01-22-2015 06:00 PM
Good Day everyone,
I have a test Cisco ASA that's in a lab. The outside interface is connected to the Internet and the inside interface is connected to the LAN. I set up SSL VPN using the wizard, and when I fire up my AnyConnect application (from outside my network, to test connectivity) I am able to connect, but return traffic does not function. I see sent packet bytes increasing but nothing coming back.
Below is my configuration:
internal-fw-home/sec# show running-config
: Saved
:
: Serial Number: xxxxxxxxxxx
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(2)4
!
hostname internal-fw-home
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool ANYCONNECT-POOL 192.168.100.30-192.168.100.254 mask 255.255.255.0
!
interface Ethernet0/0
description DESKTOP_PC
!
interface Ethernet0/1
description CABLEVISION
switchport access vlan 12
!
interface Ethernet0/2
description WiFi
!
interface Ethernet0/3
description LAB equipment
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan12
description CKT-CABLEVISION-20MB-0/1
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa922-4-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.4.4
domain-name default.domain.invalid
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
logging enable
logging timestamp
logging buffered debugging
logging trap informational
logging asdm debugging
logging device-id hostname
logging host inside 10.1.1.2
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL auto-enable
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_2
enrollment self
subject-name CN=10.1.1.1,CN=internal-fw-home
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_2
certificate 74bd8e54
30820243 308201ac a0030201 02020474 bd8e5430 0d06092a 864886f7 0d010105
05003066 31193017 06035504 03131069 6e746572 6e616c2d 66772d68 6f6d6531
11300f06 03550403 13083130 2e312e31 2e313136 30340609 2a864886 f70d0109
02162769 6e746572 6e616c2d 66772d68 6f6d652e 64656661 756c742e 646f6d61
696e2e69 6e76616c 6964301e 170d3134 31323238 32323231 33385a17 0d323431
32323532 32323133 385a3066 31193017 06035504 03131069 6e746572 6e616c2d
66772d68 6f6d6531 11300f06 03550403 13083130 2e312e31 2e313136 30340609
2a864886 f70d0109 02162769 6e746572 6e616c2d 66772d68 6f6d652e 64656661
756c742e 646f6d61 696e2e69 6e76616c 69643081 9f300d06 092a8648 86f70d01
01010500 03818d00 30818902 81810084 0b7119f5 01187fa1 730cbefd 1154c6de
61f50fab cbc5ddf7 88f09c61 1b420c60 2a722f2c 68528ab9 379217b6 1bee2a39
15083a20 5f0c058e 9540b64b 3cb528da e0a9f84d 0aa91378 e7dd1234 06e83cb8
d9de6523 58bd5252 059508d8 6cec826b 3ca707ea 39bc9a59 909f7830 bf855bb4
1d092baa 639f37d9 d2d38f20 2c49db02 03010001 300d0609 2a864886 f70d0101
05050003 8181001b 519e6757 dfd094ca b9845095 6e419740 da0b0d81 1fa78221
de7b32bd b2dff5e9 e19181c0 44afe0ec f7952449 7d53fce5 ec9b497b 19ccd15c
1274b49d 7f615290 9c07c0be 7b737101 8f9a4384 c0ef780c dff68253 5170d664
9fe1889d f4e3e205 94d6b02c 7bea7b5d a281ebec 458eb83a fa02a619 343aba28
8466e0af c31cf6
quit
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_2
telnet timeout 5
ssh stricthostkeycheck
ssh 10.1.1.0 255.255.255.0 inside
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd address 10.1.1.2-10.1.1.12 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 206.246.122.250 source outside
ntp server 66.219.116.140 source outside
ntp server 165.193.126.229 source outside prefer
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 inside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.05182-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.4.4
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
default-domain value default.domain.invalid
group-policy GroupPolicy_SSL-VPN internal
group-policy GroupPolicy_SSL-VPN attributes
wins-server none
dns-server value 10.1.1.1 8.8.4.4
vpn-tunnel-protocol ssl-client
default-domain value default.domain.invalid
username e19262 password 4IOKIX/1luwaGA94 encrypted
username michael password 2THh7qjMF9mCrgtP encrypted privilege 15
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
address-pool ANYCONNECT-POOL
default-group-policy GroupPolicy_SSL-VPN
tunnel-group SSL-VPN webvpn-attributes
group-alias SSL-VPN enable
!
!
prompt hostname priority
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7e4a9b7cbb1e9276cfd27aaa5d6b6300
: end
internal-fw-home/sec#
01-22-2015 11:21 PM
Hi Michael,
Although you have exempted the AnyConnect pool from NAT, it seems the problem is with the order of operation of the NAT statements. Twice NAT statements are executed in the order they are configured.
According to your configuration:
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.100.0_24
So, your dynamic rule will hit first and the second statement will never get any hit count. Reordering your NAT statements may help:
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.100.0_24
nat (inside,outside) source dynamic any interface
"show nat detail" must show your static NAT in first position.
HTH
"Please rate helpful posts"
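The first-match behaviour described in the reply above, as an added example (not code from the thread or from Cisco): a small Python model of how the ASA walks its Section 1 (manual / twice NAT) rules top-down, plus a check that reports any rule whose whole source/destination space is already covered by an earlier rule and so can never get a hit count. The two rules, the LAN host 10.1.1.5 and the client address 192.168.100.30 are taken from the posted configuration; the rule names and the simplification to source/destination prefixes are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed model of how the ASA walks "Section 1" (manual / twice NAT)
# rules: top-down, first match wins, as the reply above describes. This is
# illustrative code written for this thread, not ASA software, and rules are
# simplified to a source prefix, a destination prefix and an action.
ANY4 = ip_network("0.0.0.0/0")
VPN_POOL = ip_network("192.168.100.0/24")   # the ANYCONNECT-POOL from the post


@dataclass(frozen=True)
class NatRule:
    name: str
    src: IPv4Network      # real source ("any" is 0.0.0.0/0)
    dst: IPv4Network      # real destination ("any" for the dynamic PAT rule)
    action: str           # "pat-to-interface" or "identity" (NAT exemption)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst


def first_match(rules, src_ip, dst_ip):
    """Return the first rule a (src, dst) pair hits, or None if no rule matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule
    return None


def shadowed_rules(rules):
    """List (shadowed, by) pairs: rules whose whole src/dst space is already
    covered by an earlier rule, so they can never get a hit count."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                found.append((later.name, earlier.name))
                break
    return found


# The two rules from the thread, in the order first posted and after the fix.
# Rule names are assumed labels for this example.
DYNAMIC_PAT = NatRule("dynamic-pat", ANY4, ANY4, "pat-to-interface")
VPN_EXEMPT = NatRule("vpn-exempt", ANY4, VPN_POOL, "identity")
ORIGINAL_ORDER = [DYNAMIC_PAT, VPN_EXEMPT]
FIXED_ORDER = [VPN_EXEMPT, DYNAMIC_PAT]


def lan_to_vpn_action(rules, lan_host="10.1.1.5", vpn_host="192.168.100.30"):
    """What happens to a LAN reply heading back to an AnyConnect client."""
    hit = first_match(rules, lan_host, vpn_host)
    return hit.action if hit else "no-nat"


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        print(label, "->", lan_to_vpn_action(rules), "shadowed:", shadowed_rules(rules))
```

With the rules in the originally posted order the model reports the exemption as shadowed by the dynamic PAT rule, and a LAN reply to 192.168.100.30 gets translated to the outside interface; with the exemption moved first the same reply hits the identity rule and Internet-bound traffic still falls through to the PAT rule. The real ASA also takes protocol and ports into account, which this model omits.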
01-23-2015 06:23 AM
Poonam Garg,
Reordering the NAT statements improved my situation greatly. Thanks for the advice.
Now I have two more issues. I can now ping a live workstation over the tunnel, but DNS resolution does not work. I can't get to external sites. The second issue is how to enable administration of the ASA over the tunnel. Please take a look at the new configuration, along with the IP settings on my workstation that has successfully connected to the ASA.
### Workstation ###
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : default.domain.invalid
home
Ethernet adapter Local Area Connection 5:
Connection-specific DNS Suffix . : default.domain.invalid
Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::74f6:6b4f:a0ac:2e0e%22(Preferred)
Link-local IPv6 Address . . . . . : fe80::f59b:2b3d:1b03:b6d5%22(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.100.30(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : ::
192.168.100.1
DHCPv6 IAID . . . . . . . . . . . : 369100186
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-A3-19-E3-A4-17-31-17-CF-80
DNS Servers . . . . . . . . . . . : 8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Users\Michael>nslookup
DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: 8.8.4.4
> google.com
Server: UnKnown
Address: 8.8.4.4
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
### Current configuration on ASA ###
ASA Version 9.2(2)4
!
hostname internal-fw-home
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool ANYCONNECT-POOL 192.168.100.30-192.168.100.254 mask 255.255.255.0
!
interface Ethernet0/0
description DESKTOP_PC
!
interface Ethernet0/1
description CABLEVISION
switchport access vlan 12
!
interface Ethernet0/2
description WiFi
!
interface Ethernet0/3
description LAB equipment
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan12
description CKT-CABLEVISION-20MB-0/1
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa922-4-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.4.4
domain-name default.domain.invalid
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap informational
logging asdm debugging
logging device-id hostname
logging host inside 10.1.1.2
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL auto-enable
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_2
enrollment self
subject-name CN=10.1.1.1,CN=internal-fw-home
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_2
certificate 74bd8e54
30820243 308201ac a0030201 02020474 bd8e5430 0d06092a 864886f7 0d010105
05003066 31193017 06035504 03131069 6e746572 6e616c2d 66772d68 6f6d6531
11300f06 03550403 13083130 2e312e31 2e313136 30340609 2a864886 f70d0109
02162769 6e746572 6e616c2d 66772d68 6f6d652e 64656661 756c742e 646f6d61
696e2e69 6e76616c 6964301e 170d3134 31323238 32323231 33385a17 0d323431
32323532 32323133 385a3066 31193017 06035504 03131069 6e746572 6e616c2d
66772d68 6f6d6531 11300f06 03550403 13083130 2e312e31 2e313136 30340609
2a864886 f70d0109 02162769 6e746572 6e616c2d 66772d68 6f6d652e 64656661
756c742e 646f6d61 696e2e69 6e76616c 69643081 9f300d06 092a8648 86f70d01
01010500 03818d00 30818902 81810084 0b7119f5 01187fa1 730cbefd 1154c6de
61f50fab cbc5ddf7 88f09c61 1b420c60 2a722f2c 68528ab9 379217b6 1bee2a39
15083a20 5f0c058e 9540b64b 3cb528da e0a9f84d 0aa91378 e7dd1234 06e83cb8
d9de6523 58bd5252 059508d8 6cec826b 3ca707ea 39bc9a59 909f7830 bf855bb4
1d092baa 639f37d9 d2d38f20 2c49db02 03010001 300d0609 2a864886 f70d0101
05050003 8181001b 519e6757 dfd094ca b9845095 6e419740 da0b0d81 1fa78221
de7b32bd b2dff5e9 e19181c0 44afe0ec f7952449 7d53fce5 ec9b497b 19ccd15c
1274b49d 7f615290 9c07c0be 7b737101 8f9a4384 c0ef780c dff68253 5170d664
9fe1889d f4e3e205 94d6b02c 7bea7b5d a281ebec 458eb83a fa02a619 343aba28
8466e0af c31cf6
quit
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_2
telnet timeout 5
ssh stricthostkeycheck
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh 71.190.152.162 255.255.255.255 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd address 10.1.1.2-10.1.1.12 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 206.246.122.250 source outside
ntp server 66.219.116.140 source outside
ntp server 165.193.126.229 source outside prefer
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 inside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.05182-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.4.4
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
default-domain value default.domain.invalid
group-policy GroupPolicy_SSL-VPN internal
group-policy GroupPolicy_SSL-VPN attributes
wins-server none
dns-server value 8.8.4.4
vpn-tunnel-protocol ssl-client
default-domain value default.domain.invalid
username e19262 password 4IOKIX/1luwaGA94 encrypted
username michael password 2THh7qjMF9mCrgtP encrypted privilege 15
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
address-pool ANYCONNECT-POOL
default-group-policy GroupPolicy_SSL-VPN
tunnel-group SSL-VPN webvpn-attributes
group-alias SSL-VPN enable
!
!
prompt hostname priority
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2f078a53c55494e1ef7b8acc548962d2
: end
internal-fw-home/sec#
01-23-2015 07:00 AM
Hi Michael,
Right now you have not applied split-tunneling, so the default route on your workstation will be pointing to the appliance's inside interface (use the "route print" command).
Your SSL-VPN group policy is pointing to an external DNS server (dns-server value 8.8.4.4, on the Internet). Presently you cannot reach that DNS server, as all traffic from your workstation is going via the tunnel.
You need to configure split-tunneling, so that:
the default route points to the physical adapter, and the route to the split network points to the VPN adapter.
01-23-2015 07:24 AM
But there should be a way to force all traffic through the tunnel, including DNS queries.
If I do any kind of check on what my external IP is, it should be that of the ASA outside interface.
Or am I incorrect in this assumption?
01-24-2015 12:27 AM
Hi Michael,
When you don't configure split tunnel, route print will show two default routes:
The first points to your physical adapter and the default GW configured on your adapter, but has a higher metric.
The second points to the VPN adapter interface and its default gateway (one of the IP addresses from the pool, which it assumes as the inside address of the ASA) with a lower metric. So it will be the only one used when split tunnel is not configured.
When you configure split tunnel, you will get only one default route, which will point to your physical adapter, whereas the ASA inside address space (split tunnel subnet) will be reachable via the VPN adapter.
Hope it will clear the doubt. Attached is the route print for the above scenario.
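The route selection described in the two replies above (full tunnel versus split tunnel), as an added example that is not part of the thread and not the AnyConnect client's or Windows' own code: a Python model of a "route print" table that picks a route by longest matching prefix and then lowest metric, built once for each mode. The split-tunnel network 10.1.1.0/24 and the DNS server 8.8.4.4 come from the posted configuration; the metrics, the adapter labels and the client's home LAN 192.168.1.0/24 are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the client routing table. Illustrative code written for
# this thread, not the AnyConnect client or Windows; metrics and the client's
# home LAN are assumed values.


@dataclass(frozen=True)
class Route:
    prefix: str       # destination network, as "route print" shows it
    interface: str    # "physical" or "anyconnect"
    metric: int       # lower wins among equally specific routes


def select_route(table, dst_ip):
    """Pick the route for dst_ip: longest matching prefix, then lowest metric."""
    dst = ip_address(dst_ip)
    candidates = [r for r in table if dst in ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ip_network(r.prefix).prefixlen, r.metric))


def route_table(split_tunnel):
    """The client routing table for the two modes the reply describes."""
    table = [
        Route("0.0.0.0/0", "physical", 25),        # default via the physical adapter
        Route("192.168.1.0/24", "physical", 281),  # client's own LAN (assumed)
    ]
    if split_tunnel:
        # only the split-tunnel network (the ASA inside subnet) uses the VPN adapter
        table.append(Route("10.1.1.0/24", "anyconnect", 2))
    else:
        # full tunnel: a second default route via the VPN adapter with a lower metric
        table.append(Route("0.0.0.0/0", "anyconnect", 2))
    return table


def egress(split_tunnel, dst_ip):
    """Which adapter a packet to dst_ip leaves through in the given mode."""
    route = select_route(route_table(split_tunnel), dst_ip)
    return route.interface if route else None


if __name__ == "__main__":
    for mode in (False, True):
        for dst in ("8.8.4.4", "10.1.1.1"):
            print("split" if mode else "full ", dst, "->", egress(mode, dst))
```

In full-tunnel mode the query to 8.8.4.4 leaves through the VPN adapter, which is why DNS times out in the posted nslookup: the ASA then has to forward that packet back out its outside interface. In split-tunnel mode only 10.1.1.0/24 takes the VPN adapter and everything else, DNS included, uses the physical adapter. Forcing all traffic through the tunnel, as asked above, only works for Internet destinations if the ASA is allowed to send that traffic back out the interface it arrived on (same-security-traffic permit intra-interface plus a NAT rule for the pool on the outside interface), which the posted configuration does not contain.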
01-23-2015 06:41 AM
Hi Michael,
Thanks for rating the post.
Please mark the answer as correct, if it resolved your issue, so that it can be helpful for others also.
04-24-2015 01:00 AM
Good Day everyone,
I have a similar problem too: I have AnyConnect (SMC 4.0.00051) VPN to ASA 9.2(3)4.
Now I see zero received bytes in the AnyConnect SMC, but # sh vpn-sessiondb anyconnect shows:
Assigned IP : 10.199.99.10 Public IP : X.X.X.X
Protocol : IKEv2 IPsecOverNatT AnyConnect-Parent
License : AnyConnect Premium
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES256 AnyConnect-Parent: (1)none
Hashing : IKEv2: (1)SHA1 IPsecOverNatT: (1)SHA1 AnyConnect-Parent: (1)none
Bytes Tx : 55719 Bytes Rx : 371564
I don't see any dropped packets related to AnyConnect in the asp-drop all capture type. If I ping from the AnyConnect SMC host to a host behind the inside interface, I see these packets and the reply packet to the ASA in the trace.
In ASA's route table I see static route to AnyConnect host:
S 10.199.99.10 255.255.255.255 [1/0] via my.default.gateway.1, outside
I checked the NAT statements, but as I understand it, they look correct:
# sh nat detail
Manual NAT Policies (Section 1)
...
...
12 (inside) to (outside) source static localnet localnet destination static remote_ikev2 remote_ikev2
translate_hits = 118, untranslate_hits = 118
Source - Origin: 192.168.70.0/24, Translated: 192.168.70.0/24
Destination - Origin: 10.199.99.0/24, Translated: 10.199.99.0/24
Auto NAT Policies (Section 2)
...
...
6 (inside) to (outside) source dynamic obj_any interface
translate_hits = 9636, untranslate_hits = 2695
Source - Origin: 0.0.0.0/0, Translated: my.outside.interface.IP/21
So, why don't I see any incoming bytes, only control frames?