Cisco ASA 5506-X No LAN Access [solved]

Frederic Garcia
Level 1

Hello,

I have a little problem: I don't have access to my LAN. I have split-tunnel rules; maybe it's a mistake in my NAT rules or another error.

When I'm connected to my VPN, I want to separate the traffic: a route for Google, Facebook etc... and a route for my LAN access.

You will find a copy of my config.

Can you help me?

Thanks a lot.

[edit] My manager forgot to add a route on the main router (default gateway...)

9 Replies

Hi Frederic,

Can you please run the following commands on the ASA and test the VPN again?

no access-list ANYCONNECT-SPLIT-TUNNEL-ACL standard permit any4
!
access-list ANYCONNECT-SPLIT-TUNNEL-ACL standard permit 192.168.6.0 255.255.255.0
access-list ANYCONNECT-SPLIT-TUNNEL-ACL standard permit 192.168.10.0 255.255.255.0
!
group-policy ANYCONNECT-POLICY attributes
  split-tunnel-network-list value ANYCONNECT-SPLIT-TUNNEL-ACL
!

Spooster IT Services Team

Hello,

Thank you for your help.
I tried this but got the same result. In a nutshell, I cleared the configuration to restart from scratch because the FW is not in use.

You will find the new running config, but I have the same problem... It really pisses me off...
I read, I compare... But I can't find a solution...

I hope to have the SmartNet tomorrow to contact support...

Hi Frederic Garcia,

Which subnet are you trying to reach through the VPN? The following configuration is also missing. Add the following config and try again.

route outside 192.168.6.0 255.255.255.0 88.173.12.254

nat (inside,outside) source static NETWORK-LORIENT NETWORK-LORIENT destination static NETWORK-ANYCONNECT NETWORK-ANYCONNECT no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK-BSM NETWORK-BSM destination static NETWORK-ANYCONNECT NETWORK-ANYCONNECT no-proxy-arp route-lookup

Spooster IT Services Team
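
Added example (not part of the original thread or of any participant's post): a small Python check that scans a saved ASA running-config for the two changes proposed in the replies above, namely a split-tunnel ACL with no permit-any entry and an identity NAT rule toward the AnyConnect pool object for each internal network object. The helper name audit and the sample config are constructed for illustration; the check reads only the ASA config, so it cannot see a missing return route on an upstream router.

```python
import re

# Constructed running-config fragment. ACL, policy and object names are the
# ones used in this thread; the layout and omissions are assumptions.
SAMPLE_CONFIG = """\
access-list ANYCONNECT-SPLIT-TUNNEL-ACL standard permit any4
access-list ANYCONNECT-SPLIT-TUNNEL-ACL standard permit 192.168.10.0 255.255.255.0
nat (inside,outside) source static NETWORK-LORIENT NETWORK-LORIENT destination static NETWORK-ANYCONNECT NETWORK-ANYCONNECT no-proxy-arp route-lookup
group-policy ANYCONNECT-POLICY attributes
 split-tunnel-network-list value ANYCONNECT-SPLIT-TUNNEL-ACL
!
"""

ACL_RE = re.compile(r"access-list (\S+) standard permit (.+)")
NAT_RE = re.compile(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")


def audit(config, policy, pool_obj, inside_objs):
    """Hypothetical helper: check a config for the two fixes suggested above."""
    acl, in_policy = None, False
    for raw in config.splitlines():
        if not raw.startswith(" "):          # an unindented line closes any sub-mode
            in_policy = raw.strip() == f"group-policy {policy} attributes"
        elif in_policy and raw.strip().startswith("split-tunnel-network-list value "):
            acl = raw.split()[-1]
    if acl is None:
        return [f"{policy}: no split-tunnel-network-list configured"]

    findings, exempt = [], set()
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.fullmatch(line)
        # A permit-any entry makes the split-tunnel list match every destination.
        if m and m.group(1) == acl and m.group(2).split()[0] in ("any", "any4"):
            findings.append(f"{acl}: 'permit {m.group(2)}' matches every IPv4 destination")
        m = NAT_RE.match(line)
        # Identity NAT: real == mapped on both sides, destination is the VPN pool.
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4) == pool_obj:
            exempt.add(m.group(1))
    findings += [f"{obj}: no identity NAT toward {pool_obj}"
                 for obj in inside_objs if obj not in exempt]
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, "ANYCONNECT-POLICY", "NETWORK-ANYCONNECT",
                   ["NETWORK-LORIENT", "NETWORK-BSM"]):
        print(f)
```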

Hello,

From the VPN I need access to the networks INSIDE, LORIENT & BSM.

I added the route and the new NAT rules and I will try again. Fingers crossed!

I have tested, no results :(

But I see a strange thing... When I test with Packet Tracer I get WEBVPN-SVC -> DROP...

I have edited the post; my manager forgot to add a route on our router...

Hi Frederic,

That means the VPN is working fine now and you are able to access resources.

And the changes we did on ASA were correct.

Spooster IT Services Team

Yes,

Thanks a lot for your help.

Hi Frederic,

Please rate if you found this information useful.

Spooster IT Services Team