Cisco Anyconnect VPN 9.8.3 - No Internet Connection

I need assistance with AnyConnect VPN for remote users. I'm able to connect to the internal services by creating a NAT exception "Static". But traffic destined to the internet is getting blocked at phase either 3 or 4, depending on the changes I've made.

 

I've created dynamic NATing from any,outside for the AnyConnect traffic and nothing. Also, whitelisted the subnet on the outside interface and nothing.

 

Cloud --> ASA/AnyConnect ---> DMZ & LAN   "this piece works"

Cloud --> ASA/AnyConnect

 cloud/internet     <--  |  "doesn't work"

 

nat (LAN,OUTSITE) source static NAT_SRX_Anyconnect NAT_SRX_Anyconnect destination static NAT_Anyconnect NAT_Anyconnect
nat (DMZ,OUTSITE) source static NAT_SYNO_Anyconnect NAT_SYNO_Anyconnect destination static NAT_Anyconnect NAT_Anyconnect

 

webvpn
port 444
enable OUTSITE
dtls port 444

 

group-policy GroupPolicy_Dgonit internal
group-policy GroupPolicy_Dgonit attributes
banner value Authorized users only
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
default-domain value dgonit.com
split-tunnel-all-dns enable
webvpn
anyconnect mtu 1406
Users are able to connect just fine, but when attempting to go to the internet, no luck. As of now I've created a proxy server for them to be able to connect. Any thoughts?

 

packet-tracer input OUTSITE tcp 192.168.102.1 443 8.8.8.8 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 74.96.178.1 using egress ifc OUTSITE

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.102.1 using egress ifc OUTSITE

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSITE
input-status: up
input-line-status: up
output-interface: OUTSITE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

access-list OUTSIDE_access_in extended permit ip object Anyconnect_Subnet any log

Accepted Solution

Martin Carr
Level 4

For TA you require a NAT rule for OUTSIDE,OUTSIDE to translate (i.e. overload) to your public address.

 

You also need to confirm you have configured the tunnel correctly (i.e. not ST) so all traffic is routed across it.

 

That ACE is not required (and moreover is in the wrong direction); it depends on your build, but typically on the ASA an option is enabled which ignores ACLs. Access is restricted by "filters" which are applied to the tunnel group-policy (not an interface).

 

Martin
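The configuration below puts Martin's three points (OUTSIDE,OUTSIDE overload NAT, tunnel-all, group-policy filter instead of an interface ACE) into ASA CLI form. It is an added example, not configuration from the original post or from Cisco. The interface name OUTSITE (as the ASA in the question actually names it; the reply spells it OUTSIDE), the object name Anyconnect_Subnet and the group policy GroupPolicy_Dgonit are taken from the question; the 192.168.102.0/24 pool is an assumption, since only the single client address 192.168.102.1 appears in the packet-tracer; the ACL name ANYCONNECT_FILTER is hypothetical. The `same-security-traffic` line is not mentioned in the reply but is required on an ASA for any flow that enters and leaves the same interface, which is exactly what the packet-tracer shows (input-interface and output-interface are both OUTSITE).

```cisco
! Hairpin (u-turn) traffic enters and leaves the same interface, so the ASA
! must explicitly allow intra-interface traffic. Without this the flow is
! dropped before any NAT rule is considered.
same-security-traffic permit intra-interface

! Object for the AnyConnect address pool. The /24 is an assumption; the
! question only shows the single client address 192.168.102.1.
object network Anyconnect_Subnet
 subnet 192.168.102.0 255.255.255.0

! Point 1: OUTSIDE,OUTSIDE NAT that overloads (PAT) VPN client traffic to the
! public address of the OUTSITE interface. "after-auto" puts the rule in
! section 3, after the existing identity (static) rules for LAN and DMZ, so it
! cannot shadow them; the existing LAN/DMZ rules keep handling internal access.
nat (OUTSITE,OUTSITE) after-auto source dynamic Anyconnect_Subnet interface

! Point 2: tunnel-all, so the client sends Internet-bound traffic through the
! ASA instead of its local gateway. The question's group policy shows only
! split-tunnel-all-dns, not the split-tunnel policy itself; with split
! tunnelling enabled the Internet traffic would never reach the ASA at all.
group-policy GroupPolicy_Dgonit attributes
 split-tunnel-policy tunnelall
 ! Point 3: restrict VPN users here, not with an interface ACE.
 vpn-filter value ANYCONNECT_FILTER

! vpn-filter ACEs are written with the remote side (the VPN client pool) as
! the source. This one permits everything so the hairpin test is not masked
! by the filter; tighten it to the destinations the users actually need.
access-list ANYCONNECT_FILTER extended permit ip object Anyconnect_Subnet any

! The "option which ignores ACLs" in the reply: decrypted VPN traffic bypasses
! interface access-groups when this is enabled (it is the ASA default, so it
! does not appear in "show running-config" unless it was turned off). With it
! enabled, the OUTSIDE_access_in ACE from the question is simply never
! consulted and can be removed.
sysopt connection permit-vpn
```

To confirm the default is still in effect, `show running-config all sysopt` lists `sysopt connection permit-vpn` explicitly. After applying the above, rerun the packet-tracer from the question (`packet-tracer input OUTSITE tcp 192.168.102.1 443 8.8.8.8 443`); the NAT phase should now show the new OUTSITE,OUTSITE rule and the final action should be allow, and `show nat` should show the rule's translate_hits increasing as clients browse.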

