cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1393
Views
0
Helpful
9
Replies

Cisco ASA 5506W VPN Clients not seeing local network

D Blum
Level 1
Level 1

VPN Client connects and gets proper IP address, but cannot ping local servers or access local resources


Cisco AnyConnect Secure Mobility Client 4.2.01035
(Wed Feb 03 06:28:51 2016)

Connection Information
State: Connected
Tunnel Mode (IPv4): Split Exclude
Tunnel Mode (IPv6): Drop All Traffic
Duration: 00:05:04


Address Information
Client (IPv4): 192.168.1.101
Client (IPv6): Not Available
Server: x.x.x.x

Client Management
Administrative Domain: Undefined
Profile Name: xxx.xml


Feature Configuration
Trusted Network Detection: Disabled


Route Details

Non-Secured Routes (IPv4)
192.168.0.0/24


Secured Routes (IPv4)
0.0.0.0/0

Relevant Config

interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VPN
subnet 192.168.1.0 255.255.255.0
object network DMZ1
range 192.168.0.100 192.168.0.101
object network DMZ2
range 192.168.0.35 192.168.0.36

object network pb_any
subnet 192.168.0.0 255.255.0.0
object network pb_inside
subnet 192.168.0.0 255.255.255.0
object network Inside_Subnet
subnet 192.168.0.0 255.255.0.0
object-group network nonat
network-object 192.168.0.0 255.255.0.0

access-list Split-Tunnel standard permit 192.168.0.0 255.255.255.0
access-list traffic extended permit ip 192.168.0.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.51.0 255.255.255.0

no arp permit-nonconnected
nat (any,any) source static DMZ2 DMZ2
nat (any,outside) source dynamic VPN interface description VPN Access to Internet
nat (any,any) source static nonat nonat destination static nonat nonat no-proxy-arp
nat (any,any) source static DMZ1 DMZ1 destination static VPN VPN
nat (any,any) source static DMZ2 DMZ2 destination static VPN VPN
nat (any,any) source static DMZ1 DMZ1
nat (inside,outside) source static pb_inside pb_inside destination static VPN VPN
!
object network obj_any
nat (any,outside) dynamic interface
object network pb_inside
nat (outside,outside) dynamic interface

Any thoughts?  Users are connecting via LDAP.  Thank you

1 Accepted Solution

Accepted Solutions

No, I thought, that you want to tunnel all your traffic and use ASA's ISP. I thought so because of the following NAT statement:

nat (any,outside) source dynamic VPN interface description VPN Access to Internet

Anyway, to implement your task, you should use another Split tunnel policy - tunnelspecified.

Please, try to make the following change:

no access-list Split-Tunnel standard permit 192.168.0.0 255.255.255.0
access-list Split-Tunnel standard permit 192.168.0.0 255.255.0.0
group-policy GroupPolicy_VPN attributes
 no  split-tunnel-policy excludespecified
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel

This may help. 

Also, what IP pool do you use for VPN Clients?

View solution in original post

9 Replies 9

Boris Uskov
Level 4
Level 4

Hello!

I think the issue may be with incorrect Split tunnel policy. Try the following configuration inside VPN Group-policy:

split-tunnel-policy tunnelall

Here is my group policy

Group-policy NoAccess internal
group-policy NoAccess attributes
  vpn-simultaneous-logins 0
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  address-pools none
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
  wins-server none
  dns-server value 192.168.0.10 
  vpn-tunnel-protocol ikev2 ssl-client
  split-tunnel-policy excludespecified
  split-tunnel-network-list value internal_traffic
  webvpn
    anyconnect profiles value VPN type user

dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record AV_Check
dynamic-access-policy-record OS_Check

---------------

So you are recommending change it to:

group-policy GroupPolicy_VPN attributes
  wins-server none
  dns-server value 192.168.0.10 
  vpn-tunnel-protocol ikev2 ssl-client 
  split-tunnel-policy tunnelall
  

Please note we only want network traffic to use vpn and if user is just surfing the internet to use their own internet access to reduce network traffic.  thank you

No, I thought, that you want to tunnel all your traffic and use ASA's ISP. I thought so because of the following NAT statement:

nat (any,outside) source dynamic VPN interface description VPN Access to Internet

Anyway, to implement your task, you should use another Split tunnel policy - tunnelspecified.

Please, try to make the following change:

no access-list Split-Tunnel standard permit 192.168.0.0 255.255.255.0
access-list Split-Tunnel standard permit 192.168.0.0 255.255.0.0
group-policy GroupPolicy_VPN attributes
 no  split-tunnel-policy excludespecified
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel

This may help. 

Also, what IP pool do you use for VPN Clients?

Thank you for the info, here is the local ip pool

ip local pool VPN_Pool 192.168.1.101-192.168.1.240 mask 255.255.255.0

Ok, no problem, I'll be glad, if my advices helps.

Also, do you have inside network with the same IP-subnet as VPN_Pool? I mean, 192.168.1.0/24?

The problem is, that you may experience some connectivity issues due to NAT statement:

nat (any,any) source static nonat nonat destination static nonat nonat no-proxy-arp

"no-proxy-arp" keyword can play the role in this case.

I really advise you to use VPN_Pool subnet, which is completely different from your inside subnets. For example 172.16.1.0/24 for VPN_Pool.

If you change your VPN pool I also advice you to add "no-proxy-arp" and "route-lookup" keywords to all of your NAT exception rules.

internal subnet is 192.168.0.0/24

Ok, so just try with Split tunnel policy "tunnelspecified", and the configuration, I posted above.

Hope this helps.

That worked, employees have network access.  Thank you

Great news! Mark the question as answered, please.