Cisco AnyConnect VPN Client 2.5 - no internet access while connected

captainakif
Level 1

Hello there,

I have installed Cisco AnyConnect VPN Client 2.5 and log in successfully, but after the VPN connects I get no internet connectivity and can't browse anything. I have searched for a solution online but didn't find one that a newbie like me could understand. Please help me in this regard. Your help will be really appreciated. Thanks

11 Replies

kssinha
Level 1

Hi Muhammad,

When you connect to the ASA using the AnyConnect client, the tunnel group you connect to must have a group policy bound to it. If that group policy has tunnelall specified, all traffic, even internet traffic, passes through the AnyConnect adapter.

So either you need to specify split tunnelling in the group policy, i.e. only allow the traffic destined for your internal LAN to go through the VPN adapter,

or you can enable U-turning for AnyConnect clients, i.e. PAT the AnyConnect clients' pool to the outside interface IP of the ASA (which is a public IP address and hence routable on the internet).

HTH

captainakif
Level 1

Thanks for your quick response.
The server I'm using is
https://ra1.apu.ac.jp

Can you explain to me step by step how to specify that group tunnelling thing?
By the way, in the AnyConnect VPN client I do not see many options or menus to play with.
Thanks.


Sent from Cisco Technical Support iPhone App

I believe you are connecting to the DefaultWEBVPNGroup; the group policy assigned to that is the default group policy, which has tunnelall specified by default, unless you have changed it to split tunnel.

You can use the following command to check which tunnel group you are connected to and what group policy you are getting assigned,

show vpn-sessiondb detail anyconnect

The above command shows all the users connected via AnyConnect; you can filter it by adding "filter name" followed by the username at the end of the command.

Check which tunnel group you are connecting to and what group policy is getting pushed.

Whichever is the group policy getting pushed you can modify it to use split tunneling.

If you need help doing it you can provide me your running configuration and I can look into it for you.

Cisco AnyConnect VPN Client, login successfully but after the successful connection of VPN I get no internet connectivity, can't browse anything.

Yes, I need your help to resolve this: Cisco AnyConnect VPN Client 2.5, login successfully but after the successful connection of VPN I get no internet connectivity, can't browse anything.

Date October 15, 2015.


Mohammad Rahman
Level 1

I have the same issue: after connecting through Cisco AnyConnect VPN my internet does not work, meaning it blocks me from browsing any website. Please see my configuration.

sh run
: Saved
:
ASA Version 8.4(1) 
!
hostname LTSNuxiba1
enable password iDvxngLADGG/OBbM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.200.185.0 windebt-vpn description VPN Pool
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network obj-192.168.1.0 
 subnet 192.168.1.0 255.255.255.0
object network windebt-vpn 
 subnet 10.200.185.0 255.255.255.0
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.200.186.0_24 
 subnet 10.200.186.0 255.255.255.0
 
object service JiraWeb 
 service tcp source eq 8080 destination eq 8080 
object network obj-192.168.1.247 
 host 192.168.1.247
object network NETWORK_OBJ_192.168.1.0_24 
 subnet 192.168.1.0 255.255.255.0
object-group service rdp tcp
 description Remote Desktop
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service sip-group udp
 description CW SIP Grouping
 port-object range sip 5065
 port-object range 10000 60000
object-group service centerware
 description Centerware Ports
 service-object tcp-udp destination eq 9100 
 service-object tcp-udp destination eq 9112 
 service-object tcp-udp destination eq 9201 
 service-object tcp-udp destination eq 9300 
 service-object tcp-udp destination eq sip 
 service-object tcp-udp destination range 10000 60000 
 service-object tcp-udp destination range sip 5065 
object-group service Port8080 tcp
 port-object eq 8080
object-group service sip_tcp_udp tcp-udp
 port-object range sip 5065
access-list Nuxiba_splitTunnelAcl standard permit host 192.168.1.247 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object windebt-vpn 
access-list outside_access_in extended permit ip any host 192.168.1.247 
access-list outside_access_in extended permit tcp any host 192.168.1.247 object-group rdp 
access-list outside_access_in extended permit tcp any host 192.168.1.247 object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit object-group centerware any host 192.168.1.247 
access-list outside_access_in extended permit udp host x.x.x.x host 192.168.1.247 object-group sip-group 
access-list outside_access_in extended permit udp any host 192.168.1.247 object-group sip-group 
access-list from_outside extended permit icmp any any echo 
access-list VPNClient remark The Corporate network behind the Firewall
access-list VPNClient standard permit 192.168.1.0 255.255.255.0 
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip local pool PoolVPN 192.168.1.10-192.168.1.254 mask 255.255.255.0
ip local pool rvpnpool 10.200.186.10-10.200.186.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static NETWORK_OBJ_10.200.186.0_24 NETWORK_OBJ_10.200.186.0_24
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-192.168.1.247
 nat (inside,outside) static x.x.x.x
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x. 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 inside
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 outside
http 192.168.1.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn x.x.x.x
 subject-name CN=ElevateRecoveries
 keypair plano.key
 crl configure
crypto ca certificate chain localtrust
 certificate ce2d2653
    308201ed 30820156 a0030201 020204ce 2d265330 0d06092a 864886f7 0d010105 
    0500303b 311a3018 06035504 03131145 6c657661 74655265 636f7665 72696573 
    311d301b 06092a86 4886f70d 01090216 0e313733 2e35372e 3231372e 31313430 
    1e170d31 34303332 37303732 3030365a 170d3234 30333234 30373230 30365a30 
    3b311a30 18060355 04031311 456c6576 61746552 65636f76 65726965 73311d30 
    1b06092a 864886f7 0d010902 160e3137 332e3537 2e323137 2e313134 30819f30 
    0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00de171a 65def07e 
    00f59366 397ae791 ec6e881f 2ceec53a f420e389 0522f29c 9f7ff70a 355d6c2b 
    f0d78176 5000b147 144b46be 9a1fb6d0 114b0506 2902c1ac eb142e31 190ba58b 
    5b60e4bf e4ecbeaa 8c13357c f7e3a740 88f8094f c97b7960 5ab31a19 fccfd8ef 
    2df9d023 f2a0c035 c92684cd 520bbc72 6bfc6210 e6268b01 5b020301 0001300d 
    06092a86 4886f70d 01010505 00038181 00032cc5 8cc62e0e 35f387fe 6b3cb855 
    3af3dc67 25c95c39 c02265f2 90945127 9c13c047 1e87c617 f9ed5b8d 67cb62c2 
    e53e891f 32cf69e3 93228cd2 0f9755da 7f61a5ea 91106598 63a95481 c32f339c 
    a9a386b1 2ce81e3f 28aea339 17b28601 2bd681f8 aa91f62f 68441b7b d1636ba6 
    4cd9f183 00765f6a 4d894541 a965e2b0 f8
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint localtrust
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet x.x.x.x 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 4.2.2.2
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles Elevate_VPN_client_profile disk0:/Elevate_VPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 50
 vpn-idle-timeout none
group-policy "GroupPolicy_Elevate VPN" internal
group-policy "GroupPolicy_Elevate VPN" attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client 
 default-domain none
 webvpn
  anyconnect profiles value Elevate_VPN_client_profile type user
group-policy ElevateVPN internal
group-policy ElevateVPN attributes
 dns-server value 8.8.8.8 4.2.2.1
 vpn-tunnel-protocol ikev1 
group-policy ClientVPN internal
group-policy ClientVPN attributes
 dns-server value 8.8.8.8 4.4.2.2
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNClient
username XXXX password eKmsHjyx01vfusvs encrypted privilege 15
username XXXX password Q7xzbbkSUa94JqP4 encrypted privilege 0
username VPNUser attributes
 vpn-group-policy ElevateVPN
username XXXX password wpxbqWbAP6ZX1DVn encrypted privilege 15
username XXXX password onUufcgkROfAmULA encrypted privilege 0
username XXXX attributes
 vpn-group-policy ClientVPN
username XXXX password 8lbb/JfZA5yN1fvU encrypted privilege 15
username XXXXX password eWhyEuuBMVZc0Gg0 encrypted privilege 15
tunnel-group ElevateVPN type remote-access
tunnel-group ElevateVPN general-attributes
 address-pool PoolVPN
 default-group-policy ElevateVPN
tunnel-group ElevateVPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group ClientVPN type remote-access
tunnel-group ClientVPN general-attributes
 address-pool PoolVPN
 default-group-policy ClientVPN
tunnel-group ClientVPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group "Elevate VPN" type remote-access
tunnel-group "Elevate VPN" general-attributes
 address-pool PoolVPN
 default-group-policy "GroupPolicy_Elevate VPN"
tunnel-group "Elevate VPN" webvpn-attributes
 group-alias "Elevate VPN" enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect sip  
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0b4ba26248dd095227dd7541a37c033f
: end

LTSNuxiba1# 

Which connection profile (tunnel-group) are you using when you connect?

Hi Mohammad,

First of all, I would not recommend using a VPN pool in the same range as the internal network.
It could work, but it is just confusing to configure and troubleshoot.
You could use the other vpnpool you configured: rvpnpool
Configuration to change the vpnpool:
tunnel-group ElevateVPN general-attributes
address-pool rvpnpool
tunnel-group ClientVPN general-attributes
address-pool rvpnpool
tunnel-group "Elevate VPN" general-attributes
address-pool rvpnpool

 

With this configuration ClientVPN should work and be able to access the internet directly and the 192.168.1.0/24 network over the VPN.
You can verify that the split tunnel is configured correctly on the AnyConnect client in the Route Details tab after you connect.
You should have 0.0.0.0/0 as the non-secured route and 192.168.1.0/24 as the secured route.
For the other two tunnel groups you can apply the split tunnel with the following config:
group-policy "GroupPolicy_Elevate VPN" attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNClient
group-policy ElevateVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNClient

You already have identity NAT configured: nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static NETWORK_OBJ_10.200.186.0_24 NETWORK_OBJ_10.200.186.0_24, so no additional NAT config should be required.

 

In the group-policy ClientVPN the DNS server should be 4.2.2.2 instead of 4.4.2.2,
but I would use the two Google DNS servers, 8.8.8.8 and 8.8.4.4, instead of the Level 3 DNS.
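The checks walked through in kssinha's explanation and in the reply above can be scripted. The Python below is an added example, not code from this thread or from Cisco: it takes a constructed excerpt modelled on the posted running-config, follows each tunnel-group to its default group-policy and split-tunnel-policy, flags policies that fall back to the ASA default of tunnelall (the cause of the symptom in this thread), checks whether the address pool overlaps the inside subnet, and emits the two fixes discussed, the split-tunnel lines or the U-turn (hairpin) NAT for full-tunnel clients. The emitted ASA lines use 8.3+ syntax; the object name VPN_POOL and the excerpt itself are assumptions, and the output is a starting point to review against the real config, not something to paste blindly.

```python
"""Audit an ASA running-config for the 'no internet over AnyConnect' symptom."""
import ipaddress
import shlex

# Constructed excerpt modelled on the running-config posted above; not the full dump.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
ip local pool PoolVPN 192.168.1.10-192.168.1.254 mask 255.255.255.0
ip local pool rvpnpool 10.200.186.10-10.200.186.250 mask 255.255.255.0
access-list VPNClient standard permit 192.168.1.0 255.255.255.0
group-policy "GroupPolicy_Elevate VPN" internal
group-policy "GroupPolicy_Elevate VPN" attributes
 vpn-tunnel-protocol ikev2 ssl-client
group-policy ClientVPN internal
group-policy ClientVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNClient
tunnel-group "Elevate VPN" type remote-access
tunnel-group "Elevate VPN" general-attributes
 address-pool PoolVPN
 default-group-policy "GroupPolicy_Elevate VPN"
tunnel-group ClientVPN type remote-access
tunnel-group ClientVPN general-attributes
 address-pool rvpnpool
 default-group-policy ClientVPN
"""


def parse_blocks(text):
    """Group config lines into (header_tokens, [child_tokens]) blocks.
    A non-indented line opens a block; indented lines belong to the last one."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw[0] in "!:":
            continue
        tokens = shlex.split(raw)  # handles quoted names such as "Elevate VPN"
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(tokens)
        else:
            blocks.append((tokens, []))
    return blocks


def audit(config_text):
    """Return per-tunnel-group findings relevant to internet reachability."""
    inside, pools, policies, tgroups = None, {}, {}, {}
    for head, body in parse_blocks(config_text):
        if head[0] == "interface":
            nameif = next((c[1] for c in body if c[0] == "nameif"), None)
            addr = next((c for c in body if c[:2] == ["ip", "address"]), None)
            if nameif == "inside" and addr:
                inside = ipaddress.ip_network(f"{addr[2]}/{addr[3]}", strict=False)
        elif head[:3] == ["ip", "local", "pool"]:
            first, last = head[4].split("-")
            mask = head[head.index("mask") + 1] if "mask" in head else "255.255.255.255"
            pools[head[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last),
                              ipaddress.ip_network(f"{first}/{mask}", strict=False))
        elif head[0] == "group-policy" and head[-1] == "attributes":
            pol = policies.setdefault(head[1], {"split": "tunnelall", "acl": None})
            for c in body:
                if c[0] == "split-tunnel-policy":
                    pol["split"] = c[1]
                elif c[0] == "split-tunnel-network-list":
                    pol["acl"] = c[-1]
        elif head[0] == "tunnel-group" and head[-1] == "general-attributes":
            tg = tgroups.setdefault(head[1], {"policy": "DfltGrpPolicy", "pool": None})
            for c in body:
                if c[0] == "address-pool":
                    tg["pool"] = c[1]
                elif c[0] == "default-group-policy":
                    tg["policy"] = c[1]
    findings = {}
    for name, tg in tgroups.items():
        # A group policy with no split-tunnel-policy inherits the ASA default: tunnelall.
        pol = policies.get(tg["policy"], {"split": "tunnelall", "acl": None})
        lo, hi, net = pools.get(tg["pool"], (None, None, None))
        overlap = inside is not None and lo is not None and (lo in inside or hi in inside)
        findings[name] = {
            "group_policy": tg["policy"],
            "split_tunnel_policy": pol["split"],
            "split_tunnel_acl": pol["acl"],
            "pool": tg["pool"],
            "pool_network": str(net) if net else None,
            "pool_overlaps_inside": bool(overlap),
            "internet_via_vpn": pol["split"] == "tunnelall",
        }
    return findings


def _q(name):
    """Quote an ASA object name containing spaces, as the CLI shows it."""
    return f'"{name}"' if " " in name else name


def split_tunnel_fix(policy_name, acl_name):
    """Config lines that tunnel only the networks in acl_name (an ASA standard ACL)."""
    return [f"group-policy {_q(policy_name)} attributes",
            " split-tunnel-policy tunnelspecified",
            f" split-tunnel-network-list value {acl_name}"]


def uturn_fix(pool_network, object_name="VPN_POOL"):
    """Config lines to hairpin full-tunnel clients back out the outside interface,
    PATed to its IP (ASA 8.3+ object NAT). object_name is an assumed, illustrative name."""
    net = ipaddress.ip_network(pool_network)
    return ["same-security-traffic permit intra-interface",
            f"object network {object_name}",
            f" subnet {net.network_address} {net.netmask}",
            " nat (outside,outside) dynamic interface"]


if __name__ == "__main__":
    for tg, f in audit(SAMPLE_CONFIG).items():
        print(f"tunnel-group {tg}: policy={f['group_policy']} split={f['split_tunnel_policy']} "
              f"pool={f['pool']} overlaps_inside={f['pool_overlaps_inside']}")
        if f["internet_via_vpn"]:
            print("  option A, split tunnel:\n   " + "\n   ".join(split_tunnel_fix(f["group_policy"], "VPNClient")))
            print("  option B, U-turn:\n   " + "\n   ".join(uturn_fix(f["pool_network"])))
```

Run against the real `show running-config` output and the audit reports, for the posted config, that "Elevate VPN" lands on a tunnelall policy with a pool inside 192.168.1.0/24, while ClientVPN already split-tunnels via the VPNClient ACL. Whichever fix you pick, confirm it afterwards with `show vpn-sessiondb detail anyconnect` and the client's Route Details tab, as the replies above describe.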

vinayjaiswal
Level 3

Did you find the solution ?

Just in case anyone has the same issue:

This happens because all traffic (IPsec, SSL, L2TP, you name it) is being tunnelled through the VPN.

You have to let the ASA (router) know that you only want your internal LAN traffic to be tunnelled; that way the router will pick only the correct traffic.

Here is how to do it on ASDM 7.4 (see the attached screenshot, vpn fix for internet access.jpg).

You have to have an ACL pointing to your internal network; in my case it is Split_Tunnel_List = internal LAN (172.16.10.0/24).

Hope this clears it up.

 
