07-11-2013 12:12 PM - edited 02-21-2020 07:01 PM
Hello there,
I have installed Cisco AnyConnect VPN Client 2.5 and log in successfully, but after the successful VPN connection I get no internet connectivity and can't browse anything. I have searched for a solution online but didn't find any that could be understood by a newbie like me. Please help me in this regard. Your help will be really appreciated. Thanks
07-11-2013 12:21 PM
Hi Muhammad,
When you connect to the ASA using the AnyConnect client, the tunnel group you connect to must have a group policy bound to it; if that group policy has tunnelall specified, that means all the traffic, even the internet traffic, would pass through the AnyConnect adapter.
So, either you need to specify split tunnelling in the group-policy, i.e., only allow the traffic that is destined for your internal LAN to go through the VPN adapter.
Or, you can enable U-turning for AnyConnect clients, i.e., PAT the AnyConnect client's pool to the outside interface IP of the ASA (which would be a public IP address and hence routable on the internet).
HTH
07-11-2013 12:30 PM
Thanks for your quick response.
The server I'm using is
https://ra1.apu.ac.jp
Can you explain to me step by step how to specify that group tunnelling thing?
By the way, in the AnyConnect VPN client I do not see many options or menus to play with.
Thanks.
Sent from Cisco Technical Support iPhone App
07-11-2013 12:36 PM
I believe you are connecting to the DefaultWEBVPNGroup; the group policy assigned to that is the default group policy, which has tunnelall specified by default, unless you have changed that to split tunnel.
You can use the following command to check which tunnel group you are connected to and what group policy you are getting assigned:
show vpn-sessiondb detail anyconnect
The above command will show you all the users connected via AnyConnect; you can filter it by using "filter name " at the end of the command.
Check which tunnel group you are connecting to and what group policy is getting pushed.
Whichever group policy is getting pushed, you can modify it to use split tunneling.
If you need help doing it you can provide me your running configuration and I can look into it for you.
10-14-2015 09:02 PM
Cisco AnyConnect VPN Client: login successfully, but after the successful VPN connection I get no internet connectivity and can't browse anything.
Path.
10-14-2015 09:07 PM
Yes, I need your help to resolve this: Cisco AnyConnect VPN Client 2.5, login successfully, but after the successful VPN connection I get no internet connectivity and can't browse anything.
Path.
Date October 15, 2015.
03-27-2014 02:37 PM
I have the same issue: after connecting through Cisco AnyConnect VPN my Internet does not work, meaning it blocks me from browsing any website. Please see my configuration.
sh run
: Saved
:
ASA Version 8.4(1)
!
hostname LTSNuxiba1
enable password iDvxngLADGG/OBbM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.200.185.0 windebt-vpn description VPN Pool
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network windebt-vpn
subnet 10.200.185.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.200.186.0_24
subnet 10.200.186.0 255.255.255.0
object service JiraWeb
service tcp source eq 8080 destination eq 8080
object network obj-192.168.1.247
host 192.168.1.247
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group service rdp tcp
description Remote Desktop
port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service sip-group udp
description CW SIP Grouping
port-object range sip 5065
port-object range 10000 60000
object-group service centerware
description Centerware Ports
service-object tcp-udp destination eq 9100
service-object tcp-udp destination eq 9112
service-object tcp-udp destination eq 9201
service-object tcp-udp destination eq 9300
service-object tcp-udp destination eq sip
service-object tcp-udp destination range 10000 60000
service-object tcp-udp destination range sip 5065
object-group service Port8080 tcp
port-object eq 8080
object-group service sip_tcp_udp tcp-udp
port-object range sip 5065
access-list Nuxiba_splitTunnelAcl standard permit host 192.168.1.247
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object windebt-vpn
access-list outside_access_in extended permit ip any host 192.168.1.247
access-list outside_access_in extended permit tcp any host 192.168.1.247 object-group rdp
access-list outside_access_in extended permit tcp any host 192.168.1.247 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object-group centerware any host 192.168.1.247
access-list outside_access_in extended permit udp host x.x.x.x host 192.168.1.247 object-group sip-group
access-list outside_access_in extended permit udp any host 192.168.1.247 object-group sip-group
access-list from_outside extended permit icmp any any echo
access-list VPNClient remark The Corporate network behind the Firewall
access-list VPNClient standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip local pool PoolVPN 192.168.1.10-192.168.1.254 mask 255.255.255.0
ip local pool rvpnpool 10.200.186.10-10.200.186.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static NETWORK_OBJ_10.200.186.0_24 NETWORK_OBJ_10.200.186.0_24
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj-192.168.1.247
nat (inside,outside) static x.x.x.x
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x. 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 inside
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 outside
http 192.168.1.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
enrollment self
fqdn x.x.x.x
subject-name CN=ElevateRecoveries
keypair plano.key
crl configure
crypto ca certificate chain localtrust
certificate ce2d2653
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint localtrust
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet x.x.x.x 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 4.2.2.2
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles Elevate_VPN_client_profile disk0:/Elevate_VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 50
vpn-idle-timeout none
group-policy "GroupPolicy_Elevate VPN" internal
group-policy "GroupPolicy_Elevate VPN" attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
default-domain none
webvpn
anyconnect profiles value Elevate_VPN_client_profile type user
group-policy ElevateVPN internal
group-policy ElevateVPN attributes
dns-server value 8.8.8.8 4.2.2.1
vpn-tunnel-protocol ikev1
group-policy ClientVPN internal
group-policy ClientVPN attributes
dns-server value 8.8.8.8 4.4.2.2
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNClient
username XXXX password eKmsHjyx01vfusvs encrypted privilege 15
username XXXX password Q7xzbbkSUa94JqP4 encrypted privilege 0
username VPNUser attributes
vpn-group-policy ElevateVPN
username XXXX password wpxbqWbAP6ZX1DVn encrypted privilege 15
username XXXX password onUufcgkROfAmULA encrypted privilege 0
username XXXX attributes
vpn-group-policy ClientVPN
username XXXX password 8lbb/JfZA5yN1fvU encrypted privilege 15
username XXXXX password eWhyEuuBMVZc0Gg0 encrypted privilege 15
tunnel-group ElevateVPN type remote-access
tunnel-group ElevateVPN general-attributes
address-pool PoolVPN
default-group-policy ElevateVPN
tunnel-group ElevateVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group ClientVPN type remote-access
tunnel-group ClientVPN general-attributes
address-pool PoolVPN
default-group-policy ClientVPN
tunnel-group ClientVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group "Elevate VPN" type remote-access
tunnel-group "Elevate VPN" general-attributes
address-pool PoolVPN
default-group-policy "GroupPolicy_Elevate VPN"
tunnel-group "Elevate VPN" webvpn-attributes
group-alias "Elevate VPN" enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect sip
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0b4ba26248dd095227dd7541a37c033f
: end
LTSNuxiba1#
03-27-2014 03:40 PM
Which connection profile (tunnel-group) are you using when you connect?
11-08-2017 04:08 AM
Hi Mohammad,
First of all, I would not recommend using a VPN pool in the same range as the internal network.
It could work, but it is just confusing to configure and troubleshoot.
You could use the other VPN pool you configured: rvpnpool
Configuration to change the VPN pool:
tunnel-group ElevateVPN general-attributes
address-pool rvpnpool
tunnel-group ClientVPN general-attributes
address-pool rvpnpool
tunnel-group "Elevate VPN" general-attributes
address-pool rvpnpool
With this configuration the ClientVPN should work and be able to access the internet directly and the 192.168.1.0/24 network over the VPN.
You can verify that the split tunnel is configured correctly on the AnyConnect client in the Route Details tab after you connect.
You should have 0.0.0.0/0 as non-secured routes and 192.168.1.0/24 as secured routes.
For the other two tunnels you can apply the split tunnel with the following config:
group-policy "GroupPolicy_Elevate VPN" attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNClient
group-policy ElevateVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNClient
You already have an identity NAT configured (nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static NETWORK_OBJ_10.200.186.0_24 NETWORK_OBJ_10.200.186.0_24), so no additional NAT config should be required.
In the group-policy ClientVPN the DNS server should be 4.2.2.2 instead of 4.4.2.2, but I would use the two Google DNS servers, 8.8.8.8 and 8.8.4.4, instead of the Level 3 DNS.
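An added script (not from this thread or from Cisco) that performs the two checks this answer walks through over an ASA running config: which group-policy each tunnel-group pushes and whether it has split-tunnel-policy tunnelspecified, and whether the tunnel-group's address pool overlaps the inside subnet. The embedded config excerpt is constructed to mirror the one pasted earlier in the thread; the parser does not rely on indentation, since that paste lost it too.

```python
import ipaddress
import re

# Constructed excerpt modelled on the running config pasted above (indentation lost, as there).
SAMPLE_CONFIG = """
interface Vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
ip local pool PoolVPN 192.168.1.10-192.168.1.254 mask 255.255.255.0
ip local pool rvpnpool 10.200.186.10-10.200.186.250 mask 255.255.255.0
group-policy "GroupPolicy_Elevate VPN" attributes
group-policy ClientVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNClient
tunnel-group "Elevate VPN" general-attributes
address-pool PoolVPN
default-group-policy "GroupPolicy_Elevate VPN"
tunnel-group ClientVPN general-attributes
address-pool rvpnpool
default-group-policy ClientVPN
"""
NAME = r'("[^"]*"|\S+)'  # ASA quotes names that contain spaces


def _net(addr, mask):
    """Build a network; redacted addresses such as x.x.x.x in the paste above yield None."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None


def audit(config: str) -> dict:
    """Per tunnel-group: pool, group-policy, split-tunnel state, pool/inside overlap."""
    pools, policies, groups, ctx = {}, {}, {}, None  # ctx = (section kind, section name)
    for line in (ln.strip() for ln in config.splitlines()):
        if m := re.match(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)", line):
            pools[m[1]] = _net(m[2], m[3])
        elif m := re.match(rf"group-policy {NAME} attributes", line):
            ctx, policies[m[1]] = ("gp", m[1]), {"split": "tunnelall", "acl": None}
        elif m := re.match(rf"tunnel-group {NAME} general-attributes", line):
            ctx, groups[m[1]] = ("tg", m[1]), {}
        elif ctx and ctx[0] == "gp" and line.startswith("split-tunnel-"):
            policies[ctx[1]]["split" if "policy" in line.split()[0] else "acl"] = line.split()[-1]
        elif ctx and ctx[0] == "tg" and line.startswith(("address-pool ", "default-group-policy ")):
            groups[ctx[1]][line.split()[0]] = line.split(None, 1)[1]
    m = re.search(r"nameif inside\s+(?:security-level \d+\s+)?ip address (\S+) (\S+)", config)
    inside = _net(m[1], m[2]) if m else None
    report = {}
    for tg, g in groups.items():
        pol = policies.get(g.get("default-group-policy"), {"split": "tunnelall", "acl": None})
        pool = pools.get(g.get("address-pool"))
        report[tg] = {"policy": g.get("default-group-policy"), "pool": str(pool), "acl": pol["acl"],
                      "split_tunnel": pol["split"] == "tunnelspecified",
                      "pool_overlaps_inside": bool(inside and pool and pool.overlaps(inside))}
    return report
```

A tunnel-group reported with split_tunnel False is the tunnelall case from the first reply in this thread; pool_overlaps_inside True is the pool-in-LAN-range problem this answer opens with.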
11-07-2017 10:00 PM
Did you find the solution ?
03-30-2019 02:05 PM
Just in case anyone has the same issue:
This happens because all traffic (IPsec, SSL, L2TP, you name it) is being tunnelled through the VPN.
You have to let the ASA (router) know that you just want your internal LAN traffic to be tunnelled; that way the router will just pick the correct traffic.
Here is how to do it on ASDM 7.4:
You have to have an ACL pointing to your internal network; in my case it will be Split_Tunnel_List = internal LAN (172.16.10.0/24).
Hope it clears this one up.