACL
webvpn
anyconnect firewall-rule client-interface public value SPLIt-ACL
anyconnect firewall-rule client-interface private value SPLIt-ACL
Thank you for helping. The configuration above is the ACL detail in my ASA; if you need any information, please let me know.
My ACL is not running, and I have no idea why.
11-15-2018 04:53 PM
I'm still confused about what is not working here. If you are expecting the hit counts on the standard ACL to increment, that is not going to happen. If you have a client already connected with AnyConnect and they are not able to access the subnets specified on the split tunnel ACL, this could be related to a couple of other configs. Can you run the following command and make sure this traffic is going out your firewall through the AnyConnect and not just through the internet:
Ex.
packet-tracer input inside icmp 172.20.160.10 8 0 <ip assigned to the client> detail
You can also run the following command on the CLI to check the IP of the client:
sh vpn-sessiondb anyconnect
I will probably be able to give you a solution quickly if you are more specific about the issue you are having.
Hope this info helps!!
Rate if it helps you!!
-JP-
11-16-2018 08:38 AM
asa# sh vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : test Index : 204
Assigned IP : 10.1.3.3 Public IP : XXXXX
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 56786 Bytes Rx : 44523
Group Policy : vpntest Tunnel Group : vpntest
Login Time : 08:37:41 UTC Fri Nov 16 2018
Duration : 0h:05m:33s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a80101000cc0005bee81d5
Security Grp : none
asa#
I did not permit the VPN to go out to the internet, but I can still reach 8.8.8.8. How can I deny my VPN client access to the internet?
11-16-2018 09:40 AM
If you don't want your clients to be able to access the internet, you are not supposed to use split tunnel, since split tunnel is only going to send the specified traffic through the VPN and the rest will use the local VA of the computer. I would recommend you check the following config guide and understand the configuration so you can implement it:
If you want all the traffic to go through the tunnel so you can restrict the internet access, you need to do tunnel-all.
Hope this info helps!!
Rate if it helps you!!
-JP-
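The split-tunnel point JP makes above (a standard ACL under split-tunnel-network-list is a route list pushed to the client, not a filter the ASA enforces, so the hit counts never move and 8.8.8.8 simply leaves via the client's local path under tunnelspecified) can be checked against the thread's own ACL with a small model. This is an added example, not code from the thread or from Cisco: it parses a constructed copy of the OP's "show access-list" output and decides, per destination, whether the client would send the traffic into the AnyConnect tunnel. It goes slightly beyond the thread by modelling all three ASA split-tunnel-policy keywords (tunnelall, tunnelspecified, excludespecified); the function names and the SHOW_ACL text are my own.

```python
"""Model the client-side effect of an ASA group-policy's split-tunnel settings.

Added example (not from the thread or from Cisco). The ACL text below is a
constructed copy of the OP's 'show access-list' output; function names are
assumptions made for this illustration.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed copy of the OP's output: two standard ACEs, both hitcnt=0,
# which is expected because the ASA never evaluates a split-tunnel ACL
# against traffic; it only pushes the prefixes to the AnyConnect client.
SHOW_ACL = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list SPLIt-ACL; 2 elements; name hash: 0xb661bf5f
access-list SPLIt-ACL line 1 standard permit 172.20.160.0 255.255.255.0 (hitcnt=0) 0x6e30947a
access-list SPLIt-ACL line 2 standard permit 192.168.21.0 255.255.255.0 (hitcnt=0) 0x31eb7c0f
"""

# Matches one standard permit ACE line; other 'show access-list' lines are skipped.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line \d+ standard permit "
    r"(?P<net>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+\.\d+\.\d+\.\d+)"
)


def parse_standard_acl(show_output: str) -> dict[str, list[ipaddress.IPv4Network]]:
    """Return {acl_name: [IPv4Network, ...]} for the standard ACEs in the output."""
    acls: dict[str, list[ipaddress.IPv4Network]] = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            net = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}")
            acls.setdefault(m["name"], []).append(net)
    return acls


def goes_through_tunnel(policy: str, split_list: list[ipaddress.IPv4Network], dst: str) -> bool:
    """Decide whether the client sends traffic for dst into the tunnel.

    policy is an ASA split-tunnel-policy keyword:
      tunnelall        - everything is tunnelled, internet included
      tunnelspecified  - only networks in the list are tunnelled
      excludespecified - networks in the list bypass the tunnel, the rest is tunnelled
    """
    ip = ipaddress.IPv4Address(dst)
    matched = any(ip in net for net in split_list)
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":
        return matched
    if policy == "excludespecified":
        return not matched
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def egress_report(policy: str, split_list: list[ipaddress.IPv4Network], destinations: list[str]) -> dict[str, str]:
    """Map each destination to 'tunnel' or 'local' under the given policy."""
    return {
        dst: ("tunnel" if goes_through_tunnel(policy, split_list, dst) else "local")
        for dst in destinations
    }


if __name__ == "__main__":
    nets = parse_standard_acl(SHOW_ACL)["SPLIt-ACL"]
    probes = ["172.20.160.10", "192.168.21.5", "8.8.8.8"]
    for policy in ("tunnelspecified", "tunnelall"):
        print(policy, egress_report(policy, nets, probes))
```

Under tunnelspecified the report shows 8.8.8.8 as "local", which is exactly why the OP could still reach it: the ASA never saw that traffic, and nothing on the ASA (ACL hit counts included) could have blocked it. Under tunnelall the same destination is "tunnel", so it now arrives at the ASA, where it is subject to whatever the firewall policy there allows.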
11-16-2018 10:56 AM
Thank you for helping. I tried to use the full tunnel, but it does not work either.
group-policy vpntest internal
group-policy vpntest attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value SPLIt-ACL
webvpn
anyconnect firewall-rule client-interface public value SPLIt-ACL
anyconnect firewall-rule client-interface private value SPLIt-ACL
11-16-2018 10:59 AM
Yes, it blocks my internet traffic, but the ACL does not work.