05-11-2019 12:41 AM
I need assistance with AnyConnect VPN for remote users. I'm able to connect to the internal services by creating a NAT exemption ("static"). But traffic destined to the internet is getting blocked by phase either 3 or 4 depending on the changes I've made.
I've created dynamic NATing from any,outside for the AnyConnect traffic and nothing. Also, whitelisted the subnet on the outside interface and nothing.
Cloud --> ASA/Anyconnect ---> DMZ & LAN          "this piece works"
Cloud --> ASA/Anyconnect
cloud/internet <-- |                             "doesn't work"
nat (LAN,OUTSITE) source static NAT_SRX_Anyconnect NAT_SRX_Anyconnect destination static NAT_Anyconnect NAT_Anyconnect
nat (DMZ,OUTSITE) source static NAT_SYNO_Anyconnect NAT_SYNO_Anyconnect destination static NAT_Anyconnect NAT_Anyconnect
webvpn
port 444
enable OUTSITE
dtls port 444
group-policy GroupPolicy_Dgonit internal
group-policy GroupPolicy_Dgonit attributes
banner value Authorized users only
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
default-domain value dgonit.com
split-tunnel-all-dns enable
webvpn
anyconnect mtu 1406
Users are able to connect just fine, but when attempting to go to the internet... no luck. As of now I've created a proxy server for them to be able to connect. Any thoughts?
packet-tracer input OUTSITE tcp 192.168.102.1 443 8.8.8.8 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 74.96.178.1 using egress ifc OUTSITE
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.102.1 using egress ifc OUTSITE
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: OUTSITE
input-status: up
input-line-status: up
output-interface: OUTSITE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
access-list OUTSIDE_access_in extended permit ip object Anyconnect_Subnet any log
05-11-2019 03:18 AM
For TA you require a NAT rule for OUTSIDE,OUTSIDE to translate (i.e. overload) to your public address.
You also need to confirm you have configured the tunnel correctly (i.e. not ST) so all traffic is routed across it.
That ACE is not required (and moreover is in the wrong direction); it depends on your build, but typically on the ASA an option is enabled which ignores ACLs. Access is restricted by "filters" which are applied to the tunnel group-policy (not an interface).
Martin
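The configuration below is an added example (not posted by either participant) that implements the tunnel-all ("TA") case Martin describes, using the names that appear in the question: the interface OUTSITE, the group-policy GroupPolicy_Dgonit, and the object Anyconnect_Subnet, which the question's ACL references and which is assumed here to already be defined as the AnyConnect pool. It also explains the acl-drop in the question's packet-tracer: both the input and output interface are OUTSITE, so what is missing is the same-interface (hairpin) NAT and the permit for intra-interface traffic, not an inbound ACE.

```cisco
! Added example, not from the thread. Assumes object Anyconnect_Subnet (the
! AnyConnect address pool) is already defined and that OUTSITE is the internet
! facing interface, as in the question.
!
! 1. Allow a flow to enter and leave the same interface. Without this the
!    packet-tracer in the question (input OUTSITE, output OUTSITE) is dropped.
same-security-traffic permit intra-interface
!
! 2. Hairpin PAT: VPN client traffic arriving on OUTSITE and leaving via OUTSITE
!    is overloaded to the OUTSITE interface address (Martin's OUTSIDE,OUTSIDE rule).
!    after-auto places it in section 3, so the existing identity (NAT exemption)
!    rules for LAN and DMZ in the question still match first for internal traffic.
nat (OUTSITE,OUTSITE) after-auto source dynamic Anyconnect_Subnet interface
!
! 3. Tunnel-all: no split tunnelling, so clients route internet traffic across
!    the VPN rather than out their local connection.
group-policy GroupPolicy_Dgonit attributes
 split-tunnel-policy tunnelall
!
! 4. This is the ASA default that makes VPN traffic bypass interface ACLs, which
!    is why the OUTSIDE_access_in ACE in the question is not needed. To restrict
!    what clients may reach, attach a vpn-filter ACL to the group-policy instead.
sysopt connection permit-vpn
!
! Verification (same command as in the question): phase 4 should now show a
! NAT hit on OUTSITE,OUTSITE and the final action should be allow.
! packet-tracer input OUTSITE tcp 192.168.102.1 443 8.8.8.8 443
```

The order matters: if the hairpin PAT were placed above the LAN/DMZ identity rules, traffic from the VPN pool to internal hosts would be translated to the outside address and the "this piece works" path would break, so keep the dynamic rule after the static exemptions.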